Soe&tvof PetroleumEnaineers

SPE 35971

Tripod-BETA: Incident investigation and analysis

J.A. Doran and G.C. van der Graaf, SPE, Shell International Exploration and Production B.V.

Copfight 1S9$, .Sccii c4 Petroleum Engmesrs, Inc
7him wpar was pmparsd for prewntat!on at the Internatmnsl Conference on Health safety &
Endronmant hold in NW Ofleans, Loukiana, 9.12 June 1006
This pawr was sah%tsd fof pmsentatmn by an SPE Program Cammmee follcwng rwmw of
infommticm contained in WI abstmct subrmttsd by the author(a) Contents of the papsf, as
prawntsd havs not bwn raWwsd by the Soaety of Pofroleum EnoIosws and are suqacted
to wmwfior by the author(a) The materml, w prwsntsd, dws not necsssaril y Idled any
PUSitioocdthe Sociely of Pstroleum Engineers, ts flicef$, or members Papsrs presentsd at
SPE mwtings are sutjsct to publiitmn m..ww by Edtirial Commdtew of the Wiety
Psboleum Enginaam Psrmiuion to copy is rwtncted to an abstract of not more than 3W
of
words Illustmfiom may J@ t9 copied The ●bstract should contain conspmwus
acknovdadgement c1 Mare ●nd by vhcsn the pawr was pfesanted Wrke L!brarmn, SPE, P
0 SW n= R+chards.m TX 7S033-3.930, U S A Fax 01.214-952.9435
Shell wmpsniw hava their own sepamts Identities In this papsr the collectwe expressmms
‘Shel~ and ‘Group’ and ‘Royal OtitcMShall Group d Companms’ may M used for corwsmence
where rsterence IS made to ths wmpanfies d the Royal DutchlShell Group m general Those
expfsssions are ●lso ussd vdwre no usahd purpose IS sewed by !dentlfymg the particular
mxnpany w cmnpanmm
Abstract
Tripod-BETA is a methodology for conducting an
incident analysis in parallel with the investigation, supported
by a PC based tool. Interaction between these two processes
provides the investigators with confirmation of the relevance
of their fact gathering and highlights avenues of investigation
leading to latent failures. The benefit to the analysis process is
that logical anomalies can be highlighted and resolved while
the investigation is still active.
Tripod-BETA focuses initially on the accident mechanism -
the physical process of the accident - and uses it as a structure
to identify the controls and defences that should have been in
place. For the incident to happen these controls and defences
either were missing or failed. The investigation then
examines the immediate and latent failures behind each
missing or failed defence. following the Tripod theory of
accident causation,
Tripod-BETA software provides the means to collect and
assemble investigation facts and manipulate them on screen
into a graphic representation of the evem and its causes - an
incident tree. The logic of the tree swtrcturc (Iabclling and
connections) can be tested to ensure that it conforms to the
concepts of the Hazard and Effkcts Management Prwess
(HEMP) and the Tripod theo~. When anomalies and
omissions have been resolved, a dratl accident report can Lx
auto-generated for final editing using a word processing
package.
Introduction
Incident investigation is an important source of feedback
on the effectiveness of HSE management systems. It can
provide managers with evidence of system failures, their
actual consequences and, more importantly, the potential
consequences, so that remedial actions can be prioritised in
relation to business risk.
A comprehensive investigation will identi~ the active
failures: immediate causation factors that are otlen the result
of human error. Also the underlying or latent failures that
indicate system defects will be identified. Although the
remedies for latent failures often take time to implement they
have wider implications in terms of incident prevention.
In a Company culture where HSE management is clearly a
line responsibility, the lead in incident investigation will
naturally be taken by the line, and the ‘customer’ for the
investigation findings and recommendation is line
management. Investigation using entirely internal resources
can have drawbacks such as lack of independence and the
relatively amateur status of line statT as investigators. A line
supervisor may only be involved in a complex incident
investigation a few times in his working life. Tripod-BETA
was developed to provide a structure for investigation that
will enable investigators to apply their technical know-how
and knowledge of HSE management systems to best effect,
Background
Tripod is an approach to safety aimed at the underlying
problems that lead to incidents. The Tripod theory, and the
applications that have been developed from it, are the result

645
of research by the Universities of Lciden and Manchester,
sponsored by Shell. Incidents are seen as multi-causal events,
having immediate causes many of which are of human origin
and underlying causes that are system failures, generally
hidden, or known and tolerated. and otlen long lasting,
(Figure 1)
The Tripod Theory and its pro-active application to measure
failure states in eleven General Failure Types (GFTs) was
initiatly presented at the 1991 SPE conference on HSE 1,2,
and a follow up paper on the pro-active application, Tripod-
DELTA was presented at the 1994 conference’. The Tripod
l%eay in combination with the elements of HSE
management systems, especially the hazards and effects
management process has led to the development of Tripod-
BETA.
HSE-Management Systems
The mechanism of an HSE Management system can be
described as a hierarchy of tasks, with a plan - do - check -
feedback loop at each level. In the absence of check and
feedback the activity can drift outside its dctined bounds,
either through internal changes or changes in the external
environment, and become an ineffective element of
management. Audit and inspection, performance reporting
and incident investigation are all valid feedback mechanisms,
each having its place in HSE management.
Audits and inspections provide feedback on non-conformance
and system failure, and pro-active operational ‘health checks’
can identi~ areas of weakness. Incident investigations,
however, provide evidence of failure together with a measure
of the actual consequence and a possible indication of more
serious consequences. This ‘smoking gun’ evidence provides
compelling support to the recommendations for remedial
action. Because a direct cause-effect relationship is described,
incident findings are oilen easier to understand, and
recommendations more difficult to ignore than, for example,
those of audits. Incidents therefore present valuable
opportunities for improvement.
Operational incidents imply failure to manage hazards of a
business. Involvement of senior management in incident
investigation is an opportunity to demonstrate their
commitment to HSE and to send a strong signal that hazard
management is a fundamental part of the business. This
involvement, to be credible, must include resourcing remedial
actions and follow up. In this way, it is an effective
implementation of the E&P Forum statement on commitment:
The foundation of an HSE A{S is leadership and
commitment from the top management OJ the company, and
its readiness to provide adequate resources for FISE matters.
Particular attention is drawn to the importance 0$ senior
management providing a visible expression of commitment.
The E&P Forum4
646
Investigations should not be limited to incidents resulting in
harm or damage. Elimination of incidents with the potential
for injury or damage should be a matter of HSE Policy, and
incidents should be investigated at an appropriate level to
develop remedial measures in pursuit of this objective. HSE
management measures undoubtedly have the potential to
reduce the frequency and consequence of incidents, but it
would be naive to assume that all mistakes can be eliminated.
Mistakes are part of the human condition and a ‘safe’
operation will need to be mistake-tolerant. The broad
objective of an incident investigation is to learn lessons from
the incident - to feed back the causes of failure so that they
can be properly addressed. In an operation where HSE
management has been successful at reducing injury and
damage frequency and severity to an extremely low level,
near misses will continue to provide a valid source of
feedback on system failures. Near misses provide an equal
opportunity for improving. However, investigating all near
misses could result in an overload of information and loss of
effectiveness when no differentiation is made between serious
incidents and near misses.
It is therefore necessmy to assess the risk of foreseeable
events, by determining the probability of different scenarios
Occurnng to cause the ‘hazardous event’ and the consequences
arising. It is possible to represent the risk graphically using a
Risk Assessment Matrix (Figure 2),
The matrix is used to estimate the highest credible potential
outcome of an incident, the true measure of its ‘seriousness’.
A given incident - release or exposure of a hazard, can have a
number of potential outcomes ranging from a ‘near miss’ to
catastrophic damage or fatalities. If an incident is examined
in the light of its highest credible potential, lessons can be
learned from near misses that will help avoid repeats with
more serious consequences.
Another benefit of looking at the highest credible potential at
the beginning of an investigation is that appropriate resources
can be deployed. Identification of system failures is a primary
objective of an investigation. A low level team investigating
an incident is unlikely to have insight into systems outside the
team’s immediate experience, and in a high potential incident
is unlikely to achieve the right scope or depth of
investigation. A high level team investigating a low potential
incident may be seen as wasting time and effort, diminishing
the credibility of the investigation policy.
Tripod based tools
Two applications have been developed using the Tripod
research insights, Tripod-DELTA and Tripod-BETA.
Tripod-DELTA is a proactive ‘diagnostic’ tool that works on
the premise that there is usually some detectable evidence of
latent failures in an organisation or operation. The evidence
takes the form of minor deviations from the desired state,
perhaps individually tolerable but, when aggregated, indicate
that serious latent failure may exist. These ‘tokens of failure’
can be identified by a questionnaire-based tool that uses a
database of predetermined indicators.
The indicator questions for Tripod-DELTA refer to individual
General Failure Types (GITs), classifications that provide
some indication of the area where the problem (and its
solution) lies, e.g Communications, Procedures, Maintenance
Management. A diagnostic exercise, uses a questionnaire that
has an equal numtxx of questions per GIT, The ‘undesirable
state’ answers are presented in the form of a ‘GFT profile{ -
the taller the profile bar of a GFT, [he more concern should
be in that area of latent failure.
The GFf profile is not a precise identifier, but the evidence of
a number of failure tokens is used as a rationale to develop
remedial actions in that particular area. This methodology is
particularly useful in an activity where there is a low rate of
incident occurrence and other feedback is required in order to
focus HSE management efforts. A profiling exercise can be
held at any time, and thus scheduled to avoid conflict with
other priorities.
Tripod-BETA is a retrospective application. The incident is
the initiating event, usually giving little choice in the timing
of the exercise, but providing more tangible evidence of active
and latent failure. Avoiding all incidents is a laudable target,
but if incidents do happen, an organisation should be
prepared to extract the maximum lessons from them so as to
avoid recurrence of the same scenario or other scenarios with
the same underlying clauses.
One of the deliverables of an investigation is identification of
the latent failures. Tripod-BETA has the facility to assign
GFT categories to latent failures, providing a cross-reference
to diagnostic information.
Incident analysis is a retrospective application in the context
of the incident being investigated. but application of incident
recommendations outside the domain of a particular accident
is pro-active HSE management, Latenl failures will by their
nature usually impact on a broad t’ron[: addressing them
should bring wider benefit. Also, actions addressing active
failure may have lateral applications in other operations,
gaining the benctit without having gone through the
experience of the incident.
HEMP (identify, assess, control, recover)
The Hazards and Effects Management Process (HEMP) was
originally developed to provide a structured approach to the
analysis of HSE hazards throughout the life cycle of an
installation. The process is applicable to all business
processes in the life cycle of an operation from inception to
abandonment. Arrangements identiticd as necessary to
manage assessed threats and potential consequences and
effects are incorporated in the design phase and into the
procedures and practices of the operation,
647
The principles of ‘identi@’,‘assess’,‘control’and ‘recover*are
the basis of HEMP:
● Identi$ hazards and potential effects
● ASSCSS risks
● Define control and defence measures
● Establish recovery measures in the event of control
failures
An incident is a manifestation of failures of some kind in the
HSE management system, therefore an investigation into
these failures should make some reference to the system itself.
Tripod-BETA provides a structure underpinned by the HEMP
model, so that the incident is investigated and analysed in the
context of a hazard management failure,
A common way of understanding the possible threats or
causes that could lead to the unplanned release of a hazard is
to present them diagrammatically using a fault tree. In a
similar way after the release of a hazard an event tree may be
used to determine and display the potential outcomes or
consequences.
Fault Tree Analysis is used to show the sequence of possible
threats or causes that could lead to the release of a hazard.
The fault tree leads to a single point where the undesired
event has taken place or where the hazard has been released,
termed the Top Event. The Event Tree is made up of nodes
which correspond to the different stages in an escalating
incident sequence from the Top Event.
An incident is characterised by a sequence of causes leading
to an event and the subsequent sequence leading to the
consequence, It can be thought of as a section through the
fault tree and event tree defined as a sequence of events and
conditions having a probability of 1.0 - they have occurred.
This is the core of the Tripod-BETA structure - the incident
mechanism. (Figure 3)
From HEMP to incident analysis tool
The Tripod-BETA incident model has an incident ‘event’
as its core. The event is considered to be the point at which
the hazard becomes ‘active’ - it is released or exposed, and
harms or threatens to harm a ‘target’.
In an industrial context, the Hazard - Event - Target model is
too simple. Hazard management is about recognizing and
assessing hazards and establishing appropriate controls as
well as containment or protection measures should those
controls fail. The basic model of the accident should also
show the controls on the ‘hazard trajectory’ that must have
failed if the event occurred, and the defences that must have
failed if a Target was harmed. In HEMP terms, these were set
up in order to prevent the release of the hazard or, in the
event of the hazird being released, to mitigate its effects. For
the purpcxs of accident investigation the hazard controls and
victim/target dcfenccs can be considered together. Each in its
way serves to keep a hazard separated from its potential
victims or targets.
The Tripod theory identifies active failures as the ‘trigger
events’ of the incident. The real trigger event of the incident
is, of course, the last control or dcfence to fail, but the
concern of the investigation is to identi~ also the other
controls and defences that had been rendered ineffective
beforehand. Aprerequisite of any dcfcnce-in-depth system is
the combination of defence failures all situated on the hazard
trajectory (Pigure 4)
This is the first part of an accident ‘model’,a representation of
WHAT happens inan incident. A hazard has been released
(or exposed) due to failure in control and somebody or
something has been or could have been damaged due to
failure inmitigation orprotcction. In broad terms, it usually
describes circumstances at the site of the incident.
Knowing what happened is only part of the investigation. To
make recommendations to avoid the incident recurring, it is
necessary to find out WHY the various failures occurred,
tracing backward to identi~ the underlying or latent failures.
Active and latent failures.
The Tripod theory emphasises that aclive failures, e.g.
people’s errors (unsafe acts), do not occur in isolation but are
influenced by external factors - organisational or
environmental preconditions. Many of these factors
themselves originate from failures e]scwhcre in (he business -
latent failures - often in decisions or actions taken by
planners, designers or managers rcmolc in time and location
from the front line of operations, This generates an
investigation lead for each active failure to one or more latent
failures (Figure 5).
Preconditions and GFTs. The Tripod-BETA ‘cause and
effect tree’ and its elements (Figure 6) is the combination of
the WHAT and the WHY models.
The model is a simplification. designed to give an
investigation team a mental picture that helps them recognise
relevant facts and likely sequences of events. Accidents are
rarely so simple and Tripod-BETA allows for a large number
of variations on this central theme. For example. there can be
more than one hazard involved, or a barrier mny have been
inadequate from the time it was established - in which case it
would be meaningless to identify more than a Latent Failure
cause.
The use of Tripod-BETA
The first stage of an incident investigation using Tripod-
BETA would be very similar to the way in which most
investigations take place. A typical investigation approach
was presented at the 1994 SPE Conference on HSES. The
selection of the team would be made based on the potential of
the incident as initially reported. with the possibility of
reviewing the team composition if the potential is revised.
648
The initial task of the investigation is to establish the incident
mechanism, the hazard(s), event(s) and target(s). This is a
logical approach - find out what happened - and the
effectiveness of subsequent investigating activity can be
strongly irdluenced by the quality of this part of the exercise.
This may seem extremely obvious, but without a systematic
review of all the controls and defences on the hazard
trajectory, the scope of the next phase of the investigation will
be inhibited.
In the next phase of the investigation, the causes behind each
control and defence failure are examined. The Tripod theory
of accident causation postulates that the active failures caused
by people errors (unsafe acts) are likely to have been
influenced by organisational or environmental preconditions.
Each failed control or defence represents a unique
investigation lead, although it is possible that there will be
some common preconditions or latent failures. The Tripod
causation model, whilst acknowledging that human error
often features as a trigger to incidents, indicates that
organisational deficiencies may have contributed to these
errors or magnified that consequences. This avoids the
implication of blame that is characteristic of investigations
that limit their scope to the worksite.
The construction of a BETA Tree does not require any
specialised or sophisticated equipment. A BETA-Tree can be
drawn on a whiteboard, or ‘post-it’ stickers used. What is
required is a good understanding of the structure of a BETA
tree, so that accident facts can be correctly classified and
phrased in a concise manner. Many narrative accident reports
obscure the essential facts in a wealth of descriptive narrative.
Building a Tripod-BETA tree promotes the identification of
essential points only, so that the logic of the cause and effect
connections is more transparent. A typical Tripod-BETA tree
resulting from an investigation is shown in Figure 7.
Computerisation & benefits
Development of a structure for investigation and analysis has
lent itself to a PC application, In addition to providing the
facility to create and manipulate tree elements graphically,
the logic of the connections can be validated, Additional
descriptive narrative can be attached to each tree element
entry, and a forcing function prompts completion of entries.
Interim report drafts and tree diagrams can be printed for
team discussion. The data can be printed into a drafl report
that highlights all salient points, and includes a copy of the
final tree. The report can be farther edited using a word-
processing package.
Report generation. The draft report centres on the tree
elements, and even if further narrative is attached, the
elements highlight the relevant issues,
Many operating units have outline specifications for incident
report subjects, but free-form narrative reports have the
tendency to reflect different reporting styles and sometimes
different Icrminology, Tripod-BETA presents the information
in a standard layout, with cons.is[ent wcc clement
terminology. This makes comparison of different incidents a
simpler matter.
The objective of an investigation report is 10 demonstrate to
the ‘customer’ - the Company marurgcmcnt, that the
investigation has been thorough, that a good understanding
has been reached of the circumstances leading up to the
incident and its consequences. and (hat recommendations for
remedial action are pertinent and likely to be cffcctivc, Unless
the investigation team member arc good report writers, this
phase of an investigation can prove to be onc of the most
difficult. A draft report with a standard content and layout is
probably adequate for internal circulation. although a report
destined for extcmal issue could require more explanatory
narrative,
Structuring, Although irwcstigation trees have been a
recommended methodology in Shell Operating Units for a
number of years. the cause-effect connection bc(~vccnvarious
tree elements has not been emphasised. with a result that
some trees add little to an understanding of the incident.
Providing a structure for the investigation brings the analysis
process forward, enabling the investigation to concentrate on
leads to the Ia(cnt failures rclclant to the incident,
The software forces complctcncss of action recommendations
by flagging tree clcmcnts that have not been vcriticd or
contain incomplete information. c,g, every idcntiticd active
failure must have a remedial recommendation attached,
The advantage of a Wuclurcd investigation is that the
presentation of the outcome dcrnonstratcs Ihc imcstigation
process.
Efficiency. The methodology has been developed with the
concept that an investigation tcmn will only require one
Tripod-BETA analyst, who \vill interact t~ith the other
members of the team during the investigation process in a
two-way communication. The analyst will need 10bc familiar
with the concepts and terminology of the rncthod, and will
convert the raw data of ‘accident facts’ into the structure of the
BETA tree, feeding back to the rest of the team to ensure a
common understanding of the incident mcclmnism and the
investigation lead paths, Only a limi[cd rrumbcr of such
resources need to be trained as analysts, who will probably be
located in the HSE advice and services group,
Future developments
Field experience. Tripod-BETA has been dcvciopcd widl
participation by operating companies. The field trials of
Tripod-BETA have demonstrated the utility of the tool and
produced a number of intcrcsling suggestions for
enhancement, but it is preferable d~at the basic model is given
a broader airing in ticld conditions follot~cd by a formal
review later on this year,
649
Availability. Tripod-BETA has been developedprimarily for
the benefit of Shell operating units, and as such the initial
documentation and software is being issued under Group
copyright. It can be expected that members of the contracting
community will come into contact with the methodology in
the context of Shell contracts. Ways are being examined in
which interested third parties can obtain the benefit, in line
with Group policy on making HSE know-how available to the
wider community.
Ongoing research. Tripod research in the contribution of
human actions to incidents is still in progress. Further
research on incident analysis will possibly result in direct
enhancements to Tripod-BETA. Other research has the
objective of providing practical tools for measuring key
factors influencing human behaviour and tools for modifying
adverse factors once identified. Identification and
measurement of these factors would certainly be pertinent to
incident investigation. Interfaces with the current tools will be
made as appropriate.
Conclusions
Incident investigation and analysis remains an important
element in the feedback process and identification of latent
failures provides the means to apply the lessons from
incidents proactively, The tindings of an indepth
investigation and analysis have a high “face validity”
compared to other feedback sources, as they provide concrete
evidence of cause and effect, linked with potential for injury,
damage or loss.
Supporting incident investigation gives management the
opportunity to demonstrate commitment to HSE performance.
By following incident leads to latent failures, an investigation
avoids misapportioning blame at the worksite level.
Tripod-BETA tool provides a structure for incident
investigation and analysis that helps to achieve the above
objectives efficiently and consistently.
References
] Hudson, P.T, W,, et al, Applicationof TRIPODto measurelatent
errors in North Sea gas platforms: validity of Failure State
Profiles, paper SPE 23293 presented at the SPE First
International Conference on Health, Safety and Environment, The
Hague Nov. 1991
2 Hudson, P.T. W,, Enhancing safety in Drilling: implementing
TRIPOD in a desert drilling operation, paper SPE 23248,
presented at the SPE First International Conference on Health,
Safety and Environment, The Hague Nov. 1991
3 Hudson, P. T.W., et al, Diagnosis and target setting in Drilling and
Engineering operations using Tripod-DELTA, paper SPE 27294
presented at the SPE Second International Conference on Health,
Safety and Environment, Jakarta, Jan. 1994
4 E&P Forum: Guidelines for the dmwloprncnt and application of
health, safety and environmental management systems, report no
6,36/210, July 1994

5 Waterfall K. W., et al, Incident investigateion and analysis for

exploration and production opemt ions. paper SPE 27233
presented at the SPE First International Conference on Health,
Safety and Environment, Jakarta, Jan 1994

650
 Figure 1 Tripod Causation Model

Breached
Defence

[ I I
Latent Failure Active failure

0’) Figure 2 Risk Assessment Matrix

U-l

OONSEGUENCE I INCREASINGPROBABM.IN

I
T
Severity Peoplo Aaeeb Environment Reputation A B c D E
Nmver Incldmtt H8pperu mm
heard of occurred has aeveml Baveral
n EP ‘n EP occurred tlma per llnn8 per
Industry nduetry In OpcO year In ysor In
Opco oc.tlon
7 No No No No
inlury dwnaqe efiect impact
1 Sliiht SIQht Sliiht Slight Manage for continuous
injury (image effect
T Minor WKn Mincf Limited
injury dmsga effect
3 Majrx LocaBaeC Localised Considerable ‘.,,.,’,.,,,:,.,:::,.
.,’,’..’:.:.:
...........
injury dame@ elkt impact
7 Singie t@cM Major National
fatality damage effect
5 M.dtiple Extensbe Massive International ‘;,:?’ .:’’” ““ ““::” ::”
fatalities damqe effact impact , ,,,,
Figure 3 The Incident Sequence

Failed
~mg~ Failed “““$~~
““”’”’’V7-
recovery ,$gg~
Control(s)
measure(s) -

Figure 4 Failed Controls & Defences

Failed
control

Failed
defence

Figure 5 Active Failures to Latent Failures

Failed
control
Figure 6 Tripod-BETA Basic Tree

\
Failed
control
Figure 7 Tripod-BETA Tree

:i ,..
.......... .........++..
,:..:,:,,.,,.,,,,
,,:,W: ,..

Hazard

,:::::,:
;:~:j.:,:.::,,/.::::
.:,:,,.:,,,2.:
,:,>.}.:

.-.:. .........
...-........:.,.:.,,.
,.,.,, ,..,.,,
...........
.....< ;
:?.5>*.;,:~,:,:F,:
,$.>~.:,,,,,.,,,.,<,,
,....*<..:-c ...,.