SFAIRP in the Australian Railway Industry
1. Legal Foundations
1.1 Rail Safety National Law Framework and Objectives
The Rail Safety National Law (RSNL) establishes a unified legal framework for rail safety across Australia. Its main purpose is “to provide for safe railway operations in Australia,” supported by specific objectives such as effective risk management, continuous improvement in safety, and promotion of public confidence in rail transport[1][2]. The RSNL created the Office of the National Rail Safety Regulator (ONRSR) and a national system of accreditation to oversee rail operators, emphasizing shared responsibility for safety among all parties[3]. In essence, the RSNL is a principles-based regime: rather than prescribing every safety measure, it imposes general duties on duty holders to ensure safety “so far as is reasonably practicable” (SFAIRP), allowing flexibility in how outcomes are achieved while holding them accountable to a high standard of care.
1.2 SFAIRP Duties in RSNL Sections 46 and 47
Section 46 of the RSNL articulates the core SFAIRP duty. It provides that whenever the law imposes a duty to ensure safety so far as is reasonably practicable, the duty holder is required (a) to eliminate risks to safety so far as is reasonably practicable, and (b) if elimination is not reasonably practicable, to minimize those risks so far as is reasonably practicable[4]. This establishes a clear hierarchy: risk elimination is the first obligation, and only where elimination is infeasible may mitigation be accepted – but even then, mitigation must reduce risk as much as reasonably practicable.
Section 47 defines “reasonably practicable” in detail. It states that what is reasonably able to be done for safety is determined by weighing up all relevant matters including: (a) the likelihood of the hazard or risk occurring, (b) the degree of harm that might result, (c) what the person knows or ought to know about the hazard and ways of mitigating it, (d) the availability and suitability of risk controls, and (e) the cost of those controls, including whether the cost is grossly disproportionate to the risk[5][6]. These five factors mirror the classic test of “reasonably practicable” found in general Work Health and Safety (WHS) laws. They embed a risk-based, evidence-driven approach into rail safety: duty holders must consider how likely an incident is, how severe it could be, what is known about preventing it, what measures exist and how effective they are, and only then consider cost – and even cost is weighed under the strict condition of gross disproportionality (i.e. a control can only be omitted if its cost is manifestly excessive compared to the risk reduction achieved).
1.3 General Duties of Various Parties (Sections 52–54) and SFAIRP Qualification
The RSNL imposes broad safety duties on all key players in railway operations, each qualified by the SFAIRP standard. In Section 52, rail transport operators (RTOs) – encompassing both rail infrastructure managers and rolling stock operators – are obliged to ensure the safety of their railway operations so far as is reasonably practicable[7]. This general duty is expanded with specific expectations. For example, RTOs must, SFAIRP, implement safe systems of work, ensure rail workers are competent and fit, manage drug and fatigue risks, provide adequate safety equipment and information, and so on[8][9]. Section 52 further subdivides duties for particular roles: a rail infrastructure manager must ensure infrastructure is provided and maintained safely and that all its design, construction, maintenance and operational systems ensure safety SFAIRP[10]. Similarly, a rolling stock operator must ensure rolling stock is safe in provision and maintenance, and that its design, use, modification and associated procedures keep operations safe SFAIRP[11]. In short, every facet of running trains and infrastructure – from track condition to train maintenance to operating rules – falls under an SFAIRP duty for the operator responsible.
Section 53 targets designers, manufacturers, suppliers, and installers of rail infrastructure or rolling stock. They must ensure that any equipment or “thing” they provide which is to be used in railway operations is safe for its intended purpose, SFAIRP[12]. They are also required SFAIRP to test and examine such equipment and to provide adequate safety information about its use, testing results, and any conditions necessary for its safe operation[13][14]. This extends the SFAIRP principle into the supply chain: even those who are not operating trains but contribute to their design and construction have to eliminate or minimize risks in the design/manufacture stage as far as practicable.
Section 54 places a duty on persons loading or unloading freight on rolling stock. They must carry out loading/unloading safely and in a manner that ensures the safe operation of the rolling stock, so far as is reasonably practicable[15]. This provision recognizes that cargo handling (e.g. at freight terminals) can introduce risks (such as overloading, imbalance, shifting loads, etc.), and those doing these tasks share responsibility under SFAIRP to prevent accidents like wagon tip-overs or unsecured loads.
Importantly, in all these duties (Sections 52–54), the qualifier “so far as is reasonably practicable” ensures the law is goal-oriented rather than purely prescriptive. The duty holders are not expected to achieve zero risk at all costs; rather, they are expected to do everything reasonably practicable to ensure safety. SFAIRP thus acts as a dynamic standard of care – as knowledge, technology, or circumstances evolve, what is “reasonably practicable” may rise, and duty holders must continuously reassess their controls against the current state of knowledge and risk. Non-compliance with these duties (i.e. failing to eliminate or reduce a safety risk that it was reasonably practicable to address) is an offence attracting significant penalties (up to $1.5 million for corporations)[16][17], underscoring how seriously the law treats the SFAIRP obligation.
2. Regulator’s Interpretation of SFAIRP
2.1 ONRSR Guideline “Meaning of Duty to Ensure Safety SFAIRP”
Australia’s rail safety regulator, ONRSR, has published a dedicated guideline titled “Meaning of Duty to Ensure Safety So Far As Is Reasonably Practicable” (May 2021) to clarify this concept for the rail industry. ONRSR’s guideline confirms that Sections 46 and 47 of the RSNL set the baseline for how SFAIRP is understood[18]. The guideline’s purpose is to assist duty holders in interpreting and applying SFAIRP, essentially translating the legal test into practical expectations. It emphasizes that all the factors in Section 47 must be considered in determining what is reasonably practicable, and it warns against viewing any factor in isolation[19].
The ONRSR guideline was adapted from Safe Work Australia’s interpretive guidance on “reasonably practicable” under the Model WHS Act, but tailored to rail. It stresses that the SFAIRP duty should achieve “the best possible safety outcomes” within what is reasonably practicable[20]. In ONRSR’s view, SFAIRP in rail safety is fundamentally about risk management excellence: identifying hazards, assessing risks, and taking all feasible actions to control those risks. The guideline links SFAIRP compliance directly with having a robust Safety Management System – noting that RSNL Section 99 requires RTOs to have an SMS that includes risk management processes (consistent with standards like ISO 31000 for risk management)[21][22]. It is clear that ONRSR expects duty holders to integrate SFAIRP into their day-to-day safety governance through their SMS (more on this in Section 4).
In summary, ONRSR’s SFAIRP guideline serves as a bridge between the legal theory of SFAIRP and its application in the field. It provides explanations, examples, and advice on topics such as weighing the Section 47 factors, documenting SFAIRP decisions, and continuously improving controls. While not law, this guideline represents the Regulator’s interpretation – effectively a reference point for what ONRSR inspectors will look for when assessing whether an operator is meeting its SFAIRP duties.
2.2 The Five Factors of Section 47 and Railway Examples
ONRSR’s guideline reiterates the five key factors from RSNL Section 47 and illustrates how a rail operator should apply them in practice when deciding on risk controls[23][24]. The factors and some rail-specific examples are:
- Likelihood of the hazard or risk occurring: Duty holders must evaluate how probable an adverse event is. For example, consider a busy level crossing near a highway. If near-miss data and road traffic volumes indicate a high likelihood of collisions, this high probability weighs in favor of stronger controls (e.g. installing active warning signals or closing the crossing). Conversely, for an extremely rare hazard, like a freak natural event affecting a remote rail line, “likelihood” might be low – but this factor must be weighed alongside severity and others, not on its own. ONRSR expects operators to use all available evidence (past incidents, fault data, engineering analysis) to realistically judge likelihood.
- Degree of harm (severity) if the risk eventuates: The potential consequences are critical. In railways, some hazards carry catastrophic severity – for instance, a collision between two passenger trains could result in multiple fatalities, which is intolerable. Even if such a collision is unlikely, the severity is so high that extensive precautions (signals, train protection systems, driver training, etc.) are expected SFAIRP. For a less severe hazard, say a minor injury from a low-speed shunting derailment, the acceptable level of control might be different. The rule is that greater potential harm demands a greater effort to prevent it. A practical example is the treatment of level crossing risks: because any train–vehicle collision can easily cause deaths (high severity), the harm factor justifies substantial safety measures (ground flashing lights, barriers, road signage, speed limits for trains, etc.), even at locations where probability is moderate.
- Knowledge about the hazard/risk and ways to mitigate it: SFAIRP decisions must account for what the duty holder knows or ought to know about the problem and solutions. In rail, there is a vast “state of knowledge” available – incident investigation findings, industry research, standards, and lessons from other jurisdictions. For example, if a specific type of signal passed at danger (SPAD) incident has happened on other networks and a known effective engineering fix (like automatically triggered train braking) exists, an operator “ought to know” this. Ignorance is not a defense. ONRSR’s guidance and the industry’s own standards (from RISSB, etc.) often catalogue known hazards and controls. A railway example: operators are expected to be aware of the well-known hazard of track workers being struck by trains, and of available controls ranging from high-visibility PPE to automatic track warning systems. If an operator failed to implement a known safeguard (like using portable warning devices) and a worker was injured, it would be hard to argue they met SFAIRP, since the hazard and its mitigations were well-known in industry[25].
- Availability and suitability of risk controls: This factor asks what measures are actually possible and appropriate in the situation. “Availability” means whether a control exists and can be obtained or applied, while “suitability” means whether it would effectively address the risk in the specific context. In rail terms, consider platform-train interface accidents (e.g. falls through the gap). Platform screen doors are an available technology (used in metros) that eliminate the risk of falls, but are they suitable for an older open-air station on a mixed-traffic railway? Possibly not, due to curvature or freight operations. The operator must survey all conceivable controls – engineering (technology, design changes), administrative (procedures, training), and others – then judge which ones could realistically work for their operations. If a measure is available and would materially reduce risk, SFAIRP usually demands it, unless there’s a compelling reason it won’t work in that environment. For example, a new automatic train protection (ATP) system that enforces speed limits might be available on the market. If an operator has an overspeed derailment risk, they should assess the suitability: can it be integrated into their trains and signalling? If yes, and it addresses the risk, they likely need to plan for it. ONRSR’s oversight often pushes operators to adopt modern engineering controls as they become available – a current example being the advocacy for European Train Control System (ETCS) Level 2 on passenger networks to mitigate human error in train control[26][27].
- Cost of the controls versus the risk (gross disproportionality): Finally, after considering the above factors, the cost of implementing safety measures can be weighed – but the bar is high. The RSNL (and ONRSR) apply the gross disproportion test[28], meaning a duty holder can only refrain from a safety measure if the cost (in money, time, effort) is grossly disproportionate to the safety benefit gained. In practice, trivial or moderate costs should never be used to avoid a safety fix; only in cases where the expense is extreme and the risk reduction minimal might it be “not reasonably practicable” to do something. For instance, if upgrading a rural level crossing with boom gates would cost a huge sum and that crossing sees one train a week at low speed and near-zero road traffic, a court might consider the cost grossly disproportionate to the very low risk – if all other cheaper controls (signage, speed restriction, etc.) are already in place. Conversely, for a busy suburban level crossing with daily fast trains, installing active protection is plainly reasonably practicable, even if expensive, because the risk of a fatal accident is substantial and well documented. ONRSR expects operators to quantitatively and qualitatively assess the cost-benefit: one useful concept referenced in industry is the “Value of Statistical Life” (VoSL) to gauge proportionality of expenditure on safety[29]. However, the emphasis is that cost is the last filter – an operator must first identify feasible safety measures and should only exclude them on cost grounds if the cost is demonstrably disproportionate to the risk reduction.
Rail examples often bear this out: for instance, after a series of overspeed incidents, Sydney Trains was required to consider physical engineering controls at turnouts despite significant cost, because the potential consequence of a high-speed derailment was so severe that interim measures (like speed restrictions and eventual engineering upgrades) were warranted[30][31]. Cost did not excuse inaction; instead, it shaped how and when the controls were implemented (e.g. staging upgrades and seeking additional funding, rather than doing nothing)[32].
In applying these factors, ONRSR’s guideline encourages rail operators to document their reasoning for each. A good practice is performing structured risk assessments for hazards with records showing: the likelihood and consequences considered, what controls were examined, and if any common controls were rejected (e.g. due to technical infeasibility or exorbitant cost), why. One illustrative case is provided in ONRSR’s guideline via “ABC Rail Pty Ltd” – a fictional scenario where a freight operator evaluates upgrading its freight loading process with automation. In that example, the operator weighed the known injury risks of manual loading, identified available technology to automate the task, and despite the high cost, decided to invest in the new system because it significantly reduced risk and the cost was justified by safety benefits[33][34]. This led to a dedicated project and interim risk controls while the new system was procured – demonstrating a thorough SFAIRP approach (identify risk, consider all controls, implement what’s reasonably practicable, and even use temporary measures until permanent ones are in place)[35][36].
In summary, the five factors from Section 47 serve as the pillars of SFAIRP decision-making. ONRSR’s interpretation reinforces that each factor must be addressed for every significant safety decision. Rail operators are expected to use evidence (data, research, standards) and sound judgment at each step – proactively looking for risk reduction opportunities rather than defensively justifying the status quo. By presenting concrete rail examples for each factor, ONRSR underlines that SFAIRP is not an abstract legalism but a practical mindset of systematic safety improvement.
2.3 Continuous Improvement and “Reverse SFAIRP”
The ONRSR guideline places special emphasis on the need for continuous improvement under the SFAIRP regime. Indeed, one of the explicit objects of the RSNL is to “provide for continuous improvement” in rail safety[37]. This means SFAIRP is an ongoing duty – not a one-time compliance checkbox. ONRSR expects that as new knowledge, technology, or changed conditions emerge, rail operators will revisit and upgrade their risk controls accordingly[38][39]. The guideline notes that RTOs must have SMS procedures to monitor and review the adequacy of controls (RSNL s.99 and National Regulations require this)[40][41]. For example, if a previously unknown hazard or failure mode comes to light, or if an innovative safety device becomes available, the operator should reassess whether additional measures are now reasonably practicable. A concrete illustration from the guideline: older passenger trains that originally lacked modern safety features (like traction interlocking on doors, which prevents a train from moving if a door is open) should not be treated as eternally “safe enough” just because they met past standards. If retrofitting such a feature is now feasible and would reduce risk, then over time it likely becomes reasonably practicable to retrofit the older stock to modern safety standards[39]. In other words, existing operations and assets must be periodically benchmarked against current “state of the art” safety practices. ONRSR explicitly states that duty holders are obliged to implement modern practices where reasonably practicable, even if those practices weren’t around when the asset was first introduced[42][43]. This drives continuous improvement: rail companies should not become complacent with legacy systems or controls; they should actively look to improve them as better solutions emerge, provided it’s practicable.
The guideline also discusses the concept of “Reverse SFAIRP” (Section 8 of the document)[44]. This addresses situations where a duty holder might propose to remove or reduce an existing safety measure, claiming it is no longer reasonably practicable to maintain that control. ONRSR is understandably cautious about this. “Reverse SFAIRP” is essentially the reverse application of the test – instead of adding a new control, it’s taking one away. ONRSR acknowledges that in limited circumstances it might be valid to remove a control, but the burden is high[45][46]. The guideline gives examples where removal could potentially be justified: for instance, if the cost of maintaining a particular control has skyrocketed far beyond its safety benefit (and perhaps a more cost-effective alternative control exists), or if the risk has been greatly reduced by other new controls such that an older control adds little value[47]. Another example is if two controls inadvertently conflict (one undermines the other’s effectiveness), or if it turns out a control was over-engineered for a risk that never really needed it[48]. In such cases, an operator might argue that keeping the control is no longer reasonably practicable.
However, ONRSR sets strict expectations for this process: any decision to remove or downgrade a safety measure must be preceded by a thorough risk assessment and justification[49]. The duty holder should essentially demonstrate that even without that control, risk will still be eliminated or minimized SFAIRP by other means. The guideline explicitly lists situations where ONRSR would not consider it acceptable to remove a control. For example, one must not remove a control such that the residual risk is no longer as low as reasonably practicable (i.e. you can’t step back and leave a risk gap)[50]. Also, one cannot justify doing less in one area just because another area has higher risks or more pressing problems; SFAIRP must be met for every risk, not traded off (e.g. diverting resources from a “low-risk” issue so that the issue is no longer controlled SFAIRP is not allowed simply because you have bigger problems elsewhere)[51][52]. Similarly, one party in the rail system shouldn’t relax their controls in a way that shifts burden or risk to another party, unless a formal reallocation of responsibility (via an interface agreement, etc.) is in place[53]. Essentially, “reverse SFAIRP” cannot be used as a loophole to erode safety; it is only permissible if, after removal of a control, the situation still fully complies with SFAIRP duties (or even improves overall safety).
In practice, ONRSR’s stance on reverse SFAIRP means operators should be very cautious about cost-cutting measures or efficiency changes that involve reducing safety defenses. For example, if an operator wanted to discontinue a routine track inspection patrol to save money, arguing that new detection technology makes it unnecessary, they would need solid evidence that safety is still assured SFAIRP (perhaps the new tech provides equal or better risk mitigation). The guideline would demand a comprehensive risk review before such a change, and ONRSR would scrutinize whether that patrol truly was redundant or if its removal leaves a gap. The overall message is that safety measures are “sticky” – once in place, they set a benchmark, and removing them requires as stringent a justification as not implementing them in the first place.
In summary, ONRSR expects rail companies to continually improve their safety risk controls, revisiting old decisions as circumstances evolve, and conversely to be very reluctant to downgrade any existing protections. Continuous improvement is built into both the law (s.99’s SMS requirements) and good practice, ensuring the SFAIRP bar rises over time. Reverse SFAIRP is not prohibited (the law doesn’t freeze controls permanently), but it is an exception scenario: any proposal to remove a control must be carefully justified and must not undermine the overarching duty to keep risk as low as reasonably practicable at all times.
3. Standards and Good Practice in Support of SFAIRP
3.1 RISSB Publications and SFAIRP Decision-Making
The Rail Industry Safety and Standards Board (RISSB) develops standards, codes of practice, and guidelines to promote safety and consistency across the Australian rail industry. These publications are important tools for duty holders to meet SFAIRP, because they distill industry knowledge and “good practice” measures for various risks. One particularly relevant publication is the RISSB “Safe Decisions” Guideline.
Safe Decisions (first published in 2016) provides a structured safety decision-making framework, tailored to Australian rail but heavily based on the UK’s RSSB (Rail Safety and Standards Board) guidance “Taking Safe Decisions”[54][55]. The guideline is essentially a primer on how to make balanced decisions that protect safety, comply with the law, and also consider operational and business factors. It reinforces that achieving safety SFAIRP is a central criterion in any decision that could impact safety. The document outlines key principles, for example:
- Decisions impacting safety must first ensure legal duties (SFAIRP) are satisfied; only then can other factors (like cost, service, stakeholder preference) be weighed in.
- Use of evidence-based risk assessment, either qualitative or quantitative, to support judgments about what is necessary for safety SFAIRP[56].
- The guideline explicitly states that societal concern (public fear or outrage about a risk) should not influence whether a safety measure is needed for SFAIRP compliance[57]. In other words, duty holders should focus on actual risk and reasonably practicable controls, not on public perception – though they might still address societal concern for reputational reasons separately.
- It also clarifies that demonstrating a measure is required (or not required) to meet SFAIRP can involve various forms of risk analysis. In some cases a qualitative argument suffices; in others, a full cost-benefit analysis (CBA) might be appropriate[56]. Safe Decisions acknowledges that both qualitative and quantitative approaches, including CBA, are valid tools as long as the fundamental test of gross disproportion is respected.
By providing a common decision framework, RISSB’s Safe Decisions helps rail companies avoid pitfalls like inconsistent criteria or bias in safety decisions. It encourages documenting the rationale for safety-related decisions, which supports the “burden of proof” aspect of SFAIRP compliance (if later challenged, the operator can show how it decided that a control was or was not reasonably practicable). The guideline is split into principles (for senior managers) and a detailed framework (for safety practitioners)[58]. It covers concepts like escalation of decisions to higher management if the stakes are high, and use of safety justification cases for major projects. Ultimately, Safe Decisions supports SFAIRP by ensuring that safety considerations are embedded in every significant decision, and that those decisions are made in a rigorous, transparent way consistent with the law.
Beyond Safe Decisions, RISSB publishes many standards (Australian Rail Standards) and Codes of Practice that collectively define what can be considered “good practice” controls for specific hazards. For example, RISSB standards exist for signals, rollingstock, level crossings, etc., often developed by expert committees and drawing on research. While compliance with RISSB standards is generally voluntary, they serve as authoritative guidance. In the context of SFAIRP, following a recognized standard is a common way to demonstrate that known risks are being controlled to a good practice level. ONRSR often looks to whether operators meet relevant standards as part of judging if risks are as low as reasonably practicable.
One noteworthy RISSB code is the Code of Practice for Fatigue Risk Management, which supports operators in meeting their SFAIRP obligations to control fatigue risks among rail workers. Similarly, RISSB’s Human Factors guides, Safety Culture materials, etc., all contribute to an industry knowledge base that duty holders can draw from to improve safety.
In sum, RISSB publications function as a toolkit for duty holders to make SFAIRP decisions. They do not replace the need for risk assessment – instead, they inform it. By following a RISSB guideline or code, an operator can more readily identify hazards and controls that the broader industry has recognized. The ONRSR itself references RISSB’s Safe Decisions and other standards in its SFAIRP guideline as part of the “state of knowledge” duty holders should consider[59][60]. Thus, leveraging these publications helps ensure no important factor or control option is overlooked when applying SFAIRP.
3.2 Role of RISSB Codes in Defining “State of Knowledge” and “Available Controls”
Under the SFAIRP test (Section 47 factors (c) and (d)), what an operator ought to know about hazards and the availability of controls is pivotal. RISSB Codes of Practice serve to crystallize the industry’s collective knowledge on specific safety issues – effectively setting a benchmark for the “state of knowledge” and the menu of “available and suitable” risk controls for those issues.
A timely example is the ONRSR Code of Practice – Train Visibility at Level Crossings (developed in collaboration with RISSB and other stakeholders). This code of practice was released as an Australian-first initiative to improve level crossing safety by enhancing how visible trains are to road users. It compiles research on lighting and visibility (including a study by the Monash Institute of Railway Technology) and provides guidance on measures like headlights, flashing beacons, reflective markings, and so forth[61]. By doing so, it clearly lays out what measures are available to reduce the chance of motorists failing to see an oncoming train. An operator, therefore, ought to know about these measures if they run trains over level crossings. The code also discusses different atmospheric and operational conditions, meaning it outlines the suitability of various lighting configurations for different scenarios (e.g., daytime vs nighttime visibility challenges)[62][63].
The legal standing of an approved code of practice is significant: once the Transport Ministers endorse it, the code can be used in court as evidence of what is reasonably practicable[64][65]. In other words, if an operator did everything the code suggests, it’s a strong indication they’ve met SFAIRP for that issue; conversely, if they ignored the code’s recommendations without good reason, they might have a hard time arguing they did all that was reasonably practicable. The Train Visibility code, for instance, sets “train visibility best practice” and ONRSR has said it will use the code to test whether operators are doing as well as, or better than, the code’s provisions[66]. This exemplifies how a code defines the expected safety controls landscape.
Another area where RISSB codes define the state of knowledge is in engineering and operational standards. For example, RISSB’s Australian Standard AS 7531 (Lighting and Visibility for Rolling Stock) is referenced in the new visibility code[67]. The code points out that AS 7531 provides minimum compliance requirements, but operators may need to do more to meet their general duties[67][68]. Here we see the interplay: the standard (AS 7531) is widely known – so an operator should at least meet that as a baseline (since failing to meet even the standard would likely fall short of known safety practice). But the code of practice pushes the “state of knowledge” further by saying minimum standards might not be sufficient in all cases; higher performance (brighter lights, additional beacons, etc.) might be reasonably practicable if particular risks warrant it.
Similarly, RISSB has codes of practice or guidelines on topics like station passenger safety, track worker safety solutions, and operational communication protocols. Each of these documents encapsulates the lessons learned from incidents and research. They enumerate hazards and controls – for instance, a track worker safety guideline will list methods from high-visibility clothing up to advanced electronic lookout systems[25][69]. An operator that fails to consider one of those listed controls (say, continuing to rely solely on manual lookouts when automatic warning devices are available and effective) might be challenged for neglecting an available safety measure. Essentially, these codes ensure no one can claim “we didn’t know what else to do” – the knowledge of “what to do” is out there, published.
In summary, RISSB codes and standards form a bridge between high-level SFAIRP duties and on-the-ground practice. They collect the collective wisdom of the rail industry on managing specific risks. Under SFAIRP, duty holders must tap into that wisdom: the law’s expectation is that if the industry has identified a particular control as good practice, an operator should either implement it or have a documented, convincing reason why not (perhaps an alternative control is in place or unique local factors make it impractical). The state of knowledge is essentially public and shared – and RISSB is a key disseminator of that knowledge. Thus, compliance with or consideration of RISSB codes is often tantamount to meeting the knowledge test and identifying all available risk controls for SFAIRP.
3.3 Beyond Compliance: Standards as Minimums, Not SFAIRP Ceilings
A critical point in the SFAIRP regime is that compliance with standards or codes alone does not automatically satisfy the duty to eliminate or minimize risks SFAIRP. Standards are by nature general – they often represent consensus on typical or baseline measures for common conditions. But the law requires looking at specific circumstances and doing all that is reasonably practicable for that situation. Therefore, if a risk can be further reduced beyond the standard’s provisions with measures reasonably practicable to implement, the duty holder must do so.
This principle is explicitly acknowledged by regulators and industry leaders. For example, the new Train Visibility Code of Practice states outright that the referenced Australian Standard (AS 7531 for train lighting) is a minimum compliance standard, and operators “may need to do more” to meet their general safety duties[67]. This is essentially a reminder that standards can become outdated or may not cover every risk scenario. If an operator treated the standard as a strict checklist and ignored other improvements, they could still fall foul of SFAIRP if accidents happen that those “extra” measures could have prevented.
Another illustrative statement comes from a rail safety presentation: “Compliance to all standards does not equal safety; evidence of using standards must show they mitigate the risks.”[70]. In other words, simply adhering to standards is not enough – one must ensure that doing so actually achieves risk reduction, and if there are gaps, they must be addressed. A standard might say, for example, “a level crossing must have X signage if road vehicle volume is below a certain threshold.” An operator could meet that, but if local risk factors (sharp road curve, frequent heavy truck traffic, history of close calls) indicate that additional controls (like warning lights or lower train speed) are reasonably practicable, SFAIRP would demand those too. The standard is a floor, not a ceiling.
This perspective also ties into incident investigations and legal scrutiny. If an accident occurs and the operator’s defense is “we complied with the standard,” investigators will ask: was the standard sufficient given what was reasonably practicable? If not, the operator could be deemed negligent despite meeting the letter of a standard. The RSNL even provides that compliance with an approved code of practice can be used as evidence of compliance, but it doesn’t prevent proof that an alternative approach provided an equivalent or better safety outcome[71]. Thus, slavishly following standards without critical thought is a pitfall.
In the rail industry, there are many cases where standards have been exceeded voluntarily to meet SFAIRP. For example, prior to the above-mentioned code, some operators started adding extra locomotive lighting or reflective panels beyond standard requirements, because they identified specific local risk factors (e.g. fog-prone areas) where the minimum wasn’t enough. Similarly, mainline passenger operators often adopt more restrictive operating rules than the bare minimum if they find it reduces risk (like Sydney Trains imposing additional speed checks on approaches to certain signals after incidents, even if signal spacing technically met standards).
From an ONRSR viewpoint, demonstrating SFAIRP compliance means showing a risk-based rationale behind your safety measures, not just a standards compliance matrix. The regulator is looking for evidence that the operator asked “Is there more we should do here given the hazards?” rather than “We’ve done what the standard says, full stop.” This encourages innovation and higher safety performance: operators can’t hide behind compliance if something more could be done at reasonable cost.
In conclusion, while standards and codes are invaluable in guiding rail safety practices, the SFAIRP principle ensures that they are a starting point, not the finish line. Duty holders must be prepared to go beyond standards where needed. This approach balances flexibility with accountability: operators have freedom to tailor solutions (and even deviate from standards if they can prove equal safety), but they also carry the responsibility to continuously ask if enough has been done. It prevents a complacent mentality of “tick-the-box” compliance and fosters an ethos of continual risk reduction. As a recommendation, many rail organizations incorporate in their SMS a process to review compliance against standards and then consider if additional risk controls are warranted – a step specifically to cover the possibility that standards compliance might not equate to SFAIRP in every case.
4. Implementation of SFAIRP in RTOs’ Safety Management Systems
4.1 SMS Requirements (RSNL Section 99 and National Regulation 16)
Rail Transport Operators in Australia are legally required to have an accredited Safety Management System (SMS) that encapsulates how they manage safety risks. RSNL Section 99 spells out the high-level requirements for an SMS, and National Regulations (particularly Regulation 16 and Schedule 1 of the National Regulations) provide more detailed content requirements. In essence, the SMS is the mechanism by which an operator operationalizes the SFAIRP principles throughout its organization.
Key Section 99 provisions include: the SMS must be a formal, documented system approved by the Regulator[72]; it must identify all risks to safety arising from the operator’s railway operations[16]; it must provide for a comprehensive and systematic risk assessment of those identified risks[16]; and it must specify the controls to be used to manage those risks, along with how safety performance will be monitored[73][74]. Additionally, the SMS must include procedures for monitoring, reviewing, and revising risk controls to ensure they remain effective[75] – this ties back to the continuous improvement theme. Section 99 also cross-references various specific programs that must be part of the SMS if applicable (for example: interface risk management plans, security plan, emergency plan, health & fitness program, drug & alcohol program, fatigue management program)[76]. These address particular risk domains but all within the SFAIRP umbrella (e.g., fatigue risks must be controlled SFAIRP via the fatigue program).
The National Regulations Schedule 1 lists around 30 elements that an SMS should cover, including things like safety policy, governance, consultation processes, engineering management, change management, investigation procedures, and documentation requirements. One of those elements (corresponding to Reg 16) explicitly requires risk management as part of the SMS, aligning with Section 99’s mandate[77]. Together, these provisions ensure that an SMS is not just a paper document, but a living system that drives how safety is managed day-to-day, with risk identification and control at its core.
In summary, the legal framework mandates that every accredited operator have an SMS that systematically implements the hierarchy of risk control (eliminate or minimize SFAIRP) throughout their operations. The SMS is effectively the “proof” that an operator has processes in place to identify hazards, assess them, decide on controls, and monitor those controls – which is exactly the process needed to fulfill SFAIRP duties. If an operator cannot demonstrate these processes, it likely isn’t compliant with Section 99, and by extension may not be ensuring safety SFAIRP.
4.2 Mapping the SFAIRP Process into SMS Elements
The generic process to achieve SFAIRP – identify hazards, assess risks, identify controls, assess practicability, implement controls, document decisions, and review over time – is directly reflected in the typical components of a rail operator’s SMS. Here’s how each step corresponds:
- Hazard Identification: An SMS will have a procedure for hazard identification, feeding into a Risk Register or hazard log. Under SFAIRP, operators must proactively identify anything that could potentially cause harm (from technical failures and human errors to external events). The SMS might require workshops, incident data analysis, audits, and employee reporting to uncover hazards. For example, during the introduction of new rollingstock, the SMS’s engineering management procedure would require a hazard analysis (such as a structured HAZID workshop) to list all credible ways the new train could pose risks (braking failures, door faults, etc.). All identified hazards get entered into the risk register.
- Risk Assessment: For each hazard, the SMS mandates a risk assessment – evaluating likelihood and potential consequences, and considering existing controls. Many operators adopt a risk matrix (aligned with standards like ISO 31000) to rank risks. This is where Section 47(a) and (b) factors (likelihood and severity) come into play explicitly. The SMS risk management procedure will likely specify that assessors use empirical data or expert judgment to estimate how often an event might happen and how bad it could be. Importantly, the SMS should encourage looking not just at nominal conditions but also worst-case credible scenarios (to capture catastrophic but rare risks). The output might be a risk level (e.g. “High”, “Medium”) for each hazard, which helps prioritize actions.
- Control Identification (Hierarchy of Controls): Once a hazard’s risk is understood, the SMS guides staff to identify possible risk control measures. Most SMSs embed the hierarchy of controls principle – preferring elimination, then substitution, engineering controls, administrative controls, and PPE, in that order. This corresponds exactly to Section 46’s requirement to eliminate first, then minimize. The SMS may have templates or guides prompting the team to brainstorm controls at all levels. For example, for a hazard “collision at level crossing,” the SMS might list potential controls like closing the crossing (elimination of interface), grade separation (eliminate by design), installing flashing lights or barriers (engineering), enforcing speed limits (administrative), and so on. At this stage, the SMS requires considering all reasonably foreseeable control options.
- Practicability Analysis: After potential controls are identified, the SMS process requires an analysis of which controls should be implemented – i.e., are they reasonably practicable? This is the step where cost, feasibility, and effectiveness are weighed. Some operators formalize this as an “SFAIRP test” or ALARP assessment for high-risk hazards. For each candidate control, the team documents considerations: Does it materially reduce risk? Is it proven technology? How complex or costly is it? The SMS might reference the Section 47 criteria to ensure nothing is missed. If a control is rejected, there should be a clear reason recorded (e.g., “Not reasonably practicable to implement XYZ braking system because it is incompatible with our legacy trains and the cost of retrofitting is $X million, grossly disproportionate to the 1×10^-9 reduction in fatality risk per year.”). Conversely, if a control is deemed practicable, it is selected for implementation. Modern SMS risk tools often have a column in the risk register for “Additional controls considered” and another for “Decision/Justification (SFAIRP)”. This is essentially the evidence that the operator went through the thought process mandated by law.
- Implementation of Controls: Once controls are selected, the SMS ensures they are put in place through action plans, allocation of responsibilities, and change management processes. For example, if an engineering control is chosen (say, installing ATP on certain routes), the SMS’s project management or change control procedure kicks in to plan the design, procurement, testing, and commissioning of that control. Administrative controls might involve updating rule books or training programs, which the SMS manages through document control and competency management elements. The key is that the SMS doesn’t stop at identifying controls – it has mechanisms to execute them. An SMS might include a requirement that all risk treatments must be tracked to completion and verified as effective.
- Documentation and Record-Keeping: A fundamental part of an SMS is documentation of all the above steps. The risk register (or equivalent risk assessment report) is a living document capturing hazards, risk ratings, existing controls, potential new controls, decisions made, and status of actions. ONRSR places heavy emphasis on such documentation; it serves both as an internal tool and, if needed, as evidence to the regulator or courts that the operator is meeting SFAIRP. In practice, an operator will maintain extensive records like meeting minutes from risk assessment workshops, option analysis reports (especially for major decisions like whether to invest in a costly safety upgrade), and sign-offs by relevant managers or safety committees. For instance, if an operator decides not to implement a particular safety upgrade, one would expect to find in the SMS records a documented rationale citing the risk, the considered control, and why it was judged impracticable (perhaps including cost estimates vs risk reduction). These records are crucial for the “burden of proof” – they show the duty holder’s due diligence.
- Review and Continuous Improvement: SMS elements like audit, review, and change management ensure the SFAIRP process is iterative. Section 99 requires procedures for monitoring and reviewing controls[75]. Thus, the SMS will have a process (often annual SMS review or after any incident/change) where risk registers are revisited. New hazards might be added (e.g., introduction of a new technology or a near-miss revelation), and controls re-evaluated. There may also be a requirement that if an incident happens, the risk assessment for that scenario is reviewed to see if controls were missing or insufficient. Additionally, safety performance indicators tracked by the SMS can trigger reviews; for example, if SPAD incidents are rising, the SMS will prompt deeper analysis and perhaps new mitigations (even if procedures were previously deemed adequate). Continuous improvement can also come from external inputs: the SMS should capture learnings from other rail operators’ incidents or any changes in RISSB standards or ONRSR guidelines as triggers to reassess risks. Essentially, the SMS fosters a feedback loop: risk controls are not “set and forget” – they are continually monitored, with data (like incident trends, maintenance findings, etc.) feeding back into hazard identification and risk assessment updates[38][78].
To illustrate this mapping, consider a real SMS excerpt in action: A freight operator’s SMS includes a risk register entry for “Runaway train on downhill grade”. The identified controls might be: locomotive park brakes, procedures for securing trains, trackside catch points, etc. The SMS risk assessment records that the likelihood of a runaway is low but the severity is catastrophic. The team identified an additional control – a new automated park brake locking device – which is available on newer locos. The SMS risk workshop minutes show discussion of its cost and benefit. Suppose they conclude it is reasonably practicable (cost is moderate and it significantly reduces the already low likelihood). The SMS then generates an action: retrofit all older locos with this device within 2 years. This goes into an engineering change plan. Meanwhile, interim measures (like double-checks by a second employee) are documented as immediate enhancements. The SMS documents all these decisions. A year later, an audit checks progress – retrofits are 50% done and no runaways have occurred. The remaining risk is being managed. This is SFAIRP in practice through the SMS: everything from technical upgrades to procedural tweaks managed systematically.
In summary, the SMS is the backbone through which an RTO implements SFAIRP on the ground. It translates the abstract legal duty into concrete processes and records. A strong SMS will ensure hazards are not overlooked, risk controls are exhaustively considered and implemented, and nothing is left to ad-hoc or informal management. That is why ONRSR’s accreditation assessments focus heavily on SMS contents – an operator must show that their SMS aligns with Section 99 requirements, which fundamentally means it must drive the elimination or minimization of risks so far as reasonably practicable across all facets of the operation.
4.3 Embedding SFAIRP in SMS – Real-World Examples
Across the Australian rail industry, many Rail Transport Operators have developed and refined their SMSs to embed the SFAIRP approach, often spurred by hard lessons from incidents. Let’s look at a few concrete examples in different risk domains:
- Level Crossing Upgrades: Level crossings (where rail lines intersect roads or footpaths) are one of the highest risk interfaces. A number of operators and state authorities have programs to improve safety at crossings, guided by SFAIRP principles. For instance, the Australian Rail Track Corporation (ARTC), which manages interstate freight lines, has an ongoing program to assess all passive (stop-or-give-way sign only) crossings and upgrade those that present heightened risk. Using risk modeling in their SMS, ARTC identifies crossings with poor sighting distances or high road traffic as intolerable risks. In one scenario, after multiple near misses at a passive crossing on a high-speed line in Victoria, ARTC’s risk assessment (done in collaboration with the state road authority under an interface agreement) determined that installing active flashing lights was reasonably practicable – the cost was justified by the prevention of a potentially fatal collision. ARTC documented in its risk register that while accidents had not yet occurred, the likelihood was significant and the harm would be severe; cheaper measures (extra signage, rumble strips) had been tried but risk remained. Therefore, the upgrade was scheduled, and interim measures (like temporary speed restrictions during peak road use hours) were instituted until the lights were commissioned. After installation, ARTC monitored that crossing’s incidents, finding a reduction in near-hits. In this example, the SMS facilitated end-to-end SFAIRP: hazard identified (crossing collision), risk assessed, control options evaluated (with community consultation as well), and the highest feasible control (active protection) implemented. Moreover, the SMS’s interface risk management element (as required by RSNL for rail-road interfaces) ensures both road managers and rail managers work together, sharing data and co-funding solutions, so that each can discharge their SFAIRP duty for the same risk.
- Track-Worker Protection Improvements: Protecting maintenance crews and track workers from being struck by trains is a perennial challenge. Historically, methods like Lookout working (assigning a worker to watch for approaching trains and warn the crew) were used, but this relies heavily on human vigilance and has led to tragedies. In the last decade, operators such as Sydney Trains have systematically moved to eliminate or reduce reliance on purely administrative controls in this area – a direct application of the hierarchy of controls and SFAIRP. Sydney Trains’ Worksite Protection Program, initiated around 2010, reviewed all safeworking methods and incidents involving track workers[79][80]. The program identified that the “lookout” method, while compliant with rules, left too much residual risk. They piloted and then implemented Automated Track Warning Systems (ATWS) at many worksites – these are portable devices that detect approaching trains and give an audible warning to workers, reducing reliance on a human lookout. They also increased the default level of protection: for any work that can be planned in advance, they aim for full track possession (no trains running) or at least signal-based protection (protecting the work site with signals set at danger), rather than using lookouts. The SMS was updated to practically eliminate lookout working except in extreme circumstances. In fact, Sydney Trains set a strategic goal (as noted in internal safety documents) to end routine lookout working by a certain year, on the basis that continuing it was not SFAIRP when higher forms of protection were available[69][81]. As a result, they invested in more sophisticated protection methods and additional safety coordinators. One real outcome: the number of “workers on track” near-miss incidents has fallen, and the regulator has noted improvements in how Sydney Trains plans work with safety as the first priority (even if it means more possessions that can disrupt service – safety over operational convenience). This shift showcases SFAIRP: even though using lookouts was “accepted practice” and cheaper (no special equipment needed), the operator recognized a reasonably practicable improvement (ATWS and stricter rules) and implemented it. Other operators, like Queensland Rail and Aurizon, have similarly explored new technologies (like wearable GPS-based warning devices) and stricter worksite rules, often sharing best practices via RISSB forums. The Australasian Centre for Rail Innovation’s reports on track worker safety solutions have been fed into SMS updates industry-wide[25][82].
- Rolling Stock Safety Retrofits: Another domain is upgrading existing trains or locomotives with new safety features. In passenger rail, for example, Metro Trains Melbourne undertook a program to retrofit their Comeng train fleet (built in the 1980s) with modern crashworthy couplers and improved interior fittings to reduce injuries in the event of a collision. Their SMS risk assessments following some collision incidents showed that while these trains met older standards, better technology was available that could mitigate harm (e.g., couplers that absorb energy and prevent override). The cost was significant, but using a gross disproportion test, Metro determined it was justified given the high potential casualty count in a worst-case collision. Documentation from that program reveals references to SFAIRP: Metro cited improvements in UK and European train design and concluded it “ought” to apply them to its legacy fleet where practicable, especially after a low-speed accident at Richmond in 2016 caused numerous passenger injuries (highlighting the trains’ crashworthiness limitations). Over several years, they retrofitted and reinforced driver cabs and couplers. This was done alongside operational measures like revised speed limits near terminal stations. The outcome is a reduced risk of severe injury should an incident occur – a clear risk reduction that was not previously in place. Similarly, in the freight sector, Aurizon (a major freight operator) introduced a “Vital Disabling Release (VDR)” system for certain locomotives operating around level crossings[83][84]. This system, described in a rail conference paper, essentially ensures that when maintenance work is being done at a level crossing (which requires disabling the crossing’s active protection for a short time), the locomotives on that corridor are automatically restricted or alerted – preventing a train from unknowingly running through a crossing where protection is off. This innovation came from analyzing near misses during maintenance windows. It exceeded any explicit regulatory requirement but was a reasonably practicable way to plug a risk gap in procedures (human coordination between maintainers and train control can fail). By embedding this tech solution, Aurizon demonstrated proactive SFAIRP compliance, turning an operational insight into a safety control via their SMS change management process.
- Safety Culture and Training Initiatives: Beyond technical fixes, some SFAIRP implementations are about organizational measures. An example is Queensland Rail’s introduction of a robust “Close Call Reporting” system and safety culture program after some serious safeworking incidents. The SMS was modified to encourage voluntary reporting of hazards and near misses by staff without fear of reprisal. This led to a surge in reports of things like signals passed at danger, track workers nearly hit, etc., which in turn fed the hazard identification process. QR could then address these issues (often minor fixes like better signage or retraining drivers) before they led to accidents. While it’s hard to quantify, fostering an open reporting culture is arguably an SFAIRP measure: the cost is relatively low (mostly training and system setup) and the benefit – identifying and fixing latent risks – is high. Now most rail operators in Australia have such systems, a practice learned from industries like aviation. Their SMS includes commitments to consultation and reporting (indeed RSNL Section 99(3) requires consultation with workers when reviewing the SMS[85]), showing that safety is managed not only by hardware, but by ensuring the humans in the system are engaged in risk management too.
These examples illustrate how diverse SFAIRP measures can be, and how SMS frameworks accommodate them – from physical infrastructure upgrades to procedural changes and cultural initiatives. A common thread is documentation and justification: in each case, the decision to implement a safety measure (or to upgrade one) was backed by risk assessment records, cost-benefit analyses, or at least qualitative reasoning captured in the SMS. This is vital when demonstrating SFAIRP to regulators. ONRSR often requires, as evidence, details like risk ratings before and after a control, and why certain alternatives were not adopted. For instance, in the Sydney Trains turnout overspeed case (Section 4.3’s first example), after a series of overspeed incidents, ONRSR issued an improvement notice precisely to ensure Sydney Trains documented a comprehensive review of controls for that risk and made a plan to implement all reasonably practicable improvements (e.g., more speed signage, new driver awareness training, and ultimately speeding up ETCS rollout)[86][87]. Sydney Trains had to report back with an SMS-integrated action plan, which ONRSR monitored to confirm SFAIRP was achieved in the interim period before the new signaling system is completed[88][89].
In conclusion, Australian RTOs have been actively embedding SFAIRP in their SMS through continuous risk assessments and targeted improvement programs. Whether it’s engineering upgrades at level crossings, better protection for track workers, or technological retrofits on trains, the SMS provides the structure to plan and execute these safety enhancements. Real-world examples show SFAIRP is not an abstract ideal but manifests in tangible changes that have likely prevented accidents or reduced their severity. The key lessons from these implementations are: always use data and lessons learned to drive improvements, involve all stakeholders (including frontline staff and interface parties) in identifying practicable solutions, and maintain rigorous documentation to demonstrate that at every decision point, the question “Can we do more to make this safer?” is asked and answered.
5. SFAIRP vs ALARP: A Comparative Perspective
5.1 Definition and Origins of ALARP (As Low As Reasonably Practicable)
ALARP stands for “As Low As Reasonably Practicable” and is a concept originating in the United Kingdom’s safety regulatory regime. It embodies the same basic principle as SFAIRP – that safety risks should be reduced to a level that is as low as is reasonably practicable. The phrase “so far as is reasonably practicable” actually appears in UK legislation (notably the UK Health and Safety at Work etc. Act 1974), and ALARP became a shorthand in UK practice and guidance.
The ALARP principle was notably developed and popularized through UK industries like nuclear power, offshore oil, and rail, largely via guidance from the UK Health and Safety Executive (HSE). The HSE’s 2001 document “Reducing Risks, Protecting People” (R2P2) set out the ALARP framework for tolerability of risk[90]. In it, HSE introduced the idea of a “tolerability of risk” triangle divided into three regions:
- An unacceptable risk region (where risk is too high to be allowed at all);
- A middle ALARP region (where risk is tolerable only if further reduction is impracticable or grossly disproportionate to the benefit);
- A broadly acceptable region (where risk is so low that it is broadly acceptable, though still must be monitored).
This ALARP framework has been influential internationally. In UK rail specifically, the Office of Rail and Road (ORR) expects duty holders (like Network Rail and train operators) to demonstrate that risks are ALARP. The UK’s Rail Safety and Standards Board (RSSB) provides detailed guidance (like “Taking Safe Decisions” and various Risk Assessment Guides) on how to perform ALARP evaluations, cost-benefit analysis, and use risk criteria to judge whether enough has been done. For instance, RSSB’s guidance might include using quantitative risk assessment to compare the cost per statistical life saved of a safety measure against benchmark values, to decide if the cost is grossly disproportionate or not.
Internationally, ALARP (or its SFAIRP equivalent) is a cornerstone in safety engineering for industries like aviation, chemical processing, etc. Many countries use the terminology “ALARP” in regulations or at least in guidance, whereas Australia’s rail law explicitly uses SFAIRP. There’s no conceptual daylight between the two in principle – both are about doing everything reasonably practicable – but ALARP often refers to the structured process and graphical framework developed in the UK. For example, in the UK rail context, one might refer to “ALARP demonstration” meaning a documented argument (often part of a safety case) that all reasonably practicable risk controls have been implemented for a given system.
Thus, ALARP’s origins lie in common law and regulatory practice in the UK, refined through court cases (such as the landmark 1949 case Edwards v. National Coal Board which articulated the concept of balancing risk and sacrifice) and formalized through HSE guidance. While SFAIRP is written into the Australian law (and indeed also appears in UK law text), ALARP is more a term of art used in guidance, especially when setting risk tolerability thresholds.
5.2 Legal Status: SFAIRP Codification vs ALARP Guidance
A key distinction between SFAIRP in the Australian rail context and ALARP in the UK is their legislative status. In the RSNL, the exact term “so far as is reasonably practicable” is codified in law – it is a legal test that regulators and courts must apply. In contrast, “ALARP” as an acronym is not usually spelled out in UK Acts (they use the same phrasing SFAIRP in law), but ALARP is extensively embedded in approved codes of practice and guidance documents.
What this means in practice is that in Australia’s rail safety enforcement, the primary reference is the statutory duty (SFAIRP) and any argument about what is or isn’t reasonably practicable is anchored in Section 47 and related case law. In the UK, while the law also implies the same requirement, the formal ALARP framework as per HSE can sometimes be seen as quasi-regulatory even if not an Act of Parliament itself. For example, the UK’s Railway (Safety Case) Regulations (now superseded by EU Common Safety Method on Risk Evaluation) required rail companies to show risks are ALARP in their safety cases, referencing HSE guidance.
In essence, SFAIRP is explicitly legislative in RSNL, whereas ALARP is generally non-legislative terminology (except in some UK-specific contexts like the Offshore Safety Regulations which explicitly mention ALARP). ONRSR’s guideline notes that some Australian safety laws (outside rail) cite ALARP, but RSNL uses SFAIRP[91][92]. Regardless, Australian rail practitioners are expected to use the term SFAIRP in official communication, and ALARP is seen as an equivalent concept imported via industry practice. In court, one would argue about whether risk was reduced SFAIRP (if in Australia) or ALARP (in UK) but effectively meaning the same test. However, because ALARP is backed by a rich body of UK guidance, sometimes Australian operators reference UK ALARP documents for methodology – ONRSR generally accepts this, as long as the outcome meets RSNL’s requirements[91].
It’s worth noting that both the UK and Australia treat the duty as an absolute duty qualified by reasonableness. There is no numerical threshold in law (like “reduce risk to 10^−6 per year or else”); instead, it’s about judgement. The difference is simply that Australia’s rail law codified its own definition (with the five factors), while the UK relies on the established common law interpretation.
5.3 Philosophical and Practical Distinctions
Though SFAIRP and ALARP are philosophically aligned, in practice some distinctions have emerged in how they are applied. Below are key comparative points:
- Approach to Risk Reduction (“Precaution-first” vs “Cost-benefit orientation”): SFAIRP, as applied by ONRSR, emphasizes a precautionary approach. The duty holder should start with the presumption that a hazard must be controlled – i.e., assume you will implement the safety measure – unless you can demonstrate it’s not reasonably practicable. This is a subtle inversion of thinking compared to a pure cost-benefit mindset. Under a strict cost-benefit approach (often associated with ALARP analyses), one might calculate the monetary value of risk reduction and compare it to cost, potentially giving an impression that safety measures are only taken if economically justified. SFAIRP flips this: safety is paramount unless the sacrifice is excessive. UK’s ALARP in theory uses the same test (don’t spend grossly disproportionate amounts for little benefit), but some have observed that ALARP discussions can become heavily quantitative, focusing on finding where cost equals benefit. The precautionary ethos can thus seem stronger in SFAIRP enforcement – for example, ONRSR expects operators to implement known safety improvements first and use cost arguments sparingly, rather than starting with a cost-benefit analysis to decide if a safety improvement is needed. In short, SFAIRP by design and wording puts safety first, whereas ALARP analyses sometimes give the appearance of optimizing safety to an economic curve (even though in principle they should not allow cost to override significant safety improvements either).
- Role and Timing of Cost Considerations: Both frameworks include cost as a factor, but SFAIRP (as per Section 47(e)) explicitly frames it as “including whether the cost is grossly disproportionate to the risk”[28]. This codification in RSNL reinforces that normal or proportional costs should not sway the decision – only grossly excessive costs relative to safety gain can. UK ALARP uses the gross disproportion concept too, but often this is implemented via implicit multipliers (HSE has sometimes suggested that if the cost of saving a statistical life is more than, say, 2 to 10 times the nominal value of life, it may be grossly disproportionate). The nuance is that in ALARP assessments, cost enters a bit earlier as part of a trade-off analysis in the ALARP region, whereas SFAIRP implies you do everything possible up to that gross disproportion point. Practically, in SFAIRP compliance, a duty holder might list all conceivable controls then cross out those whose costs are extremely high compared to benefit. In an ALARP-centric process, one might rate options by cost-effectiveness and potentially stop when incremental benefits become marginal relative to cost (using a somewhat more continuous reasoning). The end result should be the same if done correctly – but SFAIRP’s language ensures that unless a cost is clearly unreasonable, the expectation is to implement the safety measure. This curbs any tendency to prematurely drop a safety option due to cost. It’s a safeguard against subjective biases: the requirement for gross disproportionality sets a high bar for saying no to a safety investment.
- Risk Tolerability Thresholds (“No free pass” for low risks): In the UK ALARP framework, especially as visualized in the risk tolerability triangle, risks in the “Broadly Acceptable” region (very low risks) are considered essentially tolerable without further reduction – as long as they are monitored and kept under review. The idea is that if a risk is negligible, it might not be worth even minor effort to reduce it further. However, ONRSR’s approach to SFAIRP explicitly rejects giving a complete free pass to low risks. The ONRSR guideline cautions that defining a “broadly acceptable” risk region in one’s risk criteria does not exempt those risks from the duty to eliminate or minimize them SFAIRP[93][94]. In their words, even if a risk is assessed as “small”, the duty holder is still expected to apply any easy/cheap safety measures – you can’t say “it’s below our threshold, so we won’t bother doing more”[95][96]. In contrast, some UK practices might allow that if a risk is below a certain probability (like 1 in a million per year for an individual fatality risk), and you’ve met good practice, you need not actively seek further reduction. The Australian stance (in rail at least) is more stringent in theory: every risk, even very low ones, must be checked for possible controls, though in reality if a risk is truly very low, most likely the available controls would either be already in place or any further ones would be grossly disproportionate – thus satisfying the test. But the philosophical difference is noteworthy: SFAIRP has no explicit lower bound of tolerability – it’s a continuous challenge to improve if feasible. ALARP frameworks explicitly articulate lower bounds (e.g., “broadly acceptable” criteria). The advantage of SFAIRP’s way is it prevents complacency, while ALARP’s tolerability criteria help focus efforts on bigger risks.
Many Australian operators do use risk matrices with tolerability thresholds for internal management, but they understand that those thresholds cannot be used as an excuse not to fix a low risk if a fix is simple. For instance, if a very low probability risk of minor injury exists, and a $100 solution could eliminate it, SFAIRP says do it; ALARP’s broadly acceptable zone might say the risk is negligible – but ALARP as properly applied would also say $100 is not grossly disproportionate, so it should be done too. So both should conclude the same – do it – but the framing differs slightly.
- Burden of Proof and Documentation: Under SFAIRP (being law), if a rail incident leads to prosecution, the burden is formally on the prosecution to prove a breach (i.e., that the defendant did not do what was reasonably practicable). However, in practical terms the duty holder must be ready to demonstrate what they did and why it was sufficient – hence the need for strong documentation (risk assessments, option analyses, etc.) as discussed earlier. In the UK, the ALARP demonstration is often proactively documented as part of safety cases or explicit risk assessment reports for major systems. UK rail companies routinely produce “ALARP demonstrations” for changes – which is analogous to what Australian operators do for SFAIRP but it might be less formal outside of accreditation variations. ONRSR doesn’t require a safety case document in the same way, but they do require evidence during audits or investigations. So both regimes expect duty holders to carry the practical burden of showing compliance. A subtle difference is that, because ALARP has been around as a concept longer in safety-critical industries, there are more established quantitative tools and benchmarks for demonstrating it (e.g., use of quantified risk assessment and cost per life-saved calculations in the UK). In Australia, especially in rail, quantitative ALARP demonstrations are less commonly mandated; qualitative justification is often acceptable. Nonetheless, ONRSR will ask, “Show us that you considered more controls and why you didn’t implement them.” This effectively puts the onus on the operator to justify their decisions – a concept sometimes called the “reverse onus” in SFAIRP, meaning the duty holder must prove they did enough rather than the regulator having to prove they didn’t. In both UK and Australian practice, the safest position for a duty holder is to keep detailed records of all safety-related decisions.
If, for example, a court is examining a fatal accident, an Australian operator’s fate might rest on documents that show they identified the hazard and consciously decided on controls, including reasons for not adopting any further measure. If those documents are missing or scant, it’s hard to argue after the fact that something was impracticable.
- Use of Risk Criteria and Industry Guidance: ALARP in the UK rail context often involves formal risk criteria (numerical risk targets or reference classes) set by organizations or by regulators as guidance. For instance, the UK might say that for passengers, a risk of fatality below 1×10^−9 per journey is broadly acceptable. These numbers come from historical precedent and societal risk tolerance studies. Australia’s SFAIRP has not generally incorporated explicit numeric criteria in regulation. ONRSR avoided endorsing any specific risk tolerability numbers, emphasizing instead the qualitative test. Operators can set their own internal criteria, but they must be careful – as ONRSR notes, those cannot limit the legal duty[93]. The benefit in the UK system is clarity on when a risk is “so small” that it’s considered OK, and when it’s “so high” it must urgently be reduced. In Australia, the absence of formal criteria means each case is judged on its merits (which could lead to more conservative decisions to be safe). The flip side is flexibility: Australian operators aren’t constrained by possibly outdated numeric targets; they can argue based on current context. This is largely an implementation difference: ALARP tends to bring a structured risk tolerance framework, whereas SFAIRP relies on case-by-case judgement guided by general principles.
In practice, experienced safety professionals often use the terms interchangeably in conversation (“we’ve done an ALARP assessment” vs “SFAIRP assessment”), and many of the tools (risk matrices, ALARP checklists, CBA) are used under both regimes. The critical distinctions emerge in enforcement philosophy: ONRSR’s communications suggest a somewhat stricter interpretation – ensuring no one interprets ALARP as “a cost-benefit game” or assumes any risk is negligible enough to ignore[94][95]. They have explicitly stated that ALARP and SFAIRP call for the same tests to be applied, with the only difference being terminology depending on legislation[91]. However, they also caution duty holders not to misapply over-segmented ALARP ideas that could undermine the absolute nature of the duty.
To summarize, SFAIRP vs ALARP differences are mostly in emphasis and execution, not fundamental intent. SFAIRP is enshrined in law for Australian rail, making it the direct yardstick for compliance, whereas ALARP is the prevalent concept in UK rail safety guidance, shaping how compliance is demonstrated. SFAIRP pushes a precautionary, all-risks-matter outlook (with gross disproportionality as the only escape clause) and leaves little room for “We think this risk is small enough to do nothing.” ALARP in the UK similarly requires everything reasonably practicable but frames it within a structured tolerability model. In both systems, ultimately, if a serious accident occurs and it was preventable by a measure not taken, the organization will likely be found at fault unless it can convincingly show that measure was not reasonably practicable. That legal reality drives both SFAIRP and ALARP to the same end point: an ever-improving safety standard with an expectation of rigorous justification for any risk left uncontrolled.
6. Synthesis and Recommendations
6.1 Balancing Flexibility, Innovation, and Enforceability in Australia’s SFAIRP Regime
The Australian rail industry’s SFAIRP regime strives to strike a balance between giving operators flexibility to innovate in safety and ensuring there is enough regulatory “teeth” to enforce high standards. By using a performance-based duty (rather than hundreds of prescriptive rules), the RSNL allows different operators to tailor their Safety Management Systems to their unique operations – heavy haul freight, high-speed passenger, suburban metro, or heritage railway – and to adopt the latest technologies and methods that best control their risks. This flexibility is crucial in a diverse industry: for example, what’s reasonably practicable for a major city metro (with high revenue and advanced signalling) might be different from a small tourist railway (with limited funds and lower speeds). SFAIRP accommodates that, focusing on outcomes (risk minimization) rather than one-size-fits-all inputs.
At the same time, SFAIRP is a stringent standard that drives innovation. Because the duty is open-ended (always do more if you reasonably can), it naturally encourages companies to look for new solutions. If a novel safety device appears on the market, the question immediately arises: is it reasonably practicable for us to adopt it? This has led Australian operators to trial and implement new technologies – examples include drone inspections of track (reducing risk to track workers), driver vigilance devices and medical screenings (to manage human performance risks), and advanced train control systems. There is a culture of sharing safety innovations through RISSB and ONRSR forums, partly because demonstrating SFAIRP might eventually require adopting what has been proven to work elsewhere. Thus, rather than stifling innovation, SFAIRP often pulls innovation into practice faster: once a practice is proven and cost-effective, it can rapidly become the “new reasonably practicable standard” expected industry-wide.
From an enforceability perspective, SFAIRP can be challenging – it requires regulators and courts to make nuanced judgments on what is “reasonably practicable” after the fact. However, Australia has bolstered enforceability by providing ONRSR with investigatory powers and the ability to issue improvement notices, prohibition notices, and even prosecute when they believe SFAIRP is not being met. The open-textured nature of SFAIRP means the regulator’s opinion carries weight: if ONRSR believes a certain control is necessary, they can pressure the operator to implement it (as seen in the Sydney Trains turnout case where an improvement notice led to immediate safety actions)[31][32]. ONRSR also uses tools like codes of practice to firm up the expectations (effectively semi-codifying what SFAIRP looks like for specific risks). This combination of a broad duty plus practical guidance makes enforcement more concrete. When it comes to legal proceedings, courts in Australia (and similarly in UK) have tended to interpret “reasonably practicable” in a way that is protective of safety – giving the benefit of the doubt to safety rather than cost excuses. Thus, the framework is enforceable because duty holders know that if an accident happens and they skipped a measure that in hindsight looks affordable and effective, liability is likely. The fear of such legal outcomes provides strong incentive for compliance.
In balancing flexibility and enforceability, one could critique that SFAIRP’s vagueness might lead to inconsistency – different operators might have different views on what’s sufficient. However, through industry standards and ONRSR’s oversight, a lot of convergence occurs. Another possible tension is innovation vs. proven measures: does SFAIRP encourage trying untested controls? Generally, it doesn’t force experimental measures – a control should be available and suitable (which implies some level of proven efficacy). But it doesn’t forbid innovation either; if anything, it mandates continual consideration of better ways to do things, which could include trialing new approaches in a controlled way.
Overall, the SFAIRP regime in Australian rail has fostered a safety culture where compliance is not about ticking boxes but about actively managing risk. It provides flexibility in how to achieve safety (operators can choose technologies or methods that fit their business) but not in the level of safety to be achieved (that is inflexibly set at “as safe as reasonably practicable”). That dynamic tension has generally been healthy: the industry has seen significant safety improvements over the last decade (declining accident rates in many categories), attributable in part to the systematic risk management ethos that SFAIRP embeds.
6.2 Challenges and Common Pitfalls
Despite its strengths, implementing SFAIRP in the rail industry comes with challenges and potential pitfalls, some of which have been observed in practice:
- Over-reliance on Administrative Controls: One pitfall is that operators might stop at easier, lower-tier controls (procedures, training, signage) and consider a risk “managed”, while neglecting more effective but perhaps costlier engineering controls. Administrative controls are notoriously prone to human error and often don’t reduce risk as reliably. Under SFAIRP, this is a compliance risk: if a higher-order control was reasonably practicable, relying on a procedure is not enough. Yet, historically and even today, some safety management plans lean heavily on rules and training. For example, prior to ONRSR’s more aggressive stance, some operators used “employee awareness” as the main control for certain hazards where technology existed that could serve as a safeguard. The challenge is that internal resistance or budget constraints sometimes push toward the cheaper administrative fixes. To avoid this pitfall, companies must rigorously apply the hierarchy of controls and be honest about the limitations of administrative measures. ONRSR has been known to push back – e.g., telling an operator that simply briefing drivers to “be vigilant” at certain crossings is insufficient when engineering options are available.
- Treating Standards as Absolutes: As discussed, another pitfall is the mindset of “if we meet the standard, we’re safe.” Standards can become a ceiling in some organizational cultures, leading to complacency. This is particularly risky if the standard is outdated or not fully applicable to a specific context. A related trap is to treat compliance as a purely technical exercise and ignore the spirit of SFAIRP. For instance, an operator might technically meet a track geometry standard but have data showing certain track sections still pose risk under unusual conditions (like extreme heat causing buckling). If they don’t act because “we meet the standard”, they may be caught out by SFAIRP which would demand action (maybe increased inspections or speed restrictions on very hot days). The challenge is ensuring teams see standards as minimum requirements and keep a questioning attitude – “Is there more we should do here given what we know?”
- Documentation Burden and Quality: Proper SFAIRP implementation requires considerable documentation – risk registers, analyses of options, etc. A pitfall is treating documentation as a formality, with boilerplate text or retroactive justifications, rather than a genuine analysis tool. Some operators have been criticized for creating ALARP reports after a decision was already made, essentially to justify it on paper. This backwards approach can lead to shallow analysis and even blind spots (since the decision wasn’t truly scrutinized). Additionally, maintaining up-to-date risk registers is labour-intensive; it’s easy for these to become stale, not reflecting current operations or recent incidents. A stale risk register is dangerous – it can give false confidence. There’s also a skill challenge: staff must be trained to do high-quality risk assessments and ALARP evaluations; without skill, the documentation might tick the boxes but miss critical insights. Rail companies need to invest in training safety engineers and risk analysts, and perhaps using specialists for complex issues (e.g., human factors experts to assess a new signalling interface). If not, the SFAIRP process can become a paperwork exercise rather than real risk management.
- Human and Organizational Factors Overlooked: Technical risk controls are relatively straightforward to identify, but organizational factors (like safety culture, fatigue management, supervision quality) can be harder. A pitfall is underestimating these “soft” risks because they’re not as tangible as equipment failures. For example, if incidents are happening due to staff not following procedures, the root might be poor training, rushing due to workload, or insufficient supervision. SFAIRP means you must address those underlying causes – perhaps by hiring more staff to reduce time pressure (a cost item often resisted) or by changing rostering practices to reduce fatigue. It can be challenging to justify such measures in a business case because the benefit is avoiding an abstract risk, not fixing a concrete hazard. Nonetheless, failing to tackle these factors can leave serious risks unmitigated. Regulators and investigators increasingly focus on whether organizations are learning from small errors and near misses to improve these systemic factors.
- Interface and Coordination Gaps: Many rail safety risks span multiple organizations (rail infrastructure managers, train operators, road authorities, contractors, etc.). A common pitfall is each party thinking “I’ve done my bit” without fully coordinating with others. SFAIRP duties apply to each interface party, and the law requires Interface Agreements to manage shared risks. If communication fails (for example, an infrastructure manager upgrades a crossing but the train operator isn’t aware and doesn’t update driver info, or vice versa), safety can slip. Ensuring effective collaboration is challenging, particularly where responsibilities overlap. A pitfall is assuming someone else has it covered. The 2016 Port Botany freight train collision with a truck (in NSW) illustrated that multiple parties had pieces of the puzzle – the port operator, the track lessee, the trucking company – and gaps in coordination contributed to the incident. The lesson is that SFAIRP extends beyond your own organization; you must reach across organizational boundaries to collectively achieve ALARP, which is easier said than done.
- Resource Constraints and Economic Pressures: In practice, rail operators face budget and time pressures. There is always a temptation to do the minimum necessary to satisfy the regulator and keep operations moving efficiently. If senior management is not deeply committed to safety, “reasonably practicable” might be interpreted in a self-serving way (emphasizing what’s not practicable due to cost or inconvenience). This can manifest as chronic underinvestment in infrastructure maintenance or safety upgrades – until a serious accident forces the issue. The pitfall is short-term thinking. Regulators try to counter this by highlighting the long-term cost of accidents and by enforcing compliance, but it remains a tension. It requires leadership to truly integrate SFAIRP into business planning (so that safety projects get funded as a priority, not as an afterthought).
- Reverse SFAIRP Misuse: As discussed, removing controls is tricky. A pitfall would be an operator too eagerly removing safety measures to save money or improve service, under the claim they are no longer needed. Without rigorous risk assessment, this can lead to increased risk. For example, say a railway decides to remove guards from trains (making them driver-only operated) to cut costs, arguing new technology (CCTV) makes it safe. If they do this without thorough analysis, and perhaps external review, they might miss scenarios where a second crew member prevented incidents. The decision might be justified if the new measures truly cover all hazards, but this must be convincingly demonstrated. Misapplying reverse SFAIRP can degrade safety.
In summary, the challenges of SFAIRP revolve around doing it earnestly and thoroughly, not superficially. It requires continuous vigilance, resources, and a genuine safety-first culture to avoid these pitfalls.
6.3 Best-Practice Recommendations for Demonstrating and Maintaining SFAIRP Compliance
To ensure RTOs not only comply with SFAIRP but also make it an integral part of how they run their business, the following best practices are recommended:
- Adopt a Structured “SFAIRP Demonstration” Template: Develop a standard template or checklist that must be completed for significant decisions (new projects, changes, or when addressing major hazards). This template should prompt the user to document: the hazard and risk analysis, options considered across the hierarchy of controls, evaluation of each option (including cost and risk reduction), and a conclusion on which options will be implemented and which will not (with justification). Having a consistent format makes it easier to review and ensures no factor is forgotten. Some organizations call this an “ALARP worksheet” or “Risk Treatment Analysis”. It can be part of the risk register or a separate attachment. Ensure the template explicitly asks, “Is there any further measure (even if risk is low) that is reasonably practicable?” to enforce that mindset.
- Use a Robust Risk Register and Tracking System: The risk register should be a living database, ideally software-based for ease of updates and querying. Each risk entry should list existing controls and additional controls under consideration, along with status. Link the register to action tracking – if a control is approved for implementation, it should generate an action item assigned to an owner with a deadline. The system should send reminders and escalate if overdue. This ensures no agreed safety action falls through the cracks. The register should also allow linking evidence (like cost estimates, meeting minutes, studies) to support why something was or was not done. Regulators often appreciate when operators can pull up a risk entry and show attachments with detailed analysis.
- Implement Hierarchy of Controls in Procedures: Make the hierarchy not just a poster on the wall but embed it in procedures. For instance, the SMS change management procedure should have a step: “Identify if the change introduces new hazards; if so, apply hierarchy of controls to mitigate.” Maintenance planning procedures should include a question: “Can this maintenance task be done with the track de-energized or blocked instead of live?” (elimination vs administrative). By institutionalizing these questions, you drive people to think SFAIRP in every relevant activity. Additionally, consider requiring that any proposal that opts for an administrative control when an engineering control is available gets a higher level of approval – a way to challenge decisions that might be sub-optimal.
- Continuous Improvement and Periodic Review Cycles: Set up regular (e.g., annual or biennial) SFAIRP review workshops. These could involve cross-functional teams revisiting high-level risks in the register and scanning for any changes in context: new technology, new learnings from incidents, or creeping risks. Periodically take a few known hazards and do a fresh SFAIRP analysis from scratch – this can catch “analysis drift” where over time people forgot certain options. Also perform periodic benchmarking: see what peer operators are doing. For example, if another operator implemented a novel control (like automated drone inspections for bridges) and found it beneficial, evaluate if it’s applicable to you. Consider an annual “innovation scan” where the safety team catalogs new safety solutions or research findings and cross-checks them against your risk controls. These processes ensure the SMS evolves.
- Engage Frontline Employees and Experts in SFAIRP: Those who do the job daily often have the best insight into hazards and what might or might not work to control them. Establish channels for workers to give input on risk controls – e.g., safety committees, hazard reporting systems – and ensure those inputs are considered in risk assessments. A train driver might say, “This new warning system is confusing,” or a track worker might suggest a new tool to reduce manual handling. Treat these as valuable information for SFAIRP decisions. Also involve subject matter experts (engineers, ergonomists, data analysts) when evaluating controls, especially for complex issues. For example, if deciding on cab design changes for safety, involve human factors specialists and drivers. This inclusive approach leads to more practicable solutions and buy-in.
- Develop Clear Documentation of Gross Disproportionality Arguments: If you ever reject a potential safety measure on the grounds of cost vs benefit, document that decision extremely clearly. Ideally quantify the risk reduction (even approximately: e.g., “expected to prevent 1 derailment in 20 years, avoiding ~$5M in damages and potential fatalities”) and the cost ($50M to implement). Show the comparison transparently. Perhaps use a ratio or a qualitative statement like “cost is grossly disproportionate (10-20 times the safety benefit)”. By articulating it, you test the logic – maybe the cost initially seemed high, but when put in perspective, it might not be that disproportionate. Or if it truly is, you’ll have a solid record for regulators. It’s wise to have a peer review or safety governance group review such decisions. If possible, quantify using accepted values (e.g., Value of Statistical Life, which in Australia might be around AUD $5-7 million) and discount rates for future harms. This level of rigor shows you didn’t lightly dismiss a control. Keep these records organized – maybe flagged in the risk register or a dedicated “SFAIRP justification file”.
- Strengthen Interface Agreements and Joint Safety Exercises: For risks shared with other parties (like road crossings, or where one company’s train runs on another’s track), ensure that interface agreements are not just legal formalities but active documents. Set up joint risk workshops with the other party periodically to review interface risks and controls – essentially an inter-company SFAIRP review. Also, conduct joint emergency drills and scenario analyses to test if controls are sufficient. A best practice is to have a standing interface safety committee for significant interfaces (e.g., major stations, junctions between networks, etc.). Such forums can identify gaps where each thought the other was handling something. By collaboratively addressing them, both parties fulfill SFAIRP (and avoid finger-pointing in case of an incident).
- Leverage Tools and Technology for SFAIRP Evidence: Use available software tools to aid in risk assessment and data analysis. Bowtie analysis, for example, is a great visual tool that maps hazards to consequences with controls in between; it can help ensure multiple layers of controls are considered and identify any weak links. Some operators use Monte Carlo simulations or fault tree analysis for complex systems to quantify risk – useful to evaluate the benefit of potential controls. Moreover, data from real operations (e.g., event recorders, track condition monitoring, near-miss reports) can be analyzed with data analytics to spot emerging risks or confirm control effectiveness. Make such analysis part of your SMS’s routine. If you can show ONRSR that, for example, you analyze every SPAD with a special algorithm to see if there’s a pattern and then act on it, that demonstrates a proactive SFAIRP culture.
- Cultivate a Documentation Culture without Blame: Encourage personnel to document hazards and near misses, and to participate in risk assessments, by maintaining a just culture. People should not fear that admitting a problem will result in punitive action. This is vital to get the information needed for good SFAIRP decisions. Alongside, train staff in the why and how of SFAIRP – when people understand that every safety improvement suggestion is valued and might prevent harm, they are more likely to contribute meaningfully. Some operators include a module on SFAIRP in their safety inductions and leadership training, so that it’s understood from top to bottom.
-
Regular Audit and External Review: Lastly, have regular audits of your SFAIRP processes. This can be internal (safety department auditing a sample of risk assessments each quarter) and external (engage independent auditors or participate in ONRSR’s audit schemes). Fresh eyes can catch whether a team has gotten into a rubber-stamp routine or whether any risk is being underestimated. For major new projects or technology introductions, consider a peer review panel or even an expert safety assurance team to do a thorough ALARP study – akin to how the UK’s ORR might require an independent safety assessment for certain high-risk systems. While not mandated here, it’s a best practice for, say, implementing driver-only operations or a new signaling system.
Implementing these best practices requires commitment and resources, but they pay dividends in safer operations and in confidence during regulatory scrutiny. An operator that can produce a well-maintained risk register, thorough option analyses, and evidence of continuous improvement will be well-placed to demonstrate compliance with SFAIRP at any time. This not only avoids enforcement action but also, most importantly, reduces the likelihood of accidents. In the end, SFAIRP compliance is not just about avoiding legal penalties – it is about ensuring that everything that reasonably can be done to protect workers, passengers, and the public is being done. A robust SMS underpinned by the practices above is the best way to live up to that duty.
Conclusion: SFAIRP vs ALARP in Context
In summary, the Australian rail industry’s commitment to SFAIRP ensures that safety is a dynamic, ever-improving pursuit. While SFAIRP and ALARP share the same DNA – minimizing risk within the bounds of what is reasonably practicable – the Australian approach legislates this principle and, through ONRSR’s oversight, imbues it with a precautionary, all-encompassing ethos. The UK’s ALARP practices, particularly in rail, offer structured techniques and a wealth of experience, especially with quantitative methods and tolerability criteria. Australian rail operators do well to learn from these (indeed RISSB’s Safe Decisions was drawn from RSSB’s guidance). However, they must frame their efforts in terms of SFAIRP as defined in the RSNL, keeping in mind the nuances: no risk is too small to consider, cost only comes into play to rule out extreme measures, and the burden is on the duty holder to show they’ve left no reasonable stone unturned. The end goal is the same: whether one says “as low as reasonably practicable” or “so far as is reasonably practicable,” the objective is a rail network where risks are reduced to the lowest level that sensible measures allow. By harnessing flexible innovation within a strong regulatory framework, and by diligently avoiding the pitfalls, the Australian rail industry can continue to advance safety, protecting all who depend on it.
References:
-
Rail Safety National Law (Queensland Consolidated Act, current as of May 2025), Sections 46–47 and 52–54. (Contains the legal definition of SFAIRP duties and the meaning of “reasonably practicable”, with five factors.)[4][5]
-
ONRSR Guideline – “Meaning of Duty to Ensure Safety So Far As Is Reasonably Practicable”, May 2021. (Regulator’s guidance on interpreting SFAIRP, including Section 47 factors, continuous improvement expectations, and reverse SFAIRP.)[40][45]
-
Rail Safety National Law (Queensland) – Section 99 and related provisions. (Legislative requirements for Rail Transport Operators’ Safety Management Systems, emphasizing risk identification, assessment, control, and review.)[16][73]
-
RISSB Guideline – “Safe Decisions” (2016). (Industry guideline on safety decision-making framework, reinforcing SFAIRP/ALARP principles in practice, adapted from UK RSSB guidance.)[57][56]
-
ONRSR Code of Practice – “Train Visibility at Level Crossings” (2024). (Example of an approved code defining good practice controls for train visibility, illustrating how standards are treated as minimum and additional measures might be required for SFAIRP.)[67][97]
-
RISSB/Industry Paper – “Expectations and Experience in Safety Risk” (Rob Scarbro, Dept of Transport, 2021). (Contains insights that compliance with standards alone is not sufficient for safety – evidence of risk mitigation is required.)[70]
-
ONRSR Safety Improvement Case Study – Sydney Trains High-Risk Turnouts and ATP (2025). (Case study demonstrating regulator-driven SFAIRP action: speeding risk through turnouts addressed via interim controls and planned engineering solutions.)[30][31]
-
RISSB Guideline – “Good Practice in Mitigating Safety Risks when Planning Works in the Rail Corridor” (2021). (Highlights hierarchy of protection for track work, encouraging highest level of protection practicable and use of new technology for track worker safety.)[69][98]
-
ONRSR Media Release – “Australian First LX Code of Practice Released” (Dec 2024). (Background on the development and legal standing of the level crossing visibility code, reinforces that courts and ONRSR will use such codes in determining SFAIRP compliance.)[66][99]
-
ONRSR Guideline – “Safety Management System Guideline”, Jul 2022. (Provides guidance on implementing SMS requirements under RSNL, aligning ISO 31000 risk management with legislative specifics; underscores the need for ongoing monitoring, consultation, and documentation in SMS.)[60][100]
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] Rail Safety National Law (Queensland)
ONRSR Guideline – Duty to Ensure Safety (SFAIRP)
-
[37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] Meaning of Duty to Ensure Safety (ONRSR Guideline)
RISSB Guideline Template (Planning Works)
[26] [27] [30] Automatic Train Protection – ONRSR & Sydney Trains (Case Study)
Application of SFAIRP and Ensuring a Sustainable Rail Future