The BIM Protocol second edition… three months on

A number of significant changes have been made in the second edition of the CIC BIM Protocol, not least in relation to the security of BIM related data in light of the recent PAS 1192-5 document devoted to this subject. Chris Hallam, Shona Frame and Aidan Steensma of law firm CMS consider the changes in detail, together with their likely uptake in the industry.  

The National BIM Report 2018 recently published by the NBS shows that BIM use in the UK is moving forward at a considerable pace: a record 74% of respondents to the survey are aware of and using BIM, a 12% increase on the previous year and the highest year-on-year growth since 2014.

Notwithstanding this, there remains a real wish within the industry for there to be more standardisation. The report notes that BIM, as a collaborative process, needs to be governed by shared and agreed ways of working.

The PAS standards produced go some way towards this but 70% of respondents agreed with the statement that “BIM is not sufficiently standardised yet” and 42% considered one of the main barriers to adoption of BIM to be a lack of standardised tools and protocols. With regard to the standards used by participants, 29% used the CIC BIM Protocol.

The Protocol was first published in 2013. The CIC has, since then, taken on board comments and feedback from users along with adapting it to issues which have arisen since 2013. They published a second edition of the Protocol in April 2018. 

Structure and terminology

The structure of the new Protocol is broadly the same as the first edition, but much of the terminology has changed. The Protocol now refers to “information” and not just “models”, reflecting more closely the terms of PAS 1192-2.

This should also help those unfamiliar with the sometimes tortuous jargon and acronyms regularly used in the industry to familiarise themselves with the intent and purpose of the Protocol.

The new Protocol now contains three appendices:

  • A Responsibility Matrix, serving very much the same purpose as the old Model Production and Delivery Table.
  • Information Particulars. This roughly aligns with the previous Information Requirements Appendix, in that it includes both the Employer’s Information Requirements and the Project Procedures, but also now allows for a BIM Execution Plan.
  • A new Security Requirements Appendix.


A more flexible approach has been adopted as regards precedence over the primary contract terms and conditions. Only clauses 3 and 4 (the obligations of each party) plus Appendices 1 and 2 are to prevail over the primary contract terms and conditions. No explanation is given as to why Appendix 3 (Security Requirements) is not included in this list given that it applies by virtue of clause 4.

The intellectual property provisions no longer trump the primary contract terms and conditions, but rather the primary contract terms and conditions are said to be varied insofar as is necessary to achieve certain aims. A number of other clauses are said to vary the primary contract terms and conditions (e.g. liability, security breaches).

Of course, these provisions will only work if the BIM Protocol as a whole is stipulated as taking precedence over the primary contract terms and conditions. If the primary terms and conditions take precedence, then those parts of the Protocol which are said to take precedence over and/or vary the primary terms and conditions will simply fail.

Any pre-existing precedence clauses used by parties will therefore need to be carefully considered and contracts adapted accordingly.


The revised Protocol imposes new obligations on the employer to:

  • Comply with its obligations under the project standards, methods and procedures set out in the Information Particulars (eg PAS 1192-2). This is said to be because “these standards often assume that certain tasks will be carried out by the procurer of a Project”.
  • Allow the project team member to access the Common Data Environment (CDE) to fulfil their obligations and to retain a record copy of the relevant information at the end of the Project or upon termination. In the context of latent defects claims, this ability to access information could prove very beneficial and it is something parties should consider taking advantage of at completion of the construction phase of the project.
  • Review and update the security requirements and maintain the appointment of a built asset security manager (see further below).

There are also new obligations on the project team member (eg contractor, consultant etc) to:

  • Produce information and models within the times stated in the Responsibility Matrix or elsewhere, subject to any entitlement to an extension of time under the primary contract terms and conditions (formerly only an obligation to use reasonable endeavours). This is an aspect requiring to be dovetailed in with the contractual provisions.
  • Attend coordination meetings with the information manager and other project team members as stipulated in the information particulars.
  • Cooperate with the built asset security manager (but still nothing similar in relation to the information manager).
  • Comply with the security requirements and any reasonable instructions from the Employer in relation to the same.

The project team member’s right to claim a variation in respect of any update to the Responsibility Matrix and security requirements, and for any instruction in relation to the security requirements, is also expressly preserved. This is a further aspect where the interaction with existing contract terms requires to be considered.

Security requirements

New provisions have been included to deal with security issues to reflect PAS 1192-5. The NBS describes this PAS as containing “requirements for security-minded management of BIM and digital built environments. It outlines the cyber-security vulnerabilities to hostile attack when using BIM and provides an assessment process to determine the levels of cyber-security for BIM collaboration which should be applied during all phases of the site and building lifecycle.”

The PAS is said to be applicable to any built asset which is deemed to be sensitive. Examples include buildings which:

  • Fulfil a defence, policing, law enforcement, national security or diplomatic function.
  • Form part of critical national infrastructure.
  • Involve the creation, trading or storage of significant volumes of valuable materials, currency, pharmaceuticals, chemicals, petrochemicals, or gases.
  • Will be used to host events of security significance.

The Protocol requires the project team member to comply with the security requirements contained in Appendix 3. Notices may be given to prevent likely breaches or to remedy/mitigate existing breaches.

Of particular note, the primary contract terms and conditions are to be amended to provide for an immediate right of termination where:

  • Notices to prevent, remedy or mitigate are not complied with; or
  • A breach of the security requirements relates to sensitive information (to be defined in the appendix) or is not capable of being remedied or mitigated.

The consequences of such termination are to be the same as that provided by the primary contract terms and conditions in relation to terminations for breach generally.

Given that this would in many cases carry with it a right to recover loss of profit and additional costs to complete, this is a very significant right. There is potential for abuse were parties to seek to rely on breaches of the Security Requirements in order to terminate the contract for unrelated commercial reasons.


A new built asset security manager is to undertake “the role of security management in relation to the project”. He has the power to issue a “notice to prevent” in relation to likely breaches of the security requirements.

Given the draconian consequences of this, it is important to recognise this role and the powers of the individual holding it within the underlying contract.

The information manager post remains largely as was. Uncertainty continues over the legal status of the role, however, and is now made worse by the express obligation to cooperate with the built asset security manager not being replicated for the information manager. 


The exclusion of liability for onward modification, amendment, transmission, copying or use of information remains. However, the exclusion as to the “integrity” of data has been removed and replaced by an exclusion as to interoperability (i.e. whether data formats and software will be compatible).

Ambiguities and conflicts

To the extent not covered in the primary contract terms and conditions, a new duty has been included to notify “ambiguity, conflict or inconsistency in or between” the project information or otherwise as stated in the information requirements.

The parties are to seek to agree how such issues are to be resolved. Failing agreement, the parties shall meet together with the information manager and any other relevant project team members “in order to seek to resolve the ambiguity, conflict or inconsistency”.

The scope of this new duty is potentially very broad in that project information includes information submitted by other project team members. The scope of the duty is, however, limited to some extent by applying only to matters which the party is aware of and stopping short of a duty to actively seek out issues.

Conclusion and implications

Overall, the changes to the Protocol resolve a number of difficulties with the first edition and would appear to provide a more effective “fit” for most contractual situations. The security provisions are the largest addition and some parties may not be prepared to agree to them, particularly given the very significant sanctions for non-compliance.

However, security remains a hot topic in the BIM sphere, particularly where government-procured assets are concerned, keeping in mind the threats this presents if information falls into the wrong hands. For those projects this is likely to be a key requirement.

Given the need for the Protocol to amend or take precedence over other terms and conditions, implementation is not quite as simple as including it in contractual appendices. This is complicated by the standard form drafting bodies not taking a consistent approach.

Whilst NEC has included guidance and clauses suitable for incorporating the CIC BIM Protocol into its contracts, JCT has chosen not to, leaving parties to select a protocol. It is therefore necessary to consider in each case an “incorporation clause” as well as adaptation of affected clauses of the underlying contract to allow the contract and Protocol provisions to be coordinated and effective.

The Protocol contains a draft of such a clause, but parties will need to consider the most appropriate approach on a contract by contract basis. This may of course change in future if the views of the respondents to the BIM Survey, which show a clear appetite for increased standardisation, are taken into account.

Chris Hallam and Shona Frame are both partners and Aidan Steensma is Of Counsel at CMS.

A version of this article first appeared on the CMS Law-Now service. To subscribe to Law-Now for free go to www.cms-lawnow.com. CMS has also produced an e-Guide to BIM across nine different countries.
