Professional Documents
Culture Documents
JPTTripod DELTA
JPTTripod DELTA
JPTTripod DELTA
net/publication/243786904
CITATIONS READS
85 8,790
4 authors, including:
SEE PROFILE
All content following this page was uploaded by Patrick Thomas William Hudson on 20 September 2014.
Tripod-DELTA:
A Proactive Approach to Enhanced Safety
P.T.W. Hudson, SPE Leiden U., J.T. Reason, Manchester U., W.A. Wagenaar, Leiden U.,
P.D. Bentley, SPE, M. Primrose &J.P. Visser SPE Shell International Petroleum Mij B.V.
Summary
Introduction
Accidents, Unsafe Acts and Underlying Causes. Accidents have a number of immediate
causes, many of which are of human origin. For an accident actually to take place, human
unsafe acts have to interact with triggering events, such as a breaking cable or a well kick.
When the combination circumvents the available defenses, the result may be an accident
or a near miss. There is, all too often, a focus on the immediate events and human failures
in the investigation of incidents. This concentration upon the direct causes (active
failures) often also applies to the proposals for prevention of future incidents. However,
the events leading to accidents do not arise spontaneously. The shortcomings that can be
identified after an accident are often present long before (latent failures).
Triggering
events Defenses
Figure 1. Tripod basic figure: Accidents are the result of the combination of unsafe acts
and local triggers, arising from specific situations penetrating the available defenses. The
General Failure Types underlie both of these, allowing unsafe acts to take place and
dangerous specific triggers to occur. Accident investigation and analysis can provide
1
SPE 27846
information about the General Failure Types after an accident, hence the line from
Accident to General Failure Types.
The general model, represented by Figure 1, has three basic components of the
accident process:
3. Behind the unsafe acts and conditions lie a history of causes, classified into a
limited set of General Failure Types shown in Table I.
The restricted set of General Failure Types (GFTs) has been identified in field
studies and from analyses of major accidents1,2 and was defined by (1) providing a
general set of terms adequate to describe latent failures and (2) by the distinct ways of
remedying problems once identified. The Communication GFT, for instance, covers both
technical failures (e.g. a poor or non-existent telephone system or difficult radio
communication) and human failures (inability to pass on or to understand messages). The
important factor in a potential accident is that the vital information may not be available to
the proper people at the right time. Similarly, the Hardware GFT refers to the quality and
availability of components, tools and equipment. Problems in any of those may lead to
people creating situations, such as accepting corrosion, installing incorrect material or
using the wrong tools, which can lead to hardware failures later.
The view taken within Tripod is that it is more effective to concentrate upon the
conditions, defined by the GFTs, rather than attempt to stop the unsafe acts as they
occur1,3,4. The GFTs, lying behind the large numbers of unsafe acts and triggering events,
form a natural and more limited set of targets for improvement.
2
SPE 27846
errors within an organization, framed in terms of the GFTs. As Machiavelli 6 pointed out,
in the early stages of a problem diagnosis is difficult, but finding the solution is easy; in
the late stages, however, diagnosis is easy, what is wrong can be immediately seen, but
the solution may no longer even be possible. Tripod-DELTA was intended to aid the
difficult process of early diagnosis so that easy solutions could be identified.
Looking for latent failures is distinct from, but fully complementary with, the
engineering approach of listing everything that can go wrong, examining the
consequences and likelihoods of those failures, and then attempting to stop those most
likely. The detailed approach is one taken by Safety Management Systems, as required
following Lord Cullen's inquiry into the Piper Alpha disaster7. This approach, however, is
limited by the imagination and experience of those assessing and managing risks and their
ability to foresee all problems is naturally restricted. Many of the contributory factors are
caused purely by human intervention or failure, areas that are very much harder to predict,
especially as there is so little in the way of normative data,. Nevertheless, when such
failures do occur, with hindsight we see how obvious and likely the contributory failures
were. Safety Management Systems provide a consistent framework from the top down;
Tripod-DELTA augments detailed advance planning with analyses of what is actually
happening, in contrast to what is expected by a management system.
Safety Health. The understanding of how accidents happen, described by Tripod 1, led to
a specific instrument. It is, in principle, possible to measure a platform, a rig or even
specific services such as transport. Rather than wait for accidents to happen, or even to
see what actual unsafe acts people are performing, it was decided to aim more directly at
underlying causes, operationalised as latent errors.
The approach taken is analogous to a health check for safety. When someone goes
for a check-up they do not expect an examination for a large number of specific diseases;
the doctor checks a limited number of well-chosen vital signs, such as blood pressure,
blood chemistry, weight and life style. While it may not be possible to predict exactly the
illness associated with a poor vital sign profile, a better profile will certainly reduce the
chances of catching many diseases and improve the chances of recovering from illness.
Improving the 'safety health' increases resilience to 'disease'. Tripod-DELTA involves
assessing the state of an activity or operation using the GFTs as the vital signs.
Delta Profile
Concern
Increasing
IG
DE
EC
OR
CO
TR
DF
PR
HK
HW
MM
3
SPE 27846
Tripod-DELTA
The tool for diagnosing the presence of latent errors involves using a checklist
approach followed by a structured diagnosis leading to defined remedial actions. The
checklists are made up of a number of indicator questions, where an indicator is a small
pointer that all is not as good as it could or should be. If you visit a restaurant and you find
that the toilet is dirty, that is probably indicative of the quality of the restaurant as a
whole.
This statistical technique should increase the chances of asking questions sensitive to
the presence of unexpected problems. The essence of the approach is that giving many
'unacceptable' answers to the indicator items for a specific GFT strongly indicates
underlying problems associated with that GFT.
4
SPE 27846
activity (e.g. drilling with a jack-up rig) and for one of the General Failure Types. A large
collection of indicators can be collected to form a database out of which a smaller number
can be selected for use in a specific checklist. Alternative checklists can be constructed in
the same way using other selections of indicator items.
The indicators refer to the limited number of ways (Features) in which a GFT can be
expressed in any given activity. For instance, Hardware problems can be expressed by
poor performance of the hardware, by excessively high repair frequencies or by the
continuing requests for more appropriate hardware and possibly illegal acquisitions of
such hardware outside normal channels. All of these serve as indicators for the fact that
there are hardware problems. These problems may be limited to a single piece of
equipment rather than being more generic, so one does not wish to concentrate upon a
specific indicator item. Nevertheless, finding general evidence among such indicators is
suggestive that hardware failure is a distinct possibility and this, as is known from
studying accidents, may be a necessary cause of an accident. It may not be a direct cause,
which would appear in risk analysis, but rather as a triggering event which can combine
with a totally different problem to generate suddenly crucial unsafe acts.
Indicator items for a GFT are usually generated by a small group of specialists,
called a syndicate. These people are experienced front-line supervisors, operators, etc.
They are led by a trained syndicate leader. For specific GFTs a specialist should be part of
the group (e.g. for Maintenance Management or Training). The manager who will be the
recipient of the profiles should also take part in at least one such group session to ensure
that he understands the background to the questions. The generation technique involves
three stages:
1) Define 'The Perfect World', a set of desirable features, for each GFT.
There are, in a number of cases1, existing databases of indicator items which can
serve either to prime the generation process or as the major source of items. In the future
it is to be expected that such generic databases will be extended and will form an
increasing input to the process of constructing local databases.
1. In the past three months, have you been unable to trace a piece of equipment that is on
the stock list?
Hardware
2. Are procedures written in the first language of the personnel using them?
Procedures
3. Has the maintenance department been consulted in 75% of purchases of new equipment
last year? Maintenance
Management
4.Is there at least 15 minutes available for shift handover? Error Enforcing Conditions
5. Are the production meetings scheduled on a fixed day of the week? Organization
1Databases currently exist for both onshore and offshore drilling, marine operations,
onshore and offshore construction and some aspects of operations.
5
SPE 27846
Environment
- Bureaucracy
- Unavailability, etc.
Information
- Overload, etc.
Equipment
- Quality of communication means, etc.
Time Pressure
- Information loss, etc.
Language Problems
- Intelligibility, etc.
A typical database consists of about 150-200 indicator items per GFT, i.e. about
2000 questions in total. In some GFTs, such as Procedures, Maintenance Management and
Training, there may be great similarities for different activities. In other cases, the items
can be very activity specific, such as Design, Defenses and Housekeeping.
Interpreting Profiles. A profile score can be computed for each individual General
Failure Type by simply adding the number of indicators which were answered in the
'unacceptable' way. The worst score, therefore, would be 20 (bad) while the best would be
0 (good). Indicators are selected to have a straightforward yes/no answer rather than
needing any significant level of interpretation or relative rating.
6
SPE 27846
techniques are intended to bring busy managers down to a level of operational detail at
which it is possible to identify clear courses of action for improvement.
Generating Tasks and Targets. The most important part of the Tripod-DELTA process
is the definition of the remedial actions. Many safety initiatives fail because they never
succeed in turning enthusiastic commitment into actions. Furthermore, these actions are
themselves often not checked and assessed. Tripod-DELTA requires that specific actions,
defined as tasks and targets for the nominated action parties, be entered into an audit trail.
What this means is that there is a certain point of no return. At the same time the
advantages of proactive approaches become clear. It is possible to select actions in terms
of their feasibility and effectiveness - even if the item is only getting an amount in next
year's budget - rather than being driven by the immediate consequences of an accident.
Given this freedom to select, it is incumbent on those selecting actions to carry them out.
Syndicate leaders who are trained are expected to be line personnel. In principle
their task is finished once a database has been assembled, although their expertise may be
made available elsewhere within a company. They can play a role in the improvement
loop by running syndicates to assess and, where necessary, add or delete indicators. One
suggestion that has been made is to structure monthly safety meetings around a specific
GFT which allows an annual quality improvement loop. By taking a month to look at
Communication, followed in the next month by, say, Incompatible Goals, it is possible to
give safety meetings concrete, work-related topics which still have clear safety
consequences.
Implementation Experience
Validation Studies. Field trials of Tripod-DELTA have been carried out in a number of
Shell companies. The first attempts were validated by presenting a number of profiles and
asking managers whether they could assign profiles to platforms or rigs. Such validation
was, at best, informal. More serious validation required tests of test-retest reliability (does
the technique produce the same profiles?) and predictive validity.(was it measuring the
right things?).
TM Windows is a trademark of Microsoft Corp.
7
SPE 27846
One reliability study was done by giving different checklists with different
indicator questions and to different people 8. The study showed that while there were some
variations due to the checklists being completed by people with different roles (e.g.
toolpushers vs. company superintendents), nevertheless the same shapes of profiles were
generated. Later field trials and improvements have helped to reduce the variability found
in this study (see below).
Another study, for predictive validity, showed that the failure profile derived by
analyzing accidents was very similar to that obtained by the checklisting approach9. In
this validation study, a number of accidents were analyzed back to their underlying
causes, represented in terms of the GFTs. With a number of such accidents it is possible to
generate a profile comparable to the Tripod-DELTA profiles. The correlation between the
reactive and the proactive measures was 0.72, which can be interpreted as showing that
the Tripod-DELTA profile gives a good indication of the causes of the next accident.
Improving Indicator Generation. Once the validity had been demonstrated it was
necessary to develop a usable methodology for getting profiles without the necessary
intervention of external researchers. The first checklists had been made by hand using
indicator items laboriously collected in interviews. There were a number of problems with
this approach. One was that the selection of indicators was filtered through a university
researcher, rather than being the direct output of an experienced oilfield professional.
Another problem was in the phrasing of questions and the method of administration. The
quality of the indicator items in the database is crucial for the success of Tripod-DELTA.
What was needed was a methodology which would release the generation of
indicator items to those mostly directly involved, ensuring that the indicator items
generated are comprehensive, unambiguously phrased and accepted by those managers for
whom the profiles are intended. This was tackled by developing a structured training
course so that field personnel could develop their own databases of indicators (the
syndicate approach) together with clear guidelines on the nature and wording of the
indicators.
Training for Implementation. Other companies within the Shell group have also
participated in the field trials. The instrument offered to companies within the Group can
be implemented and run independently. There are two approaches to training. A five day
training course gives departmental Focal Points and syndicate leaders enough background
to run alone. This course teaches the theoretical background and gives considerable
hands-on experience in running syndicates and the software. The preferred training
approach takes only two days, leading directly into working sessions, under guidance,
where complete databases are developed. Courses also teach syndicate leaders how to
phrase items and how to recognise poorly worded questions. Finally interpretation and
diagnosis, and the practical aspects of implementation, are covered in the course.
Conclusion
8
SPE 27846
References
1.The Tripod Manual Vols. I-IV Shell International Petroleum Maatschappij EP 91-2800
/2nd Edition Vols. I-III EP 93-2800
4. Wagenaar, W.A., Hudson P.T.W. & Reason, J.T. "Cognitive Failures and the Causes of
Accidents." Applied Cognitive Psychology , 1990, 4,231-252
7. Cullen, D. Enquiry into the Piper Alpha Disaster. Her Majesty's Stationary Office.
9. Hudson, P.T.W., et al.: "Application of TRIPOD to Measure Latent Errors in North Sea
Gas Platforms: Validity of Failure State Profiles." paper SPE 23293 presented at the 1991
SPE Health, Safety and Environment in Oil & Gas Exploration and Production
Conference, The Hague, Nov. 11-14
10. Hudson, P.T.W., et al.: "Diagnosis and Target Setting in Drilling and Engineering
operations using Tripod-DELTA" paper SPE 27294 to be presented at the 1994 2nd SPE
Health, Safety and Environment in Oil & Gas Exploration and Production Conference,
Jakarta