As low as reasonably practicable (ALARP) and tolerable risk concepts - IEC61511-3

Before diving into the explanation of the ALARP concept from the perspective of functional safety severity, I would like to set out a practical scenario as follows:

Consider a reactor in a chemical/petrochemical unit with the following event description and consequence, initiating cause, likelihood, IPLs and safeguards:

  1. Initiating Cause: Failure of leading to "no flow"

  2. Consequence: No/less feed flow leading to loss of fluidization within the reactor, with an increase in reactor temperature and subsequent agglomerate formation. No significant safety issues; however, significant maintenance would be required to restore reactor condition. Shutdown is required for potentially two weeks (commercially 10 to 50 Million in losses, subject to the severity of polymerized chunks).

  3. Likelihood: Assumed to be "once in 4 years" as per operator experience

  4. Severity Classification (SIL/CIL rating): SIL2 (in terms of safety) and CIL3 (from an economic point of view)

Considering the above scenario on the scales of safety, environment and asset/financial impact, the highest severity is of course CIL3 (equivalent to SIL3); the core concern, however, is losses (production, resources and effort).

Exactly this kind of scenario emphasizes the significance of the ALARP concept for the decision-making process.

What is the ALARP Concept? (as per IEC61511-3, Annex K)

This concept outlines the main criteria that are applied in regulating industrial risks and indicates that the activities involve determining whether:

a) The risk is so great that it is refused altogether; or

b) The risk is, or has been made, so small as to be insignificant; or

c) The risk falls between the two states specified in items a) and b) above and has been reduced to the lowest practicable level, bearing in mind the benefits resulting from its acceptance and taking into account the costs of any further reduction.

With respect to item c), the ALARP principle recommends that risks be reduced “so far as is reasonably practicable,” or to a level which is “As Low As Reasonably Practicable” (ALARP).

If a risk falls between the two extremes (that is, the unacceptable region and the broadly acceptable region) and the ALARP principle has been applied, then the resulting risk is the tolerable risk for that specific application. According to this approach, a risk is considered to fall into one of 3 regions, classified as “unacceptable”, “tolerable” or “broadly acceptable”.

From the above concept, defined under the umbrella of functional safety, it is evident that if a risk lies in the unacceptable or the broadly acceptable region, ALARP is ruled out; the real work starts when the identified risk falls between the two states specified in items a) and b).

For the practical example above, the decision is about asset availability and production losses versus redesigning the complete engineered system so that the existing "Safety Instrumented Function" becomes fully redundant, not only from the instrumentation aspect but also from the complete process system/sub-system perspective. The likelihood across industrial sectors must also be considered: such an event is certainly not impossible, but its likelihood timeline is significantly longer given the stated conditions and the independent protection layers in place. Against this stands the cost of redesigning the complete reaction section, including a customized reactor with redundant nozzles for each critical sensing part, associated piping and other accessories, plus of course redundant sensors and final elements for such a complex safety interlock. That is not only costly from a design perspective but also adds considerable complexity to lifecycle maintainability for such an explicitly customized, very special design (with financial losses higher than those stated, i.e. 10 Million+, if such an incident scenario is realized), which is not really feasible from certain aspects as well.

Hence, in order to apply the ALARP principle, it is necessary to define the 3 regions in terms of the probability and consequence of an incident. This definition takes place by discussion and agreement between the interested parties (for example safety regulatory authorities, those producing the risks and those exposed to the risks).

To take into account ALARP concepts, the matching of a consequence with a tolerable frequency can be done through risk classes. IEC61511-3, Table K.1 is an example showing three risk classes (I, II, III) for a number of consequences and frequencies.

IEC61511-3, Table K.2 interprets each of the risk classes using the concept of ALARP; that is, the descriptions for each of the four risk classes are based on Figure K.1. The risks within these risk class definitions are the risks that remain once risk reduction measures have been put in place.

With respect to Figure K.1 (refer below) the risk classes are as follows:

– risk class I is in the unacceptable region;

– risk class II is in the ALARP region;

– risk class III is in the broadly acceptable region.
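The following worked example is added here to show how the matching of consequence and frequency to a risk class, and the ALARP decision for the middle region, can be made mechanical. It is not code from the article or from IEC 61511-3: the frequency bands, consequence categories, class matrix, IPL PFD values, loss per event, annualized measure cost and disproportion factor are all constructed assumptions for illustration, and the only figure taken from the article is the "once in 4 years" likelihood of the reactor scenario.

```python
"""ALARP risk-class classifier (added illustration; all tables are constructed,
not the values of IEC 61511-3 Table K.1 or K.2)."""
import math
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Region(Enum):
    UNACCEPTABLE = "unacceptable"
    ALARP = "ALARP"
    BROADLY_ACCEPTABLE = "broadly acceptable"


# Constructed consequence categories, least to most severe (assumption).
CONSEQUENCES = ["minor", "marginal", "critical", "catastrophic"]

# Constructed frequency bands as (name, exclusive upper bound in events/year).
FREQ_BANDS = [
    ("improbable", 1e-5),
    ("remote", 1e-4),
    ("occasional", 1e-3),
    ("probable", 1e-2),
    ("frequent", math.inf),
]

# Constructed risk-class matrix: rows follow FREQ_BANDS, columns CONSEQUENCES.
CLASS_MATRIX = [
    ["III", "III", "III", "II"],   # improbable
    ["III", "III", "II",  "II"],   # remote
    ["III", "II",  "II",  "I"],    # occasional
    ["II",  "II",  "I",   "I"],    # probable
    ["II",  "I",   "I",   "I"],    # frequent
]

# The article's mapping of risk classes onto the Figure K.1 regions.
CLASS_TO_REGION = {
    "I": Region.UNACCEPTABLE,
    "II": Region.ALARP,
    "III": Region.BROADLY_ACCEPTABLE,
}


def frequency_band(freq_per_year: float) -> int:
    """Index of the band whose exclusive upper bound first exceeds the frequency."""
    if freq_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for i, (_, upper) in enumerate(FREQ_BANDS):
        if freq_per_year < upper:
            return i
    return len(FREQ_BANDS) - 1  # not reached: the last bound is infinity


def mitigated_frequency(initiating_freq: float, ipl_pfds: Iterable[float]) -> float:
    """LOPA-style credit: each independent protection layer multiplies the
    initiating-event frequency by its probability of failure on demand."""
    freq = initiating_freq
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD out of range: {pfd}")
        freq *= pfd
    return freq


def risk_class(freq_per_year: float, consequence: str) -> str:
    return CLASS_MATRIX[frequency_band(freq_per_year)][CONSEQUENCES.index(consequence)]


def region(freq_per_year: float, consequence: str) -> Region:
    return CLASS_TO_REGION[risk_class(freq_per_year, consequence)]


@dataclass
class AlarpDecision:
    risk_class: str
    region: Region
    verdict: str
    expected_annual_loss: Optional[float] = None


def alarp_decision(freq_per_year: float, consequence: str,
                   loss_per_event: Optional[float] = None,
                   measure_annual_cost: Optional[float] = None,
                   disproportion_factor: float = 3.0) -> AlarpDecision:
    """Items a) and b) are decided by the region alone; item c) (the ALARP region)
    weighs the annualized cost of a further measure against the expected annual
    loss it would remove.  Simplification (assumption): the measure is treated
    as removing the whole risk, and a cost above `disproportion_factor` times the
    expected loss counts as grossly disproportionate."""
    cls = risk_class(freq_per_year, consequence)
    reg = CLASS_TO_REGION[cls]
    if reg is Region.UNACCEPTABLE:
        return AlarpDecision(cls, reg, "refuse: risk reduction is mandatory")
    if reg is Region.BROADLY_ACCEPTABLE:
        return AlarpDecision(cls, reg, "accept: no further reduction required")
    if loss_per_event is None or measure_annual_cost is None:
        return AlarpDecision(cls, reg, "ALARP: cost-benefit data required")
    eal = freq_per_year * loss_per_event
    if measure_annual_cost > disproportion_factor * eal:
        verdict = "tolerable: further reduction is grossly disproportionate"
    else:
        verdict = "reduce: the measure is reasonably practicable"
    return AlarpDecision(cls, reg, verdict, eal)


if __name__ == "__main__":
    INIT_FREQ = 1 / 4  # "once in 4 years", from the article's scenario
    # Constructed: loss per event 30 Million, annualized redesign cost 100,000
    for pfds in ([], [1e-2], [1e-3]):
        f = mitigated_frequency(INIT_FREQ, pfds)
        d = alarp_decision(f, "critical", loss_per_event=30e6, measure_annual_cost=100_000)
        print(f"IPL PFDs={pfds}: f={f:.2e}/yr, class {d.risk_class} -> {d.verdict}")
```

Run as a script, the three passes show the same event walked down the matrix: with no IPL credit the unmitigated frequency of 0.25/yr lands in class I, a single constructed PFD of 1e-2 is still class I, and a PFD of 1e-3 moves it into class II, where the cost-benefit test rather than the matrix decides.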

Daniel Miller

Instrumentation GES for Both Kangra and Zululand anthracite Coal

2mo

Thanks for sharing
