What happens when AS 61508 meets the law

04/02/2015 — 2 Comments

Work-Health-and-Safety

I’ll give you a hint: it’s not pretty.

Current Australian rail and workplace safety legislation requires that safety risks be eliminated or, if that is not possible, reduced ‘so far as is reasonably practicable’ (SFAIRP). The intent is to ensure that all reasonably practicable precautions are in place, not to achieve some target level of risk.

There are two elements to what is ‘reasonably practicable’. A duty-holder must first consider what can be done – that is, what is possible in the circumstances for ensuring health and safety. They must then consider whether it is reasonable, in the circumstances, to do all that is possible. This means that what can be done should be done unless it is reasonable in the circumstances for the duty-holder to do something less.

Worksafe Australia

This is a real and intractable problem for standards that use an initial assessment of risk to decide how much effort will be applied to treat a hazard (1). Nor can the legislation be put aside by appeals to formalisms such as the ALARP principle, or by invoking a standard such as AS 61508 (2). In essence, if something can be done then it should be done, regardless of the degree of risk, unless it is reasonable in the circumstances to do less.

An illustrative scenario. We are an Australian supplier of a control system for a laser cutting machine, and our scope of supply includes a guarding function. We elect to implement this function in software because of its flexibility. We are a reputable company, we have done this before, and we know our customers’ risk appetite, so we do the risk analysis using the risk-based approach of AS 61508, assess the required safety integrity level (SIL 2, for argument’s sake), carry out the work to the corresponding assurance level, are duly assessed by an independent party as having done so, and deliver our product. Yay us. A year and several hundred hours of operation later, a worker is severely injured by a failure of the guarding function. The subsequent Workcover NSW investigation finds that a software error was the cause. Worse yet for the software team, Workcover NSW also finds that there is prima facie a breach of the Act, because the safety process applied by the company failed to meet the Act’s standard of due diligence.

Why this determination? Because the company had deliberately excluded consideration of the SIL 3 and SIL 4 techniques that might have eliminated the error, and which (given that they are part of the standard) would also be considered reasonably practicable to implement.

Question. You are the EGM in charge of product development. As the designated officer under the terms of the Act, what is your legal defence?

Discussion. You might think that the issue here is that we did not apply a specific technique. But the breach does not turn on whether the error could or could not have been eliminated by technique X; it turns on the failure to consider all reasonable and practicable steps. To put it another way, there is an absolute duty of care under the Act, and the only defence is one of due diligence, which requires the application of the SFAIRP principle. Applying risk criteria as an up-front decision about how much effort to expend does not comply with the Act and therefore fails the test of due diligence.

Engineers should remember that in the eyes of the courts, in the absence of any legislative or contractual requirement, an Australian Standard amounts only to an expert opinion about usual or recommended practice. Also, that in the performance of any design, reliance on an Australian Standard does not relieve an engineer from the duty to exercise his or her own skill and expertise.

Paul Wentworth, Minter Ellison

As a final thought: while I situated the above scenario in the aftermath of an industrial accident, under the current WHS and Rail Safety Acts there need be no accident for a breach to occur, as both impose a duty of care regardless of whether an accident has occurred. So my advice? Don’t get too comfy with those AS 61508 SIL levels; you may find yourself standing out on the windy corner one day because of them.

Notes

1. In contrast, a traditional system safety approach focuses first on acting to eliminate or reduce hazards, followed by an evaluation of residual risk.

2. Bluntly put, in publishing AS 61508 Standards Australia is touting advice that is contrary to the law, weasel-word disclaimers notwithstanding. 🙂

2 responses to What happens when AS 61508 meets the law

  1. 
    Daniel Grivicic 09/12/2015 at 9:50 pm

    Hi Matthew,

    Would you have any opinion on this problem where WHS legislation and AS61508 intersect?

    I’m installing a new gas fired appliance in NSW, so I follow the Gas Supply (Consumer Safety) Regulation 2012. Clause 22 of the regulation requires that I follow AS 5601 (Gas installations - Part 1: General installations). AS 5601 requires that I follow AS 3814 (Industrial and commercial gas-fired appliances) as I have a “Type B” gas appliance. I want to use my shiny new programmable safety controller, and AS 3814 instructs me to use AS 61508 to implement this. My understanding is that AS 61508 is now law (subordinate legislation?).

    One day the unit explodes.

    An inspector from Workcover arrives and begins down the WHS SFAIRP path. I pull out my copy of AS 61508 and use the ALARP argument.

    Who will win?

    Cheers,

    Daniel.

    • 
      Matthew Squair 10/12/2015 at 10:15 am

      Hi Daniel,

      Legal disclaimer to start with, please be aware that I am not a lawyer, and below does not constitute legal advice.

      The executive summary is that it’s not like Thunderdome, ‘two laws enter, one law leaves’ 🙂 The detail follows.

      The WHS legislation has caught a number of jurisdictions out where they have used risk based standards. Some (such as QLD) have made an effort to align their other industrial safety legislation to meet the SFAIRP criteria, some have not. In fact I’m currently working on a project where the industry regulator requires ALARP to be applied, which conflicts with the SFAIRP principles of the WHS Act, happy days. The legislation represents a paradigm shift in managing industrial safety, and like all paradigm shifts it takes a while to percolate through. Note ALARP does not equal SFAIRP and the differences are more than just cosmetic.

      To answer your question, having applied AS 61508 as a standard and selected your SIL level based on a risk assessment, you would still need to justify that SIL ‘X’ was all that could reasonably and practicably be done in the circumstances. The imposition of AS 61508 does not magically wash out your obligation to comply with the WHS Act. In the example you give it would then be up to the courts to interpret the statute and determine whether your reliance on SIL ‘X’ satisfied the WHS SFAIRP criteria. The court ‘could’ decide that applying 61508 was ‘OK’ and satisfied the SFAIRP criteria, but my opinion is that such a construction of the statutes is unlikely. I think it much more likely that the court would interpret that the application of 61508 did not negate the requirement to consider whether all that reasonably and practicably could be done had been done.

      If (for example) your PLC caused the explosion because of a programming error, the court’s question would be whether the hazard represented by such a design error could have reasonably and practicably been eliminated. All I would have to do as an expert witness would be to show that there was a technique in a higher SIL level that could have eliminated that error; given that you would have failed to consider this (and the standard is silent on cost vs benefit as we increase our SIL levels), you are now in a very awkward position.

      For example, say the design error was a race condition in the PLC ladder logic. An expert witness would then point out that formal methods can be applied to the construction of ladder logic to detect such race conditions, and further that such formal methods are recommended for SIL 2/3 and highly recommended for SIL 4. Thus he would conclude such methods are demonstrably practicable, as there are plenty of companies that apply such methods and the standard actually recommends them (industry practice). Your problem is that you had assessed the risk via your Functional Hazard Analysis (deposed in evidence) and from it derived SIL 3 as the corresponding safety requirement in the safety specification (also deposed in evidence), but you had decided not to apply it after some discussion with your supplier, as they were unfamiliar with formal methods, this decision being documented in the software QA plan (deposed as more evidence). Your job now is to show how you had at the time considered ‘all’ that could be done (SIL 4 in effect) in a cost benefit analysis that utilises the rule of gross disproportion. Where is your evidence of such consideration? In the worst case you have no contemporaneous evidence; in the best case you have costs from the supplier for SIL 4 compliance, but it’s unlikely that a cost escalation of 10% to 30% (for argument’s sake) would satisfy the court as being grossly disproportionate.

      I’d also note that the standard uses the terms ‘recommended’ and ‘highly recommended’ which are basically weasel words to avoid legal liability intended to place the onus of responsibility back onto the user of the standard. By including every technique under the sun into 61508 (it’s a huge zeppelin of a standard) effectively you now have to withstand a legal ‘attack in detail’ on whether technique ‘A’ or technique ‘B’ or even technique ‘C’ could have reasonably and practicably been applied. Do you have an answer for each? Regrettably the standard does not provide this sort of backing evidence. So all in all I tend to view 61508 as something of a poison chalice within the Australian legislative environment.

      The most defensible approach would simply be one of attempting to apply SIL 4 techniques across the board, and only where they were demonstrated as having a cost disproportionate to benefit not doing so. There it is.
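The race condition in PLC ladder logic that the reply above uses as its example can be made concrete. What follows is an added illustration, not code from the post, from its author, or from any PLC vendor's tool: a toy bounded model check, written in Python, over a hypothetical two-rung guarding program. The input names (guard_closed, start), the coil names (ok_to_run, laser_enable) and the rung logic are all assumed for the sake of illustration. The racy version consumes an interlock bit in a rung that comes before the rung that computes it, so under the usual scan-cycle semantics (inputs read at the start of the scan, rungs evaluated top to bottom) it acts on the previous scan's value; the fixed version reorders the rungs so the interlock is computed before it is consumed. The checker enumerates every input sequence up to a bound and reports the shortest one that violates the invariant "laser enabled implies guard closed".

```python
from itertools import product

# Added example, not from the post. A tiny bounded model check of a PLC
# scan-cycle program. Rungs are evaluated top to bottom in each scan; a rung
# that reads a coil written by a LATER rung sees the value from the previous
# scan. That one-scan staleness is the race condition in a guarding function.

INPUTS = ("guard_closed", "start")   # hypothetical field inputs, read once per scan

# Each rung: (coil written, expression over this scan's inputs and current coils).
RACY_RUNGS = [
    # rung 1 consumes ok_to_run before rung 2 has updated it in this scan
    ("laser_enable", lambda i, s: i["start"] and s["ok_to_run"]),
    ("ok_to_run",    lambda i, s: i["guard_closed"]),
]

FIXED_RUNGS = [
    # interlock is computed first, then consumed, so no stale value is possible
    ("ok_to_run",    lambda i, s: i["guard_closed"]),
    ("laser_enable", lambda i, s: i["start"] and s["ok_to_run"]),
]


def initial_state(rungs):
    """All coils de-energised at power-up."""
    return {coil: False for coil, _ in rungs}


def scan(rungs, inputs, state):
    """One PLC scan: evaluate rungs in program order; a later write to the same coil wins."""
    state = dict(state)
    for coil, expr in rungs:
        state[coil] = bool(expr(inputs, state))
    return state


def guard_invariant(inputs, state):
    """Safety property: the laser may only be enabled while the guard is closed."""
    return (not state["laser_enable"]) or inputs["guard_closed"]


def bounded_check(rungs, invariant, max_depth=4):
    """Exhaustively simulate every input sequence of 1..max_depth scans.

    Returns None if the invariant holds on all of them, otherwise the shortest
    counterexample as a list of (inputs, state_after_scan) pairs. Searching
    depth by depth guarantees the first violation found is a shortest one.
    """
    values = list(product((False, True), repeat=len(INPUTS)))
    for depth in range(1, max_depth + 1):
        for seq in product(values, repeat=depth):
            state = initial_state(rungs)
            trace = []
            for vals in seq:
                inputs = dict(zip(INPUTS, vals))
                state = scan(rungs, inputs, state)
                trace.append((inputs, state))
                if not invariant(inputs, state):
                    return trace
    return None


if __name__ == "__main__":
    for name, rungs in (("racy", RACY_RUNGS), ("fixed", FIXED_RUNGS)):
        trace = bounded_check(rungs, guard_invariant)
        if trace is None:
            print(f"{name}: invariant holds for every input sequence up to the bound")
        else:
            print(f"{name}: counterexample in {len(trace)} scan(s)")
            for n, (inputs, state) in enumerate(trace, 1):
                print(f"  scan {n}: inputs={inputs} -> state={state}")
```

Running the block reports a two-scan counterexample for the racy program (guard closed with the start input released, then guard opened and start pressed in the same scan, which energises laser_enable from the stale ok_to_run) and no counterexample for the reordered program. A production-grade check would translate the IEC 61131-3 program into the input language of a model checker rather than hand-coding rungs as lambdas, but the property being checked, and the kind of evidence it produces for a SFAIRP argument, are the same.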
