Risk Management For
Human Error
Principles of Risk Management
Risk management can be defined as:
The eradication or minimisation of the adverse
effects of risks to which an organisation is
exposed.
[Diagram labelled RISK MANAGEMENT, RISK ASSESSMENT and RISK REDUCTION. Steps shown: Activity Characterization, Hazard Identification, Risk Estimation, Option Analysis, Decision Making, Implementation, Monitoring, Audit or Review.]
Qualitative Risk Assessment
Risk assessment can be a
‘very straightforward process based on judgement
requiring no specialist skills or complicated
techniques.’
This approach is commonly known as Qualitative
or Subjective risk assessment.
Quantitative Risk Assessment
• Major hazards associated with complex chemical or
nuclear plants, may ‘warrant the need of such
techniques as Quantitative Risk Assessment’.
• In Quantitative Risk Assessment (QRA) a numerical
estimate is made of the probability that a defined
harm will result from the occurrence of a particular
event
Stages in Risk Management
•Identifying the hazards.
•Evaluating the associated risks.
•Controlling the risks.
Risk Management Process- Hazard Identification
• The potential to cause harm. Harm
including ill health and injury,
damage to property, plant, products
or the environment, production
losses or increased liabilities.
Risk Management Process- Hazard Identification
•Comparative Methods. e.g. checklists and audits.
•Fundamental Methods: e.g. Deviation Analysis, Hazard and
Operability Studies, Energy Analysis, Failure Modes & Effects
Analysis.
•Failure Logic: e.g. Fault Trees, Event Trees & Cause-
Consequence diagrams
Risk Management Process- Hazard Identification
• What will I be using/doing?
• How much do I know about what I am using/doing?
• What factors or properties could there be that affect the
level of hazard (not risk)?
• Do I really have to do the work/task at all?
• Can I substitute something less hazardous?
Assessing The Risks
“The likelihood that a specified undesired event will occur due to the
realisation of a hazard by, or during work activities or by the products and
services created by work activities”
Calculated as -
potential severity of harm × likelihood of event occurring
Can We Work Out How High The Risk Is ?
• Consequence - severity
• What could go wrong?
• What is the worst that could happen?
• Likelihood
• How often must it be done?
• How many people do it?
• Is everyone doing it competent and trained?
Where Do Our Risks Fit On The Spectrum?
How likely?
How bad?
Evaluating The Risk
Likelihoods
Highly unlikely
Possibly
Quite likely
Very likely
Severity
Slight harm
Injury affecting work
Serious injury
Possible fatality
Risk Matrix
4 8 9 16
3 6 9 12
2 4 6 8
1 2 3 4
Does It Work?
4  Tolerable        8  Significant      12 Unacceptable     16 Unacceptable
3  Insignificant    6  Tolerable        9  Significant      12 Unacceptable
2  Insignificant    4  Tolerable        6  Tolerable        8  Significant
1  Insignificant    2  Insignificant    3  Insignificant    4  Tolerable
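The scoring rule and bands above, applied to a small risk register, as an added example that is not part of the original slides. The band thresholds are inferred from the scored matrix, the tie-break rule is an assumption, and the register entries are constructed from the hazard prompt-list.

```python
from dataclasses import dataclass

# Scales from the "Evaluating The Risk" slide, scored 1-4 in the order listed.
LIKELIHOOD = ("Highly unlikely", "Possibly", "Quite likely", "Very likely")
SEVERITY = ("Slight harm", "Injury affecting work", "Serious injury", "Possible fatality")

# Upper bound of each band, inferred from the scored matrix:
# 1-3 Insignificant, 4-6 Tolerable, 8-9 Significant, 12-16 Unacceptable.
BANDS = ((3, "Insignificant"), (6, "Tolerable"), (9, "Significant"), (16, "Unacceptable"))


def band_for(score):
    """Map a severity x likelihood score to its band."""
    if not 1 <= score <= 16:
        raise ValueError(f"score {score} is outside the 4x4 matrix")
    return next(name for upper, name in BANDS if score <= upper)


@dataclass(frozen=True)
class Assessment:
    activity: str
    hazard: str
    likelihood: str
    severity: str

    @property
    def score(self):
        # risk = potential severity of harm x likelihood of event occurring;
        # an unknown label raises ValueError instead of scoring silently.
        return (SEVERITY.index(self.severity) + 1) * (LIKELIHOOD.index(self.likelihood) + 1)

    @property
    def band(self):
        return band_for(self.score)


def banded_matrix():
    """Rebuild the 4x4 matrix (highest row first) as (score, band) cells."""
    return [[(r * c, band_for(r * c)) for c in range(1, 5)] for r in range(4, 0, -1)]


def action_inventory(assessments):
    """Priority order: highest score first. Equal scores are ordered by
    severity, worst outcome first (an assumption, not stated on the slides)."""
    return sorted(assessments,
                  key=lambda a: (-a.score, -SEVERITY.index(a.severity), a.hazard))


# Constructed register; hazards are taken from the prompt-list, ratings are invented.
REGISTER = [
    Assessment("Shower room use", "Slips/falls on the level", "Quite likely", "Injury affecting work"),
    Assessment("Scaffold work", "Falls of persons from heights", "Possibly", "Possible fatality"),
    Assessment("Stores access", "Inadequate headroom", "Highly unlikely", "Slight harm"),
    Assessment("Manual handling", "Manual lifting/handling of tools", "Very likely", "Serious injury"),
    Assessment("Site transport", "Vehicle hazards", "Possibly", "Serious injury"),
]

if __name__ == "__main__":
    for a in action_inventory(REGISTER):
        print(f"{a.score:>2}  {a.band:<13} {a.activity}: {a.hazard}")
```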
Controlling Risk
• Risk Avoidance – This strategy involves a conscious decision on the
part of the organisation to avoid completely a particular risk by
discontinuing the operation producing the risk, e.g. replacing a
hazardous chemical by one with less or no risk potential.
• Risk Retention – The risk is retained in the organisation where any
consequent loss is financed by the company. There are two aspects to
consider here, risk retention with knowledge and risk retention without
knowledge.
Controlling Risk
• Risk Transfer – This refers to the legal assignment of the costs of
certain potential losses from one party to another. The most common
way is by insurance.
• Risk Reduction – Here the risks are systematically reduced through
control measures, according to the hierarchy of risk control described in
earlier sections.
Practical Risk
Assessment
Classify work activities
Identify hazards
Determine risk
Decide if risk is tolerable
Prepare risk control action plan
(if necessary)
Review adequacy of action plan
Classify Work Activities
Possible ways of classifying work activities include:
• Geographical areas within/outside the organisation's
premises.
• Stages in the production process, or in the provision of a
service.
• Planned and reactive work.
• Defined tasks (e.g. driving).
Identify Hazards
Broad categories of hazard
To help with the process of identifying hazards it is useful to
categorise hazards in different ways, for example by topic,
e.g.:
• Mechanical.
• Electrical.
• Radiation.
• Substances.
• Fire and explosion.
Hazards Prompt-list
During work activities could the following hazards exist?
• Slips/falls on the level.
• Falls of persons from heights.
• Falls of tools, materials, etc., from heights.
• Inadequate headroom.
• Hazards associated with manual lifting/handling of tools,
materials, etc.
• Hazards from plant and machinery associated with assembly,
commissioning, operation, maintenance, modification, repair and
dismantling.
Hazards Prompt-list
• Vehicle hazards, covering both site transport, and travel by road.
• Fire and explosion.
• Violence to staff.
• Substances that may be inhaled.
• Substances or agents that may damage the eye.
• Substances that may cause harm by coming into contact with, or
being absorbed through, the skin.
• Substances that may cause harm by being ingested (i.e., entering
the body via the mouth).
• Harmful energies (e.g., electricity, radiation, noise, vibration).
Determine Risk
The risk from the hazard should be determined by
estimating the potential severity of harm and the
likelihood that harm will occur.
Severity of harm (columns): Slightly harmful, Harmful, Extremely harmful
Highly unlikely: Trivial Risk, Tolerable Risk, Moderate Risk
Unlikely: Moderate Risk, Substantial Risk
Likely: Moderate Risk, Substantial Risk, Intolerable Risk
One simple method for estimating risk levels and for deciding whether risks are tolerable. Risks are classified according to their estimated likelihood and potential severity of harm.
Decide If Risk Is Tolerable
Tolerable Risk
Prepare Risk Control Action Plan
Risk categories shown form the basis for deciding
whether improved controls are required and the
timescale for action.
The outcome of a risk assessment should be an inventory
of actions, in priority order, to devise, maintain or
improve controls.
RISK LEVEL: ACTION AND TIMESCALE
TRIVIAL: No action is required and no documentary records need to be kept.
TOLERABLE: No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
MODERATE: Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
SUBSTANTIAL: Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken.
INTOLERABLE: Work should not be started or continued until the risk has been reduced. If it is not possible to reduce risk even with unlimited resources, work has to remain prohibited.
A Simple Risk-Based Control Plan.
Prepare Risk Control Action Plan
The action plan should be reviewed before
implementation, typically by asking:
• Will the revised controls lead to tolerable risk levels?
• Are new hazards created?
• Has the most cost-effective solution been chosen?
• What do people affected think about the need for, and practicality
of, the revised preventive measures?
• Will the revised controls be used in practice, and not ignored in
the face of, for example, pressures to get the job done?
Changing Conditions and Revising
Risk assessment should be seen as a continuing process.
Thus, the adequacy of control measures should be
subject to continual review and revised if necessary.
TRIPOD
Incidents Are An Indicator
To Improve Our Performance
Understanding what
happened and why enables
us to improve our business
The “Conventional” View of
Accidents
• Once again there is a clear
recognition that defences of some
kind have been breached, usually
because of an unsafe act carried out
in a specific situation and in the
presence of hazards of some kind.
• That implies that the hazards were
not controlled (otherwise nothing or
no one would have been harmed).
Thus far nothing is new.
The “Tripodian” View of Accidents
• It uses the “Conventional” diagram
above but adds a third component,
“General Failure Types” (GFTs).
• What changed this long established
view was some highly original
research sponsored by one of the oil
majors and carried out at two major
universities, one in Holland and one
in the UK.
The “Tripodian” View of Accidents
• The research originally set out to establish the role of the human
being in the accident equation but very quickly established an
“alternative” theory of accident causation.
• Because of the triangular shape of the basic model of the
theory, it became known as the “Tripodian” view of accident
causation.
The Tripod Causation Model
• The research delved deep into the causation theory in
order to establish a concrete link between breached
defences and controls and active and latent failures. Thus
the Tripod causation model was born.
Tripod – Useable Tool
Tripod-BETA
• Useful in assisting the
investigation process, is
aimed primarily at
providing a well-
structured and highly
disciplined approach to
analysing accidents.
Tripod-DELTA
• Is a proactive safety
health check.
Tripod-BETA
Incident Investigation And Analysis
What Is Tripod-BETA ?
• A methodology for incident analysis during an investigation
• Combines concepts of hazard management
and the Tripod theory of accident causation.
How Does Tripod-BETA Work ?
The incident facts are built into a tree diagram showing ...
- What happened ?
- What hazard management elements failed ?
- Why each element failed ?
How Does The Tree Work ?
Let’s walk through a simple incident introducing the
terminology and logic that underpins Tripod-BETA
Example
• Location: An offshore platform
• Incident: An operative coming off shift slips and falls in the shower
room
• Consequence: He hurts his back and is off work. In the past three
months there have been two similar incidents
Initial Findings
• The incident occurred at 18:20 hours
• The operative slipped on the wet floor
• Cleaning staff are supposed to keep the shower
room floor dry
Starting A Tripod Tree
We start by identifying:
• An EVENT – Where a hazard and a target get together
• A TARGET - A person or an object that was harmed
• A HAZARD - The thing that did the harm
The Hazard, Event, Target
They are shown in a Tripod tree like this:
[Diagram: Hazard, Event, Target]
Hazard, Event, Target
In this incident:
The HAZARD is : Wet floor (slipping hazard)
The EVENT is : Operative falls in shower room
The TARGET is : Operative
HET Diagram
The Hazard, acting on the Target, resulted in the Event.
[Diagram: Hazard: Wet floor (slipping hazard); Target: Operative; Event: Operative falls in shower room]
Is The Investigation Complete ?
• Does this show full understanding ?
Finding: The man must have been careless
Recommendation: He should take more care on a wet floor
• Or is there something more ?
Was The Incident Preventable ?
• We know that a hazard management measure was in place
• Cleaning staff were assigned to keep the floor dry
• That ‘barrier’ to the incident failed.
Failed Barrier
The barrier should have controlled the hazard.
[Diagram: Hazard, Failed Barrier, Event, Target]
Incident Mechanism
The incident mechanism looks like this:
[Diagram: Hazard: Wet floor (slipping hazard); Failed Barrier: Floor drying; Event: Operative falls in shower room; Target: Operative]
Further Investigation
What caused the barrier to fail ?
• The cleaner could not keep the floor dry
• because the shower room was always congested between
18:00 and 19:00 hours.
Active Failure
An Active Failure defeated the barrier.
[Diagram: Hazard: Wet floor (slipping hazard); Failed Barrier: Floor drying; Active Failure; Event: Operative falls in shower room; Target: Operative]
Active failures can be viewed as ‘the straw that broke the camel’s back’!
Active Failures: Unsafe Acts or Conditions
Active failures are the failures close to the accident event that
defeat the controls and defences on the hazard and target
trajectories
Active Failure: Cleaner unable to keep floor dry
Active Failure
[Diagram: Hazard: Wet floor (slipping hazard); Failed Barrier: Floor drying; Active Failure: Cleaner unable to keep floor dry; Event: Operative falls in shower room; Target: Operative]
End of Investigation ?
• Is this the end of the investigation ?
Finding: The cleaner was incompetent
Recommendation: Cleaner should be replaced or retrained
Or is there still something more ?
Further Investigation
• We know that congestion was a factor that prompted the
active failure.
• Telephones are only available for private calls up till 19:00
hours.
• The congestion is caused by day shift crew hurrying to call
home.
The Full Picture
Now we have the full picture:
• The congestion is a ‘Precondition’ that influenced the
cleaner’s task
• Restriction on telephones is a ‘Latent Failure’ that created
the precondition
Precondition
[Diagram: Hazard: Wet floor (slipping hazard); Failed Barrier: Floor drying; Active Failure: Cleaner unable to keep floor dry; Precondition; Event: Operative falls in shower room; Target: Operative]
Precondition
• Preconditions are the environmental, situational or psychological
“system states” or even “states of mind” that promote, or
directly cause, active failures.
• Preconditions form the link between active and latent failures
and can be viewed as the sources of human error.
Precondition: Congestion 18:00 – 19:00 hours
Precondition
[Diagram: Hazard: Wet floor (slipping hazard); Failed Barrier: Floor drying; Active Failure: Cleaner unable to keep floor dry; Precondition: Congestion 18:00 – 19:00 hrs; Event: Operative falls in shower room; Target: Operative]
Latent Failure
[Diagram: Hazard: Wet floor (slipping hazard); Failed Barrier: Floor drying; Active Failure: Cleaner unable to keep floor dry; Precondition: Congestion 1800 - 1900 hrs; Latent Failure; Event: Operative falls in shower room; Target: Operative]
Latent Failure
• “A defining characteristic of latent failures is
that they have been present within the operation
before the onset of a recognisable accident
sequence.”
The Eleven Latent Failures
• Hardware
• Design
• Maintenance management
• Procedures
• Error-enforcing conditions
• Housekeeping
• Incompatible goals
• Communications
• Organisation
• Training
• Defence
The Eleven Latent Failures
• The eleven latent failures constitute what are known as
the General Failure Types (GFTs).
• “The eleven latent failures represent the vital organs of the
safety equation – failure to ensure their inherent good health
will increase your propensity to have accidents”.
Latent Failure: Restriction on private phone calls
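Latent Failure
[Diagram: Hazard: Wet floor (slipping hazard); Failed Barrier: Floor drying; Active Failure: Cleaner unable to keep floor dry; Precondition: Congestion 1800 - 1900 hrs; Latent Failure: Restriction on private phone calls; Event: Operative falls in shower room; Target: Operative]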
Recommendations
Action items should address:
• The failed barrier ...
to restore safe conditions on a temporary basis
(provide extra cleaner between 18:00 and 19:00)
• The latent failure ...
to remove the underlying cause
(extend the availability of shore telephone)
The Tripod Incident Chain And Feedback loop
The Tripod causation model can be further expanded to show
the various ways of learning:
• From accidents themselves;
• From what are called observed unsafe acts; and
• By proactively measuring or assessing the state of health of
the eleven GFTs.
Summary Of Tripod-BETA
• Investigate
• Identify each event starting with the main one – do not proceed until this
is done
• For each event identify the hazard and target (object of harm)
• For each hazard identify the breached or missing control(s)
• For each target identify the breached or missing defence(s)
• Confirm the changed status of each event i.e. each event (except the
final one) becomes either a target or a hazard in its own right
• Confirm the totality of the sequence and that no events are missing i.e.
the whole tree should follow a continuous and verifiable sequence
• Make sure that you have not omitted any events in the
response/recovery stage of the incident
• Seek out missing information identified during the first phase and repeat
the process if necessary
• Graphically display the resultant event tree and recheck once more
• For each breached or missing control on each hazard leg identify the
active failure
• For each breached or missing defence on each target leg identify the
active failure
• For each active failure identify the relevant precondition
Summary Of Tripod-BETA
• For each precondition identify the latent failure and
categorise into GFTs (up to three GFTs may be involved
per latent failure)
• Add up all the GFTs and graphically plot them in the form
of vertical bars–the highest bars are indicators of
greatest weakness and therefore greatest concern
• Identify the (fallible) decision behind each GFT where
possible
• Seek out missing information identified during phase 2
and repeat the process if necessary
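The shower-room walk-through and the summary steps above, modelled as a data structure, as an added example that is not part of the original slides or of any Tripod software. It reports which causal links an investigation has not yet established, derives the two kinds of action item, and tallies GFTs; the GFT categories assigned to the telephone restriction are an assumption, since the slides do not categorise it.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GFTS = frozenset({
    "Hardware", "Design", "Maintenance management", "Procedures",
    "Error-enforcing conditions", "Housekeeping", "Incompatible goals",
    "Communications", "Organisation", "Training", "Defence"})


@dataclass
class LatentFailure:
    description: str
    gfts: Tuple[str, ...]

    def __post_init__(self):
        # Up to three GFTs may be involved per latent failure.
        if len(self.gfts) > 3 or not set(self.gfts) <= GFTS:
            raise ValueError("expected at most three of the eleven GFTs")


@dataclass
class Precondition:
    description: str
    latent_failure: Optional[LatentFailure] = None


@dataclass
class ActiveFailure:
    description: str
    precondition: Optional[Precondition] = None


@dataclass
class Barrier:
    name: str
    leg: str  # "hazard" (a control) or "target" (a defence)
    active_failure: Optional[ActiveFailure] = None


@dataclass
class Incident:
    hazard: str
    target: str
    event: str
    barriers: List[Barrier] = field(default_factory=list)


def open_questions(incident):
    """Causal links still missing, i.e. reasons the investigation is not finished."""
    if not incident.barriers:
        return ["no breached or missing barrier identified"]
    gaps = []
    for b in incident.barriers:
        af = b.active_failure
        if af is None:
            gaps.append(f"barrier '{b.name}': active failure not identified")
        elif af.precondition is None:
            gaps.append(f"active failure '{af.description}': precondition not identified")
        elif af.precondition.latent_failure is None:
            gaps.append(f"precondition '{af.precondition.description}': "
                        "latent failure not identified")
    return gaps


def latent_failures(incident):
    for b in incident.barriers:
        pre = b.active_failure.precondition if b.active_failure else None
        if pre and pre.latent_failure:
            yield pre.latent_failure


def gft_profile(incident):
    """GFT counts, highest first: the vertical bars of the summary."""
    counts = Counter()
    for lf in latent_failures(incident):
        counts.update(lf.gfts)
    return counts.most_common()


def action_items(incident):
    """One temporary fix per failed barrier, one permanent fix per latent failure."""
    items = [("restore barrier (temporary)", b.name)
             for b in incident.barriers if b.active_failure]
    items += [("remove underlying cause", lf.description)
              for lf in latent_failures(incident)]
    return items


def shower_room_incident(stage):
    """1 = hazard/event/target only, 2 = plus active failure, 3 = full picture."""
    inc = Incident("Wet floor (slipping hazard)", "Operative",
                   "Operative falls in shower room")
    if stage >= 2:
        inc.barriers.append(Barrier("Floor drying", "hazard",
                                    ActiveFailure("Cleaner unable to keep floor dry")))
    if stage >= 3:
        latent = LatentFailure("Restriction on private phone calls",
                               ("Procedures", "Incompatible goals"))  # assumed GFTs
        inc.barriers[0].active_failure.precondition = Precondition(
            "Congestion 18:00 - 19:00 hours", latent)
    return inc


if __name__ == "__main__":
    for stage in (1, 2, 3):
        print(stage, open_questions(shower_room_incident(stage)))
    print(action_items(shower_room_incident(3)))
```

Stopping at stage 2 is the "cleaner was incompetent" finding: the tree still reports an unanswered question, and no action item reaches the underlying cause.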
Summary Of Tripod-BETA
Tripod-DELTA
A Proactive Safety Health Check
Tripod-DELTA
• “Tripod-DELTA addresses the latent failures that are
behind the active failures, most of which are caused by
human error. It reveals the factors that increase the
likelihood of human errors so that they can be
proactively addressed.”
Tripod-DELTA
• Whereas Tripod-BETA is able to identify, amongst other
things, latent failures after an incident, Tripod-DELTA is able
to identify and quantify (at least in relative terms) the
existence of latent failures before an incident happens.
• It is a proactive safety health check in every sense of the
word.
How It Works?
• Use Indicator questions to measure and assess organizational
health.
• Input the questions to the computer programme.
• The computer selects 20 questions randomly from each bank of
indicator questions.
• The questions are then displayed randomly and issued as a
questionnaire.
• Teams of operatives are then invited to answer the questionnaire.
• The results are fed into the computer which then categorises
them in terms of GFTs.
• The computer analyses them, comparing the yes/no answers with the
preferred answers in the system.
• The resultant analysis is then displayed as a “DELTA profile”
based on the number of differences per GFT between the
preferred answers and the answers given.
• The greater the difference the greater the height of the vertical
bar and the greater the concern.
• Each vertical bar represents one GFT i.e. Hardware,
Housekeeping etc. In this case the greatest differences involve
Maintenance management, Communications and Defences.
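The profiling procedure described in the list above, as an added example that is not the Tripod-DELTA programme itself. The question banks, preferred answers and team responses are constructed placeholders, and leaving unanswered questions out of the count is an assumption.

```python
import random
from collections import Counter

GFT_NAMES = ["Hardware", "Design", "Maintenance management", "Procedures",
             "Error-enforcing conditions", "Housekeeping", "Incompatible goals",
             "Communications", "Organisation", "Training", "Defence"]

# Constructed banks: 30 placeholder indicator questions per GFT, each with a
# preferred yes/no answer (True = yes). Real banks hold real questions.
BANKS = {gft: [(f"{gft} indicator {i:02d}", i % 2 == 0) for i in range(1, 31)]
         for gft in GFT_NAMES}


def build_questionnaire(banks, per_gft=20, rng=None):
    """Pick per_gft questions at random from each bank, then shuffle the order."""
    rng = rng if rng is not None else random.Random()
    picked = []
    for gft, bank in banks.items():
        if len(bank) < per_gft:
            raise ValueError(f"bank '{gft}' has fewer than {per_gft} questions")
        picked.extend((gft, q, preferred) for q, preferred in rng.sample(bank, per_gft))
    rng.shuffle(picked)
    return picked


def delta_profile(questionnaire, responses):
    """Count, per GFT, the answers that differ from the preferred answer.

    responses: one {question: bool} dict per respondent. Unanswered questions
    are not counted as differences (an assumption)."""
    diffs = Counter({gft: 0 for gft, _, _ in questionnaire})
    for answers in responses:
        for gft, question, preferred in questionnaire:
            if question in answers and answers[question] != preferred:
                diffs[gft] += 1
    return diffs


def worst_gfts(profile, n=3):
    """The n GFTs with the most differences (ties broken alphabetically)."""
    ranked = sorted(profile.items(), key=lambda kv: (-kv[1], kv[0]))
    return [gft for gft, _ in ranked[:n]]


def bars(profile):
    """Text version of the DELTA profile: one bar per GFT."""
    return [f"{gft:<28}{'#' * profile[gft]} {profile[gft]}" for gft in GFT_NAMES
            if gft in profile]


def simulate_team(questionnaire, deviations, respondents=3):
    """Constructed answers: each respondent gives the non-preferred answer to
    deviations[gft] questions of that GFT and the preferred answer otherwise."""
    team = []
    for _ in range(respondents):
        remaining = dict(deviations)
        answers = {}
        for gft, question, preferred in questionnaire:
            if remaining.get(gft, 0) > 0:
                answers[question] = not preferred
                remaining[gft] -= 1
            else:
                answers[question] = preferred
        team.append(answers)
    return team


# Constructed weakness pattern, chosen to match the case described in the list.
SAMPLE_DEVIATIONS = {"Maintenance management": 9, "Communications": 7,
                     "Defence": 6, "Hardware": 2}

if __name__ == "__main__":
    quiz = build_questionnaire(BANKS)
    profile = delta_profile(quiz, simulate_team(quiz, SAMPLE_DEVIATIONS))
    print("\n".join(bars(profile)))
    print("Worst three:", worst_gfts(profile))
```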
How It Works?
• After diagnosis, DELTA gives the organisation time to correct
problems before they potentially develop into incidents.
• The team involved with the profiling will be invited to identify
specific concerns and to apply (usually) three remedial measures
for each of the three worst GFTs.
• This involves a two or three hour “brainstorming” session based
on a “what”, “when” and “who” format, i.e. what the action is,
when it is to be completed and who is responsible for its
implementation.
How It Works?
Delta-Profile
Benefits of DELTA
• Resource prioritisation
• Proactive approach
• Self diagnostic
• Profiling between audits
• Addresses hidden failures
• Good cost/benefit ratio
• Human-tolerant system
Conclusion
• Tripod-DELTA looks at safety in a new light, examining the entire
organisation at every level for latent failures instead of
“traditional” safety problems.
• It provides feedback on potential incident causes before any
incident has occurred.
• It identifies the strongest and weakest areas of an operation,
therefore allowing the accurate prioritisation of resources.
• As a self-diagnostic tool it is run by the line efficiently and is
flexible enough to avoid peak work periods.

Topic 04 risk management

  • 1.
  • 2.
    Principles of RiskManagement Risk management can be defined as: The eradication or minimisation of the adverse affects of risks to which an organisation is exposed.
  • 3.
    Activity Characterization  Hazard Identification  Risk Estimation Implementation  Monitoring  Auditor Review Option Analysis  Decision Making RISK MANAGEMENT RISK ASSESSMENT RISK REDUCTION
  • 4.
    Qualitative Risk Assessment Riskassessment can be a ‘very straightforward process based on judgement requiring no specialist skills or complicated techniques.’ This approach is commonly known as Qualitative or Subjective risk assessment.
  • 5.
    Quantitative Risk Assessment •Major hazards associated with complex chemical or nuclear plants, may ‘warrant the need of such techniques as Quantitative Risk Assessment’. • In Quantitative Risk Assessment (QRA) a numerical estimate is made of the probability that a defined harm will result from the occurrence of a particular event
  • 6.
    Stages in RiskManagement •Identifying the hazards. •Evaluating the associated risks. •Controlling the risks.
  • 7.
    Risk Management Process-Hazard Identification • The potential to cause harm. Harm including ill health and injury, damage to property, plant, products or the environment, production losses or increased liabilities.
  • 8.
    Risk Management Process-Hazard Identification •Comparative Methods. e.g. checklists and audits. •Fundamental Methods: e.g. Deviation Analysis, Hazard and Operability Studies, Energy Analysis, Failure Modes & Effects Analysis. •Failure Logic: e.g. Fault Trees, Event Trees & Cause- Consequence diagrams
  • 9.
    Risk Management Process-Hazard Identification • What will I be using/doing? • How much do I know about what I am using/doing? • What factors or properties could there be that affect the level of hazard (not risk)? • Do I really have to do the work/task at all? • Can I substitute something less hazardous?
  • 10.
    Assessing The Risks “Thelikelihood that a specified undesired event will occur due to the realisation of a hazard by, or during work activities or by the products and services created by work activities” Calculated as - potential severity of harm × likelihood of event occurring
  • 11.
    Can We WorkOut How High The Risk Is ? • Consequence - severity • What could go wrong? • What is the worst that could happen? • Likelihood • How often must it be done? • How many people do it? • Is everyone doing it competent and trained?
  • 12.
    Where Do OurRisks Fit On The Spectrum? Howlikely? How bad?
  • 13.
    Evaluating The Risk Likelihoods Highlyunlikely Possibly Quite likely Very likely Severity Slight harm Injury affecting work Serious injury Possible fatality
  • 14.
    Risk Matrix 4 89 16 3 6 9 12 2 4 6 8 1 2 3 4
  • 15.
  • 16.
    Controlling Risk • RiskAvoidance – This strategy involves a conscious decision on the part of the organisation to avoid completely a particular risk by discontinuing the operation producing the risk e.g. the replacing a hazardous chemical by one with less or no risk potential. • Risk Retention – The risk is retained in the organisation where any consequent loss is financed by the company. There are two aspects to consider here, risk retention with knowledge and risk retention without knowledge.
  • 17.
    Controlling Risk • RiskTransfer – This refers to the legal assignment of the costs of certain potential losses from one party to another. The most common way is by insurance. • Risk Reduction – Here the risks are systematically reduced through control measures, according to the hierarchy of risk control described in earlier sections.
  • 18.
    Practical Risk Assessment Classify workactivities Identify hazards Determine risk Decide if risk is tolerable Prepare risk control action plan (if necessary) Review adequacy of action plan
  • 19.
    Classify Work Activities Possibleways of classifying work activities include: • Geographical areas within/outside the organisation's premises. • Stages in the production process, or in the provision of a service. • Planned and reactive work. • Defined tasks (e.g. driving).
  • 20.
    Identify Hazards Broad categoriesof hazard To help with the process of identifying hazards it is useful to categorise hazards in different ways, for example by topic, e.g.: • Mechanical. • Electrical. • Radiation. • Substances. • Fire and explosion.
  • 21.
    Hazards Prompt-list During workactivities could the following hazards exist? • Slips/falls on the level. • Falls of persons form heights. • Falls of tools, materials, etc., from heights. • Inadequate headroom. • Hazards associated with manual lifting/handling of tools, materials, etc.. • Hazards from plant and machinery associated with assembly, commissioning, operation, maintenance, modification, repair and dismantling.
  • 22.
    Hazards Prompt-list • Vehiclehazards, covering both site transport, and travel by road. • Fire and explosion. • Violence to staff. • Substances that may be inhaled. • Substances or agents that may damage the eye. • Substances that may cause harm by coming into contact with, or being absorbed through, the skin. • Substances that may cause harm by being ingested (i.e., entering the body via the mouth). • Harmful energies (e.g., electricity, radiation, noise, vibration).
  • 23.
    Determine Risk The riskfrom the hazard should be determined by estimating the potential severity of harm and the likelihood that harm will occur.
  • 24.
    Slightly harmful Harmful Extremely harmful Highly unlikely Trivial RiskTolerable Risk Moderate Risk Unlikely Moderate Risk Substantial Risk Likely Moderate Risk Substantial Risk Intolerable Risk One simple method for estimating risk levels and for deciding whether risks are tolerable. Risks are classified according to their estimated likelihood and potential severity of harm. Decide If Risk Is Tolerable Tolerable Risk
  • 25.
    Prepare Risk ControlAction Plan Risk categories shown form the basis for deciding whether improved controls are required and the timescale for action. The outcome of a risk assessment should be an inventory of actions, in priority order, to devise, maintain or improve controls.
  • 26.
    RISK LEVEL ACTIONAND TIMESCALE TRIVIAL No action is required and no documentary records need to be kept. TOLERABLE No additional controls are required. Consideration may be given to a more cost-effective solution or improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained . MODERATE Efforts should be made to reduce the risk, but the costs of prevention should b e carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures. SUBSTANTIAL Work should not be started until the risk has been reduced. Considerable resources may have to be allocated to reduce the risk. Where the risk involves work in progress, urgent action should be taken. INTOLERABLE Work should not be started or continued until the risk has been reduced. If it is not possible to reduce risk even with unlimited resources, work has to remain prohibited. A Simple Risk-Based Control Plan.
  • 27.
    Prepare Risk ControlAction Plan The action plan should be reviewed before implementation, typically by asking: • Will the revised controls lead to tolerable risk levels? • Are new hazards created? • Has the most cost-effective solution been chosen? • What do people affected think about the need for, and practicality of, the revised preventive measures? • Will the revised controls be used in practice, and not ignored in the face of, for example, pressures to get the job done?
  • 28.
    Changing Conditions andRevising Risk assessment should be seen as a continuing process. Thus, the adequacy of control measures should be subject to continual review and revised if necessary.
  • 29.
  • 30.
    Incidents Are AnIndicator To Improve Our Performance Understanding what happened and why enables us to improve our business
  • 31.
    The “Conventional” Viewof Accidents • Once again there is a clear recognition that defences of some kind have been breached, usually because of an unsafe act carried out in a specific situation and in the presence of hazards of some kind. • That infers that the hazards were not controlled (otherwise nothing or no one would have been harmed). Thus far nothing is new.
  • 32.
    The “Tripodian” Viewof Accidents • It uses the Conventional” diagram above but adds a third component “General Failure Types” (GFTs). • What changed this long established view was some highly original research sponsored by one of the oil majors and carried out at two major universities, one in Holland and one in the UK.
  • 33.
    The “Tripodian” Viewof Accidents • The research originally set out to establish the role of the human being in the accident equation but very quickly established an “alternative” theory of accident causation. • Because of the triangular shape of the basic model of the theory, it became known as the “Tripodian” view of accident causation.
  • 34.
    The Tripod CausationModel • The research delved deep into the causation theory in order to establish a concrete link between breached defences and controls and active and latent failures thus the Tripod causation model was born
  • 35.
    Tripod – UseableTool Tripod-BETA • Useful in assisting the investigation process, is aimed primarily at providing a well- structured and highly disciplined approach to analysing accidents. Tripod-DELTA • Is a proactive safety health check.
  • 36.
  • 37.
    What Is Tripod-BETA? • A methodology for incident analysis during an investigation • Combine concepts of hazard management and the Tripod theory of accident causation.
  • 38.
    How Does Tripod-BETAWork ? The incident facts are built into a tree diagram showing ... - What happened ? - What hazard management elements failed ? - Why each element failed ?
  • 39.
    How Does TheTree Work ? Let’s walk through a simple incident introducing the terminology and logic that underpins Tripod-BETA
  • 40.
    Example • Location: Anoffshore platform • Incident: An operative coming off shift slips and falls in the shower room • Consequence: He hurts his back and is off work. In the past three months there have been two similar incidents
  • 41.
    Initial Findings • Theincident occurred at 18:20 hours • The operative slipped on the wet floor • Cleaning staff are supposed to keep the shower room floor dry
  • 42.
    Starting A TripodTree We start by identifying: • An EVENT – Where a hazard and a target get together • A TARGET - A person or an object that was harmed • A HAZARD - The thing that did the harm
  • 43.
    The Hazard, Event,Target They are shown in a Tripod tree like this: Hazard Event Target
  • 44.
    Hazard, Event, Target Inthis incident: The HAZARD is : Wet floor (slipping hazard) The EVENT is : Operative falls in shower room The TARGET is : Operative
  • 45.
    Hazard, Event, TreeDiagram The Hazard, Wet floor (slipping hazard) Event Target
  • 46.
    Hazard, Event, TreeDiagram The Hazard, acting on the Target, Wet floor (slipping hazard) Event Operative
  • 47.
    HET Diagram The Hazard,acting on the Target, resulted in the Event Wet floor (slipping hazard) Operative falls in shower room Operative
  • 48.
    Is The InvestigationComplete ? • Does this show full understanding ? Finding: The man must have been careless Recommendation: He should take more care on a wet floor • Or is there something more ?
  • 49.
    Was The IncidentPreventable ? • We know that a hazard management measure was in place • Cleaning staff were assigned to keep the floor dry • That ‘barrier’ to the incident failed.
  • 50.
    Failed Barrier The barrier should have controlled the hazard Hazard Event Target Failed Barrier
  • 51.
    Incident Mechanism The incident mechanism looks like this: Wet floor (slipping hazard) Operative falls in shower room Operative Floor drying
  • 52.
    Further Investigation What caused the barrier to fail? • The cleaner could not keep the floor dry • because the shower room was always congested between 18:00 and 19:00 hours.
  • 53.
    Active Failure Wet floor (slipping hazard) Operative falls in shower room Operative Floor drying Active Failure An Active Failure defeated the barrier Active failures can be viewed as ‘the straw that broke the camel’s back’!
  • 54.
    Active Failures: Unsafe Acts or Conditions Active failures are the failures close to the accident event that defeat the controls and defences on the hazard and target trajectories Active Failure: Cleaner unable to keep floor dry
  • 55.
    Active Failure Wet floor (slipping hazard) Operative falls in shower room Operative Floor drying Cleaner unable to keep floor dry
  • 56.
    End of Investigation? • Is this the end of the investigation? Finding: The cleaner was incompetent Recommendation: Cleaner should be replaced or retrained Or is there still something more?
  • 57.
    Further Investigation • We know that congestion was a factor that prompted the active failure. • Telephones are only available for private calls up till 19:00 hours. • The congestion is caused by day shift crew hurrying to call home.
  • 58.
    The Full Picture Now we have the full picture: • The congestion is a ‘Precondition’ that influenced the cleaner’s task • Restriction on telephones is a ‘Latent Failure’ that created the precondition
  • 59.
    Precondition Wet floor (slipping hazard) Operative falls in shower room Operative Floor drying Precondition Cleaner unable to keep floor dry
  • 60.
    Precondition • Preconditions are the environmental, situational or psychological “system states” or even “states of mind” that promote, or directly cause, active failures. • Preconditions form the link between active and latent failures and can be viewed as the sources of human error. Precondition: Congestion 18:00 – 19:00 hours
  • 61.
    Precondition Wet floor (slipping hazard) Operative falls in shower room Operative Floor drying Congestion 18:00 – 19:00 hrs Cleaner unable to keep floor dry
  • 62.
    Latent Failure Wet floor (slipping hazard) Operative falls in shower room Operative Floor drying Latent Failure Congestion 1800 - 1900 hrs Cleaner unable to keep floor dry
  • 63.
    Latent Failure • “A defining characteristic of latent failures is that they have been present within the operation before the onset of a recognisable accident sequence”
  • 64.
    The Eleven Latent Failures • Hardware • Design • Maintenance management • Procedures • Error-enforcing conditions • Housekeeping • Incompatible goals • Communications • Organisation • Training • Defence
  • 65.
    The Eleven Latent Failures • The eleven latent failures constitute what are known as the General Failure Types (GFTs). • “The eleven latent failures represent the vital organs of the safety equation – failure to ensure their inherent good health will increase your propensity to have accidents”. Latent Failure: Restriction on private phone calls
  • 66.
    Latent Failure Wet floor (slipping hazard) Operative falls in shower room Operative Floor drying Restriction on private phone calls Congestion 1800 - 1900 hrs Cleaner unable to keep floor dry
  • 67.
    Recommendations Action items should address: • The failed barrier ... to restore safe conditions on a temporary basis (provide extra cleaner between 18:00 and 19:00) • The latent failure ... to remove the underlying cause (extend the availability of shore telephone)
  • 68.
    The Tripod Incident Chain And Feedback Loop The Tripod causation model can be further expanded to show the various ways of learning: • From accidents themselves; • From what are called observed unsafe acts; and • By proactively measuring or assessing the state of health of the eleven GFTs.
  • 70.
    Summary Of Tripod-BETA • Investigate • Identify each event starting with the main one – do not proceed until this is done • For each event identify the hazard and target (object of harm) • For each hazard identify the breached or missing control(s) • For each target identify the breached or missing defence(s) • Confirm the changed status of each event i.e. each event (except the final one) becomes either a target or a hazard in its own right • Confirm the totality of the sequence and that no events are missing i.e. the whole tree should follow a continuous and verifiable sequence
  • 71.
    Summary Of Tripod-BETA • Make sure that you have not omitted any events in the response/recovery stage of the incident • Seek out missing information identified during the first phase and repeat the process if necessary • Graphically display the resultant event tree and recheck once more • For each breached or missing control on each hazard leg identify the active failure • For each breached or missing defence on each target leg identify the active failure • For each active failure identify the relevant precondition
  • 72.
    Summary Of Tripod-BETA • For each precondition identify the latent failure and categorise into GFTs (up to three GFTs may be involved per latent failure) • Add up all the GFTs and graphically plot them in the form of vertical bars; the highest bars are indicators of greatest weakness and therefore greatest concern • Identify the (fallible) decision behind each GFT where possible • Seek out missing information identified during phase 2 and repeat the process if necessary
  • 74.
    Tripod-DELTA • “Tripod-DELTA addresses the latent failures that are behind the active failures, most of which are caused by human error. It reveals the factors that increase the likelihood of human errors so that they can be proactively addressed”
  • 75.
    Tripod-DELTA • Whereas Tripod-BETA is able to identify, amongst other things, latent failures after an incident, Tripod-DELTA is able to identify and quantify (at least in relative terms) the existence of latent failures before an incident happens. • It is a proactive safety health check in every sense of the word.
  • 76.
    How It Works? • Use indicator questions to measure and assess organizational health. • Input the questions into a computer programme. • The computer selects 20 questions randomly from each bank of indicator questions. • The questions are then displayed randomly and issued as a questionnaire. • Teams of operatives are then invited to answer the questionnaire. • The results are fed into the computer, which then categorises them in terms of GFTs.
  • 77.
    How It Works? • The computer analyses them, comparing the yes/no answers with the preferred answers in the system. • The resultant analysis is then displayed as a “DELTA profile” based on the number of differences per GFT between the preferred answers and the answers given. • The greater the difference, the greater the height of the vertical bar and the greater the concern. • Each vertical bar represents one GFT i.e. Hardware, Housekeeping etc. In this case the greatest differences involve Maintenance management, Communications and Defences.
  • 78.
    How It Works? • After diagnosis, DELTA gives the organisation time to correct problems before they potentially develop into incidents. • The team involved with the profiling will be invited to identify specific concerns and to apply (usually) three remedial measures for each of the three worst GFTs. • This involves a two or three hour “brainstorming” session based on a “what”, “when” and “who” format, i.e. what the action is, when it is to be completed and who is responsible for its implementation.
  • 80.
    Benefits of DELTA • Resource prioritisation • Proactive approach • Self diagnostic • Profiling between audits • Addresses hidden failures • Good cost/benefit ratio • Human-tolerant system
  • 81.
    Conclusion • Tripod-DELTA looks at safety in a new light, examining the entire organisation at every level for latent failures instead of “traditional” safety problems. • It provides feedback on potential incident causes before any incident has occurred. • It identifies the strongest and weakest areas of an operation, therefore allowing the accurate prioritisation of resources. • As a self-diagnostic tool it is run by the line efficiently and is flexible enough to avoid peak work periods.
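
The questionnaire-and-profile procedure from the "How It Works?" slides, sketched in Python as an added example; it is not the Tripod-DELTA software and not part of the original slides. The question banks, the answer sheets and every function name are constructed for illustration, and breaking ties between GFTs alphabetically is an assumption.

```python
import random
from collections import namedtuple

GFTS = ["Hardware", "Design", "Maintenance management", "Procedures",
        "Error-enforcing conditions", "Housekeeping", "Incompatible goals",
        "Communications", "Organisation", "Training", "Defence"]
Question = namedtuple("Question", "qid gft preferred")
OPPOSITE = {"yes": "no", "no": "yes"}

def build_banks(size=30, seed=1):
    """Constructed stand-in for the indicator question banks (one per GFT)."""
    rng = random.Random(seed)
    return {g: [Question(f"{g}-{i}", g, rng.choice(["yes", "no"]))
                for i in range(size)] for g in GFTS}

def make_questionnaire(banks, per_gft=20, seed=None):
    """Pick per_gft questions at random from each bank, then shuffle the order."""
    rng = random.Random(seed)
    picked = [q for bank in banks.values() for q in rng.sample(bank, per_gft)]
    rng.shuffle(picked)
    return picked

def answer_sheet(questionnaire, disagreements):
    """Constructed respondent: preferred answers everywhere except the first
    disagreements[gft] questions encountered for each listed GFT."""
    left, sheet = dict(disagreements), {}
    for q in questionnaire:
        flip = left.get(q.gft, 0) > 0
        if flip:
            left[q.gft] -= 1
        sheet[q.qid] = OPPOSITE[q.preferred] if flip else q.preferred
    return sheet

def delta_profile(questionnaire, sheets):
    """Count, per GFT, the answers that differ from the preferred answer."""
    profile = {g: 0 for g in GFTS}
    for sheet in sheets:
        for q in questionnaire:
            if sheet[q.qid] != q.preferred:
                profile[q.gft] += 1
    return profile

def worst_gfts(profile, n=3):
    """The n GFTs with the most differences, i.e. the highest bars."""
    return sorted(profile, key=lambda g: (-profile[g], g))[:n]

def bars(profile):
    """Text rendering of the profile, one bar per GFT (drawn sideways)."""
    return "\n".join(f"{g:<27}{'#' * n} {n}" for g, n in profile.items())
```

Calling `print(bars(delta_profile(form, sheets)))` on a questionnaire from `make_questionnaire(build_banks())` and the collected answer sheets gives the profile, and `worst_gfts` names the three GFTs to take into the remedial-measures session.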
