Tripod Beta is an incident and accident analysis methodology made available by the Stichting Tripod Foundation [1] via the Energy Institute. The methodology is designed to help an accident investigator analyse the causes of an incident or accident in conjunction with conducting the investigation. This helps direct the investigation as the investigator will be able to see where more information is needed about what happened, or how or why the incident occurred.
Tripod Beta was developed by Shell International Exploration and Production B.V. as the result of Shell-funded academic research in the 1980s and 1990s. Such research contributed towards the development of the Swiss cheese model of accident causation, and in the late 1990s and early 2000s, towards the development of the Hearts and Minds safety culture toolkit.
The research was based on the following hypotheses
The early research focused on a predictive tool to identify underlying causes of incidents before they occurred rather than an incident investigation methodology This would later become the basis for Tripod Delta.
The incident investigation methodology whilst always part of the research came later around 1990. initial Tripod Investigation followed a tabular approach as graphical program was not yet available
Following the 1988 Piper Alpha disaster and Lord Cullen report in 1990, Shell International created a team to look at Safety management systems and Safety Cases. That team worked until 2004 they developed a number of approaches, the EP forum (later the Oil and Gas Producers Association) guidance on Safety cases was founded on work by that team. The team worked closely with Leiden and Manchester Universities to the understanding of accident causation that had been developed in the 1984–2000 research program.
In 1992 Microsoft released windows version 3.1. That gave the team the ability for the first time to create graphical representations of the theories developed. Two software-based tools were developed: Bow Tie [2] and Tripod Beta, respectively. [3] [4]
In 1998, following publicity of Tripod Beta, Shell International Exploration and Production B.V. transferred copyright of the Tripod Beta methodology to the Stichting Tripod Foundation, a charitable body under Dutch law. The Foundation's purpose is to promote best practice in industry through the sensible usage of Tripod technologies to aid in the understanding and prevention of accidents and incidents. In 2012 the Foundation partnered with the Energy Institute in the UK in order to help achieve this. The Energy Institute currently publishes the official guide on using the Tripod Beta methodology. [5] The Stichting Tripod Foundation also accredits approved training courses, and assesses the competence of users of the Tripod methodology. Users who are assessed as competent in Tripod Beta are accredited as 'Tripod Practitioners'.
Tripod Beta is a methodology that can be conducted via pen and paper or using specialized software. [6] [7]
The methodology combines a number of theories of accident causation into generating a single model (a 'Tripod tree') of an accident or incident, most notably the Swiss cheese model (barrier-based risk management) and human factors-oriented theories such as GEMS (Generic Error-modelling system). [8] [ page needed ] as well as the worldwide accepted as a 'mainstream model 'GOP' (Gap, Outcome and Power) by Martin Fishbein and Icek Ajzen, expanding on the 'Theory of Reasoned Action' (TRA) (WIKI)...
A Tripod tree is divided into three sections.
An Event in terms of Tripod Beta is the unexpected, unwanted or adverse outcome of a willfully carried out and intended process. The sequence such Events in an incident are shown in the tree as a series of 'trios', a simple logic (AND) gate that tells how the combination of two events led to an outcome. The outcome can then become an event that can combine with another event to cause a subsequent outcome, and so on.
As the sequence of trios goes forward in time, the tree ends when the last incident occurs, but if relevant can also take into account what happened after the incident (such as emergency response).
Potential events may also be investigated; Such Events that did not 'materialize' either because a 'barrier' prevented it from happening, or by sheer 'randomness' which is less likely.
As the sequence goes backwards in time, the tree usually begins with the last 'normal' Event, i.e. an event that was a normal part of ( business) operations.
This represents a logical place at which to start investigating an incident, as everything that happened after this was unusual and therefore worth investigating 'what went wrong?'.
A trio has three elements: the Event (the outcome, a change in state to an object, causing an effect such as an injury), the object (the person or thing that was changed (damaged), and the agent of change (the energy, 'driving' force or hazard that caused change or damage to the object). A logic test is used to ensure the correct identification of these elements: 'Agent of change' acts upon 'object' and results in 'event'. For example, 'Fire' acts upon 'Person' and results in 'Person burnt by fire'.
The Tripod practitioner first models the incident by constructing a series of Trios that explain 'what happened'.
Trees usually have between two and five trios via interconnecting nodes, where either an Event turns into an 'Agent of Change'in a subsequent trio, or an Object at the same time turns into an Event if affected by another Agent of Change.
In Tripod theory, accidents are managed through the usage of 'Barriers'. Barriers are ( intended) functions of a (safety) management system, such as automated trips, relief valves, etc. that prevent an Agent of Change or hazard from causing an unexpected change or incident. Barriers are often people's actions (interventions) conducting critical tasks (such as responding to alarms) often described by rules and procedures but not necessarily.
Incidents are therefore 'allowed' to happen by the ineffectiveness at this particular point in time of one or more of these barriers.
Once the Tripod practitioner has created a series of Trios the next step is to identify the barriers that should have been in place to prevent the incident occurring. This is done for each individual Trio. Only barriers that could have actually mitigated or prevented the next event are considered. Predominantly, 'Failed Barriers' are considered. These are the barriers that should have prevented the incident but failed for various reasons. For example, a barrier to prevent injury in a car is a seat belt; however, this barrier may fail because the driver did not wear a seat belt, or the seat belt mechanism itself was faulty.
'Missing Barriers' (barriers that should have been in place according to 'best practice' but had not been established by the organisation), 'Inadequate Barriers' (barriers that functioned as intended but could not achieve the required function to prevent the incident; for example, a seat belt will only prevent serious injury under certain circumstances) and 'Effective Barriers' (barriers that succeeded in preventing the subsequent event) are also considered. If the analysis is modelling a 'Potential Event', unless the event was only prevented through sheer luck, there will be one or more Effective Barrier within the incident trajectory. For example, a seat belt functions to prevent the death of the driver.
Once the investigator has identified the sequence of events, and the Failed-, Missing-, and Inadequate- Barriers, the next step is to understand the causes of these being ineffective when needed.
In Tripod theory, barriers fail because of human action or inaction. This may be human action directly related to the barrier functionality (such as the driver not wearing the seat belt), but may also be indirect, such as a failure during the design or installation of the barrier, or the failure of management to consider implementing the barrier. This human action or inaction is called the 'Immediate Cause'. This is the substandard act or human error. Often, when (non-Tripod) investigations determine that the cause of an accident was due to human error, in Tripod-terms this would relate to the immediate cause only.
The reasons for substandard acts and human error cannot always be definitively known, however it is known that human errors have situation or psychological precursors. These 'Preconditions' are aspects of the working environment that are likely to have contributed towards the substandard action or inaction. For example, typical Preconditions may be: fatigue due to improper work-life balance; perception that a guard is not required, loss of situation awareness, improper motivation, poor supervision; rushing in order to complete a job quickly; noisy or dark environment; confusing procedures, incorrect understanding of work objective, etc.
Through interviews and investigation the investigator is able to identify a number of Preconditions that likely contributed towards the substandard action.
In Tripod theory, Preconditions represent aspects of the working environment that organisations should try to manage, usually via good leadership, safety culture, and a well-documented and implemented (safety) management system. For example: fatigue of the workforce can be managed by adequate shift rotas, and policies on shift length and overtime; rushing in order to complete a job quickly can be managed by leaders not sending conflicting messages that prioritize productivity over safety, etc. These weaknesses or failures of leadership, culture or management systems are the underlying causes of accidents and incidents. They help create, or fail to correct, the Preconditions.
The investigator looks for evidence of management system-level failures that created or failed to control the Preconditions. For example, this may be ambiguously worded, or lack of, written policy, unclear management-level responsibilities, apparent lack of visibility of leadership, ineffective risk management processes, etc. Tripod Beta encourages the investigator to consider these aspects of the incident.
Importantly, Tripod Beta placed great emphasis on identifying the Underlying Causes of accidents and incidents because, whilst many aspects of an accident (such as the sequence of events, Barriers and Preconditions) may be quite specific to a particular accident or incident, Underlying Causes will be non-specific to an accident and likely will be the cause of, or potential cause of, many different accidents and incidents, even those that seem completely unrelated.
The outcome of a Tripod Beta analysis are usually a number of recommendations for improvements within the organisation in order to prevent the same or other incidents occurring. Recommendations may or may not be formed by the person investigating.
Recommendations focus only on two aspects of the Tripod analysis: the Barriers and the Underlying Causes.
It is important to strengthen or reinstate the barriers so that the particular operation that was investigated can continue. Recommendations for improving Barriers are to prevent the same (or similar) incident happening and may involve fixing equipment or putting in place extra checks and additional independent barriers where barriers overly rely on human performance.
As Underlying Causes can be causal in many different types of incident, tackling the Underlying Causes may have the greater benefit in the long-term at preventing multiple incidents. Recommendations to tackle Underlying Causes are often aimed at management system level and are sometimes much harder to implement.
Recommendations are not made for other aspects of the incident (such as the Immediate Causes) as such recommendations will be unlikely to be effective at preventing further incidents. For example, recommendations for improving Immediate Causes (the substandard actions) often focus on retraining or punishing the person involved, which will be unlikely to prevent other people making the same error in future.
In science and engineering, root cause analysis (RCA) is a method of problem solving used for identifying the root causes of faults or problems. It is widely used in IT operations, manufacturing, telecommunications, industrial process control, accident analysis, medicine, healthcare industry, etc. Root cause analysis is a form of inductive and deductive inference.
Human reliability is related to the field of human factors and ergonomics, and refers to the reliability of humans in fields including manufacturing, medicine and nuclear power. Human performance can be affected by many factors such as age, state of mind, physical health, attitude, emotions, propensity for certain common mistakes, errors and cognitive biases, etc.
A chemical accident is the unintentional release of one or more hazardous chemicals, which could harm human health and the environment. Such events include fires, explosions, and release of toxic materials that may cause people illness, injury, or disability. Chemical accidents can be caused for example by natural disasters, human error, or deliberate acts for personal gain. Chemical accidents are generally understood to be industrial-scale ones, often with important offsite consequences. Unintended exposure to chemicals that occur at smaller work sites, as well as in private premises during everyday activities are usually not referred to as chemical accidents.
Pilot error generally refers to an accident in which an action or decision made by the pilot was the cause or a contributing factor that led to the accident, but also includes the pilot's failure to make a correct decision or take proper action. Errors are intentional actions that fail to achieve their intended outcomes. The Chicago Convention defines the term "accident" as "an occurrence associated with the operation of an aircraft [...] in which [...] a person is fatally or seriously injured [...] except when the injuries are [...] inflicted by other persons." Hence the definition of "pilot error" does not include deliberate crashing.
The critical incident technique is a set of procedures used for collecting direct observations of human behavior that have critical significance and meet methodically defined criteria. These observations are then kept track of as incidents, which are then used to solve practical problems and develop broad psychological principles. A critical incident can be described as one that makes a contribution—either positively or negatively—to an activity or phenomenon. Critical incidents can be gathered in various ways, but typically respondents are asked to tell a story about an experience they have had.
Safety culture is the collection of the beliefs, perceptions and values that employees share in relation to risks within an organization, such as a workplace or community. Safety culture is a part of organizational culture, and has been described in a variety of ways; notably the National Academies of Science and the Association of Land Grant and Public Universities have published summaries on this topic in 2014 and 2016.
Human error is an action that has been done but that was "not intended by the actor; not desired by a set of rules or an external observer; or that led the task or system outside its acceptable limits". Human error has been cited as a primary cause contributing factor in disasters and accidents in industries as diverse as nuclear power, aviation, space exploration, and medicine. Prevention of human error is generally seen as a major contributor to reliability and safety of (complex) systems. Human error is one of the many contributing causes of risk events.
Patient safety is a discipline that emphasizes safety in health care through the prevention, reduction, reporting and analysis of error and other types of unnecessary harm that often lead to adverse patient events. The frequency and magnitude of avoidable adverse events, often known as patient safety incidents, experienced by patients was not well known until the 1990s, when multiple countries reported significant numbers of patients harmed and killed by medical errors. Recognizing that healthcare errors impact 1 in every 10 patients around the world, the World Health Organization (WHO) calls patient safety an endemic concern. Indeed, patient safety has emerged as a distinct healthcare discipline supported by an immature yet developing scientific framework. There is a significant transdisciplinary body of theoretical and research literature that informs the science of patient safety with mobile health apps being a growing area of research.
A near miss, near death, near hit or close call is an unplanned event that has the potential to cause, but does not actually result in human injury, environmental or equipment damage, or an interruption to normal operation.
Accident analysis is carried out in order to determine the cause or causes of an accident so as to prevent further accidents of a similar kind. It is part of accident investigation or incident investigation. These analyses may be performed by a range of experts, including forensic scientists, forensic engineers or health and safety advisers. Accident investigators, particularly those in the aircraft industry, are colloquially known as "tin-kickers". Health and safety and patient safety professionals prefer using the term "incident" in place of the term "accident". Its retrospective nature means that accident analysis is primarily an exercise of directed explanation; conducted using the theories or methods the analyst has to hand, which directs the way in which the events, aspects, or features of accident phenomena are highlighted and explained.
The Swiss cheese model of accident causation is a model used in risk analysis and risk management, including aviation safety, engineering, healthcare, emergency service organizations, and as the principle behind layered security, as used in computer security and defense in depth. It likens human systems to multiple slices of Swiss cheese, which has randomly placed and sized holes in each slice, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses which are "layered" behind each other. Therefore, in theory, lapses and weaknesses in one defense do not allow a risk to materialize, since other defenses also exist, to prevent a single point of failure. The model was originally formally propounded by James T. Reason of the University of Manchester, and has since gained widespread acceptance. It is sometimes called the "cumulative act effect".
The system safety concept calls for a risk management strategy based on identification, analysis of hazards and application of remedial controls using a systems-based approach. This is different from traditional safety strategies which rely on control of conditions and causes of an accident based either on the epidemiological analysis or as a result of investigation of individual past accidents. The concept of system safety is useful in demonstrating adequacy of technologies when difficulties are faced with probabilistic risk analysis. The underlying principle is one of synergy: a whole is more than sum of its parts. Systems-based approach to safety requires the application of scientific, technical and managerial skills to hazard identification, hazard analysis, and elimination, control, or management of hazards throughout the life-cycle of a system, program, project or an activity or a product. "Hazop" is one of several techniques available for identification of hazards.
Process safety is an interdisciplinary engineering domain focusing on the study, prevention, and management of large-scale fires, explosions and chemical accidents in process plants or other facilities dealing with hazardous materials, such as refineries and oil and gas production installations. Thus, process safety is generally concerned with the prevention of, control of, mitigation of and recovery from unintentional hazardous materials releases that can have a serious effect to people, plant and/or the environment.
A Technique for Human Event Analysis (ATHEANA) is a technique used in the field of human reliability assessment (HRA). The purpose of ATHEANA is to evaluate the probability of human error while performing a specific task. From such analyses, preventative measures can then be taken to reduce human errors within a system and therefore lead to improvements in the overall level of safety.
An accident is an unintended, normally unwanted event that was not directly caused by humans. The term accident implies that nobody should be blamed, but the event may have been caused by unrecognized or unaddressed risks. Most researchers who study unintentional injury avoid using the term accident and focus on factors that increase risk of severe injury and that reduce injury incidence and severity. For example, when a tree falls down during a wind storm, its fall may not have been caused by humans, but the tree's type, size, health, location, or improper maintenance may have contributed to the result. Most car wrecks are not true accidents; however English speakers started using that word in the mid-20th century as a result of media manipulation by the US automobile industry.
Human factors are the physical or cognitive properties of individuals, or social behavior which is specific to humans, and influence functioning of technological systems as well as human-environment equilibria. The safety of underwater diving operations can be improved by reducing the frequency of human error and the consequences when it does occur. Human error can be defined as an individual's deviation from acceptable or desirable practice which culminates in undesirable or unexpected results.
Dive safety is primarily a function of four factors: the environment, equipment, individual diver performance and dive team performance. The water is a harsh and alien environment which can impose severe physical and psychological stress on a diver. The remaining factors must be controlled and coordinated so the diver can overcome the stresses imposed by the underwater environment and work safely. Diving equipment is crucial because it provides life support to the diver, but the majority of dive accidents are caused by individual diver panic and an associated degradation of the individual diver's performance. - M.A. Blumenberg, 1996
The AcciMap approach is a systems-based technique for accident analysis, specifically for analysing the causes of accidents and incidents that occur in complex sociotechnical systems.
Aviation accident analysis is performed to determine the cause of errors once an accident has happened. In the modern aviation industry, it is also used to analyze a database of past accidents in order to prevent an accident from happening. Many models have been used not only for the accident investigation but also for educational purpose.
Investigation of diving accidents includes investigations into the causes of reportable incidents in professional diving and recreational diving accidents, usually when there is a fatality or litigation for gross negligence.
A bow-tie diagram is a graphic tool used to describe an accidental event in terms of its initial causes, ultimate negative consequences, and safety barriers designed to prevent or control the associated hazards. It can be considered as a simplified, linear representation of a fault tree combined with an event tree, although it can maintain the quantitative, probabilistic aspects of the fault and event tree when it is used in the context of quantified risk assessments. The diagram visualizes an unintended event, usually one with the potential to escalate to undesired consequences, with all its credible initiating causes on the left of the event and its ultimate outcomes on the right. A number of barriers, either hard/engineered or administrative/procedural, are placed on the path from the initiators to the final outcomes. The shape of the diagram recalls that of a bow tie, after which it is named.
