ALARP: A Lazy And Risky Policy?

You are at an airport waiting with your family for a plane to take you away on holiday.

On the wall is a poster that says that the airline aims to make the risks of travelling with it “as low as reasonably practicable”.

Your flight leaves in fifteen minutes. How do you feel?

What does ALARP mean?

You may never have encountered ALARP (“As Low As Reasonably Practicable”) if you work outside the United Kingdom; if you have any responsibility for risk within the UK, then you probably know that it is one of the legal principles that define the risk management framework.

Every organisation that has responsibility for significant hazards needs to justify its risk management processes: its design elements, maintenance procedures, training and other measures. Safety authorities around the world commonly apply two principles: absolute risk, a requirement to reduce the risk to a specified, tolerable level, and “good engineering practice” where management processes are compared with similar operations in the same jurisdiction.

UK safety law incorporates another principle which is based on this question: if the cost of reducing risk is immense—perhaps enough to make the business uneconomic—does the organisation still have a responsibility to spend that money, even if the benefits may be tiny?

It would be unfair to criticise the UK Health and Safety Executive for its presentation of ALARP. The HSE’s view of the place of ALARP is clear and logical. I am not here to criticise the principle of ALARP. But I definitely do want to question the practical application of ALARP in many branches of our industry.

Where did ALARP come from?

The question of risk reduction costs was raised in 1949 by a case in the English courts. A coal mine employee had been killed by a rock fall that might have been prevented if the tunnel roof had been shored up. Given that the operator, the UK National Coal Board (NCB), could have shored up all the roadways in the mine, and that doing so would reduce risks to its employees, did it have an obligation to do so? If it was physically possible to prevent most rock falls, did the business have to install supports everywhere, whatever the cost? If it did, the NCB could be held liable for the employee’s death.

The appeal court’s decision was that the NCB did not have to take every possible physical measure to eliminate risk; it only had to provide protection where it was required. The phrase used in the judgement was “reasonably practicable”, and that phrase still has an important role in UK risk management today:

“’Reasonably practicable’ is a narrower term than ‘physically possible’ and seems to me to imply that a computation must be made by the owner in which the quantum of risk is placed on one scale and the sacrifice involved in the measures necessary for averting the risk (whether in money, time or trouble) is placed on the other, and that if it be shown that there is a gross disproportion between them – the risk being insignificant in relation to the sacrifice – the defendants discharge the onus on them.”

This judgement enabled business owners to defend themselves from successful legal action by showing that they had taken all “reasonably practicable” measures to ensure safe operation, and that therefore risks were “As Low As Reasonably Practicable” or ALARP.  

How should ALARP work?

UK law identifies a “duty holder” who has an obligation to ensure the safety of staff, visitors and the general public. This may simply be the employer, although some hazards must be managed by identified individuals, who may be held individually responsible for any problems.

The UK HSE looks at a number of factors when deciding whether the duty holder’s risk management is adequate.

One factor is common practice: how do other organisations manage this type of hazard? This is easy to do for common hazards such as pressure vessels and lifting equipment. Obviously more discretion is needed if the organisation uses unusual materials or methods. Assuming that good practice can be established, the question becomes one of ensuring that the right management processes are implemented, carried out and monitored. If the duty holder wants to manage the risk differently, an argument must be provided showing that the new management procedure is at least as effective as common practice.

Sometimes the hazard is unusual or the overall situation is complex and a first principles assessment has to be carried out. Assuming that the overall risk is considered significant, all mitigation measures are considered, assigning a risk reduction and cost to each of them. The analysis may be informal—for example, there may be no viable risk reduction strategy at all—or it may be formal, backed up by a written cost benefit analysis.

In a world without ALARP, hazards fall into one of two areas: tolerable and intolerable. Every intolerable hazard has to be eliminated, whatever the cost. If a hazard in the intolerable zone occurs and hurts someone, I have no defence at all.

This is where the ALARP principle is important. A first-principles assessment can identify a wide range of hazards and management methods. The risks identified may range from trivial to catastrophic, and the cost of risk reduction from negligible to totally unacceptable. If the costs of risk reduction are high and the benefit is small (“grossly disproportionate”), then the existing measures may already satisfy the ALARP principle. Otherwise, any identified measures should be implemented to achieve ALARP status.

The impact of the ALARP principle is usually illustrated by drawing a third zone between “intolerable” and “tolerable” risks. 

Here is ALARP in one sentence.

The risk associated with one or more hazards is not acceptable, but it is either impossible or hugely expensive to reduce the risk; so we choose to do what is “reasonably practicable” to manage it and label the process “ALARP”. The alternative is that the process would have to shut down.

ALARP in practice

So far the presentation of ALARP sounds like good practice and common sense. Perhaps it seems less reasonable when it is examined from a slightly different viewpoint.

First let us be absolutely clear about what the ALARP region means. It does not mean that the failure is tolerable; if it were, it would be in the green zone. Without the orange ALARP band, the risk would be somewhere in the red, intolerable zone and something would have to be done to manage the risk.

The reasoning behind the ALARP zone is something like this.

  • “Even with the best management we can afford, the risk of this failure is intolerable by absolute standards.
  • Doing any better is impossible or far too expensive. If we can’t live with the risk, we will have to shut down this process.
  • So we will do as well as we can and call the risk ‘as low as reasonably practicable.’”

If that seems like a way of avoiding the issue, you’re probably right. ALARP says that if our organisation applied its own strict criteria consistently, this failure would have to be managed better, whatever the cost, or the process would be shut down. Perhaps a less cynical interpretation is this: managing this hazard is so expensive (per life saved) that the money would be better spent on managing other hazards where the impact of increased expenditure will be greater.

We have to accept that absolute standards cannot be applied everywhere. We make the same compromises as a society, where a fisherman at sea is over ten times more likely to be killed than a construction worker, and a construction worker in turn is five times more likely to die than a shop assistant. Cooks and laundry staff on an oil platform are safer than drill workers. We don’t know how—or can’t afford—to make fishing as safe as construction, or a building site as safe as a retail store, but we don’t want to stop fishing or building. Where it is applied consistently and with thought, ALARP draws our attention to failures and hazards that genuinely cannot be managed successfully. We become aware of rare exceptions where a compromise has had to be made, and those hazards can be reviewed as new techniques and technologies become available, moving them from ALARP to the tolerable zone.

But that isn’t how ALARP is usually applied.

In the real world, ALARP is often shorthand for “We haven’t been able to quantify this hazard, and in any case we think that the current process and management policy are good enough.”

The three-zone diagram above, showing risks as green, orange and red, is similar to that seen in most textbooks and papers on ALARP principles. The risk regions are “tolerable” (green), “intolerable” (red), and “ALARP” (orange). The idea seems to be that some hazards are just above the green limit, so it doesn’t stretch our tolerance too far if we allow ALARP failures in that region. At this point consider carefully what we have done. The organisation spent time and effort defining a hard limit for tolerable risk. Then some hazards were found that were difficult to manage but just above the limit. The boundary of tolerable risk says that they have to be managed, but because they are in the ALARP region, they are acceptable. After all, the orange zone isn’t red, and it looks comfortably close to tolerability. Surely we haven’t compromised our principles too much by including them.

It is unusual for hazard documentation to say explicitly that ALARP failures must lie just outside the tolerable region, but it is obviously an implication of the three-zone diagram. It may be uncomfortable to accept hazards that lie just above the boundary, but it is understandable if the cost of managing them would be excessive. If that were the worst aspect of ALARP, perhaps there would not be too much to worry about.

In practice “ALARP” hazards are all over the red zone. Their common factor is that it would be difficult or impossible to reduce the risk. To make this more specific, suppose that the major hazards of a system have been analysed and identified, making the assumption that no failure management is currently in place.

The risks in the green zone are already tolerable and no further management is needed. For the red risks we need to identify ways to reduce the severity or frequency of the hazard.

Redesign: The asset is changed in some way to reduce the risk. Examples include adding guards, alarms and trip systems.

Maintenance: Equipment is replaced, overhauled, inspected or tested to prevent failure and to ensure that protective systems are operational.

Change Operating Procedures: Operating procedures are changed to reduce risk, and personnel are trained to apply operating procedures safely.

These hazard management measures move some of the failures from the red to the green zone. 

What happens to the remaining intolerable failures?

If the intolerable risk frontier is absolute, then there is no choice: either a management policy must be found for each of them, whatever the cost, or the process must be shut down.

Real-world ALARP tends not to involve a comfortable and subtle extension of the tolerable region. With the alternative of massive expenditure, complete redesign or shutting down the process, it is tempting to classify the remaining hazards as ALARP. There is no intention to revisit them or to reconsider the decision. Some hazards may be well away from the tolerable zone but there is no feasible action that will prevent them.

Now suppose that we want to review the organisation’s risk management. Where should we look first? The ALARP hazards, of course: they are an obvious review target because the first priority should be to try to remove them from ALARP and manage them fully. Although they may have been considered ALARP when they were first analysed, new design, maintenance and operations technologies may now enable us to reduce risks. So one absolute requirement where the ALARP principle is used is to document the ALARP hazards and to institute a formal review process.

ALARP as a fallback

The positive aspect of ALARP is that it identifies a group of hazards that are inadequately managed (as measured by the organisation’s risk limits) but where dispensation has been given to continue operation. A thorough ALARP framework, as outlined by the UK Health and Safety Executive, should encourage rigorous analysis of high-risk failures and provide a target list of hazards for review.

The negative aspects of ALARP are all too apparent when the resources allocated to risk analysis are restricted, time is short and staff are inexperienced.

  1. Above all else, the risks associated with a process are not brought down to what would otherwise be a minimum tolerable level
  2. When a hazard has been classified as “ALARP”, any further discussion of risk reduction is irrelevant. It is tempting to use ALARP as a catchall for hazards that are difficult to manage
  3. ALARP can be used to rubber-stamp current design and maintenance decisions without serious consideration of other possibilities
  4. Alternative management policies, including new maintenance and production technologies, are not fully considered
  5. Equipment that does not meet newer, more rigorous safety standards may remain in service when full consideration should be given to its replacement

Failure Management Options

One reason that so many hazards fall into the ALARP category is that review staff are not experienced in modern failure management and maintenance technologies. The old-fashioned view of risk is that equipment failure just happens: there is little that can be done to influence risk except basic time-based maintenance. This view was challenged by the civil aviation industry with the development of Reliability-centred Maintenance (RCM) in the 1970s.

The view today is that there are many alternatives available to manage equipment failure. In the first instance, RCM can be used to identify a maintenance policy that will reduce the risk of each failure to a tolerable level, considering all the available technologies that could be used to prevent or predict failure. RCM recognises that it is not the failure itself that generates risk, but the effects of failure. So if maintenance by itself cannot reduce risk, or if maintenance is impractical or too expensive, then the technique can point to areas where the consequences of the failure can be changed, perhaps by adding protective systems or minor design changes.

Summary: how should ALARP be managed?

1. Manage every hazard that you can

Consider every possible alternative before opting for ALARP. That includes maintenance options, design changes, new protective systems, or perhaps changing the way in which assets are operated. Don’t treat ALARP as a rubber stamp for existing operating procedures and maintenance policies.

Consider both aspects of risk: the size of consequences and the hazard frequency. Each of these can be managed in different ways.

Reduce the frequency       

Consider all possible maintenance interventions that would prevent the failure or reduce its frequency. These include condition monitoring, scheduled overhaul and discard, and failure-finding.

If maintenance cannot prevent or predict the failure, consider physical and operational changes that could make the system more reliable.

Change how the failure matters

Think about adding protective devices that can prevent equipment failure from leading to a major hazard, or which can detect problems before they become serious (for example, detection of small leaks before they become dangerous).

Where the equipment itself cannot be made completely safe, consider measures such as relocating operators or providing secondary containment.

Ensure that all possible risk reduction measures have been considered and costed.

2. Is continued operation acceptable?

If maintenance, operational and design changes are impractical, consider the risks carefully.

Is the risk on the border of the tolerable risk limit, or is it significantly above it?

Do all those involved think that the risk is acceptable, including those who are potential victims and those who could be held legally responsible? Has the opinion of the relevant statutory body been sought?

3. Justify the decision

If the situation is considered to be ALARP after examining all possible alternatives, write up a full justification. Remember that this isn’t a comfortable decision to make, so don’t lock the documentation away: ensure that everyone who has a stake in the decision knows the details, particularly those exposed to the risk and everyone who could be held responsible.

4. Keep a record

Keep a live record of all ALARP hazards. Schedule a review date when the decision will be revisited and possibly reconsidered.

5. Review

Review the register regularly in the light of new operating practices and new maintenance, production and design technologies.

Terms of use and Copyright

Neither the author nor the publisher accepts any responsibility for the application of the information and techniques presented in this document, nor for any errors or omissions. The reader should satisfy himself or herself of the correctness and applicability of the techniques described in this document, and bears full responsibility for the consequences of any application.

Copyright © 2016 numeratis.com.

Licensed for personal use only under a Creative Commons Attribution-Noncommercial-No Derivatives 3.0 Unported Licence. You may use this work for non-commercial purposes only. You may copy and distribute this work in its entirety provided that it is attributed to the author in the same way as in the original document and includes the original Terms of Use and Copyright statements. You may not create derivative works based on this work. You may not copy or use the images within this work except when copying or distributing the entire work.

Alan Sawyers

Pursuing Functional Safety, RAM opportunity

7 years ago

In the real world, ALARP is often shorthand for “We haven’t been able to quantify this hazard”, very true. The term ALARP can be banded around without understanding or qualifying it. This is a good education.

Francois Velge

Pinssar Managing Director | Founder of a DPM monitoring solution because building a better world starts with healthier workplaces.

7 years ago

Great review and should be read and understood by managers responsible to make sure that everybody goes home safe and well

David Watson

ex-RN, Chartered Electrical Engineer, ex-FIET

7 years ago

Crystal Clear Mark
