THE LEGAL CONTEXT TO QRA

Tim Procter MIEAust CPEng, Gaye Francis FIEAust, and Richard Robinson FIEAust MSFPE, Partners

2018-07-13

R2A Due Diligence Engineers Level 1, 55 Hardware Lane, Melbourne, Australia

SUMMARY

One of the most difficult aspects regarding the use of quantified risk assessment (QRA) has manifested in the debate over SFAIRP (so far as is reasonably practicable) as enshrined in WHS [1] (work health and safety) legislation and ALARP (as low as reasonably practicable) as typified by the risk management process shown in ISO/AS31000, particularly using the notion of target (tolerable or acceptable) levels of risk. The conflict arises when the question is posed: how safe is safe enough? Both SFAIRP and ALARP endeavour to achieve the same outcome, safety risk equity for affected parties, but each provides a different meaning of ‘safe enough’ through its respective decision-making process. The ALARP approach endeavours to ensure that no one is exposed to unacceptable (i.e. maximum) levels of risk, whereas the SFAIRP approach endeavours to ensure that everyone is afforded (at least) a minimum level of precaution.

[Figure: ALARP vs SFAIRP. Labels: Parliaments & Courts (the laws of man); Scientists (the laws of nature); Legal Practitioners; Engineering Practitioners; Equal maximum level of risk; Equal minimum level of precaution; ALARP; SFAIRP.]

ALARP vs SFAIRP

The diagram above shows the essential differences in the foundations and applications of the ALARP and SFAIRP approaches. On every occasion to date that R2A has had to review a fire design based on the ALARP-based target risk approach, the design has required retrospective alteration, usually by direction from relevant legal counsel. And, interestingly, the Victorian Building Authority’s External Wall Cladding Audit Report [2] (arising from the 2014 Lacrosse building fire) appears to support this position: that ensuring equal minimum protection is a more sensible design concept than attempting to calculate equitable, low risk.

[1] Model Work Health and Safety Bill. Model Bill 23/6/2011.
[2] Victorian Building Authority (17 February 2016). VBA External Wall Cladding Audit.

INTRODUCTION


A fundamental principle of an egalitarian society is that no one should be inequitably exposed to safety risk. This principle has been adopted in a number of ways, the two most prominent being the drive to ensure no one is exposed to an inequitable level of safety risk, and the second being that everyone is entitled to a minimum level of protection. The former was first prescribed in the ALARP principle, and the latter first in common law duties of care and subsequently in WHS legislation SFAIRP requirements.

The notion of tolerable risk arose from UK Health and Safety Executive (HSE) studies in the 1980s which attempted to quantify the background level of risk, from car crashes through to workplace accidents through to lightning strikes, to which society demonstrates acceptance through its ongoing behaviour [3]. These tolerable risk criteria were put forward as a means of demonstrating safety risk equity; as a level of risk that demonstrates that no one is exposed to intolerable risk arising from the enterprise at hand. The HSE study proposed a risk value of 1/1,000,000 fatalities per year as 1980s UK society’s lower tolerable level of risk, with a risk value of 1/10,000 fatalities per year considered intolerable for members of the public. Between these two values the HSE suggested that risk ought to be reduced as far as possible given constraints and available resources. Below this zone risk was deemed ‘broadly acceptable’ and needing no further action.

Quantified ‘tolerable risk’ values similar to this are identified for many fire safety studies, based on further scientific and engineering research. Engineers using foresight to consider fire safety in their designs then often adopt these tolerable risk criteria as quantified targets. That is, if the design fire safety risk is quantified and shown to be less than the lower tolerable risk criteria, the design (with respect to fire safety) is ‘safe enough’. Necessarily, this has a focus on likelihood for rare, catastrophic events, as this is generally the most uncertain element of the risk calculus.

In contrast, our courts particularly consider critical incidents in hindsight. Necessarily this has a focus on consequences for catastrophic events since the event in question has actually happened (i.e. the likelihood of occurrence is unity). At this point the notion of a quantified value of tolerable risk is moot; regardless of whether the target criteria were met, the event occurred. The courts’ objective, post-event test instead focuses on the precautions that were in place, further precautions that were available, and the reasonableness of these further options. Rather than inquiring to see if no one was exposed to an intolerable level of safety risk pre-event, the courts determine whether the people injured or killed as a result of the event were provided with a reasonable level of protection. Quantification of risk may be useful in demonstrating that precautions adopted were reasonable, but of itself it does not satisfy the courts’ test.

The contrast between the ALARP and SFAIRP philosophies does not mean that either quantified or non-quantified risk assessment is conceptually better than the other. However, it does mean that the suitable applications of each must be understood, and it certainly prescribes limits for the appropriate use of quantified risk assessment. This paper will explore these applications and limits, and the arising implications.

[3] UK Health and Safety Executive (1988). The Tolerability of Risk from Nuclear Power Stations.

SFAIRP VS ALARP

The Different Perspectives of the Courts and Engineers

To understand the appropriate applications and limits of safety risk quantification it is necessary first to understand the context in which decisions based on risk assessments are examined. Risk assessment is predicting the future. If a risk assessment served its function perfectly no consequences would manifest; all risks would have been either eliminated or controlled to an extent that any consequences were negligible. In general, risk decisions are examined [4] only when a specific risk that the risk assessment (ought to have) identified manifests. That is, risk assessments are subject to post-event scrutiny. This happens in a number of ways (internal reviews, incident investigations etc.), but the most critical, from a safety risk perspective, is the review conducted by the courts after an accident. This typically occurs following high consequence, low likelihood events.

The courts’ examination may be via prosecution under certain legislation (e.g. a WHS or rail safety act) or via litigation under the common law (i.e. suing for negligence). In either case the approach used is:

• determining what precautions were adopted prior to a safety incident,
• identifying further precautions that could have been adopted, and
• making judgements as to whether these were reasonable.

That is, the SFAIRP approach (in the case of prosecution) or the common law test of negligence (in the case of litigation).

The courts in this respect serve as society’s conscience, helping oversee society’s objective that we ought not unnecessarily harm our neighbours, determining what measures ought to have been in place to prevent specific incidents and, if these measures were not, determining what recompense ought to be made by the perpetrator, or to the victim, or both. Whenever investigating, the courts are considering only one specific past event. This gives a very tight, hindsight-driven focus to the inquiries. However, engineers designing for fire safety must consider all (credible) fire scenarios. This requires foresight across the wide range of potential fire scenarios, and designing reasonable precautions to address them all. Engineers are thus in a difficult position; they can never know if their design is reasonable unless a fire occurs and a court investigates and informs them. The engineers’ and the courts’ different perspectives on safety events are shown as the red arrowheads in the diagram below.

[4] As opposed to being periodically reviewed as part of the risk management process.


In this position engineers must consider how their designs may be reviewed post-event, and make decisions within their (financial, physical, etc.) constraints that (they hope) a court would consider diligent.

[Figure: Engineers’ and the courts’ perspective on safety events. Labels: Societal objective: don't harm neighbours, either deliberately or inadvertently; The laws of nature (scientists); The laws of man (Parliament & the Courts); Due diligence (engineers using foresight); Physical reality; Safe?; Legal prescriptions: Acts of parliament (SFAIRP) and the common law; Scrutiny (the Courts using hindsight); Safety incident; Flow of knowledge.]

Engineers’ and the courts’ perspective on safety events

Engineering Decision-making on Safety Risks

As implemented by engineers, the ALARP and SFAIRP approaches to fire safety design decisions are both intended to demonstrate due diligence. That is, both approaches aim to demonstrate to a court that, if something goes wrong, the fire safety design decisions made prior to the event were reasonable. However, whilst the two approaches may set out to achieve this same outcome, the assumption that using QRA calculations to achieve an ALARP-based target risk level will forensically satisfy a common law or SFAIRP-based inquiry post event is naïvely courageous. This is simply because the process required to demonstrate that tolerable risk is achieved is markedly different from that needed to demonstrate that all reasonable precautions are in place. This is especially the case for high consequence, low likelihood events, the ones that are most often the subject of post-event judicial scrutiny. The possibility of the results of the two processes being identical is, in the authors’ opinion and experience, nil. This is a serious issue for engineers generally, and for fire protection engineers in particular. The figure below shows the difference between the two approaches, especially for high consequence, low likelihood events.


[Figure: Hazard vs precaution focused risk management. Labels: Judicial Scrutiny; Time; Decision re hazard; Unwanted Event/s; Judgement; Precaution focussed; Hazard focussed; Future uncertainty; Technical risk targets; Safety critical.]

Hazard vs precaution focused risk management [5]

The top loop describes the ALARP approach. This process requires that engineers look forward in time to identify potential hazards. The risk (likelihood and consequence) associated with them must then be determined and compared to criteria for acceptable or tolerable risk. If the criteria are not satisfied then risk treatments (i.e. precautions) are applied until they are. In a fire safety engineering context this often involves quantified risk levels and criteria. If the risk criteria were achieved in reality, the hazards of concern would not eventuate in the engineer’s lifetime. But this is not the way of the world. Sometimes bad things will happen and the courts will examine the results. Caveats to this approach can be applied, such as mandates to avoid avoidable risk and to test if further precautions can be justified even if the target level of risk has been met, but these are afterthoughts. They are not inherent in the ALARP process and are presumably an attempt to legally recover the situation.

The bottom loop describes the common law and SFAIRP process applied by the courts. This is necessarily hindsight biased. The courts simply do not care how often matters went well. By definition, the courts only examine the minority of things that went wrong. And, after the event, the fact is certain. This means that, from the court’s viewpoint, prior-to-the-event estimates of rarity for serious events were presumably flawed and that, prima facie, those who made such estimates have provided beyond-reasonable-doubt proof of negligence. As a judge in NSW has been reported as saying to engineers after a major rail accident:

What do you mean you did not think it could happen? There are 7 dead.

The way the courts assess the situation post-event is to consult expert witnesses as to what could have been done to prevent the disaster. Being an expert with the advantage of hindsight is a comparatively straightforward task. The only time the notion of risk is used in court is when the court is testing to see if the precautions suggested by such experts (after the event) were reasonable in view of what was known at the time of the fire safety engineering decision. The following figure describes the two approaches in a different way. The left hand side of the loop describes the legal approach, which results in risk being eliminated or minimised SFAIRP. The right hand side of the loop describes the ALARP process.

[5] Robinson Richard M, Gaye E Francis, Tim Procter et al (2017). Engineering Due Diligence (10th Edition, Updated). R2A Pty Ltd.

[Figure: Precaution vs hazard based approaches to risk management. Common elements: Risk management of downside (negative or pure) risk; Hazard identification (foreseeability); Monitoring and review (quality assurance); Due diligence. Left hand side, SFAIRP, common law approach (precaution based and criticality driven): Criticality: establish critical hazards; Preventability: identify all practicable precautions for each critical hazard following the hierarchy of controls; Reasonableness: determine which practicable precautions are reasonable based on the High Court established balance (disproportionality); Implementation of reasonably practicable precautions. Right hand side, ALARP, target risk approach (hazard based and risk driven): Hazard analysis and risk calculation: process to determine the nature of risk and the level of risk (inherently unrepeatable); Selected risk criteria: terms of reference against which the significance of a risk is evaluated (inherently subjective); Compare against criteria: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable (may eliminate further consideration of acceptable or tolerable risks); Risk mitigation and management options: process to modify risk (may not follow the hierarchy of controls).]

Precaution vs hazard based approaches to risk management [6]

The purpose of the SFAIRP process is to demonstrate that all reasonably practicable precautions are in place by first identifying the practicable precautions and then testing for reasonableness using relevant case law. As Safe Work Australia notes [7], this is an objective test.

There are two elements to what is ‘reasonably practicable’. A duty-holder must first consider what can be done - that is, what is possible in the circumstances for ensuring health and safety. They must then consider whether it is reasonable, in the circumstances, to do all that is possible. This means that what can be done should be done unless it is reasonable in the circumstances for the duty-holder to do something less.

[6] Robinson Richard M, Gaye E Francis, Tim Procter et al (2017). Engineering Due Diligence (10th Edition, Updated). R2A Pty Ltd.
[7] http://www.safeworkaustralia.gov.au/sites/SWA/about/Publications/Documents/607/Interpretive%20guideline%20-%20reasonably%20practicable.pdf viewed 9 March 2017.


The level of risk resulting from this process might be as low as reasonably practicable (ALARP) but that is not the test applied by the courts after the event. The courts test for the level of precautions, not the level of risk. The SFAIRP concept embodies this outcome.

The ALARP approach, shown on the right hand side, attempts to demonstrate that a tolerable risk level has been achieved for the hazard in question. But there are major difficulties with each step of this approach, as noted in blue. Firstly, hazard analysis and risk calculations are inherently unrepeatable. Two independent risk experts assessing the same circumstances or situation never come up with the same answer (unless they use deliberately identical assumptions and processes, in which case the assessment is not independent). Risk calculations and characterisations to enable a comparison with risk criteria are always imperfect, especially with regard to human failings and management systems. Quoting Mark Tweeddale [8]:

In the case of the process industry, most of the major disasters in recent years have resulted primarily from failures of management systems, which would not have been included in the quantitative assessment of risk, and not from random equipment failures such as are statistically assessable using data from data banks. This is a most serious limitation...

Secondly, risk criteria are subjective. The old adage should probably be extended to: there are lies, damned lies, statistics and then there are target risk criteria. Most risk criteria are based on statistical analyses. The traditional way to determine them is to consider mortality and injury statistics. But they are just that, statistics. The numbers change according to the exposed group selected. For example, the lightning strike death rate of around 1 in 10 million (for the whole population) is often selected as the lower limit to risk scrutiny for individual risk. However, if the mortality figures for the group of people who play golf during lightning storms are considered, the rate will be much higher. Which number ought to be used? Further, the inconsistency in individual and societal risk criteria between industries (dam and air safety for example) and states, especially Victoria and NSW dating from the mid-nineties, is problematic.

Thirdly, if the risk associated with a hazard is below the acceptable or tolerable threshold, there is a tendency to say that nothing further needs to be done, which is always problematic with low frequency, high severity events. The overall situation is perhaps best summarised by Chief Justice Gibbs [9] of the High Court of Australia:

Where it is possible to guard against a foreseeable risk, which, though perhaps not great, nevertheless cannot be called remote or fanciful, by adopting a means, which involves little difficulty or expense, the failure to adopt such means will in general be negligent.

[8] Tweeddale M, 2003. Managing Risk and Reliability of Process Plants. Boston: Gulf Professional Publishing.
[9] Turner v. The State of South Australia (1982). High Court of Australia before Gibbs CJ, Murphy, Brennan, Deane and Dawson JJ.

That is, it does not matter how low the risk estimate is; if more can be done for very little effort, then the failure to do so will be negligent in the event of an incident. This leads to the fourth concern: that the temptation is to implement a precaution that reaches the target risk threshold without formally considering the hierarchy of controls.

Engineers often argue that, if you set the law aside, the only way to demonstrate due diligence is the target risk level approach. This is simply not a viable proposition. The laws of man may not be ignored. Our parliaments and courts necessarily reject this. It has always been clear that the courts will interpret the circumstances surrounding death, injury or damage in legal terms. This proposition is easily confirmed by consulting in-house legal counsel.

Recognised Good Practice and Intolerable Risk

While a quantified risk level deemed ‘intolerable’ is generally included in ALARP-type QRAs, it is not usually used. Aiming to design so that fire safety risks fall below the ‘tolerable risk’ zone means that a level of risk that would be deemed intolerable in an ALARP sense almost never eventuates. However, the courts again have a different view on what is considered intolerable exposure to safety risk. When a judicial investigation is underway, experts are called to propose further precautions that could have been in place to prevent the incident in question. The most obvious place to identify such options is to look at what measures are in place in other similar situations. If a precaution is adopted in most other similar situations it may be considered recognised good practice, and deemed reasonable by virtue of the many other organisations implementing it.

As such, in common law and SFAIRP-based examinations, the failure to adopt recognised good practice would likely be viewed as providing an intolerably low level of protection to those exposed to the risk in question, regardless of the level of risk (quantified or otherwise). That is, recognised good practice must be implemented to meet common law and SFAIRP requirements. Recognised good practice may be identified in a number of ways, including through ideas contained in Australian and international standards, and through industry guidelines and fact-finding tours.

IMPLICATIONS AND LIMITS OF QRA

In light of the discussion above, it is clear that quantified risk assessment is inappropriate for ALARP-type assessments, and must be used in a SFAIRP context. Particularly useful applications include:

• Identifying critical issues through detailed consequence modelling. This may be required, for instance, in new and unusual designs.
• The selection of competing options through comparison of quantified risk levels. This allows engineers to decide on the most appropriate option on a number of bases, such as pure risk, risk reduction per dollar outlay, traditional risk contour mapping, and so on. This use of quantified risk on a relative comparative basis fits well within the SFAIRP precautionary analysis.
• Comparison of portfolio assets on a safety risk basis. The quantification of safety risk levels for each of a portfolio of assets allows benchmarks and outliers to be identified. This is useful for mapping trends over time as assets are maintained or upgraded, and for identifying areas of concern for more detailed investigation.

A recent example of QRA used within these limitations is described in the report to the Victorian cabinet by the Powerline Bushfire Safety Taskforce [10] arising from the Victorian Royal Commission into the Black Saturday bushfires that killed 173 people in 2009. This report explicitly uses the SFAIRP approach supported by quantification in the formulation of its recommendations, which were all accepted by the Victorian government.

CASE STUDY

In Australia, there appears to be no single agreed approach to tunnel design and fire protection. In more recent times, the Fire Engineering Brief process described in the International Fire Engineering Guidelines [11] has been used. Many designers appear to have interpreted this to mean that technical acceptable risk criteria determined by technical specialists is the way to go. However, it is interesting to note that the introduction of this document states:

In particular, and to avoid doubt, the use of the Guidelines does not:

• guarantee acceptance of a design or building by any entity authorised to do so under any law
• guarantee fire safety within a building, or
• absolve any user from complying with any legal requirements.

Over the years, R2A has been commissioned to complete a number of due diligence reviews for various tunnels in Australia including the Legacy Way Tunnel in Brisbane, the Tugun Bypass Tunnel and the Brisbane Inner Bypass City Tunnel. R2A has always used the common law due diligence approach to fire design, but with the introduction of the model WHS legislation, it seems that this sort of approach is now mandated. An example tunnel ‘case study’ based on a number of projects and reviews follows.

[10] http://www.esv.vic.gov.au/Portals/0/About%20ESV/Files/RoyalCommission/PBST%20final%20report%20.pdf viewed 9 March 2017. See Section 3.6 Precautionary approach to bushfire risk reduction (page 52) and Appendix E Threat-barrier analysis (page 146).
[11] Australian Building Codes Board (2005). International Fire Engineering Guidelines (Edition 2005). ISBN 1741 614 562.

R2A’s Fire Safety Due Diligence Approach


In view of the courts’ common law and SFAIRP-based process of examination of engineering safety decisions, the legally required process for engineering safety decision-making in Australia involves:

1. Identifying all credible critical safety issues, and
2. Completing a precautionary review:

• Identifying the technically possible (i.e. practicable) precautionary options for each identified safety issue,
• Determining which precautions to implement based on the common law balance of the significance of the risk versus the effort required to reduce it.

All precautions must then be implemented and maintained. The R2A ‘Y’ Model below represents this process.

[Figure: R2A ‘Y’ Model. Labels: All credible, critical issues identified; All practicable precautionary options identified; Disproportionality decision making engine used to determine 'reasonableness'; Agreed precautions implemented with supporting quality assurance system.]

R2A ‘Y’ Model

1. Credible Critical Issues

A typical credible worst case fire scenario is a heavy commercial vehicle (HCV) fire blocking a longitudinally ventilated tunnel, shown diagrammatically below. The unwanted outcome is multiple fatalities, especially amongst vehicle occupants in stopped traffic downstream of the fire.

[Figure: Heavy Commercial Vehicle Fire in Tunnel. Labels: Stopped upstream traffic in clear air; Jet fans; Smoke; Stopped downstream traffic in smoke.]

Heavy Commercial Vehicle Fire in Tunnel

But this is only one possible hazard amongst a large number of potential hazard scenarios. In order to ensure a completeness check of all credible issues for a tunnel, a vulnerability assessment identifying the exposed groups & assets, and the credible threat scenarios to which they are exposed, is developed, such as shown in the table below.

| Threat scenario | Travelling public (including disabled, elderly, small children, people who behave erratically) | Operator staff (including contractors, breakdown services) | Emergency services (fire brigade, ambulance & police) | Local residents | Habitat/environment (air quality) | Infrastructure & third party |
|---|---|---|---|---|---|---|
| Motorcycle breakdown | x | x | - | - | - | - |
| Passenger car breakdown | x | x | - | - | - | - |
| Bus breakdown | xx | x | x | - | - | - |
| HCV load fire, stationary vehicle in free flowing traffic | xx | xx | xxx | x | x | x |
| HCV vehicle fire, burning vehicle in stationary traffic | xxx | xxx | xxx | x | x | x |
| Injury/entrapment accident, all lanes blocked | xx | x | x | - | - | - |
| Fatal accident, all lanes blocked | xx | x | x | - | - | - |
| Pedestrians in tunnel on walkway | x | x | x | - | - | - |
| Cyclist in tunnel | xx | x | x | - | - | - |

In this example, safety vulnerabilities are characterised as follows:

xxx Critical vulnerability (multiple fatalities)
xx Major vulnerability (single fatality)
x Minor vulnerability (injuries)
- No vulnerability detected

In order to ensure precautionary effort is appropriately applied, the legal loss of control point for each critical scenario needs to be determined. The loss of control point for the HCV fire appears to be that which overwhelms the usual air handling system when there are stationary vehicles in the tunnel (therefore exposing the vehicle occupants). There are several arguments for defining the loss of control point as above. The simplest, legally, probably revolves around confined spaces. The tunnels should only have sweet, decent air whenever they are occupied, even during a fire/smoke incident. Otherwise they would be considered a confined space. Emergency ventilation to prevent a situation becoming a confined space is an attempt to restore control and acts after the event.

On an open freeway a fire is mostly an isolated event since the heat and smoke go up and exposed persons (beyond those trapped in the burning vehicle/s) basically stay away from the inferno until the brigade arrives or the fire burns out. In a tunnel this is potentially far more problematic because of the contained environment. Even an unmanaged 5 MW fire can create substantial problems for persons remote from the fire unless special precautions are taken. This means that it is the change of the tunnel environment by the fire that creates the loss of control.

Another way to think of this relates to different size fires in the tunnel. Suppose that a car engine catches fire, the driver pulls over and a passing truck driver stops and extinguishes the fire with a fire extinguisher. Other than the lane restriction and the possibility of collision, from the point of view of the tunnel environment there has been no loss of control, since the smoke and heat will have been dissipated in the overall tunnel air movement (usually due to the piston effect of moving vehicles and the jet fans). However, there is a certain size fire that will disrupt the air flow, place remote persons at risk and thus bring about the need to impose emergency measures including an emergency ventilation system and the like. This appears to be the loss of control point, that is, the point at which the laws of nature and the laws of man align.

2. Precautionary Review

The following threat barrier diagram documents the typical barriers (precautions and mitigations) in place to manage a fire in a tunnel. The WHS legislation requires that risk control must be based upon the hierarchy of controls, which is typically (in the order of most to least preferred):

i. Elimination ii. Substitution iii. Engineering controls iv. Administrative controls v. Personal Protective Equipment and Clothing.

Following the hierarchy above, controls should be tested from left to right on the diagram, starting with the elimination option, paying particular attention to the requirements of recognised good practice. Legally, controls to the left of the loss of control point are precautions, while controls after the loss of control point are mitigations.


Sample Threat Barrier Diagram for Vehicle Fire in a Road Tunnel

Threat reduction (or elimination) reduces the source of fire, for example by limiting the number of trucks with large combustible loads such as dangerous goods (DG) vehicles. The two key precautions are the deluge fire sprinkler system, which can control the fire before the normal air handling system is overloaded, and the congestion control systems, which ensure that downstream traffic can escape and further upstream traffic is stopped. Mitigations to minimise the consequences (multiple fatalities), including emergency ventilation, manual fire control and evacuation systems, act after the loss of control point and are therefore low down in the hierarchy of controls.

The use of vulnerability assessment supported by precautionary analysis to assess risk in tunnels seems a peculiarly efficient form of due diligence. Control focuses on prevention in the first instance, which parallels the WHS hierarchy of controls: elimination, substitution, engineering, administration and PPE. The latter can only be adopted as the sole mitigation if the other options are not viable. Viable in this sense seems to mean the common law test of negligence, that is, the balance of the significance of the risk versus the effort required to reduce it. The lawyers (and regulators to whom such arguments have been presented) have always confirmed that precautions implemented before the loss of control point are the best place for the precautionary dollar. Complex, expensive, hard to model and unpredictable emergency measures invoked after the loss of control point, attempting to bring a situation back under control, are legally difficult to defend, especially when a sensible pre-loss of control point precaution was available.
This approach shows that automatic fire control systems like automatic deluge and traffic control systems provide superior risk reduction for fires in stalled traffic compared to emergency longitudinal ventilation systems. At this point risk quantification is useful in identifying key areas of concern within the existing precautionary framework. An example of this is shown in the reliability block diagram below.


Typical current good practice installation for a transversely ventilated tunnel

This shows the high level of redundancy that ventilation and deluge systems provide when addressing a fire in a road tunnel. In either case the main objective is to ensure drivers are not in smoke. This can be done via a) controlling smoke location by ventilation, or b) minimising fire size through water deluge to minimise the smoke generated. Each of these measures provides time to allow drivers to escape through the downstream tunnel portal before smoke levels increase. In conjunction they increase the overall reliability of the safety system.

Quantification of the reliability of the system elements provides a number of benefits in this context. It identifies reliability ‘bottlenecks’. For instance, in the example above it is clear that the reliability of the sequence for automatic activation of deluge (the bottom line) is low compared to the activation of the ventilation system. In practice, the deluge system will almost always be manually activated by a tunnel operator (the dotted line from the yellow box to the purple box) when operators are alerted to a potential fire by chemical smoke detection and CCTV. In R2A’s experience, the combination of CCTV, smoke detection and operator monitoring is quite superior to linear heat detection in both accuracy and speed of detection of tunnel fires. This provides context for any proposal to enhance linear heat detection reliability, i.e. that it is truly a backup function for the very unlikely scenario of an operator not identifying a tunnel fire, and is not the sole method for deluge activation.

A better case may be made for enhancing the reliability of the deluge system itself, as it would be manually activated in most fire scenarios. This would involve a more detailed study of the deluge system elements and the underlying reliability factors. This may in turn raise potential options to enhance:

• Town mains water supply through a redundant supply,
• Firewater pumping through additional or better pumps,
• Tunnel piping by implementing a firewater ring main,
• Activation valves through provision of backups or more reliable units,
• Deluge sprinkler heads coverage through more units or better locations,

and so on. Each of these options may then be tested on a risk reduction (i.e. reliability enhancement) per dollar basis to identify the best-justified precaution(s) for implementation. In this manner an argument may be developed that due diligence is demonstrated through QRA methods in a SFAIRP context.

[Figure: reliability block diagram for the typical current good practice installation in a transversely ventilated tunnel. Blocks: Fire incident in road tunnel; Linear detection; CCTV + operator detection; Fire indicator panel; Deluge system; Operators + operations control system; Ventilation system; Controlled fire incident in road tunnel. Element reliabilities shown on the diagram: 0.9, 0.999, 0.99, 0.99, 0.999, 0.95, 0.997.]
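The reliability block diagram discussion and the per-dollar test of candidate precautions can be made concrete in code. What follows is an added example, not the paper's own code or R2A's method. It evaluates a reliability block diagram using the block names from the paper's figure, but the per-element reliabilities are assumed for illustration (the figure's values are listed above, but which value belongs to which block is not recoverable from the extracted page), the dotted operator-to-deluge line is modelled as a third success path, and the candidate upgrades and their costs are constructed. All function and variable names are this example's own.

```python
"""Evaluate a reliability block diagram (RBD) for a road-tunnel fire safety system.

Added example, not code from the paper. Block names mirror the paper's diagram;
the reliability figures and upgrade costs below are ASSUMED for illustration.
"""
from itertools import product
from typing import Dict, List, Tuple

# ASSUMED on-demand reliabilities (probability the element works when called on).
ELEMENTS: Dict[str, float] = {
    "linear_detection": 0.90,
    "fire_indicator_panel": 0.99,
    "deluge_system": 0.95,
    "cctv_operator_detection": 0.999,
    "operations_control_system": 0.999,
    "ventilation_system": 0.997,
}

# Minimal success paths from "fire incident" to "controlled fire incident".
# Each path is a series chain; the system succeeds if ANY path is fully up.
# "manual_deluge" models the dotted line in the paper's diagram: operators
# activating deluge after CCTV / smoke-detection alerts.
PATHS: Dict[str, List[str]] = {
    "auto_deluge": ["linear_detection", "fire_indicator_panel", "deluge_system"],
    "manual_deluge": ["cctv_operator_detection", "operations_control_system", "deluge_system"],
    "ventilation": ["cctv_operator_detection", "operations_control_system", "ventilation_system"],
}


def path_reliability(rel: Dict[str, float], chain: List[str]) -> float:
    """Series reliability of one path: the product of its element reliabilities."""
    r = 1.0
    for name in chain:
        r *= rel[name]
    return r


def system_reliability(rel: Dict[str, float], paths: Dict[str, List[str]]) -> float:
    """Exact system reliability by enumerating every up/down state of the elements.

    Paths share elements (deluge and the operator chain each appear in two paths),
    so the familiar parallel formula 1 - prod(1 - R_path) would be wrong: it assumes
    independent paths. Enumerating the 2**n states is exact and cheap at this size.
    """
    names = sorted(rel)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        up = dict(zip(names, states))
        prob = 1.0
        for name in names:
            prob *= rel[name] if up[name] else 1.0 - rel[name]
        if any(all(up[e] for e in chain) for chain in paths.values()):
            total += prob
    return total


def bottleneck_path(rel: Dict[str, float], paths: Dict[str, List[str]]) -> str:
    """Name of the least reliable path (the paper's 'bottom line' observation)."""
    return min(paths, key=lambda p: path_reliability(rel, paths[p]))


def rank_upgrades(
    rel: Dict[str, float],
    paths: Dict[str, List[str]],
    upgrades: Dict[str, Tuple[float, float]],
) -> List[Tuple[str, float, float]]:
    """Rank candidate upgrades by system-reliability gain per dollar.

    upgrades maps element -> (new reliability, cost). Returns a list of
    (element, gain, gain_per_dollar) sorted best first.
    """
    base = system_reliability(rel, paths)
    ranked = []
    for element, (new_r, cost) in upgrades.items():
        trial = dict(rel)
        trial[element] = new_r
        gain = system_reliability(trial, paths) - base
        ranked.append((element, gain, gain / cost))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


# Constructed candidate precautions and costs (hypothetical figures).
UPGRADES: Dict[str, Tuple[float, float]] = {
    "linear_detection": (0.99, 250_000.0),    # more reliable linear heat detection
    "deluge_system": (0.99, 200_000.0),       # ring main / redundant water supply
    "ventilation_system": (0.999, 400_000.0),
}

if __name__ == "__main__":
    for name, chain in PATHS.items():
        print(f"{name:14s} path reliability = {path_reliability(ELEMENTS, chain):.6f}")
    print(f"system reliability = {system_reliability(ELEMENTS, PATHS):.6f}")
    print(f"bottleneck path    = {bottleneck_path(ELEMENTS, PATHS)}")
    for element, gain, per_dollar in rank_upgrades(ELEMENTS, PATHS, UPGRADES):
        print(f"{element:26s} gain = {gain:.6f}  gain/$ = {per_dollar:.3e}")
```

Two points of the design matter for anyone reproducing the paper's reasoning. First, because the deluge block and the operator chain each sit on more than one path, the system reliability is computed by exact state enumeration rather than by multiplying path unreliabilities, which would double-count shared elements. Second, the ranking that comes out is entirely a product of the assumed reliabilities and constructed costs; with these inputs the deluge upgrade gives the largest gain per dollar and the automatic deluge sequence is the bottleneck path, which matches the paper's observation, but different figures can reorder the result, which is why the paper calls for a detailed study of the deluge elements before choosing.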


CONCLUSION

While the quantification of safety risk is not problematic in and of itself, when it is used in an ALARP-based framework to demonstrate that ‘tolerable risk criteria’ are met it is clear that it will not satisfy post-event judicial scrutiny. To obtain QRA’s considerable benefits while maintaining a diligent decision-making process, risk quantification should be used within a common law or SFAIRP-based framework. This precaution-based approach provides for better, legally explicable, output-focused safety outcomes.