‘The conduct of risk assessment needs three qualities: to be credible, to be defensible and to be transparent.’ Borrowing these words from a presentation given by Des Hartford of BC Hydro at icold 2000, Tor Åmdal of Norway-based Statkraft Groner summed up the message delegates were given during a session at the recent Hydrovision 2002 conference held from 29 July to 2 August in Portland, Oregon, US.

Entitled ‘getting value from risk assessment: when is it worth the effort?’, the session, chaired by Thomas E Duncan of US-based Southern Company Generation and featuring panellists Åmdal, Dan Dupak of Canada-based Ontario Power Generation, John D Smart of the US Bureau of Reclamation (USBR) and Lieutenant Colonel Terrence P Ryan of the US Army Corps of Engineers (USACE), aimed to answer questions that are no doubt on the minds of many of you involved in dam safety.

Using recent case histories in which risk assessment was used to make safety-related decisions, these panellists promised to examine the evolution of approaches and methodologies of risk assessment, with focus on costs and benefits.

Dan Dupak opened the session by explaining the objectives of risk assessment.

‘Risk assessment is important to identify with greater clarity failure scenarios that can affect the safety of the dam and the dam system,’ he explained. ‘It’s needed to identify, quantify, prioritise and manage dam safety risks in a proactive, focused and interactive manner so that benefits from opportunities are maximised and the consequences of adverse events are minimised.’

Dupak also pointed out that a good risk assessment method would need to communicate risk exposure to the operators, stakeholders and management, and enhance decision-making in terms of improved dam safety in a manner that produces the greatest value for the available resources in conjunction with business goals and asset protection. He suggested risk assessment should follow 12 steps which could help the dam operator become risk-informed and identify safety critical failures, as shown in the fact file below.

Risk-based management

John Smart, a dam safety officer for the USBR, agreed that a structured approach to risk assessment was important. Smart pointed out that a fundamental part of a risk-based approach was the identification of plausible failure modes. He told delegates that the quantification of risk is defined as the probability of a failure multiplied by the consequence of the failure.

But what would be the benefits of using risk-based programme management? Smart said that such a system could lead to:

• Identification of issues that are related to dam safety as opposed to required maintenance.

• Prioritisation of dam safety issues for a given dam as well as from dam to dam within the portfolio.

• Prioritisation based on both likelihood of failure and magnitude of consequences.

• Dam safety decisions driven by risk reduction rather than deterministic approaches such as maximum credible earthquake and probable maximum flood loadings.

• Effective communication of programme needs to managers (decision-makers) who may not be dam safety professionals.

• A focus for studies, analysis, and data gathering activities in support of risk identification and reduction of uncertainty in risk estimation.

• Identification of effectiveness of both structural and non-structural risk reduction alternatives.

• Full consideration of the threats to the safety of a dam with common measures of the degree of importance.

• Assessment of failure modes that do not lend themselves to rigorous engineering analysis including piping and manmade events such as operational failures and malevolent acts.

Cost issues

Delegates attending the session were interested to find out about the costs associated with risk assessment

‘When the overall cost of the dam safety programme is considered, costs are reduced for a given level of accomplishment by focusing the effort on the areas of highest risk,’ said Smart. ‘The purpose of risk-based programme management is to increase the effectiveness of risk-reduction efforts.

‘It requires approximately 65 staff-days to perform a comprehensive risk analysis for a dam in a team setting and to prepare a report on the results,’ he added, ‘but useful information can be developed for decision-making in the case of single issue studies with considerably fewer staff days. In the case of a project that goes through the complete cycle of issue identification;

conceptual and final design of a modification; and then construction of a modification, considerably more staff time may be spent on risk analysis.’

As an example of successful risk assessment, Smart told delegates about the case of Pueblo dam, a composite dam in southeastern Colorado. Issues identified at the dam included problems with flood handling capability, foundation and lift-line stability of the massive head concrete buttress structure, and leakage of the water stops between the massive head buttresses

As a result of a risk assessment programme – in which the full spectrum of threats to the safety of the dam were considered – dam safety issues were clearly defined and the water-stop issue was determined to be a maintenance issue rather than a dam safety issue

Modification of the dam was also given high priority within the programme and the stability issues were given higher priority than spillway capacities for extreme events. The dam safety requirements were effectively communicated to decision-makers and to other stakeholders, while a copy of the risk analysis report was provided to the local library.

Risk analysis was also used to evaluate the effectiveness of reservoir restrictions and modifications in reducing risk.

‘While there are substantial costs associated with risk analysis activities, the use of risk assessment provides an overall increase in risk reduction for funds expended,’ Smart added. ‘The use of risk assessment is an effective tool that provides information that is central to the objectives of the programme for the use of those who make programme decisions.’

Methods of assessment

So what methods of risk assessment have been developed? In his presentation, panellist Tor Åmdal focused on a new quantitative risk analysis method that has been developed to analyse the consequences of dam breaks.

‘Let us look at the two main inputs to a risk assessment,’ said Åmdal, who has been involved in several risk analyses in Norway and is responsible for the New Norwegian guidelines for risk assessment for dams, gates and penstocks. ‘In general, risk is the product of probability of failure multiplied by the consequences of failure. Let’s say that quantifying of risk is the target for the analysis, which is represented by 100%. Then, how much effort should be put into quantifying the probability of failure? I think the risk analysis facilitator should spend 50% of total time and cost for the analysis on this part. Then 50% of total time and cost remains for the analysis of consequences of failure.

‘In Norway, and probably also in many other countries, the main effort has been put on quantifying the probability of failure,’ he added. ‘We also tend to call it a risk assessment even if the consequence part is totally neglected. But what about methodologies for quantifying the consequences of failure? Is this part of the RA not so important, or are we in lack of reliable models for the consequence part?’

Åmdal explains that the Norwegian purpose has been to develop a consequence model applicable for Norwegian dams, which takes into account all the essential factors influencing people’s ability to escape safely from a treacherous flood wave.

He said the consequences of dam breaks for the population living downstream of the dam will depend on a number of different factors, such as:

• The characteristics of the flood wave (height, velocity and temperature).

• Destruction of downstream dam(s).

• Erosions and landslides caused by the flood wave.

• Reliability of warning facilities and systems.

• Whether the decision to start evacuation is taken prior to the dam break or not.

• Warning time, i.e. the available time that the population has for evacuation.

• Existence of well developed manual warning and evacuation plans.

• Evacuation efficiency, such as: the population’s knowledge of how to act in case of a dam break; availability of escape possibilities; present weather and flooding conditions; fraction of elderly and disabled persons in the population; the time of the day (day/night) and time of the year (winter/summer);

the availability of external assistance in the evacuation process; regular realistic emergency preparedness exercises involving both dam operation personnel and persons living in the affected communities.

All these factors will affect the number of people that will be affected due to a dam break. So, is it possible to calculate the expected number of fatalities? In the model presented by Åmdal, the expected number of fatalities per year, or potential loss of life (PLL) are calculated based on the event tree methodology.

To incorporate the factors mentioned above, a mathematical formula for PLL was introduced where population groups, warning time and fraction of people successfully evacuated is included.

‘First, you have to make a definition of the population groups,’ said Åmdal. ‘If the population is scattered all the way in the areas downstream of the dam, it is necessary to divide it into sub-populations when calculating the risk. Basically the sub-populations should be defined according to the distance to the dam and the height above the normal water level. This is important since some houses may be threatened by the water as soon as the water level is only a few metres above normal, while others are not exposed before the flood wave approaches its maximum height.

‘Second, the warning time is included,’ he added. ‘In this context, the warning time is defined to be the available evacuation time for a given population, i.e. the time period between the warning of dam break is received by the population and the time the flood wave is considered as fatal for the population in question. The crucial point is to assure that as many people as possible are warned in due time so that they have sufficient time to escape the water unharmed.’

Åmdal says this may be obtained by the following measures:

• Installation of a public warning system in the area. This will ensure that everybody is being warned at the same time. Such a system may be of an audible type.

• If the public warning system is not working properly (or not installed), proper manual warning plans should be established. These plans need to be activated within short time after the dam break is realised or prior to the dam break.

Finally, the fraction of people successfully evacuated needs to be included. This means that the number of fatalities in a given population may now be calculated according to the following expression:

PLL = N•[_•(1-_)+(1-_)•(1- _)]


N•_•(1-_) = number of people who die among those who have been warned

N(1-_)•(1- _) = number of people who die among those who have not been warned

According to Åmdal, since no ‘true’ values of the essential parameters affecting the evacuation effectiveness of people during dam failures exist, some of the parameters are based on sound judgement. ‘Luckily we have never had any failures of large dams in Norway. A couple of dam failures of minor dams have occurred since the last war, but with no fatalities,’ he said. ‘Hence the model cannot be calibrated against relevant Norwegian dam failures.’

Security issues

During the session, delegates were also presented with information on another risk assessment methodology for dams – the RAM-D system.

As Lieutenant Colonel Terrence P Ryan of USACE explained, RAM-D is the first tool to be developed and validated by the Interagency Forum for Infrastructure Protection (IFIP), in connection with Sandia National Laboratories, who have a history of providing security solutions for high-consequence facilities. It is specialised for assessing risks from security breaches.

The RAM-D process consists of a series of checksheets and worklists that needs to be completed. The assessment starts with a screening process to determine which dams require a full examination. It identifies undesired events and their consequences, and it prioritises them to decide whether a particular dam needs to be fully analysed.

The core of RAM-D is based on a general risk equation, which aims to estimate the effectiveness of current security systems and the likelihood that the adversary can defeat them as follows:

PA * C * (1-PE) = R


PA = Likelihood of the attack

C = Consequence of the attack

PE = Security system effectiveness in preventing undesired event

(1-PE) = Likelihood that the adversary attack is successful (also the likelihood that security system is not effective against the attack)

R = Risk associated with adversary attack.

This methodology is currently available in the US. However, as it contains sensitive information all those who request it are screened and asked to sign a non-disclosure statement.

With such systems available, risk assessment is likely to form an important part of an effective dam safety programme. And it may have important consequences for the safety of dams, as Dupak suggests: ‘The biggest risk you take, is not knowing the risk.’

Related Articles
Spotlight on … uprating and refurbishment

The 12 steps of risk assessment

1. Define system boundary.
2. Define component function.
3. Identify failure modes.
4. Determine cause.
5. Develop failure mechanics.
6. Identify detection provisions.
7. Identify controlling provisions.
8. Outline emergency action.
9. Develop failure scenario.
10. Determine consequences.
11. Evaluate risk.
12. Document.