This document is S&EP Leaflet 03/2011
This document provides guidance to DE&S about the management of Safety and Environmental Protection risks from equipment, which DE&S assesses as very high. It describes a means of communicating such risks within DE&S and, when beyond the level at which DE&S has authority to decide action, transferring the decision to the relevant Duty Holder in the Front Line Commands (FLCs) including Permanent Joint Headquarters (PJHQ). The management of risk within the user’s area of responsibility will ultimately be governed by the user’s management system; this guidance presents DE&S understanding of how communication would flow therefore it indicates the potential interaction between DE&S and the user Duty Holder chain.
Military operations may exceptionally demand that personnel or environmental receptors are exposed to levels of risk that, in civilian operations, would be considered abnormal. Decisions to tolerate such risks in order to preserve or enable an essential military capability must always be made at appropriate levels of seniority. This guidance describes a formal process for referring high levels of equipment Safety & Environmental Protection (SEP) risk to senior management and commands (Including Chief Joint Operations (CJO) when in the Duty Holder Chain for the deployment i.e. on operations). In the case of the highest level risks, Ministers may need to be informed.
Whilst the guidance is written for application by DE&S, which is required to manage risks inherent in the equipment it supplies, the risk referral methodology has been designed to be compatible with processes used in other Duty Holder areas, primarily Front Line Commands (FLCs) and Operating Authorities (having been extensively reviewed by FLCs and Domain Safety Management Offices). The process provides a means of recording decisions at each stage of the referral process to create the essential audit trail.
Occasionally, managers and commanders will be asked to endorse judgements by Front Line Commands to tolerate very high levels of SEP risks to particular groups of people such as the crew of a vehicle or an aircraft, or specific environmental receptors. Outwith Defence, these levels of risk may be considered intolerable. However, military operations may justify a decision to tolerate these risks in order to preserve or enable an essential capability, balancing the identified SEP risk with the counter-risk to people which the capability aims to mitigate. The risk referral process provides an auditable mechanism for formally raising the risk to appropriate levels of seniority.
The process records decisions at each stage of the referral process. These decisions may involve the release of funds or changes to operating procedures which mitigate the risk, referral of the risk to a higher-level authority or a decision to tolerate the risk due to exceptional operational circumstances. Authority to implement these measures will depend on several factors, one of which is the level of delegated SEP authority held. In the case of the most serious, Ministers may be asked to note those decisions taken at the highest level, because they are ultimately accountable for them.
Referral of such issues to successive levels in the Duty Holder chain will follow a judgement that further action to mitigate risk to a tolerable level is not reasonably practicable because the resulting loss of defence capability, e.g. by withdrawal of equipment from service, delaying entry to service and reduction of operational performance, is grossly disproportionate to the benefit of removing or reducing the safety risk. The consequence of loss of defence capability in this context includes harm to people directly or indirectly protected by the capability.
This guidance is written for application by DE&S, which is required to manage risks inherent in the equipment it supplies. Where very high levels of SEP risks are identified which the DE&S project cannot mitigate, the process informs users and Capability teams of the risk. The FLC, as the Duty Holder responsible for controlling activities which potentially expose people and/or environmental receptors to the risk, and as the organisation with the duty to manage risks within their area of responsibility, then has the authority to change operations, training regimes etc to manage the risk.
The risk referral methodology has been designed to be compatible with similar processes used by both FLCs and operating organisations, and provides a means to respond when those processes have been initiated. These operationally-focused processes have primacy over this supporting DE&S process; however it promotes the referral of risk up the DE&S and FLC Duty Holder chains using consistent submissions by providing a standard format.
When risks arise in current operations, urgent decisions must be taken to determine whether the activity can continue. Other risks, such as those that would only arise in defined potential operations or those emerging early in the project acquisition phase, can be managed through decisions in planning rounds.
Whilst the process concentrates on the interface between DE&S and the Front Line Command to achieve effective management of high-level equipment safety risks, the Capability group retains ownership of the requirement at all times. As SEP issues invariably have an impact upon capability, the Capability group continues to provide an over watch, but the management of that requirement is delegated to different organisations during successive stages of the CADMID/T cycle. The emphasis must be on ensuring the close involvement of all stakeholders at each stage of the risk referral process.
4.2.1. Process Overview
This process requires that referred risks are assessed at progressively higher levels of authority and that relevant stakeholders are involved. As a minimum, the stakeholders in equipment issues will be the Capability Sponsor (Senior Responsible Owner of the capability), DE&S (the manager of technical mitigation) and, most importantly, the user Top Level Budget holder (TLB, the owner of risk to the people) or their appropriate representative. The risk evaluation will provide options for reducing risk and the level and tolerability of residual risk following mitigation.
For equipment-related risks, the referral process usually starts at the Project SEP Committee (PSC). The risk may be identified by any stakeholder (For Land Systems see Note below). The first level of screening within DE&S occurs when the PSC refers a risk through the Project Team Leader to the DE&S Operating Centre Director (OCD) who, if not able to provide sufficient risk reduction through technical or financial resources, will refer the issue to the Centre (Capability Sponsor) to seek new funding to mitigate the risk.
Note: For Land Systems the project team would normally be notified of a risk identified in current operations through the Operational Dispensation Process. For Air Systems the Operational Emergency Clearances systems are initiated where equipment will be operated outside of its declared safety target and Sea use the Operational Deficiency system which considers risks when operating outside the design envelope.
The process to seek new funding will require key stakeholder involvement, in particular the Customer. The Planning Round process requires endorsement at every level up to Defence Board and decisions at each stage of the approval process are referred back to the risk owner (FLC/User). If a solution is not funded the issue will be referred to the user 2* representative.
The pace of decision making will be driven by operational urgency and the risks associated with continued operations must be balanced against the consequences of withdrawing the capability. This means for equipment employed in active operations, CJO or the FLC will have primacy throughout with DE&S and Capability in support.
If the user 2* is not able to reduce the risk to a tolerable level then the risk will be referred up the relevant Duty Holder chains, if necessary to the relevant Service Chiefs and/or Chief of Joint Operations (CJO) for decision. Risks may be reduced through the funding of technical solutions or by revising operations e.g. by withdrawing equipment from service, reducing operational limits such as speed or loading, providing improved information, training and supervision.
The following questions should be addressed in formal referral of risks to higher levels of authority:
a. What are the hazards causing concern?
a. To implement the identified controls, what activities would need to stop or what capability removed or reduced?
b. What are the associated risks?
b. What is the impact of not authorising the use of the equipment?
c. What has been done to minimise risk?
c. What level of risk does that present?
d. What more could reduce the risk further?
d. What could be done to reduce that risk?
e. Why have we not done that?
e. Why have we not done that?
f. What can I do to help?
f. What can I do to help?
Organisations that can assist in the validation of decisions include Operating Centre safety and environmental teams and the S&EP Team within QSEP which sponsors this publication.
Stage 1 Project Team/1* Level
i. Within PTs, SEP is managed in accordance with a defined SEP management system. This will normally state the level at which different categories of SEP risk may be signed off. Typically safety risks below Class A may be signed off in-house by individuals or groups with the appropriate level of delegated authority. Authority to tolerate the highest level risks is outside DE&S juristication and they may only be accepted when there are exceptional operational reasons for doing so. Consequently, such risks must be referred upwards through the Duty Holder chain, where the decision will be taken whether the operational circumstances justify tolerating the risk or whether the equipment use should be changed or it should be removed from service.
ii. If risk assessment identifies a risk in the Class A region, the PT should initially ensure that the classification is accurate, then strive to reduce it. Mitigation measures should be considered in a hierarchical manner; eradication of the hazard is most effective and alternative DLoD mechanisms such as training, personal protective equipment (PPE) or warning signs are less desirable. Where technical mitigations fail to achieve adequate levels of risk reduction, input from the HoC and FLC representatives will be essential to determine the validity of the requirement and whether operational changes are a valid option. The PSC will play an important role by bringing together all the key stakeholders, including representatives of the HoC and FLC. This allows the full range of risk reduction options to be investigated.
iii. If it is not reasonably practicable to reduce the level of residual risk or practicable mitigations are insufficiently resourced to proceed, then the PT shall refer the risk through the Duty Holder chain using the DE&S Risk Referral Template (Annex A). As a parallel activity, the PT, through the PSC, should seek advice and guidance from the appropriate OC Safety Office to confirm the validity of the risk assessment process and ensure that parameters such as tolerability criteria have been correctly applied. Review by an Independent Safety Assessor (ISA), or Independent Environmental Assessor (IEA) can also be undertaken. The Risk Referral Template requires a description of the hazard, details of each mitigation measure considered and an explanation of why the introduction of each measure has been assessed to be impracticable (financially or operationally). It should include a request for funds via Capability or RP to enable the risk to be reduced, or, if this is not reasonably practicable, the risk to be referred upwards. Alternatively, the submission may recommend immediate withdrawal of the platform or equipment from service with the associated impact on capability.
Stage 2. 2* Operating Centre Director level
Prior to referral to 2* level, the PT will have demonstrated the validity of the risk category and assessment process, confirmed that resources are not available to fund remedial measures and established that changes to the requirement or operational envelope are impracticable. The 2* review is generally the final opportunity for DE&S to identify internal mechanisms and funding for achieving a reduction in risk. If it is not practicable to resource mitigation internally, the issue should be referred to the Capability Sponsor to look for new money in the Equipment Programme. The submission of risks to 2* OCD is again template-based and the review of risks will mirror the activities undertaken at Stage 1, primarily considering whether additional assets can be made available to the PT to mitigate the risk. Where mitigation measures are identified the PT, in conjunction with the PSC, should review the hazards and reassess the level of residual risk. If mitigation is not achievable or not approved in the planning round, the 2* OCD must make a formal Risk Declaration. This is a statement which declares that the DE&S PT has been unable to achieve a level of risk which DE&S can tolerate in normal circumstances. The declaration is presented to the FLC Duty Holder (DH) who must acknowledge it in writing.
Stage 3. 2* Front Line Command Duty Holder/User Level
The Risk Declaration from the 2* OCD provides the 2* FLC DH/User with the opportunity to compare the recommendation derived from the DE&S risk matrix with that derived from the user’s equivalent process; this may result in the risk falling within the delegated authority of the 2* to tolerate it without formal referral up the Duty Holder chain. But if the resulting recommendation is the same, then the user has the options of withdrawing the equipment from service, modifying the way that the equipment is used to achieve a reduced level of risk, resourcing technical mitigation or referring the decision to a higher level. The DE&S PT retains responsibility for supporting the equipment but responsibility for achieving further risk reduction or seeking endorsement of the existing level of risk transfers to the FLC. The involvement of the PT and all other major stakeholders is important. Where the decision is taken to withdraw the equipment from service or modify use, the PT will re-assess the effect this has on risk levels and determine whether they are reduced to ALARP and tolerable levels, seeking sign-off by the relevant authority. If risk reduction is achieved by modifying the way the equipment is used, measures are to be implemented to ensure the revised procedures are applied. Should the operational imperative justify tolerating the level of risk, endorsement at a more senior level must be sought and the risk referred; the user’s management system should provide a process to authorise continued use in the meantime.
Stage 4. 3* Front Line Command Duty Holder/User Level (equivalent to DE&S Chief Executive Officer
By the time referral reaches 3* level, opportunities to reduce risk through the introduction of an engineered solution will usually have been exhausted and the emphasis will be on operational changes. The lead authority is therefore the FLC but it will act in conjunction with the relevant CoM and the MCB. Their submission will outline the options available for achieving a lower risk solution and the operational consequences of adopting them. It will also quantify the risk which would need to be tolerated if the measures were not introduced and provide a justification for tolerating them. If the 3* review concludes that the level of risk cannot be tolerated under any circumstances and agrees to revised operational procedures, the risk is reverted to the project. Further risk assessment is conducted to establish how these affect the level of risk and a revised risk category is generated. Where mitigation is not achievable and the risk remains at a level normally considered intolerable, endorsement of the risk is sought at 4* level, seeking authority to tolerate the risk, or prohibit use of the equipment for the activity that gives rise to the very high risk
Stage 5. 4* Service Chiefs (equivalent to DE&S Chief Executiive Officer)
The process followed at 4* level mirrors that which has previously been undertaken and which is described above. The data pack that is presented will demonstrate due process and show the involvement of appropriate and competent authorities and personnel. It will outline the hazards and associated risks, risk reduction measures which have been implemented and those which have been discounted as unreasonable due to financial or operational reasons. In addition, the submission will outline the options available to the 4* reviewer(s): these will essentially be to release resources to mitigate the risk, prohibit use, or tolerate the risk and inform Ministers.
Stage 6. Ministerial Level
- By noting the decision, the Minister will be acknowledging that equipment is operated at a level of risk which in normal circumstances might be intolerable.
- In order to provide a holistic view of SEP measures introduced, the Secretary of State will be provided with an annual summary of risks about which he has been informed.
Adherence to this procedure is required under circumstances where there is a need to refer significant risks: the Risk referal methodology has been designed to be compatible with processe used in other Duty Holder areas, primarily Front Line Commands and Operating Authorities.
4.5. Required Inputs
Guidance contained within this procedure should be supported by the processes described in:
- POSMS SMP07 (Risk & ALARP Evaluation) and SMP08 (Risk Reduction);
- POEMS EMP05 (Impact Priority Evaluation), EMP07 (Environmental Reporting), and EMP06 (Objectives and Targets);
- Def Stan 00-056 (Safety Management Requirements for Defence Systems), noting that some of the requirement of this Def Stan relate to environmental management requirements such as hazardous and restricted materials.
- Regulatory standards issued by the MOD’s internal Regulators.
It also sits alongside the Operational Dispensation Processes (see Note 1 below) used in each domain to authorise deviation from norms (see Note 2 below) e.g. standards and safety case requirements, which embody similar risk referral principles. The principles in this guidance are fully compatible with the DE&S corporate approach to general risk escalation.
1) For example, in Land, JSP 454 Part 2 – Operational Dispensation Process
2) These processes authorise change, for which safety risk must be assessed; whereas the DE&S Risk Referral Guidelines are for risks which are found to be very high.
4.6. Required Outputs
The DE&S Risk Referral Template is to be used whenever DE&S safety and environmental protection risk assessment activities identify very high level risks which will not, or are unlikely to be sufficiently mitigated at the stage they are presented to users, third parties or the environment. Should this situation arise, referral to a higher authority must be sought. This applies irrespective of the lifecycle stage and is not limited to operational use. For such high-level risks, the referral process seeks to achieve:
- the release of appropriate funds to implement an engineered solution,
- the introduction of changes to the way the equipment is deployed or operated, or
- decision to tolerate the risk at a level with the appropriate authority.
At each stage of the risk referral process, authorities may recommend immediate withdrawal of the equipment or platform from the activities which give rise to the high risk, authorise interim continued use through the user’s authorisation processes or decide to tolerate the risk within their delegated authority
Risk Referral Stage Templates
- Risk Referal Stage 1 Project Team/ Team Leader Referral
- Risk Referral Stage 2 2Star OC Director
- Risk Referral Stage 3 2Star FLC
- Risk Referral Stage 4 3Star FLC
- Risk Referral Stage 5 Service Chiefs
- Risk Referral Stage 6 Ministerial Response
4.7. Further Guidance
The following sections describe the risk referral process in more detail. Templates have been produced for each stage to provide consistency and an auditable trail of decisions. The templates can be supplemented by other documents where greater detail and analysis is appropriate.
DE&S Project Teams (PTs) determine the levels of risk presented by the equipment, platforms and services which they manage through the application of formal risk identification and assessment. The essential requirement (for safety risk) is to manage the reduction of these risks to levels which are As Low As Reasonably Practicable (ALARP) (See GMP02 ALARP in a Military Equipment Capability Context) and tolerable, and establish the levels of residual risk. An equivalent level of residual risk for environmental protection shall be met, this being often Best Available Technique (BAT) or Best Practicable Environmental Option (BPEO). Appropriate mitigation measures must be considered and, where reasonably practicable, introduced to reduce the severity or likelihood of the hazardous event or impacts, thereby achieving a reduction in levels of overall risk. Whether mitigation is considered reasonable is a function of its cost (financial, effort, resources etc) or the operational requirement. A further factor which must be considered is the negative consequences for capability of implementing the mitigation. Operational changes or revisions to requirements can only be introduced after consultation with the FLC and the Capability Sponsor. When all reasonably practicable measures have been introduced, the resultant level of residual risk is determined. The decision to tolerate the residual risk must be taken by a Duty Holder with the appropriate level of competence and delegation, normally in the FLC or Operating Authority for In-Service equipment.
Within DE&S, the preferred method for assessing levels of safety risk is the risk matrix, which combines values of severity and likelihood to categorise risk in the range A to D, where Class A risks are the highest. In the case of environmental protection risk, the preferred method is the Environmental Impact Assessment (EIA) (POEMS EMP07 Environmental Reporting ). However, POEMS (EMP05 Impact Priority Evaluation) also describes an earlier risk identification and prioritisation process which uses a prioritisation matrix. Usually undertaken as a generic exercise, this approach combines values of severity and frequency (more appropriate to utilise ‘likelihood’) to categorise outputs in the range high, medium and low priority. This EMP05 output can be used to aid early identification of a potential significant impact, although the actual level of risk is not described until completion of the EMP07 Environmental Impact Assessment (EIA). It is the EIA which will determine whether environmental risks are sufficiently significant to require referral.
A risk which DE&S assesses as “Intolerable, unless there are exceptional reasons for the activity to take place.” (POSMS Procedure SMP 06)
All of the safety and environmental process described above are primarily intended to aid judgement by ranking risks; the individual risk classifications should not be seen as representing a precise measure of risk. In addition, the classification bands are broad and the boundaries conservatively placed. Consequently, risk class alone should not be the sole parameter that determines whether risks are to be subject to risk referral action, and the principles can equally be applied to risks of a lower level which would not normally be considered tolerable (for instance, safety risks that are close to the Class A/B classification boundary). In such cases, the decision to refer should be clearly justified. This promotes a conservative approach to SEP risk management but does not prevent imaginative or rapid action. It enables risk management processes and associated risk acceptance guidelines used by the FLCs to be applied to the final decision.
Assessing the tolerability of a risk which DE&S considers to be sufficiently high to justify referral must take into account many factors, most of which are related to operational issues. For that reason DE&S must refer the decision to the user FLC for its operational perspective. The level of risk presented by the use of the equipment is assessed by the user organisation, taking account of the DE&S risk analysis and its own knowledge and influence over the other Defence Lines of Development (DLoDs).
At the early stages of a project, DE&S hazard analysis (Impact Priority Analysis) and risk assessment activities are likely to identify a number of hazards which will be assessed as presenting a high level of risk until mitigation measures can be shown to be implemented. When the PT sees a reasonable prospect of reducing those risks, it will not need to refer them up the Duty Holder chain. As the project matures and mitigation measures are introduced, the level of risk will reduce. The majority of risks will be low, allowing acceptance at PT level. Where risk levels are higher and reasonably practicable risk reduction measures cannot be identified, the risk must be referred to senior levels for decision. Referrals should include a clear description of the hazard, the level of assessed risk and the options available for reducing that risk, including costings. Funding requirements will need to interface with the planning round through Capability.
For Environmental Protection this is the definition in Guidelines for Environmental Risk Assessment and Management ‘Green Leaves III’ November 2011
Reasonably practicable here must take account of the counter-effect of mitigation on capability.
At each stage of the referral process, the FLC or Operating Authority, supported by DE&S, must decide whether it can justify the continued use of the equipment in the circumstances giving rise to the very high risk. If not and the level of risk cannot be reduced, immediate withdrawal of the defined capability must be considered. Where decisions are taken to tolerate a risk, these must be formally recorded. Subsequent to acceptance, hazards which pose a high level of risk should be kept under close review until circumstances change and the level of risk is reduced.
The risk referral process is graphically represented on the accompanying flowchart. The Responsibilities section (sub-section Accountability), aligns with the flowchart and provides additional guidance on the actions that should occur at each successive stage.
4.8. Version Control
4.8.1. Version 2.3 to 3.0 uplift
Major uplift from the Acquisition System Guidance (ASG) to online version.