Satisficing ALARP


A short and pragmatic guide on how to demonstrate what is practical and reasonable in complying with the ALARP safety goal

The principle of As Low As Reasonably Practical (ALARP) is enshrined in the Health and Safety legislation of many western countries. It embodies a hybrid rights and utility (cost/benefit) decision strategy used to determine when to stop reducing the risk associated with the use of a system. (1),(2)

To quote the UK Defence safety standard DEF-STAN 00-56, ALARP is achieved when:

… it has been demonstrated that the cost of any further risk reduction, where the cost includes the loss of system capability as well as financial or other resource costs, is grossly disproportionate to the benefit obtained from that risk reduction. (DEF-STAN 00-56 Issue 3)

Unfortunately the terms reasonable and practical are unbounded qualifiers of the requirement: what is deemed to be either reasonable or practical is inherently subjective and open to interpretation. This of course is not a good thing when it comes to writing a specification or forming a contract, so from this perspective, while ALARP may be a laudable societal goal, it is not a good commercial requirement. Further, what do you do in practical terms when a naive customer requires you to ‘demonstrate’ the achievement of ALARP for all risks, no matter how many of them there are or how well they are understood?


So if you’re presented with ALARP as a contract technical requirement, how do you work with it?

OH&S organisations (such as the UK HSE) all provide reams of guidance on the theory of ALARP. However, in my experience most of this material is impractical at the working level, where we may be dealing with a significant number of medium consequence risks and cost/benefit analysts are few and far between (3). ALARP also does not fit well within engineering domains where safety is defined in terms of compliance with a specific design code, for example pressure vessel design. In such a context, what does ALARP really mean? (4)

What we need is a practical set of derived design criteria which, if we comply with them, will be deemed to satisfice (5) the ALARP safety goal. To that end, here are some criteria that I’ve developed over a number of projects to form an ALARP satisficing strategy. To satisfice the ALARP goal, all that is required is that at least one of the following criteria is met:

  1. full compliance with existing statutory requirements,
  2. full compliance with an industry design standard or best practice,
  3. at least 2 specific hazard controls of diverse nature have been implemented & verified,
  4. further risk reduction would require use of non-state-of-the-art technologies, or
  5. further risk reduction would require major constraints upon operational use such that the system mission or customer business case cannot be achieved.

Of course you should socialise these criteria with your customer and other stakeholders before you commence work, but short of a full-blown cost-benefit study the above do provide a defensible position on ALARP.


1. ALARP as a principle can be traced to the English common law tort of negligence, and to the element of that tort that requires the plaintiff to prove that it was both reasonable and practical for the defendant to take action. The ALARP principle as originally defined by the UK HSE was intended to be applied in the context of a ‘tolerable risk’ region, defining that region as indicating ‘a willingness to live with a risk so as to secure certain benefits’. Risk tolerance is distinguished from risk acceptance in that risks in the tolerable region must be justified on the basis of the benefits accrued against the cost of further reduction, with the ALARP principle providing the decision analysis framework that allows one to make such judgements with confidence.

2. Note that there is a significant (if subtle) difference between the English common law assessment of risk as tolerable if no further reasonable opportunities exist, and the Napoleonic Code approach in which a legally defined quantitative decision rule defines the acceptability of risk. For example, in the Netherlands the maximum individual risk in any new potentially hazardous situation is 10^-6/yr, or 10^-5/yr for existing installations, while in the UK a region of risk ‘tolerability’ is defined as lying between 10^-6/year and 10^-4/year.

3. Due to its historical development, the ALARP principle was initially intended to address the risk posed by a few well understood catastrophic severity events. Because of this high-consequence but low-in-number context, quantitative or qualitative cost/benefit analyses were normally carried out as part of the approval regime to justify achieving the goal of ALARP (see, for example, the UK Canvey Island safety studies).

4. It is arguable that the ALARP principle is inappropriate for engineering domains where either safety is dominated by an ensemble of medium and low severity events, so that carrying out multiple cost vs benefit analyses is simply not achievable in either cost or time, or safety is achieved through the application of highly prescriptive design standards.

5. Satisficing is a decision strategy that attempts to deliver adequate rather than optimal decision outcomes. However, a satisficing strategy may often be near optimal if the costs of the decision-making process itself, such as the cost of obtaining complete information for cost-benefit analyses, are considered. In the case of assessing an ensemble of risks in the tolerable region, a satisficing strategy of applying standard risk reduction design criteria will incur significantly lower decision costs than the conduct of a formal cost-benefit analysis for each risk.