DIRECTOR GENERAL TECHNICAL AIRWORTHINESS TECHNCAL ... · extent to which the person has the capacity to influence and control the matter ... ". Section 46 of the Act adds that, "

Objective Id: U10553346

DIRECTOR GENERAL TECHNICAL AIRWORTHINESS TECHNCAL AIRWORTHINESS DIRECTIVE CANCELLATION NOTICE ________________________________________________________________________________

TAD No Title Status Comment

05/2015 Risk Management in Aircraft Design

CANCELLED as of 27 Sep 18

Superseded by 27 Sep 18 DASR release; and AC 003/2018 - Risk Management in Aircraft Design.

Australian Government

Department of Defence Defence Aviation Safety Program

AII AEO SDEs AllDARs

DGTA TAD 05/2015

DGTA-TECHNICALAIRWORTHINESS DIRECTIVE 05/2015:

RISK MANAGEMENT IN AIRCRAFT DESIGN

This Technical Airworthiness Directive requires that the action set out in the Instructions section herein (being action that the ADF Technical Airworthiness Regulator considers necessary to correct an unsafe or unsatisfactory condition) be taken by the nominated Action Agencies. (ADF Technical Airworthiness Regulation 1.1.5 refers).

References:

A. DDAAFS/OUT/2015/AB21469833, Introduction of SF ARP into Defence Aviation Policyand Regulations of 15 Apr 15

B. AS/NZS ISO31000:2009, Risk Management - Principles and GuidelinesC. Joint Directive 30/2015, The Management of Risk in Defence, of 12 Jun 15

Applicability

1. This TAD applies to Authorised Engineering Organisations (AEOs) responsible for DesignApproval and/or Design Acceptance of aircraft and/or aeronautical product.

Action Agencies

2. The following agencies and individuals are responsible for acting upon, to the extentnecessary, the direction contained in this TAD:

a. AEO Senior Design Engineers (SDEs), and

b. Design Acceptance Representatives (DARs).

Urgency

3. SDEs/DARs are to resolve incongruence (if any) between AEO plans/processes/tools andthis TAD, with all reasonable haste, to ensure compliance with WHS legislation.

4. DGTA shall assess compliance to this TAD through ongoing surveillance activities, andimplementation of the new Defence Aviation Safety Regulations beginning in September 2016.

5. Note: DGTA has no authority to approve exemptions or temporary deviations to WHSlegislation.

Objective ID: U10553346

Background

6. Reference A recognised the Work Health and Safety Act 2011 (WHS Act) and the WorkHealth and Safety Regulations 2011 (collectively referred to as WHS legislation) have introduceduncertainty and confusion among some duty holders with respect to current risk managementpractices in Defence aviation. Particular consternation surrounds the meaning of, and obligationsassociated with, the expression 'so far as is reasonably practicable'.

7. Few duty holders in Defence aviation have a complete understanding of the WHSlegislation. Aviation risks are typically managed with reference to common management standardsand/or reliance on historical business techniques/tools, many of which are clearly inadequate orincorrectly cite an ALARP acronym.

8. Duty holders are thus led into error, believing they have discharged their obligations undercommon law and WHS legislation when this is not necessarily the case. The following fourscenarios are of particular concern in the aviation safety domain:

a. An underlying dependence on a predetermined 'acceptable or tolerable' level of risk,which may cause treatment to cease prematurely when the level of risk is achieved,irrespective of whether further risk reduction is reasonably practicable in the circumstance.

b. A failure to recognise that more than one organisation can have a duty for the same risk, sorisk assessments completed in isolation may not consider risk controls from otherorganisations that are reasonably practicable in the circumstance.

c. Incorrect analysis techniques/tools being used to characterise risks, which may lead to risktreatment ceasing prematurely - in contravention of WHS legislation.

d. An assumption by some duty holders that managing risks to safe aircraft operation willinherently satisfy all of their obligations under WHS legislation.

9. Each of these four concerns is entirely relevant to engineering organisations in the Defenceaviation community. Their activities in supplying and supporting aircraft that are suitable for flight -a direct contributor to safe aircraft operation - must remain congruent with the WHS legislation.

10. There is, however, no intent to clarify these concerns in the extant TAREGs. Rather, theseconcerns shall be resolved in the future Defence aviation safety policy and regulation, which isscheduled for release in late 2016.

11. Reason for TAD. Accordingly, this TAD:

a. clarifies that hazards and risks in aircraft design are to be eliminated or reduced so far as isreasonably practicable in the circumstance;

b. clarifies that safe aircraft operation is a shared duty, and aviation engineeringorganisations must consult, coordinate and communicate with other duty holders to satisfythe WHS legislation;

c. clarifies the appropriateness of different engineering analysis techniques so that aviationsafety risks are not incorrectly characterised or mistreated; and

d. confirms that aviation engineering staff have wider obligations imposed on them by theWHS legislation, beyond that imposed by the T AREGs.


Page 2 of24

12. The TAD also examines how ASINZS ISO 31000:2009 Risk Management Principles andGuidelines needs to be adapted if aircraft design risks are to be managed in a manner compliantwith WHS legislation.

WHS LEGISLATION AND DEFENCE AVIATION SAFETY POLICY/REGULATION

13. As per reference A, while WHS legislation permits CDF to exclude or limit the Act toavoid prejudice of Australia's defence, no application has been made, or is expected to be made, toexclude or limit WHS provisions in relation to Defence aviation broadly. Hence, WHS legislationapplies to all aspects of Defence aviation.

14. However, the Defence aviation safety program and regulation provides specialistamplification for those hazards (defined somewhat narrowly) that threaten safe aircraft operation.

The hazards associated with safe aircraft operation are considered so unique, that additional andspecialist regulation is required - in accordance with international convention - to ensure that thesehazards have been eliminated or reduced so far as is reasonably practicable in the circumstance.

15. This concept is illustrated at figure 1, which shows how the Defence aviation safetyagencies, program and regulation contribute to Defence satisfying its obligations under theencompassing WHS legislation.

DASAgencies - DGTA

- DDAAFS

-DACPA

DASProgram - Policy/ regulation

- Promotion /education

- Initial Safety Case

- Ongoing Assurance

DASRegulation - Basic

- Design/ Maintenance

- Maintainer Licencing

- Aircrew Licencing

- Flight operations

Poor reportingLead Poor training

Fire "' __________ ChemicalsPoor health monitoring (Explosives

Contaminated air Lifting Falling objects Demolition

ExcavatingPoor labels

Figure 1: Safe aircraft operation requires specialist treatment/controls


Page 3 of24

16. The remainder of this TAD is constrained to risk management within the technicalairworthiness domain and assurance that aircraft are suitable for flight ( as a key contributor to safeaircraft operation). However, as a subset of the encompassing WHS obligations faced bySDE/DARs, the principles provided herein are equally relevant across the entire safety spectrumthat must be managed by engineering organisations.

17. Also, for brevity, the discussion is limited to in-service manned aircraft engineeringmanagement, but equally applies to aircraft acquisitions, unmanned aircraft, aeronautical productand aviation support systems. This necessarily means some adaption of this TAD will be needed forother than in-service manned aircraft AEOs. Where more than minor adaption is needed, AEOs areto petition the TAR with an alternative arrangement that meets the intent of the TAD.

Some key WHS duties for aviation engineers

18. A manned aircraft is a flying workplace for crew/passengers while m operation, andbecomes an item of equipment within a workplace when being maintained.

19. Section 20 of the WHS Act states that, " ... the person with management or control of aworkplace must ensure, so far as is reasonably practicable, that the workplace . . . and anythingarising from the workplace are without risks to the health and safety of any person". SinceDefence's operational command chain has management/control of the aircraft while in operation, ithas a clear WHS duty for aircrew/passengers (and indeed third-parties that may have their health orsafety compromised while the aircraft is in operation). Similarly, when an aircraft is undergoingmaintenance (and therefore is an item of equipment within a workplace), the maintenance commandchain has management/control of the workplace, so they have a clear WHS duty for maintenanceand other ground staff.

20. Section 22 of the WHS Act also imposes specific duties on designers of plant/structure thatare to be used as, or at, a workplace. In the aviation context, the plant/structure would includeaircraft, and the designers would include AEO engineers providing engineering management of theaircraft. The Act requires (amongst other things1) that, " ... the designer must ensure, so far as is

reasonably practicable, that the plant ... or structure is designed to be without risks to the healthand safety of persons ... " who use the plant/structure or carry out reasonably foreseeable activitiesat a workplace. Consequently, AEO engineers have a clear WHS duty for aircrew/passengers andalso for maintenance and other ground staff.

21. Finally, the WHS Act accepts that more than one person can have a duty for the samematter. Section 16 of the Act states that each person" ... must discharge the person's duty to theextent to which the person has the capacity to influence and control the matter ... ". Section 46 of theAct adds that, " ... each person with the duty must, so far as is reasonably practicable, consult, cooperate and co-ordinate activities with all other persons who have a duty in relation to the samematter". Given the quantity and complexity of aircraft hazards, and the number of persons with aWHS duty, aircraft present a particularly complex workplace from a safety perspective.

22. The T AREGs assist aviation engineers with executing the above WHS Act obligations.Importantly, however, TAREGs focus directly on assuring an aircraft's suitability for flight. Assuch, they do not comprehensively assure the safety of an aircraft as a workplace, nor as an item ofequipment within a workplace: they do not satisfy (in full) the Section 20 or Section 22 duty holderresponsibilities under the WHS Act. Rather, they make a substantial but constrained contribution to

1

The full text of Section 22 of the WHS Act is included at annex A. The annex also presents other WHS Act and Regulation excerpts that are relevant to the scope of this TAD.


Page 4 of24

these outcomes by assuring an aircraft's suitability for flight. Importantly, further engineering effort is required, beyond compliance with the T AREGs, to assure the overall safety of aircraft occupants, maintenance staff, and other people in contact with the aircraft2

.

EFFECTIVE RISK MANAGEMENT BY ENGINEERING ORGANISATIONS

23. As stated earlier, WHS legislation applies to all aspects of Defence aviation. Consequently,all engineering organisation in the Defence aviation community are subject comprehensively toWHS legislation, and they must use the legislated definition of reasonably practicable (and theassociated hierarchy of controls) to demonstrated that hazards have been eliminated, or risksreduced, so far as is reasonably practicable in the circumstance.

24. . Many organisations mandate the use of ASINZS 1S031000:2009 (reference B) for riskmanagement3

• This international standard can be applied across many industries to manage differenttypes of risks. However, the international standard needs to be applied carefully in the managementof aviation safety hazards to ensure that risk treatment does not cease prematurely when a supposed'acceptable' level of risk is achieved. Further risk reduction might be reasonably practicable in thecircumstance. Duty holders can be easily led into error by blindly following ASINZS1SO31000:2009, believing they have discharged their obligations under common law and WHSlegislation when this is not necessarily the case

25. Since ASINZS 1SO31000:2009 is employed by most engineering organisations, this TADclarifies the adaption required to ensure congruence and compliance with WHS legislation. Thissection will not be relevant to those organisations that already employ a WHS compliant adaptionof ASINZS 1SO31000:2009 (or equivalent). Each heading below is extracted from the riskmanagement standard.

Establishing the (Risk) Context

"defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy" (ISO 31000)

26. The WHS legislation requires risks to be eliminated, or where this is not possible, the riskmust be minimised so far is reasonably practicable. This statement provides essential context thataffects all AEO safety risk management effort.

27. Some AEOs do not apply the above context to their safety risk management decisions.This is partly because extant DASP policy (including reference B) refers to the ALARP concept,and also because many engineers are comfortable with ALARP. While it is possible for a wellconsidered ALARP-based risk management system to comply with the WHS legislation, in alllikelihood it will fail to do so. For example:

a. ALARP explicitly promotes the concept of 'acceptable' or 'tolerable' levels of risk, ratherthan requiring all measures to further reduce the risk to be implemented if they are

2

AAP 7001.054 Section 1 Chapter 2 describes the incomplete contribution of'airworthiness' to the overall goal ofa safe (ie WHS Legislation compliant) aircraft. For example, airworthiness does not cover the use of hazardous materials in aircraft design, the long-tenn health effects ofradiation and noise exposure, safe maintenance practices, an absence of sharp protrusions, and so on. It also provides a list of relevant WHS standards, as provided by DDAAFS, in an annex. 3 The recent Joint Directive (JD) at reference C, and associated guidance material on the Enterprise Governance Branch

website, states that Defence is to manage risk in accordance with the 1SO31000 standard.


Page 5 of24

reasonably practicable in the circumstance (regardless of risk level);

b. ALARP does not emphasise the requirement to eliminate risks wherever possible; and

c. ALARP does not explicitly demand that a 'hierarchy of controls' (where more effectiverisk controls take precedence over less effective controls), be employed.

28. Further, the TAR has observed that few engineers seem fully conversant with the WHSlegislation. Many are unaware of the explicit obligations placed on them as engineers (for exampleat Sections 22 and 27 of the WHS Act), and the actions required by them to be compliant with theWHS legislation.

29. Summarised, the WHS legislation provides essential risk context for all AEO riskmanagement endeavours.

30. Actions required. SDEs are to ensure that:

a. the engineering management system complies with the legislated definition of reasonablypracticable (and the associated hierarchy of controls) and ensures that aviation safetyhazards have been eliminated, or risks reduced, so far as is reasonably practicable in thecircumstance; and .

b. engineering staff are aware of the obligations placed on them by the WHS legislation,beyond that imposed by the TAREGs.

Risk Identification

"process of finding, recognising and describing risks" (JSO31000)

31. The Australian Military Type Certificate (Ai\.1TC), issued by the Defence AviationAuthority (Defence AA), confirms an aircraft design is airworthy (ie suitable for flight). Theunderlying Certification Basis (CB) and compliance findings against that CB set the safety baselinefor the aircraft from an airworthiness perspective

4•

32. Throughout the 'continuing airworthiness' lifecycle phase of an aircraft, Defence mayrealise the aircraft design does not meet the agreed CB. It may be discovered through routinemaintenance, incident investigations, Technical Information (TI) from the OEM or other users,maintenance policy reviews, and so on. The design deficiency may be a result of a latent designdefect, a production defect, Instructions for Continued Airworthiness (ICA) not sufficiently cateringfor Defence's harsh operating environment, and so on.

33. A design deficiency against the CB presents a hazard. Per the WHS legislation, Defencehas an obligation to eliminate the risk, or where this was not possible then the risk must beminimised so far as is reasonably practicable (in the circumstance).

34. A well-defined and comprehensive certification basis is therefore fundamental to effectiverisk identification. However, there is some variation in coverage and completeness of CBs acrossDefence aircraft, and considerable variation between SPOs in the sufficiency of CB maintenance

4 The AMTC is a partial contributor to the confidence ofDefence's various WHS duty holders that the aircraft presents a safe workplace per the WHS Legislation. Other design activities such as PO assessments of hazardous materials on the aircraft, plus robust operational risk controls ( eg aircrew training, procedures, helmets, etc), plus various other PO activities, also contribute to that confidence.


Page 6 of 24

throughout the aircraft lifecycle. Two TAR actions are underway to address these shortfalls, as follows:

a. A TAD will be released prior to September 2016, defining a standardised scope andcontent of the CB, and requiring aircraft SPOs to migrate their CBs to conform with theserequirements; and

b. The Military Type Certificate Holder function under the new DASRs has firmrequirements for CB management, and execution of these requirements will be subject toTAR regulatory oversight.

35. These issues do not yet require action by AEOs; they are merely included for information.

Risk Analysis

"process to comprehend the nature of risk and to determine the level of risk" (!SO31000)

36. All AEOs recognise that risks must be robustly analysed if they are to be effectivelytreated. However, the TAR has observed several AEOs performing inconsistently in this domain. Ofparticular concern is the use of tools and processes for analysing risks that are not compatible withthe risk context, leading to (sometimes grossly) misleading results. To compound the error, someAEOs have not been seeking Subject Matter Expert (SME) advice to confirm their analysis iscomprehensive and valid. Consequently, the analysis may not be sufficiently robust to supportcompliance with the WHS legislation5

•

3 7. The selection of appropriate tools and processes for analysing risks is fundamentally dependent on the nature of the design deficiency. The following sections broadly group such deficiencies as follows:

a. Design deficiencies in systems that fail probabilistically (mostly aircraft avionic systemsand some mechanical systems);

b. Design deficiencies in aircraft structures and engines;

c. Design deficiencies in systems that do not fail probabilistically ( eg software);

d. Design deficiencies in systems with simple failure modes that cannot be determinedprobabilistically or deterministically; and

e. Design deficiencies in systems that are not included in the certification basis ( eg hazardousmaterials and other non-specified design deficiencies).

38. Design deficiencies in systems that fail probabilistically. System safety programs (SSPs)provide a range of tools for analysing failures in systems that fail probabilistically. The Hazard RiskIndex (HRI) matrix, for example, can be a particularly useful tool for characterising safety riskswhen a design fails to meet the aircraft Certification Basis. The HRI approach is primarilyapplicable to systems whose failure can be probabilistically determined on a usage scale such as'failures per flight hour'. Most often, these are the same systems that were designed to meet a

5

Note that the concerns in this section are independent of whether Defence AEOs employ an ALARP-based approach, a WHS Legislation-compliant approach, or any other approach for that matter. Regardless of the risk management system, inadequate (and therefore potentially misleading) risk analysis is not acceptable. The TAR's concerns regarding inadequate risk analysis are included in this TAD, rather than issued as a separate TAD, simply for convenience.

Objective ID: U10553346 Page 7 of24

Failure Probability Objective (FPO) by the OEM during initial aircraft design. These FPOs are extremely small, typically in the order of 10-6 to 10-9 failures per flight hour, depending on the typeof aircraft, criticality of a particular function, and the requirements of the certificating authority.

FPOs are used by designers to demonstrate that a particular upper level aircraft function will satisfy the overall safety goals of the aircraft, during both normal and degraded operations. Consequently, FPOs and the HRI can be a particularly useful tool for characterising the safety risk due to an observed in-service design deficiency.

39. A common mistake, however, is to use these tools to characterise risk for systems whosefailure cannot be probabilistically modelled. This is covered in paragraphs 42 to 45 below.

40. Another common mistake is to use these same tools to characterise risk for systems that areused infrequently. For example, characterising risk on an annual basis for a system that is usedeither rarely (eg ejection seats, crash protection measures) or only a few times per year (egchaff/flares systems, aerial refuelling) is likely to be grossly misleading. Characterising these risksthrough the HRI will almost inevitably, and misleadingly, result in an assessment of 'low' riskregardless of the severity of the latent defect. Such systems pose hazards that are better assessed ona per usage basis ( or perhaps the total number of uses through to aircraft Planned Withdrawal Date),rather than per flight hour.

41. Summarised, the system safety tools and framework are only appropriate for characterisingrisks for certain aircraft systems and functions. For the remainder, different approaches are neededto characterise and communicate the risk.

42. Design deficiencies with Structure and Engines. Primary aircraft structure,including critical engine/airframe dynamic components, have a catastrophic failure condition byvirtue of their role, and defects such as cracks, corrosion and disbonds cannot be easily or reliablystatistically modelled. Progression to failure is also very sensitive to flight and ground usage, and assuch, the risk cannot always be well characterised into the future. Respective Aircraft and EngineStructural Integrity Programs (ASIP/ESIP) are the primary framework through which tocharacterise risk in these areas. Given the complexity in making such judgements, and thepotentially catastrophic consequences of incorrect assumptions and actions, DA VENG-DGTAengagement is mandatory in all risk determinations and treatments for primary structure and criticalengine/airframe dynamic components.

43. Design deficiencies in systems that do not fail probabilistically. This includes systemssuch as software or other system hazards that arise systematically from logic failures of a design,not component failures. These risks are best characterised through the consequences of their failure,or through a framework such as the MIL-STD-882E Software Control Category. Assistance isavailable from DAVCERT-DGTA ifrequired.

44. Design deficiencies in systems with simple failure modes that cannot be determinedprobabilistically or deterministically. Technologies such as oxygen delivery systems will reliablyfulfil their role, but can quickly degrade due to a variety of external factors. This degradation isusually controlled through on-condition maintenance and inspection, or provision ofemergency/backup systems. Similar to the above, HRis may be misleading if used to characterisethe risk posed by a particular design deficiency. A qualitative assessment against the original designstandard might be more appropriate.

45. Design deficiencies in systems that are not included in the CB. Defence's concept of aCertification Basis is drawn from the civilian airworthiness domain. This precludes aircraft stores,some life support equipment, fuels, securing of aircraft loads, hazardous materials, and so on. Sincethese items are not included in the CB, their contribution to the overall aircraft-level catastrophic


Page 8 of24

failure rate was not taken into account by the aircraft designers. Given the complexity in characterising risks due to design deficiencies in these domains, SME advice (for example from the relevant Airworthiness Standards Representative, DDAAFS for hazardous materials, etc) will normally be required.

46. Actions required. SDEs and DARs are to ensure:

a. the engineering management system, inclusive of the System Safety Program, requires theuse of risk analysis techniques/tools that are suitable for characterising a risk in a givencontext, for the full spectrum of aircraft systems and functions, per this TAD.

b. that engineers are aware that aviation safety risk can be incorrectly characterised and risktreatment ceased prematurely - in contravention of WHS legislation - if incorrect analysistechniques/tools are used to characterise aviation safety risk.

c. SME advice is sought where specialist knowledge or techniques are needed to properlycharacterise aviation safety risks.

Risk Evaluation

''process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable" (1SO31000)

47. Risk evaluation using ASINZS 1SO31000:2009 is fundamentally incongruent with the WHSlegislation and may cause risk treatment to cease prematurely when an 'acceptable or tolerable'level of risk is achieved, but further risk reduction is reasonably practicable in the circumstance.

48. The risk evaluation step inASINZS 1SO31000:2009 assesses whether the risk is 'acceptable ortolerable' and prioritises treatment on this basis. While this might be suitable for many types ofrisks in Defence (capability, reputation, cost, schedule, etc.), and allow the redistribution of internalresources to better achieve corporate goals, the technique does not comply with Australia's WHSlegislation.

49. WHS legislation requires safety hazards to be eliminated, or where this is not possible, safetyrisk to be reduced so far as is reasonably practicable in the circumstance. This obligation enduresirrespective of the level ofrisk. Treatment cannot be ceased for 'mere convenience', or on the basisthat someone judges the level of safety risk to be 'acceptable or tolerable', if further treatment isreasonably practicable in the circumstance.

50. WHS legislation emphasises the need for credible and defensible risk controls; not the'acceptability or tolerability' of risk.

51. Accordingly, while AEOs would reasonably adopt the first part of the risk evaluation process(ie "comparing the results of risk analysis with risk criteria"), it should merely be used to assist incharacterising risks so they can be effectively communicated to other duty holders. The historicaluse of 'acceptable and tolerable' levels risk must be discarded for Defence aviation safety sincethey are fundamentally incongruent with the WHS Legislation.


a. that risk evaluation processes within the engineering management system do not use'acceptable or tolerable' levels ofrisk to decide whether treatment is, or is not, required foran aviation safety hazard/risk.


Page 9 of24

b. that risk evaluation processes within the engineering management system complies withthe legislated requirement for aviation safety hazards to be eliminated, or risks reduced sofar as is reasonably practicable in the circumstance.

Risk Treatment

''process to modify risk" (ISO 31000)

53. Under AS/NZS ISO 31000:2009, 'risk treatment' encompasses actions to avoid or reduce risk,and where necessary to retain residual risk. These concepts are broadly congruent \\tith the WHSLegislation, but require intelligent application if the WHS Legislation is to be satisfied. Thefollowing sections separately cover risk reduction (including elimination) and risk retention.

54. Risk reduction. The WHS Legislation requirements for treating risk are resident in theconcepts of 'reasonably practicable' and 'hierarchy of control measures', as follows:

Reasonably practicable:

"In this Act, reasonably practicable, in relation to a duty to ensure health and safety, means that which is, or was at a particular time, reasonably able to be done in relation to ensuring health and safety, taking into account and weighing up all relevant matters including:

(a) the likelihood of the hazard or the risk concerned occurring; and

(b) the degree of harm that might result from the hazard or the risk; and

(c) what the person concerned knows, or ought reasonably to know, about:

(i) the hazard or the risk; and

(ii) ways of eliminating or minimising the risk; and

(d) the availability and suitability of ways to eliminate or minimise the risk; and

(e) after assessing the extent of the risk and the available ways of eliminating or minimisingthe risk, the cost associated with available ways of eliminating or minimising the risk,including whether the cost is grossly disproportionate to the risk"

Hierarchy of control measures

(1) This regulation applies ifit is not reasonably practicable for a duty holder to eliminaterisks to health and safety.

(2) A duty holder, in minimising risks to health and safety, must implement risk control measures in accordance with this regulation.

(3) The duty holder must minimise risks, so far as is reasonably practicable, by doing 1 ormore of the following:

(a) substituting (wholly or partly) the hazard giving rise to the risk with something thatgives rise to a lesser risk;

rb) isolating the hazard from any person exposed to it;

(c) implementing engineering controls.

(4) If a risk then remains, the duty holder must minimise the remaining risk, so far as isreasonably practicable, by implementing administrative controls.

(5) If a risk then remains, the duty holder must minimise the remaining risk, so far as isreasonably practicable, by ensuring the provision and use of suitable personal protectiveequipment.


Page 10 of 24

Note A combination of the controls set out in this regulation may be used to minimise risks, so far as is reasonably practicable, if a single control is not sufficient for the purpose.

55. Of note the WHS legislation requires the risk reduction step of ASINZS ISO 31000:2009 to:

a. eliminate risks (so risks are only treated where it is not reasonably practicable to eliminatethe risk);

b. identify all possible ways to treat the risk, regardless of practicality, before assessing thetreatments;

c. implement a 'hierarchy of risk controls' approach, where more effective risk treatmentsmust be robustly assessed and discounted before resorting to less effective risk treatments6

;

d. prevent premature cessation of risk treatment, which may be caused by the incorrect use of'acceptable' or 'tolerable' risk levels, meaning risks must be reduced so far as isreasonably practicable in the circumstance;

e. related to the above, risk controls must be implemented unless the cost is grosslydisproportionate to the benefit (unlike some ALARP-based approaches where the grossdisproportion test is only applicable to 'tolerable' risks).

56. Each of the above WHS Legislation requirements might be included in an intelligentapplication of ASINZS ISO 31000:2009, and indeed AEOs may have included some of theseelements in their risk management processes. However, unless all are applied, the approach will beincongruent and therefore noncompliant with WHS legislation.

57. Risk Retention. Under the WHS Act, the term 'risk retention' is neither used nor necessary,since aircraft operation should not proceed unless risks have been minimised so far as is reasonablypracticable in the circumstance (noting that one option for reducing risks is to cancel plannedaircraft operation). Defence's business, however, includes many inherently hazardous operationsand training, and includes a clear command chain structure with different levels of authority andcontextual knowledge. As such, Defence must sensibly use the command chain to determinewhether risks have been reduced so far as is reasonably practicable, which includes whether theresidual risk is commensurate with the importance of the operation and/or conduct of effectivetraining. For convenience this decision will be termed 'residual risk retention' in Defence. Itincludes an inherent requirement to confirm that all other people with a shared duty for aircraftsafety (which will include AEO engineers in certain situations, usually where a design deficiency isdiscovered in service) have implemented all reasonably practicable measures to reduce the risk.

58. Consequently, in certain situations, AEO engineers will contribute to a 'residual riskretention' decision by the operational command chain. First, AEO engineers will confirm that allreasonably practicable technical measures have been implemented to reduce the risk. Secondly,AEO engineers will convey information that characterises the risk to the 'residual risk retention'authority. The following extract from Section 22 of the Act is particularly germane to the lattercontribution:

(4) The designer must give adequate information to each person who is provided with thedesign/or the purpose of giving effect to it concerning:

6 The 'hierarchy of risk controls' in the WHS Legislation is broadly equivalent to the 'design order of precedence' in

MIL-STD-882(A-D) and the 'safety order of precedence' in the FAA System Safety Handbook. The key difference in the latter two approaches is a technical focus on the method to reduce the risk.


Page 11 of24

(a) (b) (c) any conditions necessary to ensure that the plant, substance or structure iswithout risks to health and safety when used for a purpose for which it wasdesigned or when carrying out any activity referred to in subsection (2)(a) to (e)

59. For new aircraft, the issue of an Australian Military Type Certificate (AMTC) confirms theabove Section 22 obligation has been comprehensively completed. Consequently, provided theaircraft design continues to meet the Certification Basis (CB) that underpins the AMTC whilethe aircraft is in-service, the Section 22 obligation should continue to be met.

60. Where a design deficiency against the CB is discovered in service, on the other hand, theabove Section 22 obligation would normally require additional information be provided to theoperational command chain. However, this could quickly become unworkable. Modem Defenceaircraft are exceptionally complex examples of plant/structure, and consequently a myriad ofsmaller design deficiencies will inevitably be identified either locally or by international operators.If AEO engineers were to notify each small design deficiency to the operational command chain,who would then confirm that no operational limitations are reasonably practicable to eliminate orreduce the risk, it would quickly swamp them, and in many cases would not add to the level ofsafety for aircraft occupants. Hence, a pragmatic compromise is required, that provides some muchneeded autonomy to AEOs 7•

61. Three risk retention scenarios. Consider the following three scenarios where an aircraftdesign deficiency is discovered in service:

a. the aircraft design, even with the minor design deficiency, might still continue to meet theCB;

b. the design deficiency might cause the aircraft to fail to meet the CB, but engineeringjudgement based on experience might conclude there are no reasonably practicableoperational treatments to reduce or eliminate the risk; or

c. the design deficiency might cause the aircraft to fail to meet the CB, and activeparticipation by all concurrent duty holders is required to assess whether the risk has beenminimised so far as is reasonably practicable.

While each of the above scenarios will result in risks being minimised so far as is reasonably practicable8, each has different communication requirements between technical and operational duty holders. All three scenarios are dealt ,vith below.

62. AEO concludes the design deficiency still meets the CB. The issue of an AMTC confirmsthat an aircraft design is suitable for flight, and that any conditions/limitations on its safe use have

7 DGTA-ADF previously attempted to introduce some autonomy through a standardised approach to delegation ofrisk

retention authority to DARs, proposed to OAAs at DGTA-ADF 05878701 of22 Sep 14. While OAAs agreed in principle to the concept, each was critical ofDGTA-ADF's proposed standardised execution of the arrangements, particularly for non-civil-derivative aircraft. The approach in this TAD supersedes that proposal, and overcomes the OAA criticisms by building on the duty holder requirements in the WHS Legislation.

8

Attention is again drawn to paragraph 42, which states that DAVENG-DGTA engagement is mandatory in all risk determinations and treatments for primary structure and critical engine/airframe dynamic components. This is necessary given the complexity in making such judgements and the potentially catastrophic consequences of incorrect assumptions and actions.


Page 12 of24

been conveyed to the operational command chain. Some design deficiencies discovered in-service may not jeopardise this status quo. For example, a design might be deficient but still meet the CB, or additional technical measures ( eg additional maintenance inspections) may restore the level of safety inherent in the AMTC. In normal situations, no communication with the operational command chain should be required and therefore AEO engineers will not be sharing the duty.

63. DAR concludes that operational treatments are not reasonably practicable9• For some

minor design deficiencies discovered in-service, judgement by the DAR based on experience might conclude that there are no reasonably practicable operational risk treatments to reduce the risk10

•

The DAR would also need to judge that risk elimination through cessation of flying would not be contemplated by the operational command chain in the circumstance. If the DAR is to draw these conclusions, the TAR imposes the following limitations:

a. Trivial design deficiencies. For 'trivial' design deficiencies, meaning the deficiency isbarely outside the certification basis:

(1) The resulting risk level must result in a maximum A VRM (Safety) level of LOW,and the conversion of risk to A VRM must be obvious and not require advice fromthe operational command chain.

(2) The risk must not have a CATASTROPHIC (AVRM) or CRITICAL (AVRM)consequence.

(3) The risk judgement (based on experience) is that no operational mitigations (apartfrom cessation of flying) would reduce the risk.

(4) The risk judgement (based on experience) is that cessation of flying operationswould not be contemplated by the operational command chain in the circumstance.

(5) The risk must be minimised so far as is reasonably practicable (in thecircumstance).

(6) The risk must be added to the hazard log and raised at the next System SafetyWorking Group (or equivalent). This provides the OAAR (or delegate) with theopportunity to monitor and review the DAR's judgements.

b. Non-trivial design deficiencies. For 'non-trivial' design deficiencies (meaning thedeficiency is somewhat, but not markedly, outside the certification basis):

(1) The risk must not have a CATASTROPHIC (A VRM) consequence.

(2) The resulting risk level must be a maximum A VRM (Safety) level of LOW and,where necessary, input from the operational command chain ( delegate of the

9

This does not apply to DARs for new aircraft acquisitions. Since the effect of a risk treatment will often be fixed through to aircraft Life of Type, and consequently the residual risk will be borne by aircrew for many years, the OAAR(Acq) must concur with every risk treatment decision proposed by AEO engineers that does not eliminate the risk. This includes engineers proposing a 'Non Compliant - Acceptable' compliance finding that has a minor safety impact or requires minor operational risk mitigations. The OAAR(Acq) may elect to delegate and/or batch such approvals.

10

One option to eliminate risk is to cease further flight. It must therefore be obvious to engineers that the gravity of the shortfall would not conceivably lead to this outcome. Examples might include systems falling slightly short of meeting assigned Failure Probability Objectives, minor software assurance shortfalls, minor production shortfalls in wiring looms, and so on.


Page 13 of24

OAA/R) must be sought to confirm accuracy of assessment m the A VRl\1 construct.

(3) For those aircraft where the system-level FPOs that under-pin the CB are known(usually civilian-derivative aircraft), the likelihood of occurrence must not beexceeded by two orders of magnitude if it is a safety critical system, noting thatwhere the system-level FPOs are not known, equivalent qualitative arrangementsmay be agreed.

(4) The risk must be minimised so far as is reasonably practicable in the circumstance.

(5) The risk judgement (based on experience) is that no operational mitigations (apartfrom cessation of flying) would reduce the risk.

(6) The risk judgement (based on experience) is that cessation of flying would not becontemplated by the military aircraft operator in the circumstance.

(7) The DAR must not routinely make such decisions, and must be confident that thisparticular decision does not greatly increase the likelihood of aggregated risk beingrealised.

(8) The DAR must immediately communicate the decision to the military aircraftoperator.

64. Active participation by all concurrent duty holders is required. Some design deficienciesdiscovered in-service may require active participation by all concurrent duty holders, in order toconfirm that all reasonably practicable risk treatments have been implemented. AEO engineerswould confirm there are no further reasonably practicable technical treatments, and wouldcharacterise the residual risk for operational treatment. The air operator would then evaluatewhether reasonably practicable operational treatments exist (including cessation of flying), andpresent their recommendation to the command appointment with authority to make the 'residualrisk retention' decision. This would normally occur in any circumstance where:

a. the risk level is equal to, or greater than, A VRM (Safety) level of LOW and has aCATASTROPHIC (A VRM) consequence;

b. the risk level is uncertain, and therefore might extend beyond A VRM LOW;

c. there are reasonably practicable operational treatments to eliminate or further reduce therisk, and the DAR's judgement is that an operational commander would seriously considerimplementing those operational treatments; and/or

d. in any other circumstance where safety appears compromised to the point where it appearsinappropriate for engineers to be solely making decisions11

•

All duty holders must confirm that all reasonably practicable measures to reduce risk have been implemented, and the operational commander must agree to retain the residual risk.

65. As noted in paragraph 62, where a design deficiency against the CB is discovered inservice, Section 22 obligations would normally require additional information be provided to the

11

For example, if there is potential for long-term adverse health effects to aircraft occupants (albeit this is outside

the scope of airworthiness).

Objective JD: U10553346 Page 14 of 24

operational command chain. Paragraph 63 defines several mediums for this communication depending on the risk characterisation, including through periodic System Safety Working Groups, through subsequent notifications of DAR decisions, or through requesting operational command chain participation in the risk treatment process. It is incumbent on the DAR to confirm all duty holders12 comprehensively understand their respective roles in this communication process.

66. Overarching requirements. Finally, the TAR imposes the following overarchingprinciples on risk treatment:

a. Irrespective of the level of residua] risk, if a particular risk decision is to be escalated to theOAA or Defence AA, only the T AA will provide the technical advice.

b. Professional judgement must always be exercised by AEO engineers in applying theminimum requirements in paragraph 63. In atypical circumstances, these requirements maynot be appropriate, in which case the default position must always be to engage allconcurrent duty holders (per paragraph 63 ), and for each to confirm the risk has beenreduced so far as is reasonably practicable.

c. Design Acceptance Certification decisions must be supported by a suitable characterisationof risk.

67. Actions required. DARs are to ensure:

a. all duty holders understand their respective obligations, including communicationrequirements, as defined in paragraph 63 to 66.

Monitoring and Review

"continual checking, supervising, critically observing to determining the status in order to identify change from the performance level required or expected", and an "activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives" (1SO31000)

68. Any decision that a risk has been reduced so far as is reasonably practicable will alwaysbe influenced by the particular circumstance. Consequently, any change to the circumstance canpotentially invalidate the claim that the risk has been reduced so far as is reasonably practicable,because other risk treatments may now become practicable. From an engineering perspective,improvements in technology, the emergence of less expensive solutions to a design deficiency,identification of additional related design shortfalls, a change in aircraft operating environment, andso on, can all change the circumstance. Also, for a long lead-time design change, the risk might bereduced so far as is reasonably practicable in the short-term, but this circumstance will change atthe expiry of that time.

69. Consequently, any determination that a risk has been reduced so far as is reasonablypracticable, should also include the period and conditions of validity for the decision, which will setthe criteria for future monitoring and review of the risk. This may be different to extant AEO riskreview processes, where lower risks might never be reviewed, and higher risks might only be reassessed at fixed periods (for example, 'noteworthy' risks reviewed every year).

12 This includes DHs outside the technical domain, for example operational DHs. Per the WHS legislation, all DHs must consult, cooperate and coordinate activities with other DHs. Since this TAD focuses on design deficiencies, it makes sense for the engineering DHs to take the lead in ensuring other DHs fully understand their own role as a concurrent DH for these deficiencies.


Page 15 of24

70. Review of risks is more than a paperwork exercise. It should include re-assessment ofpreviously-discounted risk controls that might now be 'reasonably practicable', evaluation ofadditional risk controls, a physical inspection of extant risk controls to confirm their effectiveness,and confirmation whether the estimate of residual risk was accurate.


a. the engineering management system requires the period and condition of validity to berecorded for all aviation safety risk retention decisions; and for risks and technical controlsto be monitored based on the validity criteria.

b. that engineers understand the WHS requirement for continuous monitoring of risks andcontrol measures to ensure ongoing validity, so that additional controls can be applied ifreasonably practicable to do so.

Communication and Consultation

"continual and iterative processes that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk" (1SO31000)

72. Effective communication and consultation has always been of critical importance to riskmanagement in the aviation domain. The WHS Legislation emphasises this importance throughSection 46 of the Act, which states that, " ... each person with the duty must, so far as is reasonablypracticable, consult, co-operate and co-ordinate activities with all other persons who have a duty inrelation to the same matter". Section 22 of the Act also contributes, through requiring designers to," ... give adequate information to each person who is provided with the design for the purpose ofgiving effect to it ... ".

73. The TAR expects that AEOs will already enact robust risk communications andconsultation processes, both internally and externally. This communication must be ongoing, as partof the risk review cycle. The implementation of the numerous Actions throughout this TAD willreinforce these requirements.

INSTRUCTIONS

74. SDEs and DARs are to resolve incongruence (if any) between AEO plans/processes/toolsand this TAD, with all reasonable haste, to ensure compliance with WHS legislation.

75. For many engineering organisations, no action will be required. The relationship betweenDefence aviation safety regulation and WHS legislation is well understood, and engineers acceptthat further action, beyond compliance with TAREGs, is required to comprehensively dischargetheir WHS obligations. Risk analysis tools/techniques are appropriate to the risk context and theorganisation ensures that aviation risks are eliminated or reduced so far as is reasonably practicablein each circumstance.

76. Other organisations may suffer a number of deficiencies against the TAD that requireremediation. SDE and DARs are to make the necessary changes to the engineering managementsystem and/or educate engineers accordingly. DGTA cannot grant exemptions or temporarydeviations to the WHS Act so duty holders are encourage to make such changes with all reasonablehaste. SDEs and DARs are best placed to decide what constitutes a defensible argument ofreasonable haste in their circumstance.


Page 16 of24

Original signed 27 Nov 15

DAVCERT.


Objective ID: U10553346 Page 18 of24

WHS LEGISLATION EXCERPTS

ANNEXATO TAD 05/2015

Excerpts from the WHS Act and WHS Regulations central to this TAD are reproduced below. However, there are other sections of the WHS Act and WHS Regulations that warrant either a detailed or broad understanding by all AEO engineers. While both the Act and the Regulations are lengthy, their tables of contents quickly reveal that much of the Act is dedicated to administrative process that is oflimited relevance to AEOs, and much of the Regulations is dedicated to specific hazards that would only be read in depth when a relevant hazard is identified. Consequently, the Act and Regulations are not difficult to comprehend.

WHS Act 2011 - Health and safety duties

14 Duties not transferrable

A duty cannot be transferred to another person.

15 Person may have more than 1 duty

A person can have more than 1 duty by virtue of being in more than I class of duty holder.

16 More than 1 person can have a duty

(1) More than 1 person can concurrently have the same duty.

(2) Each duty holder must comply with that duty to the standard required by this Act even if another dutyholder has the same duty.

(3) If more than 1 person has a duty for the same matter, each person:

(a) retains responsibility for the person's duty in relation to the matter; and

(b) must discharge the person's duty to the extent to which the person has thecapacity to influence and control the matter or would have had that capacity but for anagreement or arrangement purporting to limit or remove that capacity.

17 Management of risks

A duty imposed on a person to ensure health and safety requires the person:

(a) to eliminate risks to health and safety, so far as is reasonably practicable; and

(b) if it is not reasonably practicable to eliminate risks to health and safety, to minimise thoserisks so far as is reasonably practicable.


Page 19 of24

18 What is reasonably practicable in ensuring health and safety

In this Act, reasonably practicable, in relation to a duty to ensure health and safety, means that which is, or was at a particular time, reasonably able to be done in relation to ensuring health and safety, taking into account and weighing up all relevant matters including:

(a) the likelihood of the hazard or the risk concerned occurring; and

(b) the degree of harm that might result from the hazard or the risk; and

(c) what the person concerned knows, or ought reasonably to know, about:

(i) the hazard or the risk; and

(ii) ways of eliminating or minimising the risk; and

( d) the availability and suitability of ways to eliminate or minimise the risk; and

( e) after assessing the extent of the risk and the available ways of eliminating or minimisingthe risk, the cost associated with available ways of eliminating or minimising the risk, includingwhether the cost is grossly disproportionate to the risk.

20 Duty of persons conducting businesses or undertakings involving management or

control of workplaces

( 1) In this section, person with management or control of a workplace means a person conducting abusiness or undertaking to the extent that the business or undertaking involves the management or control, inwhole or in part, of the workplace but does not include:

(a) the occupier of a residence, unless the residence is occupied for the purposes of, or as partof, the conduct of a business or undertaking; or

(b) a prescribed person.

(2) The person with management or control of a workplace must ensure, so far as is reasonablypracticable, that the workplace, the means of entering and exiting the workplace and anything arisingfrom the workplace are without risks to the health and safety of any person.

22 Duties of persons conducting businesses or undertakings that design plant, substances or structures

(1) This section applies to a person (the designer) who conducts a business or undertaking that designs:

(a) plant that is to be used, or could reasonably be expected to be used, as, or at, a workplace;

(b) a substance that is to be used, or could reasonably be expected to be used, at a workplace;or

( c) a structure that is to be used, or could reasonably be expected to be used, as, or at, aworkplace.

(2) The designer must ensure, so far as is reasonably practicable, that the plant, substance or structure isdesigned to be without risks to the health and safety of persons:


Page 20 of24

(a) who, at a workplace, use the plant, substance or structure for a purpose for which it wasdesigned; or

(b) who handle the substance at a workplace; or

( c) who store the plant or substance at a workplace; or

(d) who construct the structure at a_workplace; or

(e) who carry out any reasonably foreseeable activity at a workplace in relation to:

(i) the manufacture, assembly or use of the plant for a purpose for which it wasdesigned, or the proper storage, decommissioning, dismantling or disposal of the plant; or

(ii) the manufacture or use of the substance for a purpose for which it was designed orthe proper handling, storage or disposal of the substance; or

(iii) the manufacture, assembly or use of the structure for a purpose for which it wasdesigned or the proper demolition or disposal of the structure; or

(f) who are at or in the vicinity of a workplace and who are exposed to the plant, substanceor structure at the workplace or whose health or safety may be affected·by a use or activityreferred to in paragraph (a), (b), (c), (d) or (e).

(3) The designer must carry out, or arrange the carrying out of, any calculations, analysis, testing orexamination that may be necessary for the performance of the duty imposed by subsection (2).

( 4) The designer must give adequate information to each person who is provided with the design for thepurpose of giving effect to it concerning:

(a) each purpose for which the plant, substance or structure was designed; and

(b) the results of any calculations, analysis, testing or examination referred to in subsection(3), including, in relation to a substance, any hazardous properties of the substance identified bytesting; and

( c) any conditions necessary to ensure that the plant, substance or structure is without risks tohealth and safety when used for a purpose for which it was designed or when carrying out anyactivity referred to in subsection (2)(a) to (e).

(5) The designer, on request, must, so far as is reasonably practicable, give current relevant informationon the matters referred to in subsection (4) to a person who carries out, or is to carry out, any of the activitiesreferred to in subsection (2)(a) to (e).


Page 21 of24

WHS Act 2011 - Consultation, representation and participation

46 Duty to consult with other duty holders

If more than one person has a duty in relation to the same matter under this Act, each person with the duty

must, so far as is reasonably practicable, consult, co-operate and co-ordinate activities with all other persons who have a duty in relation to the same matter

WHS Regulations 2011, Part 3.1 Managing risks to health and safety

32 Application of Part 3.1

This Part applies to a person conducting a business or undertaking who has a duty under these Regulations to manage risks to health and safety.

33 Specific requirements must be complied with

Any specific requirements under these Regulations for the management of risk must be complied with when implementing the requirements of this Part.

Examples

1 A requirement not to exceed an exposure standard.

2 A duty to implement a specific control measure.

3 A duty to assess risk.

34 Duty to identify hazards

A duty holder, in managing risks to health and safety, must identify reasonably foreseeable hazards that could give rise to risks to health and safety.

35 Managing risks to health and safety

A duty holder, in managing risks to health and safety, must:

(a) eliminate risks to health and safety so far as is reasonably practicable; and

(b) if it is not reasonably practicable to eliminate risks to health and safety-minimise thoserisks so far as is reasonably practicable.

36 Hierarchy of control measures

(1) This regulation applies if it is not reasonably practicable for a duty holder to eliminate risksto health and safety.

(2) A duty holder, in minimising risks to health and safety, must implement risk controlmeasures in accordance with this regulation.

(3) The duty holder must minimise risks, so far as is reasonably practicable, by doing 1 ormore of the following:


Page 22 of24

(a)substituting (wholly or partly) the hazard giving rise to the risk with somethingthat gives rise to a lesser risk;

(b )isolating the hazard from any person exposed to it;

(c)implementing engineering controls.

( 4) If a risk then remains, the duty holder must minimise the remaining risk, so far as isreasonably practicable, by implementing administrative controls.

(5) If a risk then remains, the duty holder must minimise the remaining risk, so far as isreasonably practicable, by ensuring the provision and use of suitable personal protective equipment.

Note A combination of the controls set out in this regulation may be used to minimise risks, so far as is reasonably practicable, if a single control is not sufficient for the purpose.

37 Maintenance of control measures

A duty holder who implements a control measure to eliminate or minimise risks to health and safety must ensure that the control measure is, and is maintained so that it remains, effective, including by ensuring that the control measure is and remains:

(a)fit for purpose; and

(b )suitable for the nature and duration of the work; and

(c)installed, set up and used correctly.

38 Review of control measures

( 1) A duty holder must review and as necessary revise control measures implemented underthese Regulations so as to maintain, so far as is reasonably practicable, a work environment that iswithout risks to health or safety.

(2) Without limiting subregulation (1), the duty holder must review and as necessary revise acontrol measure in the following circumstances:

(a)the control measure does not control the risk it was implemented to control so faras is reasonably practicable;

Examples

1 The results of monitoring show that the control measure does not control the risk.


Page 23 of24

2 A notifiable incident occurs because of the risk.

(b )before a change at the workplace that is likely to give rise to a new or different risk to health or safety that the measure may not effectively control;

(c)a new relevant hazard or risk is identified;

( d)the results of consultation by the duty holder under the Act or these Regulationsindicate that a review is necessary;

(e)a health and safety representative requests a review under subregulation (4).

(3) Without limiting paragraph (2) (b), a change at the workplace includes:

(a)a change to the workplace itself or any aspect of the work environment; or

(b)a change to a system of work, a process or a procedure.

( 4) A health and safety representative for workers at a workplace may request a review of acontrol measure if the representative reasonably believes that:

(a)a circumstance referred to in paragraph (2) (a), (b), (c) or (d) affects or may affectthe health and safety of a member of the work group represented by the health andsafety representative; and

(b) the duty holder has not adequately reviewed the control measure in response to thecircumstance.


Page 24 of 24

Documents

DIRECTOR GENERAL TECHNICAL AIRWORTHINESS TECHNCAL ... · extent to which the person has the capacity to influence and control the matter ... ". Section 46 of the Act adds that, "