ALARP


ALARP FOR ENGINEERS: A TECHNICAL SAFETY GUIDE.

Safety and Reliability Group

Improving the world through engineering


The IMechE Safety and Reliability Group

The IMechE Safety and Reliability Group promotes the development of safety and reliability requirements for products such as equipment, systems, or services.

What we do:
• Provide best practice guides and information to engineers associated with designing,
manufacturing, operating or maintaining products.
• Increase the public understanding of risk, while continuing to work on the assessment
of Hazardous events, dissemination of lessons learned and the promotion of risk
reduction strategies.
• Represent the Institution on the Hazards Forum which provides an interdisciplinary
focus for the study of disasters.
• Organise events, such as the annual ALARP Seminar.
• Support Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk
and Reliability.

We strive to produce up to date, effective communications and therefore welcome any
comments on this document, or ideas for improving future revisions. Please send your
contributions to: keith.miller@member.imeche.org.

The SRG is a voluntary group, which meets quarterly. We welcome new members
who have experience in, and a passion for, safety. Please send CV to
steve.hillier@member.imeche.org.

Acknowledgements

This document has been developed by Working Group 2 of the Safety & Reliability Group,
with support from the other SRG working groups.

We would like to thank the many external reviewers whose contributions have been
invaluable. Special thanks go to the Hazards Forum, who have made a vital contribution
for getting this revision published.

Report Version: 1.1 | Last Revision Date: 14 May 2024


Contents

Glossary of terms (page 4)
Acronyms (page 6)
1. Introduction and scope (page 7)
2. UK Safety legislation (page 10)
3. Overview of the safety risk management process (page 20)
4. Identification (page 27)
5. Evaluating reasonably foreseeable consequences (page 39)
6. Analysis (page 41)
7. Lifecycle criteria (page 58)
Documenting and communicating the Demonstration of ALARP (page 60)
Upkeep of ALARP demonstration and management of change (page 68)
Common pitfalls (page 71)
References (page 73)
Appendix A: Risk, its measurement and prediction (page 74)
Appendix B: Technical errors in risk quantification models (QRA/PRA/PSA) (page 88)
Appendix C: Compliance checklist (page 94)


Glossary of terms

Barrier: Another term for a Risk Reduction Measure (RRM), generally used in the context of Bow Ties.

Case law: Interpretations of Statutory Law, made by the senior courts.

Cause: Anything whose absence may prevent a loss, e.g. errors in design, manufacture, control, human factors, ergonomics, management systems, equipment unreliability, RRM flaws, safety culture, conflicts of interest, cognitive bias. (NB. Terms such as root, direct and indirect causes may be ambiguous, so they are avoided.)

Complex system: One where the person observing the system cannot be expected to recognise the relevant variables or their effects without further knowledge, understanding, or analysis, e.g., electronic control system, or sociotechnical system (cf. Simple system).

Failure mode: A type of failure, e.g., corrosion, fatigue, rupture, unrevealed control failure.

Good Practice: Standards, practices, methods, guidance, and procedures conforming to the law and the degree of skill and care, diligence, prudence, and foresight which would reasonably and ordinarily be expected from a skilled and experienced person or body engaged in a similar type of undertaking under the same or similar circumstances. NB. The HSE have also defined Good Practice as the generic term for those standards for controlling risk which have been judged and recognised by HSE as satisfying the law when applied to a particular relevant case in an appropriate manner.

Gross disproportion: An RRM that is not considered to be reasonably practicable, because the sacrifice (in time, trouble, or money) is disproportionate to the Risk being mitigated. See Section 2.3 for a full definition.

Hazard: Any reasonably foreseeable object, material, energy, situation, action, reaction, or behaviour that has the potential to cause harm, for the purpose of directly identifying appropriate prevention or risk mitigation, e.g., cooking oil fire in busy kitchen, pressurised release of toxic material from relief valve upwind of an office building, aircraft stalls whilst turning finals at one thousand feet. A hazard is simply the starting point of an analysis, the thing that is identified, so its exact form is not critical, although the more detail given the more useful it may be. NB. Depending on the analytical objectives the hazard could be either i) poor control panel layout ii) operator presses wrong button iii) reactor goes unstable iv) reactor melts down v) radiation reaches domestic housing vi) people exposed to radiation or vii) people die from radiation sickness. Any of these could be described as a hazard or a cause, depending on the analytical context, so hazards may be described as mutually exclusive risk scenarios that generally represent several causes. The differences between hazards, risks and causes are not always clear.

Hazard System: A set or group of interacting, interrelated or interdependent elements or parts that achieve a common safety objective, including hardware, software, human interactions, procedures, management systems, competency/training, emergency response and the operating environment (natural or imposed). It could differ for a permanent situation, scenario, or activity.

Legal duty holder: The organisation or individual upon which the legal obligation lies.

Lifecycle criteria: Safety Critical data that needs to be established at the design stage and maintained or updated throughout the lifecycle of the product.


Proportionality: The test whether sufficient effort has gone into identifying, preventing and/or mitigating Risks, i.e., whether all that is Reasonably Practicable has been done, see Section 3.2.

Qualitative argument: Non-probabilistic evidence, based on the logical, technical and/or physical characteristics and responses of a Hazard System.

Quantitative argument: An argument based on numerical probabilities and consequences.

Quantitative Risk Assessment (QRA/PRA/PSA/TARAM): Tools to predict risk where there are no robust statistics available.

Randomness: A condition where it would not be reasonably practicable for the variables affecting the system to be controlled, either due to ignorance, inability, or conscious decision – see Appendix A.

Reasonable foreseeability: A legal concept to define which Hazards fall within legislation – see Section 2.2.

Reasonably practicable: See Section 2.3.

Regulator: The UK HSE, ONR, ORR, CAA, local authorities, and the police.

Risk: A combination of severity and likelihood, expressed in case law as ‘The possibility of danger’.

Risk quantification: This can be by calculation, measurement, or estimation. Measurement is by statistics, which should be robust (see below).

Risk Reduction Measure (RRM): Any measure that removes a hazard or prevents harm to people, reduces its likelihood or mitigates the consequences.

Robust statistics: Data that complies with the following criteria:
• Representative of the relevant population
• All variables and sample points are random
• Statistically significant
• Free of unfalsifiable chance correlations
• Ergodicity

Safety Critical: Any component, function, activity, process, or procedure whose omission, failure or incorrect operation could increase risks associated with the Hazard System.

Scenario: A specific set of conditions that may be physical, sociological and/or environmental, which could create a hazardous situation.

Simple system: One where the person observing the system could be expected to recognise the relevant variables and their effects, e.g., crossing the road safely, or understanding how a load affects the stress in a beam (cf. Complex system).

Statutory law: Laws made by the UK Parliament.

Well-reasoned argument: A qualitative, rational explanation of how all reasonably foreseeable hazards have been systematically identified and all reasonably practicable RRMs have been implemented – see Sections 8.1 and 8.2. It may be supported by quantitative arguments provided they are based on robust statistics, or modifications thereof that comply with the Royal Statistical Society, Practitioner Guides Nos. 1 to 4, Guidance for Judges, Lawyers, Forensic Scientists and expert witnesses, and are free of any of the errors in Appendices A and B of this document.



Acronyms

ACoP Approved Code of Practice
ALARP As Low as Reasonably Practicable
BSL Basic Safety Level
CAA Civil Aviation Authority
CBA Cost Benefit Analysis
CFD Computational Fluid Dynamics
COMAH Control of Major Accident Hazards Regulations
COSHH Control of Substances that may be Hazardous to Health
FMEA Failure Modes and Effects Analysis
FSA Functional Safety Analysis
FTA Fault Tree Analysis
GSN Goal Setting Notation
HASAWA Health and Safety at Work Act
HAZID Hazard Identification Methodology
HAZOP Hazard and Operability Study
HE Human Error
HEP Human Error Probability
HF Human Factors
HFA Human Factors Analysis
HRA Human Reliability Analysis
HSE The UK Health & Safety Executive
LOPA Layers of Protection Analysis
MHSWR Management of Health and Safety at Work Regulations
ONR Office of Nuclear Regulation
ORR Office of Road and Rail
PDCA Plan Do Check Act
PDF Probability Distribution Function
PPE Personal Protective Equipment
PRA Probabilistic Risk Analysis
QRA Quantified Risk Analysis
RAM Risk Assessment Matrix
RRM Risk Reduction Measure
RSS Royal Statistical Society
SCR Safety Case Regulations
SFAIRP So Far as Is Reasonably Practicable
SIF Safety Instrumented Function
SIL Safety Integrity Level
STPA Systems Theoretic Process Analysis
STAMP Systems Theoretic Accident Model and Processes
TRA Task Risk Analysis
TSL Target Safety Level
UCC Unfalsifiable Chance Correlation
WRA Well-Reasoned Argument

Changes for Revision 1.2

Section No. | Title | Changes
All | General | Mostly minor corrections and clarifications, for those listed below.
2.3 | Reasonable practicability, risk quantification and gross disproportion | Additional text explaining why risk quantification is not a legal requirement.
3.3 | The proportionality matrix | Revised matrix with clearer descriptions.
6.1 | RRM effectiveness review | Expanded guideword listing.
6.11 | LOPA | Rewritten to emphasise effectiveness as a reliability assessment tool.
6.12 | Risk matrices and QRA | Rewritten for clarity around statistical analysis.



1. Introduction and scope

This document explains the UK legal obligation to reduce risks So Far As Is Reasonably Practicable (SFAIRP), which is more commonly known as As Low As Reasonably Practicable (ALARP), in an engineering context. Nevertheless, the principles and methodologies discussed here could be regarded as sound practice, regardless of a country’s legislative regime.

The document applies to engineering decisions for all risks, minor or major, throughout the lifecycle of any product, activity, process, or installation, including its design, construction, commissioning, operation, modification, integrity management, decommissioning and disposal.

NB. There are many examples of UK Legislation which are prescriptive as to the safeguards which must be taken, regardless of the SFAIRP approach, for example the Pressure Systems Safety Regulations, Water Supply (Water Fittings) Regulations, COSHH, to name only a few.

However, whilst recognising that certain industries have dedicated legislation and have developed specific guidance for their types of Hazards and Risk Reduction Measures (RRMs), this guidance is intended to establish the generic principles and encourage cross-pollination of best practice across all industries and products.

There have been several developments since much of the existing guidance was written, which include changes in the law, legal precedent, evidential admissibility, lessons from accidents, new analytical techniques, and the discovery of fundamental errors in some existing methodologies. The need for new advice to supplement and correct those parts of existing guidance that are weak, to help engineers comply with the law, improve safety, and avoid unnecessary costs and studies is therefore clear. The specific objectives of this document are therefore to:
• Explain the risk management processes involved.
• Explain lifecycle considerations and lessons from process safety.
• Explain the systems approach to risk assessment.
• Highlight some of the common misconceptions about legal obligations.
• Communicate legal precedent with respect to Reasonable Foreseeability.
• Explain the pitfalls and benefits of deterministic, qualitative, and quantitative analytical techniques.
• Explain the importance of Good Practice, standards, and approved codes of practice.
• Explain the criteria for probabilistic evidence to be admissible in a UK law court.
• Explain the common probabilistic error types.
• Describe acceptable methods of demonstrating gross disproportion.
• Describe how to build a Well-Reasoned Argument (WRA) to demonstrate legal compliance.
• Outline a risk management process which is logical, objective, contiguous and systematic.

The document has been peer reviewed within the IMechE and reviewed by other Institutions, lawyers, and safety experts from various industries. It is primarily aimed at engineers, but may also be useful to managers, students, auditors, and accident investigators. Lawyers wanting to know more about how engineers can manage risk may also find it informative.


1.1 Why this document is needed

The following text describes some of the relevant changes that may not have been incorporated into, or recognised by, existing guidance.

1.1.1 Process safety

Process safety is a disciplined framework for managing the integrity of operating systems and processes that handle hazardous substances. It relies on good design principles, engineering and operating and maintenance practices, and management of change procedures to ensure the prevention and mitigation of events throughout the lifecycle of the facility.

The legal requirement for companies to ensure that risks are reduced to SFAIRP under the HASAWA has existed in the UK since 1974. The recommendations of the Baker Report on the BP Texas City Refinery disaster in the US in 2005 (1), form the basis of much of what is generally considered today to be relevant Good Practice in Process Safety Management.

Although the concept of process safety has existed since the 1970s, it was greatly strengthened by the Baker report. Whilst this was aimed at the process industries, its principles may be applied to most enterprises, and it is now becoming well established as Good Practice. It requires a set of criteria to be established and used to maintain the integrity of the plant throughout its lifecycle. Most of these criteria need to be developed at the design stage as part of the engineering process and then incorporated into such things as performance standards, operations procedures, maintenance, and inspection routines, change control and decommissioning/disposal strategies. They are described here as the Lifecycle criteria (Section 7).

1.1.2 Systems approach to safety

After the Grenfell Tower disaster, there has been an increased emphasis on the systems approach to demonstrate that all Reasonably Practicable risk controls are in place. In this case a Hazard System is defined as a set or group of interacting, interrelated or interdependent elements or parts that achieve a common safety objective, including hardware, software, human interactions, procedures, training, emergency response and the operating environment (natural or imposed). System definition is therefore an early stage in the process.

1.1.3 Reasonable foreseeability

Legal precedent has established reasonable foreseeability as an important criterion for determining whether the responsible party (the Legal Duty Holder) has met their obligations. However, what may be considered reasonably foreseeable is not straightforward and warrants further explanation.

1.1.4 Probabilistic assessment

UK legislation does not require the quantification of risks, and the methods of estimating or calculating them are prone to unacceptable errors and uncertainties. Errors of over nine orders of magnitude can result from simple mistakes (Appendix B6), yet there is no means of verifying or sense checking these figures. Although statistical data can play a significant role in the management of risk, especially for reliability assessments and monitoring performance during operations, risk prediction can be highly deceptive. Caution should therefore be exercised if a risk assessment is to use any form of probabilistic argument.



Appendix A explains some of the fundamental statistical and mathematical requirements for probabilistic arguments and any form of cost benefit analysis. It also discusses the difficulty of satisfying these in an engineering context, plus some of the cognitive biases that affect any form of prediction, such as risk matrices. Appendix B references some of the errors that may occur in computerised risk models (QRA/PRA) and their data. Many of these errors and uncertainties arise from a lack of robust data, which may preclude their use in a stand-alone quantitative model. Nevertheless, where robust statistical data is available, it may well be useful in supporting a Well-reasoned Argument, as deterministic evidence alone may lead to overly conservative conclusions.

The Offshore Safety Case Regulations of 1992 introduced the requirement to assess probability but subsequently removed it in 2005. Guidance such as Reducing Risks, Protecting People (2) was written during this period and has not been updated, leaving a legacy perception that risks must be quantified and should be Tolerable, which is incorrect (Section 2). Nevertheless, many HSE and industry guidance documents still promote the use of risk quantification and risk matrices, risk profiling, risk targets and risk ranking, none of which are legal obligations. UK law requires that all Reasonably Practicable risk controls be in place, no matter how large or small the risk is. This requires a systematic process of hazard identification, prevention, and mitigation, which may need to comply with Good Practice, prescriptive legislation, standards, approved codes of practice, guidance, and be based on a WRA.

1.1.5 Evidential admissibility

Following several miscarriages of justice due to errors in probabilistic evidence, much stricter controls have been applied to what is admissible in court (3). These limit probabilistic arguments to only the simplest of calculations applied to Robust Statistics. This has significant implications for predictive modelling, such as QRA.

Risk matrices are highly subjective and unlikely to constitute reliable evidence. They are commonly used to evaluate the level of assessment required, i.e., Proportionality. Section 3.2 provides an alternative to risk matrices, which is more objective and legally admissible.

1.1.6 Risk management contiguity

The strategy for managing any given risk is largely a matter of professional judgement, but this can lead to disparate and incontiguous studies, which may not effectively communicate whether all Reasonably Practicable analytical efforts have been undertaken. This document therefore attempts to join the dots by guiding the reader through a more logical and sequential approach, which may improve safety and provide a more cost-effective means of legal compliance.



2. UK safety legislation

Key messages
The UK legal regime for health and safety is based on the Health And Safety At Work Act
(HASAWA), which places an obligation on the Legal Duty Holder to identify all Reasonably
Foreseeable Hazards and ensure, So Far As Is Reasonably Practicable (SFAIRP), that
neither employees nor the public are exposed to Risks to their health or safety. This is often
expressed as an obligation to reduce Risks to As Low As Reasonably Practicable (ALARP).

These legal obligations give discretion to the Legal Duty Holders, as to how they should
best minimise Risks. They cannot be delegated or transferred, but this does not mean that
subordinates or contractors are absolved of their responsibilities either (Section 2.6).

There are also prescriptive laws that apply to certain types of activity and industry.
Furthermore, any standards, guidance, Approved Codes of Practice may be regarded
as Good Practice, which should be complied with, unless a WRA has been provided to
justify deviating from them.

The analysis must be Proportionate to the nature and complexity of the situation and the
severity of its effects if it is to identify all Reasonably Foreseeable Hazards.

The analysis must recognise the social and technical aspects of the Hazard System(s), and
this may include materials, potential failure modes, activities, scenarios, escalations, human
factors, environmental aspects, and any other factor that might influence Risk (Section 6).

There is no legal requirement to quantify Risk, nor does a Risk figure demonstrate SFAIRP or
ALARP. ‘Tolerable’ Risk is not a legal concept.

The legal obligations apply to the whole lifecycle of the Hazard System.

The argument for excluding a Risk Reduction Measure (RRM) on the grounds that it would be
grossly disproportionate would need to be convincing to a reasonable person (Section 2.3).
The inability of a Legal Duty Holder to pay for an RRM is not a justification.

The Reverse Burden of Proof puts the onus on the Legal Duty Holder to demonstrate that
all Reasonably Practicable RRMs have been implemented (Section 2.7). It is therefore
prudent to record all significant decisions with a WRA, regardless of whether a Safety Case
is legally required.

Disclaimer: This Section is intended to provide engineers with a brief description of the
key principles of UK goal setting safety law, to assist with their day to day professional
responsibilities. However, there may be exceptions, nuances, special requirements and
prescriptive laws that may apply to specific industries, activities, or products, that have
not been covered. Some case law examples have been summarised, to assist in this
understanding but these cannot constitute a rigorous explanation; only generalities that
may require further research. Wherever uncertainty exists the reader is strongly advised
to seek legal advice.
Whilst the HASAWA is a broad umbrella obligation, there may be some exemptions,
such as the design of highways.


The HASAWA applies to:
• Products, installations, processes, and activities.
• The whole lifecycle, from the initial feasibility assessment, through design, construction, commissioning, operation, maintenance, modification, decommissioning and disposal.
• Hazard identification, prevention, mitigation (whether consequence or likelihood reduction) and emergency response.
• The Hazard System relating to each hazard, e.g., any interacting, interrelated or interdependent elements or parts that achieve a common safety objective, including hardware, software, human interactions, procedures, management systems, competency/training and the operating environment (natural or imposed).

SFAIRP vs. ALARP

UK health and safety law requires the Legal Duty Holder to ensure So Far As Is Reasonably Practicable (SFAIRP), that employees and anyone affected by what he does, is not exposed to risk to their safety, health or wellbeing. However, from 1992 to 2005, the Offshore Safety Case legislation required risks to be reduced to As Low As Reasonably Practicable (ALARP), but apart from one reference in Regulation 29 this has now been removed because it led to an over-emphasis on risk quantification. Whilst both terms are often argued to be the same, ALARP is an abstract (because it refers to risk) whilst SFAIRP is more material, referring to actual safety measures.

ALARP has become common parlance to describe SFAIRP (which may be because it simply rolls off the tongue more easily). Although this document refers to SFAIRP and ALARP, both should be interpreted as answering the same basic question, ‘Have all reasonably practicable RRMs been implemented, in the systems we design and build, to ensure that people are safe from the Hazards to which they will be exposed?’

NB. Goal setting legislation is supported by delegated legislation (normally regulations), many of which may be prescriptive in nature. This legislation generally relates to specific industries or types of activity, mandating certain criteria, such as the need for protective equipment or setting exposure limits to certain hazard types, such as noise, chemicals, and radiation. However, these regulations are beyond the scope of this document.

A safety analysis/risk assessment may need to address the problem at any one or more of the following levels:
• Hazards are regarded here as any features that could endanger people, such as toxic chemicals, flammable materials, suspended objects, and thunderstorms.
• Consequences relate to the nature and severity of health and safety effects and the number of people involved.
• Failure modes are types of loss of control, such as the failure of a vessel by rupture, corrosion, or fatigue.
• Causes are anything that if they were absent could prevent the loss, e.g., errors in design, manufacture, control, human factors, ergonomics, management systems, safety culture, conflicts of interest, cognitive bias. (NB. Terms such as root, direct and indirect causes may be ambiguous, so they are avoided here.)
• Activities or Scenarios are specific activities or conditions, such as the removal of a safety item for maintenance.
• Escalations relate to the way hazards develop, such as an electrical fire spreading throughout a building.
• RRMs relate to controls, mitigations, barriers, procedures, and any other measures to prevent or reduce the risks of loss.

These categories are not universal, so they are not common to all accidents, which may develop in different ways. They should therefore only be used as a guide. The type and content of the analysis will depend upon the character and the reasonably foreseeable consequences of the Hazard System (Sections 3 & 6). It will need to determine whether the hazard can be eliminated, contained, controlled,


or mitigated and whether any RRMs have flaws or limitations that would limit their effectiveness (Section 6.1). RRMs, which are sometimes referred to as barriers, are any measure that reduces the likelihood or consequence of an accident. They are not limited to hardware and may relate to software, human factors, management systems, training/competence, procedures, proximities to other equipment or hazards, locality, and environment.

Because the regulations relate to all phases of the lifecycle, many of the Lifecycle criteria (Section 7) will need to be established at the design stage and maintained or updated throughout the lifecycle. The concepts have been formally recognised by the HSE for the process industries since the Baker Report on the Texas City disaster (1), and the principles are now established Good Practice, so they should be equally applicable to other industries and products.

2.1 Regulatory control and prosecution

UK safety law is of two types, statutory legislation (made by Parliament) and case law1, which is interpretations of statute made by judges, the latter of which is particularly important for goal setting regulations. It also includes law made by judges themselves, such as for example, the tort of negligence. In the UK legal system criminal prosecutions are brought by the state, primarily under the Health and Safety at Work etc. Act 1974 (HASAWA) and associated sets of regulations. Civil actions are brought by individuals for compensation due to injury or death caused by negligence (Duty of Care failings) or case law. The standard of proof for civil cases is based on the balance of probabilities, i.e., it is more likely than not to be true, but for criminal cases it is more complex, as explained in Section 2.7. However, the burden of proof differs, because it lies with the Legal Duty Holder (Section 2.6) to demonstrate compliance for criminal cases, and the claimant to prove negligence or breach for civil ones.

The duties set out in HASAWA include the following:

Section 2 General Duties of employers to their employees: (1) It shall be the duty of every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all his employees.

Section 3 General duties of employers and self-employed to persons other than their employees: (1) It shall be the duty of every employer to conduct his undertaking in such a way as to ensure, so far as is reasonably practicable, that persons not in his employment who may be affected thereby are not thereby exposed to risks to their health or safety.

Section 6 General duties of manufacturers etc. as regards articles and substances for use at work: (1) It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at work or any article of fairground equipment— to ensure, so far as is reasonably practicable, that the article is so designed and constructed that it will be safe and without risks to health at all times when it is being set, used, cleaned or maintained by a person at work;

The Management of Health and Safety at Work Regulations (MHSWR) includes the following:

Section 3 Risk Assessment: (1) Every employer shall make a suitable and sufficient assessment of— the risks to the health and safety of his employees to which they are exposed whilst they are at work; and the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking, for the purpose of identifying the measures he needs to take.

The primary aims of this document are to explain what these terms mean in an engineering context.

1 Also known as Common Law, as opposed to Statutory Law, which is made by parliament.


Relevant case law examples on foreseeability and everyday risk

Foreseeability: McLean v Remploy, 1994. The employer was found not liable in a case where a practical joke played by one employee resulted in injury to another, as it was deemed to be not Foreseeable.

Foreseeability with respect to standards, or generally available understanding of, the risk: Baker v Quantum Clothing Group, 2011. The court found the employer not liable because, at the time of the employees’ hearing damage, there was no recognised guidance on acceptable noise levels in the workplace, so it was therefore deemed not Foreseeable.

Risk must be more than the everyday risk: Dean & Chapter of Rochester Cathedral v Leonard Debell, 2016. A tripping accident due to a piece of concrete protruding from under a traffic bollard, where the appeal court found the defendant not liable. The court concluded that a) it was an extremely small piece of concrete, and it was unlikely that a pedestrian would walk so close to the bollard, and b) the Risk had to amount to more than the “everyday risk” from normal blemishes or defects common to any road or path.
Regina v Porter, 2008. The case involved the death of a three-year-old boy, who injured his head when jumping from steps in his school playground. Unfortunately, having been taken to hospital he contracted MRSA and died. The judge stated, ‘Where the Risk can truly be said to be part of the incidence of everyday life, it is less likely that the injured person could be said to have been exposed to Risk by the conduct of the operations in question’.

Harm does not need to have occurred: Regina v Board Of Trustees Of The Science Museum, 1993. One of the museum’s cooling towers was found to contain the bacteria which causes Legionnaires’ disease. No-one had succumbed to that disease, but there was a Risk to health and safety. A Risk existed, which was regarded as ‘a possibility of danger’. The guilty verdict was upheld by the appeal court.

All appropriate means must be used to identify the risk: Regina v Tangerine Confectionery Ltd and Veolia, 2011. Tangerine involved a man crushed in a machine because he had not followed the company procedure. Veolia involved the death of a litter picker working on the side of a fast road. In both cases the argument that the incidents were not Foreseeable as they were an incidence of everyday life was rejected. The general duties under the HSWA “command an enquiry into the possibility of injury”; however, “They are not limited, in the risks to which they apply, to risks which are obvious. They impose, in effect, a duty on employers to think deliberately about things which are not obvious”.


Approved Codes of Practice (ACoPs) have a special legal status and provide practical examples of Good Practice that will be considered by the courts. They give advice on how to comply with the law by, for example, providing a guide to what is Reasonably Practicable and what is required for a risk assessment to be ‘suitable and sufficient’. Guidance does not have the same legal status, but either may be considered Good Practice; therefore, if the Legal Duty Holder chooses to deviate from them, it will always be prudent to record a full explanation, i.e., a WRA.

The Regulators and their agencies, such as the Health & Safety Executive (HSE), Office of Nuclear Regulation (ONR), Office of Rail and Road (ORR), and the Civil Aviation Authority (CAA) oversee compliance and have a duty to accept safety cases/reports for certain ‘permissioned’ industries, such as nuclear, chemical, process and offshore oil and gas. However, the final arbiter of any safety case/report, or breach of legislation, is the judiciary, who will seek answers to three basic questions:
1. Was the Risk Reasonably Foreseeable?
2. Was the risk anything more than what can truly be said to be part of the incidence of everyday life?
3. Would it have been reasonably practicable to further reduce or eliminate the risk?

If the answer is no to any of these questions the courts are likely to acquit the defendant. However, it is necessary to refer to case law to understand how the questions will be answered.

2.2 Reasonable foreseeability and the ‘Incidence of everyday life’

Reasonable Foreseeability is an important concept to engineers because it determines whether a Hazard will need to be addressed. The case law examples given above are helpful in clarifying these issues.

The last example above, R v Tangerine & Veolia, is particularly relevant because it imposes a duty to undertake appropriate studies to identify the Hazards and how they could be liberated, prevented, or mitigated, i.e., establish a detailed understanding of the technical and/or human factor issues. An alternative way of stating this could be: ‘The analysis must be Proportionate to the nature and complexity of the situation and the severity of its effects if it is to identify all Reasonably Foreseeable Hazards’.

The guidance to the Offshore Safety Case Regulations states that it is Foreseeable that a helicopter could crash into an offshore oil and gas installation, but not an airliner. This implies that the airliner scenario is not plausible, rather than not Foreseeable, as it has been foreseen. The premise here is that a reasonable person would agree that, although the airliner scenario is possible, the combination of conditions that could lead to it may be dismissed as not plausible or, in the accepted legal terminology, not Foreseeable. The rationale would appear to be that there are enough natural or man-made RRMs to make the collision implausible, e.g., aviation law, pilot competence, the remote vicinity of an offshore platform, radar, and visual flight rules. It therefore follows that any event that is provided with enough suitable RRMs could be argued to be not Foreseeable. This conclusion is supported by Case Law, R v HTM (Section 2.3).

This raises the question of what it is that would be Reasonably Foreseeable – consequence, scenario, failure mode or cause. Taking the Chernobyl disaster as an example:
• Was a nuclear meltdown reasonably foreseeable?
• Was a turbine rundown test a reasonably foreseeable accident scenario?
• Was negative void coefficient a reasonably foreseeable failure mode?
• Were breaches of procedures, or the design of the core, reasonably foreseeable causes?

Logically, any one of these questions is a valid determinant of whether the legal obligations have been met.


In this context, a reasonable definition of ‘not Foreseeable’ could be compliance with the following criteria:
• It is not required by any standard, guidance, code of practice or accepted Good Practice.
• Appropriate studies (such as HAZID, HAZOP, FMEA) would not identify the Hazard, consequence, scenario, failure mode or cause.
• There is robust statistical evidence that these RRMs, operating under the same conditions, have not failed in the past.
• It is not plausible that it will occur in future, as justified by a well-reasoned argument, e.g., it can be demonstrated that there are several RRMs in place, which are sufficiently effective, diverse, reliable, and redundant that total failure would not be plausible.

If an event is reasonably foreseeable, then the legal duty holder must demonstrate that all reasonably practicable risk controls have been implemented.

2.3 Reasonable practicability, risk quantification and gross disproportion

Case law examples relating to reasonable practicability

Definition: Edwards v National Coal Board, 1949 is the widely accepted definition, where Lord Asquith stated: “Reasonably practicable is a narrower term than ‘physically possible’ and implies that a computation must be made in which the quantum of risk is placed in one scale and the sacrifice involved in the measures necessary for averting the risk (whether in time, trouble or money) is placed in the other and that, if it be shown that there is a great disproportion between them – the risk being insignificant in relation to the sacrifice – the person upon whom the obligation is imposed discharges the onus which is upon him.”

The legal duty holder’s ability to pay for risk reduction is irrelevant to the liability: R v Howe and Son (Engineers) Ltd, 1999. The Court of Appeal said: “The size of a company and its financial strength or weakness cannot affect the degree of care that is required in matters of safety. Otherwise, the employee of a small concern would be liable to find himself at greater risk than the employee of a large one.”

The relationship between foreseeability and reasonable practicability: R v HTM, 2006. HTM claimed that two employees who had been trained, coupled with warnings on the machinery, nevertheless broke the rules. It was not Foreseeable that they could have done anything more to prevent their deaths. The company were found not liable and this was upheld by the court of appeal, who made several points, including the following:
• It was correct that evidence of foreseeability should be allowed because that evidence was potentially relevant to the issue of reasonable practicability.
• Foreseeability was merely a tool with which to assess the likelihood of a risk eventuating.
• A defendant to a charge under sections 2, 3 or 4 of the HSWA, when asking a jury to consider whether it had done everything that was reasonably practicable, could not be prevented from bringing evidence as to the likelihood of risk occurring.

The issue of defining what is, or is not, reasonably practicable is probably the most disputed aspect of this legislation and this has led to many different approaches for demonstrating it, some of which would be unlikely to provide a sound defence in a law court. There is limited case law on reasonable practicability, and this is not without ambiguity. Perhaps the most significant misinterpretation of Lord Asquith’s judgment is the assumption that


risks must be predicted quantitatively. This may stem from his use of the term computation, but this was before the advent of commercial computing, so its meaning may have been misconstrued. This perception has been worsened by documents such as the HSE’s ‘Reducing Risks, Protecting People’ (2), which discusses risk quantification, tolerable and broadly acceptable risks and risk ranking, none of which are legal requirements and may not be feasible either, as there may not be any valid means of making such calculations, as demonstrated in Appendices A & B. There is industry and regulator guidance that refers to risk quantification, which may add to the perception that it is a legal requirement. Most of these documents were published before the Offshore Safety Regulations were revoked in 2005.

Part of this reluctance to change the guidance may come from PFEER Regulation 5, which states: ‘An assessment shall consist of – (b) the evaluation of the likelihood and consequences of such events.’ However, this does not mean that risks must be quantified, for the following reasons.

Firstly, UK legislation always refers to likelihood, rather than probability. This is relevant because the terms have different connotations; probability is quantitative, whereas likelihood is qualitative. With SFAIRP and ALARP the emphasis is on reducing risks rather than quantifying them. Quantification cannot demonstrate that risks are ALARP.

Secondly, likelihood is a function of the causes, which may be due to unsafe acts or the failures of barriers. Accident reports and inquiries show that risk is influenced by the quality of many variables, including the following:
• equipment configurations, limitations, design error,
• hazard identification and assessment,
• management systems, leadership, and management of change,
• authorisations, and permit to work,
• planning and logistics,
• safety cultures, attitudes, and behaviours,
• procedures,
• ergonomics, and human factors,
• competence, training, and communications,
• budgets, staffing levels, and productivity pressures.

None of these can be quantified because they have no mathematical relationships, and they cannot be measured statistically, so it would be impossible to make any meaningful predictions (Appendices A & B). Nevertheless, it may be reasonably practicable to:
• identify the Failure Modes and their effects,
• understand the reasons for these failures and how they might escalate, and
• assess the effectiveness of the preventative RRMs.

These characteristics can be evaluated qualitatively by competent people, especially by undertaking appropriate studies (Sections 4 & 6), and referring to Good Practice, guidance documents, standards and previous accident reports. This, together with the consequence analysis (Section 5), will provide the relevant information to make informed judgements as to whether the risks have been reduced to ALARP. An ‘evaluation of the likelihood’ can therefore only be demonstrated using a qualitative Well-Reasoned Argument (Section 8.1).

R v HTM gives an insight into the relationship between Reasonable Practicability, Reasonably Foreseeable and likelihood. The court of appeal makes clear that Foreseeability is one test of Reasonable Practicability and that it is also a means of describing likelihood. The arguments for it were Qualitative, not Quantitative. The most reliable criteria may therefore be the types of evidence permissible in court and whether barristers would be prepared to use them.

Although Cost Benefit Analysis (CBA), which is the method recommended in R2P2, is ostensibly the most logical means of demonstrating Gross Disproportion, it may not be legally acceptable unless it is based on Robust Statistical data, which is rarely available for engineered Hazard Systems. The judiciary have recognised these problems and the RSS guidance (3) sets out four basic criteria for such evidence:
• Expert witnesses must have appropriate competence in statistics if they are to give probabilistic evidence. This must therefore be true for anyone providing such evidence.
• Methods of modifying statistical base rates are limited to a form of deductive Bayesian inference, discouraging the use of mathematical formulae. The guides only refer to one stage of modification,

(from prior probabilities, known as base rates, to inferred posteriors), thereby indicating that multiple modifications, such as the complicated algorithms used in computer models, are too complex to be admissible.
• Evidence must be relevant to the case (which is, in any case, a requirement of the courts). Statistical base rates must therefore be representative.
• All assumptions must be stated, and independence must be demonstrated, never assumed.

The limitations of CBA are covered in Appendix A7, which shows that risks calculated by QRA have unacceptable errors and uncertainties that invalidate CBA. Nevertheless, there may be cases where CBA is valid, such as drugs trials based on large datasets. Appendices A & B therefore cover the feasibility and major pitfalls of using probabilistic data. For these reasons gross disproportion would almost inevitably need to be based on a conservative WRA that would be convincing to a reasonable person. Given the absence of case law relevant to this, it is recommended that any demonstration of gross disproportion should abide by the following eight principles:
1. It should demonstrate that the analysis has been proportionate (Section 3.1), i.e., undertaken in enough detail to understand the hazards and any relevant failure modes, causes, activities or scenarios that could lead to an accident and how they may be prevented or mitigated.
2. It should demonstrate a sufficient understanding of the technical and social issues associated with the risk.
3. If appropriate, it should show that any relevant standards, approved codes of practice, guidance and relevant Good Practice are not applicable to the unique set of circumstances being considered.
4. If the rejected RRMs would have reduced the potential consequences, those benefits should be stated in conservative terms, considering the number of people affected, their injuries, damage to their health and/or loss of life.
5. If the rejected RRMs would have reduced the probability of an event, this should be expressed in qualitative terms.
6. It should consider any risk transfers or trade-offs (Section 2.4).
7. It should consider the societal expectations for the situation being considered, bearing in mind that these may change with time. Society would clearly expect greater expenditure/sacrifice for fatalities than minor injuries and may include an element of risk aversion (where the acceptance of multiple fatalities is disproportionately less than that of single deaths).
8. The argument should be convincing to a reasonable person (or the majority of a jury), based on the balance of probabilities.

It should also be noted that if an RRM would have been reasonably practicable to install at the construction stage of a project, it would not be possible to argue that it is grossly disproportionate later because of the increased cost of retrospective implementation.

In conclusion, if an RRM cannot be shown to be grossly disproportionate based on these principles, then it must be implemented (and operations may need to be stopped until it is).

2.4 Risk transfer and risk trade-offs

Some RRMs may cause risk transfers between different groups, such as employees, customers, and the public. There are no fixed rules regarding any such compromises and therefore a plausible, morally justifiable, argument will need to be made, which would be acceptable to a reasonable person. Such arguments may be influenced by the relations between the hazard and the populations involved, which could range from awareness, acceptance, responsibility, or blame. For example, the workforce may be aware of, and have tacitly accepted, a degree of risk which the public has not. Societal expectations therefore allow


their risks to be ten times higher than those of the public (2). Reducing the hazards for a high-risk worker by slightly increasing the risks to several members of the public may therefore be difficult to justify, even if the overall population risk is reduced. Equally, protecting a car occupant/driver by putting innocent pedestrians at greater risk could be unacceptable (an issue that has challenged the designers of autonomous vehicles). The degree to which blame, responsibility, acceptance and awareness should be accounted for may not be quantifiable, but the arguments used should nevertheless be included.

Equally, one risk may be traded for another, e.g., a step may be replaced by a slope to reduce the tripping Hazard, but it could introduce a slipping Hazard in wet or icy conditions. It may not be possible to say which option has the greatest probability or consequence, so a case should be made that acknowledges the differences and takes other factors into account, such as an individual’s right to accessibility.

Other risk Trade-offs can be necessary where two regulations create the potential for conflict, such as safety and environmental, e.g., depressurising a gas installation may make it safer but discharge global warming gases into the atmosphere. The legal principle here is to take the highest-level regulation as the priority, but this may not be clear, as both requirements may exist in the same regulation, e.g., COMAH. However, the ‘Environmental permitting guidance: Core guidance’ relating to the ‘Environmental Permitting (England and Wales) Regulations 2010’ states:

‘A.1.14 Regulators should take those requirements into account when setting permit conditions, and both parties should in particular ensure that environmental permitting and Health and Safety requirements do not impose conflicting obligations.’

It would therefore be prudent for the Duty Holder to test the arguments with the appropriate Regulators before finalising any decision.

2.5 Target Safety Levels (TSLs)

In certain cases, Regulators, Legal Duty Holders, or standards may set numerical safety criteria, sometimes referred to as Target Safety Levels (TSLs) or Basic Safety Levels (BSLs). Although these are not strictly legal requirements and do not constitute a demonstration that all Reasonably Practicable risk controls are in place, they could be regarded as Good Practice, provided they can be quantified with enough accuracy. There are three basic types:

1. Standards
Design standards that require systems to comply with uncertain loads such as natural events like storm or earthquake that have recognised occurrence frequencies (e.g., offshore installations designed to survive the 100-year storm), or structural standards based on real life failure data, which is built in as safety factors to cope with those unknown loads. Compliance with the standard is therefore part of the ALARP demonstration.

2. Safety Critical equipment reliabilities
These are control systems whose failure may directly lead to a loss. Typical TSLs range from 10^-7 to 10^-9 failures/operating hour (e.g., rail and aviation), so Robust Statistical evidence would be impractical because of the timeframe and numbers of items that would need to be tested under real operating conditions. The requirements often use the words prediction and/or estimation, which implies a qualitative argument, possibly supported by some relevant statistics. For example, the new version of an aero engine might be able to call on reliability data from the previous version and demonstrate that the new one has better design and materials,
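To put the timeframe point above into figures, here is an added Python example (mine, not the guide's): it assumes random failures at a constant rate (a Poisson model) and a hypothetical fleet of 1,000 items running continuously, and computes how much operating experience a one-sided 95% upper confidence bound on the failure rate needs before it reaches a TSL of 10^-7 or 10^-9 failures per operating hour.

```python
"""Added example (not from the IMechE guide): how much operating experience
would be needed to demonstrate a Target Safety Level (TSL) statistically.

Assumptions (mine, not the guide's): failures are random at a constant rate
(Poisson model), and the 'demonstration' is a one-sided upper confidence
bound on that rate computed from observed item-hours and failure count.
"""
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(N <= k) for a Poisson variable with mean mu (exact finite sum)."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))


def upper_bound_rate(failures: int, item_hours: float, confidence: float = 0.95) -> float:
    """One-sided upper confidence bound on the failure rate (per hour).

    Solves P(N <= failures | rate * item_hours) = 1 - confidence by bisection.
    With zero failures this reduces to -ln(1 - confidence) / item_hours.
    """
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi * item_hours) > target:  # widen the bracket
        hi *= 2.0
    for _ in range(200):  # bisect until the bracket is at floating-point width
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid * item_hours) > target:
            lo = mid
        else:
            hi = mid
    return hi


def hours_to_demonstrate(target_rate: float, confidence: float = 0.95, failures: int = 0) -> float:
    """Cumulative item-hours at which the upper bound falls to target_rate."""
    if failures == 0:
        return -math.log(1.0 - confidence) / target_rate
    lo, hi = 0.0, 1.0
    while upper_bound_rate(failures, hi, confidence) > target_rate:  # widen bracket
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if upper_bound_rate(failures, mid, confidence) > target_rate:
            lo = mid
        else:
            hi = mid
    return hi


def fleet_years(item_hours: float, fleet_size: int, hours_per_year: float = 8760.0) -> float:
    """Calendar years for a fleet of fleet_size items running continuously."""
    return item_hours / (fleet_size * hours_per_year)


if __name__ == "__main__":
    FLEET = 1000  # hypothetical fleet size, constructed for illustration
    for rate in (1e-7, 1e-9):
        for failures in (0, 1):
            hrs = hours_to_demonstrate(rate, 0.95, failures)
            print(f"TSL {rate:.0e}/h, {failures} failure(s) observed: "
                  f"{hrs:.2e} item-hours = {fleet_years(hrs, FLEET):,.0f} fleet-years")
```

For 10^-9/h with no failures the bound needs about 3 x 10^9 item-hours, roughly 340 years for the assumed fleet, and any failure observed pushes it further out; this is the arithmetic behind the guide's statement that Robust Statistical evidence is impractical at these levels.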
