beatrize rituerto & greg newman - snc lavalin rail & transit

24
PRIAFS The “Reverse SFAIRP” Argument RISSB Rail Safety Conference 2017: Enhancing Safety Through Collaboration Candice Augur, Section Lead, Safety & Assurance SNC-Lavalin Rail & Transit Greg Newman, Principal Consultant SNC-Lavalin Rail & Transit

Upload: informa-australia

Post on 21-Apr-2017

139 views

Category:

Automotive


2 download

TRANSCRIPT

Page 1: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

›PRIAFS ›The “Reverse SFAIRP” Argument

RISSB Rail Safety Conference 2017: Enhancing Safety Through CollaborationCandice Augur, Section Lead, Safety & Assurance SNC-Lavalin Rail & TransitGreg Newman, Principal Consultant SNC-Lavalin Rail & Transit

Page 2: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Abstract

›It has been some time now since the ONRSR first issued its “Meaning of Duty to Ensure Safety So Far As Is Reasonably Practicable Guideline” and nearly two years since it updated the document to include a discussion on what it refers to as “Reverse SFAIRP” justifications for the removal of risk controls. Since then, projects around the country have struggled with presenting a credible argument that risks have been eliminated or reduced so far as is reasonably practicable by the incorporation or addition of risk control mechanisms, but very few have attempted successfully to present an argument that removing a risk control still manages that risk so far as is reasonably practicable. Given that, in the current economic climate, many railways are seeking to “take costs out of their business”, being able to justify the removal of such risk controls to their respective Regulators would seem to be an important capability.

›Based loosely on the experience of the authors, this presentation provides a brief summary of the ONRSR’s guidance on “Reverse SFAIRP” and presents two contrasting “safety arguments” in relation to a fictitious proposed removal of a risk control.

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 2

Page 3: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Overview

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 3

› Foundation in Legislation› What is the ONRSR SFAIRP Guideline?› The relevant bits from ONRSR.› Yes, but what does it mean?› When might it be necessary?› A not-so-good example of a reverse SFAIRP argument.› A somewhat better way of presenting a reverse SFAIRP argument› Conclusion

Page 4: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Caveat!

4

› This presentation is not intended to be a legal discussion.› We are not Lawyers!› It is derived on the “Meaning of Duty to Ensure Safety So Far As Is Reasonably

Practicable Guideline” Rev 2.0 dated 24th December 2014 issued by the ONRSR.

› It is based on work reviewed by the presenters, sanitised to protect the “protagonists”, and embellished to emphasise the relevant points of process.

› With thanks and acknowledgement to Gene Roddenberry.

Page 5: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

SFAIRP…the foundations in legislation

“Reasonably practicable is a narrower term than “physically possible” and implies that a computation must be made . . In which the quantum of risk is placed in one scale and the sacrifice involved in the measures necessary for averting the risk (whether in time, trouble or money) is placed on the other and that, if it be shown that there is a great disproportion between them – the risk being insignificant in relation to the sacrifice – the person upon whom the obligation is imposed, discharges the onus which is upon him.”

Lord Asquith - Edwards V’s National Coal Board 1949

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 5

Page 6: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

SFAIRP…the foundations in legislation

›Duty holders may on occasion wish to remove a risk control that they believe to be no longer reasonably practicable. The ONRSR acknowledges there may be very specific, albeit limited, occasions when it may be shown that an existing control is no longer necessary to ensure safety SFAIRP. These include:

› Where the cost of maintaining the control has substantially increased (however in this instance, it may be reasonably practicable to introduce a new control measure rather than accept an increase in residual risk);

› The risk reduction provided by the control has reduced due to the risk reduction achieved by other controls

› Where a risk control interacts with another risk control; or› It can be shown that the introduction of the control was not necessary to ensure

safety SFAIRP in the first place

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 6

Page 7: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 7

Effort Harm

SFAIRP…the foundations in legislation

Page 8: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Rail Safety National Law

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 8

Rail Transport OperatorsA rail transport operator must ensure, so far as is reasonably practicable, the railway’s safe operations.

SuppliersA person who designs, commissions, manufacturers, supplies, installs, or erects any thing…must ensure, so far as is reasonably practicable, that the thing is safe if it is used for a purpose for which it was designed, commissioned, manufactured, supplied, installed, or erected.

Page 9: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

What Is The ONRSR SFAIRP Guideline?

›First issued 20 Jan 2013.›Now at rev 2.0 24 December 2014.›16 pages J›Free from https://www.onrsr.com.au/news/news-stories/so-far-as-is-reasonably-practicable-sfairp

ØDefinition

ØObjective Test

ØThe Process

ØContinuous Improvement

ØALARP V’s SFAIRP

ØReverse SFAIRP

9

Page 10: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 10

›“PRIAFS”

Page 11: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Why Railways Want to Remove Controls?

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 11

›A few specific examples, most of which we are working on NOW.›Obsolescence•Examples:

› Removal of Electric Staff safeworking (move to Train Order Working)

›Changes in Operational Conditions•Examples:

› Move from two driver operation to driver only operation;

›Cost Reductions•Examples:

› Extending the maintenance and overhaul interval of infrastructure (or eliminating preventative maintenance activities altogether)

› Removal of the driver by the introduction of driverless technology.

Page 12: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Why Railways Want to Remove Controls?

RISSB Conference: PRIAFS The “Reverse SFAIRP” Argument 12

Program Specific problem

Current Risk Control (removed)

Alternative Risk control

Autonomous / driverless trains

Lack of skilled drivers

Driver (Procedural)

ATP/ATO(Technology)

Maintenance cost reductions

Reduced budget for maintenance

Periodic preventive maintenance

Luck

Driver Only Operation

Increasing cost of operational staff

Second driver (Procedural)

Vigilance controls, ATP, flashing lights (Technology)

Removal of Electric Staff

Electric Staff is obsolete technology

Electric staff(Technology)

Train order working (Procedures)

Page 13: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

What the Guideline says . . .

› Duty holders may on occasion wish to remove a risk control that they believe to be no longer reasonably practicable. The ONRSR acknowledges there may be very specific, albeit limited, occasions when it may be shown that an existing control is no longer necessary to ensure safety SFAIRP. These include:

13

› Where the cost of maintaining the control has substantially increased (however in this instance, it may be reasonably practicable to introduce a new control measure rather than accept an increase in residual risk);

› The risk reduction provided by the control has reduced due to the risk reduction achieved by other controls;

› Where a risk control interacts with another risk control; or

› It can be shown that the introduction of the control was not necessary to ensure safety SFAIRP in the first place.

$ Harm

Page 14: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

And Further. . .

› An argument to remove risk controls should be subject to comprehensive risk assessment undertaken before the removal has taken place.

14

Page 15: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

And Further. . .

› Examples of circumstances where ONRSR would not consider it appropriate to remove a control include:

15

› Where the residual risk is no longer eliminated SFAIRP;

› Transferring resources from areas, activities or exposed groups with lower risk to those experiencing higher risk. The RSNL requires every risk to be eliminated or minimised SFAIRP, and it is not acceptable to do less than this simply because risk is even higher elsewhere;

› Where the duty holder (e.g. the rollingstock operator) relaxes risk controls at the expense of another (e.g. the rail infrastructure manager) without documented risk transfer through an appropriate instrument (e.g. An Interface Agreement);

› Where changes result in a level of risk to the public, passengers or workforce which the duty holder’s SMS rates as intolerable; or

› Where a control is removed to reduce operational costs or increase operating profit without consideration of whether the control is reasonably practicable.

Page 16: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

And when you have removed a control (even if you have justified it). . .

› Monitor the safety performance (near misses, incidents, accidents, etc.)

› It might have been worse that you thought!

› The removed control might have also have been controlling a different risk

› Monitor the operational conditions

› They may change again

16

› Constant Vigilance!

Page 17: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

How it might be interpreted . . .

› You had a risk.

17

› The control (probably along with others) was there for a purpose.

› You wanted to take the control away or substitute a cheaper one for it.

› Was the money you saved grosslydisproportionate to the increased risk exposure?

Page 18: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

A Little Diversion. . .

› The following is an abstraction and amalgamation of some of the instances over the last 5 years where a reverse SFAIRP argument was attempted – what was presented and what might have been better.

› A little humour to hide the “protagonists”.› Sub-text provided in red for clarity.

18

Page 19: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Not Quite a SFAIRP Argument . . .

› I want to take the second pilot out of my Starships on the Kessel run.› Move to Driver Only Operation

› Why?› Other Empires elsewhere have done it.› DOO used elsewhere in country

› Yes, but they use Auto-Pilot.› ATP/ATO

› Auto-Pilot is expensive.› What about pilot fatigue and vigilance?

› OK, we could maybe perhaps think about planning to do some In-Human/Ferengi Factors analysis, I suppose.

› Human Factors› What about asteroid spotting and hypervelocity?

› Driver route observance and overspeeding› The second pilot in the cockpit can be a distraction.› Second driver can distract primary driver

19

Star ship (Train) OperatorGalactic (Rail) Regulator

Page 20: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Not Quite a SFAIRP Argument . . .

› What about observance of Galactic Bypasses?› Observance of open level crossings

› OK, OK, we might consider upgrading them with flashing Moons (or flashing asteroids – they are cheaper).

› Consider installing flashing lights› What about attending to a failed Starship and applying the inertial brakes

(on a dark, airless, frozen asteroid)?Failed train and applying train brakes by hand on a dark, cold, rainy night

› Oh, hadn’t thought of that. We’ll issue an instruction to the pilot to be really careful!› Procedural instruction› Now can I run my Single Pilot Crewing?

› No. You haven’t demonstrated that the risks are still managed SFAIRP.

20

Star ship (Train) OperatorGalactic (Rail) Regulator

Page 21: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Maybe a Better SFAIRP Argument . . .

21

› I want to take the second pilot out of my Starships on the Kessel run.

› Move to Driver Only Operation

› Why?

› It now costs 8 GigaCredits per year to have the second pilot.

› (1 GigaCredit is about $12 million on the ANZ ForEx market)

› OK, have you considered Auto-Pilot?

› ATP/ATO.

› Auto-Pilot costs 17 GigaCredits per year to run.

› What about pilot fatigue and vigilance?

› Our Ferengi Factors analysis indicated only a marginal increase in FAID scores.

› Human Factors

Star ship (Train) OperatorGalactic (Rail) Regulator

Page 22: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Maybe a Better SFAIRP Argument . . .

22

› What about asteroid spotting, Galactic Bypasses, hypervelocity and Starship failures?

› Observance of route, level crossings, overspeeding and train failures

› There are no asteroid fields on the Kessel Run (closed, fenced railway), we upgraded the Kenobi Galactic Bypass (at a cost of 1.5 GigaCredits per year) (installation of flashing lights at open level crossings), the ships are speed limited to Warp 2 (in a Warp 5 Hyper-spatial corridor) , and a maintenance droid costs 1.2 GigaCredits per year to run.

› Net saving 8-(1.5+1.2)=5.3 GigaCredits/yr.

› What is your risk profile now?

› An increase of 0.4 of an Ouch! per year.

› Fatality and weighted injury

Star ship (Train) OperatorGalactic (Rail) Regulator

Page 23: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Maybe a Better SFAIRP Argument . . .

23

› So have you managed this increased risk So Far As Is Reasonably Practicable?

› Yes. At a VoSO (Value of a Statistical Ouch!) of 6GC/Ouch!,

› the safety dis-benefit is an increase of 0.4x 6= 2.4GC per year

› The operational cost savings are 5.3 GC per year

› The operational savings are disproportionate to the increased operational risk by a factor of 5.3/2.4=2.2

› Now can I run my Single Pilot Crewing?

› Yes. You have demonstrated that the risks are still SFAIRP!

Star ship (Train) OperatorGalactic (Rail) Regulator

Page 24: Beatrize Rituerto & Greg Newman - SNC Lavalin Rail & Transit

Conclusion

› The concept of “Reverse SFAIRP” is part of ONRSR’s guideline.

› It does not feature strongly (in terms of page/word count).

› It is just as likely to be required in today's cost cutting environment as it was in the days of strong infrastructure building.

› It is neither difficult nor time-consuming to prepare an acceptable “Reverse SFAIRP” argument

› It IS possible - You just need to do your homework!

24