Process Safety Guidance

ALARP GUIDE

Foreword
This ALARP Guide has been completed with help of Technical Safety Engineering
representatives of all Shell businesses (PT, DS, UI, and UA). The objective of the guide is to get
to an improved and more coherent ALARP decision making across Shell, in line with the
mandatory requirements of the HSSE & SP Control Framework. ALARP decision making
involves professional judgement and is not an analytical straightforward calculation. Although
this guidance is now regarded as the best available in the Group, it has been published with a
mindset that it can be developed further, with input and feedback from practitioners. The steer is
to use this guide and to provide feedback to the Technical Safety Engineering discipline, so we
can update and build this guide to a final product.
Calibration of our ALARP decision making will be helped with sharing of good examples. A
template for recording ALARP Decision Records is provided in Appendix A; the Technical Safety
Management Portal on the Shell Web provides completed examples for reference. Guide users
are requested to provide further ALARP decision records that could help to extend our data
base and help to calibrate ALARP decision making across Shell.
For feedback and general enquiries please contact Bud Willoughby, GSUSI-PTD/HHSC
Appreciating some of the ambiguity in ALARP decision making, we are looking forward to
receiving constructive feedback to build towards a first ever comprehensive global ALARP guide
for Shell.
Paul Buijsingh,
Group Process Safety manager
GDH Technical Safety Engineering

ALARP Guide Rev B Issue for useMay 2013

Page 1 of 35

Process Safety Guidance

Table of Contents
FOREWORD.........................................................................................................1
ABBREVIATIONS...............................................................................................3
ALARP GUIDE...................................................................................................5
1

ALARP CONCEPT.........................................................................................6

1.1

INTRODUCTION
6
Definition.............................................................................................................................................6

ALARP RELATED CONCEPTS.......................................................................7

Inherent Safety.....................................................................................................................................7
Tolerability...........................................................................................................................................7
Uncertainty & Gross Disproportion.....................................................................................................8
UKOOA ALARP Decision Framework..............................................................................................9
Bow-Ties............................................................................................................................................10

3
3.1
3.2

4
4.1
4.2
4.3
4.4
4.5
4.6
4.7

CHARACTERISTICS

OF THE

ALARP DEMONSTRATION............................................12

INTRODUCTION
RISK TOLERABILITY CRITERIA

12
13

ALARP DEMONSTRATION PROCESS..................................................................15

IDENTIFY & ASSESS PHASE
SELECT PHASE
DEFINE PHASE
EXECUTE PHASE
OPERATE PHASE
ALARP DEMONSTRATION PRINCIPLES
CATALOGUE DESIGN (PACKAGE / SKID UNITS)

15
15
16
17
18
20
21

REFERENCES................................................................................................23

APPENDIX A ALARP DEMONSTRATION WORKSHEET TEMPLATE................24

EXAMPLE ALARP WORKSHEET TEMPLATE

APPENDIX B GETTING

TO

ALARP

25
GUIDING STATEMENTS....................................26

APPENDIX C RISK TOLERABILITY CRITERIA............................................................32

ALARP Guide Rev B Issue for useMay 2013

Page 2 of 35

Process Safety Guidance

ABBREVIATIONS
Acronym

Definition

ACAL

Asset Controls and Assurance List

AI-PSM

Asset Integrity Process Safety Management

ALARP

As Low As Reasonably Practicable

API

American Petroleum Institute

BAT

Best Available Technology

CBA

Cost Benefit Analysis

CBL

Consequential Business Loss

DCAF

Discipline Control Assurance Framework

DEP

Design Engineering Practices

DEM

Design Engineering Manual

DP

Design Pressure

DS

Downstream

DSM

Downstream Manufacturing

DT

Design Temperature

EIA

Environmental Impact Assessment

EV

Expecation Value

FAR

Fatal Accident Rate

FAQ

Frequently Asked Question

HAZID

Hazard Identification

HEMP

Hazard Effects Management Process

HFE

Human Factors Engineering

HRA

Health Risk Assessment

HSSE

Health, Safety, Security & Environment

HSSE&SP CF
GDH

Health, Safety Security Environment & Social Performance Control

Framework
Global Discipline Head

IRPA

Individual Risk per Annum

ISO

International Standards Organization

LOPA

Layer of Protection Analysis

LS[I]R

Location Specific [Individual] Risk

MAH

Major Accident Hazard

MIACC

Major Incident Accident Council Canada

MOC

Management of Change

ORP

Opportunity Realisation Process

PCAP

Project Controls Assurance Plan

ALARP Guide Rev B Issue for useMay 2013

Page 3 of 35

Process Safety Guidance

PEM

Physical Effects Modelling

PLL

Potential Loss of Life

PS

Process Safety

PSR

Process Safety Review

PT

Projects Technology

QRA

Quantitative Risk Assessment

RAM

Risk Assessment Matrix

SCE

Safety Critical Equipment or Safety Critical Element

SIL/IPF

Safety Integrity Level / Instrument Protective Function

SoF

Statement of Fitness

QRA

Quantitative Risk Assessment

UA

Upstream Americas

UI

Upstream International

UKOOA

Unitied Kingdom Offshore Operators Assocation (which has

effectively been replaced, since 2007, by Oil & Gas UK)

ALARP Guide Rev B Issue for useMay 2013

Page 4 of 35

Process Safety Guidance

ALARP GUIDE
Purpose
This guidance describes a suitable approach to demonstrating ALARP for a wide range of
HSSE & SP risk management decisions. This guidance together with the HSSE Case guidance
will enable businesses to meet the minimum requirements of the HSSE & SP Control
Framework Managing Risk Manual to provide a documented demonstration of ALARP.
This document outlines the means by which ALARP can be consistently demonstrated for all
assets and projects across Shell.
Background
The Shell Group Control Framework for Health, Security, Safety, Environment and Social
Performance stipulates that risks shall be managed to ALARP.

Who is this for?

Business Opportunity Managers and Business Leaders

Project Managers;

Asset Managers / Operations Managers

Wells Managers

Technical Safety Engineering Authorities

HSSE Professionals.

Accountability & Responsibility

The accountability for demonstration of ALARP, as stipulated in the HSSE&SP Control

Framework, is with the Business Leaders, Asset Managers and Project Managers.

The responsibility for HSSE DCAF deliverables mentioned in the guidance document is
defined in the PCAP for each project, or for existing assets in the ACAL.

The Technical Authority for the ALARP demonstration report is Technical Safety
Engineering.

ALARP Guide Rev B Issue for useMay 2013

Page 5 of 35

Process Safety Guidance

ALARP CONCEPT
1.1

Introduction

Within the HSSE & SP Control Framework, the Management System (MS) Manual describes
specific requirements regarding the management of HSSE Risks in assets, facilities, operations,
projects and activities where the HSSE & SP Control Framework applies.
In Particular;

The Managing Risk Manual requires:

o

where reasonably practicable, eliminate hazards or substitute hazards that have

risk in the yellow and red area of the RAM with ones having lower risk.

identify and implement controls and recovery measures for hazards with risks in
the yellow and red area of the RAM to reduce the risk to ALARP.

a Hazards and Effects Register that includes reference to the Shell HSSE & SP
CF requirements, legislation or industry codes used to determine ALARP or
reference to the process by which ALARP is determined.

for Hazards that have risk in the red and yellow 5A and 5B areas of the RAM:
identification of criteria for ALARP determination and their consistent application;
provision of a documented demonstration of ALARP.

The Asset Integrity Process Safety Management Application Manual (AIPSM) focuses
on the identification and documentation of hazards with process safety risks in the red
or yellow 5A and 5B areas of the RAM and requires that these are managed to ALARP
as specified in the Managing Risk Manual.

The HSSE&SP Control Framework Projects Manual requires that the HSSE & SP
project risks be identified, assessed documented and managed in line with the
Managing Risk Manual.

The Human Factors Engineering section of the Health manual requires that relevant
results of implementation of the project HFE Strategy are incorporated into the ALARP
demonstration.

This guidance document describes the means by which ALARP may be demonstrated for a
variety of Project, Asset and Activity Risks to support users in meeting the above requirements
of the HSSE & SP Control Framework Manuals. It further provides a description of the ALARP
demonstration process and risk management tools that may be used to support an ALARP
demonstration. The demonstration of ALARP is often documented in a so-called HSE Case
(or Safety Case, if limited to safety aspects of a Project, Asset or Activity only).
Definition
The definition of ALARP is widely accepted, and defined in the HSSE & SP, as:
The point at which the cost (in time, money and effort) of further Risk reduction is grossly
disproportionate to the Risk reduction achieved. 1
1 The principle is based on English Tort Law (Edwards v. The National Coal Board,1949): Reasonably
practicable is a narrower term than physically possible and it seems to me to imply that a computation
must be made by the owner, in which the quantum of risk is placed on one scale and the sacrifice
ALARP Guide Rev B Issue for useMay 2013

Page 6 of 35

Process Safety Guidance

The characteristics of ALARP are:

A risk must be understood and assessed in detail before making an ALARP decision. If the
risk is not well understood, a precautionary approach should be adopted.

For well understood risks in standard situations, the application of applicable codes and
standards together with Good Practice will normally be sufficient to demonstrate ALARP
the assumption is that an ALARP judgement was made in establishing the good practice.

High risks associated with a hazard or hazardous activity typically require more cost and
effort to demonstrate ALARP than lower risks.

ALARP can change over time. Changes in societal values, expectations, technology, codes
and standards and cost reductions in risk reduction techniques will mean ALARP continually
changes.

Projects will typically benefit from early determination of measures to reduce risks to ALARP,
resulting in a safer design with lower impact on the environment.
Legislation, Industry standards and Recommended Practices are used across industry to
manage hazards and their associated risks, however, whilst compliance with regulations and
industry standards is a pre-requisite to demonstrate ALARP; compliance alone may be
insufficient to reduce the risks to ALARP.

ALARP RELATED CONCEPTS

Inherent Safety
An inherently safer approach to risk management is one that tries to avoid or eliminate hazards
or reduce the magnitude, severity, or likelihood of occurrence by careful attention to the
fundamental design and layout.
Good risk management depends on a clear understanding of the hazards and their interaction
with the design or activity and its operation. If a design or activity is to be optimised to avoid or
reduce the hazards of operation this ideally needs to be done early in the development of the
design of the asset or activity. The more critical part of any project is at the start, when all the
major decisions are taken regarding for example the location, type of installation, operating
philosophy, and processes to be adopted. Once a concept design is completed, most of an
installations or activitys construction and operational costs will have been fixed and
opportunities to manage the hazards in an (inherently) safer way will have been lost (for
example due to disproportionate cost).
Tolerability
Tolerable is defined by the UK HSE [reference 7] as follows:
In this context, tolerable does not mean acceptable. It refers instead to a willingness
by society as a whole to live with a risk so as to secure certain benefits in the confidence
that the risk is one that is worth taking and that it is being properly controlled. However, it
does not imply that the risk will be acceptable to everyone, i.e. that everyone would
agree without reservation to take the risk or have it imposed on them.
involved in the measures necessary for averting the risk (whether in money, time or trouble) is placed in
the other; and that if it be shown that there is a gross disproportion between them the risk being
insignificant in relation to the sacrifice the defendants discharge the onus on them. Moreover, this
computation falls to be made by the owner at a point of time anterior to the accident.
ALARP Guide Rev B Issue for useMay 2013

Page 7 of 35

Process Safety Guidance

A risk that is as low as reasonably practicable might still be so high that it is unacceptable (i.e.
not tolerable). A number of regulatory regimes specify requirements on risk tolerability. Other
criteria are prescribed by the Company for example in DEPs and in the Downstream
Manufacturing standards. Projects are required to establish tolerability criteria (limits between
what is unacceptable and what is tolerable if ALARP) in the early stages of a project. Appendix
C discusses setting tolerability criteria in more detail but it is not the role of this document to
prescribe definitive values. In addition to quantitative criteria discussed in the appendix,
qualitative criteria are also appropriate. Qualitative criteria can be found for example in the
Managing Risk manual of the HSSE & SP Control Framework.
It is important to identify and then recognize Shells vulnerability to the few potentially
catastrophic events that exist across Shell Globally. These events need to be managed based
on their potential consequences rather than (calculated) risk, since Shell, Society and
Stakeholders simply wont accept the consequence. The principle for these events is that they
are so undesirable that their consequences should be avoided. The philosophy is therefore,
that Shell needs to subject these events to a very strong defensibility test rather than a
reasonableness test.
Uncertainty & Gross Disproportion
The more uncertainty about the consequences and/or likelihood, the more conservative must be
the assessment of risk or, correspondingly, the higher the burden of proof of gross disproportion.
Putative consequences mean those that can be envisaged as potentially occurring without proof
of the actual possible severity of the outcome. In other words, with increasing uncertainty
regarding possible consequences expert opinion is used to propose the worse case
consequence erring on the side of increased severity.

ALARP Guide Rev B Issue for useMay 2013

Page 8 of 35

Process Safety Guidance

Figure 1 Overview of uncertainty in management of major accident hazard scenarios

The test of gross disproportion requires you to know how close risk is to the tolerability
threshold. Increasing uncertainty for large scale hazardous scenarios increases the burden of
proof. The closer the exposed population is to tolerability threshold, the higher the burden of
proof.
Cost Benefit Analysis (CBA) may be used, with a factor that is appropriate to the burden of proof
of disproportion. For example, if the Individual Risk Per Annum (IRPA) for a worker is near the
threshold of 1x10-3, a risk reduction measure would have to cost more than 10x the risk cost 2 of
accepting the consequences to be considered grossly disproportionate.
Cost Benefit alone is insufficient to demonstrate ALARP. When a Cost Benefit Analysis is
conducted, the upside may be significant to the organization, however, along with the upside a
new or increased risk may be transferred to others who do not derive a defined benefit.
Example, if a new chemical is being used to improve production rates, the cost benefit to the
organization may be significant, however, the risk to environmental emissions or additional road
transport may mean society is being asked to accept a new risk for little or no perceived benefit.
2 risk cost is the estimated cost of asset damage arising from incident including impact to
people, environmental damage and clean up, cost of business interruption and reputation
weighted according to the probability of occurrence during the remaining life of the asset
ALARP Guide Rev B Issue for useMay 2013

Page 9 of 35

Process Safety Guidance

The risk tolerance levels for different parties differs and hence this too needs to be evaluated in
the overall cost benefit analysis.
The above concepts contribute to the ALARP determination. To support this, section 4.6 and
Appendix B contains a number of statements to further clarify the ALARP concept.
UKOOA ALARP Decision Framework
Demonstrating ALARP includes justifying that the appropriate hazard management decisions
have been taken. Figure 2, The UKOOA Decision Framework was developed to help industry
determine the decision context. Note that this is currently (2013) being updated by Oil and Gas
UK (which is effectively the successor to UKOOA). Once the context has been identified the
framework can be used to select the most appropriate bases for decision making. Later in this
guidance document, reference is made to the UKOOA decision framework and A, B and C
type decision and how they pertain to delivering an ALARP demonstration to meet the
requirements of HSSE & SP CF.

Figure 2 UKOOA DECISION FRAMEWORK

Significance to Decision
Making Process
Means of Calibration
Codes and Standards

Decision Context Type

Codes & Standards

A

Verification
Peer Review

Benchmarking
Internal Stakeholder
Consultation
External Stakeholder
Consultation

Company
Values
Societal Values

Nothing new or unusual

Well understood risks
Established practice
No major stakeholder implications
Lifecycle implications
Some risk trade-offs/ transfers
Some uncertainty or deviation from
standard or best practice
Significant economic implications
Very novel or challenging
Strong stakeholder views and
perceptions
Significant risk trade-offs or risk
transfer
Large uncertainties
Perceived lowering of safety
standards

Bow-Ties
One of the HSSE tools to support an ALARP demonstration is the bow-tie. Criteria have been
developed to ensure credit is only taken for valid barriers. Barrier health reviews are required
periodically during the Operational phase of an asset to ensure the barriers continue to perform
to the required functional and performance standards.
For risk assessments it is a pre-requisite that concept process design has been carried out to
provide primary containment specifically defining Design Pressure (DP), Design Temperature
(DT) and material selection. Threat identification is related to breach of this primary
containment.
ALARP Guide Rev B Issue for useMay 2013

Page 10 of 35

Process Safety Guidance

A barrier is considered to be valid if it is:

Independent
Effective
Auditable (i.e. against a performance standard).
"Barriers prevent or reduce the probability of each Threat or prevent, limit the extent of, or
provide immediate recovery from the Consequences: Barriers may be:
Design features in addition to determination of DP, DT and material selection (e.g.
separation distances);
Hardware (e.g. pipeline wall thickness, pressure relief valve, fire detection);
Processes or procedures (e.g. lock out/tag out);
Operational intervention tasks (e.g. plant monitoring/shutdown).
Both Downstream(Re f2) and Upstream have developed guidance on the use of bow-ties including
requirements for barrier validity.
Particularly during the operational phase, the demonstration that the risks are reduced to
ALARP often includes a bow-tie workshop to convince the operation that the risks for the asset
are ALARP. An ALARP demonstration will require documented assessment of the bow-tie
together with justification for additional or improved barriers. The ALARP demonstration in
these cases relies on the judgement of specialists and experts and this should be recorded as
part the demonstration process.
An ALARP demonstration should include details of what action has been taken to ensure that
the risk of human error to the effectiveness of Barriers has also been mitigated. This
demonstration should include consideration of human error in design, as well as operational
controls such as competence, procedures and avoidance of risks from factors such as fatigue.
Much of this content for this demonstration should be available from the results of implementing
the project HFE Strategy, as well as ensuring compliance with other HSSE&SP Control
Framework manuals.

ALARP Guide Rev B Issue for useMay 2013

Page 11 of 35

Process Safety Guidance

Characteristics of the ALARP Demonstration

3.1

Introduction

The guidance in this document describes how to develop an ALARP demonstration that satisfies
the requirements of the HSSE & SP Control Framework.
The ALARP demonstration process begins during the early project phases and continues
through front end design, detailed design, execution and throughout the operational life of the
asset or activity. Figure 4 provides an overview of the process as the project progresses from
initiation through design and execution to operations. The ALARP process in Section 4
describes the various steps and tools available during the project phase to support the
development and ultimately resulting in the ALARP demonstration prior to start-up of an asset.
In addition, Shell owns assets which have been operational for many years and also obtains
new assets through acquisitions. The later part of Section 4 describes the means by which
existing and newly acquired assets can be assessed to support an ALARP demonstration.
Figure 4 is a pictorial representation of the process by which ALARP is delivered during a
project and into the operational phase. The process represented focuses on three aspects of
an ALARP demonstration:

Application of the hazard hierarchy (Figure 3)

Iterative nature of ALARP with the evaluation of risk reduction options becoming
increasingly more detailed as the project progresses.

ALARP demonstration is not simply a calculated value.

The left hand side of the diagram (Figure 4) identifies some of the supporting HEMP studies and
HSSE&SP deliverables typically completed during the project phase to identify, assess and
evaluate hazards and their associated risks. The boxes on the right hand side identify some of
the non-technical and technical inputs that may be required for consideration as part of the
ALARP assessment.
This ALARP guidance document is focussed on describing the process and tools required to
conduct the ALARP assessment and evaluation which culminates in an ALARP demonstration.
As shown in Figure 4, the ALARP demonstration process starts at the Identification phase and
the process is iterative in nature: initial focus is on high level elimination or substitution of
hazards and associated risks and becomes more refined as the project develops.

ALARP Guide Rev B Issue for useMay 2013

Page 12 of 35

Process Safety Guidance

Eliminate

Figure 3 Hazard Hierarchy

MOST
EFFECTIVE

Substitute

Isolate/Separate
EIs
ng
eer
oin
late

LEAST
EFFECTIVE

P
PP
PE

Eliminatesourcesof flammablegasrelease

S
ubstitute
SubstituteCompressor Houseforopenarrangement
Separation

Separatecompressorsfromeachother
Separatecompressorsfromrest of plant
Separategascloudfromignitionsources

EngineeredSafeguards

PREVENTIONDesignforprocesscontainmentintegrity
MITIGATION Gasdetection, shutdown, blowdown
Isolationof ignitionsources
Forcedventilation

Erg
na
gnin
rn
O
ise
ae
tio
in
PA
rodcm
ed
ures

Eliminate

Not
assessedin
quantitative
terms

O
rganisational Controls
OperatortrainingforCompressor upsetconditions
Communicationforemergencyresponse

Procedural Controls-

Operatingprocedures
Emergencyresponseprocedures

P
ersonal ProtectiveEquipment
N/AthereisnoPPEeffectiveagainstexplosion

For those projects following the Opportunity Realisation Process (ORP) many of the
deliverables and HSSE Studies are prepared during the development phase in accordance with
the Discipline Controls and Assurance Framework (DCAF). Whilst not all projects use DCAF,
this guidance document cross references key DCAF deliverables.
Compliance with this guidance will enable assets to meet the HSSE Case Guidance document
which specifies the requirements for developing and documenting HSSE Cases including
ALARP demonstration reports for each stage of the ORP.
Section 4.6 provides guidance on questions to discuss as part of an ALARP demonstration
review.
3.2

Risk Tolerability Criteria

At the outset of any risk assessment or ALARP demonstration process, it is important to define
the basic parameters for the risk assessment and to set the scope and document the Risk
Tolerability Criteria. The Risk Tolerability Criteria establish the reference point for the evaluation
of the results of the risk assessment and input to the ALARP decision process. The Risk
Tolerability Criteria shall as far as possible reflect the HSE objectives of the project / asset,
including any local legal requirements. In addition they shall be:

suitable for evaluation of the activity or system in question

suitable for comparison with the result of the analysis performed

suitable for decisions regarding risk reduction measures

suitable for communication both internally and externally

clear and unambiguous.

Guidance on setting such criteria is given in Appendix C.

ALARP Guide Rev B Issue for useMay 2013

Page 13 of 35

Process Safety Guidance

Figure

ITERATIVE

DEVELOPMENT

ALARP Demonstration Process

ALARP Guide Rev B Issue for useMay 2013

Page 14 of 35

OF

ALARP

DEMONSTRATION

Process Safety Guidance

4.1

Identify & Assess Phase

Objective: To identify stakeholder minimum requirements and concerns and evaluate

project viability. To demonstrate that each development concept meets societal,
company and technical expectations, and opportunities to eliminate hazards have been
taken.
Responsibility: The Business Opportunity Manager, Business Development Leader or
Project Manager
The Identify phase of a new project is focused on correctly identifying stakeholder minimum
requirements and concerns. The goal is to understand the environmental and societal drivers.
The ALARP process is focussed on new projects meeting the value drivers and stakeholder
aspirations.
The Assess phase of the project life-cycle continues to identify and assess stakeholders
minimum requirements and concerns and to screen possible development concepts for
suitability and economic performance. Obtaining a clear understanding of stakeholder concerns
is critical since failure to identify them will create errors in economic analysis and in the concept
selection process.
Early in the Opportunity Realisation Process, ALARP demonstration is centred on identification
of the key risk contributors that make up the overall risk profile for each development option
under consideration. The holistic picture of the project risks should be developed and
opportunities to eliminate or minimize hazards sought.
With reference to the UKOOA decision framework, the focus during the Identify and Assess
phase of the ORP is to understand and address the hazards associated with B and C type
decisions. Fundamental to delivering an ALARP design is the application of inherent safety
principles to each development concept and demonstrating that each concept meets societal,
company and technical expectations.
4.2

Select Phase

Objective: To understand the relative risks of all remaining concepts and select the best
qualified concept for further development. Hazards are eliminated, substituted or
segregated where reasonably practicable. Where the best qualified concept is not the
lowest risk, documentation on the reasoning behind the chosen concept is a critical
aspect of an ALARP demonstration.
Responsible: The Business Opportunity Manager, Business Development Leader or
Project Manager
The focus of the Select Phase is to compare the proposed development concepts, decide if one
or more is acceptable, and select the most qualified concept for further development.
For all viable concepts it shall be documented how societal and company expectations have
been addressed. The ALARP demonstration process relies on demonstrating a transparent
evaluation process, recorded in for example an ALARP Demonstration Worksheet (see
Appendix A), as well as continuing to engage key stakeholders.
Philosophies may be developed to guide to goals that company and project are determined to
achieve. Philosophies may function to support options evaluation against the described goals
that are set to be achieved. Philosophies can act as help to overcome disputes in level of
expectations and requirements.
With reference to Figure 4, the intent of the Select Phase is to compare relative risk limits of
each concept. This will enable the project to understand the relative range of risks between
ALARP Guide Rev B Issue for useMay 2013

Page 15 of 35

Process Safety Guidance

each option together with uncertainties associated with the risk estimates. The concept
selection shall consider both the relative risks between each option and the likelihood of being
able to deliver the project at the low end of the risk range.
The concept selection phase applies the hazard hierarchy (Figure 3) to each option and focuses
on elimination and substitution of the risks as well as isolation and separation of hazards to
reduce the level of risk.

The Concept selection phase includes evaluation and selection of development

options including for example: process options (e.g. platform type, process
technology); location (e.g. onshore, offshore, site selection, pipeline right of way);
operating philosophy (e.g. manned, unmanned, degree of automation), etc.
Lifecycle risks should be considered, i.e. construction, commissioning and
decommissioning as well as operation.

The HSSE premise for the project is developed during this phase and the ability of
the options to meet the HSSE premise shall be taken into account during concept
selection process.

The Basis of Design is developed which documents the Engineering Design

Standards that shall be applied. The Basis of Design includes identified Safety
Critical Equipment (SCE) and associated minimum functional performance standards
required to prevent or mitigate against identified hazard scenarios.

The Basis of Design drives selection of main containment parameters, such as

Design Pressure and Temperature and Material Selection and having influence on
potential threat and barrier identification and measures.

The HFE strategy is developed which documents HFE standards and quality control
activities to bring human error to ALARP.

The documented demonstration of ALARP shall include the above together with a
transparent evaluation of options against alternatives.

For new installations the residual risk levels should not be greater that those achieved by the
best examples of existing Shell and Industry good practice for comparable functions and
operating locations / conditions.
With reference to the UKOOA decision framework, the focus during the Select phase of the
ORP is to understand and address the hazards associated with B and C type decisions and
define expectations for the management of A type decisions. The process followed should
demonstrate appropriate means of stakeholder involvement.
4.3

Define Phase

Objective: To take the selected concept and further define the configuration and
equipment specifications to ensure the risks are tolerable and continue to be reduced
towards ALARP.
Responsible: Project Manager
The goal is to ensure that key stakeholders are engaged and the conceptual design is optimal.
Major design decisions are taken that reduce risks associated with the design and operations of
the facility and uncertainty around risk levels are reduced using the hazard hierarchy. Technical
ALARP Guide Rev B Issue for useMay 2013

Page 16 of 35

Process Safety Guidance

Safety Engineering, Environment and Health tools are applied to evaluate risk reduction
opportunities and implement viable recommendations.
The hazard hierarchy continues to be applied; focus is primarily on main threat identification and
measures to prevent LOC, for example overpressure protection, over/under temperature
protection, isolation and separation of hazards during the early stage of this phase (plot plan
optimization and safe shutdown/isolation of processes). Engineered control and mitigation
measures are assessed to ensure suitable, sufficient controls are included in the design to
prevent and mitigate the hazard scenarios. Technology selection and equipment options are
evaluated for their HSSE risks. The lowest risk options or combination of options should be
selected whilst giving due consideration to other project priorities. Cost Benefit Analysis (CBA),
Quantitative Risk Assessment (QRA) and other quantitative tools may be used to support
ALARP decision and demonstration. For most decisions CBA is not necessary and it is only
needed in the relatively few cases where the benefits of moving to a lower risk option are
unclear and cannot be resolved qualitatively. Operation and maintenance principles, including
HFE are applied during this phase to ensure that longer term operational risks are minimized.
Construction and Commissioning risks for the design are identified and assessed to ensure
these HSSE risks are managed to ALARP. The hazard hierarchy shall be applied to identified
construction / commissioning risks and associated activities. For example, opportunities to
minimize transport risk, working at height etc. to reduce activity based risks to ALARP shall be
assessed.
AI-PSM requirements applied, particularly ensuring Process Safety Basic Requirements are met
and creating documentation for HSSE Critical Equipment.
It is important that the results of the Health, Safety and Environmental risk evaluation Tools are
documented to support the demonstration that risks are reduced to ALARP. Examples of such
studies include:

Compliance with the HSSE & SP Control Framework.

Layout Philosophy behind layout is visible (HFE / HSSE / Congestion).

Equipment Specification Comply with DEP and SHALL [PS] statements.

Equipment to prevent / control hazard scenario is identified as SCE with appropriate
Performance Standards.

Demonstrated compliance with Minimum Safety System Standards such as DEP

37.01.10.10 Gen (ISO 10418, API 14C).

Demonstration that adequate attention has been given to identifying and mitigating
the risk of human error to performance of safety critical tasks (for example by
compliance with DEP 30.00.60.19-GEN).

Demonstration that Bow-ties have been assessed to ensure human performance

does not threaten the validity of barriers.

Appropriate risk studies used to demonstrate ALARP using Project Guide 1. Risk
Studies support decisions requiring risk tradeoffs.

HSSE Action Register close out. The closeout of actions from HEMP studies (PEM,
HAZID, QRA, HRA, EIA, HFE, Reviews etc.).

Documented demonstration that risks are ALARP - HSSE Case.

ALARP Guide Rev B Issue for useMay 2013

Page 17 of 35

Process Safety Guidance

4.4

Execute Phase

Objective: To complete the detailed design and construct, install and commission the
facility ready for operations.
Responsible: Project Manager and Construction & Commissioning Manager
The detailed design phase of the project should focus on application of relevant codes,
standards and good engineering practice. Approval processes shall be in-place to ensure
appropriate implementation of HEMP and risk assessment results and the recommendations
from these studies. Follow-up risk studies are completed to verify assumptions during the
concept and define phases and confirm the detailed design continues to demonstrate HSSE
risks are managed to ALARP. Effective Management of Suppliers, Contractors and Change
procedures are required to ensure that the HSSE risks associated with proposed changes are
assessed and evaluated and risk reduction measures continue to be implemented where
reasonably practicable. The Design HSSE Case / ALARP Demonstration Report is signed-off
as detailed design is completed.
As the execute phase progresses into construction and commissioning there is little impact on
the risk profile of the design of the facility, provided no significant changes are made to the basis
of design. The focus is on conformity to the design and delivery of the Safety Critical Equipment
to the Performance Standards. Material control and quality control of installation and
commissioning steps (welding, leak testing, function testing) is crucial to enable the facility to be
handed over for safe operation.
Stakeholder engagement continues to ensure risk and issue management is transparent and
commitments are delivered. Key Stakeholders need to be satisfied that a high quality asset is
being delivered.
HSSE and Technical Safety Engineering studies such as Bow-Tie Assessment and
Safeguarding Reviews are finalized to document the control and mitigation measures (barriers)
in place to manage the hazards and associated risks to ALARP. Operations and maintenance
personnel will be trained and maintenance and operating systems completed to ensure Safety
Critical Equipment is managed within design limits. At this stage of the project life-cycle
ensuring high quality as-built condition as well as effective recording of the as-built state is
crucial to deliver to operations a facility with high design and technical integrity to enable best in
class HSSE performance. Projects shall demonstrate compliance with agreed design
philosophies and minimum functional specifications for all Safety Critical Equipment.
The Execute Phase is completed with the handover of the asset to Operations which includes
the sign-off of the Statement of Fitness, including the ALARP demonstration report (HSE Case).
4.5

Operate Phase

Objective: To operate and maintain the facility in accordance with design codes and
performance standards to ensure control barriers remain valid. Review HSSE Risks on
a regular basis, learn from incidents and demonstrate process safety, HSSE and social
performance risks continue to be managed to ALARP.
Responsible: Asset Manager

ALARP Guide Rev B Issue for useMay 2013

Page 18 of 35

Process Safety Guidance

The main objective in the operational phase is to demonstrate that the risk level during
operations is maintained at ALARP. In this phase of the lifecycle of an asset the ability to further
reduce HSSE risks is limited however, close monitoring of HSSE and Asset Integrity / Process
Safety performance is critical to ensure risks remain ALARP. Compliance with the requirements
of the HSSE & SP CF, AI-PSM and monitoring of developments in industry, use of best
practices, affordable technology (Best Available Technology - BAT) and Learning From Incidents
(LFI) both within an asset, company and industry, are required to ensure risks remain ALARP.
In the Operate Phase the documented demonstration of ALARP is often contained in the assets
HSSE Case. ALARP decisions and supporting risk analysis must be reviewed throughout the
life of the facility since societys expectations with respect to Health, Safety and Environment
change over time. The ALARP demonstration and HSSE Case shall be regularly reviewed and
maintained to enable the asset to demonstrate the hazards and associated risks continue to be
managed to tolerable and ALARP. In particular the Asset Statement of Fitness confirming that
Process Safety risks have been identified and documented and are managed to ALARP is
required to be developed before commissioning a new Asset or modification to an existing one
and updated:

before restarting after an incident involving uncontrolled shutdown;

after an overhaul or a turn-around;

after the Asset has been subjected to operating conditions outside the Equipment
Constraints;

after the Asset has experienced environmental conditions beyond the original design
parameters.

Stakeholder engagement continues to be important to maintain relationships and to be aware of

changes in stakeholder intolerabilities and expectations.
In the operational phase (without major modifications, which should be managed as an
improvement project), relevant sources of identifying potential risk reduction measures and
improvements to maintain ALARP include:

Demonstrated Compliance with Regulatory requirements.

Update to risk analysis and HEMP studies

Assurance to control Process Safety Basic Requirements (PSBRs) to ALARP.

Internal and external audit findings

Technical Integrity reviews and documented management of Safety Critical

Equipment against Performance Standards.

Incident and near miss reports & Learning from incidents

Stakeholder engagement to ensure that societal expectations continue to be

addressed for existing and emerging issues.

Proposals for risk improvement actions documented to demonstrate risk continues to

be managed to ALARP. [i.e. improvement opportunities implemented where justified
and documented ALARP justification for those actions not implemented]

ALARP Guide Rev B Issue for useMay 2013

Page 19 of 35

Process Safety Guidance

Conduct periodic review of hazard controls (Barrier Health Checks).

Compliance with AI-PSM requirements, in particular having robust business controls

including Management of Change, Permit to Work, Operating Envelopes, Competent
and Trained Operators, annual review of process safety risks. Companies are
increasingly held liable if they dont adhere to what was established in the agreed
and approved ALARP determination (do what you say you are going to do e.g.
inspection & maintenance tasks)

Periodic review of HSSE Case; Process Safety Review at least every five years.
Evaluate barriers against latest DEPs, Minimum Safety Systems, and best practices.

Comparison with model bow-ties and documented challenge to incorporate new or

improved barriers to manage risks to ALARP.

Layer of Protection Analysis (LOPA)

Fatigue Risk Management

The evaluation of risk reduction options during the Operations phase may include cost benefit
analysis and quantified risk assessments to determine whether a solution is ALARP. In other
words, are the cost, time and effort required grossly disproportional to the risk reduction
achieved?
The cost of risk reduction measures is a key consideration during the operational phase of a
facility. For example, the layout and location of a pipeline during the early design phase can be
moved to account for new threats, such as an increased set back distance from road / rail
routes. However, during the operational phase of a facility the cost of relocating a pipeline is
likely to be disproportionate to the risk reduction achieved. In this situation, controls lower down
the hierarchy of controls will need to be evaluated, such as crash barriers, improved signage,
reduced speed limits, to minimize the potential for impact.
Where Shell acquires assets the need to demonstrate ALARP remains. However, it is
recognized that HEMP and Safety Studies together with an HSSE Case may not exist. The
initial focus for the asset will be to complete appropriate HEMP studies to identify the hazards
and areas of risk that require most urgent attention. The demonstration that the risks are
reduced to ALARP often includes a bow-tie workshop with operations personnel to identify if any
further barriers are required to bring the facility risks to ALARP. An ALARP demonstration will
require documented assessment of the bow-tie together with justification for any recommended
additional or improved barriers. The ALARP demonstration in these cases relies on the
judgement of specialists and experts. This should be recorded as part the demonstration
process.
All ALARP decisions conducted during the operations phase shall continue to be recorded and
documented in the Operations HSSE Case.
4.6

ALARP
Principles

Demonstration

As has been discussed already in this guidance document, ALARP decisions are not taken in
isolation, but they take into account the implications on interacting and interconnected activities.
ALARP decisions may involve many different processes (design, contracts & procurement,

ALARP Guide Rev B Issue for useMay 2013

Page 20 of 35

Process Safety Guidance

construction, operations, quality control, management of change, turnarounds, etc.) and input
from appropriately qualified experts in each field should be sought as required.
The ALARP demonstration starts at the onset of a project, and develops throughout all phases,
including in the documented demonstration of ALARP report at the end of design and the
Statement of Fitness that confirms in the operational phase that the Process Safety risks have
been identified, documented and are managed to ALARP (often in an Operations HSSE Case).
Demonstrating ALARP requires documentation of identified risk reduction opportunities through
various HEMP studies, as well as appropriate review and tracking to closure of agreed ALARP
decisions. The documented demonstration of ALARP should discuss two areas:
1) Justification for the selected option with lowest risk or risk reduction options that have been
agreed to
2) Reasons why it is justifiable not to implement the option with lowest risk or other proposed
risk reduction measures.

Appendix B gives guiding mindset statements on getting to ALARP. The questions below are
to be considered in conducting an ALARP demonstration and serve as guidance when
conducting an ALARP workshop or reviewing an ALARP demonstration:
i.

Are all relevant legal requirements satisfied?

ii.

Are all Shell and local requirements, guidelines, philosophies as well as national and
international standards and recommended practices satisfied?

iii.

Are consistent solutions applied across different Shell companies / business units in
one country / region? Recognize significant variations in ALARP solutions for the
same problem in similar circumstances must be defensible and are likely to come
under increasing scrutiny

iv.

Is the quantified risk level at least on a par with risk levels for similar concepts /
facilities in similar circumstances / locations?

v.

If solutions are being considered which do not meet ii) or iii) can it be shown that no
significant increase in risk level will result as a consequence of these deviations? Are
any deviations from regulatory / Shell requirements approved at the appropriate level
of authority?

vi.

Where quantitative criteria are defined, is there sufficient margin to allow some
increase in risk later in the design process to be absorbed without the need for
massive change or improvement?

vii.

Has best available technology (BAT) been considered?

viii.

Have inherent safety solutions been chosen where possible?

ix.

Have appropriate HSE risk experts, technical and non-technical disciplines been
involved, taking all relevant aspects into account (individual and societal impacts,
reputation, commercial etc.)?

x.

Has the appropriate level of input from peers, subject matter experts and senior
leaders in the organization been taken into account in the ALARP decision process?

xi.

Are precautionary and cautionary principles considered? (see FAQ2)

ALARP Guide Rev B Issue for useMay 2013

Page 21 of 35

Process Safety Guidance

xii.

Are there unsolved aspects relating to risk to personnel or environment and is there
conflict between these areas (e.g. risk trade off)?

xiii.

Is the concept selected robust to safety and environment as well as supportive to

Shells reputation?

xiv.

Are the latest research and development results and new technology aspects
reflected in the solutions adopted?

xv.

Are societal concerns met / addressed?

xvi.

Are associated costs for lower risk options significantly disproportionate to the risk
reduction achieved?

xvii.

Have risks defined as Process Safety Basic Requirements (PSBRs) been

satisfactorily managed to ALARP?

xviii.

Has appropriate attention and effort been given to identifying HSSE critical activities
throughout the design process, and to ensuring the design will support high levels of
reliable human performance on those activities?

4.7

Catalogue
Design
(Package / Skid Units)

For many smaller projects, for example, multi well pad, production packs, compressors, etc.
businesses have developed catalogue designs. The specifications for these designs should
have been developed to comply with relevant Shell DEPs. The designs are intended for
repeatable (manufactured) equipment. The initial catalogue design may be developed following
the Opportunity Realisation Process. When the catalogue design is being applied in the field,
it is important that the HSSE&SP issues associated with its application at the proposed location
are identified and evaluated to ensure the as-built facility continues to be managed to risks
ALARP. For example, the installation of a catalogue compressor may be ALARP, however, once
3 or 4 compressors are installed at the same location, additional noise controls may be required
from a health and/or environmental perspective to manage the hazard to ALARP.
The ALARP demonstration of the catalogue design requires the HSSE Assessments in the
Identify and Assess phases of the ORP to be completed. At the end of this phase the
development should be able to:

Demonstrate that stakeholder and environmental issues at the location have been
met.

Company expectations have been met.

The HSSE Philosophy underpinning the catalogue design remains valid taking into
account interconnectivity with new / other facilities.

If the above is demonstrated, the project can implement the Catalogue Design without further
ALARP demonstration. If the premise for the Catalogue Design is no longer valid, it shall be
adapted and appropriate steps of the ORP applied.

ALARP Guide Rev B Issue for useMay 2013

Page 22 of 35

Process Safety Guidance

References
1. UKOOA Industry Guidelines on A Framework for Risk Related Decision Support
2. Shell Downstream Manufacturing Hazards & Effects Management Process (HEMP) DSM 2500003-ST
3. Shell HSSE & SP Control Framework
4. ISO 10418: 2003 Petroleum and natural gas industries -- Offshore production
installations -- Analysis, design, installation and testing of basic surface process safety
systems
5. API RP 14C: Recommended Practice for Analysis, Design, Installation, and Testing of
Basic Surface Safety Systems for Offshore Production Platforms
6. The Process of Achieving ALARP 16 Nov 2000
7. UK Health and Safety Executive, Reducing Risk, Protecting People: HSEs Decision
Making Process, published 2001. Generally known as R2P2.
8. UK Health and Safety Executive Assessment Principles for Offshore Safety Cases
Published March 2006
9. Shell Downstream Manufacturing: HEMP Hazard Identification and Risk Assessment,
Hazard Analysis, and Management Handshakes, DSM-2500003-SP-01.
10. NORSOK Standard Z-013 Risk and Emergency Preparedness Analysis, Rev 2,
September 2001.

ALARP Guide Rev B Issue for useMay 2013

Page 23 of 35

Process Safety Guidance

APPENDIX A ALARP DEMONSTRATION WORKSHEET TEMPLATE

Appendix A contains a template for recording an ALARP demonstration. In addition completed
examples using the template are provided.
Figure A1 shows the range of ALARP decisions one can experience, ranging from Prelude, to
Pipeline Location, to location of fire fighting facilities. The Technical Safety Engineering website
contains examples across the range and can be used to calibrate ALARP decision making.
Figure A1 Schematic Overview of the Range of ALARP Decision

ALARP Guide Rev B Issue for useMay 2013

Page 24 of 35

Process Safety Guidance

IDENTIFY

Example ALARP Worksheet Template

Problem Definition

HSSE Issues and Potential Risk

HSSE Issues
Potential Risks

ASSESS

HSSE Standard and Tolerability Criteria

Options Considered

A number of controls or mitigation measures have been identified and considered for
reducing risk of enclosing the equipment:
Basis for Selection & Uncertainties

Option Discussion:
Justification for Chosen Option

CONTROL & EVALUATION

Justification for Rejected Options (e.g. Options not

incorporated as considered beyond ALARP)

Residual HSSE Risks

Recommendations for Next Project Phase

None
Requirements for the Operations HSSE-Plan
All safety critical equipment to be operated and maintained to the Performance Standards.

ALARP Guide Rev B Issue for useMay 2013

Page 25 of 35

Process Safety Guidance

ALARP Guide Rev B Issue for useMay 2013

Page 26 of 35

APPENDIX B Getting to ALARP guiding statements

The decision making process to get to ALARP is not a mathematical one. It may involve calculation, but in
the end depends on subject matter expertise and professional judgment. Getting to ALARP requires
awareness of the guiding statements below, as it will help to drive the ALARP discussion to closure in an
integrated way, taking all aspects into account.

Reputation:

ALARP decision making should be defendable to the public

ALARP decision making should be defendable in the context of Shells reputation, and be
consistent with our business principles

Legal:

Tolerable may not be ALARP as tolerable relates to permissible regime. The HSSE & SP CF
(like UK law) requires implementation of ALARP.
Where implementation of ALARP is a legal requirement, it is not just about numbers and
complicated risk models. It is about demonstrating that the cost and effort (time and trouble) of
further risk reduction is grossly disproportionate to the risk reduction achieved
Companies are increasingly held liable if they dont adhere to what was established in the agreed
and approved ALARP determination (do what you say you are going to do e.g. inspection &
maintenance tasks)
Across different Shell companies in one country, significant variations in ALARP solutions for the
same problem in similar circumstances, are hard to explain

Scope:

ALARP decisions are not taken in isolation, but they take into account the implications of
interacting and interconnected activities
ALARP decisions range from conceptual to detailed design decisions through to operational and
decommissioning decisions.

Process:
The ALARP demonstration is started at the onset of a project, and developed throughout all
phases, including the ALARP demonstration report at the end of design and SoF in the
Operations phase.
ALARP decisions are documented and built upon while the decision making process towards the
final product is still ongoing, i.e. they are iterative.
ALARP requires documentation of identified risk reduction opportunities through various HEMP
studies, and appropriate review and closure tracking on implementation decisions.
ALARP decision making is applicable through the whole life cycle of an asset and involves most
processes (design, contracts & procurement, construct, operations, quality control, management
of change, turnarounds, decommissioning, etc.)
ALARP solutions are dynamic, they change over time with changes in societal expectations;
technology advances, availability and cost.
Professionalism:

ALARP is not a mathematical calculation; it may be supported by mathematical / model

calculations. In general the calculation is not the end but the start point. It can help understanding
of the contributing factors to the risk and aid judgment.
ALARP assessments should where possible make use of industry accepted justification
guidelines.
Industry body practices can be used as good practice, a competitors practice cant as such

ALARP Guide Rev B Issue for useMay 2013

Page 27 of 35

ALARP is about professional judgement and technical discipline, taking all relevant aspects into
account (society, reputation, commercial, industry standards, discipline engineering etc.)
ALARP decisions seek the right level of input from peers and specialists.
ALARP decision making should make use of multidisciplinary input depending on potential risk
and implications
Making ALARP decisions requires incorporation of good practices across the industry, and
lessons learned from incidents (internal and external)

ALARP Guide Rev B Issue for useMay 2013

Page 28 of 35

FREQUENTLY ASKED QUESTIONS

FAQ 1 Legislation
Q When all laws and regulations are complied with, does this mean that the Risks are both
Tolerable and ALARP?
A Not necessarily. It depends on the approach taken in the particular country. Many countries
do not have detailed legislation to regulate the full range of HSSE Risks in the oil and
petrochemical business, so complying with regulations alone provides no assurance that Risks
are being adequately controlled. Other countries have prescriptive requirements that may lag
behind developing technologies. Complying with these requirements will contribute to achieving
tolerability, but does not mean that Risks are reduced to ALARP.
In some countries reducing Risks to ALARP is a legal requirement in itself.
FAQ 2 Precautionary approach
Q We do not have any conclusive scientific evidence linking a particular medical condition with
the exposure to a certain chemical. However, some people believe there is a link. Do we need
to take any further action?
A Yes. The absence of conclusive evidence alone is not an adequate justification for taking no
action. On the contrary a more precautionary approach should be adopted when deciding the
required controls. If there are large uncertainties and the potential Risks are high, we would
classify this decision as Type B, or Type C if there are societal implications involving a large
element of judgment and consultation.
FAQ 3 Good Practice
Q If laws and regulations are complied with, Industry Standards and Codes are being followed
and Shell guidance is being applied, does this mean that the Risks are Tolerable? Are they also
ALARP?
A The Risks will be Tolerable providing Shell Group and Business standards and other agreed
Tolerability Criteria are being followed in addition to the legislation. For well-understood Risks
(Type A decisions), the Risks may also be ALARP if the Industry Codes and Standards are
current, the understanding of the Risks have not changed and the practices contained in the
codes have captured learning from incidents. Input from an expert may be necessary to be sure
that all the recent learning has been captured.
When operating at the forefront of technological know how or when the initial Risks are
significant, application of relevant Good Practice will be insufficient to achieve ALARP.
FAQ 4 Good Practice in overpressure protection
Q Can applying the DEPs reduce the Risks to ALARP?
A For the threat of overpressure of a process vessel, the requirement for providing relief valves
as a barrier is established in Industry Codes and Standards, e.g. API Codes and Recommended
Practices. This would typically be an A-type decision on the ALARP Decision Framework. The
selection, sizing and location of the relief valves follow standard practices. Hence the industry
codes, supplemented by practices established in Shell Design Engineering Practices (DEPs),
together with the expertise of the design engineer, will be adequate to select and specify the
relief valves. Relief valves, together with the other barriers established by industry will reduce
the Risk from this threat to ALARP.
If it is proposed to control the threat of overpressure by using an alternative such as a High
Integrity Pressure Protection system, then this is deviating from established Good Practice. The
decision should be assessed as Type B.
ALARP Guide Rev B Issue for useMay 2013

Page 29 of 35

Note that it may be possible to eliminate this hazard by fully rating the system (step 3 of the
ALARP determination process in Figure 4)
FAQ 5 Reasonably Practicable versus Reasonably Affordable
Q A refinery has established a budget for minor capital projects, which is used to fund asset
integrity upgrades and HSSE improvements. Proposals are ranked using the RAM. The refinery
management is confident that it is applying the RAM consistently and that it is investing the
available capital on proposals that will have the biggest impact in reducing the overall Risk to
the refinery. Are the Risks being reduced to ALARP?
A No. The refinery management is allocating the budgeted resources on the basis of Risk and is
probably reducing the overall Risk of the refinery to as low as reasonably affordable. However,
there may be additional measures that are Reasonably Practicable to reduce the Risk in
individual areas if additional budget was requested. An ALARP determination should be made
for each risk-reducing proposal and if justified (not grossly disproportionate) additional funds
should be sought.
FAQ 6 Less protected situations
Q When the whole idea behind ALARP is to reduce Risks to ALARP, how can we allow a less
protected situation?
A An example related to the effect of new knowledge can be found in the area of selection of
materials. Piping that was installed on a plant has a corrosion allowance of 6 mm. Some years
later a reassessment of the material codes established that 3 mm is sufficient. Subsequently,
during an expansion project the throughput and operating pressure of the pipe could be
increased, whilst remaining within the new corrosion allowance. The real Risk of the pipe failing
was increased, whilst remaining at a very low level, several orders of magnitude below any
Tolerability Criteria. An ALARP determination confirmed that the Risks were still ALARP.
FAQ 7 Transfer of Risks
Q What does this mean?
A We introduce measures to control all kinds of Risks. If the measures introduced involve risks,
we talk about transferring the risk from the original problem to the control measure. We can
distinguish two different situations involving transfer of Risk; same hazard and different
hazard:
Same hazard. As an example, the introduction of mechanical exhaust ventilation in a workshop
may transfer the Risk of welding fumes from the welders to general employees outside the
workshop. The added Risk to the general employees should be offset against the benefits to the
welders in the ALARP determination, as they are subject to the same hazard, although the risk
to individuals should be a lower as long as the ventilation has been properly designed.
Different hazard. Installing a fire/blast wall in a new offshore production platform will reduce
fire/explosion Risks to the future workers on the platform. However, building the fire/blast wall
will involve Risks to the construction workforce. The hazards underpinning the two Risks are
quite different. The hazards of building a wall are well understood and the Risks can be
managed to ALARP. These Risks should therefore not be taken into account in the ALARP
determination for the proposal to install a fire/blast wall.
Transfer of a Risk to the Public should always be avoided.
FAQ 8 Environment and safety Risks(1)
Q A proposal to transport drill cuttings to shore will reduce the environmental impact of an
offshore platform operation, but it will increase the Risks to people because it involves more
boat transfers. Should we reject the proposal?
ALARP Guide Rev B Issue for useMay 2013

Page 30 of 35

A No. The proposal should be evaluated by balancing the cost, effort and personal safety risk
involved against the environmental benefit in an ALARP determination. The Risks of boat
transfers, in particular of the crew being injured, involve quite different hazards from the
environmental hazards related to disposal of the drill cuttings. They are well understood and
there may be only a small increase in Risk from the additional boat journeys, which could be
effectively managed by existing marine transport controls. In some instances the increased
personal safety risk may be judged to outweigh the environmental benefit. Without the proper
analysis of both risks and benefits the risk ALARP decision cannot be made.
FAQ 9 Environment and Safety Risks (2)
Q When building an extension to an onshore gas plant, there are two options to dispose of the
excavated rock, either transport by road to a remote site, or dumping in the sea as part of the
land reclamation to extend the plant. The road transport option will significantly increase the
Risk to the local population and to the drivers. As the prevailing driving standards in this region
are low and the roads are of poor quality it will require a major effort to effectively manage the
road transport Risk. Should the road transport Risks be taken into account when assessing the
environmental Risks of the second option of dumping the excavated rock at sea?
A Yes. The road transport Risks involve quite different hazards from rock dumping at sea.
However, the expectation is that the residual road transport Risks will be quite significant, even
when they have been reduced to ALARP. They should therefore be included in the ALARP
determination. The environmental impact of the road transport should also be considered to
ensure that the scope boundaries of the assessments for the two options are comparable so
that a fair comparison can be made.
FAQ 10 Retroactive upgrading
Q Current practice does not permit the use of screwed fittings in hydrocarbon service. Our
facility was built a lot earlier and has many screwed fittings. Do we have to replace them?
A Possibly but not necessarily. The cost, effort and Risks involved in replacing the screwed
fittings should be balanced against the resulting risk reduction over the remaining lifetime of the
plant in an ALARP determination.
Historically, the cost, effort and Risk involved have proved to be grossly disproportionate on offshore platforms, but on refineries the upgrades have been Reasonably Practicable when made
during turnarounds.
FAQ 11 Hazard Register
Q Does a hazard register (tabulation of hazard, source/release scenarios, consequence, RAM
rating, risk reduction measures) provide sufficient documentation that Risks in the light shaded
area of the ALARP decision matrix (Figure 2) have been reduced to ALARP?

A No. The risk reduction measures column of a hazard register should refer to the procedure,
job hazard analysis, health risk assessment or other document that specifies the barriers to be
adopted. In addition, the person or team making the ALARP determination should confirm their
judgment that the risks are reduced to ALARP and that no further Reasonably Practicable
measures are available. This confirmation should be recorded either in the hazard register or
the referenced document, e.g. a HRA record.

FAQ 12 Human Error

ALARP Guide Rev B Issue for useMay 2013

Page 31 of 35

Q How can a Capital Project be expected to make a demonstration that the risk of human error
is ALARP during DEFINE and EXECUTE phase? Ensuring people are competent, and follow
Procedures are Operational issues that a project cannot be expected to control.
A Projects are expected to apply the principles of Human Factors Engineering throughout the
project lifecycle, and to reflect the results of HFE analysis, design and validation in the ALARP
demonstration as appropriate. Poor access, equipment layout, interface design, labelling, or
lighting, etc, can all contribute to making human errors more likely. Similarly, unreasonable
expectations about what people will be able to do, or how well they will be able to perform when
highly automated systems fail or dont work perform to the standards expected can mean that
Barriers are not as effective as is assumed.
As well as complying with relevant technical standards, projects should put reasonable effort
throughout DEFINE and EXECUTE phases into identifying where there is a reliance on human
performance to perform, maintain or support Barriers. And they should maintain a focus on
ensuring the features necessary to support those activities from equipment layout and user
interface design to the design of Procedures and decision aids - are well designed and that lack
of consideration of HFE design issues does not increase the likelihood of human error.

ALARP Guide Rev B Issue for useMay 2013

Page 32 of 35

Appendix C Risk Tolerability Criteria

Introduction
Tolerability criteria are often used, in conjunction with ALARP arguments, to specify limits above
which the risk is deemed to be unacceptable. They should not be used as an alternative to
ALARP: risks must be ALARP as well as being lower than the tolerability criteria.
This is illustrated in Figure 1 below, adapted from the UK Health and Safety Executives
guidance on risk-based decision makingRef 7. In essence there is:

An upper bound above which risks are deemed to be unacceptable and, save in
exceptional circumstances, must either be reduced, whatever the cost, or the activity
giving rise to the risk discontinued.
A lower bound below which risks are regarded as being broadly acceptable and
therefore requiring no significant action to effect further reduction.
A range between the upper and lower bounds in which risks are regarded as being
tolerable provided that they have been reduced to levels that are as low as reasonably
practicable.

Tolerability criteria generally represent the boundary between the Unacceptable and the
Tolerable regions.

Unacceptable
Increasing risks

Tolerable

Broadly acceptable
Figure C.1. UK HSE framework for the tolerability of risk.
In general the Company does not prescribe global tolerability criteria and it is not the role of this
Appendix to do so. Some particular criteria have been specified in DEPs and Downstream
Manufacturing Standards and they are referenced but not duplicated here. The choice of
tolerability criteria depends on the particular circumstances of the project or operation and on
the regulatory environment. They will normally be prescribed in a projects Design HSE
Premises or associated Risk Tolerability Criteria document. The process of developing such
premises should include critically reviewing and discussing what has been done in the past for
similar projects: a document such as this cannot provide a comprehensive list of risk measures
and tolerability criteria that would cover any project.
In the discussion below, we focus on tolerability criteria in relation to QRA as applied to the
cumulative risk from all scenarios. Criteria for LOPA are different, and should not be confused
with these, in that they relate to the risk from individual scenarios rather than the cumulative
risk. Downstream Manufacturing has specified LOPA tolerability criteria in DSM-2500003-SP01Ref 9.
ALARP Guide Rev B Issue for useMay 2013

Page 33 of 35

The criteria discussed here relate to safety (i.e. risk to people) and to asset damage. Major
accidents resulting in multiple fatalities or asset damage can have considerable reputational
impact to the Company and so decisions on what is tolerable must be extended beyond purely
local cost benefit considerations.
When considering such absolute criteria (against which QRA results will be judged), the inherent
uncertainties in QRA should always be borne in mind. QRA relies on a number of imprecise
assumptions. For example, the failure frequencies used in QRA (and LOPA) are based on
statistically averaged historical failure data. QRA is actually more powerful and reliable when
used in a relative sense (such as comparing options in an ALARP demonstration) than in an
absolute sense against set criteria. Moving beyond the risk value quantified by QRA typically
requires the application of less quantifiable risk reduction measures.
Individual Risk
Individual risk relates to the annual risk of fatality of a particular individual taking into account
their exposure, throughout their working year, to all company-induced hazards. It is often
referred to as IRPA (individual risk per annum). It can include aspects such as protection and
escape. Where exposure is limited because an individual works for the Company for a short
time, the risk should be prorated for the full years activities. In other words, benefit should not
be taken for the fact that a diving contractor, for example, might only work for the Company for
one month during a year. Conversely, rotating work patterns where the Company does have
control over the workers activity does give the opportunity to ensure that no single individual is
exposed to too high a risk.
The UK HSE, in relation to Figure C.1, describe the boundary between the Tolerable and
Unacceptable regions as being around 10-3/year and the boundary between the Tolerable and
Broadly Acceptable regions as being around 10 -6/year. This is within the framework of a very
robust ALARP culture as the UK has been applying the concept for over sixty years.
For an offshore project, an IRPA tolerability criterion of 10 -3/year could be appropriate, taking
into account both process and other (e.g. helicopter transport) risks. For a typical onshore
project a criterion of 10-4/year for process safety contribution to individual risk is often applied. In
addition, some onshore projects specify 2x10-4/year for total work-related IRPA (i.e. including
both process safety and personal safety) however this is only really appropriate if the nonprocess safety risks can usefully be estimated through QRA. For some onshore projects, such
as upstream projects involving significant sour gas risks (e.g. 5 bar partial pressure of H 2S), a
value of 10-3/year might be more appropriate for all contributions to individual risk.
For specific criteria relating to the process safety risks to onshore building occupants see the
relevant DEPs including DEP 34.17.10.35-Gen. (Siting of Onshore Occupied Portable Buildings)
and DEP 80.00.10.11-Gen. (Layout of Onshore Facilities).
Location Specific Risk
The location specific risk (LSR) refers to the annual risk of fatality to a hypothetical individual at
a location for 24 hours per day, 365 days per year, unprotected and unable to escape. LSR is
usually represented on a map in terms of contours and so is often referred to by the more
generic term risk contours however this is ambiguous as other risk measures can also be
represented as contours. It is also referred to as Location Specific Individual Risk or,
particularly by some regulators, as Individual Risk. The latter is avoided within Shell as it can
lead to confusion (see the previous section on Individual Risk).
LSR is usually used for onshore projects to represent offsite risk and is the cumulative risk from
all potential scenarios that could cause a hypothetical exposed person at the specific location to
ALARP Guide Rev B Issue for useMay 2013

Page 34 of 35

be fatally injured. When considering a brown field modification to an existing site, a QRA is
sometimes done for the new units to calculate risk contours. In such cases however, if the risks
from the existing site are not included, then the estimated risks are only a contribution to the
total LSR.
Countries with a mature approach to land use planning and safety management will often
specify LSR tolerability criteria. Otherwise projects typically define criteria such as the following.
LSR
10-6/year

10-5/year

No residential developments or places of

continuous occupancy, such as hotels or tourist
resorts, should be located where the LSR exceeds
10-6/year.
The LSR should not exceed 10-5/year beyond the
controlled site boundary.

These criteria are consistent with the advice in DEP INFORMATIVE 80.00.10.11-Gen. (Layout
of Onshore Facilities), February 2013. The residential criteria are sometimes refined in order to
differentiate between populations of different vulnerabilities (industrial complexes, schools,
hospitals etc.) but values as low as 10-8/year that have sometimes been used (based on
withdrawn Dutch criteria) are inadvisable. The particular fenceline risk criterion needs to be set
in the context of the industrial or other environment. For example a boundary adjacent to a
populated area, or an area with no planning controls, is different in this respect from a boundary
adjacent to an industrial area subject to planning or emergency response controls or a boundary
with a controlled coastline.
Escalation Risk
Escalation here refers to the impact of an initial event causing subsequent events or limiting the
ability of safety critical equipment to operate. For example part of the basis for the separation
between significant individual assets such as LNG trains is often to limit the risk of an event in
one train causing significant damage in the neighbouring train. This would have both
commercial and reputation impacts. Safety critical equipment that is designed to prevent or
minimise escalation may also require adequate robustness to withstand the impact of credible
major accident hazard scenarios. Both the required robustness and the performance to prevent
escalation should be addressed in the Design Performance Standards for Safety Critical
Equipment.
Projects typically apply a criterion that escalation events should happen with a frequency less
than 10-4/year. This is consistent with, for example, the criterion specified in DEP.34.17.10.30Gen. (Design of Blast Resistant Onshore Buildings, Control Rooms and Field Auxiliary Rooms)
for the design load of critical buildings. Also NORSOK(Ref 10) states that loss of main safety
function for preventing escalation between areas; main load carrying capacity; rooms of
significance to combating accidental events; designated safe areas and escape routes shall
each have a risk tolerability criterion of 10-4/year.

ALARP Guide Rev B Issue for useMay 2013

Page 35 of 35