Front End Engineering
Consultancy
UNACCEPTABLE>10⁻³/yrALARPtolerableBROADLYACCEPTABLE<10⁻⁶/yrrisk ↑risk ↓GDP factor 3:1 → 10:1Edwards v NCB · HSE
Back to Blog
EngineeringSafetyProject Management

ALARP Demonstration in Practice

Ian Bissett··10 min read

Introduction

The acronym ALARPAs Low As Reasonably Practicable — is one of the most consequential phrases in the safety case lexicon. Originating in UK case law (Edwards v National Coal Board, 1949) and codified by the Health and Safety at Work Act 1974, it is the expected standard of risk reduction for any hazard that is not already negligible. The regulator (in UK offshore, the HSE) does not accept "we built it to the standard" as a safety case; the operator must demonstrate that all further reasonably practicable measures have been taken to drive the risk down.

The demonstration is where engineering and law collide. ALARP is not a calculation; it is an argument supported by calculations. Done well, it gives the regulator confidence that the asset is being run responsibly. Done poorly, it reads like a justification for not doing something — and is rejected.

This post walks through the structure of an ALARP demonstration as actually built in practice: the carrot diagram, the cost-benefit analysis with gross disproportion factored in, the role of good practice and recognised standards, and the documentation that turns it into a defensible safety case argument.

The Tolerability of Risk Framework — The Carrot Diagram

UK safety case practice frames risk in three regions, often drawn as the carrot diagram:

  • Unacceptable region — risks so high that no business or social benefit justifies them. They must be eliminated regardless of cost. (For workers, the boundary is conventionally 1 × 10⁻³ per person per year for fatal risk.)
  • Tolerable region (the ALARP region) — risks that can be accepted only if all reasonably practicable measures have been taken to reduce them. The carrot narrows in this region; the further down you go, the easier it is to demonstrate ALARP.
  • Broadly acceptable region — risks so low that no further action is required. (Conventionally below 1 × 10⁻⁶ per person per year.)

The ALARP argument applies to any risk that falls in the middle region. If your quantitative risk assessment (QRA) puts the individual risk to a worker at 4 × 10⁻⁵ per year — tolerable on its face — the operator still has to demonstrate that every reasonable measure to drive it lower has been considered and implemented or rejected with justification.

What "Reasonably Practicable" Actually Means

The Edwards v NCB judgment defined the test:

"Reasonably practicable" is a narrower term than "physically possible" and seems to me to imply that a computation must be made by the owner in which the quantum of risk is placed on one scale and the sacrifice involved in the measures necessary for averting the risk (whether in money, time or trouble) is placed in the other.

In modern practice, that is a cost-benefit comparison with one critical asymmetry: gross disproportion. The cost of the measure must be grossly disproportionate to the benefit before it can be rejected.

The HSE's guidance suggests gross disproportion factors typically between 3:1 and 10:1, scaling with where on the carrot the risk sits:

  • Near the top of the ALARP region (just below unacceptable) — factor 10:1 or higher. The presumption is that any practicable measure should be implemented.
  • Near the bottom of the ALARP region (just above broadly acceptable) — factor 3:1 or lower. Less burden of proof.

So if a measure would prevent 0.05 expected fatalities over the asset life, valued at the conventional Value of Preventing a Fatality (VPF) of about £2 million, the gross benefit is £100,000. With a 10:1 gross disproportion factor near the high end, the measure can be rejected only if the cost is above £1,000,000. At £500,000 it must be implemented even though strict cost-benefit is unfavourable.

This is what makes ALARP demonstrably different from a textbook cost-benefit analysis: the asymmetry is built in to favour risk reduction.

The Hierarchy of Controls

Before any cost-benefit comparison, an ALARP argument must show that the higher tiers of the control hierarchy have been exhausted:

  1. Eliminate the hazard at source (delete the inventory, redesign the process to avoid the operation).
  2. Substitute with a less hazardous material or method (replace the high-pressure system with a lower-pressure equivalent, replace H₂S service with sweet service if production allows).
  3. Engineer controls — passive measures (segregation, blast walls, drainage, layout), then active measures (SIS, fire & gas, ESD).
  4. Administrative controls — procedures, training, permits-to-work, lone-worker controls.
  5. Personal protective equipment — the last line, never the primary defence.

The argument "we considered eliminating the hazard but it was not practicable for production reasons" is acceptable only if it is documented with the alternatives considered. The argument "we did not consider it" is not acceptable.

A common failure mode in ALARP demonstrations is jumping straight to active controls (a SIS, a F&G zone) without documenting why the passive or substitution options were not viable. The regulator will ask, and the answer must be on record.

Good Practice and Recognised Standards

The first plank of any ALARP argument is compliance with relevant good practice. If the design follows a recognised industry standard — API 521 for relief, IEC 61511 for SIS, NORSOK for offshore process — the assumption is that the standard already embeds an ALARP judgment within its scope. The argument becomes:

  1. The design complies with [standard].
  2. The standard is recognised as defining good practice for this hazard.
  3. Therefore the residual risk after compliance has been driven to a level the industry collectively considers reasonable.

But — and this is where many demonstrations stop too early — compliance is necessary but not sufficient. The ALARP argument must go on to consider whether further measures beyond the standard are reasonably practicable. The standard sets the floor; the asset-specific argument must show whether the floor is enough for this particular installation, or whether further enhancement is justified.

Examples of "beyond the standard" measures that recur in offshore ALARP demonstrations:

  • Subsea isolation valves in addition to the topsides ESD valves required by NORSOK.
  • Higher SIL on a specific function than the LOPA strictly demands.
  • Additional fire & gas coverage in a high-occupancy area beyond minimum performance standards.
  • Active blast protection for accommodation modules beyond the explosion overpressure design case.

Each of these is a candidate for the cost-benefit comparison.

Building the Cost-Benefit Comparison

For a measure that goes beyond compliance, the comparison needs four numbers:

  1. Cost — total cost of implementation over the asset life. Include capital, installation, operating cost, maintenance burden, training, and the cost of any process disruption during installation. Discount future costs at the regulator's accepted rate (typically 3.5% or 5% in real terms for UK practice).
  2. Benefit (statistical fatalities prevented) — reduction in QRA's predicted fatalities × asset life. For environmental benefit, use the equivalent Value of Preventing a Major Accident factor.
  3. Gross disproportion factor — chosen based on where on the carrot the risk sits.
  4. Adjusted comparison — is the cost greater than (benefit × gross disproportion)?

If yes (cost is grossly disproportionate to benefit), the measure is rejected with the reasoning documented. If no (cost is not grossly disproportionate), the measure must be implemented.

Example: a proposed second-stage gas detection upgrade is costed at £350,000 over the asset life. The QRA shows it would reduce the expected fatalities by 0.04 statistical fatalities over 20 years. At VPF = £2 million, the benefit is £80,000. With a 5:1 gross disproportion factor (mid-ALARP region), the threshold cost is £400,000. The measure cost of £350,000 is below the threshold — so it must be implemented even though pure cost-benefit (£350k > £80k) is unfavourable.

If the cost had been £600,000, it would have exceeded the £400,000 threshold and could be rejected with documented reasoning.

Where ALARP Demonstrations Go Wrong

After many safety case reviews, the recurring failure modes are surprisingly consistent:

1. Reverse-engineering the gross disproportion factor

The temptation is to choose the factor after the cost is known so that the measure can be rejected. This is the single most common — and most easily spotted — flaw. Regulators look for an a-priori, documented choice of GDP factor tied to the risk position, then applied consistently across all measures considered.

2. Cost padding

Including marginal or hypothetical costs (loss of future production, NPV of an unlikely outage, opportunity cost of the engineering effort) inflates the cost side. The HSE guidance is explicit: include only direct, defensible costs.

3. Benefit understatement

Counting fatalities-prevented but ignoring lesser injuries, environmental release, equipment loss, and reputational damage. The VPF is conventionally extended to a disutility-per-fatality figure that includes injury and asset loss.

4. Pre-defining the "feasible" set

Limiting consideration to measures the project team is comfortable with, and not documenting the harder alternatives that were dismissed early. The demonstration should show the full set considered, including the ones that were rejected, with the reasons.

5. Stopping at compliance

"We meet the standard" is a starting point, not a conclusion. A robust demonstration goes further to consider what beyond the standard would be reasonable.

6. No revisiting

ALARP is not a one-shot exercise. Operating experience, technology developments, and changes in good practice should trigger periodic re-demonstration — typically every five years for the UK safety case regime, sooner after a significant incident or modification.

A Defensible Structure

The format that consistently survives regulatory review:

  1. Define the hazard, scenario, and consequence (from HAZID / HAZOP / QRA).
  2. Document the inherent and engineered controls already in place — the baseline.
  3. State the residual risk from the QRA at the baseline (individual risk, societal risk).
  4. Identify the position on the carrot — and the corresponding GDP factor.
  5. List candidate further measures — the comprehensive set, not just the convenient ones. Source: HAZID/HAZOP recommendations, peer-asset learning, expert workshops.
  6. For each candidate, document: technical description, cost estimate, benefit estimate, comparison against GDP threshold, decision (implement / reject), reasoning.
  7. Aggregate — confirm that the implemented set drives the risk into the broadly-acceptable region, or shows that further measures have been considered and rejected on a defensible cost-benefit basis.
  8. Sign-off — by an authorised person who has reviewed the technical and commercial assumptions.

The output is an auditable trail, not a number. Done well, the audit trail itself is the argument.

A Note on Operational ALARP

ALARP does not end at the design phase. Operating decisions — when to defer a maintenance task, when to accept a temporary operating restriction, when to take a SIS function out of service for testing — are ALARP decisions in miniature. The same logic applies:

  • What is the hazard?
  • What is the residual risk during the proposed action?
  • What measures could be taken to reduce it?
  • Are those measures reasonably practicable?

Many operational ALARP decisions are well-trodden ground (the operator has a standard temporary-overrides procedure, for instance). But non-standard decisions — a longer-than-usual SIS bypass, deferring a proof test past its due date, a one-off operating excursion — should trigger an explicit ALARP review with documentation.

Conclusion

ALARP is the framework that turns "we are safe" from a marketing claim into a defensible engineering argument. Its discipline is not in the calculation but in the documentation — the systematic consideration of all reasonably practicable measures, the consistent application of the gross disproportion test, and the transparent recording of decisions and their reasoning.

A robust ALARP demonstration is one a regulator can read and follow without needing to fill in gaps. A weak one is one where the conclusion is obvious before the analysis begins.

The art is to do the work upfront — at the design stage, before the cost of changes makes ALARP a paper exercise. By the time the asset is built, the ALARP register should already contain every measure considered, the decision on each, and the rationale. That is what gives the safety case its weight.

Related Project · Offshore · Technical Due Diligence

Block 5 MOPU — Independent Engineering Review

About the Author

Ian Bissett

Ian Bissett

Principal Consultant — Process Engineering · 34+ years

Chartered Chemical Engineer and IChemE Fellow. 34 years spanning process engineering and the operator side — including roles at Total, Marathon Oil, and Talisman Sinopec — before joining FEEC as a principal consultant.

Share
All articlesHave a question? Get in touch →

Keep Reading

Related Articles

flame ctr30001500500windhelideckBTU/hr·ft² · API 521
EngineeringSafety

Flare Radiation and Siting — API 521 Thermal Contour Analysis

10 min readRead
kickerPIGventPSPSLauncherReceiverUtility / Intelligent Pig — full-bore line
EngineeringProcess

Pigging Philosophy and Pig Launcher / Receiver Design

12 min readRead
wear zoneflow + sandER ∝ ms · v²·⁶DNV-RP-O501SDacousticChoke / first elbow
EngineeringProcess

Sand Erosion Management Beyond API 14E — DNV-RP-O501 in Practice

10 min readRead