Integrated Subsurface Containment Strategies

In high-risk activities, a minimum of two barriers are required to prevent risks from becoming failures. A multi-barrier strategy for preventing accident, failure, or, in this case, a subsurface containment loss is known as a defense-in-depth strategy.

Swiss Cheese Model of Accident Causation

This model is often conceptualized as a Swiss Cheese Model of Accident Causation. Each successive barrier blocks additional risks that pass through the “holes” of the previous barrier. The Swiss Cheese Model provides a useful approach for identifying where barriers can be placed or improved in event of failure.

A comprehensive approach for subsurface containment integrates geosciences, engineering, drilling and completion technology, operations and management. In the best cases, these disciplines collaborate to build out a defense-in-depth strategy of risk mitigation.

For example, an initial barrier of a subsurface containment strategy is provided by geological conditions, such as the presence of an adequate top seal sequence. This barrier set is supported by the engineered barriers of wells and pressure controls. These technical barriers are then further supported by human barriers including informed and qualified operators and robust regulations and processes. These processes in turn are verified by inspections, documentation and regulatory review.

Bowtie Model of Risk Assessment

The arrangement and overlay of human and technical barriers can be conceptualized further in the Bowtie Model of Risk Assessment and Mitigation. This model is used widely in safety analysis and process design as it allows an analysis of the most important risks and potential consequences and the systematic definition of barriers between them.

The bow tie model is read left to right with an event at the central knot of the tie. Risks occupy the left-most position with barriers separating the risk from escalating to an event. Then on the right of the event, additional barriers prevent that even from becoming a consequence.

Royal Dutch Shell Group (Shell) was one of the first large companies in the oil and gas industry to initially utilize the Bowtie Method. Shell’s primary motivation was the necessity of ensuring that appropriate risk barriers were in place throughout all worldwide operations. Because of their inherently larger and more dispersed organization, major operators must have a thorough company-wide plan set in place to mitigate risks of their high level of activity. As a result of this need, Shell adopted the Bowtie Method, and many other companies within the industry have since followed the same path.

Deepwater Horizon Bowtie Model

The figure below shows an example of a Bowtie Model to showcase the various hazards and barriers in place on the Deepwater Horizon rig that, when breached, led to disastrous consequences once hydrocarbons had entered the riser. The model assesses loss of containment risk in regard to foreseeable hazards and outcomes, as well as the various barriers. On the Deepwater Horizon, once hydrocarbons had entered the riser (center of the diagram), and hazards were recognizable, barriers were breached, and the result was an ignited blowout with loss of life (upper right of diagram). This historic containment loss will be further discussed later in this lesson.

Bowtie model for the Deepwater Horizon

Risk Management in Oil and Gas

One of our experts ties all of this together, contextualizing risk management in oil and gas within the wider world of best practices for avoiding incidents and risk.


Risk Management & Subsurface Containment – Jon Olson – The University of Texas at Austin

With recent high profile incidents, such as the natural gas leak in Aliso Canyon near Los Angeles, strategies for preventing containment losses are receiving increased attention. Subsurface containment consists of two main parts; Wellbore integrity and subsurface integrity. These are the two most important factors in preventing leaks and blowouts from subsurface facilities. Subsurface containment is required in all types of underground reservoir situations, including oil and gas fields, geothermal projects, natural gas storage facilities, strategic petroleum reserves and carbon dioxide storage.

Developing a containment strategy requires breaking down technical and organizational silos. Geologists, engineers, operators and management must all work together. Otherwise, critical information might not reach the people who need it. This can have serious and sometimes life-threatening repercussions. Wellbore integrity is maintained through proper design, testing, monitoring and maintenance. Subsurface integrity involves predicting and mitigating out of zone fluid migration through the subsurface geology. Baseline monitoring gives us data we can use to detect leaks from a well or from the geology, but monitoring is not enough.

What happens when an event in the subsurface occurs? Are there fail-safe mechanisms in place? Do employees know what to do? This is where our risk management plan comes into play. There are two main sets of barriers, hardware barriers and human barriers. Both are required to assure subsurface containment and project safety, and both should be a part of any risk management plan. Detection and shut down systems, such as blow out preventers, are examples of hardware barriers, but what if an alarm goes off and no one’s trained to respond to it? This is why human barriers are also critical. Hardware barriers alone are not enough. There should be at least one hardware barrier and one human barrier in place for each major risk area.

Examples of human barriers include training, preparedness, documentation, regulation and handover. Handover is the communication of information across an organization. Again, this may require breaking down silos. If engineers don’t pass along information to operators, mistakes can be made. The combination of hardware barriers and human barriers becomes what is called a defense-in-depth strategy. This is based on the principal that it’s more difficult to breach a complex and multilayer defense system than to penetrate a single barrier. The reason we need a multi-pronged approach is that most failures don’t happen in just one area. They often start with a small incident, which cascades and leads to a major failure.

Think about a grease fire that starts in a pan on someone’s stove. They don’t have a fire extinguisher in the kitchen. They make the mistake of pouring water on it and the fire spreads. They panic and run out of the house leaving their cell phone inside so they can’t call 911. By the time they find a neighbor who’s home, the house is engulfed in flames. Using our defense-in-depth strategy, a fire extinguisher would have been within reach. That’s the hardware barrier. The cook would have been trained in how to extinguish a grease fire. That would be the human barrier. With those barriers in place, we would have had a small incident instead of a catastrophe.

One way to identify barriers and risks is the Swiss Cheese model. Imagine slices of cheese as barriers. The holes in the cheese are the potential risks. By identifying and plugging the holes, we increase the chance that if something makes it through one barrier, it doesn’t make it through the next one. The Swiss cheese model gives us a way to identify and mitigate risks, but we also need to consider the consequences if failure occurs. To plan for both risks and consequences, we employ the bow tie model. Essentially, it’s looking at an event from both sides. We identify all of the potential causes of an event and the potential consequences. Equal attention must be paid to both sides of the bow tie.

In the example of the kitchen fire, having an evacuation plan and a working fire suppression system in place could have mitigated the consequences of the grease fire. All operators need to have a risk management plan that includes risk identification, mitigation procedures, a defense-in-depth strategy, including both human and hardware barriers, a system for monitoring feedback and regular assessment of the plan and a focus on safety across the organization. The plan would then be submitted to the regulatory agency for review and approval. A continuous improvement process is an ongoing effort to improve products, services, or processes. This can be incremental improvement over time or breakthrough improvement that happens all at once. Without effective communication in sharing of data, the process doesn’t work.

There are a number of commonly accepted definitions of safety culture. A concise one is that it is the values, attitudes, motivations and knowledge that affect the extent which safety is emphasized over competing goals in decisions and behavior. Here are some things to keep in mind when applying these models to subsurface containment in the petroleum industry. Start with a baseline study to assess potential risks and the exposure of the project to those risks. For example, has a field experienced prior leakage events? What is the level of natural earthquake activity? Are there orphaned wells in the area that haven’t been documented?

Apply the Swiss Cheese model to analyze wellbore integrity and subsurface integrity. Then create a defense-in-depth strategy that encompasses monitoring and operations. Finally, create an action plan that uses a continuous improvement model. If these plans are properly designed and implemented, safe operations will be the norm and containment losses will be minimized.


1. U.S. Chemical Safety Board, (n.d.), Macondo Blowout and Explosion, Accident Description, (accessed January 2, 2023)

Video written by Dr. Rich Schultz