PFAS and the Risk of “Safe Enough”: Why HSE Leaders Must Keep Re-Testing Assumptions

PFAS has returned to the national spotlight following the Australian Government’s legal action against 3M over alleged contamination linked to legacy firefighting foams used at Defence sites.

While the case itself is a matter for the courts, the broader HSE lesson is already clear: risk does not stand still.

PFAS is not only a story about chemicals, firefighting foam or environmental remediation. It is also a reminder that workplace and environmental risks can evolve over time. Materials, processes and controls that were once considered acceptable can later become the subject of intense scrutiny as science, regulation and public expectations change.

For HSE leaders, the key question is not simply, “Are we compliant today?” It is also, “Are we regularly challenging the assumptions our controls are built on?”

When accepted practice becomes future risk

Many long-term HSE challenges do not begin as obvious failures. In some cases, they begin as accepted practice.

Firefighting foam containing PFAS was historically used because it performed an important safety function. It helped control dangerous fires and protect people, assets and infrastructure. That is what makes the issue so relevant to HSE professionals: a control can be introduced for good reasons and still create future risk if its broader impacts are not understood, monitored or reviewed over time.

This is not unique to PFAS.

Across industries, organisations rely on equipment, substances, systems, procedures and work methods that may have been introduced years ago. Some have become so familiar that they are rarely questioned. They sit in risk registers, procedures, training materials and maintenance schedules as part of the normal way of operating.

But “normal” does not always mean safe. And “previously accepted” does not always mean fit for purpose today.

The danger of “we’ve always done it this way”

One of the most persistent risks in HSE is organisational familiarity.

When a control has been in place for a long time, people can stop seeing it as something that needs to be reviewed. It becomes part of the background. Workers are trained in it. Supervisors expect it. Procurement keeps ordering it. Auditors may check that the process exists, but not always whether the underlying assumption is still valid.

This is where legacy risk can build quietly.

A procedure may have been written before new research emerged. A piece of equipment may no longer reflect best practice. A contractor process may have been inherited from a previous operating model. A material may still be in use because no one has been asked to reassess it. A control may exist on paper, but no longer match the real-world risk.

The PFAS issue highlights a much broader HSE principle: assumptions need expiry dates.

If a control is important enough to manage a serious risk, it is important enough to review. Not once, but repeatedly.

Risk registers are not archives

Risk registers are essential tools, but they are not meant to be archives of past decisions. They should be living records that reflect current knowledge, current operations and current exposure.

A static risk register can create a false sense of assurance. It may show that a risk has been identified and that controls have been assigned, but it may not show whether those controls remain effective, whether new information has emerged, or whether the organisation has reconsidered its position.

For HSE teams, this is where active governance matters.

A mature risk process should ask:

• Has anything changed in the way the work is performed?

• Has new scientific, technical or regulatory guidance emerged?

• Have incidents, near misses or audit findings challenged the current control?

• Are workers still exposed in the way the original assessment assumed?

• Are contractors using the same controls and standards?

• Has the organisation documented why the current approach remains appropriate?

These questions are not just administrative. They are central to due diligence.

Due diligence depends on evidence

When a risk is questioned years later, organisations may need to show more than good intentions. They may need to show what they knew, when they knew it, what decisions were made, and how those decisions were reviewed.

That evidence can include risk assessments, inspection records, training records, meeting minutes, incident investigations, audit findings, expert advice, corrective actions and management reviews.

The absence of evidence can create a problem even where people acted in good faith. If decisions were made informally, if reviews were not recorded, or if actions were not followed through, it becomes much harder to demonstrate that risks were actively managed.

This is particularly important for long-tail risks. Some hazards do not reveal their full consequences immediately. Their impact may become clearer over years or decades, especially where environmental exposure, worker health, community impact or regulatory change is involved.

In that context, HSE documentation is not just a compliance exercise. It is the organisation’s memory.

Emerging risk is not always new risk

When people talk about emerging risk, they often think of new technology, new materials or new ways of working. But emerging risk can also come from old hazards being understood in new ways.

That distinction matters.

PFAS did not become relevant because it suddenly appeared. It became more prominent as knowledge, testing, regulation and public awareness developed. The risk was connected to legacy use, but the scrutiny increased as understanding changed.

HSE leaders should apply the same thinking to other areas of their operations.

Which historical controls have not been reviewed in years?

Which materials, systems or assets were inherited from previous operations?

Which practices are accepted because they are common across the industry?

Which risks rely heavily on supplier assurances or outdated documentation?

Which controls would be difficult to defend if challenged by a regulator, worker, community member or court?

These are uncomfortable questions, but they are valuable ones.

Building review into the rhythm of HSE

The answer is not to treat every legacy issue as a crisis. It is to build review into the rhythm of HSE management.

That means making it clear who owns each significant risk, how often controls are reviewed, what triggers an earlier review, and how decisions are recorded.

Triggers may include regulatory updates, new research, industry incidents, audit findings, worker concerns, supplier changes, changes in exposure, new contractors, changes in operating conditions, or community complaints.

This approach helps move HSE beyond a reactive model. Instead of waiting for an incident or headline to force action, organisations can create systems that regularly test whether their current controls still make sense.

The leadership lesson from PFAS

PFAS is a timely reminder that risk management is not a one-off activity. It is an ongoing discipline.

The lesson for HSE leaders is not simply to look for one class of chemicals or one type of exposure. It is to look more broadly at the assumptions that sit beneath the organisation’s controls.

Every workplace has them.

Assumptions that a process is safe because it has always been done that way.

Assumptions that a supplier’s information is complete.

Assumptions that a control is effective because it exists on paper.

Assumptions that old risks have already been dealt with.

Assumptions that compliance today will be enough tomorrow.

Good HSE governance challenges those assumptions before they become failures.

Risk does not stand still

The PFAS headlines show how long the life of a workplace or environmental risk can be. A decision made years ago can continue to affect workers, communities, land, water, reputation and cost well into the future.

For HSE professionals, this reinforces a simple but important truth: risk does not stand still.

Controls must be reviewed. Evidence must be maintained. Legacy risks must be revisited. And “safe enough” should never become a permanent conclusion.

The strongest HSE systems are not the ones that assume they have all the answers. They are the ones that keep asking better questions.