48 2 365KB
Shell International Exploration and Production B.V.
Tripod-DELTA (to be re-issued in 1999)
EP 95-0320
HSE MANUAL Revision 0: 27 October 1995
EP HSE Manual Amendment Record Sheet Section Number: EP 95-0320 Section Title: Tripod-DELTA
Rev. No. 0
Chapter Nos. All
Description of amendment
Date dd/mm/yy
Original hard copy and CD-ROM issue
27/10/95
Amended by EPO/61
Contents
CONTENTS Introduction
iii
3.2.1 Profiling : overview
31
3.2.2 Tripod-DELTA software
31
3.2.3 Profiling
32
3.2.4 Generating a questionnaire
32
1
Management Overview
1
3.2.5 Answering questions
32
1.1
Incidents: Setting the Scene
2
3.2.6 Recording answers
34
1.1.1 Why incidents occur
2
Generating Actions
35
1.1.2 Addressing the problem
2
3.3.1 Generating the profile
35
Tripod: The Theory
3
3.3.2 Profile interpretation and troubleshooting
35
1.2.1 Background
3
3.3.3 Generating action items
35
3.3.4 Action itemising
36
3.3.5 Action items
37
3.3.6 Human Factors Analysis techniques
38
1.2
1.3
1.4
1.2.2 Incident causation: active and latent failures
3
1.2.3 The General Failure Types
4
Tripod-DELTA: The Mechanism
5
1.3.1 Introduction
5
1.3.2 DELTA profiles
5
1.3.3 Prior to implementation
6
1.3.4 Implementation
6
Appendices I
1.3.5 Critical success factors
7
Running DELTA
9
1.4.1 Issuing the questionnaire
9
1.4.2 Answering the questionnaire
9
1.4.3 Action itemising
9
1.4.4 Human Factors Analysis
10
1.4.5 Managers' role in running DELTA
10
1.5
The Benefits
11
1.6
Summary: Chapter 1
13
2
Implementation Guidelines
2.1
Preparation for Implementing DELTA
16
2.1.1 Organisational requirements
16
2.1.2 Training
18
Indicator Questions
20
2.2.1 Characteristics
20
2.2.2 Customising a generic database
21
2.2.3 Generating a database
22
2.2.4 Calibrating a database
22
2.3
Summary: Chapter 2
24
3
Application: Profiling
3.1
Background
26
3.1.1 Tripod research
26
3.1.2 Human error
26
3.1.3 System failures
27
2.2
3.2
3.3
3.3.7 Feedback on results
39
Summary: Chapter 3
40
Tripod Background
Glossary
41
49
15
25
3.1.4 The General Failure Types
27
Running DELTA
31
EP 95-0320 Revision 0 27 October 1995
3.4
i
HSE Manual EP 95-0320 Document Title This page intentionally left blank.
ii
EP 95-0320 Revision 0 27 October 1995
Introduction
INTRODUCTION Tripod-DELTA is a diagnostic tool for incident prevention based on the Tripod Theory of accident causation. Questionnaires extracted from a pre-established database of indicator questions are completed by site representatives. Answers to the questionnaires are summarised as a profile showing the relative 'health' of the HSE management of an operational unit in 11 separate areas. This document is presented in three ‘stand alone’ chapters each aimed at a specific readership. For this reason, some duplication between chapters is inevitable. Chapter 1 summarises the underlying Tripod Theory and defines the 11 General Failure Types (GFTs). An overview is given of the profiling mechanism, resources involved and the benefits of the application. Chapter 2 addresses the organisational requirements for initial implementation of Tripod-DELTA in an area of operations - planning , training, resources and communications - and the procedure for customising a generic database. The purpose of Chapter 3 is to provide guidance to team leaders and participants running TripodDELTA profiling exercises. Human error and the Tripod Theory are discussed, a profiling exercise is described and guidance is given on interpretation of profiles and generating response action items.
EP 95-0320 Revision 0 27 October 1995
3
HSE Manual EP 95-0320 Tripod-DELTA This page intentionally left blank
4
EP 95-0320 Revision 0 27 October 1995
1 Management Overview
1
MANAGEMENT OVERVIEW
This chapter offers a concise overview of Tripod-DELTA (Diagnostic EvaLuation Tool for Accident Prevention) directed primarily at senior management. The best way for an organisation to deal with incidents (in this document the term incident encompasses dangerous occurrences, near misses and all recordable incidents and accidents) is to prevent them from ever happening. Incidents cost time, money and sometimes even lives. By devoting resources to prevention an organisation can concentrate on its core business instead of being sidetracked into dealing with the consequences of incidents. DELTA is a proactive safety tool aimed at incident prevention. It has been specifically designed for operations where remedial information used to improve safety is scarce because of reduced incident frequency. DELTA works as a self diagnostic tool which, once implemented, has been developed to run in companies by line personnel with minimum effort but maximum effectiveness. Organisations with a high incident frequency will benefit more from Tripod-BETA, the retrospective application of Tripod, dealing with incident analysis. Tripod-DELTA is not a replacement for other safety initiatives, but works in conjunction with Safety and HSE Management Systems (SMS and HSE MS) and Safety Cases, supported under the HSE MS Guidelines. Implementing DELTA demonstrates a commitment to safety. The main benefits of DELTA are summarised as:
examines the organisation as a whole and not just safety in isolation
feedback on potential incident causes before incident occurrence
prioritisation of action to prevent incidents, targeting resources where they are most needed
a low maintenance system coupled with a high quality deliverable
exposes latent failures not normally addressed by traditional safety tools
self diagnostic: run by the line with assistance from the HSE department/focal point
continual improvement through regular DELTA profiling exercises
profiling can be conducted at any time therefore avoiding peak work periods
dissemination of improvements to multiple sites.
EP 95-0320 Revision 0 27 October 1995
5
HSE Manual EP 95-0320 Tripod-DELTA
1.1
Incidents: Setting the Scene
1.1.1 Why incidents occur In recent years most organisations have implemented comprehensive safety measures. Initiatives such as ESM and Unsafe Act Auditing (UAA) have contributed to a fall in recordable incidents. However, almost no organisation has reached a consistently flawless level of incident occurrence. This is because no matter how well an operation is run, error producing factors will always exist. Such factors include time pressure, continual operational changes in a dynamic environment and the fact that over time, known risks are underestimated. Although these factors ensure that incidents will continue to occur their end result can be controlled to a certain degree. If the organisation is working safely and efficiently the potential of incidents arising from such factors will be reduced. High quality operations are more adept at dealing with crises than organisations pushed beyond their limit. In poor quality operations a small crisis is often the straw that breaks the donkeys back, and something that started out as relatively insignificant becomes a full scale disaster.
1.1.2 Addressing the problem Error-producing factors can result in either technical or human failures. Over the years much work has been done to improve the technical aspects of operations. As technology has progressed machinery and equipment have become more reliable and safer to operate. Very little, however, has been done with regard to failures of a human nature. If anything, human error has been used as a scapegoat when no other causes for an incident could be identified. Research has confirmed that humans will always commit errors. This does not mean that all humans commit the same types of errors. Inexperienced people, for instance, tend to make slips or lapses, eg fumbled gear change, exiting a motorway one junction too early or late. Highly experienced people, on the other hand, are more likely to commit violations. Violations are deliberate deviations from a planned action sequence. They are often caused by a persons superior understanding of an operation. It is therefore impossible to label a particular type of individual as prone to making errors. Often, the best personnel make the worst mistakes. Tripod is a system that addresses human error. It reveals where human errors stem from and attempts to minimise its consequences. Tripod-DELTA addresses the latent failures that are behind active failures, most of which are caused by human error. It reveals the factors that increase the likelihood of human errors so that they can be addressed.
6
EP 95-0320 Revision 0 27 October 1995
1 Management Overview
1.2
Tripod: The Theory
1.2.1 Background Tripod is the result of Shell Group sponsored research, carried out by the Universities of Leiden, The Netherlands, and Manchester, United Kingdom. Tripod is a theory of incident causation and has produced two applications to date: Tripod-BETA, a retrospective application in incident analysis and Tripod-DELTA, a proactive tool for incident prevention. Tripod-DELTA has been field-tested in a variety of Group Opcos including Exploration and Production (EP) Opcos and the STASCO fleet where it is already an established part of their HSE management activities. A more detailed account of the background is given in Appendix I.
1.2.2 Incident causation: active and latent failures In order to reduce incident frequency one must first have an understanding of how incidents happen. Tripod research identified two types of failure: active failures and latent failures. Their roles in incident causation will be explained using the example of the Kings Cross Tube fire in 1987 (UK). In this disaster, the active failure was a discarded cigarette. Because of this the cause of the incident was labelled as a 'human error' by many of the investigators. Latent failures, however, included wooden escalators, poor firefighting/detection equipment, refuse soaked in flammable material, etc, that had been present a long time before the event of the discarded cigarette. Even though the occurrence of some active failures will be inevitable, their effects can be reduced considerably by eliminating as many latent failures as possible. For example, if the cigarette would have been dropped whilst the firefighting/detection equipment were in good working order, the active failure would most probably not have resulted in catastrophe. Active failures (human errors) come in many different forms, and are therefore hard to predict. Latent failures are present all the time but are often hidden, overlooked or tolerated in an organisation. Latent failures often stem from decisions made at a much earlier time. These decisions may have been correct at the time they were made, however, in a dynamic environment such as the oil and gas industry, yesterday's best decision can be tomorrow’s worst source of error. Tripod aims at identifying and reducing latent failures so that when the inevitable active failure (human error) occurs, it does not result in an incident.
1.2.3 The General Failure Types Tripod classifies all possible latent failures into 11 General Failure Types (GFTs): Hardware (HW)
Incompatible Goals (IG)
Design (DE)
Communication (CO)
Maintenance Management (MM)
Organisation (OR)
Procedures (PR)
Training (TR)
Error Enforcing Conditions (EC)
Defences (DF)
Housekeeping (HK) The General Failure Types are defined in 3.1.4.
EP 95-0320 Revision 0 27 October 1995
7
HSE Manual EP 95-0320 Tripod-DELTA
1.3
Tripod-DELTA: The Mechanism
1.3.1 Introduction DELTA is a proactive tool that functions by taking a 'safety health check' of an organisation. In the same way that a doctor measures vital signs (eg heart rate, cholesterol, albumen, etc) as indicators for the overall health of a patient, DELTA uses 'indicator questions' to measure an organisation’s health. Each indicator question is tailor-made for the operation in question, and is specific to one of the 11 GFTs. Indicator questions are objective, and can only have one desirable answer, either 'yes' or 'no'. During a profiling exercise a questionnaire is prepared and answered by a small group of personnel. By analysing the answers a graphic profile is generated. Much in the same way a doctor, after a diagnosis, can warn a patient of imminent illness and thus prevent its manifestation, DELTA can forewarn an organisation of potential future problem areas. This gives the organisation time to put problems right before they potentially develop into incidents. DELTA profiling exercises are normally carried out every four to six months.
1.3.2 DELTA profiles A DELTA profile is a ‘failure state profile’, the GFTs being represented on the x-axis, and 'increasing concern' represented on the y-axis (see Figure 1.1). The higher a particular GFT bar, the more signs of latent failure have been detected in that GFT and therefore the more the GFT poses a threat to the safety of the organisation. DELTA profile
Increasing Concern
Figure 1.1
HW DE MM PR EC HK IG CO OR TR
DF
GFT
By representing the relative difference in concern between GFT areas, a profile allows a manager to prioritise corrective action. This prioritisation process supports the manager in allocating resources where they are most needed. In the illustration, Communication, Maintenance and Hardware are the most problematic GFTs (the higher bars). Available resources should concentrate on improving these areas first. On the other hand Organisation, Housekeeping and Procedures (the lower bars) are the areas with the least number of deficiencies. They require less attention. After a profiling exercise, three points of improvement are generated on site for each of the three highest scoring GFTs in the profile. In the same way a doctor may recommend a patient takes more
8
EP 95-0320 Revision 0 27 October 1995
1 Management Overview exercise and eats more healthily in order to prevent future illness, an organisation must improve problem areas by generating and implementing corrective action. This process is called action itemising. Management involvement at this stage is strongly recommended to ensure commitment to the implementation of action items. It is important to remember that a profiling exercise is run before an incident has occurred. Improvements are made before personal injury, material loss or environmental damage have occurred.
1.3.3 Prior to implementation Although Tripod-DELTA is a powerful tool, it cannot be implemented everywhere. Prior to the implementation of Tripod-DELTA, three questions should be considered: WHERE?
In order to generate meaningful profiles operational units are profiled instead of the organisation as a whole. Operational units are small parts of the organisation which are partly self-regulatory. A single drilling rig is a good example of an operational unit.
WHEN?
DELTA is a tool specifically designed for operational units where incident information used to improve safety is scarce because of low incident frequency. DELTA provides points for improvement without having to have incidents, and thus assists an organisation in maintaining low incident statistics.
WHAT?
For operational units that do not have a low incident frequency Tripod-DELTA may not be appropriate. There may be more benefit from the retrospective application Tripod-BETA to assist in the analysis of incidents, thereby providing information concerning points for improvement.
1.3.4 Implementation The implementation of Tripod-DELTA for the first time in an operation begins with training Opco personnel. The training lasts one or two days and ideally the internal resource requirements are as follows: one or two Focal Points (typically from the Opco HSE department) three Supervisors from the operational unit to be profiled (eg on a rig the toolpusher and two drilling supervisors) one Manager at a senior level in the operation (eg Head of drilling operations) should attend at the start of the training. At least one of the focal points should have a rudimentary knowledge of MS DOS and Windows. After training, work can begin on customising indicator questions. It is recommended that an external licensed consultant facilitates the implementation process. A list of licensed consultants can be obtained from SIEP. The generation of indicator questions from a zero base is a time-consuming process, typically involving five or six selected Opco personnel and two external facilitators for ten days, following which the new questions need to be validated against quality criteria. A database of new questions also needs calibrating before conclusions can be drawn regarding repeat profiles. To facilitate the implementation of DELTA in companies, a 'generic' database of indicator questions from previous implementations for each main activity, eg drilling, construction, is maintained by SIEP, The Hague. Good quality indicator questions are at the heart of DELTA's success; using questions from these databases cuts down implementation time dramatically. Customising is the process of modifying previously developed indicator questions to suit a new operational unit. This is best done by a group of two or three personnel from the unit in which DELTA is to be implemented. The personnel should be from a supervisory level to provide sufficient
EP 95-0320 Revision 0 27 October 1995
9
HSE Manual EP 95-0320 Tripod-DELTA knowledge of the technical aspects of safety and of the more organisational elements of the unit. Customising takes two to three days and besides making the questions specific to the operation starts the process of 'ownership' amongst line personnel. Full ownership is achieved once management endorsed action is being taken in response to a DELTA profile. Previous implementations have benefited from management input on completion of customising, (ie reviewing a random selection of questions to ensure DELTA has approval from senior levels of the organisation). Customising is a one-off process; afterwards the database can be used with minimal maintenance for some years. Customised indicator questions can be imported into the DELTA software. The software manages the entire DELTA process and is simple to use. Table 1.1 provides an overview of a time schedule and resource requirements for a DELTA implementation. Table 1.1 DAY
DELTA implementation: time and resource schedule TASK
RESOURCES
1
TRAINING
2
TRAINING/ CUSTOMISING
3
CUSTOMISING
4
CUSTOMISING
1 to 2 Focal Points 3 Supervisors 1 Manager (about 2 hours) 1 Consultant 2 Focal Points 3 Supervisors 1 Consultant 1 Focal Point 3 Supervisors 1 Consultant 1 Focal Point 3 Supervisors 1 Consultant
After a database has been in use for some time, further fine tuning can be made by calibration, measuring the correlation of each individual indicator question with its respective GFT. This exercise can be arranged via SIEP in The Hague. Annual feedback on the results of profiling exercises is suggested to help maintain the currency of SIEP generic databases.
1.3.5 Critical success factors In order for a DELTA implementation to be a success, some critical success factors should be taken into consideration: Senior Management Commitment
Support from the top of the organisation at implementation and afterwards sanctioning action items to ensure that the benefits of DELTA are cascaded throughout the organisation.
Employee Involvement
DELTA’s success relies upon employees (company and contractor) active involvement in answering questions and developing action items.
Planning
Start with a pilot implementation and expand the application in line with the ability of the organisation to support it. Ensure that DELTA implementation minimises interference with other activities and coordinate the use of resources, key personnel and external consultants.
Training
Comprehensive training should be given to the personnel involved in the customising of indicator questions, running the DELTA software, and generating action items.
Resources
Sufficient time and money must be allocated to implementation and to executing action items if the implementation is to be successful.
10
EP 95-0320 Revision 0 27 October 1995
1 Management Overview Organisational Communications
Keep the organisation informed about the progress of DELTA pilot projects and implementation plans.
Monitoring and Feedback
Monitoring the completion of action items and feedback of progress in profiling results are vital for establishing long-term success of DELTA.
Mature Safety Culture
DELTA can only work if questions are answered openly and if action points created are executed. A mature safety culture is necessary to achieve this.
EP 95-0320 Revision 0 27 October 1995
11
HSE Manual EP 95-0320 Tripod-DELTA
1.4
Running DELTA
1.4.1 Issuing the questionnaire The DELTA software manages the database, and all aspects of DELTA. It is normally run by an appointed DELTA focal point. Generating a questionnaire from this database, based on a random selection with certain constraints put on the algorithm requires very little effort. The software allows a questionnaire to be issued either on computer disk or paper. Profiling is normally done on a regular basis (every four to six months), but it is flexible in the sense that it can be done at a time most suitable to the operation (ie when there is a respite in the work load). Action items from previous exercises should have been completed.
1.4.2 Answering the questionnaire The questionnaire is completed by a small group of site personnel (no more than four) who, collectively, have the knowledge to answer the questions. An answering group on a rig, for example, could include the drilling supervisor, tool pusher, maintenance engineer and safety officer. The questionnaire consists of 220 to 275 questions (20 to 25 per GFT). Most questionnaires can be completed in two to three hours (over a flexible period of time). Once completed a DELTA profile is automatically generated.
1.4.3 Action itemising The profile will reveal both strong and weak areas. Normally the three worst performing GFTs (highest bars) are examined in more detail during an action itemising exercise. The objective of the exercise is to define approximately three areas of improvement per GFT and to put corrective action into place. This process involves brain storming conducted by a selection of the answering group, line personnel and management, possibly at a slightly higher level than the team that completed the questionnaire. Each item of improvement follows a 'What', 'When', 'Who' format. What the action is, When it will be completed by and 'Who' is responsible for its implementation. The action itemising meeting normally takes two to three hours. In order to assist the process specific grids and instructions have been developed. Action itemising points are line generated and often low budget. A time schedule for a DELTA profiling exercise is presented in Table 1.2. Table 1.2
Time schedule: DELTA profiling exercise Days
Task
1
2
Issue Questionnaire Answer Questionnaire Generate Action Items
1.4.4 Human Factors Analysis Action itemising is very much a local response aimed at improving one GFT. For more in-depth analysis of a GFT, different 'human factors' analysis tools are advised (refer to EP 95-0324). Different techniques are recommended to instigate analysis in specific areas. Techniques include hierarchical task analysis, link analysis, simulations, human reliability and error analysis, ergonomic checklists and standards, walk/talk-through analysis, functional allocation and health risk assessment (see 3.3.6).
12
EP 95-0320 Revision 0 27 October 1995
1 Management Overview 1.4.5 Managers' role in running DELTA Although run primarily by the line, DELTA is a tool for the whole operation. Most active failures will manifest themselves in the workplace but many of the latent failures will have originated from higher management decisions. Management must therefore be willing to entertain action itemising points and to assess if corrective action can be put into place. If the workforce see that their points of improvement are being implemented they will have 'ownership' and will be encouraged to support the DELTA initiative. Support from the top of the organisation during implementation and afterwards by endorsing action items will ensure that the benefits of DELTA are spread throughout the organisation.
EP 95-0320 Revision 0 27 October 1995
13
HSE Manual EP 95-0320 Tripod-DELTA
1.5
The Benefits
The benefits of DELTA are listed below:
resource prioritisation Safety and quality are simple obstacles to attain if there is an unlimited budget and time to spend. However, no manager has an unlimited budget. DELTA identifies the GFTs that pose the greatest concern in HSE management. By concentrating efforts in these areas a manager can make efficient use of resources.
proactive measures When an incident occurs it controls time. Management and the line prioritise on recovery and investigation, deviating from their core business thus becoming inefficient. Traditional improvements in HSE management rely upon learning from mistakes. Often, it is only after an incident has occurred that lessons are learned and improvements are implemented. DELTA cuts the incident out of the learning cycle. It replaces it with the findings of a profile. By removing the 'incident', improvements no longer have to be preceded by personal injury, material loss or environmental damage. By running DELTA, time spent on preventing incidents can be saved many times over when compared to time spent dealing with the consequences of incidents.
self diagnostic After implementation DELTA is run by the line. It is designed with efficiency in mind to run without the intervention of external resources. As the technique is self-diagnostic, the line and its management are the first to know about potential problems. They can use their talents to solve their own problems. The level of ownership is high and safety philosophy is communicated through the line.
profiling between audits Conventional audits are time consuming, costly and normally target an individual installation. Often, they produce many action points simultaneously, implementation of which requires a great deal of planning. With DELTA, however, action points are self-generated and the quantity is limited to encourage proper implementation. They are also often low budget. Therefore the tool is extremely efficient and can be run regularly on several locations at a time in order to assess their 'safety health'.
addresses hidden failures Most safety systems only address issues that are known to be a problem. DELTA addresses issues that, in many cases, are hidden (latent failures). It also acknowledges that latent failures are contained throughout the organisation and not just in the safety arena.
good cost/ benefit ratio DELTA takes up relatively little time. Implementation can be achieved in about a week and maintenance in both time and money is low. After the one-off customising exercise the DELTA database can be used time after time without any two questionnaires being the same. Answering the questionnaire takes about three hours. Generating action items takes about the same time. This process happens two to three times a year so the time spent on DELTA is low. DELTA encourages the generation of regular improvements to the operation. By implementing these improvements the chance of serious incidents is lowered. DELTA profiling exercises are run by the line at times convenient to the planning of operations.
14
EP 95-0320 Revision 0 27 October 1995
1 Management Overview By improving safety DELTA improves organisational efficiency. If a company can reduce the time spent investigating incidents and dealing with loss and recovery it would have more resources for its core business; finding and producing petrochemicals.
human-tolerant system Many safety systems continue to target humans as the cause of incidents. DELTA acknowledges all humans are prone to making mistakes and that predicting and preventing human errors is virtually impossible. It therefore concentrates on latent failures that are continually present and are the underlying causes of incidents.
EP 95-0320 Revision 0 27 October 1995
15
HSE Manual EP 95-0320 Tripod-DELTA
1.6
Summary: Chapter 1
Incident research has shown two types of failures are evident in most incidents. Active failures (technical or human) have a direct impact and are often committed at shop floor level. Latent failures, however, lie hidden in the system for a long period of time and often stem from decisions made at a much higher level of the organisation. Latent failures can encourage active failures or act in combination with active failures to cause incidents. Tripod-DELTA is a tool that exposes latent failures. It classifies latent failures into 11 GFTs. By analysing an operation using the GFTs DELTA assesses where the most problematic areas of an operation are. The process of action itemising facilitates the removal of latent failures. Practically, DELTA analyses an operation using a questionnaire. The questionnaire is generated by a software package from a database previously customised by line personnel. The questionnaire is specific to the operational unit and has an equal number of questions for each of the 11 GFTs (normally 20 to 25). The questionnaire is answered by line personnel and a DELTA profile is generated showing the GFTs against a scale of increasing concern. The higher a GFT bar, the more threat it poses to the operation. By concentrating resources on the worst GFTs, managers can direct resources to areas of their operations where they are most needed. The benefits of DELTA are numerous. It looks at safety in a new light, examining the entire organisation for latent failures instead of 'traditional' safety problems. It provides feedback on potential incident causes before any incident has occurred. It identifies the strongest and weakest areas of an operation, therefore allowing prioritisation of resources. As a self diagnostic tool it is run by the line efficiently and is flexible so can avoid peak work periods. It delivers steady improvement by providing a manageable number of action items for implementation. Finally, DELTA provides a method of learning and improving that does not rely on having suffered human, material or environmental loss. The quality and effectiveness of a business is an excellent indication of its safety record. The better run the business, the lower its incident frequency. DELTA is a tool that helps business become better by exposing potential shortcomings and remedying them before incident occurrence.
16
EP 95-0320 Revision 0 27 October 1995
1 Management Overview Figure 1.2
Tripod-DELTA overview
DELTA
Syndicate or
Opco Database
SIEP Generic Database
Customising team
Feedback
HW DE MM
PR
EC
HK
IG
CO
OR
TR
DF
GFT
Answering Group
DELTA Profile
Corrective Action
In Figure 1.2 three levels can be identified:
generating indicator question in a syndicate or customising a generic database; the resulting Opco database is then imported into the DELTA software
answering a questionnaire, generated by the DELTA software resulting in a DELTA profile
focusing on problem areas and the generation of action items for the top three GFTs in the profile.
Feedback of profiling results to SIEP (every one or two years) is also shown.
EP 95-0320 Revision 0 27 October 1995
17
HSE Manual EP 95-0320 Tripod-DELTA
2
IMPLEMENTATION GUIDELINES
This chapter, directed primarily at DELTA focal points, offers a guide to the introduction of Tripod-DELTA into a specific operational activity - setting up a database of indicator questions relevant to the operation, training focal points and line staff to run profiling exercises. For a given operation, implementation should be considered a one-off exercise. A database, once set up, should last for a considerable time requiring only minimal maintenance. Training for running profiling exercises only needs to be repeated for an expanded application or in response to staff turnover. An Opco team familiar with the operation is given initial training and goes on to develop its own set of indicator questions from a zero base. This is always possible, but it does have disadvantages. Developing a balanced set of 1000 to 1200 questions requires a considerable effort, and after it is completed each question needs to be validated independently - checked for quality against a set of criteria. The completed database needs to be calibrated to identify the questions that provide the most useful indicators of the true state of affairs in the operation being profiled. Calibration of a new database typically involves the completion of 40 to 50 profiling questionaires distributed over ten or more operating units. The alternative preferred method still uses an Opco team, but requires fewer people and less time. After initial training, the team ‘customises’ a generic database obtained from SIEP by amending the references or parameters of the questions to reflect the local operation. As these generic databases have been validated and calibrated beforehand in a similar operation, the database will be ready to use after customising. The first part of this chapter deals with preparation and in particular critical success factors that should be in place before implementation is attempted. The rest of the chapter focuses on the actual implementation process using the customising option. A summary with a brief 'do’s and don’ts' listing concludes the chapter.
18
EP 95-0320 Revision 0 27 October 1995
2 Implementation Guidelines
2.1
Preparation for Implementing DELTA
Before introducing Tripod-DELTA into an operation it is important to ensure that the operation is suitable. The following questions should be considered: WHERE?
Tripod-DELTA recognises that most organisations are made up of different operational units that have their own strengths and weaknesses. The fact that housekeeping may be a problem in one part of the organisation does not necessarily mean the organisation as a whole suffers from this. In order to generate meaningful profiles, and thus generate specialised points for improvement, operational units are profiled instead of the organisation as a whole. Operational units are small parts of the organisation which are partly self-regulatory. A single drilling rig or small production platform is a good example of an operational unit. A large refinery is not a good example, nor is a large platform with simultaneous drilling and production operations. A very small location is also not ideal. An operational unit should have approximately 25 to 100 personnel. There should be a predominant main activity with an organisational hierarchy that has between two to six people in the unit who, combined, have a complete understanding of the operation (eg on a rig, the toolpusher, drilling supervisor, maintenance engineer). This is to assist in answering the questionnaire and creating action items.
WHEN?
DELTA is a tool specifically designed for operational units where incident information used to improve safety is scarce because of low incident frequency. Although low incident statistics may imply a safe operation, the real challenge for an organisation is to keep incident statistics low. In an ever changing dynamic environment, improvement must be continuous. DELTA is a tool that provides points for improvement without having to incur incidents, and thus assists an organisation in maintaining low incident statistics.
WHAT?
DELTA may not be an appropriate application for operations with a high incident frequency. Such operations may benefit more from the retrospective application of Tripod-BETA. This tool will assist in the analysis of incidents that have occurred, thereby providing information concerning points for improvement. Although DELTA and BETA are two different applications, they both result in a GFT profile. A DELTA profile represents the safety health of an operational unit. A BETA profile represents the typical contributory failures in an incident that has occurred.
HOW?
A database can be developed locally from a zero base, but this is a resource intensive exercise. Generic databases available in SIEP, derived from indicator questions developed in Opcos, offer the opportunity for reducing the time and resources for implementation.
2.1.1 Organisational requirements If the right environment exists for the implementation of DELTA and the decision is taken to proceed, it is also necessary to ensure that critical success factors are in place: Senior management commitment
Implementing DELTA will only succeed if senior management in an organisation are committed to its introduction and application. DELTA will require some time, money and effort in order to be implemented correctly. Senior management are the only people who can allocate these resources and they will only do so if they understand what benefits DELTA can realise for their company. Ensure they understand DELTA by providing management with the correct literature (DELTA Manager’s
EP 95-0320 Revision 0 27 October 1995
19
HSE Manual EP 95-0320 Tripod-DELTA Summary) and support their understanding by giving presentations on the concept. The implementation of DELTA will also be assisted by having a senior manager who will act as a DELTA 'champion' within the organisation. Management should also approve and monitor action implementation. Employee involvement
One of the main reasons for the failure of the implementation of any innovative technology is lack of employee involvement. DELTA’s success relies upon employees answering questions and developing action itemising points. They cannot perform these tasks if they are kept in the dark. Although some employees will be involved in the implementation phases all employees in the operational unit should be informed about DELTA. This should be done through a series of presentations and question and answer sessions. If contractors work in the unit, special attention should be paid to include them in the implementation process.
Planning
It is recommended that a pilot implementation is made in a selected area that can serve as a demonstrator for wider implementation. The application can be expanded in line with the ability of the organisation to support it. In order for the implementation phase to run smoothly it is essential that it does not coincide with major operational activities. Furthermore, planning should ensure that all resources, key personnel and external consultants used will be available at the desired time. Periods of absence of key players should be taken into consideration and avoided if at all possible.
Training (see also 2.1.2)
Before implementation key personnel must be trained in DELTA. Although the system has been specifically developed to be simple to use comprehensive training should be given to a company focal point who will be responsible for running DELTA. The focal point also has to be trained in operating a simple software package that will manage DELTA as well as being familiar with giving DELTA presentations, explaining the concept and facilitating action itemising meetings. HSE departments will most likely provide these focal points as part of their services to the line.
Resources
The success of DELTA also depends on having available resources. As well as the availability of sufficient time and finances to complete the implementation, attention should be given to the key personnel who will be involved with DELTA on a day to day basis. Administration time alone can be demanding on a company focal point and this should be built into the resource equation from the onset. Selection of personnel should concentrate on creative, forward thinking individuals who know their operational unit well.
Organisational communications
20
Both during and after the implementation of DELTA it is important to keep all elements of the organisation informed about its progress. This includes senior management from company and contractors as well as other employees. Good communications are essential when several operational units in an organisation are using DELTA or plan to do so in the future. By comparing notes between implementations the organisation as a whole will learn how to implement and use DELTA. Past experiences have shown that, eg, a steering committee in the organisation has been of
EP 95-0320 Revision 0 27 October 1995
2 Implementation Guidelines benefit during implementation and subsequently maintaining momentum of DELTA. Monitoring and feedback
Once implemented it is important to monitor progress on DELTA to ensure it is progressing correctly. This is particularly salient with DELTA as it can be up to six months between profiling exercises. Ensuring that DELTA profiles and action points are published in reports and bulletins will help keep the momentum going. Feedback also should be given to SIEP, normally on an annual or biannual basis.
Mature safety culture
Questionnaires have to be answered openly and when shortcomings are exposed in the organisation nobody should be blamed. A mature safety culture that supports open reporting is therefore a necessity.
When the above factors are in place an implementation should proceed. There are three distinct phases to implementation; training (2.1.2), customising (2.2.2) and database calibration (2.2.4).
2.1.2 Training Without good training a successful implementation is hard to achieve. Training during implementation should be given in the operational unit in question. The use of a licensed consultant is advocated to ensure a systematic, thorough introduction of DELTA and to iron out teething problems during implementation. Training lasts two days (with the exception of the manager who will not be required for the duration). A list of licensed consultants can be obtained from SIEP. Who should be trained? Implementation involves the following people:
the senior manager in whose operational unit the implementation is taking place
the company Tripod-DELTA focal point and possibly an assistant
personnel directly affected by the implementation of DELTA (three supervisors per operational unit).
Training plans should take work cycles, leave schedules and job changes into account. The above represents requirements in one location, ie on a single rig or platform. If a number of operational units are involved in the implementation then the number of focal points and managers involved in the process should remain the same. The only increase is in the number of personnel directly from locations in which implementations are carried out, eg if four platforms are involved in the implementation then training for 4 x 3 supervisors will be required. The customising exercise should produce a common database for all operating units. What training should be given? DELTA training can be divided into two categories; knowledge-based and skill-based. Different course participants should be trained in different skills although all should have the knowledge-based training to ensure they know what their part, and that of other participants is in the overall concept of DELTA. With regard to the skill based training three main areas are identified: Training for customising DELTA indicator questions All personnel involved in the customising process should have an understanding of what comprises a good indicator question. In addition, there should be a DELTA focal point who is in charge of leading
EP 95-0320 Revision 0 27 October 1995
21
HSE Manual EP 95-0320 Tripod-DELTA the customising sessions. The focal point should receive additional training in how to exert quality control during the customising sessions. Management of DELTA software The DELTA focal point is responsible for the day-to-day management of DELTA, and should therefore be thoroughly trained in how to use the DELTA software. It is strongly recommended also to train someone from the computer department in the DELTA software, in order to provide internal back-up for troubleshooting. Generation of action items Since the generation of action items requires a cross-section of personnel, including management, supervisors and workers, a cross-section of personnel should receive training in how to do this. Again, a designated person should be appointed to lead these sessions, and should receive training accordingly. Furthermore, the DELTA focal point should be made aware of the importance of liaising between all different parties involved. One very important task of the DELTA focal point is to keep DELTA alive over a long period of time.
22
EP 95-0320 Revision 0 27 October 1995
2 Implementation Guidelines
2.2
Indicator Questions
2.2.1 Characteristics At the heart of DELTA are indicator questions. Much in the same way a doctor makes a diagnoses by asking a patient questions about their health, DELTA uses indicator questions to determine the safety health of an operation. DELTA uses a database of approximately 1100 indicator questions. The intent of indicator questions is to diagnose rather than to audit or investigate. An indicator question should have the following characteristics:
it can only be answered with 'Yes' or 'No'
it has only one desirable answer, which can be 'Yes' or 'No'
it is objective, ie it does not ask about feelings, awareness, etc
it is measurable, ie it has a specified time frame or frequency
it is specific to the operation
it is specific to a GFT
it is auditable - the answer is based on facts that can be verified
it is specific to a single item or item group, eg it refers to lifting equipment rather than to equipment in general
it is directed at a specified individual or group, eg it refers to the drilling supervisor rather than to 'you'.
An example of a good indicator question is: Has the drilling supervisor worked more than 16 consecutive hours in the last seven days? The answer to this question is either 'Yes' or 'No'. However, the desirable answer is 'No'. It is objective, measurable and specific to a drilling operation. The question is relevant to the GFT Error Enforcing Conditions and is directed specifically at the drilling supervisor. Some questions are designed so that the desirable answer is a 'No' and others are designed so that the desirable answer is 'Yes'. This is to prevent an answering group assuming that all 'Yes' answers are necessarily desirable. Desirable Answer 'No': Has there been a fatality on site during the last year ? Desirable Answer 'Yes': Has there been a fire drill in the last week? A database should ideally be split evenly between questions that have 'Yes' and 'No' for a desirable answer. All questions are weighted equally. Features
The GFT is a relatively broad category. Within each category a number of specific aspects, called features, has been defined. When a database of indicator questions is generated a check is made to ensure that each feature is represented, so that the full scope of the GFT is covered. Typical Hardware features are, for example, availability and quality. Features are also used as prompts for the generation of remedial actions. The rationale behind the existing features structure is currently under review.
EP 95-0320 Revision 0 27 October 1995
23
HSE Manual EP 95-0320 Tripod-DELTA 2.2.2 Customising a generic database Generating indicator questions from scratch is time consuming and difficult. A team of four to five, consisting of supervisors, management and workers would take at least a day per GFT. Many operations cannot afford the manhours necessary to develop questions from scratch and therefore to help the implementation of DELTA in an operational unit a process called 'customising' has been developed. Customising involves taking indicator questions previously developed for another operational unit and modifying them to suit the specific work environment. Existing DELTA questions have been developed for a variety of operations including drilling, construction, seismic and production. These questions are kept at SIEP, The Hague in a 'master' database. Prior to a new implementation, indicator questions most likely to suit the needs of the operation are selected from the 'master' database. Questions can be selected on various criteria and the business unit in which DELTA is to be implemented should provide the following information on the operation: its geographic location (eg equatorial), the type of operation (eg drilling) and its environment (eg onshore, desert). Once the shortlist of questions has been selected they are ready to be customised. Questions are shortlisted as a document file and can therefore be amended on paper or directly by using a wordprocessor. The amended text files can be converted by the Tripod-DELTA software into data files. Ideally, a group of experienced people is used for either generation or customising of indicator questions. In practice, this normally boils down to personnel from the supervisory level. This group normally contains two to three people, who understand the operation well. The use of experienced personnel generation/customising promotes 'ownership' of DELTA. Different people may be involved in different GFT sessions. For example, if GFT Maintenance Management is under scrutiny, a representative from the maintenance department (eg maintenance supervisor) may provide particular expertise. It is strongly recommended that one DELTA focal point is present at all 11 sessions, whether generation or customising. His or her role should be to lead the group and continually ensure the quality of indicator questions. Although care is taken in the selection of indicator questions they will not all be ready to use. It is anticipated that some 25 percent may need to be modified. Modifications can be considered in two areas:
changes to references or terminology to make the question more appropriate to the operational unit
changes to the parameters (eg time, quantities) to adjust the 'Yes-No' thresholds that indicate a desirable or undesirable state.
Modified questions should be validated against the characteristics defined in 2.1.1. Some questions may need to be made more specific to the operation, eg GFT Procedures: Are all procedures manuals indexed at the present time? Could become: Are the Medevac procedures manuals indexed at the present time? Some may require location or equipment terminology to be changed, eg GFT Design: Are there more than two air-conditioning units in the camp at the present time? Could become: Are there more than two air-conditioning units on the platform at the present time? Some questions may require an amended time frame to ensure the answer produces a realistic indicator, eg Has there been a Lost Time Injury on the rig in the last year?
24
EP 95-0320 Revision 0 27 October 1995
2 Implementation Guidelines Could become: Has there been a Lost Time Injury on the rig in the last three months? Although some questions will have to be modified, the majority of changes will be small. Customising previously selected indicator questions is far less time consuming than creating questions from scratch. Experience has shown that two to three supervisors who understand the operational unit well can customise a 1,100 indicator database in under three days (Table 2.1). A team is used to avoid the possibility of personal bias manifesting itself in the formulation of indicator questions. Once indicators have been validated they can be circulated for approval. There is no restriction on who can see the questions. Many previous implementations have benefited from a sample of questions being distributed to the management and workers who could not attend the customising sessions. This instils a feeling of ownership and also counters any notions employees may have of being excluded from the implementation process. Once the indicator questions have been customised and approved they can be imported into the DELTA software by the focal point and profiling can begin. Table 2.1
DELTA Implementation: time schedule
Tasks
Days 1
2
3
4
Training Customising
2.2.3 Generating a database Generating a database from a zero base is an exercise similar to customising, but requires more time and resources. A team of people who are familiar with the operation is given initial training in the principles behind Tripod-DELTA, usually by an external consultant, following which questions are generated for each GFT, using the features as aides-mémoire to ensure that the scope of the subject is covered adequately. Generation of questions by a typical six person team (with one or two external facilitators) takes about one day per GFT. The question generated must then be validated - checked for conformance with quality criteria (see 2.2.1), a task usually done by the external consultants. Although the validated database is then ready to run, it has not been calibrated, and should be at the earliest opportunity (see 2.2.4).
2.2.4 Calibrating a database A database of indicator questions, generated by people who are familiar with the activity and validated for question quality will contain some questions that despite their face validity are not effective indicators. If a question is always going to produce a ‘desirable’ answer or always going to produce an ‘undesirable’ answer it represents a steady state, and therefore it is not an effective indicator for managing improvements in the short term. It may be that the parameters of the question have been incorrectly set, in which case the question can be amended. If not, removing the question from the selection list will improve the sensitivity of the database. Analysis of profiling exercises has discovered that other questions produce unreliable results. They behave differently from the majority, with severe effects on the repeatability of profiles of individual answering units. The reason for such questions behaving differently is possibly because their answers are determined by factors other than those that affect the rest of the questions. Whatever the cause, removing these questions from the selection list improves database effectiveness.
EP 95-0320 Revision 0 27 October 1995
25
HSE Manual EP 95-0320 Tripod-DELTA Identification of both types of question, the 0 per cent or 100 per cent questions and those negatively correlating, can be achieved by ‘calibrating’ a database using the statistical measure known as Chronbach’s . In a calibration exercise the response for each individual question is measured against the overall pattern of responses. The overall pattern termed the 'True State of Affairs' (TSA) is established by answering each question in the database from as many different sources as possible. The more comprehensive the overall pattern can be made, the more meaningful the calibration for each item becomes. In the ideal case there should be more responding units than questions; this is not possible considering the size of the databases. What is necessary is to take the widest spread of potential answering units and have a sufficiently large number of answers. The initial work on calibration used data from three profiling exercises carried out on 14 tankers. The generic database for drilling used input from 12 rigs spread across two neighbouring Opcos. Generic databases are calibrated before finalisation by involving a number of Opcos in a co-ordinated calibration exercise. Recalibration of a customised Opco database is recommended after sufficient profiling exercises have been carried out to be able to establish the overall pattern for that Opco. Initial experience suggests that a minimum of six complete ‘passes’ through the database is required. This can be achieved by accumulation of + 24 ‘normal’ profiling exercises or, as in the case of the generic databases, by an intensive calibration exercise whereby each answering unit completes a number of questionnaires. Further details on calibration of Opco databases can be obtained from SIEP.
26
EP 95-0320 Revision 0 27 October 1995
2 Implementation Guidelines
2.3
Summary: Chapter 2
Not all operational units are suitable for DELTA. Before implementation suitability for use of the tool should be confirmed. To facilitate the implementation of DELTA critical success factors have been identified and should be put in place. Indicator questions are the heart of DELTA. Generating good indicator questions is time consuming so a process called customising has been developed to help the implementation process. Following customising, the database can be used to produce questionnaires, profiles and action item points. If the organisation is ready for DELTA, implementation can be achieved in a matter of days (subject to prerequisites being in place). When sufficient experience has been gained in the use of the database, further calibration can be made to confirm each individual indicator question correlates positively with its respective GFT. Practical Tips for DELTA implementations: Do
Don’t
involve the operational units from the start
exclude personnel just because they are not directly involved in DELTA
keep people informed on DELTA progress ensure training is complete before customising
allow DELTA to be side-tracked
ensure management are completely behind DELTA
commence customising before all parties are happy to proceed
attempt to ensure there are no hidden agendas for implementation.
presume one 'keen' manager is sufficient to complete the implementation implement for the wrong reasons.
EP 95-0320 Revision 0 27 October 1995
27
HSE Manual EP 95-0320 Tripod-DELTA
3
APPLICATION: PROFILING
This chapter is directed primarily at users of Tripod-DELTA. It describes the application of the tool in a profiling exercise and the development of actions for improvement. Tripod-DELTA is a proactive safety tool aimed at identifying and addressing latent failures. It has been specifically designed for companies where remedial information used to improve safety is scarce because of reduced incident frequency. DELTA works as a self diagnostic tool which, once implemented, has been developed to run in companies by line personnel with minimum effort but maximum effectiveness. Tripod-DELTA is not a replacement for other safety initiatives, but works in conjunction with HSE Management Systems (HSE MS) and HSE Cases, supported under the HSE MS guidelines. In this chapter, the following topics are discussed:
the background to Tripod-DELTA and how it can help prevent incidents
using the DELTA tool for analysing the safety health of an operational unit
developing points of improvement.
28
EP 95-0320 Revision 0 27 October 1995
3 Application: Profiling
3.1
Background
3.1.1 Tripod research Shell Group sponsored research into incident causation and human factors, (Tripod research) has resulted in the development of two applications: a retrospective application that addresses the analysis of incidents (BETA ) and a proactive diagnostic tool (DELTA ) that attempts to prevent future incidents from occurring. Research has shown that in the oil and gas industry there is a continual presence of error-producing factors. These factors do not cause incidents but they do indirectly contribute to their occurrence. Factors include time pressure, continual operational changes in a dynamic environment and the fact that over time, known risks are underestimated. Analysis reveals that there is rarely one single cause for an incident. Most incidents are caused by a combination of two types of failure. Those that are made at the sharp end of the organisation (active failures) and others that have their origins in the decision-making part of the company (latent failures). Although incidents are caused by a combination of active and latent failures they are often blamed on human error as it is easier to find fault in an individual rather than with an organisation. Active failures occur at the worksite, eg rig or production floor and most are attributable to human errors, committed by shop floor personnel. Active failures are hard to predict and therefore hard to eradicate. Latent failures are continually present in the organisation and normally remain hidden until an incident occurs and draws attention to them (Example 3.1). By examining a typical incident the difference between the two types of failure becomes clear: Example 3.1 Accident description To meet a production deadline a supervisor assigns a man to help another team of workers loading sacked chemicals. The man has been newly employed, and has not yet received his full HSE induction. Due to the urgency of the work he is given only a brief site induction and is not aware that the chemicals are corrosive. One sack is damaged, and while cleaning up the spillage the worker suffers burns to his hand from coming in contact with the chemicals through a torn working glove. Active failures
damage to the sack containing chemicals
failure of the glove to protect the worker's hand
Latent failures
lack of competence (failure in HSE induction and site induction)
production goals promoting short cut in site induction
3.1.2 Human error Part of being human is to err. Extensive research in the field of human error has revealed what we all know; that human beings have always and will continue to make errors. There are several types of human error: Slip:
An unintended deviation from a correct plan of action, eg knocking over a glass while attempting to pick it up.
Lapse:
Omission/ repetition of a planned action, eg forgetting to wear a hard hat.
EP 95-0320 Revision 0 27 October 1995
29
HSE Manual EP 95-0320 Tripod-DELTA Mistake:
Intended action inappropriate to the circumstances, eg attempting to open the front door with the back door key.
Violation:
Deliberately breaking a rule to achieve a goal; eg exceeding the speed limit.
Human error is often the trigger of an incident and is implicated in four out of five active failures.
3.1.3 Latent failures In the example there is questionable work practice and poor decision-making. The reasons for this may be numerous, eg lack of procedures, pressure from management to meet deadlines, lack of training, etc. Furthermore, over time in a changing world with work practices continually advancing the effects of decisions previously made can be reduced. Yesterday's best decision can become tomorrow’s worst source of error. Organisations continually change existing work practices to accommodate changes over time. Unfortunately some work practices are overlooked. This may be because they are rarely used or noone has had time to change or update them. Such factors then become hidden in the system. Therefore these system failures are called latent failures. Tripod-DELTA distinguishes itself from other safety approaches in that it does not concentrate on preventing active failures. It concedes that humans are bound to make errors and that equipment can fail. Instead it focuses on latent failures that cause incidents. Tripod-DELTA is a system that exposes latent failures and facilitates their removal from an organisation.
3.1.4 The General Failure Types DELTA seeks to identify and remove latent failures without the need for any incidents taking place. It does this by analysing a single defined operational unit (ie a rig, platform, etc) by using a questionnaire. The questions determine how may 'tokens of failure' exist in the unit under scrutiny. These tokens are classified into categories called General Failure Types (GFTs). The GFT with the most tokens is also the one likely to have the most latent failures. By identifying latent failures in the worst GFTs and addressing them DELTA aims to reduce the chance of future incidents occurring. Tripod classifies all latent failures into 11 GFTs listed below: Hardware (HW) Failures due to inadequate quality of materials or construction, non-availability of hardware and failures due to ageing (position in the life cycle). The Hardware GFT is concerned with the question 'Are the right tools, equipment and components for the job always available and operating correctly?' It does not include failures caused by poorly designed items or poor maintenance, but does include the use of incorrect or inappropriate materials, non-availability of hardware and failures due to ageing. Design (DE) Deficiencies in layout or design of facilities, plant, equipment or tools that lead to the misuse or unsafe acts, increasing the chance of particular types of errors and violations. Design faults can contribute to an incident by allowing or even encouraging unsafe acts to be made; making unsafe acts necessary in order to make something operate as intended. Design faults can manifest themselves by poor layout and design of plant equipment or tools. Maintenance Management (MM) Failures in the systems for ensuring technical integrity of facilities, plant, equipment and tools, eg condition surveys, corrosion controls and function testing of safety and emergency equipment.
30
EP 95-0320 Revision 0 27 October 1995
3 Application: Profiling This GFT deals with failures that can be introduced by delayed, missed or poorly planned maintenance activities. Factors such as fitting incorrect components, inadequate training of maintenance engineers or poor maintenance instructions are covered by other GFTs. The scope of this GFT is the management of maintenance rather than the practical execution of the tasks involved. Procedures (PR) Unclear, unavailable, incorrect or otherwise unusable standardised task information that has been established to achieve a desired result. Procedures and work instructions are meant to ensure that staff carry out tasks in a standard, safe and efficient way. The effectiveness of procedures and work instructions may vary greatly. There may be no instructions at all for some tasks, where staff are just expected to 'know' what to do. In other cases the instructions or procedures may be misleading, incorrect or so complicated that no-one ever bothers to read them. Poor procedures can lead to incidents by allowing, or even encouraging, people to take short cuts and/or commit unsafe acts. Error Enforcing Conditions (EC) Factors such as time pressures, changes in work patterns, physical working conditions (hot, cold, noisy etc,) acting on the individual or in the workplace, that promote the performance of unsafe acts. This GFT covers a broad range of conditions affecting the individual or the workplace, which can lead to unsafe acts. It includes the attitudes of workers (low morale, mistrust of management, overconfidence) and their physical condition (tired, affected by alcohol, etc). Also, it considers how staff perform under adverse conditions, perhaps faced with an emergency or unfamiliar situation with either no information to help them cope, or too much information at once. On top of all this, the situation can be aggravated by pressures caused by time shortage and the errors that can arise from confused or distorted information. The 'urgency' in the incident in Example 3.1 that led to insufficient briefing is an example of an error enforcing condition. Housekeeping (HK) Tolerance of deficiencies in conditions of tidiness and cleanliness of facilities and work spaces or in the provision of adequate resources for cleaning and waste removal. This GFT tackles the failure of management to correct housekeeping problems. Management may be aware that a facility is dirty or untidy without fully appreciating the dangers posed. They may have taken steps to improve the problem and failed due to inadequate resources for cleaning and waste removal. Staff may have concealed the problems from them during visits or, worse still, management may have never visited the facility and so remain unaware of the housekeeping failures. Incompatible Goals (IG) Failure to manage conflict; between organisational goals, such as safety and production; between formal rules such as company written procedures and the rules generated informally by a work group; between the demands of individuals' tasks and their personal preoccupations or distractions. This GFT recognises that organisations and people are usually trying to meet several goals at once and that this can lead to dangerous conflicts. For a group running an operation there may be a conflict between the formal safety rules set by the organisation and the local rules which are followed in order to get the job done on time. Without clear guidance on the relative priorities conflicts can arise between safety requirements, completion of deadlines and financial issues. Production pressures in Example 3.1 resulted in a conflict with the need to ensure HSE competence, contributing to the incident.
EP 95-0320 Revision 0 27 October 1995
31
HSE Manual EP 95-0320 Tripod-DELTA Communications (CO) Failure in transmitting information necessary for the safe and effective functioning of the organisation to the appropriate recipients in a clear, unambiguous or intelligible form. This GFT covers the inadequate exchange of information. Effective communication is essential for the safe execution of tasks. Failures can be classified in two types; transmission or reception: Transmission failures (system): the necessary communication channels do not exist or the necessary information is not transmitted. Reception failures (local): the communication channels exist and the information is transmitted, but the message is not understood (eg because of language), misinterpreted by the recipient, or is sent too late to be of use. Even under ideal conditions, people tend to hear what they expect rather than what was actually said. The lack of a proper briefing in Example 3.1 shows poor communications. Organisation (OR) Deficiencies in either the structure of a company or the way it conducts its business that allow safety responsibilities to become ill-defined and warning signs to be overlooked. Organisational failures are deficiencies in the structure of the company or the way it goes about its business. These deficiencies allow safety and other responsibilities to become blurred and problems to remain unrecognised by the 'system' even though sometimes individuals are well aware of them. Poor co-ordination and planning, insufficient feedback on performance and the assumption (without verifying) that all commands issued will be carried out as expected are all factors which allow potential problems to develop. Where the chain of command is very long, even well-planned activities may suffer from an inability to respond quickly to situations. Example 3.1 shows that poor supervision, failures under this GFT, contributed to the incident. Training (TR) Deficiencies in the system for providing the necessary awareness, knowledge or skill to an individual or individuals in the organisation. In this context, training includes on the job coaching by mentors and supervisors as well as formal courses. Awareness is the process of understanding the hazardous conditions present at the worksite. Many incidents can be traced back to inadequate training, for both routine work and for dealing with emergencies. It is the responsibility of management to ensure that the right people get the right training. Problems can arise for many different reasons, and are often not the fault of the employees affected. Training requirements may not be properly understood, the training badly run, or not run at all. Also, the effectiveness of training can be reduced if personnel lack sufficient background education, therefore this GFT should also consider recruitment and selection. Defences (DF) Failures in the systems, facilities and equipment for control or containment of hazards or for the mitigation of the consequences of either human or component failures. The defences we build into equipment and systems form the final barrier between the hazards, actions of personnel and an incident taking place. Defences should be continually evaluated and improved to take account of the changing demands placed upon them. Problems in defences take various forms. Detection and warning systems may give false alarms or fail to work. Recovery equipment may be missing, faulty or badly situated. Protection equipment or containment systems may have been deliberately disabled or not even used, perhaps because they are awkward, cumbersome, take too long to set up or are not understood by personnel. Escape and evacuation plans are rarely put to the test. Serious incidents can take unexpected forms which planners may not have foreseen. Faulty personal protective equipment can escalate the consequences of another failure, as in the example.
32
EP 95-0320 Revision 0 27 October 1995
3 Application: Profiling
3.2
Running DELTA
3.2.1 Profiling : overview Tripod-DELTA works in the following way: an identifiable operational unit is selected. The unit has a good safety record and is running out of data from incidents with which to improve its safety performance. A database of questions is developed for the operational unit. DELTA attempts to measure the amount of latent failures in a GFT by issuing a questionnaire answered by personnel from the operational unit. The answers determine which GFTs have the most signs of latent failure. The results are presented in the form of a DELTA profile. The profile shows the GFTs on the x-axis and 'increasing concern' on the y-axis. The more latent failures related to a GFT are found, the higher the bar. By looking at the profile it is clear which GFTs pose the greatest threat to the operational unit. By generating and implementing points of improvement for the worst GFTs, thereby improving the most problematic areas, the aim is that the chances of incident occurrence diminish. All this is done before an incident has occurred. The details of how to run DELTA are discussed in the remainder of this chapter.
3.2.2 Tripod-DELTA software Following implementation (see Chapter 2) a set of indicator questions will have been developed by line personnel and imported into the DELTA software ready for issuing in the form of a questionnaire. The software is the key to running DELTA efficiently. The program is designed to run on any personal computer. It is simple to use and an individual who is reasonably computer literate (can use an wordprocessor or spreadsheet) should be able to use the software. A comprehensive user manual accompanies the software. The software has multiple functions, described below, that can be performed in a few minutes: Stores the indicator questions in a database Once customised there will be 11 indicator files (one per GFT ). By importing the files from a wordprocessor into DELTA the files become a single database specific to an operational unit. Allows indicators to be modified When the questions are in database form they can be further modified if desired. Text can be altered and characteristics changed, eg the GFT the question belongs to. A search command assists in the location of specific questions. Compiles questionnaires From the software questionnaires can be compiled. The software automatically selects a number of questions from each GFT and randomly assembles them in a questionnaire to ensure personnel answering do not know which GFT a question belongs to. Furthermore, the software labels indicator questions once they have been used to prevent them from being used in the next few questionnaires. Once the questionnaire has been created the software allows it to be issued either on disk or paper. Paper questionnaires are ideal for remote locations accessed by fax. Profiles Once the completed questionnaire is returned the software displays the DELTA profile and allows it to be printed out. If the answers have been returned on paper they can be quickly entered by using a function specifically designed for this.
EP 95-0320 Revision 0 27 October 1995
33
HSE Manual EP 95-0320 Tripod-DELTA Performs statistics The constitution of the database can be analysed to show how many questions are in each GFT, how many questions there are in total and how many questions have either a 'Yes' or 'No' as a desirable answer. Correlations between profiles can be calculated. Export indicator questions Finally, indicator questions can be exported to allow another organisation to use questions for customising or to make a back-up database.
3.2.3 Profiling A profiling exercise carried out on an individual unit comprises four activities: generating the questionnaire answering the questionnaire on site generating a Tripod-DELTA profile for the operating unit generating actions addressing the most critical areas identified in the profile. The exercise can be completed in two days (see Table 3.1). Table 3.1
Profiling exercise: schedule and resource requirements
Day
Phase
Method
People Responsible
1
Generate Questionnaire
DELTA Software
Focal Point
Answer Questionnaire Generate Profile
Either on paper or on disk Disk: A profile is generated automatically
Group of experienced site personnel Answering group
Paper: Answers have to be processed after which the profile can be forwarded to the unit
Focal Point
By using grids or HFA techniques
Group of personnel including management, supervisors and workers
2
Generate Action Items
3.2.4 Generating a questionnaire The Tripod-DELTA Software will automatically generate a questionnaire on disk or a *.txt file that can be used to make a paper copy (see 3.3.1). A DELTA questionnaire normally consists of 275 questions (25 per GFT ). The same questionnaire can be used to profile several operation units at once to assess the safety health of an entire operational activity, eg all platforms are profiled to assess the safety health of the production operation.
3.2.5 Answering questions A questionnaire should be answered by a group of experienced individuals from the worksite who understand the operational unit under scrutiny (eg on a rig the toolpusher, drilling supervisor and maintenance engineer). The presence of the site safety adviser can also be beneficial. The answering group may include personnel who are not senior supervisors; the critical point is that the group should, between them, have or have access to the information necessary to answer the questions. If the questionnaire is issued on disk the people answering will need to use a computer. The computer, however, does not need to have the DELTA software loaded. The disk contains an *.exe file that will run the questionnaire. If no computer is available the questionnaire can be issued on paper.
34
EP 95-0320 Revision 0 27 October 1995
3 Application: Profiling The questions are objective and, in principle, can only be answered with a 'Yes' or 'No'. Since the questions will have been customised for the operational unit very few questions should be answered with 'do not know' or 'not applicable' responses. When answering the questionnaire all efforts should be made to find the correct answer to a question, ie Checking logs or manuals if necessary. The questionnaire should take less than three hours to complete (Table 3.1). Although this may sound a significant period of time, profiling exercises are only carried out every four to six months. Also, the questionnaire does not have to be answered at one sitting. It can be answered gradually over a few days, when operational activities allow. When answering on computer, the questionnaire can be paused at any time. When ready to resume the questionnaire begins at the place it was left. Possible Answers For each indicator question, four possible answers are available to an individual:
'Yes', if you agree with the statement
'No', if you disagree with the statement
'do not know', if you do not know the answer to the question
'not applicable', if the statement is not relevant to you or your operation.
The aim is to answer as many questions with either 'Yes' or 'No'. In other words, try to avoid answering questions with 'do not know' or 'not applicable'. The more questions answered with a 'do not know' or 'not applicable', the less reliable the resulting profile will be. Therefore, if the answer to the question requires specific knowledge which is unavailable in the answering group, other people may be approached to help find the correct answer. Feedback with regard to the quality of the indicator questions can only be obtained from the people who actually answer the questions. If questions are found to be confusing it is important to provide the DELTA focal point with this information. The DELTA focal point can then improve the questions with input from the workforce in order to prevent confusion in the future. Group consensus vs individual answers From the questions, it should be clear whether a group consensus or an answer from a specific individual is required. A few examples follow: 'In the last week, has the drilling supervisor worked more than 16 consecutive hours?' This question requires the drilling supervisor to determine the answer. 'In the last month has anyone not been paid on time?' This question is directed at the answering group. If one member of the group has not been paid in time, the answer should be 'No'. 'At the present time are all cranes operational?' This question is clearly directed at a certain type of equipment, and can easily be checked. 'In the last month has everyone been paid on time?' This question is directed at all members of the answering group. Only if all members have been paid on time is the answer given 'Yes'.
3.2.6 Recording answers DELTA questionnaires can be answered either on paper or on computer. The advantage from answering on computer is that the profile will be displayed on the computer screen as soon as the questionnaire is completed. However, due to logistics and available hardware this may not always be possible.
EP 95-0320 Revision 0 27 October 1995
35
HSE Manual EP 95-0320 Tripod-DELTA Paper When answering a DELTA questionnaire from paper, the questionnaire will be accompanied by a dedicated answering form. This form consists of question numbers followed by four boxes ('yes', 'no', 'do not know' and 'not applicable'). Depending on the answer given to the question, one of four boxes can be ticked. After returning the answers to the DELTA focal point, he or she will import the answers into the DELTA software after which a profile is generated. This profile will then be returned to the operation in question where onsite personnel will be responsible for the generation of action items. Computer When answering a DELTA questionnaire on computer, the questionnaire will be forwarded by the DELTA focal point on a disk. In order to run this disk, insert it into the disk drive (usually the a: drive) and type 'a:DELTA'. After pressing 'enter', the first question will appear on the screen. Four possible responses can be given to each question: 'y' for yes, 'n' for no, '?' for do not know and '-' for not applicable. The answer can be given by typing in any one of these four responses. By confirming the answer given by pressing 'enter', the next question will appear on the screen. After every 11th question, the computer will give the option to either continue (C) or review (R). By pressing 'C' followed by 'enter', the next question will appear on the screen. However, if one wants to check or change some or all of the answers given to the previous 11 questions, press 'R' followed by 'enter'. The last 11 questions will now be repeated. After all questions have been answered, a profile can be displayed by simply following the instructions on the screen. After having generated the profile, the questions can no longer be accessed. The answering process can be interrupted at any time. By simply pressing escape (esc), the questionnaire is closed down. When you wish to continue with the questionnaire, insert the disk into the drive and type 'a:DELTA'. The questionnaire now starts with the question where it was interrupted. The previous answers have been automatically saved.
36
EP 95-0320 Revision 0 27 October 1995
3 Application: Profiling
3.3
Generating Actions
3.3.1 Generating the profile If the questionnaire has been completed on paper, answers have to be returned to the DELTA focal point for entering into the DELTA software. Once a questionnaire has been completed on disk a DELTA profile is automatically displayed. Example profile
Increasing Concern
Figure 3.1
HW
DE
MM
PR
EC
HK
IG
CO
OR
TR
DF
GFT
3.3.2 Profile interpretation and troubleshooting Ideally a profile should have peaks and troughs. However there are three possible problems that may manifest themselves in the shape of the profile. Firstly, a DELTA profile can be 'flat' with no GFTs higher than the rest. The reason for this could be the size of the operational unit profiled or the spread of activities. The greater the size of the unit or spread of activities the greater the chance that good and bad areas equal out. If this occurs, ways to split the operational unit into smaller autonomous areas should be explored. Profiling should then be repeated on the smaller units. Secondly, all the GFTs on a profile can be very high or very low. Although the GFT bars in a good DELTA profile fluctuate, the average bars should appear somewhere in the middle of the graph. The reason for this problem is the relative difficulty in the answerability of questions. If the profile is low then the threshold-used in the questions are too easily reached. If it is high, the threshold is too difficult. To manipulate the sensitivity of questions the dynamics of the question should be altered, eg: 'Have at least two safety meetings been held in the last month?' is more likely to be answered with a desirable answer 'Yes' than: 'Have at least four safety meetings been held in the last month?' Thirdly, the unit could have so many problems that most likely the incident rate is still high and the safety culture immature, ie the unit is a candidate for Tripod-BETA.
EP 95-0320 Revision 0 27 October 1995
37
HSE Manual EP 95-0320 Tripod-DELTA 3.3.3 Generating action items A DELTA profile generated after a questionnaire has been answered shows weak areas (the highest GFTs) and strong areas (the lowest GFTs) of an operational unit. As a general rule, the three most prominent GFTs are selected as targets for action. Actions may be generated locally by a process known as action itemising or further more in-depth study may be directed at specific aspects (see 3.3.6) In the example profile shown in Figure 3.1, Communication, Maintenance and Hardware are the most problematic GFTs (the higher bars). Available resources should concentrate on improving these areas. On the other hand Organisation, Housekeeping and Procedures (the lower bars) are the strongest areas. They require less attention.
3.3.4 Action itemising The process of action itemising is carried out by a team of personnel from the operational unit including some but not necessarily all the people involved in completing the questionnaire. Ideally there should be a cross-section including management, supervisors and workers who are willing to participate in the exercise. Developing action points takes a team approximately three to four hours (Table 3.2). Action points are line-generated, often low budget and can be transferred across operational units (an improvement on one rig can be implemented to the rest of the rigs in the drilling operation). There are no hard or fast rules that determine how to run an action itemising exercise. To all intents and purposes the meeting is a structured brainstorming session where the GFT under scrutiny is analysed to try and identify areas of improvement. One method that has proved successful is developing action item points from specifically developed grids (see 3.3.5). The number of action points is determined by the time needed to implement the improvements. It is recommended that three to four action points are developed for each of the three selected GFTs. At the completion of an exercise approximately ten areas of improvement will have been identified and be ready to be implemented. Experience has shown that implementing ten action points every four to six months is a realistic goal. Table 3.2
Blank grid GFT Features
WHERE/WHY IT GOES WRONG Bureaucracy
Resources
Time
Money
Planning
At All
Accountabili ty
Timing
Feature 1 WHAT Feature 2 GOES Feature 3 WRONG Feature 4
Feature 5
38
EP 95-0320 Revision 0 27 October 1995
3 Application: Profiling The grids sub-divide the GFT into smaller component areas called features (previously created when developing indicator questions). The features are assembled in rows. In the exercise the features are considered to be the parts of the GFT where latent failures can exist ('what' can go wrong).The four columns represent 'where' and 'why' things go wrong. The columns are divided into four categories: Bureaucracy
This determines if the structure of the operational unit or organisation is inhibiting the execution of desired actions.
Resources
This can refer to a shortage either of time or of money.
Planning
Divided into two parts 'At all' refers to situations where plans are not made. 'Timing' refers to situations in which plans and their corresponding actions do not synchronise.
Accountability
Problems with accountability occur when it is unclear who is responsible for executing tasks or if no one is held accountable for performing jobs.
The process starts by discussing the first feature. If the general consensus of the participants is that there is a problem with that feature an attempt should be made to identify 'where' the problems are and 'why' they exist. This is done by analysing the feature against the four column categories bureaucracy, resources, planning and accountability. By discussing the feature against these categories specific problems will be identified. These should be written down. After the first feature has been analysed the exercise should be repeated until all features for the GFT have been discussed.
3.3.5 Action items The rows that have the most writing are the most problematic features. By analysing the problems written down the participants now have to arrive at some action that will address the problem. Good action points have the following characteristics. WHAT action should be taken WHO is responsible for taking the action WHEN the action will be addressed or completed. These characteristics should be used as a structure whenever developing action points. An example of how to fill in a grid and generate three action points of improvement is presented in Table 3.3.
EP 95-0320 Revision 0 27 October 1995
39
HSE Manual EP 95-0320 Tripod-DELTA Table 3.3
Grid and action points
Hardware
Where/Why it Goes Wrong
Features
Bureaucracy
Resources Time
Money
Planning At All
Purchase Quality
Timing Ordering of new tools occurs after breakdown of old ones
WHAT GOES WRONG
Accountability
Vendor Relations
Last request for 'vendor support' got lost
Ordering System
No Logging System
No time taken to chase up this request No Dedicated Person
No Store Keeper
ACTION ITEM POINTS: WHAT
generate a plan for the six-monthly assessment of tool condition
WHEN
by 1/6/95
WHO
store keeper.
WHAT
communicate with vendor to ensure the required support
WHEN
by 1/6/95
WHO
drilling superintendent.
WHAT
to nominate a designated storekeeper on board the rig
WHEN
by 01/05/95
WHO
toolpusher.
3.3.6 Human Factors Analysis techniques Action itemising is used for locally generated improvement plans. For more in-depth analysis in a specific area of a GFT, human factors analysis (HFA) techniques may be helpful. HFA techniques, usually involving a team or task force approach, include:
hierarchical task analysis
link analysis
simulations
human reliability analysis
human error analysis
ergonomic checklists
ergonomic standards
walk/talk through analysis
function allocation analysis
40
EP 95-0320 Revision 0 27 October 1995
3 Application: Profiling
health risk assessment.
Further details can be found in EP 95-0324.
3.3.7 Feedback on results The generic databases held in SIEP need to be kept up to date in order to reflect the ‘true state of affairs’ in Group EP activities. To maintain these databases, regular recalibration is planned, initially on an annual basis, using the *.dat files from Opco profiling exercises. This should not require any significant additional effort on the part of Opcos. Following recalibration, updated generic databases will be issued to all Opcos using Tripod-DELTA.
EP 95-0320 Revision 0 27 October 1995
41
HSE Manual EP 95-0320 Tripod-DELTA
3.4
Summary: Chapter 3
Over recent years safety initiatives have been successful in reducing incident frequency. However, human error is still regarded as a problem. Human error can never be eradicated completely. Research has shown two types of failures are evident in most incidents. Active failures have a direct impact and often occur at shop floor level. Latent failures, however, lie hidden in the system for a long period of time. They often stem from decisions made at a higher level of the organisation. Active failures often have their root cause in latent failures in organisation or equipment. Latent failures can also contribute to an active failure developing into an incident. Tripod-DELTA is a tool that exposes latent failures. It classifies all possible latent failures into 11 GFTs. By analysing an operation using the GFTs DELTA assesses where the most problematic areas of an operation are. By the process of action itemising DELTA then exposes and facilitates the removal of latent failures. Practically, DELTA analyses an operation using a questionnaire. The questionnaire comes from a database previously validated by line personnel and is generated by a computer software package. The questionnaire is specific to the operational unit and has an equal number of questions for each of the 11 GFTs (normally 25). The questionnaire is answered by line personnel and a DELTA profile is generated showing the GFTs against increasing concern. The higher a GFT bar, the more threat it poses to the operation. By concentrating resources on the worst GFTs personnel can direct resources to areas of their operations where they are most needed. The benefits of DELTA are numerous. It looks at safety in a new light, examining the entire organisation for latent failures instead of 'traditional' safety problems. It provides feedback on potential incident causes before any incident has occurred. It identifies the strongest and weakest areas of an operation, therefore allowing prioritisation of resources. As a self diagnostic tool it is run by the line extremely efficiently and is flexible so can avoid peak work periods. It delivers steady improvement by providing a manageable number of action items for implementation. Finally, DELTA provides a method of learning and improving that does not rely on having suffered human, material or environmental loss. The quality and effectiveness of a business is an excellent indication of its safety record. The better run the business, the lower its incident frequency. DELTA is a tool that helps business become better by exposing potential shortcomings and remedying them before incident occurrence.
42
EP 95-0320 Revision 0 27 October 1995
Appendix I Tripod Background
APPENDIX I TRIPOD BACKGROUND The Tripod Theory originated from research by the Rijks Universiteit Leiden and the Victoria University, Manchester into the contribution of human behavioural factors in accidents. The research was commissioned in SIEP and has been supported by EP, MF, CMF and SIS. Currently, two applications have been developed based on the research: Tripod-DELTA, a diagnostic tool for accident prevention and Tripod-BETA, a PC-based tool for analysis during accident investigation. The essential concept of the Tripod Theory and its applications were documented in Report EP 882300 and its subsequent update, EP 93-2800. This manual and EP 95-0321 replace the Tripod Manual suite EP 93-2800. This appendix encapsulates the essential elements of the Tripod Theory as a base-line reference for EP 95-0320 Tripod-DELTA and EP 95-0321 Tripod-BETA.
I.1
Tripod Accident Causation Theory
Tripod is an approach to hazard management aimed at the underlying causes of accidents. It takes its name from the three key aspects of accident causation and is represented as a three-footed diagram (Figure I.1). It is best introduced by taking each foot in turn. Figure I.1
The Tripod framework
Latent Failures
HAZARDS Accidents
Unsafe Acts Specific Situations
Controls/Defences Failure to properly secure a ladder, overtaking into a dust cloud on a desert road, misjudging the clearance for a machete stroke - these and countless other unsafe acts are the immediate causes of accidents, whether fatal or not. The unsafe act in a hazardous situation is the first foot of the diagram. Active failures (including unsafe acts) occur at the sharp end of the organisation. They can have an immediate adverse effect. EP 95-0320 Revision 0 27 October 1995
43
HSE Manual EP 95-0320 Tripod-DELTA Whilst there may be very large numbers of unsafe acts, only a relatively small number of them will result in lost time injury or significant damage or loss. An even smaller number will end in fatalities, substantial material loss or serious damage to the environment. This sequence, from unsafe acts through breached defences to accidents constitutes the second foot of Tripod. The core of the Tripod hazard management concept is that accidents have their primary origins in latent rather than active human failures. Latent failures, the third foot of the Tripod framework, stem from decisions or actions taken by other more remote parts of the organisation. The may lie dormant for a long time, their accident-producing consequences only becoming evident when they combine with local triggering factors (active failures, technical faults, environmental conditions, atypical system states, etc) to breach the system's defences. The defining characteristic of latent failures is that they were present within the organisation well before the onset of a recognisable accident sequence. In some cases, their history may stretch back several years.
I.2
Accident Causation Sequence
The line of causality connecting from errors to latent failures and the main intervening factors are illustrated in Figure I.2. Figure I.2
Accident causation sequence
Top level decision makers
Line managers designers, planners, etc.
Fallible decisions Latent failures
Line management
Pre-conditions
Causal sequence
Human involvement
Operators maintainers truck drivers etc.
Active failures (incl. Unsafe acts) Controls & System defences
Local triggers Technical Faults Atypical conditions Environmental conditions etc.
ACCIDENT Limited windows of Accident opportunity
Top level decision makers and fallible decisions
44
EP 95-0320 Revision 0 27 October 1995
Appendix I Tripod Background The people responsible for initiating, designing, constructing and resourcing of a particular company, facility or activity are the strategic apex of the system. Because their decisions have a wide-ranging impact, they are the principal organisational sources of latent failures. Their decisions measured against risk management objectives as defined in the Opco HSE MS may have unfortunate consequences, often years later, which may or may not have been foreseen at the time. Their attitudes also determine the overall hazard management culture. Line management and latent failures The decisions of top management are translated into specific forms and disseminated throughout the organisation along departmental pathways (technical, production, training, maintenance, hazard management, etc). It is here that fallible decisions impose the constraints (eg lack of time or financial resources) that can lead to the seeding of latent failures, as in design, poor procedures or inadequate training. These latent failures need to be seen in conjunction with, or as causing, preconditions that lead people to commit unsafe acts. Line management and preconditions Preconditions are the psychological and situational (eg technical) precursors of unsafe acts. They comprise such things as poor motivation, inadequate perception of hazards, high work load, ignorance of the system, poor tasking, distracters, dangerous working conditions. They are the ingredients from which individual unsafe acts are made. Operators, maintenance crews and local triggers Local triggers are the inherently unpredictable events which interact with unsafe acts to circumvent the system defences. Triggering events may be due to a wide variety of causes (atypical conditions, technical faults, environmental conditions), but are usually outside the control of those directly involved. Controls and System Defences The hazard control and recovery measures put in place based on HEMP and objectives set out in HSE Cases for critical facilities and activities.
I.3
General Failure Types
Based upon Shell accident investigation studies across different company departments and Opcos, Tripod research has classified latent failures into 11 General Failure Types (GFTs), which provide a comprehensive hazard management picture that is valid across the diversity of Shell's activities: Hardware
Error-enforcing Conditions
Organisation
Design
Housekeeping
Training
Maintenance Management
Incompatible Goals
Defences
Procedures
Communication
Some of these GFTs reach back over the development history of the organisation (eg incompatible goals and organisational failures); others assess the current quality of its specific functions (eg design, maintenance, procedures, etc).
EP 95-0320 Revision 0 27 October 1995
45
HSE Manual EP 95-0320 Tripod-DELTA I.4
GFT Definitions
Hardware (HW) Failures due to inadequate quality of materials or construction, non-availability of hardware and failures due to ageing (position in the life cycle).The GFT does not include:
error-generating mechanisms due to poorly designed equipment:
Design GFT
hardware failures caused by inadequate maintenance:
Maintenance Management GFT
Design (DE) Deficiencies in layout or design of facilities, plant, equipment or tools that lead to misuse or unsafe acts, increasing the chance of particular types of errors and violations. Maintenance Management (MM) Failures in the systems for ensuring technical integrity of facilities, plant, equipment and tools, eg condition surveys, corrosion controls and function testing of safety and emergency equipment. Issues relevant to the execution aspects of maintenance are considered in the GFTs: Error-enforcing Conditions; Procedures; Design; Hardware; Communication. Procedures (PR) Unclear, unavailable, incorrect or otherwise unusable standardised task information that has been established to achieve a desired result. Error-enforcing conditions (EC) Factors such as time pressures, changes in work patterns, physical working conditions (heat, cold, noise, shift patterns, etc), acting on the individual or in the workplace, that promote the performance of unsafe acts - errors (unintended deviations) or violations (intended deviations). Housekeeping (HK) Tolerance of deficiencies in conditions of tidiness and cleanliness of facilities and work spaces or in the provision of adequate resources for cleaning and waste removal. Incompatible goals (IG) Failure to manage conflict; between organisational goals, such as safety and production; between formal rules such as company written procedures and the rules generated informally by a work group; between the demands of individuals, tasks and their personal preoccupation or distractions. Communication (CO) Failure in transmitting information that is necessary for the safe and effective functioning of the organisation to the appropriate recipients in a clear, unambiguous or intelligible form. Transmission failures (system) means the necessary communication channels do not exist or the necessary information is not transmitted. Reception failures (local) means the communication channels exist and the information is transmitted, but the message is not understood (eg because of language), is misinterpreted by the recipient, or is sent too late to be of use. Organisation (OR) Deficiencies in either the structure of a company or the way it conducts its business that allow safety responsibilities to become ill-defined and warning signs to be overlooked. Training (TR) Deficiencies in the system for providing the necessary awareness, knowledge or skill to an individual or individuals in the organisation. In this context, training includes on-the-job coaching by mentors and supervisors as well as formal courses. Awareness means the process of understanding the hazardous conditions present at the worksite.
46
EP 95-0320 Revision 0 27 October 1995
Appendix I Tripod Background Defences (DF) Failures in the systems, facilities and equipment for control or containment of hazards or for the mitigation of the consequences of either human or component failures. These comprise: Detection/Alarm: to provide clear warning of both the presence and nature of a potentially dangerous condition. Control and Interim Recovery: to restore the system to a safe state with minimal injury or damage. Protection/containment: to limit the adverse consequences of any unplanned release of mass, energy or dangerous substances. Escape: to evacuate all potential victims from the endangered location as speedily as possible.
I.5
Failure State Profiles
Tripod research has demonstrated that assessments of the degree to which these GFTs are present in an activity or facility provide an accurate picture of its overall 'health'. These assessments may be quantified in several ways. The relative presence or absence of each of the 11 GFTs may be represented by the height of a bar in a histogram format (see Figure I.3). This histogram is called a Failure State Profile (FSP). Failure State Profile
Increasing concern
Figure I.3
HW
DE
MM
PR
EC
HK
IG
CO
OR
TR
DF
The two main applications of Failure State Profiling, proactively in the Tripod-DELTA technique and retrospectively in Incident Analysis, Tripod-BETA, are described briefly below.
I.6
The Tripod-DELTA Diagnostic Tool
Much of the evidence proving that there are problems in an organisation is scattered about, or has become invisible and accepted as part of the conditions under which people work. The TripodDELTA diagnostic procedure samples the hazard management health of an organisational unit by answering a list of indicator questions which indicate whether a particular GFT is present in the operation or organisation. The lists of questions are selected randomly from a pre-established database of indicator questions relevant to the operation being examined. The responses to the questions indicate a 'desirable' or 'undesirable' condition relating to the GFT. The FSP shows the relative state of each GFT. Tripod-DELTA is an exercise that takes place outside the environment of accident investigation and is thus a proactive rather than a retrospective hazard management tool.
EP 95-0320 Revision 0 27 October 1995
47
HSE Manual EP 95-0320 Tripod-DELTA I.7
Tripod-BETA: Analysis During Incident Investigation
Accidents and incidents, can be analysed in terms of the causal sequence depicted in Figure I.2. The latent failures identified in the investigation can be assigned to GFT categories. Failure State Profiles obtained retrospectively by combining the profiles from a number of incident analyses have been seen to correspond closely to those obtained proactively.
I.8
Interpreting and Using FSPs
Examination of the FSP for a given activity by the activity manager can generate the following results: 1. Determine the organisation's performance in the individual GFTs and establish in which order of priority the GFTs should be tackled for improvement. 2. Compare profiles of the same activity taken from previous assessments to determine if improvements have been made. 3. Compare profiles for one site, or activity against another similar site or activity. In the case of the lower-order GFTs, it is often possible to spell out precise corrective actions within the operational unit, particularly where the problems arise from failures to appreciate human strengths and weaknesses. In the case of the higher-order GFTs, such clear-cut prescriptions are neither possible nor desirable. The aim here is to make clear the adverse hazard management effects associated with these more strategic decisions, normally requiring management involvement. The importance of management action against GFTs is that it demonstrates corporate motivation to improve hazard management performance and shows that hazard management and production goals are compatible - both involve doing the job well.
I.9
The Benefits of Tripod
The main benefits Tripod can offer are
a principled way of understanding how accidents happen Tripod explains the real reasons why accidents happen, how an organisation's resistance to accidents can be enhanced and what to do to improve resistance.
early feedback on potential accident causes The completion of FSPs provides feedback about hazard management effectiveness of an organisational unit at a much earlier stage in the accident causation sequence.
managing and controlling latent failures This is the principal feature of the Tripod approach. Only by monitoring and influencing the GFTs can an organisation hope to maintain a high degree of hazard management. These are the controllable factors contributing to incidents. Hazard management means increasing resistance to ever-present hazards and inevitable unsafe acts and conditions. Imposed understanding of the GFTs and the fallible decisions by managers and others that lead to latent errors will enable improved decisions and fewer latent errors to be introduced into the system. Only the GFTs - the vital signs - will reveal the true state of organisational hazard management health, an especially important requirement as accidents become rarer events.
48
EP 95-0320 Revision 0 27 October 1995
Appendix I Tripod Background This page intentionally left blank
EP 95-0320 Revision 0 27 October 1995
49
HSE Manual EP 95-0320 Tripod-DELTA
GLOSSARY A glossary of commonly used terms in HSE is given in both EP 95-0100 HSE Management Systems and EP 95-0300 Overview Hazards and Effects Management Process
50
EP 95-0320 Revision 0 27 October 1995