Risky business3 June 2003
Phuong Nguyen gives an overview of the dam safety process, the evolution of risk management, and the main approaches in use at Canadian company Hydro-Québec.
Many specialists working in the dam safety field pose the question "Why do we need risk management?" Answers can vary widely, but from our point of view, risk management must respond to a specific need: to complement the classic and deterministic approach by formally considering the notions of uncertainty and complexity in the decision-making process. In fact, if the traditional deterministic approach is adapted well to an engineering approach in the design of new dams, it is not always appropriate to evaluate the safety of existing dams. This approach is more oriented to the protection of the dam itself, rather than to examining the dam and its environment as a whole and to characterising the risks and adverse consequences generated by the presence and operation of the dam.
Risk management as applied to dam safety has to be developed and implemented to achieve these principal objectives:
• A better understanding of the dam's behaviour and its response projected under different load combinations and under adverse conditions leading to potential failure mechanisms.
• An appropriate evaluation of uncertainties related to parameters, models and loads.
• An assessment of load conditions, the possibility of failure given loads and the consequences given a failure.
• The identification and prioritisation of appropriate structural and non-structural measures to reduce overall risks, including recurrent surveillance activities.
• A global view and appreciation of the different tasks and contribution of each stake--holder involved in the decision-making process: owner, legislator, public(s) concerned.
• An efficient funding allowance and use of resources to ensure dam safety, to keep risks to an appropriate and balanced level for the overall portfolio.
Finally, to keep it practicable and useful, a formal process for safety evaluation and technical judgment must be implemented to keep track of all related documentation and to ensure the transparency and defendable aspects of the overall risk management process.
With an inventory of 566 dams, 226 of which are considered large dams according to icold criteria, dam safety is always a top priority at Hydro-Québec. A dam safety policy and regulations were first introduced in 1985 and, since then, they have been updated regularly to reflect the evolution of international practice and also to cope with the legal and regulatory framework of the Province of Québec.
To deal with basic dam risk and ensure safe installation, the following activities need to be carried out:
• Adoption of an internal dam safety policy, with a complete set of regulations covering all aspects to ensure the safety of dams.
• A comprehensive programme planned over a 10-year timeframe and a detailed yearly schedule drawn up for all activities.
• On-site activities covering visual inspection, instrumentation, dam behaviour and follow-up. The performance testing of discharge facilities also needs to be done on a yearly basis. All these surveillance data, after validation, should be stored in an integrated database for further analysis and safety reviews.
• Safety reviews of dams, including structural and functional analyses of all components of the facility, with emphasis on the ability of dams to withstand extreme events (large floods, strong earthquakes). (In Québec, this comprehensive study is now compulsory and has to be tabled before, and approved by regulators.)
• Safety maintenance programme, including basic and regular maintenance and specific maintenance as issued or recommended through previous activities.
Even if all these activities are carried out, residual risk always exists. Hydraulic studies and dam-break simulations are then performed and inundation mappings drawn up to form part of an Emergency Action Plan at each location.
After a period of observation and benchmarking with other big dam owners regarding the introduction of risk management in conjunction with asset management, Hydro-Québec finally adopted a formal Dam Risk Management Policy in 2000. The policy is based on a prudent, flexible and realistic philosophy, with a strategy aimed more on a qualitative than a quantitative approach and integrated throughout the entire dam safety process.
Three basic principles govern the Dam Risk Management Policy. Firstly, there is Proaction. The unit responsible for the dam or facility has to manage and reduce dam risk as far as is practicable, following the well-known ALARP principle, through preventive action to lower the probability of failure, or by mitigative measures to reduce adverse consequences. This proaction principle is oriented toward two main objectives: to ensure continuous due diligence related to basic activities for dam safety, and to ensure sound and competent technical judgment able to counterbalance inherent uncertainties.
Preparedness is another principle. People at each management level must be ready to take the action, and handle the specific intervention required to deal efficiently with any emergency situation.
The final principle is precaution. Management must take into account all stakeholders' interests and regulatory requirements in the day-by-day business and decision-making process. Emphasis is on a sound communications plan and public awareness of dam risk.
Risk management can be achieved in four levels. Identification of hazards is the first level of the process. At this level, three categories of loads are considered: normal or static load, extreme floods, and strong earthquake conditions, with the respective response of dams being assessed for each load condition. Potential failure mechanisms resulting from these load scenarios are determined, mostly in intense working group sessions. The outcome at this step is the determination of main failure mechanisms and the overall probability of failure P of a dam. This probability is interpreted in the subjective or Bayesian sense and pertains to data, information and knowledge, including the personal knowledge and experience of the specialists involved. It is not considered to be a property of the dam.
Risk Analyses are performed at the second level of the process. Consequences C resulting from dam failure will be evaluated and combined with the results from the first level. Risk analyses are then performed. The conventional calculation of risk is mathematically unstable, considering the product of P, a number tending to zero, by C, which tends to infinity. Since this is too unreliable to be useful, parameters P and C are considered separately for interpretation.
Risk Assessment is performed at the third level. Results from the risk analyses are then evaluated and compared against principles and technical criteria, general practice or state-of-the-art, acceptable limits, internal regulations, etc. A global portrait of risk, with main issues and uncertainties on key parameters and possible measures for reducing risk are determined. Measures can be categorised as: Reduction of probability of failure P; Reduction of uncertainties related to P; Reduction of magnitude of adverse consequences C; Reduction of uncertainties related to C.
Risk Control and mitigative measures are the final steps in the process. To reduce risk to a 'tolerable' level, mitigative measures often used are: basic and repetitive activities or structural measures for reducing the probability of failure P, or non-structural measures to reduce consequences C and to avoid the possibility of loss of life resulting from dam failure. This is a key issue in any sound risk management process.
The rational and practical links between the basic activities of the dam safety process, the different mitigative measures for risk control, and the positive return of experience and feedback between
these basic activities and the risk assessment process, constitute the backbone of the Dam Risk Management Policy at Hydro-Québec. This is also a realistic way of spreading the concept of risk all through the company's comprehensive dam safety process. Surveillance activities and safety reviews of dams are then associated with repetitive activities to control risk of failure and lower P. Maintenance programmes, with basic maintenance, remedial works and rehabilitation projects, are linked to structural measures to control risk through parameter P. Emergency Action Plans (EAP), Early Warning Systems (EWS), land use planning, flood plain policy and insurance covering the risk of dam failure are then associated with non-structural measures to effectively reduce parameter C.
All these activities and the links between the dam safety and risk management processes are now gradually being applied at different levels at Hydro-Québec.
Meanwhile, threats and risks related to extreme events, particularly large flash floods and their impacts on retaining structures, were and remain a great concern.
In July 1996, a major hydrologic event occurred in the northeastern part of Québec, with flooding conditions affecting various basins and adjoining watersheds in the Saguenay area, particularly the Kenogami reservoir and Chicoutimi river.
The precipitation registered in the upper part of this basin was 250mm, covering a surface of 3390km2, with a daily flow peak at 2364m3/sec. This maximum flow represents a return period of 1:10,000 years. Hydro-Québec has just two decommissioned power plants on the river.
The total physical damage to the overall area covered by flooding was estimated at about US$589M. No loss of life was attributed to this major event because emergency measures were deployed and people at risk evacuated in a timely and efficient fashion by local municipalities and public security forces. This event later led to the adoption by the Québec government of the Dam Safety Act in 2000.
Like other dam owners, Hydro-Québec experienced some operational difficulties during this event. The major lessons that can be learned from the 1996 Saguenay Flood include: key roles need to be identified in an effective and up-to-date Emergency Action Plan to save lives under severe flood conditions; flood management of a river or water basin needs coherent and congruous action among different owners; dams and reservoirs can play a key role in retention and in delaying peak discharge and flood routing; and breaching in the vicinity of hydraulic structures, or on the rim of reservoirs where erodible materials predominate, create a situation of great concern, and were the principal cause of reservoir losses during the event.
Following this major event, Hydro-Québec adopted a careful approach based on safe evacuation during extreme floods at optimum cost. The approach is built on four guiding principles:
• No failure of dams will be tolerated, and all technical and practicable action must be taken promptly to ensure the safety of dams up to Safety Check Flood.
• When the probability of loss of life exists, the facility must be able to deal safely with the Probable Maximum Flood.
• All practicable measures must be taken to avoid damage and to reduce risk to people downstream.
• Once the safety of people has been assured, all other decisions can be made based on technical and economical factors.
To ensure the adequate capacity of existing spillways to handle large floods, and despite the widespread practice to use only Inflow Design Flood (IDF) in North America, Hydro-Québec has adopted two levels of floods, as recommended by the ICOLD design flood (inflow that must be discharged under normal conditions with a safety margin provided by the freeboard) and safety check flood (maximum flood under which dam and components are considered on the verge of failure, but exhibit marginally safety performance for this flood condition).
In practice, and based on the experience with the 1996 Saguenay Flood, the hydrologic risk can be managed safely and at optimum cost throughout an overall approach based on management and control of three sets of risks:
We can control the risk at the dam itself through: No-failure criteria under normal and extreme loads; Preventive action and dam safety process measures; Remedial action and structural work based on ALARP principle.
Inundation and flood risks can be managed through: More flexible rules and preventive operations at large reservoirs to reduce and delay flood peaks by pre-releases, water storage and flood routing; Improved and updated hydrologic modeling for inflow and flooding forecasts, with more accurate data allowing enough time for appropriate preventive action and measures (reservoir operations, gate openings.
This last component of risk can be managed through non-structural measures, such as Early Warning Systems and inundation alerts for people at risk, implementing and regularly testing the Emergency Action Plan to improve its effectiveness.
Perspectives and improvements
The United States Society of Dams (USSD) Working Group on Risk Assessment, in their report of June 2002, listed four risk assessment categories for current practice:
Failure Modes Identification (FMI)
FMI is a qualitative diagnostic approach, and not a decision tool, that provides a comprehensive safety evaluation of dam and a basis for strengthening many aspects of a dam safety programme.
Index Prioritisation (IP)
IP is an increasingly popular approach for prioritising dam safety issues and investigations, generally less costly to use, but more limited in the scope of outcomes.
Portfolio Risk Assessment (PRA)
PRA is an accepted approach for cost-effectively prioritising dam safety remedial measures and investigations for a group of dams. It provides insights that can better inform owners about the business and liability implications of dam ownership.
Quantitative Risk Assessment (QRA)
QRA approaches are valuable for providing insights and understanding failure modes and associated risks, in terms of probabilities and consequences, for stakeholders. Uncertainties in inputs and outcomes must be taken into account.
To date, Hydro-Québec is using two approaches simultaneously. Firstly there is Condition Index (CI), which was developed jointly with the US Army Corps of Engineers and other major dam owners. This approach is aimed at optimising resources allocated to a group of dams for dam safety purposes. There are four steps. First, there is a subjective evaluation of the possibility of failure by global or specific failure mechanisms, followed by an evaluation of each dam's surveillance system and defence mechanism and their contribution to withstanding failure. The next step is an evaluation of the specific condition of each dam, and finally establishing a Condition Index for each dam, as a relative ranking (0 to 100), to prioritise interventions and remedial measures among a group of dams.
Having completed a Condition Index for earth and rockfill dams, this approach is now being used to develop an index for concrete dams and spillways.
Quantitative Risk Assessment (QRA) is another approach. This approach, which includes the identification of hazards and risk analysis, is used in working group sessions. Given the large number of dams concerned, QRA is now considered an extension of the safety review study. Risk assessments are limited to specific cases where the decision-making process regarding the safety of a dam calls for a better understanding of the phenomena and uncertainties involved.
As with any QRA approach, improvements are needed to better estimate and correctly interpret probabilities and consequences. Due to a paucity of statistics on dam failures and the non-verifiability of published case studies, probabilities derived from historical failures must be used and interpreted with caution. A research project is under way to improve representing knowledge related to uncertain parameters that contribute to risk, and to allow probabilistic inference within the context of Bayesian statistics. However, determining adverse consequences, particularly for persons at risk (PAR) and the relationship leading to an evaluation of loss of life (LOL), require some benchmarks or models that can be used as standard practice. Finally, determining some 'tolerable' risk criteria so that outcomes can be compared, and the defensibility of QRA from the viewpoint of legislators and the general public are among the problems to be solved to make a risk-based approach more appropriate as a decision-making tool for dam safety purposes.
Phuong Nguyen is Manager, Dams and Civil Works in Hydro-Québec's Generation Division. He obtained his B.Eng. degree from École Polytechnique in 1979, and subsequently an MBA from l'Université de Montréal. He has worked principally on the James Bay project and the dam safety program. Since 1997, he has been responsible for technical studies and for the periodic safety review of all Hydro-Québec dams.
The author would like to acknowledge the contribution of Gerard Verzeni, Director, Dam Safety at Hydro-Québec for the part he played in the development and implementation of the concept of risk, and as the head of the taskforce to establish a risk management policy. A special thanks, too, to Marc Smith, geotechnical engineer and risk specialist, who kindly agreed to review this article.
Related ArticlesSpotlight on… Canada