On the Use of Standards and Guidelines as a Tool to Fulfil Regulatory Requirements

Over the years, industrial safety regulation has shifted from a “hard” command and control regime to a “soft” regime. A “hard” regime includes the use of strict prescriptive requirements which explain how industry should solve particular issues. A “soft” regime uses more functional requirements, pointing out what goals are to be achieved. In a “soft” regime, prescriptive standards might still exist, but they are considered suggested solutions, with alternative solutions also being considered if they achieve the overall regulatory goals. The purpose of such a shift is to create regulations that are more flexible, meaning that they are more open to the use of novel technology and to the use of risk assessments as a basis for decision making. However, it is not clear that the shift from a hard to a soft regime has made it easier to use risk assessments for such a purpose in practice. In the present article, we discuss the limitations caused by strict adherence to prescriptive requirements presented in standards or regulations and present our perspective on why and how these can limit risk management in practice. The article aims to discuss the strengths and weaknesses, with regard to risk management, when regulations are strictly dependent on prescriptive or specification‐based standards and guidelines. Several examples are used to illustrate some of the main challenges related to the use of specification‐based technical standards and how the regulatory shift from “hard” to “soft” has not necessarily made it easier to implement technological solutions based on risk assessments.


INTRODUCTION
Like most other aspects of society, safety regulations are going through constant development. One significant step in safety regulations is the shift from a "hard" to a more "soft" regulatory regime (Lindøe & Baram, 2019; Penny, Eaton, Bishop, & Bloomfield, 2001). A "soft law" regime refers to the use of rules that set goals, also known as functional requirements.
It is the opposite of a "hard law" regime, containing more prescriptive requirements, which presents how something is to be achieved, rather than using functional requirements that focus on what is to be achieved. The regulatory regime for the Norwegian oil and gas industry is an example of a shift from a "hard law" to a "soft law" regime (Bang, 2019). Several aspects motivated the shift from "hard laws" to a more "soft law" regime, including (Bang, 2019):
• The ability to use risk assessments as a basis for decision making
• Increased flexibility with regard to the implementation of novel technology
However, the prescriptive requirements from the "hard law" regime were indirectly retained, by moving them to related standards and guidelines. These standards and guidelines provide guidance and suggestions of solutions that could be used to fulfill the new "soft law" requirements. As these solutions are only considered suggestions, there is the possibility of using alternatives. However, the industry/operators would then need to document that the alternative solution is at least as good as the solution provided by the standard. In our experience, this leads to the adoption, in most cases, of the solutions in the guidelines and standards, unless there is a substantial potential for increased efficiency or cost savings related to the novel solution. The tendency to adopt a known solution to a problem rather than engaging in a possibly time-consuming and costly search for alternatives is not unique to the present context. Research in naturalistic decision making (NDM) has documented similar tendencies in many different domains, see for example Klein (2008).
0272-4332/21/0100-1744$22.00/1 © 2021 The Authors. Risk Analysis published by Wiley Periodicals LLC on behalf of Society for Risk Analysis. This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.
Consequently, the prescriptive requirements were, and still are, a significant part of the regulatory regime. Standards and guidelines also play a vital role for other industries that have moved from a hard to a soft law regime; see, for example, Foliente (2000); Lindøe and Baram (2019); Straube (2001). Not all these standards are prescriptive, and many offer a combination of functional and prescriptive requirements (Sinclair, 1997; Straube, 2001). Lately, there has also been an increased awareness of the need for standards based on the use of functional requirements (Foliente, 2000). However, and as described by Lindøe and Baram (2019) and Straube (2001), the industry's attention is typically drawn to instructive specification-based standards and guidelines. A similar argument is made by Aven and Ylönen (2019), who argue that standards (such as ISO 31000) have an increasing influence on the risk and safety field, even though the criticism against the standard's quality has increased.
The research by Lindøe and Baram (2019), Straube (2001), and Aven and Ylönen (2019) supports our argument, namely that industry prefers, or is, due to the standards' strong power, almost "forced" to prefer, standards which provide (detailed) guidance on how to comply with regulatory requirements, including demonstrating that a sufficient safety level is achieved. However, it is a paradox that strict compliance with the specification-based standards provides challenges similar to those which motivated the regulatory shift. The purpose of the shift can partly be explained by the need to create more flexible regulations, in the sense that they are more open to the use of novel technology by allowing risk assessments as a basis for decision making. As mentioned above, the shift entailed a possibility to demonstrate that an alternative solution is at least as good or safe as the solution presented in the standards. However, little guidance on how to compare an existing and novel solution exists. Consequently, the preferred solution is still to comply with the prescriptive requirements, and industry still struggles with the implementation of novel technology. It is therefore not evident that the shift from a hard to a soft regime makes it easier to use risk assessments as a basis for decisions or to implement novel solutions.
The present article aims to draw attention to and provide insights into how strict adherence to prescriptive guidelines and standards can limit risk management. The article focuses on when, why, and how the use of prescriptive standard requirements limits risk management, meaning that the prescriptive standards can hinder innovative solutions that, if implemented, could reduce risk. Several examples of how prescriptive requirements hinder the implementation of solutions with considerable risk-reducing potential will be presented in Section 3. First, however, Section 2 presents the main explanations of when, why, and how specification-based standards can limit risk management. Finally, Section 4 provides some concluding thoughts.

When does the use of specification-based standards limit risk management?
First, as previously mentioned, the use of specification-based standards is not always a challenge to risk management. In some situations, such standards are a benefit, as they provide cost-effective solutions based on the knowledge of a large group of experts that have collaborated to identify the best solutions to particular issues. As commented by one of the reviewers, these are the situations where the experts "know what works." Specification-based standards then save time and costs on exploring alternative solutions and demonstrate compliance with regulations. An additional explanation of why people tend to prefer specification-based standards might also be found in the recognition-primed decision making model (see, e.g., Klein, 2008), and also Rasmussen's three-level model of human behavior (Rasmussen, 1983), that is, skills, rules, and knowledge-based behavior.
In other situations, it can be more challenging to apply the solutions presented in the specification-based standards. In particular, standard solutions can be difficult to apply in situations where relevant stakeholders (e.g., designers, operators, analysts, management, the whole industry) have, for example, less experience with the relevant activity or the related technologies that will be used to carry out the activity. In these circumstances, specification-based standards can be difficult to use, as the instructions therein can be less relevant, costly, or impossible to implement for alternative risk-reducing solutions. Even when implemented, the specified approach may be an inefficient way to manage risk relative to other known approaches that are not allowed by the specification.
The implementation of novel technology is an example of a situation in which the circumstances are not well known and where existing standards are less relevant or do not provide useful guidance on how to comply with regulatory requirements. As novel solutions potentially do not adhere to the existing specification-based standard, the solution/technology might not be considered or implemented. When a novel technology/solution, which potentially increases safety, is not even considered, this limits the risk management process. The following section discusses potential causes as to how and why specification-based standards might limit risk management. Section 3 provides some examples as to when existing specification-based standards limit the risk management process. In Section 4, we point to potential solutions and research topics that can contribute to improving the situation.

How and why does the use of specification-based standards limit risk management?
Consequently, the use of specification-based standards limits the flexibility and possibility to manage risk. In the present article, we focus on three main reasons for this:
(1) The standard specifies minimum (safety) solutions
(2) The standard becomes outdated
    (a) New knowledge becomes available
    (b) New alternative solutions become available/developed
(3) The standard is not developed for the context-specific conditions
    (a) The technology is too costly compared to the benefits
    (b) The standard requires wrong or unnecessary risk-reducing measures compared to the alternative, maybe cheaper, measures with a greater potential to reduce risk
The prescriptive requirements in a specification-based standard usually set a floor, in the sense that they establish the minimum allowable solutions (e.g., design level), which fulfill the regulatory requirements, highlighted in point 1 above. In many cases, designers are allowed to go above this, but there are few incentives to consider additional risk-reducing measures. For example, if choosing different solutions from those presented in the standards, the uncertainty of whether they will be accepted or not increases. Such uncertainty will, most likely, be considered unfavorable and something which threatens the success of the project/operation. Also, it can be costly to suggest solutions that deviate from those presented in the standards, as it then becomes the owner's/manager's responsibility to document that the alternative solution is comparable or better (see, e.g., § 24 of the framework regulations; PSA, 2019b).
Point 2 above addresses two situations where it would be beneficial to be able to consider the implementation of alternative solutions that are not presented in the standards. First, point 2a, as the standard gets older, new knowledge becomes available, and the existing solution may no longer represent the optimal solution from a risk management perspective (see, e.g., Cullen, 1990, Chapter 21). New research and other activities or experience with the existing solutions may provide information suggesting that the standard approach (existing solution) should be improved. However, once the standards are published, and primarily if they are referred to in the regulations, it can prove challenging to differ from the standard solution, even if improved alternative solutions exist.
New knowledge can, for example, indicate that the use of a particular solution presented in a prescriptive standard introduces a previously unknown hazard. Such situations are particularly relevant with regard to the detection of consequences of the use of various types of chemicals (see, e.g., Ateagroup, 2018; Herzke, Olsson, & Posner, 2012; Sheinson et al., n.d.).
The requirement in many building codes for interior vapor control is another example; recent scientific advances have shown that the types of measures required by traditional prescriptive building codes introduce a significant probability of mold and structural degradation in many climates (Straube, 2001). Such issues are not only a limitation to the risk management process; they are also a potential risk source. However, it can be challenging and time-consuming to update the standards. In some cases, even if the standards are updated to allow performance-based alternatives, regulators may continue to require the previously specified solutions (e.g., Straube, 2001). Any incentives to challenge an existing standard are most likely related to increased income or system performance and not increased safety.
Second, linked to point 2b, are the situations where new solutions that are preferable from a risk management perspective become available with time. These alternatives were not necessarily present when the standards were produced, and the requirements presented in the standards are not written in a manner that allows for the use of the novel technological solutions. Consequently, strict adherence to and the use of specification-based standards work to hinder the implementation of new alternative solutions, which can, from a risk management perspective, be better than the solution presented in the established standard. This can, in turn, decrease the incentive for industry to develop new, improved risk management measures if they face a costly and uncertain path to approval for the use of these measures. Also, as stated in Penny et al. (2001, 1), it is the "innovator that is best placed to ensure the safety of their design." For a further discussion on how prescriptive requirements can limit innovation, see, for example, Penny et al. (2001) and Foliente (2000).
The last argument listed above is related to the lack of ability to reflect all types of relevant site/situation-specific circumstances. This can have two different consequences. First (3a), the prescriptive requirements may represent a "floor" that is too strict, in the sense that the requirements imply a safety level that is so high that it becomes too costly to justify the implementation of the solution. The avoidance of new solutions can be reasonable if they reduce the overall safety (e.g., the activity can be carried out more safely without the new solution) but not if the overall safety level could be increased (e.g., a technology which replaces a dangerous manual process). An example will be presented in the following section.
The second potential consequence of a standard that does not reflect the relevant site, context, or situation-specific circumstances (3b) is related to requiring risk-reducing measures that are reasonable in some places but not all. When a standard is created, it is often based on a set of assumptions, some of which might be tacit. For example, the standards related to the building of a bridge can be written by experienced bridging engineers. However, they are used to building bridges in a certain environment (e.g., high temperatures and high traffic loads) that is not universal. If these variations are not taken into account, the solutions presented in the standard can consequently reflect preaccepted design solutions which lead to the building of bridges with an extensive expenditure of resources on hazards not faced in every situation. For implementation elsewhere, the standards would need to be adjusted to local conditions.

ILLUSTRATIVE EXAMPLES
The present section provides a set of examples to illustrate and explain the risk management limitations of strict adherence to prescriptive requirements. The examples are linked to points 1-3 presented in the previous section and to three different industries.
On the Norwegian continental shelf, offshore oil and gas activities have been carried out since the 1960s. Some of the old oil and gas wells no longer produce enough and are ready to be permanently plugged and abandoned. The Norwegian petroleum regulations require at least two independent barriers to protect against unacceptable consequences, such as loss of hydrocarbons from a plugged and abandoned oil and gas well. Consequently, the NORSOK D-010 (2013) standard suggests solutions that require two independent plugs. These plugs should ideally be designed in a manner that can prevent leakage from the well in all possible future scenarios. Today, these plugs are trusted, and there are no requirements related to a possible follow up to secure and check that the plugs remain tight; for example, there are no surveillance requirements.
The follow-up of abandoned oil and gas wells does not even fall under the responsibility of the Norwegian Petroleum Authorities (PSA, n.d.). There can be several explanations for why follow up and monitoring or surveillance is not included as part of the PSA responsibility. However, it is reasonable to assume that, at the time when the regulations were written and the responsibilities divided, the technology available for such monitoring did not exist or was too expensive compared with the benefits gained (see also Kamal, 2014). Over the last 10 years, new technology has become available. This technology, which uses fiber-optic sensors (Boone, Ridge, Crickmore, & Onen, 2014; Kamal, 2014; Wu, 2019; Wu et al., 2019), is expected to provide real-time and in situ monitoring of the cement bond and zonal isolation in either active or abandoned wells, without the need for wellbore entry. Since this technology is relatively new, it was not a viable option when the regulations were written.
The question is then: What now? Is it still reasonable not to require any follow-up activities? It can possibly be argued that these techniques are less costly than the alternative (or lack of alternative) was when the regulations were written, and the cost-benefit balance has altered. Consequently, from a risk management perspective, it might now or in the near future be more reasonable to increase the focus and requirements related to surveillance activities of abandoned wells. However, there are few incentives for the industry, in particular oil and gas operators, to initiate such a development, even if it has the potential to reduce risk further. In addition, from a risk management perspective, it can be discussed if the "new" possibility to constantly monitor a plugged well can have a more substantial risk-reducing potential than some of the existing risk-reducing measures. For example, could it be an alternative to implement novel plug and abandonment techniques, if they were combined with surveillance that could provide information used to secure the well if there are signals of lost barrier (e.g., plug) integrity? By complying with today's regulations, and NORSOK D-010 (2013) in particular, there are no incentives to carry out a new risk assessment to evaluate whether constant monitoring/surveillance is a more effective risk-reducing measure than the alternatives used today.
The second example addresses point 3a presented in the previous section. The example relates to the building of tunnels in Norway. Many Norwegian tunnels are old, and the safety measures included in older tunnels are, even with updates, limited, compared to today's standard. Still, it can be considered safer to drive through these tunnels at some locations, especially if the alternative is to drive on roads with a significant danger of rockfalls, landslides, and snow avalanches. For such situations, where it would be safer to drive through a tunnel, there are additional evaluations, such as cost-benefit assessments, that are carried out to decide whether a new tunnel should be built. Consequently, it is sometimes decided not to build new tunnels, even if it would reduce the overall risk relative to the existing road. The Norwegian tunnel regulations require that all new tunnels (built after 2006 and that are more than 500 m long) are built with a set of minimum safety measures, adopted from the European Economic Area (EEA) agreement (see directive 2004/54/EF). While it is possible to deviate from some of these minimum safety measures, alternative measures should be implemented to ensure that the new tunnel will meet the same minimum safety level as required by the tunnel regulations. However, regardless of the risk-reducing measures used, the required minimum safety level is, for some of these roads, too costly to justify the benefits gained, and a new tunnel is consequently not built.
In some situations, even a new tunnel with a lower safety level would increase the overall road safety compared with today's situations (by avoiding the danger from rock/landslides, avalanches, or even driving off the road and into the fjord or the mountain wall on the other side of the road). A tunnel with a lower safety level would be cheaper to build, and the relationship between cost and benefit might no longer be disproportionate, making it possible to build a tunnel.
The required minimum safety level is based on EEA directive 2004/54/EF, and the requirements may represent a reasonable safety level in situations where the alternative transportation route is safer. The uniqueness and danger of the existing roads along the Norwegian fjords or steep valleys are not necessarily reflected in the European requirements, which do, consequently, limit risk management.
As a third example, consider building codes, particularly those for vapor control and insulation in residential wood-frame structures. This is an important part of the building code because failure to control moisture can lead to both health issues caused by mold and structural damage due to rot. In many areas, including the United States, traditional building standards have called for a vapor barrier (e.g., a sheet of plastic) on the side of the insulation that is warm in the winter (i.e., the interior in much of the United States). However, recent regulations have required exterior insulation beneath the wall cladding, and the usual insulation used for this is not vapor permeable. Relatively recent research has shown that if a vapor barrier is required on the interior and a vapor impermeable external insulation is used, mold and structural deterioration can result (e.g., Straube, 2001), see point 2a presented above. The most recent international building code has provisions for not using an interior vapor barrier, as long as the designers demonstrate through calculations appropriate for their climate that the exterior insulation is thick enough so that the probability of condensation buildup is minimal. However, in practice, U.S. building inspectors still often rely on the traditional prescriptive, specification-based standards and require an interior vapor barrier which potentially has a higher probability for condensation. This leads to an increased risk related to vapor accumulation and the corresponding health and structural risks.

DISCUSSION AND CONCLUSIONS
The above examples are included to illustrate how strict adherence to specification-based standards can limit risk management. We argue that strict adherence to such standards limits risk management, by reducing flexibility, creativity, innovation, and the ability to choose alternative solutions that have a greater risk-reducing potential than the solutions described in the standards.
However, it is vital to remember that the use of specification-based standards also has some pros with regard to risk management. These benefits are mainly related to the value of standardized processes, developed as a collaboration between several experts. The results presented in these standards can be based on the unified "best available knowledge" and can reduce the potential for events caused by so-called "unknown knowns." Unknown knowns are often linked to unwanted incidents that are caused by phenomena that, if known to those involved in the process, could be avoided; see, for example, Aven (2014). By sharing knowledge through the use of standards, the potential for these types of events can be reduced. Specification-based standards can, as such, also be beneficial for proper risk management.
To ensure that the risk management process is as successful as possible, we argue that it is essential to be aware of the situational context. For example, if there is a low degree of novelty, and the situation is not characterized by any of the challenges mentioned above, the use of prescriptive standards can be beneficial. Still, and as discussed in the previous section, there are some situations characterized by some degree of novelty where strict compliance with prescriptive requirements should be avoided. In such situations, there is a need for an alternative process for safety demonstration and risk management.
Several authorities, such as the Norwegian Petroleum Authority (PSA, 2019a), which represents a soft regulatory regime, present an alternative strategy for risk management or safety demonstration when a specification-based standard is not applicable. The novel technology can then follow a technology qualification regime (DNV GL, 2019) and document that the technology fulfills all "soft" regulator requirements (see § 24 The framework regulations; PSA, 2019b). The PSA suggests demonstrating that an alternative solution is "as good as, or better than" the traditional solution, and searching for continuous improvements. Such an approach seems reasonable, particularly as long as "good" refers to the overall risk level. In other words, in the situations presented in points 1-3 above, it is necessary to demonstrate that the risk level related to the use of the (novel) solution is as low as or lower than the solution suggested in the standard, or lower than the risk level with the existing solution (e.g., no tunnel at all, in the tunnel example). However, if the opportunity of comparing the risk level of different solutions is not utilized, and the focus is on the fulfillment of regulatory requirements (soft or hard), a soft regime will be prone to many of the same risk management limitations which initiated the shift from a hard to a soft regulatory regime. For example, it is possible to imagine situations where functional requirements, used in "soft" law regulations, become more prescriptive than they were when the regulations were written, due to the same situations as those presented in points 1-3 above. Consider, for example, the requirement for a ballast system for floating facilities at the Norwegian Continental Shelf, see § 39 the facilities regulations; PSA (2020).
A novel technology, with the same function as a ballast system, for example, to "bring the facility to a safe condition following an unintended draught, trim or heel," will never fulfill § 39 of the facilities regulations as this regulation states the need for a ballast system. If the safety of a novel technology is considered as better than the safety of the existing system, for example the ballast system, it is vital that such "soft" requirements can also be challenged (and that strict adherence is avoided). However, how to document the safety of such novel technology is not straightforward.
To improve the situation, securing regulations that encourage the comparison of the risk related to novel and existing solutions, we suggest looking into the following:
1. Study more closely the reason why people tend to prefer specification-based standards, including the situations and contexts where specification-based standards are preferred but alternative (safer) solutions exist.
2. Identify solutions that can be used to influence the contexts and situations identified during the study for point 1.
3. Develop risk assessment methods with a particular focus on comparing the risk level associated with various (technological) solutions; see also Berner Nyvik, Falck, and Flage (2020).

ACKNOWLEDGMENTS
This work is part of the Safety 4.0 project funded by the Research Council of Norway under the PETROMAKS 2 program (Project no.: 281877). For more information about the Safety 4.0 project, see https://www.dnvgl.com/research/oil-gas/safety40/. The project support is appreciated, thank you. We would also like to thank two anonymous reviewers for useful and constructive comments on earlier versions of the article.