Professional Documents
Culture Documents
ALARP GUIDE
Foreword
This ALARP Guide has been completed with help of Technical Safety Engineering
representatives of all Shell businesses (PT, DS, UI, and UA). The objective of the guide is to get
to an improved and more coherent ALARP decision making across Shell, in line with the
mandatory requirements of the HSSE & SP Control Framework. ALARP decision making
involves professional judgement and is not an analytical straightforward calculation. Although
this guidance is now regarded as the best available in the Group, it has been published with a
mindset that it can be developed further, with input and feedback from practitioners. The steer is
to use this guide and to provide feedback to the Technical Safety Engineering discipline, so we
can update and build this guide to a final product.
Calibration of our ALARP decision making will be helped with sharing of good examples. A
template for recording ALARP Decision Records is provided in Appendix A; the Technical Safety
Management Portal on the Shell Web provides completed examples for reference. Guide users
are requested to provide further ALARP decision records that could help to extend our data
base and help to calibrate ALARP decision making across Shell.
For feedback and general enquiries please contact Bud Willoughby, GSUSI-PTD/HHSC
Appreciating some of the ambiguity in ALARP decision making, we are looking forward to
receiving constructive feedback to build towards a first ever comprehensive global ALARP guide
for Shell.
Paul Buijsingh,
Group Process Safety manager
GDH Technical Safety Engineering
Page 1 of 35
Table of Contents
FOREWORD.........................................................................................................1
ABBREVIATIONS...............................................................................................3
ALARP GUIDE...................................................................................................5
1
ALARP CONCEPT.........................................................................................6
1.1
INTRODUCTION
6
Definition.............................................................................................................................................6
3
3.1
3.2
4
4.1
4.2
4.3
4.4
4.5
4.6
4.7
CHARACTERISTICS
OF THE
ALARP DEMONSTRATION............................................12
INTRODUCTION
RISK TOLERABILITY CRITERIA
12
13
15
15
16
17
18
20
21
REFERENCES................................................................................................23
APPENDIX B GETTING
TO
ALARP
25
GUIDING STATEMENTS....................................26
Page 2 of 35
ABBREVIATIONS
Acronym
Definition
ACAL
AI-PSM
ALARP
API
BAT
CBA
CBL
DCAF
DEP
DEM
DP
Design Pressure
DS
Downstream
DSM
Downstream Manufacturing
DT
Design Temperature
EIA
EV
Expecation Value
FAR
FAQ
HAZID
Hazard Identification
HEMP
HFE
HRA
HSSE
HSSE&SP CF
GDH
IRPA
ISO
LOPA
LS[I]R
MAH
MIACC
MOC
Management of Change
ORP
PCAP
Page 3 of 35
PEM
PLL
PS
Process Safety
PSR
PT
Projects Technology
QRA
RAM
SCE
SIL/IPF
SoF
Statement of Fitness
QRA
UA
Upstream Americas
UI
Upstream International
UKOOA
Page 4 of 35
ALARP GUIDE
Purpose
This guidance describes a suitable approach to demonstrating ALARP for a wide range of
HSSE & SP risk management decisions. This guidance together with the HSSE Case guidance
will enable businesses to meet the minimum requirements of the HSSE & SP Control
Framework Managing Risk Manual to provide a documented demonstration of ALARP.
This document outlines the means by which ALARP can be consistently demonstrated for all
assets and projects across Shell.
Background
The Shell Group Control Framework for Health, Security, Safety, Environment and Social
Performance stipulates that risks shall be managed to ALARP.
Project Managers;
Wells Managers
HSSE Professionals.
The responsibility for HSSE DCAF deliverables mentioned in the guidance document is
defined in the PCAP for each project, or for existing assets in the ACAL.
The Technical Authority for the ALARP demonstration report is Technical Safety
Engineering.
Page 5 of 35
ALARP CONCEPT
1.1
Introduction
Within the HSSE & SP Control Framework, the Management System (MS) Manual describes
specific requirements regarding the management of HSSE Risks in assets, facilities, operations,
projects and activities where the HSSE & SP Control Framework applies.
In Particular;
identify and implement controls and recovery measures for hazards with risks in
the yellow and red area of the RAM to reduce the risk to ALARP.
a Hazards and Effects Register that includes reference to the Shell HSSE & SP
CF requirements, legislation or industry codes used to determine ALARP or
reference to the process by which ALARP is determined.
for Hazards that have risk in the red and yellow 5A and 5B areas of the RAM:
identification of criteria for ALARP determination and their consistent application;
provision of a documented demonstration of ALARP.
The Asset Integrity Process Safety Management Application Manual (AIPSM) focuses
on the identification and documentation of hazards with process safety risks in the red
or yellow 5A and 5B areas of the RAM and requires that these are managed to ALARP
as specified in the Managing Risk Manual.
The HSSE&SP Control Framework Projects Manual requires that the HSSE & SP
project risks be identified, assessed documented and managed in line with the
Managing Risk Manual.
The Human Factors Engineering section of the Health manual requires that relevant
results of implementation of the project HFE Strategy are incorporated into the ALARP
demonstration.
This guidance document describes the means by which ALARP may be demonstrated for a
variety of Project, Asset and Activity Risks to support users in meeting the above requirements
of the HSSE & SP Control Framework Manuals. It further provides a description of the ALARP
demonstration process and risk management tools that may be used to support an ALARP
demonstration. The demonstration of ALARP is often documented in a so-called HSE Case
(or Safety Case, if limited to safety aspects of a Project, Asset or Activity only).
Definition
The definition of ALARP is widely accepted, and defined in the HSSE & SP, as:
The point at which the cost (in time, money and effort) of further Risk reduction is grossly
disproportionate to the Risk reduction achieved. 1
1 The principle is based on English Tort Law (Edwards v. The National Coal Board,1949): Reasonably
practicable is a narrower term than physically possible and it seems to me to imply that a computation
must be made by the owner, in which the quantum of risk is placed on one scale and the sacrifice
ALARP Guide Rev B Issue for useMay 2013
Page 6 of 35
For well understood risks in standard situations, the application of applicable codes and
standards together with Good Practice will normally be sufficient to demonstrate ALARP
the assumption is that an ALARP judgement was made in establishing the good practice.
High risks associated with a hazard or hazardous activity typically require more cost and
effort to demonstrate ALARP than lower risks.
ALARP can change over time. Changes in societal values, expectations, technology, codes
and standards and cost reductions in risk reduction techniques will mean ALARP continually
changes.
Projects will typically benefit from early determination of measures to reduce risks to ALARP,
resulting in a safer design with lower impact on the environment.
Legislation, Industry standards and Recommended Practices are used across industry to
manage hazards and their associated risks, however, whilst compliance with regulations and
industry standards is a pre-requisite to demonstrate ALARP; compliance alone may be
insufficient to reduce the risks to ALARP.
Inherent Safety
An inherently safer approach to risk management is one that tries to avoid or eliminate hazards
or reduce the magnitude, severity, or likelihood of occurrence by careful attention to the
fundamental design and layout.
Good risk management depends on a clear understanding of the hazards and their interaction
with the design or activity and its operation. If a design or activity is to be optimised to avoid or
reduce the hazards of operation this ideally needs to be done early in the development of the
design of the asset or activity. The more critical part of any project is at the start, when all the
major decisions are taken regarding for example the location, type of installation, operating
philosophy, and processes to be adopted. Once a concept design is completed, most of an
installations or activitys construction and operational costs will have been fixed and
opportunities to manage the hazards in an (inherently) safer way will have been lost (for
example due to disproportionate cost).
Tolerability
Tolerable is defined by the UK HSE [reference 7] as follows:
In this context, tolerable does not mean acceptable. It refers instead to a willingness
by society as a whole to live with a risk so as to secure certain benefits in the confidence
that the risk is one that is worth taking and that it is being properly controlled. However, it
does not imply that the risk will be acceptable to everyone, i.e. that everyone would
agree without reservation to take the risk or have it imposed on them.
involved in the measures necessary for averting the risk (whether in money, time or trouble) is placed in
the other; and that if it be shown that there is a gross disproportion between them the risk being
insignificant in relation to the sacrifice the defendants discharge the onus on them. Moreover, this
computation falls to be made by the owner at a point of time anterior to the accident.
ALARP Guide Rev B Issue for useMay 2013
Page 7 of 35
A risk that is as low as reasonably practicable might still be so high that it is unacceptable (i.e.
not tolerable). A number of regulatory regimes specify requirements on risk tolerability. Other
criteria are prescribed by the Company for example in DEPs and in the Downstream
Manufacturing standards. Projects are required to establish tolerability criteria (limits between
what is unacceptable and what is tolerable if ALARP) in the early stages of a project. Appendix
C discusses setting tolerability criteria in more detail but it is not the role of this document to
prescribe definitive values. In addition to quantitative criteria discussed in the appendix,
qualitative criteria are also appropriate. Qualitative criteria can be found for example in the
Managing Risk manual of the HSSE & SP Control Framework.
It is important to identify and then recognize Shells vulnerability to the few potentially
catastrophic events that exist across Shell Globally. These events need to be managed based
on their potential consequences rather than (calculated) risk, since Shell, Society and
Stakeholders simply wont accept the consequence. The principle for these events is that they
are so undesirable that their consequences should be avoided. The philosophy is therefore,
that Shell needs to subject these events to a very strong defensibility test rather than a
reasonableness test.
Uncertainty & Gross Disproportion
The more uncertainty about the consequences and/or likelihood, the more conservative must be
the assessment of risk or, correspondingly, the higher the burden of proof of gross disproportion.
Putative consequences mean those that can be envisaged as potentially occurring without proof
of the actual possible severity of the outcome. In other words, with increasing uncertainty
regarding possible consequences expert opinion is used to propose the worse case
consequence erring on the side of increased severity.
Page 8 of 35
The test of gross disproportion requires you to know how close risk is to the tolerability
threshold. Increasing uncertainty for large scale hazardous scenarios increases the burden of
proof. The closer the exposed population is to tolerability threshold, the higher the burden of
proof.
Cost Benefit Analysis (CBA) may be used, with a factor that is appropriate to the burden of proof
of disproportion. For example, if the Individual Risk Per Annum (IRPA) for a worker is near the
threshold of 1x10-3, a risk reduction measure would have to cost more than 10x the risk cost 2 of
accepting the consequences to be considered grossly disproportionate.
Cost Benefit alone is insufficient to demonstrate ALARP. When a Cost Benefit Analysis is
conducted, the upside may be significant to the organization, however, along with the upside a
new or increased risk may be transferred to others who do not derive a defined benefit.
Example, if a new chemical is being used to improve production rates, the cost benefit to the
organization may be significant, however, the risk to environmental emissions or additional road
transport may mean society is being asked to accept a new risk for little or no perceived benefit.
2 risk cost is the estimated cost of asset damage arising from incident including impact to
people, environmental damage and clean up, cost of business interruption and reputation
weighted according to the probability of occurrence during the remaining life of the asset
ALARP Guide Rev B Issue for useMay 2013
Page 9 of 35
The risk tolerance levels for different parties differs and hence this too needs to be evaluated in
the overall cost benefit analysis.
The above concepts contribute to the ALARP determination. To support this, section 4.6 and
Appendix B contains a number of statements to further clarify the ALARP concept.
UKOOA ALARP Decision Framework
Demonstrating ALARP includes justifying that the appropriate hazard management decisions
have been taken. Figure 2, The UKOOA Decision Framework was developed to help industry
determine the decision context. Note that this is currently (2013) being updated by Oil and Gas
UK (which is effectively the successor to UKOOA). Once the context has been identified the
framework can be used to select the most appropriate bases for decision making. Later in this
guidance document, reference is made to the UKOOA decision framework and A, B and C
type decision and how they pertain to delivering an ALARP demonstration to meet the
requirements of HSSE & SP CF.
Significance to Decision
Making Process
Means of Calibration
Codes and Standards
Verification
Peer Review
Benchmarking
Internal Stakeholder
Consultation
External Stakeholder
Consultation
Company
Values
Societal Values
Bow-Ties
One of the HSSE tools to support an ALARP demonstration is the bow-tie. Criteria have been
developed to ensure credit is only taken for valid barriers. Barrier health reviews are required
periodically during the Operational phase of an asset to ensure the barriers continue to perform
to the required functional and performance standards.
For risk assessments it is a pre-requisite that concept process design has been carried out to
provide primary containment specifically defining Design Pressure (DP), Design Temperature
(DT) and material selection. Threat identification is related to breach of this primary
containment.
ALARP Guide Rev B Issue for useMay 2013
Page 10 of 35
Page 11 of 35
Introduction
The guidance in this document describes how to develop an ALARP demonstration that satisfies
the requirements of the HSSE & SP Control Framework.
The ALARP demonstration process begins during the early project phases and continues
through front end design, detailed design, execution and throughout the operational life of the
asset or activity. Figure 4 provides an overview of the process as the project progresses from
initiation through design and execution to operations. The ALARP process in Section 4
describes the various steps and tools available during the project phase to support the
development and ultimately resulting in the ALARP demonstration prior to start-up of an asset.
In addition, Shell owns assets which have been operational for many years and also obtains
new assets through acquisitions. The later part of Section 4 describes the means by which
existing and newly acquired assets can be assessed to support an ALARP demonstration.
Figure 4 is a pictorial representation of the process by which ALARP is delivered during a
project and into the operational phase. The process represented focuses on three aspects of
an ALARP demonstration:
Iterative nature of ALARP with the evaluation of risk reduction options becoming
increasingly more detailed as the project progresses.
The left hand side of the diagram (Figure 4) identifies some of the supporting HEMP studies and
HSSE&SP deliverables typically completed during the project phase to identify, assess and
evaluate hazards and their associated risks. The boxes on the right hand side identify some of
the non-technical and technical inputs that may be required for consideration as part of the
ALARP assessment.
This ALARP guidance document is focussed on describing the process and tools required to
conduct the ALARP assessment and evaluation which culminates in an ALARP demonstration.
As shown in Figure 4, the ALARP demonstration process starts at the Identification phase and
the process is iterative in nature: initial focus is on high level elimination or substitution of
hazards and associated risks and becomes more refined as the project develops.
Page 12 of 35
Eliminate
MOST
EFFECTIVE
Substitute
Isolate/Separate
EIs
ng
eer
oin
late
LEAST
EFFECTIVE
P
PP
PE
Eliminatesourcesof flammablegasrelease
S
ubstitute
SubstituteCompressor Houseforopenarrangement
Separation
Separatecompressorsfromeachother
Separatecompressorsfromrest of plant
Separategascloudfromignitionsources
EngineeredSafeguards
PREVENTIONDesignforprocesscontainmentintegrity
MITIGATION Gasdetection, shutdown, blowdown
Isolationof ignitionsources
Forcedventilation
Erg
na
gnin
rn
O
ise
ae
tio
in
PA
rodcm
ed
ures
Eliminate
Not
assessedin
quantitative
terms
O
rganisational Controls
OperatortrainingforCompressor upsetconditions
Communicationforemergencyresponse
Procedural Controls-
Operatingprocedures
Emergencyresponseprocedures
P
ersonal ProtectiveEquipment
N/AthereisnoPPEeffectiveagainstexplosion
For those projects following the Opportunity Realisation Process (ORP) many of the
deliverables and HSSE Studies are prepared during the development phase in accordance with
the Discipline Controls and Assurance Framework (DCAF). Whilst not all projects use DCAF,
this guidance document cross references key DCAF deliverables.
Compliance with this guidance will enable assets to meet the HSSE Case Guidance document
which specifies the requirements for developing and documenting HSSE Cases including
ALARP demonstration reports for each stage of the ORP.
Section 4.6 provides guidance on questions to discuss as part of an ALARP demonstration
review.
3.2
At the outset of any risk assessment or ALARP demonstration process, it is important to define
the basic parameters for the risk assessment and to set the scope and document the Risk
Tolerability Criteria. The Risk Tolerability Criteria establish the reference point for the evaluation
of the results of the risk assessment and input to the ALARP decision process. The Risk
Tolerability Criteria shall as far as possible reflect the HSE objectives of the project / asset,
including any local legal requirements. In addition they shall be:
Page 13 of 35
Figure
ITERATIVE
DEVELOPMENT
Page 14 of 35
OF
ALARP
DEMONSTRATION
4.1
Select Phase
Objective: To understand the relative risks of all remaining concepts and select the best
qualified concept for further development. Hazards are eliminated, substituted or
segregated where reasonably practicable. Where the best qualified concept is not the
lowest risk, documentation on the reasoning behind the chosen concept is a critical
aspect of an ALARP demonstration.
Responsible: The Business Opportunity Manager, Business Development Leader or
Project Manager
The focus of the Select Phase is to compare the proposed development concepts, decide if one
or more is acceptable, and select the most qualified concept for further development.
For all viable concepts it shall be documented how societal and company expectations have
been addressed. The ALARP demonstration process relies on demonstrating a transparent
evaluation process, recorded in for example an ALARP Demonstration Worksheet (see
Appendix A), as well as continuing to engage key stakeholders.
Philosophies may be developed to guide to goals that company and project are determined to
achieve. Philosophies may function to support options evaluation against the described goals
that are set to be achieved. Philosophies can act as help to overcome disputes in level of
expectations and requirements.
With reference to Figure 4, the intent of the Select Phase is to compare relative risk limits of
each concept. This will enable the project to understand the relative range of risks between
ALARP Guide Rev B Issue for useMay 2013
Page 15 of 35
each option together with uncertainties associated with the risk estimates. The concept
selection shall consider both the relative risks between each option and the likelihood of being
able to deliver the project at the low end of the risk range.
The concept selection phase applies the hazard hierarchy (Figure 3) to each option and focuses
on elimination and substitution of the risks as well as isolation and separation of hazards to
reduce the level of risk.
The HSSE premise for the project is developed during this phase and the ability of
the options to meet the HSSE premise shall be taken into account during concept
selection process.
The HFE strategy is developed which documents HFE standards and quality control
activities to bring human error to ALARP.
The documented demonstration of ALARP shall include the above together with a
transparent evaluation of options against alternatives.
For new installations the residual risk levels should not be greater that those achieved by the
best examples of existing Shell and Industry good practice for comparable functions and
operating locations / conditions.
With reference to the UKOOA decision framework, the focus during the Select phase of the
ORP is to understand and address the hazards associated with B and C type decisions and
define expectations for the management of A type decisions. The process followed should
demonstrate appropriate means of stakeholder involvement.
4.3
Define Phase
Objective: To take the selected concept and further define the configuration and
equipment specifications to ensure the risks are tolerable and continue to be reduced
towards ALARP.
Responsible: Project Manager
The goal is to ensure that key stakeholders are engaged and the conceptual design is optimal.
Major design decisions are taken that reduce risks associated with the design and operations of
the facility and uncertainty around risk levels are reduced using the hazard hierarchy. Technical
ALARP Guide Rev B Issue for useMay 2013
Page 16 of 35
Safety Engineering, Environment and Health tools are applied to evaluate risk reduction
opportunities and implement viable recommendations.
The hazard hierarchy continues to be applied; focus is primarily on main threat identification and
measures to prevent LOC, for example overpressure protection, over/under temperature
protection, isolation and separation of hazards during the early stage of this phase (plot plan
optimization and safe shutdown/isolation of processes). Engineered control and mitigation
measures are assessed to ensure suitable, sufficient controls are included in the design to
prevent and mitigate the hazard scenarios. Technology selection and equipment options are
evaluated for their HSSE risks. The lowest risk options or combination of options should be
selected whilst giving due consideration to other project priorities. Cost Benefit Analysis (CBA),
Quantitative Risk Assessment (QRA) and other quantitative tools may be used to support
ALARP decision and demonstration. For most decisions CBA is not necessary and it is only
needed in the relatively few cases where the benefits of moving to a lower risk option are
unclear and cannot be resolved qualitatively. Operation and maintenance principles, including
HFE are applied during this phase to ensure that longer term operational risks are minimized.
Construction and Commissioning risks for the design are identified and assessed to ensure
these HSSE risks are managed to ALARP. The hazard hierarchy shall be applied to identified
construction / commissioning risks and associated activities. For example, opportunities to
minimize transport risk, working at height etc. to reduce activity based risks to ALARP shall be
assessed.
AI-PSM requirements applied, particularly ensuring Process Safety Basic Requirements are met
and creating documentation for HSSE Critical Equipment.
It is important that the results of the Health, Safety and Environmental risk evaluation Tools are
documented to support the demonstration that risks are reduced to ALARP. Examples of such
studies include:
Demonstration that adequate attention has been given to identifying and mitigating
the risk of human error to performance of safety critical tasks (for example by
compliance with DEP 30.00.60.19-GEN).
Appropriate risk studies used to demonstrate ALARP using Project Guide 1. Risk
Studies support decisions requiring risk tradeoffs.
HSSE Action Register close out. The closeout of actions from HEMP studies (PEM,
HAZID, QRA, HRA, EIA, HFE, Reviews etc.).
Page 17 of 35
4.4
Execute Phase
Objective: To complete the detailed design and construct, install and commission the
facility ready for operations.
Responsible: Project Manager and Construction & Commissioning Manager
The detailed design phase of the project should focus on application of relevant codes,
standards and good engineering practice. Approval processes shall be in-place to ensure
appropriate implementation of HEMP and risk assessment results and the recommendations
from these studies. Follow-up risk studies are completed to verify assumptions during the
concept and define phases and confirm the detailed design continues to demonstrate HSSE
risks are managed to ALARP. Effective Management of Suppliers, Contractors and Change
procedures are required to ensure that the HSSE risks associated with proposed changes are
assessed and evaluated and risk reduction measures continue to be implemented where
reasonably practicable. The Design HSSE Case / ALARP Demonstration Report is signed-off
as detailed design is completed.
As the execute phase progresses into construction and commissioning there is little impact on
the risk profile of the design of the facility, provided no significant changes are made to the basis
of design. The focus is on conformity to the design and delivery of the Safety Critical Equipment
to the Performance Standards. Material control and quality control of installation and
commissioning steps (welding, leak testing, function testing) is crucial to enable the facility to be
handed over for safe operation.
Stakeholder engagement continues to ensure risk and issue management is transparent and
commitments are delivered. Key Stakeholders need to be satisfied that a high quality asset is
being delivered.
HSSE and Technical Safety Engineering studies such as Bow-Tie Assessment and
Safeguarding Reviews are finalized to document the control and mitigation measures (barriers)
in place to manage the hazards and associated risks to ALARP. Operations and maintenance
personnel will be trained and maintenance and operating systems completed to ensure Safety
Critical Equipment is managed within design limits. At this stage of the project life-cycle
ensuring high quality as-built condition as well as effective recording of the as-built state is
crucial to deliver to operations a facility with high design and technical integrity to enable best in
class HSSE performance. Projects shall demonstrate compliance with agreed design
philosophies and minimum functional specifications for all Safety Critical Equipment.
The Execute Phase is completed with the handover of the asset to Operations which includes
the sign-off of the Statement of Fitness, including the ALARP demonstration report (HSE Case).
4.5
Operate Phase
Objective: To operate and maintain the facility in accordance with design codes and
performance standards to ensure control barriers remain valid. Review HSSE Risks on
a regular basis, learn from incidents and demonstrate process safety, HSSE and social
performance risks continue to be managed to ALARP.
Responsible: Asset Manager
Page 18 of 35
The main objective in the operational phase is to demonstrate that the risk level during
operations is maintained at ALARP. In this phase of the lifecycle of an asset the ability to further
reduce HSSE risks is limited however, close monitoring of HSSE and Asset Integrity / Process
Safety performance is critical to ensure risks remain ALARP. Compliance with the requirements
of the HSSE & SP CF, AI-PSM and monitoring of developments in industry, use of best
practices, affordable technology (Best Available Technology - BAT) and Learning From Incidents
(LFI) both within an asset, company and industry, are required to ensure risks remain ALARP.
In the Operate Phase the documented demonstration of ALARP is often contained in the assets
HSSE Case. ALARP decisions and supporting risk analysis must be reviewed throughout the
life of the facility since societys expectations with respect to Health, Safety and Environment
change over time. The ALARP demonstration and HSSE Case shall be regularly reviewed and
maintained to enable the asset to demonstrate the hazards and associated risks continue to be
managed to tolerable and ALARP. In particular the Asset Statement of Fitness confirming that
Process Safety risks have been identified and documented and are managed to ALARP is
required to be developed before commissioning a new Asset or modification to an existing one
and updated:
after the Asset has been subjected to operating conditions outside the Equipment
Constraints;
after the Asset has experienced environmental conditions beyond the original design
parameters.
Page 19 of 35
Periodic review of HSSE Case; Process Safety Review at least every five years.
Evaluate barriers against latest DEPs, Minimum Safety Systems, and best practices.
The evaluation of risk reduction options during the Operations phase may include cost benefit
analysis and quantified risk assessments to determine whether a solution is ALARP. In other
words, are the cost, time and effort required grossly disproportional to the risk reduction
achieved?
The cost of risk reduction measures is a key consideration during the operational phase of a
facility. For example, the layout and location of a pipeline during the early design phase can be
moved to account for new threats, such as an increased set back distance from road / rail
routes. However, during the operational phase of a facility the cost of relocating a pipeline is
likely to be disproportionate to the risk reduction achieved. In this situation, controls lower down
the hierarchy of controls will need to be evaluated, such as crash barriers, improved signage,
reduced speed limits, to minimize the potential for impact.
Where Shell acquires assets the need to demonstrate ALARP remains. However, it is
recognized that HEMP and Safety Studies together with an HSSE Case may not exist. The
initial focus for the asset will be to complete appropriate HEMP studies to identify the hazards
and areas of risk that require most urgent attention. The demonstration that the risks are
reduced to ALARP often includes a bow-tie workshop with operations personnel to identify if any
further barriers are required to bring the facility risks to ALARP. An ALARP demonstration will
require documented assessment of the bow-tie together with justification for any recommended
additional or improved barriers. The ALARP demonstration in these cases relies on the
judgement of specialists and experts. This should be recorded as part the demonstration
process.
All ALARP decisions conducted during the operations phase shall continue to be recorded and
documented in the Operations HSSE Case.
4.6
ALARP
Principles
Demonstration
As has been discussed already in this guidance document, ALARP decisions are not taken in
isolation, but they take into account the implications on interacting and interconnected activities.
ALARP decisions may involve many different processes (design, contracts & procurement,
Page 20 of 35
construction, operations, quality control, management of change, turnarounds, etc.) and input
from appropriately qualified experts in each field should be sought as required.
The ALARP demonstration starts at the onset of a project, and develops throughout all phases,
including in the documented demonstration of ALARP report at the end of design and the
Statement of Fitness that confirms in the operational phase that the Process Safety risks have
been identified, documented and are managed to ALARP (often in an Operations HSSE Case).
Demonstrating ALARP requires documentation of identified risk reduction opportunities through
various HEMP studies, as well as appropriate review and tracking to closure of agreed ALARP
decisions. The documented demonstration of ALARP should discuss two areas:
1) Justification for the selected option with lowest risk or risk reduction options that have been
agreed to
2) Reasons why it is justifiable not to implement the option with lowest risk or other proposed
risk reduction measures.
Appendix B gives guiding mindset statements on getting to ALARP. The questions below are
to be considered in conducting an ALARP demonstration and serve as guidance when
conducting an ALARP workshop or reviewing an ALARP demonstration:
i.
ii.
Are all Shell and local requirements, guidelines, philosophies as well as national and
international standards and recommended practices satisfied?
iii.
Are consistent solutions applied across different Shell companies / business units in
one country / region? Recognize significant variations in ALARP solutions for the
same problem in similar circumstances must be defensible and are likely to come
under increasing scrutiny
iv.
Is the quantified risk level at least on a par with risk levels for similar concepts /
facilities in similar circumstances / locations?
v.
If solutions are being considered which do not meet ii) or iii) can it be shown that no
significant increase in risk level will result as a consequence of these deviations? Are
any deviations from regulatory / Shell requirements approved at the appropriate level
of authority?
vi.
Where quantitative criteria are defined, is there sufficient margin to allow some
increase in risk later in the design process to be absorbed without the need for
massive change or improvement?
vii.
viii.
ix.
Have appropriate HSE risk experts, technical and non-technical disciplines been
involved, taking all relevant aspects into account (individual and societal impacts,
reputation, commercial etc.)?
x.
Has the appropriate level of input from peers, subject matter experts and senior
leaders in the organization been taken into account in the ALARP decision process?
xi.
Page 21 of 35
xii.
Are there unsolved aspects relating to risk to personnel or environment and is there
conflict between these areas (e.g. risk trade off)?
xiii.
xiv.
Are the latest research and development results and new technology aspects
reflected in the solutions adopted?
xv.
xvi.
Are associated costs for lower risk options significantly disproportionate to the risk
reduction achieved?
xvii.
xviii.
Has appropriate attention and effort been given to identifying HSSE critical activities
throughout the design process, and to ensuring the design will support high levels of
reliable human performance on those activities?
4.7
Catalogue
Design
(Package / Skid Units)
For many smaller projects, for example, multi well pad, production packs, compressors, etc.
businesses have developed catalogue designs. The specifications for these designs should
have been developed to comply with relevant Shell DEPs. The designs are intended for
repeatable (manufactured) equipment. The initial catalogue design may be developed following
the Opportunity Realisation Process. When the catalogue design is being applied in the field,
it is important that the HSSE&SP issues associated with its application at the proposed location
are identified and evaluated to ensure the as-built facility continues to be managed to risks
ALARP. For example, the installation of a catalogue compressor may be ALARP, however, once
3 or 4 compressors are installed at the same location, additional noise controls may be required
from a health and/or environmental perspective to manage the hazard to ALARP.
The ALARP demonstration of the catalogue design requires the HSSE Assessments in the
Identify and Assess phases of the ORP to be completed. At the end of this phase the
development should be able to:
Demonstrate that stakeholder and environmental issues at the location have been
met.
The HSSE Philosophy underpinning the catalogue design remains valid taking into
account interconnectivity with new / other facilities.
If the above is demonstrated, the project can implement the Catalogue Design without further
ALARP demonstration. If the premise for the Catalogue Design is no longer valid, it shall be
adapted and appropriate steps of the ORP applied.
Page 22 of 35
References
1. UKOOA Industry Guidelines on A Framework for Risk Related Decision Support
2. Shell Downstream Manufacturing Hazards & Effects Management Process (HEMP) DSM 2500003-ST
3. Shell HSSE & SP Control Framework
4. ISO 10418: 2003 Petroleum and natural gas industries -- Offshore production
installations -- Analysis, design, installation and testing of basic surface process safety
systems
5. API RP 14C: Recommended Practice for Analysis, Design, Installation, and Testing of
Basic Surface Safety Systems for Offshore Production Platforms
6. The Process of Achieving ALARP 16 Nov 2000
7. UK Health and Safety Executive, Reducing Risk, Protecting People: HSEs Decision
Making Process, published 2001. Generally known as R2P2.
8. UK Health and Safety Executive Assessment Principles for Offshore Safety Cases
Published March 2006
9. Shell Downstream Manufacturing: HEMP Hazard Identification and Risk Assessment,
Hazard Analysis, and Management Handshakes, DSM-2500003-SP-01.
10. NORSOK Standard Z-013 Risk and Emergency Preparedness Analysis, Rev 2,
September 2001.
Page 23 of 35
Page 24 of 35
IDENTIFY
ASSESS
Options Considered
A number of controls or mitigation measures have been identified and considered for
reducing risk of enclosing the equipment:
Basis for Selection & Uncertainties
Option Discussion:
Justification for Chosen Option
None
Requirements for the Operations HSSE-Plan
All safety critical equipment to be operated and maintained to the Performance Standards.
Page 25 of 35
Page 26 of 35
Reputation:
Legal:
Tolerable may not be ALARP as tolerable relates to permissible regime. The HSSE & SP CF
(like UK law) requires implementation of ALARP.
Where implementation of ALARP is a legal requirement, it is not just about numbers and
complicated risk models. It is about demonstrating that the cost and effort (time and trouble) of
further risk reduction is grossly disproportionate to the risk reduction achieved
Companies are increasingly held liable if they dont adhere to what was established in the agreed
and approved ALARP determination (do what you say you are going to do e.g. inspection &
maintenance tasks)
Across different Shell companies in one country, significant variations in ALARP solutions for the
same problem in similar circumstances, are hard to explain
Scope:
ALARP decisions are not taken in isolation, but they take into account the implications of
interacting and interconnected activities
ALARP decisions range from conceptual to detailed design decisions through to operational and
decommissioning decisions.
Process:
The ALARP demonstration is started at the onset of a project, and developed throughout all
phases, including the ALARP demonstration report at the end of design and SoF in the
Operations phase.
ALARP decisions are documented and built upon while the decision making process towards the
final product is still ongoing, i.e. they are iterative.
ALARP requires documentation of identified risk reduction opportunities through various HEMP
studies, and appropriate review and closure tracking on implementation decisions.
ALARP decision making is applicable through the whole life cycle of an asset and involves most
processes (design, contracts & procurement, construct, operations, quality control, management
of change, turnarounds, decommissioning, etc.)
ALARP solutions are dynamic, they change over time with changes in societal expectations;
technology advances, availability and cost.
Professionalism:
Page 27 of 35
ALARP is about professional judgement and technical discipline, taking all relevant aspects into
account (society, reputation, commercial, industry standards, discipline engineering etc.)
ALARP decisions seek the right level of input from peers and specialists.
ALARP decision making should make use of multidisciplinary input depending on potential risk
and implications
Making ALARP decisions requires incorporation of good practices across the industry, and
lessons learned from incidents (internal and external)
Page 28 of 35
Page 29 of 35
Note that it may be possible to eliminate this hazard by fully rating the system (step 3 of the
ALARP determination process in Figure 4)
FAQ 5 Reasonably Practicable versus Reasonably Affordable
Q A refinery has established a budget for minor capital projects, which is used to fund asset
integrity upgrades and HSSE improvements. Proposals are ranked using the RAM. The refinery
management is confident that it is applying the RAM consistently and that it is investing the
available capital on proposals that will have the biggest impact in reducing the overall Risk to
the refinery. Are the Risks being reduced to ALARP?
A No. The refinery management is allocating the budgeted resources on the basis of Risk and is
probably reducing the overall Risk of the refinery to as low as reasonably affordable. However,
there may be additional measures that are Reasonably Practicable to reduce the Risk in
individual areas if additional budget was requested. An ALARP determination should be made
for each risk-reducing proposal and if justified (not grossly disproportionate) additional funds
should be sought.
FAQ 6 Less protected situations
Q When the whole idea behind ALARP is to reduce Risks to ALARP, how can we allow a less
protected situation?
A An example related to the effect of new knowledge can be found in the area of selection of
materials. Piping that was installed on a plant has a corrosion allowance of 6 mm. Some years
later a reassessment of the material codes established that 3 mm is sufficient. Subsequently,
during an expansion project the throughput and operating pressure of the pipe could be
increased, whilst remaining within the new corrosion allowance. The real Risk of the pipe failing
was increased, whilst remaining at a very low level, several orders of magnitude below any
Tolerability Criteria. An ALARP determination confirmed that the Risks were still ALARP.
FAQ 7 Transfer of Risks
Q What does this mean?
A We introduce measures to control all kinds of Risks. If the measures introduced involve risks,
we talk about transferring the risk from the original problem to the control measure. We can
distinguish two different situations involving transfer of Risk; same hazard and different
hazard:
Same hazard. As an example, the introduction of mechanical exhaust ventilation in a workshop
may transfer the Risk of welding fumes from the welders to general employees outside the
workshop. The added Risk to the general employees should be offset against the benefits to the
welders in the ALARP determination, as they are subject to the same hazard, although the risk
to individuals should be a lower as long as the ventilation has been properly designed.
Different hazard. Installing a fire/blast wall in a new offshore production platform will reduce
fire/explosion Risks to the future workers on the platform. However, building the fire/blast wall
will involve Risks to the construction workforce. The hazards underpinning the two Risks are
quite different. The hazards of building a wall are well understood and the Risks can be
managed to ALARP. These Risks should therefore not be taken into account in the ALARP
determination for the proposal to install a fire/blast wall.
Transfer of a Risk to the Public should always be avoided.
FAQ 8 Environment and safety Risks(1)
Q A proposal to transport drill cuttings to shore will reduce the environmental impact of an
offshore platform operation, but it will increase the Risks to people because it involves more
boat transfers. Should we reject the proposal?
ALARP Guide Rev B Issue for useMay 2013
Page 30 of 35
A No. The proposal should be evaluated by balancing the cost, effort and personal safety risk
involved against the environmental benefit in an ALARP determination. The Risks of boat
transfers, in particular of the crew being injured, involve quite different hazards from the
environmental hazards related to disposal of the drill cuttings. They are well understood and
there may be only a small increase in Risk from the additional boat journeys, which could be
effectively managed by existing marine transport controls. In some instances the increased
personal safety risk may be judged to outweigh the environmental benefit. Without the proper
analysis of both risks and benefits the risk ALARP decision cannot be made.
FAQ 9 Environment and Safety Risks (2)
Q When building an extension to an onshore gas plant, there are two options to dispose of the
excavated rock, either transport by road to a remote site, or dumping in the sea as part of the
land reclamation to extend the plant. The road transport option will significantly increase the
Risk to the local population and to the drivers. As the prevailing driving standards in this region
are low and the roads are of poor quality it will require a major effort to effectively manage the
road transport Risk. Should the road transport Risks be taken into account when assessing the
environmental Risks of the second option of dumping the excavated rock at sea?
A Yes. The road transport Risks involve quite different hazards from rock dumping at sea.
However, the expectation is that the residual road transport Risks will be quite significant, even
when they have been reduced to ALARP. They should therefore be included in the ALARP
determination. The environmental impact of the road transport should also be considered to
ensure that the scope boundaries of the assessments for the two options are comparable so
that a fair comparison can be made.
FAQ 10 Retroactive upgrading
Q Current practice does not permit the use of screwed fittings in hydrocarbon service. Our
facility was built a lot earlier and has many screwed fittings. Do we have to replace them?
A Possibly but not necessarily. The cost, effort and Risks involved in replacing the screwed
fittings should be balanced against the resulting risk reduction over the remaining lifetime of the
plant in an ALARP determination.
Historically, the cost, effort and Risk involved have proved to be grossly disproportionate on offshore platforms, but on refineries the upgrades have been Reasonably Practicable when made
during turnarounds.
FAQ 11 Hazard Register
Q Does a hazard register (tabulation of hazard, source/release scenarios, consequence, RAM
rating, risk reduction measures) provide sufficient documentation that Risks in the light shaded
area of the ALARP decision matrix (Figure 2) have been reduced to ALARP?
A No. The risk reduction measures column of a hazard register should refer to the procedure,
job hazard analysis, health risk assessment or other document that specifies the barriers to be
adopted. In addition, the person or team making the ALARP determination should confirm their
judgment that the risks are reduced to ALARP and that no further Reasonably Practicable
measures are available. This confirmation should be recorded either in the hazard register or
the referenced document, e.g. a HRA record.
Page 31 of 35
Q How can a Capital Project be expected to make a demonstration that the risk of human error
is ALARP during DEFINE and EXECUTE phase? Ensuring people are competent, and follow
Procedures are Operational issues that a project cannot be expected to control.
A Projects are expected to apply the principles of Human Factors Engineering throughout the
project lifecycle, and to reflect the results of HFE analysis, design and validation in the ALARP
demonstration as appropriate. Poor access, equipment layout, interface design, labelling, or
lighting, etc, can all contribute to making human errors more likely. Similarly, unreasonable
expectations about what people will be able to do, or how well they will be able to perform when
highly automated systems fail or dont work perform to the standards expected can mean that
Barriers are not as effective as is assumed.
As well as complying with relevant technical standards, projects should put reasonable effort
throughout DEFINE and EXECUTE phases into identifying where there is a reliance on human
performance to perform, maintain or support Barriers. And they should maintain a focus on
ensuring the features necessary to support those activities from equipment layout and user
interface design to the design of Procedures and decision aids - are well designed and that lack
of consideration of HFE design issues does not increase the likelihood of human error.
Page 32 of 35
An upper bound above which risks are deemed to be unacceptable and, save in
exceptional circumstances, must either be reduced, whatever the cost, or the activity
giving rise to the risk discontinued.
A lower bound below which risks are regarded as being broadly acceptable and
therefore requiring no significant action to effect further reduction.
A range between the upper and lower bounds in which risks are regarded as being
tolerable provided that they have been reduced to levels that are as low as reasonably
practicable.
Tolerability criteria generally represent the boundary between the Unacceptable and the
Tolerable regions.
Unacceptable
Increasing risks
Tolerable
Broadly acceptable
Figure C.1. UK HSE framework for the tolerability of risk.
In general the Company does not prescribe global tolerability criteria and it is not the role of this
Appendix to do so. Some particular criteria have been specified in DEPs and Downstream
Manufacturing Standards and they are referenced but not duplicated here. The choice of
tolerability criteria depends on the particular circumstances of the project or operation and on
the regulatory environment. They will normally be prescribed in a projects Design HSE
Premises or associated Risk Tolerability Criteria document. The process of developing such
premises should include critically reviewing and discussing what has been done in the past for
similar projects: a document such as this cannot provide a comprehensive list of risk measures
and tolerability criteria that would cover any project.
In the discussion below, we focus on tolerability criteria in relation to QRA as applied to the
cumulative risk from all scenarios. Criteria for LOPA are different, and should not be confused
with these, in that they relate to the risk from individual scenarios rather than the cumulative
risk. Downstream Manufacturing has specified LOPA tolerability criteria in DSM-2500003-SP01Ref 9.
ALARP Guide Rev B Issue for useMay 2013
Page 33 of 35
The criteria discussed here relate to safety (i.e. risk to people) and to asset damage. Major
accidents resulting in multiple fatalities or asset damage can have considerable reputational
impact to the Company and so decisions on what is tolerable must be extended beyond purely
local cost benefit considerations.
When considering such absolute criteria (against which QRA results will be judged), the inherent
uncertainties in QRA should always be borne in mind. QRA relies on a number of imprecise
assumptions. For example, the failure frequencies used in QRA (and LOPA) are based on
statistically averaged historical failure data. QRA is actually more powerful and reliable when
used in a relative sense (such as comparing options in an ALARP demonstration) than in an
absolute sense against set criteria. Moving beyond the risk value quantified by QRA typically
requires the application of less quantifiable risk reduction measures.
Individual Risk
Individual risk relates to the annual risk of fatality of a particular individual taking into account
their exposure, throughout their working year, to all company-induced hazards. It is often
referred to as IRPA (individual risk per annum). It can include aspects such as protection and
escape. Where exposure is limited because an individual works for the Company for a short
time, the risk should be prorated for the full years activities. In other words, benefit should not
be taken for the fact that a diving contractor, for example, might only work for the Company for
one month during a year. Conversely, rotating work patterns where the Company does have
control over the workers activity does give the opportunity to ensure that no single individual is
exposed to too high a risk.
The UK HSE, in relation to Figure C.1, describe the boundary between the Tolerable and
Unacceptable regions as being around 10-3/year and the boundary between the Tolerable and
Broadly Acceptable regions as being around 10 -6/year. This is within the framework of a very
robust ALARP culture as the UK has been applying the concept for over sixty years.
For an offshore project, an IRPA tolerability criterion of 10 -3/year could be appropriate, taking
into account both process and other (e.g. helicopter transport) risks. For a typical onshore
project a criterion of 10-4/year for process safety contribution to individual risk is often applied. In
addition, some onshore projects specify 2x10-4/year for total work-related IRPA (i.e. including
both process safety and personal safety) however this is only really appropriate if the nonprocess safety risks can usefully be estimated through QRA. For some onshore projects, such
as upstream projects involving significant sour gas risks (e.g. 5 bar partial pressure of H 2S), a
value of 10-3/year might be more appropriate for all contributions to individual risk.
For specific criteria relating to the process safety risks to onshore building occupants see the
relevant DEPs including DEP 34.17.10.35-Gen. (Siting of Onshore Occupied Portable Buildings)
and DEP 80.00.10.11-Gen. (Layout of Onshore Facilities).
Location Specific Risk
The location specific risk (LSR) refers to the annual risk of fatality to a hypothetical individual at
a location for 24 hours per day, 365 days per year, unprotected and unable to escape. LSR is
usually represented on a map in terms of contours and so is often referred to by the more
generic term risk contours however this is ambiguous as other risk measures can also be
represented as contours. It is also referred to as Location Specific Individual Risk or,
particularly by some regulators, as Individual Risk. The latter is avoided within Shell as it can
lead to confusion (see the previous section on Individual Risk).
LSR is usually used for onshore projects to represent offsite risk and is the cumulative risk from
all potential scenarios that could cause a hypothetical exposed person at the specific location to
ALARP Guide Rev B Issue for useMay 2013
Page 34 of 35
be fatally injured. When considering a brown field modification to an existing site, a QRA is
sometimes done for the new units to calculate risk contours. In such cases however, if the risks
from the existing site are not included, then the estimated risks are only a contribution to the
total LSR.
Countries with a mature approach to land use planning and safety management will often
specify LSR tolerability criteria. Otherwise projects typically define criteria such as the following.
LSR
10-6/year
10-5/year
These criteria are consistent with the advice in DEP INFORMATIVE 80.00.10.11-Gen. (Layout
of Onshore Facilities), February 2013. The residential criteria are sometimes refined in order to
differentiate between populations of different vulnerabilities (industrial complexes, schools,
hospitals etc.) but values as low as 10-8/year that have sometimes been used (based on
withdrawn Dutch criteria) are inadvisable. The particular fenceline risk criterion needs to be set
in the context of the industrial or other environment. For example a boundary adjacent to a
populated area, or an area with no planning controls, is different in this respect from a boundary
adjacent to an industrial area subject to planning or emergency response controls or a boundary
with a controlled coastline.
Escalation Risk
Escalation here refers to the impact of an initial event causing subsequent events or limiting the
ability of safety critical equipment to operate. For example part of the basis for the separation
between significant individual assets such as LNG trains is often to limit the risk of an event in
one train causing significant damage in the neighbouring train. This would have both
commercial and reputation impacts. Safety critical equipment that is designed to prevent or
minimise escalation may also require adequate robustness to withstand the impact of credible
major accident hazard scenarios. Both the required robustness and the performance to prevent
escalation should be addressed in the Design Performance Standards for Safety Critical
Equipment.
Projects typically apply a criterion that escalation events should happen with a frequency less
than 10-4/year. This is consistent with, for example, the criterion specified in DEP.34.17.10.30Gen. (Design of Blast Resistant Onshore Buildings, Control Rooms and Field Auxiliary Rooms)
for the design load of critical buildings. Also NORSOK(Ref 10) states that loss of main safety
function for preventing escalation between areas; main load carrying capacity; rooms of
significance to combating accidental events; designated safe areas and escape routes shall
each have a risk tolerability criterion of 10-4/year.
Page 35 of 35