The SRM process consists of seven sequential steps displayed in Figure A-1. The process is common to both Deliberate and Immediate RM, with differences primarily relating to the proximity of the assessment to the activity, product or service being undertaken, the depth and context of analysis, and requirements for the documentation of risk decisions.

Figure A-1: Safety Risk Management Process
The WHS Act imposes a legal obligation on Defence to ensure health and safety by:
eliminating risks to health and safety, SFARP (WHS Act Section 17a and WHS Regulations Part 3.1 Regulation 35a)
and if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks SFARP (WHS Act Section 17a and WHS Regulations Part 3.1 Regulation 35a).
Where it is not reasonably practicable to eliminate risks to health and safety, the Hierarchy of Controls (HoC) is applied to minimise risks SFARP (WHS Regulations (2011) Part 3.1 Regulation 36).
Reasonably practicable (WHS Act Section 18), in relation to the duty to ensure health and safety, means that which is, or was at a particular time, reasonably able to be done in relation to ensuring health and safety, taking into account and weighing up all relevant matters including:
the likelihood of the risk or hazard concerned occurring
the degree of harm that might result from the hazard or risk
what the person concerned knows, or ought reasonably to know, about:
the hazard or the risk
ways of eliminating or minimising the risk.
the availability and suitability of ways to eliminate or minimise the risk
after assessing the extent of the risk and available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.
The first step in the RM process is to clearly describe and understand the hazard and risk context. The context is a detailed description of the operating environment in which the activity, product or service will be conducted and includes:
activity objectives. These are clear, concise statements regarding the desired outcome(s) of the activities, products or services being considered, including:
its purpose
identifying whether it is a new or existing activity, product or service
determining whether the activity, product or service is discretionary or non-discretionary based on organisational priorities
determining the urgency and scope of the activity, product or service, and its importance and benefit to the delivery of organisational capability.
activity significance. What is the strategic, operational and tactical significance of the activities, products or services? The significance of an activity, product or service will have a direct bearing on the reasonably practicable judgement. Determining the activity significance may include:
the primary purpose of the organisation; this could vary from a commercial design or production organisation to a Military Air Operator (MAO) conducting work-up activities to support force assignment to operations controlled by CJOPS.
the applicable phase within the Defence Capability Life Cycle (Needs, Requirements, Acquisition, Sustainment and Disposal) and the associated business units involved in these activities.
identifying stakeholders. Stakeholders include individuals, organisations or entities that may have an interest in, effect on, or be affected by, the activities, products or services being considered. Stakeholders that may be appropriate to engage with in the SRM process may include:
personnel with specific safety appointments
operators of the same or similar plant, substances or structures
designers of plant, substances or structures such as CASG, E&IG or Defence Industry
manufacturers of plant, substances or structures (eg E&IG)
importers and/or suppliers of plant, substances or structures, such as E&IG, CIOG and CASG
contractors
the general public.
reference material. All related reference information is identified, including:
OEM documentation, type-design data, OIP, Technical Manuals, Flight Manuals, Standing Instructions (SI), and Bench Level Instructions (BLI)
airworthiness documentation from other National Airworthiness Authorities (NAAs) or Military Airworthiness Authorities (MAAs)
local Chain of Command (CoC) or technical directives and orders
other safety risk assessments which relate to the activity, product or service.
assumptions and limitations. Other conditions, assumptions and limitations may include:
Task requirements. Detail the scope of the activity, product or service being conducted, or consider any differences in conditions and objectives compared with previous activities, products or services.
Equipment. What equipment is being used, such as consumables, support equipment, materials and Personal Protective Equipment (PPE), including configuration and serviceability state.
Personnel. Attributes of the personnel involved in the activity, product or service, including qualifications, competency and currency, training and experience, group composition.
Environment. The physical environment in which the activity, product or service is being conducted, including location, lighting, temperature, noise, work areas, distractions.
Those involved in conducting risk management are to be reasonably informed of all aspects of the activity, product or service being considered. They are to have knowledge about the hazard or risk and any ways of eliminating or minimising the risk. This will be what is known, and what a reasonable person in the circumstances (eg a person in the same industry) ought reasonably to know. This is also referred to as reasonable knowledge.
Knowledge About the Hazard or Risk. The SRM process requires personnel to:
proactively take steps to identify reasonably foreseeable hazards within their organisation before the activity, product or service is undertaken or the circumstances occur that result in the risk
understand the nature and degree of any harm that the identified hazards may cause, how the harm could occur, and the likelihood of the harm occurring.
Knowledge About Other Factors. The SRM process requires personnel to consider and understand how other factors may cause or increase hazards and risk levels, including:
human error or misuse, spontaneity, panic, fatigue or stress
failure of plant, equipment, systems of work or safety measures
provision of goods and services by third party organisations (eg designs, leased equipment, contracted labour, substances and parts)
interaction between multiple hazards that together may cause different risks.
Gaining Reasonable Knowledge. There are various ways of gaining reasonable knowledge (for design organisations, the Defence Aviation Safety Design Requirements Manual contains detail on exercising reasonable knowledge in aircraft design), including:
consulting those workers who are responsible for undertaking the activity, product or service
consulting others in the industry
analysing previous safety events
considering relevant Regulations and Codes of Practice and other sources of information such as:
guidance material issued by the regulator
credible technical standards (eg Standards Australia and International Standards)
industry publications
published scientific and technical literature
the Defence Aviation Safety Design Requirements Manual (DASDRM).
undertaking safety risk assessments. Annex E contains guidance on what may be appropriate for gaining reasonable knowledge and undertaking assessments for aircraft design risk.
Knowledge About Ways of Eliminating or Minimising the Risk. There may be many different ways of eliminating or minimising risks. The SRM process requires personnel to gain reasonable knowledge of all relevant controls to effectively identify those that are available and suitable. Consideration may also include:
Specialist Advice. Within Defence the Military Type Certificate (MTC) Holder, design organisations with access to type-design data, and aviation domain Subject Matter Expertise (SME) organisations provide an integral resource in gaining knowledge on treatments, limitations and other controls for management of safety risks.
Aviation regulation and certification standards. The management of aviation safety and airworthiness risk is largely controlled through the application of the DASR and DASA-approved certification standards applied to the design of aircraft and development of limitations and instructions that control the production, maintenance and operation of aircraft. As such, reference to certification standards, design data and OEM or aviation domain SME publications provides industry best-practice ways of eliminating risk SFARP or minimising risk SFARP. Other credible standards include approved design standards such as published Australian Standards and International Standards.
Codes of Practice (CoP). An approved CoP provides practical guidance on how to achieve the standards of work health and safety required under the WHS Legislation and effective ways to identify hazards and manage risks. Following an approved CoP will assist in achieving compliance with duties in relation to the subject matter of the CoP.
When identifying all controls, it is important not to prematurely presume the outcome of the Step 3—Eliminate Risk SFARP and Step 4—Minimise Risk SFARP assessments by inadvertently dismissing or filtering out control measures when gaining reasonable knowledge about the hazards, risks and controls.
To prevent prematurely discarding controls, there is a requirement to document the full list of the possible risk controls identified while completing Step 2—Be Reasonably Informed of the Risk and All Possible Controls. This list of possible controls can then be used as an input to Steps 3 and 4, with every control on the list being worked through the SFARP standard to determine whether or not it is reasonably practicable to implement.
There is a legislated requirement to eliminate risks to health and safety SFARP, in the first instance. Elimination of risks does not necessarily mean ceasing an activity, product or service as this is not automatically the reasonably practicable outcome. For example, consider a situation involving an unserviceable seat restraint in a passenger aircraft. Elimination of the risks associated with the unserviceable passenger seat restraint does not necessarily mean cancelling all tasking for that aircraft until the restraint is fixed. Elimination of the risks may be achieved by removing the seat (if it is reasonably practicable to do this without introducing additional risks), thereby removing any risks associated with a passenger occupying a seat with a faulty restraint.
In assessing whether a hazard or risk can be eliminated SFARP, the SRM process requires personnel to demonstrate for each hazard or risk that they have:
determined the likelihood of the hazard or risk occurring
determined the degree of harm that might result from the hazard or risk
identified ways to eliminate the hazard or risk
determined the availability and suitability of the ways to eliminate the hazard or risk that were identified in Step 2 (refer below for additional guidance on Availability and Suitability)
determined the cost of implementing available and suitable elimination options from Step 2
assessed that the cost of elimination in Step 2 was or was not grossly disproportionate to the extent of the risk (refer below for additional guidance on Grossly Disproportionate Assessments).
Elimination of Hazards and Risks IS NOT Reasonably Practicable. If it IS NOT reasonably practicable to eliminate the hazards and risks associated with the activity, product or service, the reasons for that assessment are documented for deliberate risk management, specifically addressing each of the factors in the previous paragraph before proceeding to Step 4—Minimise Risk SFARP.
Elimination of Hazards and Risks IS Reasonably Practicable. If it IS reasonably practicable to eliminate the hazards and risks associated with the activity, product or service, the next step is to ensure all of the controls that were assessed as being reasonably practicable to eliminate the hazards and risks are immediately implementable before proceeding directly to Step 6—Decision-to-Proceed.
Additionally, it is important to document the supporting rationale for determining the reasonably practicable controls used to eliminate the risks so they can be considered in future monitoring and review (Step 7) of the hazards and risks.
In circumstances where it is not reasonably practicable to eliminate the risk, there is a legislated requirement to minimise the risk SFARP. Minimising risk SFARP is conducted through application of the HoC.
The HoC is only utilised where it is not reasonably practicable to eliminate risks to health and safety. The HoC, depicted in Figure A-2, provides a consistent process for identifying controls with the highest benefit to risk minimisation first.

Figure A-2: Hierarchy of Controls
In minimising risks SFARP, personnel consider the risk control measures in accordance with the HoC and ensure those available and suitable controls (that are assessed as being reasonably practicable) are applied in the sequence set out in Figure A–2. This ensures application of the most effective controls (substitution, isolation, engineering) is considered first, before working through the less effective alternatives (administrative and PPE). In practice, a combination of controls may be required to minimise the risk SFARP.
Substitution, Isolation and Engineering Controls. Risk minimisation SFARP may be achieved by implementing one or more of the following:
Substitution. Substitute (wholly or partially) the hazard giving rise to the risk with something that gives rise to a lesser risk (eg replacing solvent-based paints with water-based paints).
Isolation. Isolate the hazard from any person exposed to it. This involves physically separating the source of harm from people via distance or utilising barriers, such as installing guard rails around exposed edges and holes in floors, using remote control systems to operate machinery, and storing chemicals in a fume cabinet.
Engineering Controls. An engineering control is a control measure that is physical in nature or software.
Administrative Controls. If a risk then remains, it may be minimised SFARP by implementing administrative controls. Administrative controls include work methods or procedures designed to minimise exposure to a hazard.
PPE. If a risk still remains, it may be minimised SFARP by ensuring the provision and use of suitable PPE.
Immediately Implementable. If it is reasonably practicable to minimise the risks associated with the activities, products and services using one or more immediately implementable HoC measures, the SRM process requires personnel to:
verify that the selected control measure(s) will be effective in reducing the likelihood and degree of harm of the risk occurring
consider the cost associated with implementing each available and suitable control measure and determine if the cost of minimisation is or is not grossly disproportionate to the extent of the risk (refer to guidance section for meaning of Grossly Disproportionate Assessments).
Not Immediately Implementable. Where one or more HoC measures cannot be immediately implemented (for example due to procurement or developmental timeframes) or where the control strategy is complex in nature with multiple interdependencies on other stakeholders, the SRM process requires personnel to:
confirm that the SFARP judgment is still valid and the activities, products and services can proceed without the more effective control(s). Consider the risks associated with undertaking the activities, products and services with the less effective control(s) and determine if it is or is not grossly disproportionate to wait until the more effective control(s) can be implemented
determine (if the decision is to proceed with the activities, products and services) if it is appropriate to impose limitations (for example, operating restrictions or additional controls such as inspections) to be enforced in the intervening period
develop a Risk Control Plan (RCP) to document the strategy for monitoring implementation of future controls within the defined timeframe (additional information on RCP is included in Annex G).
It is important to document the supporting rationale for those HoC measures that have been dismissed and for those assessed as being reasonably practicable to minimise the risks so they can be considered in future monitoring and review (Step 7) of the hazards and risks.
Once all available and suitable control measures have been identified, considerations include:
hazards and risks arising from control measures. Occasionally controls implemented to minimise one risk may introduce new hazards and risks. Such hazards and risks are to be addressed by using the RM process.
implementing controls. The control measures selected will usually require changes to the way work is carried out. In these situations, it is necessary to support the control measure with mechanisms such as:
work procedures. A safe work procedure is developed that describes the activities, products and services, identifies the hazards and documents how the activities, products and services are to be performed to minimise the risks.
training. Provide personnel with training in the work procedure to ensure that they are able to perform the activities, products and services safely. Training covers the nature of the work, the associated risks and the control measures to be implemented. Training requires personnel to demonstrate that they are competent in performing the activities, products and services according to the procedure and is provided in a form that all personnel can understand. It is insufficient to simply give personnel the procedure and ask them to acknowledge that they understand and are able to perform it.
information and instruction. Information and instruction may also need to be provided to others who enter the workplace, such as visitors, and is to be provided in a form that all parties can understand.
supervision. The level of supervision required will depend on the level of risk and the experience of the workers involved. High levels of supervision are necessary where inexperienced workers are expected to follow new procedures or carry out difficult and critical activities, products or services.
maintenance. Control measures require regular monitoring and maintenance to ensure their effectiveness. This involves determining the requirements at the time of implementation and establishing a schedule for routine checks and maintenance tailored to the specific controls.
The requirement for monitoring risk control effectiveness involves the maintenance, review and revision of the risk control measures. Monitoring is to be continuous and it is prudent at this stage of the process to identify how continuous monitoring and detection of risk control failures may be achieved in preparation for Step 7.
Unless all hazards and risks associated with the activity, product or service have been eliminated, there will, by definition, be some level of risk remaining after all reasonably practicable control measures have been applied; this is the residual risk.
The WHS Act mandates that more than one person can have a duty for the same matter, and each discharges that duty to the extent that they have the capacity to influence and control the matter. (Section 16 of the Act states that each person "... must discharge the person's duty to the extent to which the person has the capacity to influence and control the matter ...". Section 46 of the Act adds that, "... each person with the duty must, so far as is reasonably practicable, consult, co-operate and co-ordinate activities with all other persons who have a duty in relation to the same matter".) For example, a design organisation may identify a hazard related to the installation of a modification onto an aircraft; however, the extent of their available SFARP treatments is unable to fully eliminate the risk without affecting the capability. To address the downstream residual risk SFARP, a MAO may apply treatment options that are not available to the design organisation, such as restricting where the modification is operated or limiting the concurrent use of other susceptible equipment.
To support personnel in making risk decisions, and to support downstream managers in meeting their obligations, residual risk needs to be characterised and communicated. The level of residual risk is to be characterised utilising the most appropriate characterisation means for the context.
The DASR does not constrain how initial airworthiness, continuing airworthiness and operational risks are characterised; however, organisations are likely to use a characterisation tool mandated by their relevant service or organisation that suits their circumstances or broader organisation requirements. The Risk Matrix (Annex H) is an example of such a tool for operational risks. Where characterisation of a design risk is conducted through a design specific approach, the design organisation should assist downstream duty holders, who share a duty for the residual risk, in understanding that risk within their operational environment.
The matrix will require an assessment of the likelihood of occurrence and consequence (degree of harm) considering all implemented risk controls. Likelihood is usually determined qualitatively using a series of risk descriptors equating to each level of probability or chance of occurrence. Similarly, consequence is determined qualitatively using a series of risk descriptors equating to each degree of harm. These two elements are normally independent of each other (ie one assessment is made for the likelihood of exposure to the hazard and one is made for the degree of harm associated with the risk being realised).
Reverse engineering. Reverse engineering of risk assessments may mislead decision-makers into making risk decisions that are not commensurate with their accountabilities.
Annex H provides further detail on risk characterisation tools, and includes guidance for design organisations and Military Type Certificate (MTC) holders to improve communication of residual risks to downstream personnel.
The decision to proceed (or not to proceed) with an activity, product or service after risk characterisation is made at a level of authority commensurate with the level of the residual risk. This is not to be construed as a varying level of risk ‘tolerance’ based upon rank; rather, it reflects that whilst all reasonably practicable control measures have been implemented, a level of oversight is required to validate the correctness of the safety risk assessment, including the gross disproportionality assessment. It also acknowledges that in certain circumstances, it may be justifiable to retain a higher level of risk if the benefits outweigh the potential adverse outcomes; and these decisions need to be made by the appropriate authority.
The risk-based escalation framework does not dilute a worker’s duty to take reasonable care with respect to health and safety. Notwithstanding the guidance below, nothing in Table A–1 requires or permits a worker to take any action, or to refrain from taking action, that would be or could be reasonably expected to be prejudicial to the health and safety of workers and/or other persons. For example, it would be contrary to the intent of the WHS Act where immediate action was required to save life, but those involved considered inaction was needed to comply with Table A–1.
The decision to proceed with the task or activity taking into account and weighing up all relevant matters includes:
confirmation that the decision maker has the authority to make both a decision-to-proceed and a decision to implement the risk control measures required (including resources)
verification of the hazard and risk context including the correctness of the assessment relating to activity, product or service objectives, significance and nominal considerations, assumptions and limitations
verification of the reasonable knowledge that underpins the safety risk assessment including confirmation of worker and stakeholder engagement and utilisation of appropriate information sources such as CoPs, Bow Ties or credible standards
verification of the correctness of the safety risk assessment, including whether reasonably practicable judgements and grossly disproportionate assessments are sound and appropriately articulated
confirmation that risk cannot be eliminated SFARP (noting the gross disproportionate assessment and rejecting where necessary)
confirmation that the risk is minimised SFARP (noting the gross disproportionate assessment and rejecting where necessary)
where appropriate, imposition of special limitations or conditions on proceeding with the activity, product or service, which might include limitations on time, location or specific circumstances.
If, after taking into account and weighing up all relevant matters that were able to be done in relation to ensuring health and safety from Steps 1 through 5, the RMA still considers that the level of residual risk outweighs the significance of the activity, product or service, then the activity, product or service should not proceed.
Immediate Risk Management. Where personnel are faced with conditions or circumstances that may compromise safety immediately prior to or during the conduct of an activity, product or service, then personnel are to stop and reassess the situation to prevent negative outcomes. In the event that unsatisfactory conditions or circumstances cannot be resolved, the issues are raised to the CoC which can then be addressed through the risk-based escalation framework in Table A–1.
Deliberate Risk Management. Where the residual risk is within the risk retention threshold, the decision to proceed with the activity, product or service (subject to resource approval) is to be made at that level or escalated. Where the residual risk is greater than the risk retention threshold, the risk decision is escalated to an RMA with suitable authority.
Risk Retention Thresholds. An example of a risk-based escalation framework is displayed in Table A–1. The framework is used to determine the appropriate Risk Management Authority (RMA) responsible for approving the level of risk that will be retained following deliberate risk management. The levels depicted in Table A–1 are for reference only. The specific levels required to retain a particular level of residual risk are promulgated by the appropriate Environmental Commander.
When defining the management level within an organisation that retains risk on behalf of the organisation, the following points should be taken into consideration:
do they have the authority and experience to make decisions on behalf of the organisation?
do they have control of resources, both financial and human?
do they have responsibility for ensuring appropriate actions are taken to address safety issues and safety risks and responding to accidents and incidents?
whether the decision may be assigned to individuals, management positions, or committees.

Table A-1: Risk-Based Escalation Framework
Risk management is an ongoing process that requires the continuous monitoring and review of the workplace, its hazards, risks and their associated control measures.
Review of Control Measures. Any control measure that is implemented to eliminate or minimise risks to health and safety is to be regularly reviewed to ensure that the control measure is and remains:
fit for purpose
suitable for the nature and duration of the activity, product or service
installed, set-up and used correctly.
Change in Context. If the established context of a safety risk assessment has been changed, there are potential impacts for the entire assessment. A significant change in the context would likely require a full review of the safety risk.
Continuous Monitoring of the Workplace for Hazards and Risks. The control measures put in place are to be continuously monitored to make sure they work as planned. It is preferable to review a control measure before something has gone wrong. As a minimum, control measures are reviewed:
when the control measure is not effective in controlling the risk
before a change at the workplace that is likely to give rise to a new or different health and safety risk that the control measure may not effectively control
if a new hazard or risk is identified
if the results of consultation indicate that a review is necessary
following a safety event
if personnel filling safety positions or the Safety Committee identify the need for a review.
Maintaining Risk Awareness (MRA) Technique. The MRA technique is the method that is used during the conduct of all activities, products or services to continuously monitor and review risk control measures. This process enables Defence personnel to maintain risk awareness and assists supervisors to ensure full compliance with all of the identified and present risk control measures (including those in OIP) during activities, products or services. Additional information on the MRA technique is included in Annex F. NOTE: The MRA technique is used to supplement the greater Step 7 processes and not used as the only means of continuous risk monitoring and review.
Periodic Review. All Deliberate Risk Management is reviewed periodically according to the nature and level of the risk.
Post-Accident or Significant Safety Event. If an accident or other significant safety event has occurred, then either one (or more) of the established control measures were ineffective or there was an absence of appropriate control measures. Part of an investigation into the significant safety event is to establish what control measures had been identified and were in place, and to determine what, how and why measures failed or were absent. It is essential to link safety event investigation outcomes to risk monitoring and review to maintain Aviation Safety and learn to prevent recurrence.