See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/274677545

The ALARP Argument

Article · May 2013

CITATIONS READS
0 2,985

1 author:

Sirous Yasseri
Brunel University London
121 PUBLICATIONS   126 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Remaining useful life prediction of subsea equipment for prognosis View project

All content following this page was uploaded by Sirous Yasseri on 08 April 2015.

The user has requested enhancement of the downloaded file.

 The ALARP Argument

Sirous Yasseri, Safe Sight Technology, UK

ABSTRACT

The ALARP (As Low As Reasonably Practicable) principle assumes that there is a level of risk which is
tolerable and requires that the risk be at least below that level. The qualifying term "reasonably practicable"
determines how low risks should be pushed towards the region of negligible risks. An infinite amount of
effort could reduce the risk to an infinitely low level, but an infinite amount of effort will be infinitely
expensive to implement. So ALARP assumes that there is a risk level which is so low that "it is not worth
the cost" to reduce it further. In essence this means that risk reduction measures should be implemented
until no further risk reduction is possible without very significant capital investment, or other resources
expenditure that would be grossly disproportionate to the amount of risk reduction achieved. This paper
examines the ALARP principle in the context of cost effectiveness using a case study.

ALAR As Low as Reasonably Achievable

BACT Best Available Control Technology
CBA Cost-Benefit Analysis
LQI Life Quality Index
ICAF Implied Cost of Averting a Fatality
QALE Quality Adjusted Life Year
GCAF Gross Cost of Averting a Fatality
NCAF Net Cost of Averting a Fatality;
NCAF =
(∆Cost-∆Economic - Benefits)/∆PLL
∆ Incremental, or marginal, change
PLL Potential Loss of Life
RRM Risk Reduction Measures

1. Introduction
The UK’s 1974 Health and Safety at Work Act (HSWA) requires those who conduct undertakings
(generally employers) to ensure, So Far As Is Reasonably Practicable (SFAIRP), the health, safety and
welfare of their employees, of self-employed persons under their control, and of third persons (generally,
the public). The HSWA system implies a dialogue between duty holders and an informed regulator. The
burden of proof on the duty holder is defined by a “demonstration on balance of probabilities”, rather than
by “proof beyond reasonable doubt” (the condition used in the criminal law). The term “reasonable
practicability” implies that cost can be taken into account in relation to risk reduction. However, SFAIRP
cannot be pleaded as a defence in a failure to observe good practice, since accepted good practice is, almost
by definition, always “reasonably practicable”. The SFAIRP defence can only arise where good practice is
unclear, or does not fully cover a given situation, or where an inspector is seeking to persuade a duty-holder
to move forward from “good” to “best” practice as technology changes. The term “as low as reasonably
practicable” - ALARP - is identical in meaning to SFAIRP, but is applied particularly where risk in
principle can be quantified. The ALARP can only be demonstrated if the risk is properly assessed,
understood and the results used to determine controls. If a risk had not been identified, assessed and
controlled, it would not be deemed as being managed, even though the risk evaluation might put it in the
tolerable area. Another issue associated with ALARP is the requirement that the set of all risk reduction
measures must be complete before it can be claimed that the risk is ALARP.

1
Though improvements in management of risk are always very important; an equally important engine for
continuous risk reduction is technological advance, which produces greater plant reliability together with
the opportunity to provide better protection at lower cost. In all countries the aim has been to identify good
practice and then standardise it, using legal or other instruments to secure conformity, and acting on the
principle that new methods should at least maintain the existing risk position and if possible improve on it.
In the UK, this approach is represented by the doctrine of tolerability, supported by the SFAIRP/ALARP
principle. Existing good practice is taken as the minimum acceptable position, and the aim, implicit in the
doctrine and in UK law is continuously to identify best practice as it emerges, and then seek to ensure that
it becomes the general “good practice” of tomorrow.

Figure 1 demonstrates the decrease of risk against increasing costs of eliminating hazards. The solid red
curve sloping upward from undesirable to desirable state shows the cost of eliminating hazards. The other
red solid curve sloping in reverse direction shows the cost of clean-up if something goes wrong. The
summation of these two curves gives the total cost of the eliminating all hazard. When risks are very high, a
relatively small investment generally allows reducing risks quickly whereas investments increase
asymptotically when risks are reduced beyond a certain level. The graph shows the point at which an
acceptable threshold of risk mitigation might be settled – stating explicitly that the costs of mitigation will
realistically be too high to achieve a theoretical total abatement of risk. The blue vertical line is set in the
ALARA/ALARP/BACT zone, i.e. a zone where risks are As Low as Reasonably Achievable (ALARA), As
Low as Reasonably Practical (ALARP), or obey to the Best Available Control Technology (BACT)
concept. Needless to say that the definition of these risk abatement levels is not common in many industries.

Risk Total Costs

“Acceptable”
Cost of Failure Mitigation
Threshold

Initial
Costs

Tolerable Residual Risk

Cost of achieving
tolerable Risk

Mitigated Hazards Residual Hazards 100%

Undesirable HAZARD Desirable

Figure 1: Risk and its mitigation costs

2. Risk Based Approach

The purpose of risk management is to ensure that adequate measures are taken to protect people, the
environment, and assets from harmful consequences of the activities being undertaken, while assuring the
activities are economically viable and socially desirable. Risk management includes measures both to avoid
the occurrence of hazards and to reduce their potential harms. Traditionally, risk management was based on
a prescriptive approach, in which the regulator prescribed detailed requirements. This regime has gradually
been replaced by a more goal oriented regime, putting emphasis on what to achieve rather than how to
achieve them. Risk management is an integral aspect of a goal oriented regime and it is acknowledged that
risk cannot be eliminated but must be managed.

2
By far, the use of codified methods is the most common approach in controlling major hazards. Such
methods are based on “deemed to satisfy” solutions laid out in the general guidelines of the codes of
practice. These guidelines (SOLAS, ISO, API, etc.) become mandatory if the prescriptive design method is
used. They are formulated as detailed demands, which affect the equipment & arrangement as well as what
can or must be performed. In the prescriptive design method, fire and explosion protection is often dealt
with in isolation from the other technical areas, and requires some specified passive and active measures
such as classification areas, fire fighting systems, type of equipment that can be used, strengthening and fire
proofing. Generally, trade-offs are not allowed as each of these measures constitute a layer of protection
(defence), since the concept of defence in depth can only be satisfied if all measures considered together.

One compelling reason against prescriptive methods is that their usefulness is based on a certain vision of
how a system works and needs protection. Such vision may be in gross error for new concepts and may
therefore not be very cost effective. Structures constructed today are of a widely varying nature, and the
conditions envisioned in codes may not be appropriate. Adapting a risk reduction strategy for an individual
installation makes way for more cost-effective fire protection measures while retaining the same level of
safety, as compared to a prescriptive design.

Definition of Goals, Systems and Operation Step 0

Preparation

Hazard Identification
Step 1
Hazard Identification
Scenario definition

Cause and Consequence

Frequency Analysis
Analysis

Step2
Risk Summation Hazard Identification

Option to Option to
No No Step3
decrease Is Risk mitigate
frequencies Tolerable Risk
consequences
? Control
Ye
s Step 4
Cost Benefit Analysis Cost Benefit Assessment

Reporting Step5
Conclusions & Recommendations

Figure 2: Risk-based Safety Management

Risk-based design follows the well-established path of quantitative risk assessment. The following steps are
needed to identify the optimal design solution (Figure 2). The common definition of risk (associated with a

3
hazard) is a combination of the probability that hazard will occur and the (usually negative) consequences
of that hazard. The following definition is used in risk analysis:
n
R= ∑P
i =1
fi × C fi

where:
R = risk [fatalities/year];
Pf = probability of failure per year;
C f = consequence of the unwanted event.
Risk is therefore a summation over all possible hazards (scenarios) with their consequences.

2. Accident Statistics
Accident statistics provide one of the most “hard” and reliable data sets available for scrutiny. Available
statistics cover events of differing levels of severity, which include:
• Accidents, defined as events which involve injury and fatality;
• Accidents, defined as events which involve injury;
• Damage incidents, or non-fatal accidents which caused a worker to stay away for more than three
days;
• Incidents, judged as such by workers as serious;
• Incidents, defined, essentially, as near-misses;

While the above are listed in descending order of severity, severity (except for the first one) is a subjective
judgement. There is no universally accepted measure of the severity of these events. It may be judged that
the event just experienced could very well have resulted in a fatal accident or injury but if by chance it did
not; there may be no cost, no damage and possibly even no report. An overall picture of the accident rate in
an industry may be displayed by the Frequency-Consequence diagram as shown in Figure 3. The horizontal
axis is the consequence, in this case in terms of fatalities, N. The vertical axis is the frequency of N or more
fatalities per accident. Figures 3 & 4 are the frequency of fatalities plots in a log-log scale. As it can be
seen, there is an indication of a power law (straight line) relationship.

Figure 3: Comparison of frequency- Figure 4: Comparison of frequency-consequence

consequence curves for full energy chains in curves for full energy chains in non-OECD
OECD countries for the period 1969-2000. The countries for the period 1969-2000. The curves
curves for coal, oil, natural gas, LPG and for coal w/o China, coal China, oil, natural gas,
hydro are based on historical accidents and LPG and Hydro are based on historical accidents
show immediate fatalities. For the nuclear and show immediate fatalities. For the nuclear
chain, the results originate from the plant- chain, the immediate fatalities are represented by
specific Probabilistic Safety Assessment (PSA) one point (Chernobyl); for the estimated
for the Swiss nuclear power [ 1] Chernobyl-specific latent fatalities lower and
upper bound are given. Dashed vertical lines
represent maximum numbers of fatalities in fossil
energy chains [ 1]

4
3. Power Law and F-N curve
The power law distribution for a random variable X is defined as:
α
k
Pr ( X ≥ x ) =   (1)
 x
Where x is a value in the range defined for X , k > 0 is the location parameter and α > 0 is the slope
parameter.

For instance, if X is a random variable representing the number of accidents, and that this variable follows
a power law distribution with parameters k = 0.1 and α = 2 . Then the probability of having more than
one fatality is 1/100, the probability of having 10 or more fatalities is 1/10000 and the probability of having
100 fatalities is 1/1000000.

The Probability Density Function (PDF) may be easily obtained through derivation of Equation 1:
f ( x ) = αk α x −α −1 (2)
The above has infinite mean for α ≤ 1 and infinite variance for α ≤ 2 (these are not rare values for α in
real-world scenarios. For instance, α was found to be approximately 2.1 for earthquakes).

When X is discrete, the distribution is inverse polynomial:

 1 
Pr ( X = x ) = C  α +1  (3)
x 
and therefore:

ln (Pr ( X = x )) = (− α − 1) ln x + ln C (4)

Equation 4 is useful for visualizing the PDF and for determining α using linear regression of the sampled
data.

Power law distributions are also called scale free distributions since they are invariant with scale. For
example, if k is arbitrary and α = 2 , then as before 1/100 events leads to more than one fatality, 1/10000
event would lead to more than 10 fatalities and 1/1000000 of events would cause more than 100 fatalities,
regardless of scale. Only power law distributions have this property.

Figure5: Fig. 6. Some international standards in F-N format

F (n ) = P( N d ≥ n ) < An − k require
ment for one year (from ISO
2304).

5
The societal risk to human life is often expressed as a power law (see for instance ISO 2394).

F (n ) = P( N d ≥ n ) < An − k (5)
Here N d is the number of fatalities in a year in one accident. The value of A may range from 0.001/year to
1/year and the value of k from 1 to 2. A is the tolerable risk for one fatality, n = 1 . Two examples of F-N
curves are shown in Figure 5 and 6.

Curves with a slope of k = 1 are called risk neutral. If the steepness of the curve is k = 2 , the standard is
called risk averse. In this case larger accidents are weighted more heavily and are thus only accepted with a
relatively lower probability. Figure 6 shows some national standards. Note that the curves used by the
Hong Kong and UK standards have a slope of 1, whilst for Danish and Dutch standards a curve with slope
of 2 is used.

Fore F-N curves, FN is the frequency of N or more fatalities while f N is the frequency of exactly N
fatalities. Equation (5) can be re-written as:
FN = F1 N b (6)

4. Construction of societal risk criteria on f-N curves

Societal risk criteria were introduced as a measure of how much risk society, rather than the individual, can
tolerate as a result of a specific activity. For example, an individual risk of 10-4 for a population of 10 will
result in one death in the next thousand years. The same risk for a population of one million will result in
100 fatalities during the next year. Is society willing to accept such a death toll? What if those 100 fatalities
were caused due to one single event? Would that make any difference in society’s decision? These are the
kind of questions that societal criteria try to answer.

Societal risk criteria are closely associated with f-N curves. Such curves plot the cumulative frequency of N
or more fatalities against the number of fatalities, N, in a log-log diagram. The criterion lines are applied as
straight lines on the log-log plot which include both upper and lower bounds. Between the two, the ALARP
principle applies. Risks above the upper bound are considered intolerable and should be reduced at all costs.
Risks below the lower bound are considered very small for any risk Reduction Measures to be applied.
Inside the ALARP area, risks are reduced to the extent that it is practically possible. What is practically
possible is currently determined through cost-benefit analysis.

Literature offers two ways of determining the upper bound line. Both consist of defining one point and then
drawing a line that passes from this point with a slope that has been pre-decided. In both cases the limit line
is of the form of Equation (6). One approach makes use of the so called ‘anchor-points’. Those are points
on the F-N curves that represent experts’ judgments on what risks can be tolerated by society and often
reflect the amount of risk that has been tolerated in various circumstances. Quite a few anchor points have
been used over the years, such as the Canvey point and the ACMH point. One of the most recent and
important anchor points is the R2P2 criterion that states that ‘accidents resulting in 50 or more fatalities
should happen no more often than once in 5000 years’ [2]. On an F-N diagram this translates to the point
(50, 1/5000).

The second method relies on mathematical formulation in order to calculate the upper bound of acceptance
for fatal accidents for a specific activity, hence the definition of F1 . Vrijling [9] proposed an upper bound
F1 as,

2
 β × 100 
F1 =  i  (7)
 k × NA 

6
where, β i ∈ (0.01, 100) is an indicator of the degree to which the individual voluntarily takes part in an
activity. Activities with a large degree of voluntariness such as mountaineering suggest large β i . Hence
activities with little or no voluntariness suggest respectively smaller β i ; k is an index of the law-makers
risk aversion (the proposed value is 3); N A is the number of independent installations (for the offshore
industry this would mean the total number of installation in the region).

5. Implied Cost of Averting Fatality (ICAF)

Allowing some level of risk to persist in return for economic benefits implies putting a finite value on
human life (or at least health). Some consider this to be inappropriate as human life is invaluable. The
ALARP principle is under increased pressure as it requires all costs and benefits to be expressed in
monetary terms. In the context of a market economy, it transforms the vague ethical concept of safety into a
good with a price worth paying. In practice the majority of risks fall in the ALARP region, and should
therefore be managed to be as low as reasonably practicable. The cost benefit analysis focuses on the
market price, but prices are influenced by the geographical region of the world, or even within a single
country.

The cost, or investment made to save an additional life (the investment divided by the decrease in expected
number of fatalities due to the action) is known as Cost of Statistical Life saved (CSL), or Implied Cost of
Averting one Fatality (ICAF). The ICAF value seems to be able to serve as a valuation of human life, as it
indicates the willingness to pay for the saving of a life. The problem with this approach is that the resulting
ICAF values differ widely across the globe. ICAF is neither a value placed on a human life nor the amount
of compensation for an accidental loss of life paid by insurance or as the result of legal proceedings. Rather,
ICAF is the cost of achieving an increment of life safety risk reduction. For example, the ICAF for
reducing the risk to an individual by 1 in 10 000 per year at an annualised cost of $1 000 per year is $10M
= $1000/ (1/10 000).

Some researchers suggest that an objective method is to use the present value of the Net National Product
(NNP) per capita of the country of operation (Net National Product = Gross National Product (GNP) minus
depreciation). For the UK the NNP per head equals approximately $ 27,000 per year. Thus, the value of a
human life, being the present value of this amount over an average lifetime of, say, 75 years, is estimated in
the range from $ 750,000 to $ 1,500,000, depending on the real rate of interest - this is similar to what is
used in the UK for ICAF. The consequence of this approach is that the value of human life in a developing
country is considerably lower.

To put a monetary value to human life, there are two main methods in use: the human capital method and
the willingness-to-pay method. In the human capital approach, the major component of the cost of a fatality
or injury is the lost economic output of the victim. The principle objection to this approach, is that most
people do not value their life for its contribution to economic output, but rather because it has intrinsic
value to them and to their relatives. In that case, the value of safety, or of reductions in risk to life, should
be taken to be the amount that people are willing to pay for it, i.e. the willingness-to-pay approach.

An important concept which helps to quantify the necessary investments into safety i.e. the investments to
save human lives (Nathwani, [6]), has recently generated increased interest. The concept is based on a
social indicator that reflects the quality of life in a society or group of individuals in terms of an
individual’s contribution to GNP, life expectancy, time for enjoyment of life, such as the Human
Development Index or Life Quality Index L, [10]. The Life Quality Index L is a compound societal
indicator, which is defined as a monotonously increasing function of two aggregated societal indicators,
namely the gross domestic product per person per year g, and the life expectancy at birth e:
L = g w e1− w (8)
The exponent w is the proportion of life spent in economic activity. In developed countries is assumed
that w = 1 / 8 . The Life Quality Index Criterion for acceptable risk implies that an option is preferred or

7
accepted as long as the change in the Life Quality Index owing to the implementation of the option is
positive. As an example, consider the safety of a railway tunnel and the marginal cost of improving this
safety by the implementation of a particular measure (such as a service tunnel). The improved safety by
implementation of this measure is expressed through a positive change ∆e in the life expectancy e. The
cost of implementing the measure is expressed through a change ∆g in the gross domestic product g. The
Life Quality Index Criterion implies that the measure is implemented when:
∆e ∆g w
>− × (9)
e g 1− w
This is obtained by differentiation of the expression that defines the Life Quality Index L and by requiring
∆L > 0 . Optimality is achieved when the inequality of the Life Quality Index Criterion is turned into an
equality, as then the implementation of the considered option implies that status quo is just maintained
(indeed, the implementation of a safety measure that is less cost-effective than the optimum would lead to a
reduction of the Life Quality Index). Implementation of a safety measure has several consequences
including one or more averted fatalities, which imply a number of life years saved i.e. an increased life
expectancy ∆e . It also implies a cost due to the investment in the safety measure. This cost is expressed as
a change ∆g in the gross domestic product. Consider now the prevention of one fatality. Under the
assumption that the remaining life of an arbitrary individual in a population at a given point in time on
average equals half the life expectancy e at birth, the number of years saved by averting one fatality is
given by ∆e = e 2 . According to the Life Quality Index Criterion, the upper limiting value on the
reduction in the gross domestic product then becomes

g w g w
∆g max = × ∆e = (10)
e 1− w 2 1− w
With reference to the definition of g as the annual gross domestic product per person, this can be
interpreted as the optimum acceptable cost per life year saved, and the optimum acceptable implied cost of
averting a fatality, ICAF, can then be calculated as

ge w
ICAF = ∆g max
⋅ ∆e = (11)
4 1− w
Table 1 shows gross domestic products g and life expectancies e together with derived optimum acceptable
implied costs of averting a fatality ICAF for a few developed countries in 1998 for w=0.125. As a
consequence the acceptable risk associated with a long railway tunnel project depends on the specific
characteristics of the project. Major safety measures such as service tunnel, rescue stations etc. can be
selected on the basis of the ICAF criterion.

Country GDP ($/capita) Life Exp. at Birth (years) ICAF ($M/year)

UK 27,700 78.27 3.794
USA 37,800 77.43 5.122
Germany 27,600 78.54 3.793
Norway 37,700 79.25 5.229
China 5,000 71.96 0.630
Japan 28,000 81.04 3.971
Luxemburg 55,100 78.58 7.577
Tanzania 600 44.39 0.047
World 8,200 64.05 0.919

Table 1 GDP, Life Expectancy and ICAF (From CIA Fact book 2003 - estimated)

8
Figure 7: Comparison of values of implied cost of averting a fatality between the years 1984 and 1994
and between various countries [8]

The Life Quality Index Criterion for acceptable risk implies that an option is preferred or accepted as long
as the change in the Life Quality Index, because of the implementation of the option, is positive [8]. The
Life Quality Index contains indicators such as GDP/capita and life expectancy at birth. As a risk control
option using these two indicators, an optimum acceptable NCAF can be derived, and as GDP and life
expectancy vary between countries there are variations in NCAF. Within OECD member countries with
sustained memberships (representing some 95% of the global GDP), the variation is not very large as
shown in Figure 7.

It should be noticed that a CAF acceptance criterion of $3m based on the average value for years 1984-
1994 as shown in Figure 7. In Figure 7, the average ICAF (for all OECD countries) for the above
mentioned period is at about $2.7M.

Based on the above, a NCAF criterion of $3M or £2M was proposed for use in international regulations, in
cases where the risk of injuries and ill health, in addition to the risk of fatalities, are also considered. The
NCAF criterion is updated every year according to the average risk free rate of return (some 5%).

6. Cost-Benefit Analysis Method

Since CBA determines a monetary equivalent of each benefit and dis-benefit in a decision problem it is also
capable of making comparisons of these benefits through time. The mechanism of discounting with a
yearly discount rate to take into account the notional loss (or gain) of interest accrued through time enables
the analyst to determine the net present value (NPV) of each benefit and dis-benefit. The preferences of the
decision maker (society in this case) are determined substantially by the choice of discount rate. Discount
rates have the property of reducing large future differences to almost negligible present value differences.
For long periods, the discounting rules of CBA give outcomes that often seem unreasonable and in
contradiction with other legal requirements. It should also be noted that actual discount rates are non-
constant and highly uncertain.

Although most risk control and reduction measures safety risk treatments reflect the implementation of
good practice or contemporary technology, there are often numerous options available for controlling a
particular risk. For example, a state-of-the-art gas detection system may represent both good practice and
current technology. There are always numerous risk reduction measures with varying degrees of
effectiveness in reducing risk and cost. In other words, the cost of an option may be grossly
disproportionate to the benefits.

Benefits (in monetary terms) and costs at various times during the economic lifetime of an installation are
not directly comparable. One method of comparing investments where payments are made at different

9
times is the net present value method. The net present value method is based on the assumption that there is
a yield requirement on the capital. If the capital is not tied up in the installation from the beginning, it can
be used for other investments. This transformation is done with the aid of an interest rate calculated for
costing purposes. The real rate of interest for calculating purposes reflects the yield requirement, and also
takes inflation into account, see Equation(12). This is a variable that determines how advantageous it is to
postpone payments to a later date.

 1 + rc 
r =   − 1 (12)
 1 + rinf 

r =real or effective interest rate

rc = Interest rate for costing
rinf =Rate of inflation

Despite the fact that a relationship can be defined between the two rates of interest, it is difficult to find a
rate of interest suitable for use in investment calculations, as both the future interest rate calculated for
costing purposes and inflation are uncertain. In cost-benefit analyses, a real interest rate ranging from 5 to
7% is used for costing purposes. In the UK a value of 6% is adopted for rc , and rinf is assumed to be 4%.

7. Disproportionality factor
The consideration of costs relative to benefits requires a value judgement to be made. Case law indicates
that duty holders should err in favour of making the expenditure on risk controls. The decision to not act
should only be made where the likelihood of injury is remote or the cost is so disproportionate to the
potential benefit that it would clearly be unreasonable to require the expenditure. It is not required to
implement every possible measure to eliminate or reduce risk. It is up to the duty holder to demonstrate (or
be in a position to demonstrate) that the cost of additional risk reduction measures (over and above
measures already in place) would be grossly disproportionate to the benefit of implementing these
additional measures.

10
 Risk cannot be justified except in extraordinary
circumstances. Even then, control measures must
be introduced in order to drive the residual risk in
this region towards the ALARP region.

Intolerable Boundary
10
If residual risk remains in this
9
region, and society desires the
8 benefit of the activity, the
residual risk is tolerable only if
If risk is further risk reduction is
6 here impracticable or requires action
that is grossly disproportionate
4 in time, trouble and effort to the
reduction in risk achieved
3
2 If risk is
Broadly Acceptable Boundary
here
DPF Level of residual risk regarded as insignificant
and further effort to reduce risk not likely to be
required as resources to reduce risks likely to
be grossly disproportionate to the risk
reduction achieved

Figure 8: Disproportionality factor

Example

Consider a hypothetical case where five Risk Reduction Measures (RRM) have been identified (Table 2)
and where the risk assessment assuming each one in place has been performed (Figure 9).

RRM1 would reduce risk to below the tolerable level for 10 fatalities. However, the combined RRM2 to
RRM5 (assuming no overlap) would not reduce risk to below the tolerable level. Generally there are
overlaps between measures.

PLL ∆PLL Cost ICAF($M)

Base Case 2.76E-02
RRM 1 2.60E-03 2.50E-02 300000 12
RRM 2 1.76E-02 1.00E-02 30000 3
RRM 3 2.56E-02 2.00E-03 7200 3.6
RRM 4 2.56E-02 2.00E-03 8400 4.2
RRM 5 2.66E-02 1.00E-03 80000 80

Table 2: Five risk reduction measures for this example.

Now consider that RRM1 is implemented and it is required to demonstrate that the risk is ALARP. Another
Quantitative Risk Assessment (QRA) analysis yields the ∆PLL for RRM2 to RRM4 (assuming one
implemented at a time). There is no point to pursue RRM5, as the corresponding ICAF is significantly
higher than for the other measures. Table 3 presents the results for the second analysis.

11
 Sequential implementation of Risk Reduction
Likelihood of N or more fatality Measures
1.00E+00
1.00E-01
1.00E-02
1.00E-03
1.00E-04
1.00E-05
1.00E-06
1.00E-07
1.00E-08
1 10 100 1000 10000
Fatality

Broadly Acceptable Tolerability limit The base Case

RRM1 RRM4

Figure 9: F-N diagram for Example.

PLL ∆PLL Cost ICAF($M)

New base case 2.60E-03
RRM 2 1.10E-03 1.50E-03 30000 20.0
RRM 3 1.29E-03 1.31E-03 7200 5.5
RRM 4 1.07E-03 1.53E-03 8400 5.5

Table 3: Risk analysis results for Example after implementing RRM1

Both RRM3 and RRM4 give ICAF equal to 5.5, but RRM4 reduces risk more than RRM3 and hence it will
be chosen for implementation.

RRM2 should be dropped as its ICAF will increase. The only remaining option is RRM3. Table 4 shows
the effect of its implementation (accounting for the implementation of RRM1 and RRM4).

It can be seen that implementation of RRM1 and RRM4 has reduced the effectiveness of RRM3 to the
extent that the ICAF is 60. It is concluded that the risk is ALARP for this design; provided $3M is
applicable for this case.

PLL ∆PLL Cost ICAF($M)

New base case 1.07E-03
RRM 3 9.53E-04 1.20E-04 7200 60.0

Table 4: ICAF for RRM3 of Example

8. A Case Study
An existing production platform which is bridge linked to another platform is undergoing major
modification for addition of new equipment. This platform will act as a hub for new developments which
will be tied back to it. Consequently more potential leak sources will be added which could lead to
enhanced risk of fire and explosion and hence requires risk reduction measures to mitigate risks.

12
The relevant regulations set a maximum limit on the frequency of annual impairment either for Temporary
Refuge-TR- (and means of escape) or individually for each type of hazard. The goal is to make rescue
possible in the case of an extreme event. In general, existing platforms undergoing refurbishment trigger re-
certification but it is not generally required to comply with the current regulations. The ALARP approach
to risk is a very useful tool to generate all possible options and determine their effectiveness. The ALARP
principle, with its flexibility, can assure that all risk reduction measures are identified and implemented as
far as they are reasonably practicable.

8.1 Basic Assumptions and data

This ALARP evaluation only addresses the aspect of adding new equipment and ancillary piping. The
platform has been in operation since 1992 and no major incident has been reported since then. The
following assumptions are made:
• Interest rate 6% (inflation adjusted)
• Remaining service life 30 years
• Persons on Board (POB) 45
• 100,000 bbl
• Cost of averting one fatality is $2M and increases by 4% annually
• Taxes and insurance not considered

The intention of a risk assessment is to identify all risks and ways of dealing with them, and finally to
determine the residual risks and assuring they are below the tolerable level. Dealing with risk requires
addressing the following questions:
• Have all regulatory requirements been satisfied?
• Have all local authority requirements been satisfied?
• Have all company’s requirements been satisfied?
• Have all project requirements been met?
• Are risks comparable with other company’s installations, worldwide or in the region?
• Are all current good practices met?
• Have adequate reliability, robustness and resiliency been built into the concept?
• Are recommendations of current codes and standard satisfied?
• Are safety critical element are tested and qualified?
• Have the principles of sound engineering judgment been followed?
• Is the chosen solution inherently safe?
• Have the best available technologies been used?
• Has cost-benefit analysis proved that the “best” solution has been adopted?
• Is there a programme for continuous improvement in place?
• Is there a credible plan to deal with emergencies?
• Are the allocated sources to deal with emergencies adequate?
• Etc.

The first two columns of Table 5 gives the results of QRA organised in ascending order of fatalities. The
third column gives the likelihood of N or more fatalities. A plot of the first column against the third column
(the F-N curve) is given in Figure 10 using log-log scale (shown as dots). Lines of ‘Broadly Acceptable’
and ‘Tolerability Limit’ are also shown in the figure.

It can be seen that f-N for this installation falls within the ALARP region. Adding new equipment would
aggravate the problem, but the new f-N curve (dots in Figure 10) is still remains in ALARP zone.

The purpose of this exercise is to show that risks are ALARP. The existing condition is used as the base
case, which gives a slightly higher estimate of ∆PPL as compared to using the situation where new leak
sources are introduced as the base case.

13
Inspection of Figure 10 shows that having 10 and more fatalities is closer to the tolerability limit as
compared to the other points. This situation can be seen more clearly using the F-N curve shown in Figure
11. Further investigation reveals that this anomaly is due to 10 workers becoming causalities as a result of
unavailability of the escape route due to heat and smoke.

Base case After Implementation of Option 3

Fatality, Likelihood Likelihood of Likelihood of N Likelihood of N,
N and of N N, or more, fatality (after or more (after
more fatality fatality (Base implementation implementation
(Base Case) case) of Option 3 ) of Option 3)
1 1.25E-03 2.83E-03 1.25E-03 2.05E-03
3 2.45E-04 1.58E-03 2.45E-04 7.98E-04
4 1.95E-04 1.34E-03 1.95E-04 5.53E-04
6 1.20E-04 1.14E-03 1.20E-04 3.58E-04
8 7.50E-05 1.02E-03 7.50E-05 2.38E-04
10 8.50E-04 9.48E-04 6.50E-05 1.63E-04
12 6.00E-05 9.78E-05 6.00E-05 9.78E-05
18 2.50E-05 3.78E-05 2.50E-05 3.78E-05
24 4.00E-06 1.28E-05 4.00E-06 1.28E-05
27 3.50E-06 8.75E-06 3.50E-06 8.75E-06
30 2.00E-06 5.25E-06 2.00E-06 5.25E-06
34 1.50E-06 3.25E-06 1.50E-06 3.25E-06
38 1.00E-06 1.75E-06 1.00E-06 1.75E-06
45 7.50E-07 7.50E-07 7.50E-07 7.50E-07

Table 5: Results of quantitative risk assessment of the case study installation

f-N Curve

1.00E+00

1.00E-01
Frequency of N or more fatalities

1.00E-02

1.00E-03

1.00E-04

1.00E-05

1.00E-06

1.00E-07

1.00E-08
1 10 100
Number of fatality (N) per accident

Broadly Acceptable
Tolerability Limit
f-N for the original case
f-N afetr adding equipmnet and imrovment

14
Figure 10: F-N diagram of the case study. The base case is shown as dots and the improved case is
shown by solid blue line with crosses.

Frequency of N Fatality
1.00E+00

1.00E-01
Frequency of N fatalities

1.00E-02

1.00E-03

1.00E-04

1.00E-05

1.00E-06

1.00E-07

1.00E-08
1 10 100
Number of fatality (N) per accident

Esxiting case isorisk

Figure 11: Frequency of N fatality

The Hazard Identification (HAZID) process identified that the availability of escape routes is a major
contributor to the risk as they may be impaired in several ways e.g. severe structural distortion due to
explosion would make them inaccessible, or extreme heat and/or dense poisonous smoke make them
unusable. It is also possible that fire blocks access to or from the TR. Figures 12 and 13 show this higher
than usual contribution to the accident. These figures show that the main sources of risk are located on the
lower deck. The contribution to fatalities during escape, evaluation and rescue (EER) is quite high and is
dominated by the unavailability of an escape route.

Contribution to risk from each deck

Relative Contribution

100%
80%
cellar Deck
60%
Interm. Deck
40%
upper deck
20%
0%
fire explosion
Hazard

Figure 12: Fire and explosion contributions to risk

15
 Distribution of Fatality

100%
90%
Relative Contribution

80%
70% Cellar deck
60% Intermediate
50%
40% Upper deck
30%
20%
10%
0%
EER fatality Immediate
falaity
Source of Fatality

Figure 13: Immediate and EER fatalities distribution

A number of risk reducing measures (RRM) were identified, and the following RRM were the most
promising:

• Reduction of leak sources by replacing bolted flanges with welded ones

• Opening up the cellar deck area, but only limited opportunity exists
• Protective cladding for the escape routes
• Addition of free fall lifeboat
• Change the blow down and deluge policy
• Change the rescue and evacuation policy, e.g. create additional escape route and TR.

In order to offset any increase in capital costs by possible savings in operational costs, all attempts should
be made to identify possible technical and/or operational improvements for the installation as these may
contribute to risk reduction without substantial capital/operational costs, or other operational drawbacks.

When all measures that may fulfil the above criteria have been exhausted, the following assessments should
be made for these alternatives:
• Overall expected net present value of all costs and income per fatality averted
• Cost distribution (material damage and delayed/deferred production income) for relevant years,
given the occurrence of a major accident, with respect to scenarios which are influenced by the
measures being considered
• Overall expected net present value of all costs and income per statistically expected reduced clean-
up costs
• Cost distribution (clean up costs, compensation claims, etc.) for relevant years, given the
occurrence of a major accident, with respect to scenarios which are influenced by the measures
being considered
• Loss of reputation given the occurrence of a major accident or major oil spill, with respect to
scenarios that are influenced by the measures being considered.

The values which are computed above may be compared to reference values, if stated, for:
• Cost per fatality averted;
• Cost per statistically expected 1000 tons of reduced oil spill;
• Maximum loss that the company is able to survive in one single year.

Finally, whether higher limits may be adopted under special circumstances should be considered:
• Higher costs per averted statistical life lost, if the initial risk level is high
• Higher costs per statistically expected 1000 tons of oil spill, if the initial environmental risk is high

16
• Higher costs per statistically expected 1000 tons of oil spill, if the areas that may be exposed to
spills are particularly sensitive.

The present ALARP evaluation is limited to protection of escape routes in case of fire, and is thus limited
to personnel safety. Environmental risk is therefore not addressed in this case study.

8.2 Reduction of leak sources

Reduction of leak sources would require replacing the majority of flanged connections in the process area
with welded connections. This would be particularly important in the crude oil export pumping area, which
is the main source of fire risk relatively to the escape ways.
Removal of leak sources is in accordance with good practice and codes & standards. However, an
evaluation of this option should emphasize its implications as it would involve very extensive
modifications of the process systems. There would be large amount of hot work in the process area and
some of it could not be conducted in a shut down and depressurised condition. It is therefore considered
that the increase of risk during modifications is substantial, and would likely be considerably higher than
the risk reduction per year.
It was noted that a reduction of the impairment risk by 95% is required to move to below the limit of 10-4
per year; this means that leak frequencies also need to be reduced by 95%. It was also noted that export
pumps are important leak sources, and that the relevant leak scenarios are almost impossible to eliminate. It
became clear that, it is unlikely that this option will provide the necessary risk reduction. As it would also
substantially increase the risk during implementation of modifications, this option is therefore not
recommended for further study.

8.3 Passive Measure

It is possible to implement a number of measures to control the impact of an accident (fire and blast for this
study), which are listed below.

8.3.1 Relief Panels in the cellar deck area and application of deluge on gas detection
The platform is in a cold region and openings would aggravate the working environment. It is however
possible to add blast relief panels which reduce the blast severity. Although the addition of blast relief
panels is in accordance with good practice, its effect on fire likelihood is marginal. Activating the deluge
system, immediately after gas detection, would inevitably lead to some unnecessary water release requiring
clean up and shutdown of production during false alarms.

8.3.2 Protective cladding of the escape routes and improvement of the blowdown system
Installation of protective shielding that can withstand blast overpressure on existing escape routes would
prevent smoke ingress into the enclosed escape routes. This option certainly fulfils relevant requirements.
Shielding and overpressure protection of exposed escape routes are commonly used on offshore production
systems. The protective shielding may be a good solution to resist high heat loads, but it needs to be
combined with against smoke ingress as well as overpressure protection in order to ensure that the escape
routes are not made unusable due to excessive distortion or smoke ingress.

This option tuned out to be the favourite solution and its effect on risk has been calculated and the results
are as shown in Table 6. It can be seen that this option leads to a substantial reduction in the impairment
frequency of escape routes and also reduction of PLL is reasonable.

8.3.3 Addition of free fall lifeboat

Installation of freefall lifeboats (two boats for redundancy purposes) may reduce the need to use escape
routes in case of fire. This is not usually a preferred solution, but may act as a compensatory measure if no
other solution can be found. Obviously, the protection of escape routes is unchanged, but the need for
escape to the shelter area will be theoretically reduced. This is more a theoretical solution than a practical
one. For escape purposes, escape over bridges to a shelter area on a separate installation is distinctly
preferable to using lifeboats, including freefall lifeboats.

8.3.4 Addition of another escape route

17
Provision of an additional escape route with sufficient shielding is the ultimate solution. This is the best
solution for a new installation, but it may not be practical to alter an existing installation. Another
advantage of the additional escape route is building redundancy into the design, as it would be unlikely for
both escape routes to be impaired at the same time, especially when one of these is thoroughly protected.

The effect on risk has been calculated, and the results are presented in Table 6. The provision of an
additional escape route leads to a substantial reduction of the impairment frequency of escape routes, and
also a substantial reduction in PLL value.

Likelihood of being Initial Maintenance

a fatality for a Cost & Running
Options Description group ten ($M) /Year PLL
Base Case 9.50E-04 9.50E-03
Option1 Do nothing 9.95E-04 9.95E-03
Add Relief panels &
Activation of
Option2 Deluge system 7.93E-04 $ 1.385 0.0045 7.93E-03
Protection around
escape routes &
Option3 Blow-down 3.90E-05 $ 1.835 0.0035 3.90E-04
Additional escape
Option4 route 9.45E-06 $14.750 0.004 9.45E-05
Table 6: Incremental reduction of fatalities following implementation of various options

The Gross Disproportionality factor corresponding to the level of risk for 10 or more casualties is about 5.9
(Figure 14). Hence the ratio of cost to benefit should be less than 5.9 to be cost effective. Table 7 shows
that only Option 3 is close to this requirement (with a CB ratio of 6.86, which is just outside what is
considered to be cost effective). As the choice is not a clear cut, one needs to examine parameters
uncertainties.

If the number of people at risk is 12 rather than 10 (20% error) the cost benefit ratio drops down to 5.7. The
same statement is true if the cost of averting one fatality goes up by 20% or the cost of implementing RRM
reduces by 20%. One also should examine the rules used in QRA to determine the likelihood and
consequence. It can be seen that the margin for rejecting Option 3 is very narrow and accounting for usual
uncertainties would make this option acceptable. Accounting for parameter uncertainties for other options
would not make them cost effective.

Options ∆PLL PV of cost ($M) PV benefit ($M) CB ratio

Base Case 0 0
Option1 0 0
Option2 1.57E-03 1.45E+00 4.75E-02 30.57
Option3 9.11E-03 1.89E+00 2.76E-01 6.86
Option4 9.41E-03 1.48E+01 2.85E-01 52.01

Table 7: Cost benefit analysis for all options

18
 Disproportionality Factor (DPF)
-2
Intolerability boundary (10 )
10.00
9.00
8.00
7.00 -4
Initial Hazard (9.50x10 )
6.00 DPF=5.91
DPF

5.00
4.00 -4
Final Hazard (1.63x10 )
3.00
2.00
1.00 -4
Broadly Acceptable (10 )
0.00
1.00E-04 1.00E-03 1.00E-02
Likelihood

DPF Profile Final Position

Boradly Acceptable Tolerability Limit
Initial position

Figure 14: Determining the Disproportionality Factor (DPF)

Implementing Option 3(i.e. shielding around scrape routes) would reduce the likelihood of 10 fatalities to
1.63E-04. The last two columns of Table 5 show the likelihood having N fatalities, and N and more
fatalities. This is also shown in Figure 10 as the solid blue line (with crosses). It can be seen that the new f-
N curve is much closer to the broadly acceptable line. Other solutions identified here are too costly for the
benefit they provide, hence other options, as listed in Table 7, would not be cost effective.

10. Discussion and Conclusions

In order to demonstrate that a risk is ALARP, it is necessary to demonstrate that applying further credible
risk reduction methods is not practicable. To do this, it is first necessary to identify all credible risk
reduction methods, with such task being a group activity (analogous to HAZOPS). Then, a significant
problem is that applying the ALARP principle fully and accurately can be expensive (just to determine the
ALARP status of risks and not even actually reducing risks by for instance re-designing a system). This is
because accurately determining the cost and benefit of risk reduction can be difficult and time-consuming.
To counteract this, demonstrating that risks are ALARP should be in two stages. The first stage should be a
relatively inexpensive and quick assessment to identify risks that can quickly and clearly be shown to be
ALARP. For the risks which cannot quickly be shown to be ALARP, either because they probably aren’t or
because they are marginal, detailed costing and risk analyses would be carried out in a second stage.

The following aspects of ALARP require attention:

1. The concept of tolerability can only fully address risk conditions where some quantitative estimate
of existing or future risks can be made either by applying QRA or on the basis of historical accident
frequencies. QRA also involves a considerable margin of uncertainty (Yasseri [10]).
2. Judgement using the ALARP principles must not be allowed to override considerations of “good”
or “best” engineering practice.
3. Regulatory framework - An ALARP regulator needs to be technically competent to conduct the
necessary dialogue, and the regulatory framework, including the applicable laws, must encourage
discretionary and judgmental decision-making.
4. Indeterminacy of ALARP - ALARP decisions are often judgmental rather than determined by
some precise rule or criterion, and ALARP can be open to difficulties and problems less apparent in more
dogmatic approaches.
5. Cost escalation - Because ALARP insists on the possibility that more can be done to achieve
safety, it has sometimes been accused in the UK of driving up industrial costs. It is in fact not proven that

19
 properly administered ALARP system imposes higher costs than more “directive” systems, and using
ALARP provides greater scope for discussion before costly action is required.
6. ALARP was criticised as less suitable for smaller firms who are said to need a more “directive”
approach. HSE’s view is that guidance to small firms can be simplified and made explicit, and many such
guidance documents now exist. However, no guidance can deal with all situations. Thus, no company,
irrespective of its size, can be excused from the duty of taking common sense view of the hazards in its
establishment and implement necessary precautions.

The process for determining the reasonable risk reduction measures includes a comparison of the additional
cost (in terms of time, money and effort) to reduce risks to a demonstrably lower level. This is a complex
but well established safety process. Some operators have put forward proposals for accepting a higher level
risk within their safety case due to an escalation of cost and this process is known as “reverse ALARP”.
The legal requirement to reduce risks to ALARP would prevent the regulator from accepting a less-
protected approach for the control of risks on the grounds of reducing cost. Upgrading a facility will
inevitably increase the hazards. The expectation is the upgrade should not increase the total risk above what
it was before. That is the ALARP process cannot be used to justify an increase in risk by arguing the cost of
improving the upgrade is prohibitive.

11. References
1. Burgherr, P. and Hirschberg, S., Comparative Assessment of Natural Gas Accident Risks, PSI
Bericht Nr. 05-01 January 2005 ISSN 1019-0643.
2. HSE (2001), “Reducing Risks, Protecting People”, HSE Books & Publications, 2001. HSE
(Health and Safety Executive). 2002a. The Health and Safety System in Great Britain. HSE Books, Her
Majesty’s Stationery Office, London, England
3. HSE (Health and Safety Executive). 2002b. Principles and Guidelines to Assist HSE in its
Judgments that Duty -Holders Have Risk as Low as Reasonable Practicable.
http://www.hse.gov.uk/dst/alarp1.htm.
4. HSE (Health and Safety Executive). 2002c. Assessing Compliance with the Law in Individual
Cases and the Use of Good Practice. http://www.hse.gov.uk/dst/ alarp2.htm.
5. HSE (Health and Safety Executive). 2002d. Policy and Guidance on Reducing Risks as Low as
Reasonably in Design. http://www.hse.gov.uk/dst/alarp3.htm.
6. Nathwani J.S., Lind N.C. and Pandley, M.D., (1997). Affordable Safety by Choice: The Life
Quality Method, Institute for Risk Research, University of Waterloo, Canada.
7. Rackwitz, R. 2004, Sustainability and Risk-based Optimization of Lifecycle Cost for Civil
Engineering Infrastructures1, In Proceedings of ASRANet 2004, Barcelona, June 2004.
8. Skjong, R. (2005), “Safety Assessment and Risk Acceptance Criteria”, Training Course on Risk-
Based Ship Design, Glasgow, UK
9. Vrijling, J.K. (2004), “A Framework for Risk Criteria for Critical Infrastructures, Fundamentals
and Case Studies in the Netherlands”, Journal of Risk Research, Vol. 7
10. Yasseri, S., (2004), Costing for ALARP, OMAE 2004.

20

View publication stats