Meaning of So Far As Is Reasonably Practicable (SFAIRP)

A guideline for rail organisations to assist them in developing a decision making framework and judging what is “reasonably practicable”.
Consultation Draft
Prepared by: National Transport Commission
MARCH 2007
REPORT OUTLINE
Date: March 2007
ISBN: Not yet allocated
Title: National Guideline for the Meaning of So Far as is Reasonably Practicable (SFAIRP)
Address: National Transport Commission, Level 15/628 Bourke Street, MELBOURNE VIC 3000
E-mail: ntc@ntc.gov.au
Website: www.ntc.gov.au
Type of report: Draft National Guideline
Objectives: Improve rail safety outcomes and regulatory efficiency
NTC Programs: Implementation of the National Rail Safety Reforms
Key Milestones: The public comment period closes on 6 May 2007. After the suite of Guidelines is assessed in the light of comments received, the Guidelines will be submitted to Transport Agencies Chief Executives (TACE) and to ATC in June 2007 for consideration and approval.
Abstract: The NTC, working in conjunction with the rail industry, the Rail Tram and Bus Union and rail safety regulators, has developed this draft National Guideline to provide general assistance to rail transport operators and other duty holders in meeting their obligations under the new requirements included in the recently approved Rail Safety Bill 2006.
Purpose: For comment
Comments by: Written comments may be forwarded by 9 May 2007
FOREWORD
The National Transport Commission (NTC) is an independent body established under
Commonwealth legislation and an inter-governmental agreement and funded jointly by the
Commonwealth, States and Territories. In accordance with its duties, the NTC has
developed a national model Rail Safety Bill 2006 and Regulations to achieve a nationally
consistent approach to regulating rail safety in Australia. They were developed in
conjunction with representatives of all jurisdictions, the rail industry and rail unions and
were approved by the Australian Transport Council in 2006. The national model Bill and
Regulations will receive legal effect when reproduced in each jurisdiction’s legislation in
mid 2007.
National Guidelines
National Guidelines are intended to assist rail safety regulators, industry stakeholders and
other relevant parties with duties under the rail safety legislation to understand and comply
with the new legislative requirements. The National Guidelines are also intended to
support consistency in the administration of State and Territory rail safety law.
This draft National Guideline is one of a suite of six national guidelines which are released
for public comment. The suite of National Guidelines comprises:
• Guideline to Accreditation under the National Rail Safety Scheme
• Guideline for Establishing a Rail Safety Management System
• Guideline on the meaning of So Far As Is Reasonably Practicable (SFAIRP)
• Guideline for Compliance and Enforcement Policy for Rail Safety
• Business Rules for Uniform Administration of Accreditation
• Guideline for Fatigue Management for Rail Safety Workers
National Guidelines are administrative documents intended to provide practical advice to
rail safety regulators and rail transport operators or other parties to whom legislative duties
apply. Depending on the subject matter, the Guidelines in this suite may:
• articulate how rail safety regulators will behave when undertaking their functions to
ensure that their processes are transparent to the duty holders (e.g. national compliance
and enforcement);
• provide nationally consistent and/or integrated processes by which rail safety regulators
will make decisions (e.g. Business Rules for Uniform Administration);
• assist duty holders with the interpretation of legislative provisions and provide practical
guidance for satisfying these requirements (e.g. Accreditation, Safety Management
Systems, Managing Risks SFAIRP, Fatigue Management).
National guidelines impose no legal duties or requirements. Failure to comply with a
national guideline does not give rise to any civil or criminal liability. Where actions or
outcomes are described as being mandatory in the Guidelines, this is because those actions
or outcomes reflect provisions in the national model legislation.
The advice provided in the national guidelines has been expressed in general terms. Rail
transport operators and other duty holders should not assume that the advice and any
examples provided automatically apply to the operating and environmental circumstances
of their railway operations. They should be used as a guide only to the processes and
procedures involved and should not substitute for the conduct of risk assessment of their
own environment and operations.
Public Comment
The suite of draft national guidelines has been developed through the NTC processes by
the NTC and rail safety regulators acting as lead agents to the NTC. The Rail Safety
Regulators Panel, Australasian Railway Association and Rail Tram and Bus Union have
had input into the drafting process.
The public comment period closes on 9 May 2007.
At the completion of the public comment period the suite of guidelines will be assessed in
the light of comments received. Following any required amendments, the draft guidelines will
be finalised and submitted to Transport Agencies Chief Executives (TACE) and to the
ATC in June 2007 for consideration and approval.
Acknowledgements
The NTC would like to thank the members of the Rail Safety Package Steering Committee
for their guidance and advice during the developmental phase of the guideline. In
particular, the NTC acknowledges the contributions of Peter Burns, Simon Meiers, Andrew
Kitto and members of the Guideline reference group to the development of the draft
guideline. Finally, the work of the following NTC officers is acknowledged: Paul Salter
and Jan Powning for drafting the guideline and Heather Lipscombe for her administrative
support.
Michael Deegan
Chairman
HOW TO MAKE A SUBMISSION TO THE NTC
The NTC invites individual stakeholders and organisations to provide a written submission on this topic. The
submission period closes on Wednesday, 9 May 2007.
Who Can Make a Submission?
Any individual or organisation can make a submission to the NTC. There are no restrictions on
who can provide comment, e.g. individuals, community groups, private organisations and
representatives of government departments and agencies.
Structure of submissions
Please use the structured submission forms provided. Comment on matters you consider relevant
to the topic. Where possible, you should provide evidence, such as data and documentation, to
support your views.
If you are representing an organisation, please indicate your position in your organisation, and if
relevant, specify at what level the submission has been authorised (branch, executive, president,
sub-committee, executive committee, national body).
How to Submit Online
Online submissions are preferred. To make an online submission please follow these steps:
Step 1
On the NTC homepage (www.ntc.gov.au) select a Report Issued for Comment or click
on the link forwarded to you through a web alert.
Step 2
Select the Name of the NTC representative in the New Comments To column of the
Report Issued for Comment table.
Step 3
Enter your NTC website login name and login password (you would have typed in these
details when you registered to receive NTC alerts). If you cannot remember these details or
have not registered, do so by selecting the ‘Register’ button to register as a new user.
Step 4
On entry to the Respond to RFC Topics homepage enter any General Comments to
accompany your submission.
Step 5
Select Browse to upload your comments if they are contained in a separate document. If you
are submitting an electronic version of your submission, it should be compatible with
Microsoft Word 2003 (.doc) or be in Adobe Portable Document File (.pdf) format.
Step 6
Enter your Document Author Details.
Step 7
Select Save.
Once your submission has been saved it is automatically sent via email to the nominated NTC representative.
You will receive a confirmation email to your preferred address once the submission is received by the NTC.
Publication of Submissions
Unless submissions are made in confidence or accompanied by a request to delay release, all
submissions will be published online. Copyright of received submissions, however, will reside with
the author(s), not with the National Transport Commission.
Important - Confidentiality
The NTC accepts confidential submissions. If you want to provide content not for public release, provide two
copies of your submission, one with the confidential content and the other with content suitable for public
release. You are encouraged to contact the NTC before submitting confidential material. If material is agreed
to be confidential it will be withdrawn. Note that access to confidential material is determined in accordance
with the Freedom of Information Act 1982. In the absence of any clear indication that a submission is
confidential, the NTC will treat the submission as non-confidential.
CONTENTS
INTRODUCTION ... 1
PART A: RISK MANAGEMENT: CONSIDERATION OF SFAIRP IN CONTEXT ... 3
1. THE RAIL SAFETY REGULATORY REGIME ... 3
2. JUSTIFIED DECISION MAKING ... 7
3. DECISION MAKING STEPS ... 8
3.1 Step 1. Scoping the decision ... 8
3.2 Step 2. Analysis of the options ... 8
3.3 Step 3. Taking the decision ... 11
3.4 Step 4. Reviewing the decision ... 11
3.5 Additional criteria applicable to the ‘taking of the decision’ ... 12
PART B: LEGAL CONSIDERATIONS ... 14
4. THE MEANING OF SO FAR AS IS REASONABLY PRACTICABLE ... 14
4.1 Purpose of SFAIRP ... 14
4.2 Overview of Treatment by Courts ... 14
4.3 Factors to be considered ... 15
4.4 Applying and balancing the factors ... 19
5. SFAIRP IN PRACTICE ... 19
PART C: METHODOLOGIES CONSIDERED ... 20
6. CONTENT AND PURPOSE ... 20
6.1 Methodologies ... 20
7. USING QUALITATIVE ANALYSIS ... 21
7.1 Energy Barrier or Bow Tie Model ... 21
7.2 How to use the Bow Tie methodology ... 22
7.3 Case Example: Derailment in Tourist-Heritage Railway ... 23
8. USING SEMI-QUANTITATIVE ANALYSIS ... 25
8.1 Order of Magnitude Analysis ... 25
8.2 The Risk Matrix Methodology ... 25
8.3 The Risk Workshop ... 27
8.4 Case Example: Signal Overlaps Project ... 28
9. USING QUANTITATIVE RISK ANALYSIS ... 31
9.1 Introduction to Concepts ... 31
9.2 Quantitative Risk Analysis ... 32
9.3 Fault Tree Analysis ... 33
9.4 Event Tree Analysis ... 34
9.5 Case Example: Light Rail Vehicle in Collision ... 36
10. RISK IMPROVEMENT AND MAINTENANCE PROGRAMS ... 38
10.1 Valuing Improvements in Risk ... 38
APPENDIX 1: BASIC RISK CONCEPTS ... 41
GLOSSARY OF TERMS ... 47
REFERENCES ... 51
INTRODUCTION
Occupational Health and Safety (OHS) Legislation which is applicable in Australian States
and Territories establishes statutory duties of care: obligations on employers, contractors,
manufacturers, designers and other parties to ensure the safety of the workplace for
employees, contractors and third parties that might otherwise be affected by the
undertakings carried out in workplaces. Sections 28 and 29 of the model Rail Safety Bill
reinforce the duty of care obligation pertaining to ‘workplaces’ in general by making it
clear that rail organisations and associated industry participants have an obligation to
ensure the safety of their ‘railway operations’ (irrespective of where these operations are
conducted).
These duties of care do not require safety at any cost. Duties to ‘ensure’ are qualified by
the statement ‘so far as is reasonably practicable’ (SFAIRP). The SFAIRP qualification is
either included in the formulation of the obligation (the wording of the duty itself), or is
indicated in the primary Act as an acceptable defence to a prosecution under the Act.
Irrespective of the means by which the qualification is added, the effect is still the same:
the level of safety the duty holder must provide hinges on what is ‘reasonably practicable’
given the situation and context.
SFAIRP is a legislative qualification that is well known to the law and found in a number of
statutes both in Australia and overseas. In essence, it requires weighing the risk against
the resources needed to eliminate or reduce the risk. It does not require every possible
measure to be implemented to eliminate or reduce risk, but it places the onus on the
person holding the duty to demonstrate (or be in a position to demonstrate) that the cost
of additional measures to control the risk (over and above those risk controls already in
place) would be grossly disproportionate to the benefit of the risk reduction associated
with the implementation of the additional risk control.
From the outset it should be noted that the duties of care established in the model Rail
Safety Bill are not new. As indicated, overlapping duties already exist in Occupational
Health and Safety (OHS) legislation (and have existed for quite some time). In addition:
• the National Accreditation Package (NAP) has required accredited rail
organisations to be able to demonstrate that they have identified all reasonably
foreseeable safety risks relevant to their operations, and that these risks are
managed effectively within the bounds of what is ‘reasonably practicable’; and
• many engineering standards and guidelines applicable to risk management (e.g.
AS4360) or the Australian rail industry (e.g. AS4292) refer to a standard of
reducing risk to as low as reasonably practicable.
The historical context therefore indicates that the rail industry is familiar with the
undertaking of risk management and is (or should be) familiar with the concept of
‘reasonably practicable’.
The primary purpose of this document is to provide guidance on how to develop and
implement a suitable decision making framework and, within this framework, determine
what is reasonably practicable given the multitude of situations and contexts in which a
rail organisation might be operating. This guideline is therefore in three parts:
• Part A defines concepts and points to considerations that need to be made when
developing and implementing a decision making framework within a rail
organisation.
• Part B provides guidance on how to determine what is reasonably practicable with
reference to case law and relevant regulatory theory. This content is relevant to
staff with general and management responsibilities for safety.
National SFAIRP Guideline
Draft March 2007
Page 1
• Part C provides guidance on the risk identification, risk assessment and decision
making process. It comprises guidance of a more technical nature and details the
processes and techniques involved in demonstrating risks are being managed
effectively within the bounds of what is ‘reasonably practicable’. This content is
suitable for those with more specialist technical background who may need to
apply the more quantitative aspects of risk analysis and control. Part C also
includes rail related case examples.
Status of Guideline
The guideline accompanies and is complementary to the model Rail Safety Bill and model
Rail Safety Regulations. It is intended for general application across the rail industry in all
jurisdictions of Australia.
The guideline is a guide only. The advice provided in this document is not intended to
replace the provisions of rail safety legislation, regulations or other relevant legislation or
to limit or expand the scope of such legislation. In the event of any perceived
inconsistency between this Guideline and relevant legislation, the legislation will prevail.
PART A: RISK MANAGEMENT: CONSIDERATION OF SFAIRP IN CONTEXT
1. THE RAIL SAFETY REGULATORY REGIME
The rail safety regulatory regime is focused on encouraging and enforcing good risk
management practice by rail organisations and associated industry participants.
Legislation and regulations do not prescribe how rail safety risks are to be controlled, but
rather establish performance obligations (duties of care) and more specific process
requirements that force rail organisations to identify risks and consider the merits of
available risk controls and elimination measures.
Of prime importance to the effectiveness of this approach is the risk management process
and the integration of that process into the effective functioning of the safety management
system.
The risk management process, at the highest level, has four essential steps. At each step,
consultation with affected parties is necessary for risk management to be effective.
Table 1: Steps in generic risk management process
Step 1: Risk Identification
This step is the essential starting point for satisfying your
duty of care. You need to establish what risks are present
in respect to your proposed railway operations. Many risks
are well known and can be immediately tackled by equally
well established ways of eliminating or reducing them.
Other risks are not well known and may require some
foresight and careful consideration.
Step 2: Risk Assessment
You need to understand the nature of the risks and the
level of the risk before taking action. Understanding the
nature of the risk means working out what could happen
and why. The risk assessment step is a way of estimating
the level of risk.
Step 3: Risk Control
You need to choose risk controls that will achieve the
highest level of protection so far as is reasonably
practicable. A hierarchy of controls has to be considered
from elimination, through to substitution, designing out
risks, down to administrative practices and personal
protective equipment. In practice, a number of risk controls
may be required to reduce risks so far as is reasonably
practicable.
Step 4: Check Controls
Effective risk management requires not only that your risks
be controlled but that they are checked to see if they are
operating effectively and that circumstances have remained
constant.
The tests and judgements involved in determining what is reasonably practicable are
made as part of the risk management process.
Experience arising from OHS prosecutions suggests that one of the most common
reasons why duty holders fail to meet their duties of care is that they do not take sufficient
action to identify risks; or otherwise know about the risks but take no action. It is therefore
important to get the basics of the risk management process right and follow through with
necessary actions.
The concept of risk management, and the importance of the risk management process, are
embedded in the model Rail Safety Bill.
As a means of ensuring safety, a rail transport operator is required to have a Safety
Management System (SMS) for its railway operations. Clause 57 of the Bill requires the
safety management systems of rail transport operators to:
• identify and assess any risks to safety that have arisen or may arise from the
carrying out of the railway operations;
• specify the controls that are to be used by the rail transport operator to manage
the risks to safety and to monitor the risks to safety in relation to its railway
operations; and
• include procedures for monitoring, reviewing and revising the adequacy of those
controls.
As can be seen, these requirements are consistent with the four (4) step risk management
process depicted in Table 1.
The combination of the performance obligation (duty of care) and the process
requirements established in the model Bill obliges rail transport operators to practice good
risk management. Additional safety management system requirements in the model Bill
and in the model Rail Safety Regulations require consideration of known areas of risk, or
otherwise create an imperative to consider the applicability of known means of risk
control. However, the Bill and the Regulations do not prescribe risk
management methods or procedures. The rationale is that risk assessment methods
need to be tailored to the cultures, systems and risk conditions that exist in individual rail
organisations in order to be truly effective. In recognition of this, the intent of the model
Bill is to make rail organisations responsible for interpreting legislative requirements into
specific methods and criteria, and then applying these as part of their risk management
process. Some characteristics that define a good risk management process are provided
below in Table 2. The table provides good guidance to duty holders about what they need
to consider when developing their own risk management process, tailored to their own
cultures, systems and risk conditions.
Table 2: Characteristics of a good risk management process

1. Definition of scope and context
A clear definition of the scope and context of the system under analysis needs to be made.

2. Consultation and involvement of stakeholders
The risk management process needs to include consultation with and involvement of a full
range of affected parties, including those at interfaces.

3. Process for hazard identification
A process ensuring a comprehensive identification of all significant hazards and potential
hazardous events is an essential starting point for the risk management process.
The requirement for risk identification should not be limited to significant hazards, as this
prejudges the risk assessment process.

4. Proportional process for risk assessment
The process for determining the likelihood and consequence of risks associated with
identified hazards needs to be systematic, objective and proportional to the significance of
the risks under analysis (which may require a multi-step process).
Proportionality is implicit in managing a risk adequately. Regard should be had to factors
including (but not limited to):
• The depth and strength of analysis undertaken by the duty holder should match the risk
or significance of the operation / change in question (scale of activity, complex
functionality)
• Technical difficulty (inherent difficulty or unfamiliar / novel activity)
• Organisational factors (size and complexity of organisation, number of contractors)
Formal safety studies (eg Rail HAZOP, SIL Specification and verification, Fire Safety
Analysis, Human Factors, Emergency Evacuation Analysis etc) should be performed for
significant risks.
The over-riding imperative is that the risk assessment process must be ‘suitable and
sufficient’ to identify and adequately assess foreseeable risks, as the obligation to reduce a
risk to SFAIRP is not avoided by having failed to identify the risk or to properly assess it.

5. Process for evaluation and treatment of risk
Risks need to be evaluated against suitable criteria and treated accordingly to ensure
residual risks are reduced SFAIRP. This needs to involve a process of considering what
additional controls are available and justification of their adoption or rejection taking into
account what is reasonably practicable.
The following sections of this guideline expand on what is needed to support justified
decision making.

6. Consideration of uncertainty
Risk assessments are fraught with uncertainties. This needs to be recognised and both
assumptions and uncertainties identified and tested.

7. Priority of risks
Risks need to be ranked in order to establish a priority for treatment.
The risk management approach should not go so far as to exclusively require risks to be
treated in order of ranking, as to do so may inflate costs unreasonably.

8. Monitoring of risk levels
Risk levels in a railway operation need to be monitored in order to compare them against
the results of risk assessment.

9. Linked risk assessment to SMS, with measurable performance indicators
Controls identified in the risk management process need to be linked to safety management
activities within the safety management system to ensure their ongoing effectiveness.
The safety management system (and the risk management process that forms part of it)
needs to include:
• tests for the effectiveness of controls;
• indicators of control failure;
• procedures for reporting control failure; and
• procedures for responding to control failure.
2. JUSTIFIED DECISION MAKING
It is the duty holder’s responsibility to develop and apply risk assessment methods and
decision making frameworks that enable it to comply with the model Rail Safety Bill and
other relevant legislation (e.g. OHS). What is suitable and sufficient for one duty holder
may not be so for another. Importantly, the obligation to reduce a risk to SFAIRP is not
avoided by having failed to identify the risk or to properly assess it.
The risk management process is central to the operation of the duty holder’s safety
management system and the fulfilment of the duty holder’s duty of care. It is important to
acknowledge that the end outcomes of the risk management process are decisions, which
need to be given effect. Some characteristics of a good decision making framework are
articulated in Table 3.
Table 3: Characteristics of a good decision making framework

Accountability
The person or persons responsible for making the decisions know that they are responsible
and are known by others to be responsible for making the decision(s).

Decisions made by those with best information and knowledge
It is important that the decision making framework allows the decision to be taken at the
correct level in the organisation. This may require responsibility for a safety decision
resting with operational units, whose personnel are best able to obtain and assess the
evidence on which the decision should be based, or it may require escalation of approval
to more senior management with the authority to enforce the decision taken.

Consultation
There needs to be adequate engagement with all those who are affected by the decision, or
who have a contribution to make to it. The level of consultation needs to be proportionate
to the nature of the decision being taken (novel/complex versus operational).

Decision criteria and decision making process specified and transparent
The criteria applicable to decision making and the process by which decisions are to be
made need to be transparent and known from the outset to ensure that the process of
assessment and evaluation remains objective and systematic. This is an important
protection against the ‘goal posts moving’ in order to get the answer that is convenient or
most advantageous from a narrow commercial perspective.

Scope to apply a range of methods to assessment and evaluation process
In most cases the comparison of safety benefits of a risk reducing measure and the costs of
its implementation can be performed through direct judgement by stakeholders. However,
for wide reaching, expensive and subtle risk reduction measures, such as the introduction
of a standard or additional technology, a direct judgement technique is very difficult to
justify. In such circumstances, social cost benefit analysis and other techniques may need
to be applied.

Record keeping
Decisions that affect safety must be taken and the reasons for the decision must be
recorded. Failure to take any decision is itself a decision that needs to be able to be
defended in the future. It should be noted that the correct course of action may be to
decide to take no action, but again the reasons for coming to that decision should be
recorded. In all cases, both the actual decision and the way that it was reached should be
able to be examined subsequently.
What is reasonable is as much about the process by which you reach your decision as the
decision itself. The decision making process, in a generic sense, can be seen to parallel
the risk management process via four steps as explained in the following sections.
3. DECISION MAKING STEPS
3.1 Step 1. Scoping the decision
First the decision must be scoped. This involves considering what type of decision has to
be taken. Some considerations that need to be made include:
• Is it an immediate operational decision or more of a managerial decision?
• Who is responsible for taking the decision?
• Will in-depth analysis be needed to support the decision?
This step in the decision making process is integrated with step 1 (risk identification) and
step 2 (risk assessment) of the risk management process. The answers to the questions
listed above (and others that are relevant at this stage) flow naturally from the
identification of the risk and the assessment of its nature and significance. Some risks are
well known and may be the subject of regulations to which compliance is required.
Accordingly, the decision to be made is simply to make the changes that are required to
the duty holder’s safety management system such that it is compliant with the regulations.
In other situations, the risks that have been identified are more novel or situation specific,
requiring a more iterative process of assessment and consideration.
The question of the level at which the decision can be taken, and ultimately the question of who is
responsible for making the decision, is a function of the duty holder’s organisational
structure and how that structure has evolved to enable it to meet commercial objectives
and comply with statutory requirements. In demonstrating that a justified decision making
system is effective it must be able to be shown that there are logical inter-relationships
between the decision making framework and the organisational hierarchy and structure.
Ideally, the inter-relationship between the organisational hierarchy and the decision
making framework should enable those with the best information and knowledge to make
the decision. This structural approach to effective risk management and decision making
needs to be supplemented by the commitment to, and practice of, consultation with those
who are affected by the decision, or who have a contribution to make to it.
3.2 Step 2. Analysis of the options
In those situations where an identified risk does not have a corresponding risk control that
is prescribed in regulations, further assessment is needed to determine what is
reasonably practicable. Having made the best possible assessment of consequences and
likelihood, there needs to be an assessment of which options address the identified risk or
combination of risks. The corresponding costs and benefits of the different options then
need to be assessed. This step parallels step 3 in the generic risk management process.
Method of analysis
Figure 1 (sourced from RSSB 2006) highlights a range of methods that may be applied to
provide input to the decision taking process. The diagram is wedge shaped to indicate that
increasing problem complexity requires more resources to be allocated to the process of
decision making. It provides a structured checklist of approaches that can be applied to
obtain useful information with which to inform the decision. The methods are as follows.
Existing good practice
Existing good practice provides effective, easily accessible information about what
measures in an organisation are likely to be sensible and effective. All organisations, as a
minimum, must implement authoritative good practice, irrespective of situation-based risk
estimates. This requirement flows from the observation that good practice is inherently
‘reasonable’ and clearly ‘practicable’. In short, ‘Good practice’ is a threshold, something
that is necessary but not always sufficient in reducing risks to SFAIRP.
Quantitative Analysis/Qualitative Analysis
Under the obligation to ensure safety SFAIRP, the relevant safety risks must be
assessed and balanced against costs in order to make that judgement. This implies some form of
social cost benefit analysis that permits a systematic and objective comparison of benefits
and costs. Depending on the size and complexity of the problem this form of analysis can
be undertaken as a brief qualitative assessment or as a more detailed quantitative
analysis.
Strategic Analysis
In some instances decisions will have strategic effects that need to be taken into account.
Decision taking is not an academic exercise, and real strategic difficulties associated with
the decision need to be considered, such as the practical ability of the organisation to
implement any change and the commercial interests of the company.
Targeted Engagement
To take good decisions, companies must engage with those who fund the railway, those
who work within the railway and those who regulate the industry.
It is important to emphasise that, at this stage in the decision making process, a
professional judgement must be made as to the method of analysis that is to be adopted
and the time and resources that are to be applied to the making of the decision. For the
decision making process itself to remain ‘justified’, this judgement needs to be
defendable. This implies that the above options should be considered carefully and that
records pertaining to this judgement should be kept.
Figure 1
Range of inputs to decision making
[Diagram, sourced from RSSB 2006: a wedge that widens from ‘Immediate decisions’ (Simple) to ‘Management decisions’ (Complex). The inputs shown are: Rules and good practice; Quantitative analysis; Qualitative analysis; Strategic analysis; Targeted engagement.]
Identifying control options
The risk assessment process provides the basis for identifying suitable risk control options
at the “highest level of protection” as is reasonably practicable.
The conventional way of describing what is meant by the highest level of protection is the
concept of the hierarchy of control. The principle behind the hierarchy of control is that risk
controls that are dependent on individual behaviour are less reliable and durable than risk
controls that engineer or design out risks.
The first question that needs to be asked is whether the risk can be removed or otherwise
eliminated. In some cases this can be achieved by using different equipment or
technology or changing the way operations are undertaken. Where elimination is not
reasonably practicable then the assessment of the control options has to take into account
the nature and level of risk.
The following questions, sourced from OHS guidance, indicate what is meant by the
hierarchy of available controls:
• SUBSTITUTION: Can materials, equipment or processes be replaced with less
hazardous ones?
• ISOLATION: Can the source of risk be isolated by barriers or enclosures?
• ENGINEERING: Can the source of risk be reduced by engineering controls?
• DESIGN: Can the risk be reduced by redesign of the materials, equipment and work
process?
• ADMINISTRATIVE: Can the risk be reduced by using safe work practices?
• INDIVIDUAL: Can the risk be reduced by using Personal Protective Equipment (PPE)?
As you descend the hierarchy the likelihood of the risk being eliminated or reduced
becomes far less. Elimination of the hazard, or substitution of some other process or
substance, may leave no hazard remaining to give rise to risk. Isolation and engineering
controls remove or minimise the chance or extent of exposure, but not entirely.
Administrative controls are less certain to be effective as they may be affected by the
skills, attitudes or knowledge of the individuals interpreting them or following them.
Personal protective equipment will only be effective when worn properly or used, and
even then only to protect the individual wearing or using it and no others (Sherriff, 2005).
In most cases a combination of measures will be required. While personal protective
equipment is the lowest level of protection it may still be required in combination with other
measures such as engineering controls. You should accordingly consider the hierarchy of
controls as options and not as alternatives, to be used in the combination that will produce
the level of risk elimination or control that is reasonably practicable. In determining what
is reasonably practicable, the key choice is often the additional control measure that is to
be added to the combination of control measures that are already regarded as being good
practice.
Knowing, or being aware of what constitutes good practice is obviously a pre-condition to
being able to identify control options effectively. As stated previously, good practice is a
threshold, something that is necessary but not always sufficient in reducing risks to
SFAIRP. The duties of care require the duty holder to consider the application of risk
elimination or control measures that the duty holder knows of, or ought to reasonably
know of. The latter part of this statement is important because it implies that the duty
holder needs to devote a reasonable amount of resources to identifying and being aware of
elimination and risk control measures. Again this is a point in the decision making
process where a judgement needs to be made, specifically about how much effort should
be taken. As such, records of the judgement made and the reasons underlying it should
be kept.
3.3 Step 3. Taking the decision
Once a decision has been scoped and analysis undertaken the decision maker is in a
position to take the decision. This step parallels step 3 in the generic risk management
process: what risk controls should be applied?
There are two inevitable truths about the taking of decisions. The first is that there is no
such thing as a pure safety decision. The decision will need to take appropriate account of
cost, performance and safety. The second is that there is always an amount of judgement
that needs to be applied. As previously indicated, risk assessments are fraught with
uncertainties. Assumptions should be identified and tested but it needs to be accepted
that some uncertainties will remain.
For these very reasons the determination of what is ‘reasonably practicable’ can never be
a simple formula that the decision maker calculates by inputting values for known
variables. The ‘comfort’ of the individual decision maker comes from adhering to the
decision making process and applying the relevant criteria (see Part B for the ‘5 tests’) in an
appropriate way. There is no guarantee that a court will agree with your determination
of what is or was ‘reasonably practicable’ in a given situation; however, it is far more
probable that the court will if a process of justified decision making has been adhered to.
The overriding requirement from a commercial and safety perspective is to take decisions,
even if this means explicitly deciding to do nothing and recording the reasons why. Such
decision making practices go some way to fulfilling the statutory duty of care and can be
clearly differentiated from simply letting things happen by default.
3.4 Step 4. Reviewing the decision
Does the decision make sense? The decision maker should consider whether they would
feel comfortable explaining the decision, were an accident subsequently to occur. What
were the reasons for taking the decision? Does it give due regard to the interests of all
affected parties?
This step makes it clear that decisions need to be defensible at a specific point in time, but
over time, need not and should not be viewed as being set in stone. Indeed, decisions
can and should change, or at least be reviewed, in response to a number of factors
including (but not limited to):
• observations about the effectiveness of the risk control measure implemented as
an outcome of the taking of the decision;
• changes to the availability of risk elimination or control measures;
• changes to the cost of implementing risk elimination measures or applying risk
control measures; and/or
• changes to the frequency of services (which would affect the foreseeable safety
benefits side of the equation).
This step in the justified decision making process can be seen to parallel step 4 (check
controls) in the risk management process. This step in the process recognises that the
risk environment is ever changing and accordingly the risk management process needs to
be dynamic: able to identify changes and respond, such that the duty holder continues to
be in compliance with its statutory duty of care.
Figure 2 brings together, in a diagrammatic form, the complementary steps being
undertaken in the risk management process and in the justified decision making process.
As will be indicated in the next section, the entirety of the considerations portrayed here
are required to be undertaken in order for the duty holder to be in a position to
demonstrate compliance with its statutory duty of care. Various judgements (as flagged in
the text above) will need to be made whilst undertaking this process. The need for
application of judgement cannot be avoided.
3.5 Additional criteria applicable to the ‘taking of the decision’
In addition to the decision making criteria that duty holders are legally obliged to apply the
point needs to be made (in closing off this section of the guideline) that other criteria can
and should be applied by duty holders when taking the decision. As indicated, there is no
such thing as a pure safety decision: judgements will be made on the basis of commercial
criteria as well as legally enforceable safety criteria. For example, if the cost of
compliance associated with the application of legal criteria to a particular circumstance is
so high that the undertaking of the activity is not commercially viable then the commercial
criteria will take precedence – the duty holder will cease undertaking the activity or part
thereof, rather than making the expenditure required on risk controls that is necessary to
satisfy the legal criteria (SFAIRP).
Such commercial criteria are to be applied at the discretion (and in the interests) of the
duty holder. Such criteria should not only consider the direct impacts in terms of costs
and benefits but also the indirect. For example, it is rational and indeed necessary that
duty holders consider foreseeable political and public reactions to possible accident
scenarios (e.g. those involving multiple fatalities). It is important that duty holders
consider the implications arising from those reactions (loss of revenue, patronage, etc),
and as a result, consider whether this justifies a higher level of risk control than would
otherwise be provided. This is an appropriate method for taking into account ‘societal
concerns’, recognising that perceptions of safety affect the reality of commercial
performance to the extent to which they affect behaviour of customers, the public and
other persons potentially affected by the undertaking of the railway operations.
Figure 2
Complementary steps of risk management and justified decision making processes
[Diagram: the Risk Management Process and the Justified Decision Making Process are shown side by side. The text of the boxes is reproduced below.]
Risk Management Process:
Step 1 Hazard Identification: Identify hazards by inspecting workplace, analysing injury records, measuring exposure and using guidance.
Step 2 Risk Assessment: Work out how likely it is that the hazard will result in an injury or incident and how severe the consequences might be. Identify what risk factors have to be controlled.
Step 3 Risk Control: Eliminate risk but if not reasonably practicable reduce by using design, engineering, substitution, safe work practices and personal protective equipment. If Act or regulations prescribe method of control do as required. Voluntarily adopt compliance code (if available) and be deemed to comply. Outcome: Risk Controlled.
Step 4 Check Controls: Check controls are working as planned, follow recommended maintenance cycles, monitor information, training and supervision and make changes where necessary.
Justified Decision Making Process:
Step 1 Scoping the decision
Steps 2 & 3 Analysis of the Options & Taking the decision
Step 4 Reviewing the decision
PART B: LEGAL CONSIDERATIONS
4. THE MEANING OF SO FAR AS IS REASONABLY PRACTICABLE
4.1 Purpose of SFAIRP
As indicated in the introduction to this guideline, So Far As Is Reasonably Practicable
(SFAIRP) is used as a qualification on what would otherwise be an absolute obligation or
duty. In the case of rail safety legislation, the obligation is to ensure the safety of railway
operations for which the party is responsible or partially responsible (as may be the
case with a contractor or supplier). Without the SFAIRP qualification the requirement to
‘ensure’ is tantamount to requiring the duty holder to provide a guarantee. For a host of
reasons relating to foreseeability, cost and limits on the level of control that can be
exercised, the imposition of an absolute duty or obligation is impracticable. Accordingly,
the SFAIRP qualification is used.
The SFAIRP qualification is either included in the formulation of the obligation (the
wording of the duty itself), or is indicated in the primary Act as an acceptable defence to a
prosecution under the Act. The formulations of these duties of care differ between
jurisdictions, but are consistent in their substantive effect. The reason for the
inconsistency of formulation is that priority has been attached to the duties being
consistent with the OHS duties which they are intended to complement. The formulation
of the OHS duties differs. Legal analysis undertaken by Bluff and Johnstone (2004, p3) in
relation to the formulation of the OHS duties is that:
In all of the OHS statutes apart from the Workplace Health and Safety Act 1995
(Qld), these absolute or strict liability duties are qualified by whether it is ‘reasonably
practicable’ to take particular measures to ensure worker health and safety (p3,
2004).
Bluff and Johnstone go on further to make the point that the formulation used in the
Queensland statute is nothing more than a recasting of the reasonably practicable
expression (p3, 2004). In support of this position Sherriff (2005) asserts that:
Fortunately there has been a consistency in the line of authorities in various State
courts and in the High Court of Australia interpreting practicable and reasonably
practicable and the meaning is accordingly well settled.
4.2 Overview of Treatment by Courts
A study of case law shows that Australian courts adjudicating on alleged breaches of OHS
duties commonly take into account a number of factors when determining whether the
actions taken to ensure the safety of operations were “reasonably practicable”.[1]
Courts do not demand the impossible to be done. To fulfil their legislative obligations,
organisations are expected to take a proactive and common sense approach.
Indeed, this is reinforced by the Australian High Court which observed in 2001 that the
words ‘reasonably practicable’ are ordinary words bearing their ordinary meaning. And
the question whether a measure is or is not reasonably practicable is one which requires
no more than the making of a value judgment in the light of all the facts. (Slivak v Lurgi
(Australia) Pty Ltd 2001). The wording and intended meaning of this judgement is
important in two regards:
• whether measures need to be taken, and the extent of those measures, needs to
be decided on the circumstances and facts of each case; and
• there is no absolute precision about what constitutes a level of risk control that is
reasonably practicable; value judgements, inevitably, need to be made.
[1] Bluff L & Johnstone R, The Relationship between ‘Reasonably Practicable’ and Risk Management Regulation, Working
Paper 27, National Research Centre for OHS Regulation, ANU. September 2004
In general, the courts have considered the duties of care to be a statutory enactment of
the common law duties of care which provide the basis for an action for damages for
negligence. However, it should be noted that although there cannot be a liability to
damages for negligence without there first being an injury, loss or damage, it is possible to
be prosecuted for a breach of duty owed under legislation without injury, and even,
without incident. Sherriff (2005) cites the case of R v Feltourn Holdings Pty Ltd
(unreported, County Court, 11 June 1996) where the judge accepted that the defendant
company was guilty of an offence for a breach of duty even though the relevant
circumstances did not result in injury to any person.
4.3 Factors to be considered
Clause 7 of the model Rail Safety Bill makes it clear that the obligation of duty holders
(see sections 28 and 29 of the model Rail Safety Bill) is to eliminate risks to safety; or if it is
not reasonably practicable, to reduce those risks so far as is reasonably practicable. The
provision goes on further to say that in determining what is ‘reasonably practicable’,
regard must be had to the following five factors:
• the likelihood of the risk concerned eventuating;
• the degree of harm that would result if the risk eventuated;
• what was known or ought reasonably to be known, about the risk and any ways of
eliminating or reducing the risk;
• the availability and suitability of ways to eliminate or reduce the risk; and
• the cost of eliminating or reducing the risk.
Each of the five matters above must be considered when demonstrating SFAIRP. The five
matters are described below.
The degree of harm that would result if the risk eventuated and the likelihood of the risk concerned eventuating
For the risk to be considered at all, the duty holder will have had to identify the risk.
Section 57(c) of the model Rail Safety Bill requires that the duty holder identifies and
assesses any risks to safety that have arisen or may arise from the carrying out of railway
operations on or in relation to the rail transport operator's rail infrastructure or rolling stock.
Having identified the risk, the degree of potential harm and the likelihood of its being
realised need to be considered jointly.
Harm refers to the potential severity of injuries and the number of persons that may be
injured if the risk eventuated.
It is clear from the cases over many years in all Australian jurisdictions that the degree of
harm that may eventuate is in practice the most important factor in determining what is
reasonably practicable (Sherriff, 2005). A realistic or appreciable risk of death, the risk not
being fanciful even if remote, is expected by the courts to compel efforts towards
elimination of the risk or reduction to a point very close to it.
Likelihood refers to the need to consider the frequency with which circumstances give rise
to any particular hazard, or with which a person or persons may be exposed to the hazard
and associated risk.
The foreseeability of such circumstances and the probability that these circumstances will
eventuate has been a factor in many court cases. For example, comments of the Court of
Criminal Appeal in The Queen v Australian Char Pty Ltd (1995) indicate the importance of
responding to foreseeability (and in turn likelihood):
…in many employment situations the risk of injury…is negligible so long as the
employee executes his work without inadvertence and takes reasonable care for his
own safety. But long experience has shown that employees do sometimes act
inadvertently or without due care for their own safety. It is in that context that an
employer must guard against such acts or omissions as may foreseeably cause
injury…
The degree of harm assessed should not be limited to the most likely outcome that could
eventuate. Consideration should also be given to the worst credible outcome. For
example, a low speed derailment may be expected to result in minor injuries, but the
potential for multiple fatalities and injuries is also there.
It may be argued that if there is only a low likelihood of very minor injury, such as minor
bruises or cuts, then the degree to which the risk reduction may be required may be far
less, opening up the possibility of directing resources towards the reduction of the risks
with potentially more severe outcomes. If however, there is a high likelihood of minor
injury then some significant effort should be made to reduce the risks even though the
consequences may be thought to be minor.
When considering these possibilities it becomes clear that decisions about risk elimination
or control should be based on the highest risk (i.e. the product of likelihood and degree of
harm).
As indicated in Part A of this guideline the undertaking of steps 1 (identification) and 2
(assessment) of the risk management process and the complementary process of
‘scoping the decision’ as part of the justified decision making process is a precursor to
fulfilling the duty holder’s obligations in relation to these matters.
The duty holder must ensure it has a good understanding of the risks for which it is
responsible. The duty holder needs to be in a position to show that they have identified
and documented the risk in order to be in a position to demonstrate that they understand
the risk. Three recommended steps are as follows:
• Determine how the risk is currently controlled (if at all).
• Identify not only the risk but the chain of events that leads to the risk eventuating, that
is, what are the precursors?
• Assess the likelihood and consequences of the risk, and how that risk contributes to
the overall risk profile.
This will require the following:
• appropriate competency of those involved in the assessment and may include access
to expert involvement; and
• consultation with the various stakeholders who are in a position to help ensure a
proper understanding of the hazards or risks and to ensure risk controls are
reasonable, accepted, practical and effective.
What the person concerned knows, or ought reasonably to know, about the risk and any ways of eliminating or reducing the risk
The previous two factors required the duty holder to have a good understanding of the
risk(s). Knowledge and understanding of the risk is an important precursor to treatment,
as without this knowledge and understanding, the duty holder will lack the means to do
anything about the risk. Having developed an understanding of the risk, consideration of
ways of eliminating or controlling the risk can be made.
The important aspect of the duty of care, established via the case law, is that it is not only
what the duty holder knows, it is also what the duty holder ought reasonably to know
about the available means of eliminating or controlling the risk. In general, this has been
interpreted by the courts to be the knowledge available to someone in the position of the
duty holder, that is, relevant industry knowledge. In effect, this establishes the minimum
expectation for duty holders. If the duty holder knows of additional or alternative controls,
or becomes aware of such, the duty of care obliges the duty holder to act on this
knowledge by carefully considering the reasonableness of applying the risk elimination or
risk control measure.
Understanding ways to eliminate or reduce risk can be gained by:
• reference to established standards, where applicable. This may include local and
international standards, codes of practice, company procedures and track access
agreements. The standards used must be applicable to the risk;
• reference to ‘good practice’; and
• drawing on knowledge held by those performing the assessment and of stakeholders.
The following should be considered when establishing what is ‘good practice’:
• The practice is established in the jurisdiction, or another jurisdiction which has railway
operations that are similar in scale to the operation in question.
• The practice is established and widely implemented in a similar industrial sector.
• The practice is enforced by legislation in more than one other country.
• The practice has demonstrably improved safety in its current application.
• The application of the risk elimination or control measure is relevant to the
circumstances, as shown by experience of other organisations facing similar operating
conditions.
• The established risk elimination or control measure or combination thereof has a
proven track record in terms of incident history both locally and internationally.
• The application of the risk measure is supported by existing reports or studies.
The availability and suitability of ways to eliminate or reduce the risk
Any potential alternative or additional risk controls should be considered for their suitability
to the duty holder's specific environment and operations. This requires the duty holder to
determine what options are available to them to reduce or eliminate the risk and if they are
suitable. The emergence of new technology or systems may offer new ways to control the
risks but the question of their availability and suitability remains.
In assessing the suitability of risk controls, the duty holder through analysis or professional
judgement may consider whether they will be:
• technically and logistically suitable, for example, compatible with the existing
systems or operating requirements, or available at the locations required;
• environmentally suitable, for example, suited to the climatic conditions or operating
environment; and
• effective at reducing the risk.
The following points should be considered:
• the level of risk reduction offered;
• the hierarchy of controls prescribed in OHS legislation should be used when
considering additional risk controls;
• the number of other independent risk controls providing protection;
• the potential for common failure modes which could render more than one risk
control ineffective;
• the number of hazards a particular control deals with; and
• whether the implementation of the risk control is significantly detrimental to other
service delivery goals (e.g. journey time). As with the other matters the sacrifice
must be balanced against the risk (likelihood and degree of harm).
If alternative or additional controls are not considered practicable then their rejection
should be justified. In adherence to the justified decision making process (adopted by the duty
holder), records of the decision should be kept.
The cost of eliminating or reducing the risk
The consideration of costs relative to benefits requires a value judgement to be made.
Case law indicates that duty holders should err in favour of making the expenditure on risk
controls. The decision to not act should only be made where the likelihood of injury is
remote or the cost is so disproportionate to the potential benefit that it would clearly be
unreasonable to require the expenditure (Sherriff, 2005). This so called ‘gross
disproportion’ test was established following the language of Lord Asquith in Edwards v
National Coal Board (1949). This case established that a computation must be made
[before the occurrence of an accident] in which
“the quantum of risk is placed in one scale and the sacrifice, whether in money, time
or trouble, involved in the measures necessary to avert the risk is placed in the
other; and that, if it be shown that there is a gross disproportion between them, the
risk being insignificant in relation to the sacrifice, the person upon whom the duty is
laid discharges the burden of proving that compliance was not reasonably
practicable.”
Bluff and Johnstone (2004:8) consider the Edwards v The National Coal Board judgement
definitively defined ‘reasonably practicable’. They go on to note (pp8-9) that these English
decisions have been confirmed by the Australian High Court. In Slivak v Lurgi (Australia)
Pty Ltd (2001):
The words ‘reasonably practicable’ have, somewhat surprisingly, been the subject of
much judicial consideration. It is surprising because the words ‘reasonably
practicable’ are ordinary words bearing their ordinary meaning. And the question
whether a measure is or is not reasonably practicable is one which requires no more
than the making of a value judgment in the light of all the facts. Nevertheless, three
general propositions are to be discerned from the decided cases: the phrase
‘reasonably practicable’ means something narrower than ‘physically possible’ or
‘feasible’; what is ‘reasonably practicable’ is to be judged on the basis of what was
known at the relevant time; to determine what is ‘reasonably practicable’ it is
necessary to balance the likelihood of the risk occurring against the cost, time and
trouble necessary to avert that risk.
The important observation to be made is that both the Coal Board and Slivak v Lurgi
judgements require a comparative assessment and balancing of costs and benefits.
A word of warning is necessary. A practical interpretation of relevant case law leads to
the conclusion that cost considerations will rarely justify doing nothing. It should be
remembered that the conduct or omissions of the party will most likely be considered with
the benefit of hindsight, in the light of an accident and probable injury, which will make
arguments about foreseeability and seriousness of consequences difficult to put
successfully in favour of the defendant.
Also a rail transport operator may be tempted to take into account its financial
circumstances when deciding what is reasonably practicable. It should be noted however
that case law establishes that ‘financial strength or weakness’ is not relevant in
determining the proper degree of care. Reasonable practicability is an objective test and
the specific financial circumstances of the duty holder are not relevant.
4.4 Applying and balancing the factors
All of the five factors must be considered in determining what is reasonably practicable.
The factors are inter-related and cannot be considered in isolation. The question of cost,
for example, cannot be considered without reference to the issues of likelihood, degree of
harm and availability of various ways to minimise the risk.
The determination of what is reasonably practicable must consider all of the five factors at
a particular point in time. What may have been impracticable or unreasonable will change
over time. Cost of new technology may be prohibitive in the first instance but reasonable
and affordable at a later point in time following a reduction in price. A risk control measure
not of practical use when combined with a particular machine may be able to be adopted
at a later point in time such that it is available and suitable. This highlights the fluid
nature of the duty of care and the on-going need for review and modification.
5. SFAIRP IN PRACTICE
Case law makes it clear that duty holders are not expected to do the impossible. For
example, in Holmes v R E Spence (1992) Justice Harper makes the point that:
…The Act does not require employers to ensure that accidents never happen. It
requires them to take such steps as are practicable to provide and maintain a safe
working environment… The courts will best assist the attainment of this end by
looking at the facts of each case as practicable people would look at them: not with
the benefit of hindsight, not with the wisdom of Solomon, but nevertheless
remembering that one of the chief responsibilities of all employers is the safety of
those who work for them. Remembering also that, in the main, such a responsibility
can only be discharged by taking an active, imaginative and flexible approach to
potential dangers in the knowledge that human frailty is an ever-present reality…
In acting to comply with duties of care, duty holders are armed with the best defence
against accident, incident and associated prosecutions by adopting and diligently
practicing the risk management process and by establishing and applying a
complementary justified decision making process. In most cases (given all the relevant
circumstances) the determination of what is reasonably practicable (the ‘taking of the
decision’) is expected to involve a direct judgement by appropriate persons based on a
qualitative assessment of costs and benefits. In some other cases a more detailed
quantified cost benefit analysis (CBA) may be required to better inform the decision. In
either case, a judgement will be required. Duty holders must be in a position to defend
their judgement with due reference to the 5 factors considered above.
PART C: METHODOLOGIES CONSIDERED
6. CONTENT AND PURPOSE
This section of the guideline comprises guidance of a more technical nature and details
some of the processes and techniques that could be used to determine what is
‘reasonably practicable’.
The content is suitable for those with more specialist technical background e.g. Safety
Managers. It assumes the reader is technically literate, but does not assume specialist
risk engineering knowledge.
This section presents a practical guide to demonstrating that a level of risk elimination or
control constitutes the undertaking of all that is reasonably practicable within the context
of an existing SMS. The focus is on evaluating measures to reduce risk by improving
existing controls or introducing new controls.
Qualitative, semi quantitative and fully quantitative risk assessment methods are
explained with reference to their applicability to the duty holder’s situation. A practical
example of the application of each of these methods is also provided.
Guidance is provided regarding the selection and prioritisation of risk improvement
projects, including how to judge reasonable levels of resources to be allocated to risk
reduction. Resource allocation for maintenance of existing risk profile is also addressed.
Risk analysis is an inexact and complex science. A number of simplifications have been
made in the presentations which may not suit all Safety Managers. Additional assistance
is available from the references provided throughout and at the end of the Guideline, or by
contacting the Rail Safety Regulator. Specialist Risk Management organisations may also
be able to assist in guiding the specific application of any given methodology.
6.1 Methodologies
The residual risk and risk reduction options may be evaluated using one or more of the
following approaches:
• qualitative analysis, such as benchmarking against standards, codes and Recognised
Good Practice, or using Energy Barrier/Bow Tie techniques (refer to section 7);
• semi quantitative analysis with methods such as risk matrices (refer to section 8);
• quantitative risk analysis (QRA) with methods such as Fault and Event Trees and Cost
Benefit Analysis (refer to section 9).
The degree of justification provided is expected to be proportional to the risk being
addressed. This consideration generally drives the method of analysis selected. (Refer to
section 3.2 of Part A for further discussion)
Where quantitative analysis is used, care should be taken to ensure that the numeric units
of risk that have been used are understood. Any assumptions should be made explicit.
Whatever the method used, suitable records need to be kept. The duty holder is expected
to have a very good understanding of the nature of the causes and consequences of
hazards in order to demonstrate that all possible hazards / risks have been foreseen and
addressed SFAIRP. The duty holder needs to be in a position to demonstrate this.
Energy barrier analysis, Bow tie analysis, Fault tree-Event Tree and other common risk
identification and analysis techniques can be useful presentation tools in this regard.
Note that the Principal Risk Register provides a starting point and valuable resource for
this task.
7. USING QUALITATIVE ANALYSIS
This section of the Guideline explains qualitative risk analysis and how to carry out the
analysis using the various components of the “BowTie” methodology.
The Bow Tie methodology is a useful tool for:
• documenting low risk hazards; and
• illustrating control measures for hazards of any level of risk.
Qualitative analysis is any method of analysis which uses description rather than
numerical means to define a level of risk.
Qualitative methods for generating information for risk analysis include:
• evaluation using multidisciplinary groups;
• specialist and expert judgement; and
• structured interviews and questionnaires.
Even where qualitative analysis has been used, best possible use should be made of the
available information. In particular, presentation of any risk situation (any level of risk) can
be enhanced through use of a Bow Tie presentation.
7.1 Energy Barrier or Bow Tie Model
An increasingly adopted approach to qualitative risk management is the “Energy Barrier”,
or “Bow Tie” model popularised by James Reason. The model allows for a systematic
consideration of:
• accident causation (a combination of hazardous events and failure of defences); and
• preventive defences (preventing the initial incident) and mitigative defences and
recoveries (limiting the impacts of the incident).
It is assumed in this model that each specific hazard can be represented by one or
several threats that have the potential to lead to an incident or initiating event. Each
accidental event may lead to unwanted consequences.
For each threat, one or several “barriers” can be specified to prevent or minimise the
likelihood of hazards becoming manifest as accidents and incidents. For any barrier there
may be internal or external factors that affect its effectiveness.
These factors or barrier failure modes can be controlled by “secondary barriers”. Any
threat should have a sufficient number of primary and secondary barriers to ensure the
integrity of the system.
If a hazard is released, the accidental event can escalate to one of the several possible
consequences or outcomes. To prevent escalation, the mitigation measures, emergency
preparedness and escalation controls (recovery measures) need to be in place to stop the
chain of event propagation and/or to minimise the consequences of escalation.
The Bow Tie is simply one way of presenting this information diagrammatically. However,
because the method illustrates the use of barriers to prevent and mitigate the risk of an event
occurring, it may often also be referred to as the “Swiss Cheese Model”.
The strength of the approach is that it ensures a detailed evaluation of individual causes,
controls and outcomes and how they are linked together. It provides a way of
representing results from a hazard analysis and evaluation in a manner that may be
readily understood at all levels in an organisation.
The Bow Tie analysis is a qualitative approach, suitable for low-risk situations. As an
illustrative tool, it can be suitable for any situation. The focus is on control measures
rather than the size of residual risk.
A significant development in this approach is the integration of the (management) safety
critical activities and tasks with hazard controls (barriers, secondary barriers, and recovery
measures).
Tasks are grouped into the high level activities to preserve the logic of the system. Each
task is described along with its execution party, task inputs, task competence, method of
verification and frequency. In associating tasks with the hazard controls, the integrity of
the safety management system is demonstrated.
This integration of the SMS with the identified threat barriers, recovery measures and
escalation factor controls is compliant with the recommendations on integrated safety
management systems specified by Justice McInerney in his final report on the Special
Commission of Inquiry into the Waterfall Rail Accident (2005).
A typical Defence in Depth Bow-tie diagram illustrating an integrated SMS is illustrated in
Figure 7.
Figure 7: Elements of the Bow Tie showing integration with the SMS
7.2 How to use the Bow Tie methodology
“Bow Tie” analysis is one of a family of fairly generic methodologies which can vary
substantially in quantitative rigour - from highly quantitative (then called “cause consequence analysis”) through to highly qualitative. The method described here is a
qualitative method.
The method gets its name from the central role of the “top event” or “accident”. In rail
safety the top events can be defined colloquially as “things we really don’t want to
happen”. Examples are:
• collision between trains;
• derailment of a train;
• fire on a railway station.
Both defences and mitigations are forms of “controls”. On the left hand side of the Bow
Tie are all of the events which needed to come together for the top event to happen (the
causes). On the right hand side are all the possible consequences and what leads to
them (the consequences). Visually the effect is like a Bow Tie. Hence the name.
The preventive (left hand) elements of the hazard model can be viewed as a logical
simplification of a Fault Tree. The mitigative (right hand) elements (recovery measures)
can also be viewed as a simplification of an Event Tree.
The overall Bow-tie model can then be used to convey the logical complexity of a detailed
rail risk model in a way that is both easily comprehensible and emphasises the risk
management ‘controls’ that Fault and Event Trees don’t always manage to highlight
adequately.
In terms of the analysis, accidents happen when hazards are activated by threats.
Hazards are latent conditions (such as combustible material under escalators) which
should not be there, while threats are common, generally unavoidable events which can
happen at any time (eg the lighting of a match). When a “threat” occurs in the presence of
a “hazard”, the result can be an “accident” (eg a station fire). The accident is the top
event.
On the right half of the Bow Tie are the possible consequences of the accident. Of
interest here are those consequences which involve death and injury.
Between the hazard and the accident are defences as well as threats. These are
measures put in place to prevent the hazard and the threat coming together to cause the
accident (for instance: “employ cleaner to remove rubbish periodically” and “display ‘no
smoking’ signs in station and near escalators”). Defences reduce the likelihood of an
accident.
Between the accident and the consequences are shown “mitigations”. These act to ensure
that, although the accident has happened, the consequences are minimised (for instance:
provision of fire extinguishers and instigation of the Emergency Plan). Mitigations and
Recovery Measures reduce the “consequences” of the accident.
The final aspect associated with the Bow Tie is the set of individual “systems” which comprise
the SMS. These are the source of the defences and mitigations (eg cleaning standards
and emergency management plan).
7.3 Case Example: Derailment in Tourist-Heritage Railway
The Bow Tie method is qualitative in nature. For this reason, the Bow Tie method may be
especially appropriate for analysing risk in a tourist or heritage railway.
An illustration of the Bow Tie method used to analyse a train derailment due to faulty rail
bed on a tourist railway and integrated with the railway’s SMS is shown in Figure 8.
The Bow Tie is constructed by considering the ‘threats’ associated with the hazard, which
can cause a train derailment. Information has been gathered from subject matter experts
on the controls in place against the hazard (left hand side) and mitigative systems in place
to control the consequences of a derailment if it occurs (right hand side).
The user can see from this where controls are entirely absent and make a qualitative
assessment of whether controls provided are of the right type given the hazard controlled.
Figure 8: Bow tie presentation for train derailment on tourist/heritage railway
8. USING SEMI-QUANTITATIVE ANALYSIS
This section explains the following aspects of semi-quantitative analysis:
• categories are selected to provide proportional differences between categories: in an
order of magnitude assessment a logarithmic scale is used, so that adding (rather than
multiplying) the indices in the table gives the risk;
• index numbers can be related to actual risk expressed quantitatively;
• use of accident and fatality statistics can ground the outcomes; and
• the risk workshop process: how to arrange it, who to invite and how to document it.
8.1 Order of Magnitude Analysis
Semi-quantitative analysis is sometimes characterised as “order of magnitude analysis”.
It is used where the likelihood and consequence of accidents can be estimated by a
subject matter expert, though not to a large degree of accuracy.
In practice, a majority of risk assessments actually carried out by duty holders are based
on this method.
Such analysis is appropriate in the context of a medium or low risk event, where the duty
holder can tolerate risk estimates being out by large factors without affecting overall risk,
and where accurate estimates of risk factors are not available.
Focus in this method is on the size of the risk rather than the controls in place. In some
cases, a Bow Tie diagram may be complementary, presenting in an illustrative way
additional information concerning structure of controls for the SMS.
8.2 The Risk Matrix Methodology
The risk matrix approach, when properly applied, provides an “order of magnitude”
assessment of safety risk.
The matrix is constructed with “likelihood” on one axis and “consequence” on the other
and an index of ratings attributed to each. Sample index definitions for likelihood and
consequence ratings are shown in Figure 9.
Figure 9: Sample index definitions
Rating | Likelihood (system wide) | Consequence | Relativity scale
5 | Highly likely to occur (more than once per year) | Catastrophic to individual or business (multiple fatalities) | 5 incidents per year; 5 fatalities per incident
4 | Likely to occur (yearly) | Major impact on individual or business (fatality or serious injury) | 1 incident per year; 1 fatality per incident
3 | May or may not occur (frequency once every 1 to 5 years) | Moderate (major LTI) | 1 incident per 5 years; 1/5 fatalities per incident
2 | Unlikely to occur (frequency once every 5 to 20 years) | Minor (minor LTI) | 1 incident per 25 years; 1/25 fatalities per incident
1 | Highly unlikely to occur (frequency less than once every 20 years) | Insignificant (no management action or medical treatment required) | 1 incident per 100 years; 1/100 fatalities per incident
A scaled index is provided for each of these, as shown in Figure 10.
It can be seen that the scales are intended to be logarithmic in nature. The difference
between a rating of 3 and 4 in likelihood is an order of magnitude increase in likelihood,
with a further order of magnitude increase going from 4 to 5.
Similarly on the consequence scale, the difference between a 3 and a 4 is intended to be
an order of magnitude difference in severity (as modified by the “disaster effect”). Thus the
two scales are logarithmic in nature. Adding these index numbers in the body of the table
is then the same in principle as multiplying fully quantified likelihood by consequence to
give risk.
The numbers in the body of the table can also be related to actual accident statistics
recorded by the duty holder or across a number of similar duty holders giving a sanity
check for the final outcomes.
In applying the methodology, the Principal Risk Register will contain the risks to be added
to and/or assessed by a “panel of experts”.
In making their judgements on likelihood and consequence, the following interpretation of
terms should be used:
• Likelihood is the likelihood of the accident happening anywhere across the duty
holder’s network. So if “1 event in 10 years” is chosen for train collisions, it means the
duty holder expects 1 train collision overall in 10 years. For level crossing collisions, we
may expect several accidents per year network-wide (the “per crossing” rate is not
used here). This again will be reflected in a higher index number.
• Consequence is the expected consequence for a more serious occurrence of the
accident (not the worst possible outcome).
Care needs to be taken in setting up the risk register to ensure that the risk items are at a
comparable level of aggregation between risk factors. For instance, it may be common
knowledge that a train collision occurs on average once in ten years (likelihood = 3 in
terms of the table). However, where there are 10 equally probable causes of such
collisions, each cause will be responsible for the event only once in a hundred years
(likelihood = 2 in terms of the table).
Often the Principal Risk Register will contain more than one entry which will describe the
cause of the same incident. For instance:
• collision due to SPAD;
• collision due to over-speed;
• collision due to disabled driver.
This could indicate an opportunity for improvement for the PRR, but it is not an essential
requirement that the risks be mutually exclusive, only that they be at about the same level.
That said, it is desirable that events be exclusive where possible.
Figure 10: Sample risk matrix
8.3 The Risk Workshop
As part of using this method of risk analysis a risk workshop is often used. The success
of the risk workshop relies on the involvement of experts in the area to be assessed. The
assessments made will be on the basis of the judgement and experience of these people.
The starting point for the assessment is the sections of the existing Principal Risk Register
relevant to the subject to be risk assessed. Where a change is being assessed, new risk
factors may be added and existing risks annotated or modified according to the effect of
the change.
The purpose of the workshop is to ensure that all relevant hazards have been identified
and risk assessed. To do this successfully, subject matter experts in each aspect of the
item being assessed should participate in the risk workshop. There is a danger otherwise
that a relevant hazard will go unidentified and uncontrolled.
Selecting the participants for the risk workshop is thus an important task.
The actual invitees will vary according to the topic being assessed. Good subject matter
experts will have detailed knowledge of equipment, standards and locality. Groups of
experts will also be able to assess interface issues between disciplines.
To ensure efficiency in the assessment meeting, the draft assessment should be
distributed to participants for review prior to the meeting. Participants should then come
to the meeting prepared to use the draft assessment as a starting point for the formal
review. The action of the meeting, based on the range of expertise present, may range
from completely rewriting the assessment to simply affirming it.
It is important that the output from the meeting is endorsed by all the participants who
have contributed their expertise.
8.4 Case Example: Signal Overlaps Project
The following example is based on an actual assessment to evaluate the change in risk
associated with a mitigation project – in this case a project to reduce the risk of collision
between trains due to SPADs.
The table on page 38 (Figure 12) shows one of the relevant entries from the Principal Risk
Register.
In this case the accident is a collision with one train stopped in a platform and a second
passing a signal at stop. The inherent risk (L1, C1) is the risk of the event assuming no
controls in place. Since all duty holders apply controls for this risk, the figure is not an
observable risk (except perhaps by observing past rail practices of other railways
before controls were put in place), but an estimate. The incidence of SPADs can be
measured; the incidence of collisions in platforms, if no overlaps are provided, can then be
estimated. Statistics from rail authorities (e.g. in the US), where overlaps and other controls
are absent, can also be referred to.
In this case, likelihood is assessed as 5 (more than 1 collision per year to this cause) and
expected outcome assessed as 4 (single fatality, multiple serious injuries). The
associated risk is “extreme” (mitigation must be taken).
The “base risk” (L2, C2) is then the residual risk with current controls in place as per the
approved SMS. In this case the mitigations are the current signalling system and overlaps
provided.
Since the inherent risk is “extreme”, a quantitative standard is called for. This is met in
this case by ensuring that the signal design, procurement and installation are to SIL4 or
“vital” standards (refer next section). In the assessment, the likelihood is reduced to 2
(once every 5-20 years) with consequence still 4. The risk is then “medium”.
The project is to introduce additional control measures to further reduce the risk. In this
case the essential change is in new design guidelines to be applied generally, though with
reference to a particular location. This leads to the “Project Residual Risk” (L3, C3),
assessments based on application of the guideline system-wide. The likelihood is
predicted to reduce to 1 (once every 20-100 years) and the risk to “low”, in the “Broadly
Acceptable region”.
Additional risk factors are assessed apart from the one presented here in detail. These
include “collision due to SPAD past signal protecting converging points” and “collision due
to driver disability”.
It can be seen that these risks are not always independent of each other. In an ideal
world, the Principal Risk Register would be constructed so that all risks identified are
independent, but this is generally not achieved in practical risk registers.
For a semi-quantitative (“order of magnitude”) analysis, it is more important that risks are
identified at a common level of aggregation than that they be independent. For example,
a system-wide risk of derailment due to over-speed can be compared directly with the
system-wide risk of collision due to SPAD, but not directly with risk due to all causes, or with
the risk of derailment at a particular location.
The process is not intended to have the same level of rigour as a fully quantitative
analysis.
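The following Python script is an added worked example (not part of the guideline). It takes the Figure 9 relativity scale as the representative quantitative value of each index, shows why adding the likelihood and consequence indices in the table ranks cells the same way as multiplying the fully quantified values (section 8.2), disaggregates a system-wide frequency over equally probable causes, and applies the arithmetic to the three assessments of the Signal Overlaps case: (L1, C1) = (5, 4), (L2, C2) = (2, 4) and (L3, C3) = (1, 4). The Figure 10 risk bands are not reproduced, so no band is assigned to a sum.

```python
"""Worked example: semi-quantitative risk index versus quantified risk.

Added example, not part of the NTC guideline. Representative values are the
guideline's Figure 9 relativity scale; the Figure 10 risk bands (extreme /
high / medium / low) are not reproduced here, so no band is assigned.
"""
from itertools import product

# Figure 9 relativity scale: likelihood index -> incidents per year (system
# wide), consequence index -> fatalities per incident.
LIKELIHOOD_PER_YEAR = {5: 5.0, 4: 1.0, 3: 1 / 5, 2: 1 / 25, 1: 1 / 100}
FATALITIES_PER_INCIDENT = {5: 5.0, 4: 1.0, 3: 1 / 5, 2: 1 / 25, 1: 1 / 100}

# Signal Overlaps case (section 8.4): (likelihood, consequence) at each stage.
SIGNAL_OVERLAPS_CASE = {
    "inherent (L1, C1)": (5, 4),          # no controls in place
    "base (L2, C2)": (2, 4),              # current signalling and overlaps
    "project residual (L3, C3)": (1, 4),  # overlap guideline applied system-wide
}


def risk_index(likelihood: int, consequence: int) -> int:
    """Semi-quantitative risk: the two indices are added, not multiplied,
    because each index is already a logarithmic scale."""
    return likelihood + consequence


def expected_fatalities_per_year(likelihood: int, consequence: int) -> float:
    """Fully quantified equivalent of the same cell: frequency x severity."""
    return LIKELIHOOD_PER_YEAR[likelihood] * FATALITIES_PER_INCIDENT[consequence]


def index_sum_is_monotone() -> bool:
    """Sanity check: a cell with a strictly higher index sum must also have a
    strictly higher quantified risk. Cells with equal sums are allowed to tie."""
    cells = list(product(LIKELIHOOD_PER_YEAR, FATALITIES_PER_INCIDENT))
    for (la, ca), (lb, cb) in product(cells, repeat=2):
        if risk_index(la, ca) > risk_index(lb, cb):
            if expected_fatalities_per_year(la, ca) <= expected_fatalities_per_year(lb, cb):
                return False
    return True


def split_across_causes(system_wide_per_year: float, n_equal_causes: int) -> float:
    """Disaggregate a system-wide frequency over equally probable causes: an
    event seen once in 10 years with 10 equal causes gives each cause a
    frequency of once in 100 years (the register aggregation point in 8.2)."""
    if n_equal_causes < 1:
        raise ValueError("need at least one cause")
    return system_wide_per_year / n_equal_causes


def risk_reduction_factor(before: tuple, after: tuple) -> float:
    """Factor by which the quantified risk falls between two assessments."""
    return expected_fatalities_per_year(*before) / expected_fatalities_per_year(*after)


def summarise(case: dict) -> list:
    """Rows of (stage, L, C, index sum, fatalities per year) for a register entry."""
    rows = []
    for stage, (lik, con) in case.items():
        rows.append((stage, lik, con, risk_index(lik, con),
                     expected_fatalities_per_year(lik, con)))
    return rows


if __name__ == "__main__":
    print(f"index sums consistent with quantified risk: {index_sum_is_monotone()}")
    for stage, lik, con, idx, rate in summarise(SIGNAL_OVERLAPS_CASE):
        print(f"{stage:28s} L={lik} C={con} L+C={idx:2d} ~{rate:.3f} fatalities/year")
    print(f"inherent -> base reduction: x{risk_reduction_factor((5, 4), (2, 4)):.0f}")
    print(f"base -> project reduction:  x{risk_reduction_factor((2, 4), (1, 4)):.0f}")
    # 10 equally probable causes of an event seen once in 10 years
    print(f"per-cause frequency: {split_across_causes(1 / 10, 10):.3f} per year")
```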
At this point, it is appropriate to conduct the Risk Workshop. Typical invitees to be
involved and the knowledge they would bring to the workshop are illustrated in Figure 11.
Figure 11: Risk Assessment Committee Composition
Attendee | Purpose/expertise
Network Safety Representative | Knowledge of rules and procedures. Experience of incident investigation and loss assessment for practical accidents on the network.
Signal Engineer | Knowledge of signal design standards and the practical effect of the change on designs and safety margins.
Project’s Engineer | Knowledge of the measures proposed to be undertaken by the project.
Signaller | Knowledge of practical considerations for day to day signal control (eg human factors considerations).
Driver | Knowledge of practical considerations for day to day driving of trains and observing any changes to signal aspects (eg human factors considerations).
Signal Maintainer | Knowledge of practical considerations for day to day maintenance of any new equipment (eg reliability or maintainability considerations).
Vehicle Engineer | Knowledge of vehicle design standards and the practical effect of the change on designs and safety margins where changes to vehicles are proposed.
“Other” Engineers | Subject matter experts in particular design areas impacted by the change.
At the meeting, each relevant risk entry is reviewed and updated according to the
comments of the meeting. Ideally the changes to the assessment are made to the risk
register at the actual meeting so that all attendees can agree the change. Additional risks
relevant to the change can also be included and assessed at the meeting. The final
assessment should be agreeable to all attendees.
In the sample risk table provided (Figure 12), the draft assessment comments (distributed
for initial review) are shown in black while the comments provided at the meeting itself are
shown in red. The final numerical assessments (L3, C3) are modified as agreed by the
meeting.
On the “project cost” side (not presented in the actual assessment or discussed at the
assessment meeting) a number of implementation options will generally exist, each with
its own cost profile. In the case of introducing a new guideline, the options generally are:
• Require the guidelines to be adhered to for all future works as well as
implementing a rework project to modify all existing locations.
• Require the guidelines to be adhered to for all future works as well as
implementing an annual works program to modify all existing locations in priority
order over a number of years.
• Require the new standard for new projects only.
Figure 12: Sample Risk Register entry
Signal Overlaps Project - Risk Register
Risk ID: C 1-1.1
Principal Risk Register (relevant risks identified in system prior to mitigations provided by project)
Potential Hazard: Train to train collision
Event: Train exceeding authority (SPAD)
Description: Train collides with stationary train in platform (as in accident at Footscray)
Inherent Risk (no controls, from PRR)
L1 = 5, C1 = 4, R1 = E
PRR residual risk (controls provided by SMS prior to project)
R2 Mitigations: Trains are provided with line speed overlaps in 3 aspect areas, and 2
signal warning plus medium speed (from 40 km/hr) in 4 aspect areas.
L2 = 2, C2 = 4, R2 = M
Additional controls provided by project
R3 Mitigations: Overlap protection guidelines ensure that a line speed overlap (based on
vehicle's specified emergency braking + 20% distance). Note that where 4 aspect signalling
is provided and available overlap clear of platform is greater than line speed emergency
braking + 10% (the specified vehicle tolerance), the platform track may be omitted as a
low risk. In one case (321 signal) for this project, line speed braking + 10% only is
provided. Where a medium speed overlap only is available, speed proving (approach
operated signal with timing track) to prove "train under control" is provided as a
supplementary measure to allow earlier clearing of signals.
9. USING QUANTITATIVE RISK ANALYSIS
This section of the guideline explains where it is appropriate to use Quantitative Risk
Assessment (QRA). Circumstances where QRA is appropriate are where:
• the risk is high or extreme;
• the risk is the highest in the duty holder’s Principal Risk Register;
• a novel change, or a reduction in a control for an inherently high or extreme risk, is
being considered.
In some cases, the duty holder can rely on the QRA carried out by a supplier rather than
needing to carry out a separate comprehensive QRA for a new system being introduced.
9.1 Introduction to Concepts
A quantitative risk assessment may be used in the context of a high residual risk, or in the
case of a high or extreme inherent risk.
In practice, for a duty holder with an existing SMS, there will be few if any risks remaining
in the “high” category since projects for further controls would be expected to reduce this
level almost immediately.
It is much more common for duty holders to have inherent risk in the high or extreme
range. In these cases, it is important that new systems introduced to control these
inherent risks have been subjected to a quantitative risk analysis (note that existing
systems may not have been subjected to such analysis – their acceptance is based on
proven performance in “vital” systems over their years of service rather than a formal
analysis). This risk analysis is generally carried out by the system developer rather than
the duty holder and is expressed as a “Safety Integrity Level” (SIL) for the
equipment and design processes.
Safety Integrity Level (SIL)
Analysis of Safety Integrity Level (SIL) is not something generally undertaken directly by a
duty holder. It is undertaken by suppliers to provide assurance that the systems they
supply meet the specified safety criteria.
The value of SILs to the duty holder is that, by requiring them in a supply specification, the
need for separate, detailed Quantitative Risk Analyses by the duty holder can be avoided
for many safety critical systems.
SIL is defined as a quantitative measure of hazard rate for a safety related subsystem.
The SIL is defined at five levels between SIL-0 (non safety related) to SIL-4 (highest
available safety rating). Each successive SIL level step represents a single order of
magnitude improvement in hazard rate over the step below.
SIL is defined in AS 61508.4 Functional safety of electrical/ electronic/ programmable
electronic safety related systems (paragraph 3.5.6) as:
“Discrete level (one out of a possible four) for specifying the safety integrity
requirements of the safety functions to be allocated to the E/E/PE safety-related
systems, where safety integrity level 4 has the highest level of safety
integrity and safety integrity level 1 has the lowest.”
The standard sets the minimum dangerous failure rate that can be assumed for a non-safety
designated system at 10^-5 and the minimum dangerous failure rate that can be
assumed for a safety designated system at 10^-9.
The SIL levels for subsystems both in “on demand mode” and “continuous operation
mode” are defined as shown in Figure 13.
National SFAIRP Guideline
Draft March 2007
Page 31
Figure 13. Safety Integrity Levels

Low demand mode of operation
(Average probability of failure to perform its function on demand)
Safety Integrity Level 4: ≥ 10^-5 to < 10^-4
Safety Integrity Level 3: ≥ 10^-4 to < 10^-3
Safety Integrity Level 2: ≥ 10^-3 to < 10^-2
Safety Integrity Level 1: ≥ 10^-2 to < 10^-1

High demand or continuous mode of operation
(Probability of a dangerous failure per hour)
Safety Integrity Level 4: ≥ 10^-9 to < 10^-8
Safety Integrity Level 3: ≥ 10^-8 to < 10^-7
Safety Integrity Level 2: ≥ 10^-7 to < 10^-6
Safety Integrity Level 1: ≥ 10^-6 to < 10^-5
Between those extremes, the ability to claim a particular SIL level is a function of the
design and implementation processes in place as well as the inherent reliability of the
components. According to EN 50129, this failure rate is made up of:
• Systematic failure rates – failures caused by human error in the specification, design,
manufacture, installation and maintenance processes. These errors are controlled by
having in place processes as set out in the standards.
• Random failure rates – failures caused by factors of an unpredictable nature, but
measurable.
The focus of the standards is then on defining the appropriate processes to have in place
to achieve the desired SIL level. Tables presented at EN 50129 Annex E, EN 50128
Annex A, AS 61508.2 Annex B and AS 61508.3 Annex A & B are illustrative.
Thus, achievement of a particular target SIL level is a matter of instituting the appropriate
life-cycle processes from the start rather than a matter of carrying out a measurement at
the end. SIL levels are not assigned to legacy systems.
In demonstrating that a particular SIL level has been achieved it is necessary to
demonstrate that the mandatory processes specified in the relevant standard have been
followed. This in itself may not be sufficient, as the processes specified for SIL 3 and SIL 4
systems in EN 50128 are the same. Therefore agreement needs to be reached between
stakeholders at the commencement of the project as to what will be acceptable
demonstration that the specified SIL level has been achieved.
SILs Application
For the duty holder, the requirement for a particular SIL level (generally SIL-4 for “vital”
equipment) can be stated in the semi-quantitative risk assessment as one of the controls.
The duty holder should then ensure that specifications issued contain a similar
requirement where called up in the analysis.
9.2 Quantitative Risk Analysis
Quantitative Risk Assessment (QRA) refers to methods that use numerical values for both
likelihood and consequences, rather than the descriptive and “order of magnitude” scales
used in qualitative and semi-quantitative analysis.
This level of accuracy in analysis of data is appropriate where the particular risk or group
of risks is in the “high” or “extreme” range. It can also be appropriate where the risk being
assessed is the highest identified in the Principal Risk Register. Such a risk may “drive”
the overall risk exposure of the duty holder. By controlling or eliminating such a risk, the
overall risk exposure of the duty holder may be reduced substantially.
QRA techniques such as Fault Tree / Event Tree techniques may be used to analyse the
effectiveness of control options.
Dealing with Uncertainty in QRA
To be effective, QRA requires a good safety performance measuring system to provide data
that will support the process. Without this, QRA can be little more than a series of well
intentioned estimates that may add little more than less intensive techniques can offer.
Proxy data from other sources (eg comparable rail authorities) can be used, but only on
the basis that differences between the rail authorities can be adjusted for appropriately in
the risk estimates. In some cases, differences between rail authorities will make
comparative data not usable at all.
The quality of the analysis depends on the accuracy and completeness of the data
sources for the numerical values and the validity of the models used.
The uncertainty and variability of both consequences and likelihoods should be
considered in the analysis and recorded.
Since some of the estimates in QRA are imprecise, a sensitivity analysis should be carried
out to test the effect of uncertainty on anticipated outcomes.
9.3 Fault Tree Analysis
Fault Tree Analysis (FTA) is used to analyse the likelihood of events occurring that could
result in an accident or incident.
Fault Trees can be used either as a graphical representation of a risk or they can be
quantified, making them useful for evaluating the likelihood of a risk.
The technique describes how undesirable events occur in combinations of individual
system, component and / or operator failures. In complex situations where there are
combinations of failures that can lead to the risk, use of a Fault Tree aids the identification
of these combinations and can present those combinations concisely.
Fault Trees are used to:
• identify possible causes of system, component or operator failure;
• predict failure probabilities and rates;
• identify areas for improvements;
• predict the effects of change; and
• develop and/or demonstrate a detailed understanding of a system.
A Fault Tree is structured with a "top event" with probable causes placed below it on the
tree. By analogy with the Bow Tie analysis discussed earlier, the FTA is the left hand side
of the bow tie in quantitative form. The “top event” or “incident” is the same in both cases.
“Gates” are used for calculating likelihood:
• an “AND” gate signifies that both, or all, events have to occur; their probabilities are multiplied;
• an “OR” gate signifies that only one of the events has to occur; their probabilities are added.
A typical Fault Tree is shown in Figure 14.
Figure 14. Example of a Fault Tree
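The gate arithmetic described above, as an added example that is not code from the Guideline: AND gates multiply the probabilities of their inputs and OR gates add them, as the text states. The addition is the rare-event approximation; the exact OR probability for independent inputs is 1 minus the probability that none of them occurs, and the evaluator below computes both so the gap can be checked. The tree, its event names and its probabilities are constructed for illustration only.

```python
# Added example: evaluating AND/OR gates in a Fault Tree.
# Not code from the Guideline; the tree, event names and probabilities are constructed.
from dataclasses import dataclass
from typing import List, Union


@dataclass
class BasicEvent:
    """A leaf of the tree: a system, component or operator failure with a known probability."""
    name: str
    probability: float


@dataclass
class Gate:
    """An AND or OR gate combining the events/gates beneath it."""
    name: str
    kind: str  # "AND" or "OR"
    inputs: List["Node"]


Node = Union[BasicEvent, Gate]


def probability(node: Node, exact_or: bool = True) -> float:
    """Probability that the node occurs, assuming independent inputs.

    AND: all inputs must occur, so their probabilities multiply.
    OR:  any input suffices. exact_or=True uses 1 - prod(1 - p); exact_or=False uses
         the simple sum described in the Guideline (rare-event approximation), capped at 1.
    """
    if isinstance(node, BasicEvent):
        if not 0.0 <= node.probability <= 1.0:
            raise ValueError(f"{node.name}: probability out of range")
        return node.probability
    inputs = [probability(child, exact_or) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in inputs:
            result *= p
        return result
    if node.kind == "OR":
        if exact_or:
            none_occur = 1.0
            for p in inputs:
                none_occur *= 1.0 - p
            return 1.0 - none_occur
        return min(sum(inputs), 1.0)
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")


def approximation_error(node: Node) -> float:
    """Absolute amount by which the additive OR rule overstates the top-event probability."""
    return probability(node, exact_or=False) - probability(node, exact_or=True)


def example_tree() -> Gate:
    """Constructed illustration: an unprotected SPAD needs both a driver error and a
    failure of the protection that should have caught it."""
    return Gate("Top event: train passes signal at danger unprotected", "AND", [
        Gate("Driver does not stop at red", "OR", [
            BasicEvent("Driver misreads signal", 1e-3),
            BasicEvent("Driver distracted or incapacitated", 2e-3),
        ]),
        BasicEvent("Train protection system fails on demand", 1e-2),
    ])


if __name__ == "__main__":
    top = example_tree()
    print(f"additive OR: {probability(top, exact_or=False):.4g}")
    print(f"exact OR:    {probability(top, exact_or=True):.4g}")
```

For basic events with small probabilities the two OR rules agree to within a fraction of a percent, which is why the additive rule is acceptable in practice; for inputs that are individually likely the sum can exceed 1 and must be replaced by the exact form.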
The strengths of FTA are:
• they are very widely used and the theory is well developed;
• there are many published texts and papers to refer to;
• there are a substantial number of engineers trained in FTA;
• complementary information is available from qualitative and semi-quantitative
analysis; and
• they are graphically easy to read and understand.
The weaknesses of FTA are:
• they can be very time consuming to construct;
• there may be errors if branches (paths) are missed;
• substantial experience is needed;
• there is an assumption of the binary nature of failures; and
• they are a snapshot in time and need constant updating in dynamic or evolving
systems.
9.4 Event Tree Analysis
Event Tree Analysis (ETA) is used to determine the possible sequences of consequences
that could result from a fault occurring.
Although Event Trees can be used alone, they are most commonly used in conjunction
with Fault Trees to quantify a risk. This is because fault trees only look at the probability
of an event occurring but not the consequence of the event.
ETA graphically presents a logic model which identifies and quantifies outcomes of an
initiating event and subsequent events. For example, an Event Tree may start with a fire
as an initiating event, which by itself may cause little harm. However, if a subsequent
event was the failure of the fire detection system, the consequences of the fire may be
extreme.
In an Event Tree, subsequent events are conditional on the occurrence of each precursor
(causal factor). As such, ETA outcomes are normally binary, meaning the control was
either a success or failure.
Figure 15. Example of an Event Tree: Light Rail Vehicle equipped with Emergency Door Release in collision with motor vehicle
Event Trees can include a range of outcomes if there are various combinations of
predicted success or failure of an event. For example a detection system may not entirely
fail; instead it could be 90% or 80% effective, requiring the separate consideration of the
different scenarios.
ETA is an inductive type of analysis in which the basic question addressed is “what
happens if …?” It provides the relationship between the functioning or failure of the
control option being assessed and the ultimate hazardous outcome following an initiating
event.
By analogy with the Bow Tie analysis discussed earlier, the ETA is the right hand side of
the bow tie in quantitative form.
The consequences of interest from the analysis are the fatalities, serious and minor
injuries. It is important to the risk model that numbers used in the analysis are estimated
to the same precision as that achieved in the FTA.
Fault Trees and Event Trees can be put together to create a Cause – Consequence
diagram. This is the quantified version of the Bow Tie analysis. The strengths of Event
Trees are:
• they present the event outcome in a systematic and logical way that can be readily
understood and verified or modified by others;
• the logic and mathematical computations are simple;
• pre-incident Event Trees highlight the value and potential weaknesses of
protective systems, especially indicating outcomes that lead directly to failures with
no intervening control measures; and
• post-incident Event Trees highlight a range of outcomes that are probable.
The weaknesses of Event Trees are:
• they assume events are independent and conditional only on the precursor event;
• each node within the Event Tree doubles the number of outcomes (binary logic)
and increases the complexity of the frequency calculation; and
• there is a practical limit to how many headings can be presented (usually 8
to 10).
9.5 Case Example: Light Rail Vehicle in Collision
The example of the Event Tree shown in Figure 15 illustrates the case example. It has
been constructed to assess the benefits of installing Emergency Door Release on Light
Rail Vehicles.
The quantified analysis attempts to compare the benefits of allowing passengers to self-evacuate against staying aboard the Light Rail Vehicle.
In any such analysis, justification of data used is vital to the quality of the assessment. It
should also be understood that assumptions made for one environment may not
necessarily be true when applied to another environment.
The Event Tree shown in Figure 15 makes a number of assumptions and uses data from
a number of sources.
In the example, it has been deduced from accident statistics that on average there are
1100 collisions a year between Light Rail Vehicles and motor vehicles.
The first branch considered by the Event Tree is whether the driver of the Light Rail
Vehicle becomes incapacitated or not. In this example it is assumed that the probability of
a driver becoming incapacitated as a result of a collision with a motor vehicle is 0.001, or
once in 1000 collisions. This figure may again be deduced from incident data. Where
there is uncertainty in a value chosen (for example, where little incident data exists), it is
suggested that a range of values be considered to assess the sensitivity of the
assumption.
The next branch considered in the Event Tree example is whether the driver makes an
announcement and opens the doors. Obviously the driver can only do this if he or she
survives the collision and so the branch is only applicable to the lower portion of the Event
Tree. In this example, the probability of the driver opening the doors is assumed to be
0.05 (once in 20 events). This figure could be derived by canvassing the reaction of
Light Rail Vehicle drivers who have been involved in collisions with motor vehicles.
The third branch of the Event Tree assigns probabilities to whether passengers self-evacuate or not. The Event Tree shown assumes the logic that self-evacuation is only
considered if either the driver is incapacitated (the top of the Event Tree), or if the driver
survives the collision but chooses not to open the doors. A probability of self-evacuation of
0.1 with an emergency door release function available (once in 10 events) has been
assumed.
The next two branches of the Event Tree look at the likelihood that the passenger self-evacuates the Light Rail Vehicle and is struck by a passing motor vehicle, or remains
trapped on the Light Rail Vehicle after the collision and is overcome by a fire on the
vehicle.
Once the probabilities of the events in the Event Tree have been calculated and the Event
Tree constructed, the expected frequency of the different scenarios considered by the tree
can be calculated by multiplying the different numbers on each branch. For example if the
top branch of the Event Tree shown in Figure 15 is considered, the expected frequency of
Light Rail Vehicle to motor vehicle collisions resulting in a driver becoming incapacitated,
resulting in passengers self-evacuating, resulting in passengers being struck by passing
motor vehicles is:
1100 (collisions per year) × 0.001 × 0.9 × 0.0000006 = 5.94E-7
Clearly, the most likely scenario shown in Figure 15 is that of a collision where the driver is
not incapacitated, doesn’t open the doors, the passengers don’t self-evacuate, and a fire
doesn’t ensue. The analysis indicates this scenario occurs 939 times out of the 1100
collisions between Light Rail Vehicles and motor vehicles that are anticipated to occur
each year.
Once the expected frequencies of the considered scenarios have been calculated from
the Event Tree, the risk associated with each scenario is determined by multiplying the
expected frequency by the expected number of fatalities for that scenario. In the case
example, the expected number of fatalities as a result of being struck by a passing motor
vehicle has been assumed to be 1, whereas the expected number of fatalities as a result
of a fire has been assumed to be 5.
There are also a number of scenarios where the passengers stay on the tram and there
are no fatalities. Once the risk (in fatalities per year in the example shown above) for
each scenario has been calculated, they may be summed to estimate the total risk.
In the case example the risk associated with Light Rail Vehicle to motor vehicle collisions
where emergency door release is fitted is estimated to be 0.047 per year based on the
inputs used.
A similar Event Tree could be constructed for a design where emergency door release is
not fitted and a comparison between the two options made.
It should also be noted that there may be a number of different scenarios that need to be
considered in such an analysis.
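The Event Tree of the case example, evaluated in code, as an added example that is not part of the Guideline. The 1100 collisions per year, the branch probabilities (0.001, 0.05, 0.9/0.1, 0.0000006) and the fatality counts (1 if struck, 5 in a fire) are the values quoted in the text; the probability of a fire on the vehicle is not stated in the text, so `P_FIRE` is a constructed placeholder, chosen because it reproduces the text's total of 0.047 fatalities per year, and the end state after the driver opens the doors is assumed to contribute no fatalities. The `sensitivity` function does what the text recommends where data is sparse: it re-evaluates the tree over a range of values for one uncertain input.

```python
# Added example: evaluating the Event Tree of the light rail case in code.
# Not code from the Guideline. Collision rate, branch probabilities and fatality counts
# are the values quoted in the text; P_FIRE and the doors-opened outcome are ASSUMED.
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple, Union

# A node is either a leaf (expected fatalities for that end state) or a
# branch point: (question, [(answer, probability, sub_node), ...]).
Node = Union[float, Tuple[str, List[Tuple[str, float, "Node"]]]]

COLLISIONS_PER_YEAR = 1100.0   # text: LRV / motor vehicle collisions per year
P_INCAPACITATED = 0.001        # text: driver incapacitated once in 1000 collisions
P_DOORS_OPENED = 0.05          # text: surviving driver announces and opens doors
P_STRUCK = 0.0000006           # text: self-evacuating passenger struck by passing vehicle
P_FIRE = 1e-5                  # ASSUMED placeholder: fire while trapped (not given in text)
FATALITIES_STRUCK = 1.0        # text: expected fatalities if struck
FATALITIES_FIRE = 5.0          # text: expected fatalities in a fire


@dataclass
class Scenario:
    path: Tuple[str, ...]
    frequency: float      # expected occurrences per year
    fatalities: float     # expected fatalities if the scenario occurs

    @property
    def risk(self) -> float:
        """Risk in fatalities per year = frequency x consequence."""
        return self.frequency * self.fatalities


def _branch(question: str, p_yes: float, if_yes: Node, if_no: Node) -> Node:
    """Binary branch: the 'no' probability is the complement of 'yes'."""
    if not 0.0 <= p_yes <= 1.0:
        raise ValueError(f"{question}: probability {p_yes} out of range")
    return (question, [("yes", p_yes, if_yes), ("no", 1.0 - p_yes, if_no)])


def light_rail_tree(p_self_evacuate_incapacitated: float = 0.9,
                    p_self_evacuate_doors_closed: float = 0.1,
                    p_fire: float = P_FIRE) -> Node:
    """Event Tree for a collision with emergency door release fitted.

    The 0.9 on the driver-incapacitated branch follows the worked calculation in the
    text (1100 x 0.001 x 0.9 x 0.0000006); the 0.1 is the stated self-evacuation
    probability when a surviving driver leaves the doors closed.
    """
    struck = _branch("struck by passing vehicle", P_STRUCK, FATALITIES_STRUCK, 0.0)
    fire = _branch("fire on vehicle", p_fire, FATALITIES_FIRE, 0.0)
    return _branch(
        "driver incapacitated", P_INCAPACITATED,
        _branch("passengers self-evacuate", p_self_evacuate_incapacitated, struck, fire),
        _branch("driver opens doors", P_DOORS_OPENED,
                0.0,  # ASSUMED: orderly evacuation through opened doors, no fatalities modelled
                _branch("passengers self-evacuate", p_self_evacuate_doors_closed, struck, fire)),
    )


def evaluate(node: Node, initiating_per_year: float, prefix: Tuple[str, ...] = ()) -> List[Scenario]:
    """Walk every path from the initiating event to an end state, multiplying probabilities."""
    if not isinstance(node, tuple):
        return [Scenario(prefix, initiating_per_year, float(node))]
    question, branches = node
    total = sum(p for _, p, _ in branches)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"{question}: branch probabilities sum to {total}, not 1")
    scenarios: List[Scenario] = []
    for answer, p, child in branches:
        scenarios.extend(evaluate(child, initiating_per_year * p, prefix + (f"{question}={answer}",)))
    return scenarios


def total_risk(scenarios: Sequence[Scenario]) -> float:
    """Sum of frequency x fatalities over all end states (fatalities per year)."""
    return sum(s.risk for s in scenarios)


def frequency_of(scenarios: Sequence[Scenario], *path: str) -> float:
    """Expected yearly frequency of the end state reached via the given answers."""
    matches = [s for s in scenarios if s.path == path]
    if len(matches) != 1:
        raise KeyError(f"path not found or ambiguous: {path}")
    return matches[0].frequency


def sensitivity(fire_probabilities: Sequence[float]) -> Dict[float, float]:
    """Total risk for a range of values of the uncertain fire probability."""
    return {v: total_risk(evaluate(light_rail_tree(p_fire=v), COLLISIONS_PER_YEAR))
            for v in fire_probabilities}


if __name__ == "__main__":
    results = evaluate(light_rail_tree(), COLLISIONS_PER_YEAR)
    for s in sorted(results, key=lambda s: -s.frequency):
        print(f"{s.frequency:12.4g}/yr  {s.risk:10.3g} fat/yr  {' > '.join(s.path)}")
    print(f"total risk: {total_risk(results):.3f} fatalities per year")
```

Because every branch point carries complementary probabilities, the frequencies of all end states sum back to the 1100 initiating collisions, which is a useful consistency check on any tree built this way.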
10. RISK IMPROVEMENT AND MAINTENANCE PROGRAMS
10.1 Valuing Improvements in Risk
This section of the Guideline provides guidance with respect to the proposal and
assessment of risk reduction projects. It is important in the first instance to gain an
understanding of how to convert safety benefits and dis-benefits to monetary terms as a
sanity check against project and program costs.
The concept of VPF (Value for Preventing a Fatality)
When undertaking comparisons between costs and benefits as part of the determination
of what is reasonably practicable, it is necessary to convert the safety benefits (the
reduction in risk, measured in fatalities, injuries or dollars avoided) to a monetary value
(dollars).
Generally, this is done using a standard conversion factor. This factor is the “Value for
Preventing a Fatality” (VPF).
The VPF is an economic conversion factor which includes more than the direct financial
costs avoided. The VPF factor can be applied to equivalent fatalities in order to take
injury costs into consideration. Its value is in comparing investment in risk reduction with
value obtained in a common currency.
What does this mean to a duty holder?
Each duty holder will have a current risk profile and will be seeking, within the risk
management process, to reduce that risk profile.
We may take the example of the generic metropolitan operator considered in section 2
who currently experiences 10 safety related passenger equivalent fatalities per year.
If we consider the VPF associated with this situation, the duty holder may reasonably be
expected to have between $13M and $40M per year invested in projects aimed at
reducing passenger fatalities towards zero. Each duty holder will have its own risk profile
to consider in relation to this calculation.
It should be noted that where residual risk for the same duty holder is medium (eg 1
equivalent fatality per year) the reasonable annual budget might be $1-4M.
Available projects needed to achieve the outcome of reducing risk by a factor of 10 will
tend to exceed this cost by several times. It is thus necessary to prioritise the spending of
the available budget to the most cost effective measures.
The above calculation is based on the residual risk of the duty holder as seen in the SMS.
The SMS includes a large number of controls which need to be maintained and (in the
case of infrastructure and fleet) replaced periodically to maintain residual risk at existing
levels. It is relevant to look at the “inherent risk” seen in the Principal Risk Register to
make a judgement on the value of these existing controls from a safety perspective. In
the case of the fictitious Metro duty holder referred to above, by not maintaining existing
controls, Equivalent Fatalities could rise to 100 annually (much higher figures are seen
commonly on third world railways under similar circumstances). The VPF for avoiding
such a decline would exceed $120M annually. This figure is in addition to that invested in
improved safety measures.
For most practical duty holders, the cost of maintaining existing controls is much less than
that figure. Procedures should be in place to maintain the effectiveness of existing
controls on a “no less safe” basis without necessarily requiring a cost/benefit analysis.
Staging options and their implications
Where a safety improvement opportunity has been identified, a number of staging options
generally exist for its implementation. The cost of implementation will often vary greatly
depending on the staging option chosen.
Typical staging options are:
• Require the improvement to be adhered to for all future works as well as implementing
a rework project to modify all existing locations (this model was adopted when
changes to signal bonding practices at points were introduced). This method is
generally highest cost but introduces the change most quickly.
• Require the improvement to be adhered to for all future works as well as implementing
an annual works program to modify all existing locations in priority order over a
number of years (this model was adopted when introducing new technology LED
signals to replace incandescent types). This method enables most efficient use of
annual works funding (since locations are prioritised according to risk), but
implementation period is longer.
• Require the improvement for new projects only. This option is lowest cost. For some
types of changes it may be close to cost free. However implementation will be
according to the signal renewals program and may be on a cycle of 50 years or more.
Where the cost/benefit analysis is strongly positive, one of the first two options should be
chosen.
Where a clear benefit can be seen, but not sufficient to justify either a special project or
program, the third option can provide a practical way to implement the improvement as
part of a “continuous improvement” activity within the risk management framework.
Programs based on risk ranking
Risk ranking approaches are often used when it has been determined to establish an
annual program of improvement with an annual budget consistent with the duty holder’s
overall risk reduction budget. The locations to be improved are then addressed in priority
order.
One example of this approach is that used for level crossing upgrades in Victoria.
Analysis shows a safety benefit for providing improved protection to level crossings.
However, there are a very large number of level crossings across the state (more than
3000) which could benefit from upgrade.
The resources do not exist to upgrade all at once. Instead an annual works program has
been in place for many years and the crossings are upgraded in priority order in
accordance with the Australian Level Crossing Assessment Method (ALCAM) model.
This is used to rank risk at level crossings based on safety data (number of crashes,
fatalities and serious injuries), vehicular usage (numbers of vehicles and trains using the
level crossing) and other factors (proximity of schools, heavy vehicle route, co-ordinated
traffic signals).
By establishing an ongoing annual program and addressing each crossing in priority
order, all crossings may be upgraded in the long term. Such an outcome would be much
less likely if it was necessary to justify a project to upgrade all crossings at once.
The Junction Screening Tool similarly is a tool which can be used to rank the risk of
railway signals to prioritise fitment of SPAD mitigation measures. Once junctions and
signals are prioritised, they become suitable for application of an annual program of
improvement similar to that in place for level crossings.
Risk ranking tools do not usually require the resources and data that a quantitative risk
assessment would require. The level of justification for each annual increment in terms of
the cost/benefit analysis is less.
However, there are also disadvantages with risk ranking techniques when used in
isolation:
• they do not indicate the level at which risk mitigation is not required (when the risk
is “Broadly Acceptable”);
• there are many situations where the level that is considered ‘reasonably
practicable’ is related to the available funding; and
• it is difficult to compare the costs and benefits with similar programs.
APPENDIX 1: BASIC RISK CONCEPTS
Through this discussion, the risk of concern is the risk to individuals who interact with the
duty holder’s business.
Such risk is termed “individual risk” and is generally expressed as a probability of an exposed
individual suffering injury or death in a given year. 1.0 × 10^-6 might be a typical figure.[2]
An alternate way to present the same information is to say that an individual will suffer
“one statistical injury or death in a million years”. Often duty holders use this notation in
their risk registers as they find it more intuitive for the risk analysis process.
Note that although individuals do not live for a million years, this figure can be converted
to actual long term annual fatality rates by multiplying the risk by the size of exposed
population. For instance, if the exposed population were 100,000 people, the average
fatality rate would be 1 in 10 years.
Both methods of notation for expressing risk are used in this text.
Risk and the exposed individual
It is often said that travelling by rail is an inherently dangerous activity. Yet this is not the
experience of the average rail traveller.
Rail is a mature industry with more than a century’s experience in effectively controlling
risk to the extent that it is regarded as one of our safest forms of transport – inherent risk
is not visible in many places. Risks observed are residual risk after many controls have
been applied over many years.
Given this state of maturity, it is often difficult, as part of the analysis process, to strip
away the controls to gain a measure of the inherent risks of the duty holder. In practical
terms, these inherent risks come to the surface only when a duty holder neglects some
existing controls.
The Principal Risk Register generally provides two risk-related assessments:
• Current residual risk is the current risk level with existing controls identified in the
SMS in place.
• Inherent risk is the inherent risk level of the activity with no controls applied.
Having an understanding of both the inherent and residual risks is relevant to being in a
position to demonstrate that risks have been reduced to as low as ‘reasonably
practicable’.
The risk items contained in the Principal Risk Register are “component risks”. To obtain
the overall risk profile (“Individual Risk”) for the duty holder, the component risks should
be added together.
Consequences (risk of what?)
The units of Individual Risk are measured in statistical fatalities as they reflect intolerance
to loss of life rather than injury. However, where evaluating the consequences of
Component Risks in the Risk Register, the units are typically:
• fatalities per year;
• major (serious) injuries per year;
• minor injuries per year; and
• property loss per year.
[2] Scientific notation is used here and throughout the text. 10^-6 is the same as 1/1,000,000 or “one one-millionth”.
This makes it difficult to evaluate different risk controls which may have different values of
each consequence type. In addition, some risks (e.g. property loss) assessed in this way
are business rather than safety risks.
Therefore, in assessing safety risk, it is common practice to use “Equivalent Fatalities
(EQF) per year” as a standard method of measuring risk with standard conversion factors
used. In this case, the standard conversion factors are:
One (1) Equivalent Fatality (EQF) equals:
• One (1) fatality,
• Ten (10) major injuries, or
• Two Hundred (200) minor injuries.
The total EQF is obtained by adding each of these together. The number of equivalent
fatalities experienced by the duty holder will be higher than the number of fatalities,
sometimes by a significant amount.
The duty holder should be aware of this difference when quoting or obtaining fatality
statistics from various sources.[3]
Exposed persons (risk to whom?)
There are different types of people who use and interact with the rail system. These include:
• employees: including station staff, train drivers, shunters, track maintainers and signal
technicians;
• passengers using the rail network;
• public: those in the environs of the rail line such as visitors to rail facilities;
• level crossing users (part of the “public”): including pedestrians at pedestrian
crossings, cyclists or motorists at level crossings; and
• trespassers (part of the “public”): persons accessing non-public areas without
authority.
Each of these different groups is exposed to different combinations of rail system hazards
and therefore has a different overall risk exposure when accessing the rail system.
For example train drivers have a relatively high risk exposure to the hazard of a train
passing a signal at danger (SPAD), compared with the public. Shunters are likely to have
a higher level of exposure to being struck by shunting trains than other groups.
It is important that no single group is exposed to a higher than tolerable level of risk due to
proximity to any particular risk factor. This possibility will be particularly evident in
occupational groups.
In general, the duty holder should consider at least three separate populations. These will be
referred to as the generic groups in this guide and in the examples presented. They are:
• General public
These are of the order of millions of people. For example, most of a large city’s
population interact with the metropolitan train operator in some way, if only as level
crossing user. The responsibility of the duty holder depends on the circumstances.
• Passengers
The duty holder has clear responsibilities in relation to this group.
• Employees:
The duty holder has a clear responsibility (defined for instance in OHS legislation) towards
this group.
[3] Through this text, where “fatalities” are referred to, they should be read as statistical “equivalent fatalities”.
Quantifying the Concepts in Practice for a Duty Holder
This section of the Guideline answers the question “what does this mean to me?” from the
viewpoint of a generic operator within a metropolitan centre with a population of
between 1 and 3 million.
• Risk levels are converted to expected long term fatalities.
• Risk categories are introduced for use in the risk analyses.
Duty holders with different operating patterns and passenger profiles such as tourist or
heritage railways are also considered within this section. A method of calculating risk,
using populations with special exposures is presented at a conceptual level.
Relationship between risk and observed fatalities
All duty holders submit safety incident statistics to the Rail Safety Regulator on a regular
basis. As well as this, statistics kept over a hundred years or more by a variety of rail
authorities can provide good guidance as to the areas of inherent risk in operating a railway.
At the top level, the overall risk for the duty holder to all causes (with SMS in place) can
be observed on an ongoing basis through these statistics and can be compared with the
maximum tolerable risk value. The Rail Safety Regulator can provide guidance on upper
limits to tolerable risk.
In the UK, the expected risk of fatality due to all rail safety related causes is required to be
no greater than 2.5 × 10^-5 per passenger per year. In the case of a population centre of 1-3
million people, this requirement would translate to 3-8 total passenger fatalities per year
for a generic suburban train operator (based on 10% of population being rail travellers as
discussed).
This risk represents the sum of the risks to each individual cause. For instance, the long
term average of deaths due to derailments, collisions, fires in stations, and all else must
sum to less than 10 equivalent fatalities per year. Clearly the long term average of any
individual accident type cannot be anywhere near 10 fatalities per year. That would be
intolerable.
To put this number into context, Granville (NSW, 1977) caused about 105 equivalent
fatalities, Violet Town (Vic, 1969) caused 13, Glenbrook (NSW, 1999) caused 12
equivalent fatalities and Waterfall (NSW, 2003) caused 11.
Note that level crossing accidents should not be included in this calculation since the
exposed population (general public) is different and appropriate safety targets in terms of
average annual fatalities consequently also differ. Since exposed population is higher,
tolerable average deaths per year for level crossing users will also be higher.
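The Appendix's conversions, worked in code as an added example that is not part of the Guideline: equivalent fatalities from the 1 : 10 : 200 weighting given above, the conversion between individual risk and expected annual fatalities for an exposed population (the 1.0 × 10^-6 over 100,000 people case), and the tolerability check against the UK figure of 2.5 × 10^-5 per passenger per year with the text's assumption that 10% of a city's population travel by rail. The incident records are constructed sample data for a fictitious operator, not statistics from any source.

```python
# Added example (not from the Guideline): Equivalent Fatalities, individual risk and a
# tolerability check, using the conversion factors and the UK limit quoted in the text.
from dataclasses import dataclass
from typing import Dict, List

# Standard conversion factors from the Appendix: 1 EQF = 1 fatality = 10 major = 200 minor injuries
MAJOR_INJURIES_PER_EQF = 10
MINOR_INJURIES_PER_EQF = 200

# UK all-causes limit quoted in the text: 2.5 x 10^-5 fatalities per passenger per year
UK_MAX_INDIVIDUAL_RISK_PASSENGER = 2.5e-5
RAIL_TRAVELLER_SHARE = 0.10  # text's assumption: 10% of the population travel by rail


@dataclass
class IncidentRecord:
    """One year's outcomes for an exposed group (constructed sample data below)."""
    year: int
    group: str          # "passengers", "employees" or "public"
    fatalities: int
    major_injuries: int
    minor_injuries: int


def equivalent_fatalities(fatalities: float, major: float, minor: float) -> float:
    """Collapse fatalities and injuries to a single EQF figure."""
    return fatalities + major / MAJOR_INJURIES_PER_EQF + minor / MINOR_INJURIES_PER_EQF


def individual_risk(eqf_per_year: float, exposed_population: int) -> float:
    """EQF per year spread over the exposed population -> probability per person per year."""
    if exposed_population <= 0:
        raise ValueError("exposed population must be positive")
    return eqf_per_year / exposed_population


def expected_annual_fatalities(individual_risk_per_year: float, exposed_population: int) -> float:
    """Inverse of individual_risk: 1.0e-6 over 100,000 people -> 0.1 per year (1 in 10 years)."""
    return individual_risk_per_year * exposed_population


def tolerable_passenger_fatalities(city_population: int) -> float:
    """Ceiling on passenger EQF per year for a generic metro operator, per the UK figure."""
    return UK_MAX_INDIVIDUAL_RISK_PASSENGER * city_population * RAIL_TRAVELLER_SHARE


def long_term_average_eqf(records: List[IncidentRecord], group: str) -> float:
    """Average EQF per year for one exposed group over all recorded years."""
    rows = [r for r in records if r.group == group]
    if not rows:
        raise ValueError(f"no records for group {group!r}")
    years = {r.year for r in rows}
    total = sum(equivalent_fatalities(r.fatalities, r.major_injuries, r.minor_injuries) for r in rows)
    return total / len(years)


def assess_passengers(records: List[IncidentRecord], city_population: int) -> Dict[str, object]:
    """Compare the observed passenger EQF rate with the tolerable ceiling."""
    avg = long_term_average_eqf(records, "passengers")
    exposed = int(city_population * RAIL_TRAVELLER_SHARE)
    risk = individual_risk(avg, exposed)
    return {
        "eqf_per_year": avg,
        "individual_risk": risk,
        "tolerable_eqf_per_year": tolerable_passenger_fatalities(city_population),
        "within_limit": risk <= UK_MAX_INDIVIDUAL_RISK_PASSENGER,
    }


# Constructed sample statistics for a fictitious operator (not real data).
SAMPLE_RECORDS = [
    IncidentRecord(2004, "passengers", 1, 12, 180),
    IncidentRecord(2005, "passengers", 0, 15, 220),
    IncidentRecord(2006, "passengers", 2, 9, 200),
    IncidentRecord(2004, "employees", 0, 4, 60),
    IncidentRecord(2005, "employees", 1, 3, 55),
    IncidentRecord(2006, "employees", 0, 5, 70),
]

if __name__ == "__main__":
    for key, value in assess_passengers(SAMPLE_RECORDS, 2_000_000).items():
        print(f"{key}: {value}")
```

Note how the EQF rate (3.2 per year in the constructed data) exceeds the plain fatality count (1 per year), which is the difference the text warns about when comparing against published fatality statistics. Each exposed group should be assessed separately, since the public and employees have different populations and therefore different tolerable annual figures.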
Choosing the appropriate method of analysis
The risk may be analysed using one or more of the following approaches:
• qualitative analysis, such as benchmarking against standards, codes and
Recognised Good Practice, or using Energy Barrier/Bow Tie techniques;
• semi quantitative analysis with methods such as risk ranking matrices;
• quantitative risk analysis (QRA) with methods such as Fault and Event Trees and
Cost Benefit Analysis.
Selection of the risk analysis method should be determined by factors such as the
magnitude of the risk, the degree of societal concern, and the novelty of the hazard. The
higher the component risk, the more quantitative the risk assessment appropriate to that
risk. Looking at the accident statistics from the point of view of the generic metropolitan
operator, any accident type which causes on average 1 or more passenger equivalent
fatalities per year (as a rule of thumb) in a major city would be classified as a high risk. A
quantified risk analysis would be appropriate in such circumstances. This is because
these are the accident types which are driving the overall duty holder passenger risk (due
to their relative size).
Figure 6: Classification of ARO component risk levels
Quite small proportional changes in the risk profile of these accident types can have a
relatively large impact on overall duty holder passenger risk.
Because of the logarithmic nature of the risk classifications shown in Figure 6, changes to
accident frequencies and severities in the medium and low categories tend to have very
much less impact on overall risk outcome than those in the high category.
An order of magnitude error in calculating actual risk for a medium risk item can have less
impact on final outcome than a 10% error for a high risk. Low risk accident types
generally have negligible impact on overall duty holder passenger risk regardless of any
level of calculation error.
This is not to say that medium and low accident types are not important in determining
what is reasonably practicable – they are. It means that other, less rigorous (and
potentially less accurate) methods may be used to evaluate them. These methods are
semi-quantitative (generally for medium risk) and qualitative (generally for low risk).
The risk levels and the associated rigour of the analysis method are summarised in Figure 6.
The level of both current residual risk (under existing SMS) and inherent risk (risk if no
controls applied) can be found in the Principal Risk Register for all duty holders.
It is important to be aware of “Inherent Risk” in this exercise.
It is not uncommon in the rail environment for the inherent risk of particular accident types
to be assessed as high or extreme; these risks are currently being controlled by substantial
control measures. Any change to the SMS which introduces quite novel controls to
replace existing controls, or lessens the effectiveness of those existing control measures,
can have a substantial effect on duty holder overall passenger risk even though the residual
risk shown in the Principal Risk Register is medium or low. For this reason, any changes to
controls should be demonstrated to be “no less safe” than existing controls or supported
by a quantitative methodology as described in section 9 of this Guideline.
Defining special types of hypothetical persons
The issue of the exposed individual appears deceptively simple. In fact it can be quite
complex, particularly for rail operators with irregular operating patterns such as tourist or
heritage railways.
For instance, many rail accident risks internationally are expressed in terms of incidents
per train km or alternately, incidents per journey. This can be used to develop appropriate
measures for various types of railway. But having changed the risk base away from “risks
per year” to “risk per significant event” (eg risk per train journey or risk per train km), the
risk engineer faces a much more technical analysis.
It is necessary to define the hypothetical persons (public, passenger, employee) relevant
to the duty holder to determine whether the annualised risk for each is acceptable. The
specifics of each case will be different and highly dependent on the actual characteristics
of the group to be evaluated.
Assistance from a risk specialist in this exercise is recommended.
To ensure that all significant risks for a particular hazard are adequately covered, a
number of hypothetical persons may need to be specifically constructed for determining
the control measures necessary to protect them.
Caution should be exercised when Individual Risk is calculated for occasional users and
then compared with the tolerability of risk framework. In such cases it is important to
construct the correct hypothetical person(s), such that the risk from just a few journeys is
not averaged over a year. This is particularly important with a tourist or heritage rail
organisation only running a few journeys per year.
In order to demonstrate conformance with the tolerability criteria, the duty holder should
consider the hypothetical person for each risk group.
For the “hypothetical person” for each risk group, the average person with high exposure
is defined in this Guideline as follows:
• Employees would be “equivalent full time employees” in the risk subgroup under
consideration such as “track workers” or “train drivers”.
• Passengers who are regular travellers or commuters in a typical train
operating company are normally considered to be the most exposed passenger
group. It is assumed typically that a regular traveller on average makes 500 journeys
per year (that is, 2 journeys per day, 5 days per week for 50 weeks per year).
Other definitions can be used, for example 450 journeys per year taking account of typical
annual leave, sickness, etc, providing a justification is given for the number used.
• General Public comprises many groups. Calculations for groups such as railway
neighbours and trespassers will be developed in a similar way based on the duty
holder’s operations. For level crossing users it may be defined as a regular motorist,
cyclist or pedestrian who crosses a level crossing 1000 times per year.
The risk tolerability for trespassers is the same as for the public, but in reality often the
duty holder is not able to control the risk. In this case duty holders should be able to
demonstrate that controls are in place to discourage trespassers.
For a tourist or heritage railway, a similarly appropriate “hypothetical person” will need to be
defined as a basis for this more technical analysis. These assumptions will differ from those
for a commuter railway because of the different pattern of operation and passenger usage.
It should be noted also that for a tourist or heritage railway, each risk level will translate to
a different number of expected annual equivalent fatalities compared to a metropolitan
railway.
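The following worked example is added here and is not from the Guideline. It carries through the two calculations described above: the equivalent fatality weighting (one fatality = ten major injuries = 200 minor injuries) and the annualisation of per-journey risk for the hypothetical persons just defined, including a heritage passenger built from the journeys the railway actually runs. All accident counts and traffic figures in it are constructed, and it assumes, for the example only, that risk is spread uniformly over passenger journeys.

```python
"""Worked example (added here; not from the NTC Guideline): equivalent
fatalities and annualised individual risk for hypothetical persons.
All traffic figures and accident counts used below are constructed."""
from dataclasses import dataclass
from fractions import Fraction

# Weights from the Guideline's glossary:
# 1 equivalent fatality = 1 fatality = 10 major injuries = 200 minor injuries.
MAJOR_INJURIES_PER_EF = 10
MINOR_INJURIES_PER_EF = 200

def equivalent_fatalities(fatalities: int, major: int, minor: int) -> Fraction:
    """Collapse one accident's consequences into a single figure."""
    return (Fraction(fatalities)
            + Fraction(major, MAJOR_INJURIES_PER_EF)
            + Fraction(minor, MINOR_INJURIES_PER_EF))

@dataclass(frozen=True)
class HypotheticalPerson:
    name: str
    journeys_per_year: int  # the exposure that defines this person

# Exposure assumptions the Guideline gives for the high-exposure person.
COMMUTER = HypotheticalPerson("regular commuter", 500)  # 2/day, 5 days, 50 weeks
COMMUTER_LEAVE_ADJUSTED = HypotheticalPerson("commuter, leave adjusted", 450)
CROSSING_USER = HypotheticalPerson("regular level crossing user", 1000)

def risk_per_journey(ef_per_year, passenger_journeys_per_year: int) -> Fraction:
    """Operator-level long-term average equivalent fatalities per year, turned
    into individual risk per passenger journey. Modelling assumption of this
    example only: risk is spread uniformly over all passenger journeys."""
    return Fraction(ef_per_year) / passenger_journeys_per_year

def annual_individual_risk(per_journey: Fraction, person: HypotheticalPerson) -> Fraction:
    """Annualise a per-journey risk for one specific hypothetical person."""
    return per_journey * person.journeys_per_year

def heritage_person(journeys_run_per_year: int) -> HypotheticalPerson:
    """A heritage railway's most exposed passenger can ride at most every journey
    the railway actually runs, so the person is built from that number rather
    than from the commuter's 500 journeys."""
    return HypotheticalPerson("most exposed heritage passenger", journeys_run_per_year)

def compare_exposures() -> dict:
    """The same calculation for a metropolitan and a heritage operator."""
    metro = risk_per_journey(1, 200_000_000)               # 1 EF/yr over 200M journeys
    heritage = risk_per_journey(Fraction(3, 1000), 2_400)  # 0.003 EF/yr over 2400 journeys
    return {
        "metro commuter": annual_individual_risk(metro, COMMUTER),
        "heritage, correct person": annual_individual_risk(heritage, heritage_person(12)),
        "heritage, commuter exposure (wrong)": annual_individual_risk(heritage, COMMUTER),
    }
```

The last two entries of `compare_exposures()` share the same per-journey risk and differ only in the exposure assumed, which is why the choice of hypothetical person, not the accident statistics, decides the annual figure compared against the tolerability framework.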
GLOSSARY OF TERMS
Broadly Acceptable – A level of risk deemed to be negligible and requiring no further
action.
Accreditation – Permission to carry out certain activities within defined scope and limits
and according to specified conditions. The grant of accreditation is based on a range of
submitted documents and other evidence to demonstrate the duty holder’s competence
and capacity to operate safely.
Accredited Railway Organisation (duty holder) – a Railway Organisation accredited
under Rail Safety or other applicable legislation applying in an Australian Jurisdiction.
Component Risk – The probability of statistical fatality per year to which an individual is
exposed from a particular risk under consideration in a risk analysis process.
Contractor – Both contracting companies and those rail safety workers performing
railway safety-related work for such companies, and sub-contractors and their rail safety
workers.
Consequence – Outcome or impact of an event. Note that:
• There can be more than one consequence from one event.
• Consequences can range from positive to negative.
• Consequences can be expressed qualitatively or quantitatively.
• Consequences are considered in the relation to the achievement of objectives.
Duty holder – Person under an Act (such as Occupational Health and Safety) with a duty of
care.
Environment – The combination of surrounding conditions and influences. In this
document the environment will include (but is not limited to) whether the operations are
conducted on the main line; whether operations are conducted in metropolitan areas or in
isolated areas; impacting features of the natural environment such as extreme
temperatures.
Hazard – A source of potential harm or a situation with a potential to cause loss (AS
4360).
Hazard Identification – Process of identifying and characterising hazards that exist or
may exist.
Hazard Log – A list of hazards that are the basis of the risk assessment.
Hierarchy of Control – A legal and logical preference of treating or controlling risk.
Equivalent Fatalities – A measure of risk that combines different consequences of an
accident including fatalities, major injuries and minor injuries which is used to simplify cost
benefit analyses. Defined as one equivalent fatality = one fatality = Ten major injuries =
200 minor injuries.
Frequency – A measure of the number of occurrences per unit of time.
Individual Risk – The probability of statistical fatality per year to which an individual is
exposed from the overall operation of the railway.
Inherent Risk – The level of risk that exists without controls or treatments being applied.
Intolerable – A level of risk that cannot be justified under any circumstances, irrespective
of the benefits the activity may bring, and risk reduction measures are essential whatever
their cost.
Likelihood – A general description of probability or frequency.
Railway Organisation – A person accredited or required to be accredited under Rail
Safety or other applicable legislation applying in an Australian Jurisdiction.
Rail Safety Regulator (RSR) – A generic term used to describe the person or body
responsible for accrediting and regulating rail safety in any Australian jurisdiction.
Rail Safety – The safety and physical integrity of the infrastructure, rolling stock,
signalling, telecommunications and train management systems used specifically for
railway operations and activities, covering:
• passenger safety at stations whilst boarding and alighting trains and during rail
journeys;
• safety of members of the public affected by railway activity, particularly at the
interfaces with railway infrastructure;
• prevention of damage to freight commodities carried and the storage and
transportation of dangerous goods carried by rail.
Rail safety does not include matters such as the structural safety of railway administration
buildings or occupational health and safety of employees exposed to chemicals, noise or
dust, as these matters are governed by separate legislation and regulation.
Rail Safety Worker – An employee, contractor, subcontractor or volunteer performing
work on a railway or tramway system:
• as a driver, second person, trainee driver, guard, conductor, supervisor, observer or
authorised officer;
• as a signal operator, shunter or person who performs other work relating to the
movement of trains or trams;
• in repairs, maintenance, or upgrade of railway infrastructure, including for rolling stock
or associated works or equipment;
• in construction or as a look out for construction or maintenance; or
• any other work that may be included by regulation.
Residual Risk – The level of risk that exists after controls or treatments have been
applied.
Risk – The chance of something happening that will have an impact on objectives. Risk:
• is often specified in terms of an event or circumstance and the consequence that may
flow from it;
• may have positive or negative impacts;
• is measured in terms of a combination of the consequences and their likelihood.
Risk Analysis – Process for understanding the impacts and potential risks arising from
duty holder’s operations taking into account the duty holder’s existing risks, current
performance, accident/incident register, nature of proposed changes, etc.
Risk Assessment – An overall process of hazard identification, risk analysis and risk
evaluation.
Risk Control – That part of risk management which involves implementation of policies,
standards, procedures and physical changes to eliminate or minimise adverse risks (AS
4360).
Risk Evaluation – The process of comparing the level of risk and the impacts of the
change identified during the risk analysis process with appropriate risk and performance
criteria, including evaluation of the effects of alternatives and options.
Risk Management – An overall process of hazard identification, risk assessment and the
implementation, active monitoring and review of controls, policies, procedures and
practices to manage risks, so they are maintained at a level that is reasonably practicable.
Risk Management Strategy – A clearly documented strategy for management of all risks
identified by the risk assessment process including risks associated with accreditation.
Risk Register – A document that records risk information. Specific guidance in relation to
the essential features of a risk register is provided in the National Rail Safety Accreditation
Guideline (Section 3.4.3).
Risk Profile – The overall extent and nature of all risks associated with the duty holder,
which may be incorporated in its Risk Register.
Safety Management System (SMS) – A formal framework for integrating safety into the
organisation’s policies, systems, standards, practices and activities. The purpose of the
SMS is to ensure safe operation. The SMS includes development, implementation,
documentation, monitoring, review and improvement.
Sub-contractor – A person or company contracted to supply goods or services to the
contractor.
Supplier – A person or company contracted by a duty holder or another party to supply
equipment or material to a duty holder that will or may have an impact on rail safety.
REFERENCES
Railtrack/Network Rail and Praxis Critical Systems, 2000 Engineering Safety Management
(Yellow Book). Available at http://www.yellowbook-rail.org.uk/site/contents.html
GE/GN8561 Guidance on Preparation of Risk Assessments within Railway Safety Cases,
Railway Safety, UK, 2002.
The United Kingdom’s Health & Safety Executive Reducing Risks, Protecting People –
HSE’s decision making process publication issued in 2001.
The United Kingdom’s Railway Group Guidance Note GE/GN8561 Guidance on the
Preparation of Risk Assessments within Railway Safety Cases. June 2002.
AS 61508:1999 Functional safety of electrical/electronic/programmable electronic safety-related systems.
BS EN 50126:1999 Railway Applications – The specification and demonstration of
Reliability, Availability, Maintainability and Safety (RAMS).
BS EN 50128:2001 Railway Applications – Communications, signalling and processing
systems – software for railway control and protection systems.
BS EN 50129:2001 Railway Applications – Communications, signalling and processing
systems – Safety related electronic systems for signalling.
Australian/New Zealand Standard AS/NZ4360:2004 Risk Management (2004).
AS/NZ 3931 Risk Analysis of Technical Systems – Application Guide (1998).
HMRI ALARP Guidance and Principles, 2005, p. 12.
Bluff L & Johnstone R, The Relationship between ‘Reasonably Practicable’ and Risk
Management Regulation, Working Paper 27, National Research Centre for OHS
Regulation, ANU. September 2004.
Section 20, Occupational Health and Safety Act 2004, Parliament of Victoria.
WorkSafe Victoria, Major Hazardous Facilities Regulations Guidance Note MHD GN-16.
WorkSafe Victoria, Guidance On So Far As Reasonable Practicable (yet to be released).
Chris Maxwell QC, Occupational Health and Safety Act Review, (Victoria) March 2004.
Standards Australia, AS 4292.1:1997, Railway Safety Management, Part 1: General and
interstate requirements.
Standards Australia, AS 4292.4:1997, Railway Safety Management, Part 4: Signalling and
Telecommunications systems and equipment.
HSE Research report 151: “Good practice and pitfalls in risk assessment” (2003).
Peirson and Birds “Business Finance” 7th edition 1998.