Resources Article

Managing the Risks of Deepwater Drilling

Mar 15, 2011 | Carolyn Kousky

The Deepwater Horizon incident last April brought the possibility of catastrophic oil spills to the public's attention. The nature, magnitude, and duration of the spill clearly demonstrate the need for a systemwide change in regulatory approach to effectively address the low-probability risk of catastrophic spills. Considering these spills is important because they cause the majority of damage. Spills greater than 1,000 barrels account for only 0.05 percent of spills, but for nearly 80 percent of the total volume spilled.

Federal regulatory agencies, like the Federal Aviation Administration and the Nuclear Regulatory Commission, have dealt effectively with low-probability, high-consequence events through risk-based approaches. Their experiences can inform a shift away from prescriptive regulation and toward a risk-informed approach at the new Bureau of Ocean Energy Management, Regulation and Enforcement (BOEMRE), the successor to the Minerals Management Service (MMS), which was reorganized following the spill.

Estimating the Risk of Catastrophic Oil Spills

To assess the risks posed by oil spills, MMS had used a model for regulatory analyses developed by the U.S. Geological Survey, including three steps—estimating the probability of an oil spill, simulating trajectories of spills to critical environmental resources, and combining the results of the first two to estimate the risk from potential oil activity. Modeling deepwater spills is a bit trickier due to the higher pressures and colder temperatures, but these complications have been addressed in modeling and validated with field experiments.

Modeling done for the Deepwater Horizon project estimated that the most likely size of a spill greater than 1,000 barrels was only 4,600 barrels of oil, and the maximum spill would be 26,000 barrels over the 40-year life of exploration, development, and production activity on six leases, including the one involved in the recent spill, the Macondo. However, the low probability of a catastrophic spill was not taken into consideration; the Deepwater Horizon spill spewed almost 5 million barrels of oil.

Because the USGS model is used in many aspects of the regulatory process, any concerns about it propagate through almost all oil spill analyses, such as those done for compliance with the National Environmental Policy Act (NEPA). In many cases, it generated such low estimates that MMS could conclude there would be no significant impact of drilling on the environment and so was able to rely on broad, planning-stage NEPA analyses rather than additional site-specific analyses of environmental and other impacts.

MMS maintained and used historical data on oil spill occurrences to estimate the probability of a spill, and this partly accounts for the underestimations of catastrophic risk. Using historical data for low-probability, high-consequence events can be misleading. When risk analyses were calculated for the Macondo well, there had been no historical observations of catastrophic spills of the size experienced in the United States. Though a spill of this magnitude had not previously occurred in the Gulf, the probability of such an occurrence was not zero.

Risk modelers have developed methods to assess low-probability risks when there are not enough historical data to do so. One approach is called accident sequence precursor (ASP) analysis. Essentially, operators keep detailed records on “accident precursors,” or incidents in which one or more safety technologies or behavioral processes did not work as intended. With those data, engineers can compute the conditional probability that a precursor sequence of events could have gone on to catastrophic failure. Tracking and analyzing past performance to see where the opening steps to system failure are actually occurring is central to improving their performance. (See also Preventing Offshore Oil Spills on page 37.)

Lessons from Elsewhere: Tolerable Risk

Many agencies within the United States and abroad use a tolerable risk framework to guide regulatory actions. Under this approach, first developed in the United Kingdom by the British Health and Safety Executive for regulating nuclear power plants, risks are divided into three categories, as shown in the figure on page 38.

Unacceptable risks are those that are not allowed and, when identified, must be reduced. Acceptable risks are those that are sufficiently small that further risk-reducing actions are not necessary. Tolerable risks occupy the middle ground: for these risks, actions should be undertaken to reduce the risk to levels that are as low as reasonably practicable. The tolerable risk approach requires that quantitative thresholds be set to demarcate acceptable, tolerable, and unacceptable risks.

Different agencies have different methods for making this determination. As might be expected, thresholds will differ depending on whether the risk is for individuals, society, or project failure. They will also vary depending on the consequences. For example, thresholds for a risk of environmental harm will likely be different from those associated with human health.

Once thresholds are determined, regulators will also need to determine what methods to use for determining whether a tolerable risk is as low as reasonably possible. One approach to making this determination is cost–benefit analysis, in which risk-reduction benefits are monetized and weighed against costs. Others include minimizing the worst-possible outcome, maximizing risk mitigation within a preset budget constraint, using multicriteria decision-analysis tools, or relying on assessments of the best available technology for reducing risks. Whatever approach is chosen, the analysis should be redone periodically to take account of changes in the technology or risk estimates.

A tolerable risk approach with quantitative risk targets is quite different from the more historical, prescriptive approach taken by MMS, which specified technologies and practices. A prescriptive approach to risk management can be problematic:

  • Regulations may lag behind the newest and safest equipment and practices.
  • Regulations may not cover all behaviors that influence safety.
  • Regulators bear a large burden for inspecting facilities to affirm safety.

A tolerable risk framework would avoid these challenges and more closely mirror what other countries have adopted to regulate their oil drilling. Norway, for example, places responsibility on the operator to identify risks and then develop controls, mitigation strategies, and systems to reduce risks to predefined thresholds. Intuitively, equipment and systems determined to be highly important to safety are regulated more closely than others. In the United Kingdom, each operator must develop a safety case that first identifies risks on a systemwide basis, including both technical and procedural or human-behavioral risks, and then recommends a strategy to reduce them to specified thresholds.


Catastrophic spills, while of very low probability, are responsible for the vast majority of damage from oil spills. The Deepwater Horizon demonstrated that oil spill regulation in the United States had failed to fully consider the possibilities. Without analysis of their likelihood and the damage they would cause, there was no way to ascertain whether enough was being done to reduce this threat. BOEMRE and the industry as a whole could benefit from improved risk management in several ways.

First, modeling of such low-probability, high-consequence events can be improved. Approaches for overcoming the limits of lacking historical data have been developed in other sectors, most notably nuclear power regulation, and could be adapted to oil drilling. Improvements in modeling will improve not just BOEMRE safety regulations but also compliance with statutes, like the NEPA and the Endangered Species Act.

possible but not likely and where the technology is constantly evolving, prescriptive safety approaches are not the best regulatory framework. Instead, a risk-based approach under which government and industry can work together to improve safety and lower the risks of a catastrophic spill to acceptable limits is preferable. This approach should go hand in hand with the development of a culture of safety within industry, and BOEMRE should do what it can to support and promote such a culture. Adopting a risk-based approach with quantifiable targets would also allow for a transparent answer to the question: How safe is safe enough? Once quantified, stakeholders can weigh in and others can independently review and critique risk analyses, facilitating analytic improvements and public acceptance of agency risk management choices.

Preventing Offshore Oil Spills
Roger Cooke, Heather Ross, and Adam Stern

Events that open the door to offshore oil spills happen all the time. They are the first steps in accident sequences that are generally cut short by safety mechanisms before well control is lost. But not always—as reported in the Wall Street Journal, there were 28 major drilling-related spills, natural gas releases, or incidents in which workers lost control of a well in the U.S. Gulf of Mexico in 2009, up over 60 percent from 2006. As drilling activity extends to deeper water and higher-pressure horizons, these events are increasing, coming dramatically to our attention with the Macondo well blowout, the biggest system failure yet.

The first order of business to prevent offshore spills is observing what is going wrong and correcting it. No amount of planning, training, standard setting, incentive structuring, institution-building or culture-imbuing can substitute for this fundamental recognition. Problems will arise and we must spot them when they occur and prevent them from occurring again. This is the centerpiece of any risk management effort: collect data, track performance, learn lessons, and improve results. Offshore, this means setting up a quantitative risk-performance tracking system that reports real-time operating data to feed spill-focused learning models that use experience in the Gulf to illuminate patterns of mishaps occurring as drilling proceeds. A successful system will do for offshore oil and gas what the Nuclear Regulatory Commission accomplished in the U.S. nuclear sector with its Accident Sequence Precursor (ASP) program developed after Three Mile Island. Thirty years on, that sector, both government and industry, is among the most sophisticated users of quantitative risk assessment and has not had another significant core meltdown.

Further Reading
Gold, Russell and Ben Casselman. 2010. Far Offshore, a Rash of Close Calls. Wall Street Journal. Dec. 8. Business.