See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/243786904

Tripod Delta: Proactive Approach to Enhanced Safety

Article in Journal of Petroleum Technology · January 1994

DOI: 10.2118/27846-PA

CITATIONS READS

85 8,790

4 authors, including:

Patrick Thomas William Hudson

Leiden University
127 PUBLICATIONS 3,522 CITATIONS

SEE PROFILE

All content following this page was uploaded by Patrick Thomas William Hudson on 20 September 2014.

The user has requested enhancement of the downloaded file.

 SPE 27846

Tripod-DELTA:
A Proactive Approach to Enhanced Safety
P.T.W. Hudson, SPE Leiden U., J.T. Reason, Manchester U., W.A. Wagenaar, Leiden U.,
P.D. Bentley, SPE, M. Primrose &J.P. Visser SPE Shell International Petroleum Mij B.V.

Summary

Tripod-DELTA is a checklist-based approach to carrying out safety 'health checks'.

This paper describes the theoretical background, based upon a model for understanding
the role of human error in accidents. The methodology for constructing databases from
which to make checklists and the use of the system to generate remedial safety plans are
described. Finally the implementation is discussed and the status reviewed.

Introduction

Tripod1 is an approach to safety developed by the Universities of Leiden and

Manchester in close co-operation with Shell's Exploration and Production function.
Tripod aims at attacking underlying safety problems with special reference to the problem
of human error, seen as failures at both the individual and the organizational levels. A
central concept within Tripod is that of the latent failure, the potential cause of future
accidents. Tripod-DELTA is a diagnostic tool developed to help identify such underlying
problems before those latent failures generate active failures (the immediate causes of
accidents). This paper describes the background to Tripod-DELTA, how it operates and
the current status of the system.

Accidents, Unsafe Acts and Underlying Causes. Accidents have a number of immediate
causes, many of which are of human origin. For an accident actually to take place, human
unsafe acts have to interact with triggering events, such as a breaking cable or a well kick.
When the combination circumvents the available defenses, the result may be an accident
or a near miss. There is, all too often, a focus on the immediate events and human failures
in the investigation of incidents. This concentration upon the direct causes (active
failures) often also applies to the proposals for prevention of future incidents. However,
the events leading to accidents do not arise spontaneously. The shortcomings that can be
identified after an accident are often present long before (latent failures).

General Failure Types

Triggering

Unsafe acts Accident

events Defenses

Figure 1. Tripod basic figure: Accidents are the result of the combination of unsafe acts
and local triggers, arising from specific situations penetrating the available defenses. The
General Failure Types underlie both of these, allowing unsafe acts to take place and
dangerous specific triggers to occur. Accident investigation and analysis can provide

1
 SPE 27846

information about the General Failure Types after an accident, hence the line from
Accident to General Failure Types.

The general model, represented by Figure 1, has three basic components of the
accident process:

1. Accidents happen when defenses are breached;

2. The unfortunate sequence of events involves the combination of one or more

unsafe acts in the context of specific triggering conditions (which may themselves be
technical or human in origin);

3. Behind the unsafe acts and conditions lie a history of causes, classified into a
limited set of General Failure Types shown in Table I.

•Hardware (HW) • Design (DE)

• Maintenance Management (MM) • Procedures (PR)
• Error Enforcing Conditions (EC) • Housekeeping (HK)
• Incompatible Goals (IG) • Organization (OR)
• Communication (CO) • Training (TR)
• Defenses (DF)

Table I The General Failure Types and their standard abbreviations.

The restricted set of General Failure Types (GFTs) has been identified in field
studies and from analyses of major accidents1,2 and was defined by (1) providing a
general set of terms adequate to describe latent failures and (2) by the distinct ways of
remedying problems once identified. The Communication GFT, for instance, covers both
technical failures (e.g. a poor or non-existent telephone system or difficult radio
communication) and human failures (inability to pass on or to understand messages). The
important factor in a potential accident is that the vital information may not be available to
the proper people at the right time. Similarly, the Hardware GFT refers to the quality and
availability of components, tools and equipment. Problems in any of those may lead to
people creating situations, such as accepting corrosion, installing incorrect material or
using the wrong tools, which can lead to hardware failures later.

The view taken within Tripod is that it is more effective to concentrate upon the
conditions, defined by the GFTs, rather than attempt to stop the unsafe acts as they
occur1,3,4. The GFTs, lying behind the large numbers of unsafe acts and triggering events,
form a natural and more limited set of targets for improvement.

Safety Management and Proactive Approaches. An important starting point in safety

management involves the identification of the necessary components of good
management practice. Shell's Enhanced Safety Management principles 5 embody such an
approach, stressing factors such as the necessity for firm commitment to safety, line
responsibility for safety and regular audits. Once management systems meet such
principles, in general, it becomes necessary to determine where attention must be directed.
The daily practice of safety management involves discovering existing specific safety
problems and remedying them. If this can be done before things actually go wrong, so
much the better. This proactive approach, preventing problems before they arise, contrasts
with the reactive approach, waiting until an accident or incident has taken place

Identification of problems is a normal step in the accident investigation process.

Finding causes before accidents, however, is considerably more difficult. Tripod-DELTA,
the Diagnostic Evaluation Tool for Accident Prevention, provides indications of latent

2
 SPE 27846

errors within an organization, framed in terms of the GFTs. As Machiavelli 6 pointed out,
in the early stages of a problem diagnosis is difficult, but finding the solution is easy; in
the late stages, however, diagnosis is easy, what is wrong can be immediately seen, but
the solution may no longer even be possible. Tripod-DELTA was intended to aid the
difficult process of early diagnosis so that easy solutions could be identified.

Looking for latent failures is distinct from, but fully complementary with, the
engineering approach of listing everything that can go wrong, examining the
consequences and likelihoods of those failures, and then attempting to stop those most
likely. The detailed approach is one taken by Safety Management Systems, as required
following Lord Cullen's inquiry into the Piper Alpha disaster7. This approach, however, is
limited by the imagination and experience of those assessing and managing risks and their
ability to foresee all problems is naturally restricted. Many of the contributory factors are
caused purely by human intervention or failure, areas that are very much harder to predict,
especially as there is so little in the way of normative data,. Nevertheless, when such
failures do occur, with hindsight we see how obvious and likely the contributory failures
were. Safety Management Systems provide a consistent framework from the top down;
Tripod-DELTA augments detailed advance planning with analyses of what is actually
happening, in contrast to what is expected by a management system.

Safety Health. The understanding of how accidents happen, described by Tripod 1, led to
a specific instrument. It is, in principle, possible to measure a platform, a rig or even
specific services such as transport. Rather than wait for accidents to happen, or even to
see what actual unsafe acts people are performing, it was decided to aim more directly at
underlying causes, operationalised as latent errors.

The approach taken is analogous to a health check for safety. When someone goes
for a check-up they do not expect an examination for a large number of specific diseases;
the doctor checks a limited number of well-chosen vital signs, such as blood pressure,
blood chemistry, weight and life style. While it may not be possible to predict exactly the
illness associated with a poor vital sign profile, a better profile will certainly reduce the
chances of catching many diseases and improve the chances of recovering from illness.
Improving the 'safety health' increases resilience to 'disease'. Tripod-DELTA involves
assessing the state of an activity or operation using the GFTs as the vital signs.

Delta Profile
Concern
Increasing

IG
DE

EC

OR

CO

TR

DF
PR

HK
HW

MM

General Failure Types

Figure 2. A fictitious Tripod-DELTA Failure State Profile of an operational unit. The

height of a bar represents the extent that latent failures may be present for each of the
GFTs.

3
 SPE 27846

Tripod-DELTA is intended to provide information about where problems may be

found and their relative importance, framed in terms of the different GFTs. This
information can be presented as a Failure State Profile (Figure 2). Acting upon such
information a manager can prioritize remedial actions. Furthermore, by acting proactively,
before there is the kind of pressure for action that an accident creates, it is possible to
select plans of action best suited to the prevailing constraints on time, money and
personnel. Early experience with Tripod-DELTA profiling showed that there may be
cases where throwing money at a problem, once identified, is the best solution. In many
cases, however, the solutions have been easy, straightforward and cheap!

Tripod-DELTA

The tool for diagnosing the presence of latent errors involves using a checklist
approach followed by a structured diagnosis leading to defined remedial actions. The
checklists are made up of a number of indicator questions, where an indicator is a small
pointer that all is not as good as it could or should be. If you visit a restaurant and you find
that the toilet is dirty, that is probably indicative of the quality of the restaurant as a
whole.

An indicator is not necessarily an item for improvement. It is an indication that

something is not functioning properly. Indicators should be sufficiently trivial as to be
below the threshold for taking immediate action. In terms of the safety health concept,
indicators may be small life-style indicators, such as smoking which suggest a potential
for future problems. Because Tripod-DELTA is aimed at unknown latent errors, the
approach is not to have a set list of questions, but to draw a number, for each GFT, from a
larger collection in a database.

This statistical technique should increase the chances of asking questions sensitive to
the presence of unexpected problems. The essence of the approach is that giving many
'unacceptable' answers to the indicator items for a specific GFT strongly indicates
underlying problems associated with that GFT.

The following sections describe how a database of indicators is generated, the

process of generating and filling in checklists, the diagnosis process and what is done with
the remedial actions generated. Table II gives an overview of the different components of
the Tripod-DELTA methodology and assigns approximate frequencies where appropriate.

Tripod-DELTA Process Methodology

DELTA Task Frequency

1. Generation of a Database of GFT Indicators Infrequent

2. Checklist Construction and Answering 3-6 monthly

3. Profile Construction When checklist completed

4. Profile Discussions by Management When profile available

5. Setting of Remedial Tasks and Targets Following profile interpretation

Table II. The Tripod-DELTA methodology.

Constructing a Database of Indicator Items. Constructing a Failure State Profile

involves using a test to sample each of the individual General Failure Types. The test
items are indicators, relatively small items agreed to be relevant both for the specific

4
 SPE 27846

activity (e.g. drilling with a jack-up rig) and for one of the General Failure Types. A large
collection of indicators can be collected to form a database out of which a smaller number
can be selected for use in a specific checklist. Alternative checklists can be constructed in
the same way using other selections of indicator items.

The indicators refer to the limited number of ways (Features) in which a GFT can be
expressed in any given activity. For instance, Hardware problems can be expressed by
poor performance of the hardware, by excessively high repair frequencies or by the
continuing requests for more appropriate hardware and possibly illegal acquisitions of
such hardware outside normal channels. All of these serve as indicators for the fact that
there are hardware problems. These problems may be limited to a single piece of
equipment rather than being more generic, so one does not wish to concentrate upon a
specific indicator item. Nevertheless, finding general evidence among such indicators is
suggestive that hardware failure is a distinct possibility and this, as is known from
studying accidents, may be a necessary cause of an accident. It may not be a direct cause,
which would appear in risk analysis, but rather as a triggering event which can combine
with a totally different problem to generate suddenly crucial unsafe acts.

Indicator items for a GFT are usually generated by a small group of specialists,
called a syndicate. These people are experienced front-line supervisors, operators, etc.
They are led by a trained syndicate leader. For specific GFTs a specialist should be part of
the group (e.g. for Maintenance Management or Training). The manager who will be the
recipient of the profiles should also take part in at least one such group session to ensure
that he understands the background to the questions. The generation technique involves
three stages:

1) Define 'The Perfect World', a set of desirable features, for each GFT.

2) Generate indicators. These are small, objective and preferably auditable,

indicators that a feature, defined by the Perfect World, either has or has not met. These
indicators are phrased as yes/no questions.

3) Validate the indicators by submitting them to management for acceptance in

terms of their relevance, objectivity and understandability.

There are, in a number of cases1, existing databases of indicator items which can
serve either to prime the generation process or as the major source of items. In the future
it is to be expected that such generic databases will be extended and will form an
increasing input to the process of constructing local databases.

1. In the past three months, have you been unable to trace a piece of equipment that is on
the stock list?
Hardware

2. Are procedures written in the first language of the personnel using them?
Procedures

3. Has the maintenance department been consulted in 75% of purchases of new equipment
last year? Maintenance
Management

4.Is there at least 15 minutes available for shift handover? Error Enforcing Conditions

5. Are the production meetings scheduled on a fixed day of the week? Organization

1Databases currently exist for both onshore and offshore drilling, marine operations,
onshore and offshore construction and some aspects of operations.

5
 SPE 27846

Table III Examples of indicator items for different GFTs.

Environment
- Bureaucracy
- Unavailability, etc.

Information
- Overload, etc.

Equipment
- Quality of communication means, etc.

Time Pressure
- Information loss, etc.

Language Problems
- Intelligibility, etc.

Table IV. Examples of features for the Communication GFT

A typical database consists of about 150-200 indicator items per GFT, i.e. about
2000 questions in total. In some GFTs, such as Procedures, Maintenance Management and
Training, there may be great similarities for different activities. In other cases, the items
can be very activity specific, such as Design, Defenses and Housekeeping.

Constructing and Completing Checklists. Checklists are constructed by sampling a

number of indicators, usually 20, from each of the 11 GFTs. The software (see below)
performs this task, ensuring that an indicator item that has appeared in a previous
checklist will not be repeated immediately. The checklist can be sent as a file on a floppy,
or can be printed out. Checklists have even been downloaded via a satellite link to a
tanker at sea. Once the checklist has been completed, it can be sent back the way it came.
Completion of a 220 item checklist usually takes less than two hours.

Checklists are usually completed by a small group so that no single individual is

associated with the answers. The membership normally include the front line supervisors
and anyone else with sufficient oversight of the daily operation. Some questions may
provoke discussion, which is seen as a positive side-effect. It is usually stressed that the
group is assessing their plant or operation, not the individuals.

Interpreting Profiles. A profile score can be computed for each individual General
Failure Type by simply adding the number of indicators which were answered in the
'unacceptable' way. The worst score, therefore, would be 20 (bad) while the best would be
0 (good). Indicators are selected to have a straightforward yes/no answer rather than
needing any significant level of interpretation or relative rating.

Interpretation is usually confined to examining the top (worst-scoring) three GFTs.

The detailed procedure recommends spending some time initially on examining the whole
profile for consistency. But the majority of the time should be devoted to looking for
latent failures in the worst two or three GFTs.

Initially, profiles formed the end-product, leaving management to identify specific

weaknesses. It soon became clear that further focusing was necessary. One interpretation
technique uses more detailed information about the GFT. This is documented in the
Tripod Manual1 (what can go wrong), to which can be added the features (see Table IV)
used in the generation of the indicators (how things go wrong). Another technique is based
upon assigning GFTs to the different parts of the business process. All interpretation

6
 SPE 27846

techniques are intended to bring busy managers down to a level of operational detail at
which it is possible to identify clear courses of action for improvement.

Generating Tasks and Targets. The most important part of the Tripod-DELTA process
is the definition of the remedial actions. Many safety initiatives fail because they never
succeed in turning enthusiastic commitment into actions. Furthermore, these actions are
themselves often not checked and assessed. Tripod-DELTA requires that specific actions,
defined as tasks and targets for the nominated action parties, be entered into an audit trail.
What this means is that there is a certain point of no return. At the same time the
advantages of proactive approaches become clear. It is possible to select actions in terms
of their feasibility and effectiveness - even if the item is only getting an amount in next
year's budget - rather than being driven by the immediate consequences of an accident.
Given this freedom to select, it is incumbent on those selecting actions to carry them out.

Infrastructure Requirements. A Tripod-DELTA database usually applies at the

departmental level, e.g. the Drilling department can profile all its rigs. In order for Tripod-
DELTA to work, an individual must be nominated as Focal Point to act as custodian of
the database, generate the checklists, send them out, get them back and ensure that the
remedial actions generated are documented and followed. As databases are not expected
to alter rapidly, except when there are significant changes in tasks or equipment, the Focal
Point need only ensure that the indicator items are revalidated from time to time.
Checklists are usually issued only quarterly and quite automatically. Unless paper
checklists are used, getting the completed checklists with the profiles back is simple.
Software supports direct cut and paste operations from checklists into word processing
programs. The Focal Point's other duties would normally involve convening and running
the interpretation and task setting meeting and providing specialist knowledge of the
GFTs when requested. Tripod-DELTA was specifically designed to be a line instrument
with GFTs which are predominantly concerned with the state of the business, so Focal
Points are usually line specialists. The safety department would often play the role of
providing company-wide support and infrastructure, including liaison to the home offices.

Syndicate leaders who are trained are expected to be line personnel. In principle
their task is finished once a database has been assembled, although their expertise may be
made available elsewhere within a company. They can play a role in the improvement
loop by running syndicates to assess and, where necessary, add or delete indicators. One
suggestion that has been made is to structure monthly safety meetings around a specific
GFT which allows an annual quality improvement loop. By taking a month to look at
Communication, followed in the next month by, say, Incompatible Goals, it is possible to
give safety meetings concrete, work-related topics which still have clear safety
consequences.

Computer Support. Tripod-DELTA is supported by a small number of PC-based

computer programs, running under WindowsTM, for the use of Focal Points. This enables
them to create and maintain their databases, to generate checklists and, where necessary,
to transfer completed printed checklists back into computer form. Checklists are usually
completed by using a separate single program run on any IBM compatible. This program
(called Tripod-DELTA) is the one most users will experience.

Implementation Experience

Validation Studies. Field trials of Tripod-DELTA have been carried out in a number of
Shell companies. The first attempts were validated by presenting a number of profiles and
asking managers whether they could assign profiles to platforms or rigs. Such validation
was, at best, informal. More serious validation required tests of test-retest reliability (does
the technique produce the same profiles?) and predictive validity.(was it measuring the
right things?).
TM Windows is a trademark of Microsoft Corp.

7
 SPE 27846

One reliability study was done by giving different checklists with different
indicator questions and to different people 8. The study showed that while there were some
variations due to the checklists being completed by people with different roles (e.g.
toolpushers vs. company superintendents), nevertheless the same shapes of profiles were
generated. Later field trials and improvements have helped to reduce the variability found
in this study (see below).

Another study, for predictive validity, showed that the failure profile derived by
analyzing accidents was very similar to that obtained by the checklisting approach9. In
this validation study, a number of accidents were analyzed back to their underlying
causes, represented in terms of the GFTs. With a number of such accidents it is possible to
generate a profile comparable to the Tripod-DELTA profiles. The correlation between the
reactive and the proactive measures was 0.72, which can be interpreted as showing that
the Tripod-DELTA profile gives a good indication of the causes of the next accident.

Improving Indicator Generation. Once the validity had been demonstrated it was
necessary to develop a usable methodology for getting profiles without the necessary
intervention of external researchers. The first checklists had been made by hand using
indicator items laboriously collected in interviews. There were a number of problems with
this approach. One was that the selection of indicators was filtered through a university
researcher, rather than being the direct output of an experienced oilfield professional.
Another problem was in the phrasing of questions and the method of administration. The
quality of the indicator items in the database is crucial for the success of Tripod-DELTA.

What was needed was a methodology which would release the generation of
indicator items to those mostly directly involved, ensuring that the indicator items
generated are comprehensive, unambiguously phrased and accepted by those managers for
whom the profiles are intended. This was tackled by developing a structured training
course so that field personnel could develop their own databases of indicators (the
syndicate approach) together with clear guidelines on the nature and wording of the
indicators.

Two developments have allowed Tripod-DELTA to become widely applicable.

Successful trials of the use of syndicates were held in Malaysia and in the Netherlands.
The second development was the use of the so-called 'ideal world' scenario, which
enabled syndicates to develop more comprehensive lists of indicators for each GFT. The
emphasis on a scenario enables the initial generation of features which can be checked
against other databases. Specialists, e.g. drillers or operators, can now produce their own
high quality indicator databases with little external guidance. With clear guidelines on
phrasing, the indicators generated now meet the necessary quality standards. Many
implementations do use external facilitation, but some have been completely independent
after an initial training course.

Training for Implementation. Other companies within the Shell group have also
participated in the field trials. The instrument offered to companies within the Group can
be implemented and run independently. There are two approaches to training. A five day
training course gives departmental Focal Points and syndicate leaders enough background
to run alone. This course teaches the theoretical background and gives considerable
hands-on experience in running syndicates and the software. The preferred training
approach takes only two days, leading directly into working sessions, under guidance,
where complete databases are developed. Courses also teach syndicate leaders how to
phrase items and how to recognise poorly worded questions. Finally interpretation and
diagnosis, and the practical aspects of implementation, are covered in the course.

Conclusion

8
 SPE 27846

Tripod-DELTA has been implemented, to date, in a wide variety of settings. The

first E&P implementations began in 1991. They were in desert 10 and offshore drilling,
land10 and offshore construction, marine (standby and supply vessels) and helicopter
operations11. Shell tankers have recently carried out a full scale implementation in one
national tanker fleet, with the firm intention of extending the use of Tripod-DELTA to the
full integrated fleet in 1994. The first fully independent implementation involved two
North Sea platforms, following attendance at a training workshop by people from those
platforms. In Oman, the experience with external facilitators has been followed up with a
new development in land based operations. There have been extensions made to LNG
processing, refineries and chemical plants. Current planning should have Tripod-DELTA
implemented Group-wide in the next few years, by which time auditing and improvement
programs should be in place.

Future research will be examining the causes of violations of procedures,

attempting to develop measuring instruments and managerial tools. The lessons learned in
implementing Tripod-DELTA should be applied to the construction and implementation
of the next generation of tools. We hope that such new developments will also soon be
implemented in such hazardous environments as the North Sea.

References
1.The Tripod Manual Vols. I-IV Shell International Petroleum Maatschappij EP 91-2800
/2nd Edition Vols. I-III EP 93-2800

2. Reason, J.T. Human Error , 1990, Cambridge University Press.

3. Wagenaar, W.A. "Influencing Human Behavior: Toward a Practical Approach for

E&P" Journal of Petroleum Technology, 1992, 44, 1258-1261

4. Wagenaar, W.A., Hudson P.T.W. & Reason, J.T. "Cognitive Failures and the Causes of
Accidents." Applied Cognitive Psychology , 1990, 4,231-252

5. Enhanced Safety Management. Shell Health and Safety Committee.

6. Machiavelli, N The Prince Penguin, Harmondsworth, London.

7. Cullen, D. Enquiry into the Piper Alpha Disaster. Her Majesty's Stationary Office.

8. Hudson, P.T.W., et al.: "Enhancing Safety in Drilling: Implementing TRIPOD in a

Desert Drilling Operation." paper SPE 23248 presented at the 1991 SPE Health, Safety
and Environment in Oil & Gas Exploration and Production Conference, The Hague, Nov.
11-14

9. Hudson, P.T.W., et al.: "Application of TRIPOD to Measure Latent Errors in North Sea
Gas Platforms: Validity of Failure State Profiles." paper SPE 23293 presented at the 1991
SPE Health, Safety and Environment in Oil & Gas Exploration and Production
Conference, The Hague, Nov. 11-14

10. Hudson, P.T.W., et al.: "Diagnosis and Target Setting in Drilling and Engineering
operations using Tripod-DELTA" paper SPE 27294 to be presented at the 1994 2nd SPE
Health, Safety and Environment in Oil & Gas Exploration and Production Conference,
Jakarta

11. Hudson, P.T.W., et al.: "Implementing Tripod-DELTA in a Major Contractor." paper

SPE 27302 to be presented at the 1994 2nd SPE Health, Safety and Environment in Oil &
Gas Exploration and Production Conference, Jakarta

View publication stats