Safe and secure - risk based techniques for dam safety7 December 2006
In December 2006, part one of our article on the issues associated with the use of risk based techniques for assessing the safety of dams reported on the potential for dam failures based on past evidence and causes, and assessed the records for dam safety legislation and the classifications the structures are given by countries worldwide. Part two looks at how risk assessment has evolved, studies the public’s attitudes towards dam safety, looks in detail at the concept of risk assessment as applied to dam safety and current practice in its applications, and touches on the issue of dam security
Recent years have seen approaches to dam safety developing on from an engineering approach to more risk-informed methods. This is not to say that the traditional standards-based assessment methodology has been made defunct, it is rather that the risk-based techniques are growing in popularity amongst dam professionals worldwide as a device for defining risks that may have been otherwise overlooked and to prioritize implementation of dam safety remedial works to best protect the public.
The evolution of risk assessment for dams
In the context of dam safety, risk is defined as a measure of both the probability and consequence of an adverse effect on health, property or the environment (Canadian Standards Association, 1991). Or, in more general terms, risk equals the product of the probability of an occurrence of an event (typically a dam failure event1) with the consequences of that event.
In the discussions presented in Part 1 of this article, it is clear that the general methodology for assessing the ‘risks’ associated with dam safety accounts only for the consequence part of the risk assessment. This does, generally, provide for a conservative assessment of the safety of a given dam. However, as the worlds dams age, owners face major decisions about the ways in which finite financial and human resources should be allocated to ensure their continuing safe operation. For example, many of Europe’s dams are headed towards ‘middle age’ with the median age of dams in the UK in excess of 80 years. In the US, according to the National Performance of Dams Program (NPDP), at least 85% of the more than 75,000 dams in the country will be in excess of 50 years old by 2020. To make better use of the available resources, and to allow focused and prioritized expenditures on the basis of a clear understanding of the risk a particular dam poses to the public, the dam industry is increasingly recognising the value of using risk based techniques as part of an overall dam safety programme.
Risk assessment methodologies had their origins in military operations research during World War II and subsequently to assess the potential for chemical and nuclear plant failure. More recently, industrial accidents such as the 1976 dioxin release in Seveso in northern Italy and the 1984 methyl-isocyanate incident in Bhopal, India, accelerated the application of risk assessment for the control of industrial hazards. Legislative and procedural developments have supported this trend including the European Economic Community (now European Union) Directive for Major Accident Prevention of 1982, and the US National Research Council’s risk assessment framework of 1983 for the Environmental Protection Agency (USEPA).
In the dam industry, risk analysis concepts for the evaluation of existing dams were introduced by a taskforce of the hydraulics division of ASCE in the early 1970s. Implementation of those techniques to support major dam safety rehabilitation decisions occurred during the latter part of the 1970s, with the inception of modern-day dam safety programmes in the US (FERC 1979). These guidelines formally adopted probabilistic assessment procedures to provide a rational means of predicting the occurrence of floods or earthquakes.
Throughout the 1980s, several organisations adopted risk-based approaches for risk assessment methodologies started to be applied to the issue of dam safety: for assessing the safety of individual structures (Kreuzer and Bury 1984; Bury and Kreuzer 1985); as part of an overall dam safety assessment (Gruetter and Schnitter 1982); or for the design of new structures (Atkinson and Vick 1985).
There were, however, some reservations as to the applicability of such methods for the analysis of the safety of dams. For example, Peck (1984) acknowledged the value of probabilistic methods for assessing the risk of major floods and earthquakes but cautioned that such techniques should be not used to replace the redundant ‘defences’ required in any dam design to guard against unforeseen geological hazards. Whitman (1984) compared the traditional design approaches with those based on risk and reliability prompting others to review the applicability of risk assessment techniques more closely.
In the latter part of the 1980s, the US Bureau of Reclamation (USBR) introduced guidelines for incorporating the results of risk analyses into the decision-making process (USBR 1989). During the 1990s, the use of risk-based procedures gained momentum. In 1992, the US Army Corps of Engineers (USACE) began a programme to develop computer models which used a probabilistic approach, combined with detailed condition assessments, to support decisions on major rehabilitation works. In Canada, similar, but separate, research was undertaken by Hatch Energy (then Acres International) to develop a computerised, risk-based procedure to assist in decisions with respect to the optimum timing and alternatives for competing rehabilitation options (Donnelly and MacTavish 1997; Westermann 1998; de Meel et al. 1998). During this same period, BC Hydro adopted a qualitative, risk-based approach to assist in the assessment of complex dam safety issues (Nielson 1993; Salmon and von Hehn 1993; Nielson et al. 1994; Salmon and Hartford 1995).
By the middle of the 1990s, the Australian Committee on Large Dams (ANCOLD 1994) published guidelines on dam safety that explicitly addressed tolerable life loss risk criteria based on nuclear power and industrial facility risk practices, mirroring similar work that had been published by BC Hydro (but was subsequently abandoned in 1997). Starting in 1995, USBR developed risk assessment procedures and is currently one of the largest users of risk based methodologies. In 1996, USACE recognised that major rehabilitation is an investment to avoid future increased operating and emergency repair costs and losses. To support this concept, an economic-based decision framework was developed that borrowed heavily from the methods of risk analysis combined with probabilistic benefit-cost analysis. Currently, USACE is in the process of developing tolerable loss of life guidelines (icold, 2004).
Dams and public safety
In reality, the greatest risk to the public associated with dams is not at all related to the structural failure of the structure due to inadequate design, the matter that the Standards Based Review approach is specifically intended to address.
Public safety risks, and in particular risks associated with drowning incidents due to (for example) the public making use of the waterway downstream in a restricted area or in the reservoir too close to an operating sluice gate represent the greatest danger that a dam presents to the public. In Canada, for example, safety statistics show that drowning deaths attributable to dams presents a relatively low risk to life safety compared to other activities that one might not normally consider as being potentially hazardous.
In the last 10 years in Canada there have been 34 reported drowning incidents attributable to dams. However, none of these are associated with dam failure. In fact, over the last 100 years, there have only been two deaths in Canada attributable to the failure of a dam, and none within the past four decades. In evaluating the safety of a dam it is, therefore, necessary to consider both quantifiable measures need to ensure the structural integrity of a dam (which is the subject of this paper and the focus of traditional Standards Based Review assessments) but also other issues associated with less quantifiable matters associated with protecting the public from risk that arise during the normal operation of a dam.
Risk assessment as applied to dam safety
In principle, the concept of risk-based analyses for evaluating dam safety problems is quite simple. In its most basic form, a risk-based assessment involves establishing the reliability of a given structure to perform its intended function, with reliability primarily being a function of the original design, age and condition (or maintenance). However, in practice, dam safety risks are not usually associated with an easily predictable, single incident due to the fact that failure usually occurs as a result of an uncertain chain of events, with the chance of any individual event happening along a chain conditional on all of the other events preceding it occurring first. As well, failure consequences can also be uncertain since these consequences can be mitigated by human actions which are typically also defined by a chain of uncertain events. This general concept for the establishing risk is indicated in Figure 5.
The hydroelectric industry’s recognition of the importance of avoiding unexpected failure, or forced outages, has led to the development of probabilistic, or risk-based, techniques in order to attempt to quantify exposures. Traditionally, such analyses have been undertaken using qualitative assessments, relying on experience and sound engineering judgment to establish the optimum time to maintain, repair or replace a component or system. However, depending on the nature of the problem, and the level of experience of those involved in the decision-making process, it can be difficult to strike a defendable balance between acting proactively while accepting some amount of risk. Therefore, adoption of risk assessment methodologies as the sole means of assessing the safety of a dam has not been accepted within the industry.
For this to occur, it would be necessary to derive realistic and defendable values for the probability of failure of the complex dam systems so that a responsible, transparent and accountable decision can be made with regard to both the timing and necessity of remedial works to minimise the risk of failure. As discussed by Morgenroth et. al., 1999 and Donnelly and Morgenroth, 2005, there are techniques available to assess failure probability quantitatively for some important dam components using capacity-demand analysis techniques. However, this methodology has not yet been accepted in the industry to date and will not be discussed further in this paper.
Within the dam industry risk assessments are undertaken following a series of well-defined steps, as described by Hartford et al (1995, 2005), ICOLD Bulletin 130 (2004), and others.
Step 1: Failure modes definition and screening
As a first step in the process, all conceivable failure modes are identified and screened to eliminate any which are not credible. During this step plausible failure modes are established as well as those that would be classified as highly improbable. Plausible failure modes are then typically broken down into the series of vents or conditions that would need to occur to result in failure of the dam. The ‘brainstorming’ exercise that accompanies this step often represents one of the most valuable parts of the entire process promoting creative and critical thinking amongst the investigators.
Step 2: The event-tree method
To address the complex interrelationship of occurrences that make up a single event, the fault or event-tree method (Evans, 1974) has been adopted for dam safety assessments. An event tree commences with an initiating event, which is usually associated with extreme occurrences such as a major earthquake, flood or rainfall but could also be a less definable event (at least in terms of establishing probability) such as human error or mis-operation of flow control equipment. Stemming from this initial event is a series of possible outcomes, each with its own conditional probability of occurrence. As represented in Figure 6, the event tree is essentially a model of all of the possibilities that the future might hold. In addition, it represents, at least to some extent, the analyst’s subjective and site-specific view of the future.
Step 3: Establish the unconditional probability of failure for each of the individual events
The probability of occurrence associated with initiating events (such as earthquakes or floods) can usually be established on the basis of accepted numerical techniques. Following this initiating event, the definition of the total unconditional probability of failure is:
Ptotal = Pevent x Pfailure x Pconsequence
Where: Ptotal = unconditional probability of a consequence occurring; Pevent = unconditional probability that a defined hazardous event will occur; Pfailure = conditional probability that the dam will actually fail for a given event; Pconsequence = conditional probability of the consequence occurring, given a dam failure.
As reported by numerous practitioners (Salmon and Hartford 1995; Hartford et al. 1995; Payton et al. 1998; Hartford 1988), the major drawback to the use of risk-based procedures is the fact that the assignment of the conditional probability of occurrence for subsequent events must be based on engineering judgment following the principles of ‘subjective or degree of believe probability evaluation’ (Nielson et al. 1994).
For these reasons, a traditional risk assessment relies on engineering judgment to establish conditional failure-probabilities for occurrences following the initiating event. This subjective approach can provide very valuable results, allowing assessors to prioritize remedial work and competing remedial solutions for mitigating risk, in a rational, defendable manner. Furthermore, one of the great benefits of a risk-based assessment is the process itself that promotes creative thinking by focussing on assessing and discussing problems, and the potential for problems, in great detail.
Unfortunately, these qualitative approaches can be treated with suspicion as justifications for specifying, or delaying, major dam safety decisions. For example, in 1986, the US state of Illinois allowed the use of risk analysis procedures to attempt to justify the selection of lower spillway requirements for existing dams. However, due to the perceived uncertainties associated with the method, the state required a public hearing to be held to describe the basis for the spillway design with the burden of proof placed entirely on the owners (Payton et al. 1998).
Clearly, the use of a qualitative and subjective method for assessing dam safety in such a forum would be problematic. Indeed, the reluctance of numerous organizations in adopting this type of analysis as a sole means of assessing safety is often justified. An example of the significant effect that uncertainty can have on an individual risk assessment is reported by Bury and Kreuzer (1985). In their assessment of the risks associated with a concrete gravity dam, they noted that, in some cases, the uncertainty associated with the risk can exceed the entire median risk itself. The problem with risk-based dam safety assessments, therefore, reduces to one establishing reliable and defendable values for probability of occurrence.
The most common tool for quantifying the probability of failure is a detailed analysis of past performance and historical records (de Meel et al. 1998). However, for this approach to be applicable, a statistically significant number of similar events must have occurred to similar structures in order to allow the investigator to extrapolate probability into the future. Since, as was discussed in part 1, for most dams, loading conditions and the characteristics of the structure itself are unique, reliability concepts have been explored as a means of quantifying failure probability.
Reliability theory typically defines failure rate as a function of age or service condition in terms of the three distinct periods. During the initial period of operation, the potential for failure is relatively high as a result of 'burn-in' or 'infant mortality' failures. After this burn-in period, the chance of failure is typified by a reasonably constant, usually relatively low, rate of failure. This period represents unexpected failures resulting from chance events such as floods or earthquakes during the useful service life of a structure. This 'useful life' period extends to a point where the failure rate begins to increase significantly, reflecting wear-out or old age problems.
A review of dam failure incidents, as shown in Figure 7 indicates that this typical 'bath tub' distribution of failures does occur as dams age. Although the rate of failure of older dams is not necessarily related solely to wear-out, these results do suggest that it may be possible to establish a more quantitative assessment of the failure-probability of the various conditional events which lead to a dam failure using reliability concepts.
As discussed previously, there may indeed be ways to quantitatively evaluate the probability of occurrence of certain types of failure events (Morgenroth et. al., 1999 and Donnelly and Morgenroth, 2005) in a transparent and defendable manner. However, further research is needed to fully develop this approach and until this is done, the engineering judgement methods, combined with quantitative analyses where appropriate, remains the accepted method for qualitative determination of failure probability.
Step 4: Establishing the consequences of failure
As was discussed previously, for a typical dam safety assessment, consequences of failure may include: economic losses; environmental losses; and loss of life. Traditional cost estimating techniques are used to evaluate the possible damages associated with a dam failure event, including such issues as damage to housing or infrastructure. Similarly, environmental losses can be estimated on the basis of the costs associated with reinstating the site after the failure. Often, however, the prime driving force in any dam safety assessment is the risk the dam presents in terms of the potential for loss of life.
This represents the most controversial and difficult issue associated with any risk-based assessment, as the evaluation of human response, particularly in the case of a dam failure event, is highly variable and uncertain. While research has been performed in this area, as is discussed by Hartford and Baecher, 2004, there is an emerging acceptance that estimating loss of life from dam failures using any of the current available methodologies is highly uncertain. In addition, just how uncertain estimates of loss of life are is also not known. This then represents the greatest weakness in the application of risk assessments for dam safety purposes. Estimating the potential for loss of life is subjective at best, and it can lead to a breakdown in the dam safety assessment process; particularly in jurisdictions where, politically, there is a desire to ensure that risks associated with loss of life are eliminated. In such situations, since it is not possible to accept consequence, the dam safety assessment attempts to define design standards to drive probability to ‘zero’. As this is, by definition, not possible, many jurisdictions are now attempting to redefine the consequence parameter.
In the province of Quebec in Canada, and in the New South Wales example presented in part one, the risk to public health is defined in terms of Persons at Risk (PAR) so as to allow a less emotional means of defining appropriate dam safety standards. The advantage to this approach is that the defined risk parameter represents a positive approach. That is, the hazard the dam presents to the public can be defined by the total number of people that are actually at risk in the event of a hypothetical dam failure as opposed to the number of people that may potentially lose their life.
However, it is important to note that Persons at Risk do not represent the number of persons that may loose their lives in a dam safety incident. Research by, for example, DeKay and McClelland, 1993, shows that actual loss of life during real flood events is a fraction of those that were at risk. It also shows the variability of this consequence with the potential for loss of life being a function of warning time and other factors.
Despite the fact that the PAR approach represents a potentially conservative parameter within a risk assessment, for the purposes of dam safety classification, it may be a better approach than the concept of explicitly identifying the risk of loss of life in assessing the safety of a dam as this may be politically unfeasible. For risk assessment purposes however, engineering judgement, combined with a conservative use of the available assessment tools can be used to reduce the level of conservatism where warranted.
Step 5: Assessing risk
As discussed previously, risk is typically defined as the product of overall probability of failure established under Step 3 with the consequences of the event as determined under Step 4.
Overall risk can be established using the event tree method or following a risk matrix approach. The risk matrix is a compilation of the defined consequences (life safety, economic, environmental, etc.) and the likelihood (the unconditional probability) that these consequences will manifest themselves. This allows the establishment of the risks associated with the defined initiating events that could cause an uncontrolled release of the reservoir due to deficiencies identified either during the Standards Based Dam Safety Review or due to issues identified during the risk assessment process.
Once the level of risk for a particular dam safety event is established, the question of what an acceptable level of risk is must then be addressed. For economic or environmental consequences, acceptable limits are usually established on the basis of the expected likelihood of an individual dam owner to compensate third parties in the event of a loss through insurance or other means. There has been other research, primarily for other industries, on the subject of tolerable loss that is being adopted by the dam industry as is discussed later.
The reluctance of the public, regulatory agencies and many practitioners to accept risk as the sole mechanism of ensuring dam safety may be related to the definition that is used. Risk, in reality, relates to uncertainty in both the potential consequences of an event and the possibility that those consequences might manifest. Combining these two factors mathematically, while convenient in an engineering sense, has the disadvantage that the issues and the uncertainties are potentially less clear. Therefore, risk might be better portrayed as the combination of consequence and probability with each parameter established and presented separately in a clear and transparent way. These two uncertain parameters would then be used in such a manner so as reduce the risk to the public through appropriate standards of care.
Public perception of risks
Effective design and implementation of risk reduction measures must consider how the target population perceives its risks. While a detached, scientific or professional assessment of risk may be technically accurate, it may fail to consider the local or target populations perceptions of risk and the choices available to reduce it. For example, disaster risks are unlikely to be considered important among populations that face much greater everyday threats from disease and food shortages or where child mortality in a society with a minimal or weakened primary health care system is a potential issue.
In such cases, populations in disaster-prone areas may trade-off perceived risks against real or potential benefits. For example, persons living near an industrial plant that brings the benefit of employment and jobs will often be willing to accept a higher level of risk. On the other hand, communities living near a dam often perceive no direct and specific benefit associated with the structure. In such cases, risk exposure is a simple consequence of living or working in a particular location and risk tolerance is significantly reduced.
In general, society is more adverse to a single incident involving a large number of fatalities than they are for small losses in a number of similar incidents, even if the cumulative impact of the smaller events far exceed the major event. For dams, this has a significant impact since a dam failure, while extremely rare, can result in significant one-time losses. In addition, the public is often of the perception that the risks posed by a dam are minimal or non-existent. Evidence of this is the recent New Orleans disaster where a significant portion of the population relied on the integrity of levees to protect them from inundation. While the public’s high level of confidence in the safety of dams and levees is very well founded, it makes the use of risk assessment concepts difficult when the end result of the assessment is the need to report to the public that a given dam has a certain degree of risk, however small, as opposed to the more positive approach of reporting a high level of safety, as determined on the basis of standards based analyses.
Therefore, the tolerability of risk is difficult to quantify with a single engineering parameter. However, there is a growing view that risk and uncertainty need to be explicitly included and expressed as part of the dam safety decision making process. Fundamentally, the level of risk that a dam presents may be either acceptable or unacceptable to the public. Recently this fundamental concept has been expanded to include different categories of risk. (HSE 2001; Rimington et al. 2003):
•Broadly acceptable risk: An annual risk of casualty that is lower than 10-6 is generally considered to be a negligible risk.
•Unacceptable risk: An annual risk in excess of 10-4 is considered to be intolerable under normal circumstances.
•Tolerable risk: Risk exposure between 10-6 and 10-4 is considered tolerable provided that efforts are made to reduce the risk is a level that is as low as reasonably practicable at the time.
The ALARP principle and dam safety management
Fundamentally, a risk assessment for dam safety purposes is a method designed to define the risk associated with a dam that does not meet standards.2 The starting point is often the definition of deficiencies following a Dam Safety Assessment. Risks, including consideration of reliability of flow control equipment, associated with these deficiencies are then determined
Clearly if a dam does not meet standards, and the risks are in the unacceptable range, action is required to reduce risk. To allow for flexibility in meeting acceptable standards where the established risks are in the tolerable risk zone, the Dam Safety Management Plan concept has gained wide acceptance.
The DSMP concept is used to allow dam owners that operate structures that do not meet standards the choice of instituting a phased-in schedule of structural and/or non-structural measures to meet the intent of the standards. It is used as a means of showing that a dam, so far as is reasonably practicable, is safe, and meets the intent of the standards in that the risks do not pose an unacceptable threat to persons, property or the environment. In this context ‘Reasonably Practicable’ means that measures need to reduce risk as low as possible within the tolerable range are balanced with respect to both the cost of implementing these risk reduction measures and the enhancement of public safety.
This concept has been defined as the ALARP principle. As discussed above, for dams that pose a tolerable risk to the public, efforts should be made to reduce the risk to acceptable levels. However, in cases where the structure poses a tolerable risk and efforts to reduce this risk to the acceptable range may not be feasible, or the costs greatly outweigh the risk reduction benefits, this concept requires the dam owner to reduce risks within the tolerable range to ‘As Low As Reasonably Practicable’.
Current practice in the application of risk assessments for dam safety
In Europe, risk based assessments can be considered to be in the developing stage. For example, in Finland there are currently no specific requirements for risk based analyses, but a pilot project is being undertaken as part of emergency preparedness planning, while in Norway it is considered useful to improve understanding of behaviours and failure mechanisms but is considered controversial. Details for other European countries are referenced in ICOLD 2004.
Canada, the US and Australia have somewhat more developed practices with respect to the use of risk assessment in the practice of dam safety, but there is no jurisdiction that uses risk assessment as a sole means of assessing safety. Currently, and likely for the foreseeable future, dam safety is achieved following standards based approaches and traditional and accepted engineering methodologies supported by risk assessments.
On the other hand, risk assessments have been found to provide an excellent mechanism for understanding the dam failure process and defining priorities for remedial work to reduce risk. The method allows: allocation of funds to projects where greatest risk reduction is achieved; comparison of risk across loading condition categories to help set priorities; improved consistency in decisions; more complete evaluations and thought processes; better understanding of factors contributing greatest risk at a site; better understanding on need for analyses/studies; better definition of objectives in scoping out work products; and improved credibility inside and outside of the agency.
Risk assessment methodologies
There are a number of methodologies available within the dam industry that are currently used for dam risk assessment. These techniques define both the probable failure modes and those that should be considered as highly improbable. The intention is not to determine a quantifiable probability of failure for each failure scenario but rather to identify the scenarios that are considered to place the structure at highest risk. This then allows for the design of specific defenses to reduce risk.
Most commonly, qualitative risk assessment techniques have been adopted for use in evaluating various aspects of dam safety risk. These simplistic ‘ranking’ techniques (as reported by ICOLD, 2004) include: Hazard Index (Poland); Global Risk Index (Portugal); Preliminary Risk Exposure Profile (Canada); Prioritization Index (Sweden); Criticality Index (UK); Risk-based Scheme (US).
Countries that practice somewhat more elaborate qualitative risk assessment approaches include Australia, the US, Canada, South Africa, New Zealand, Germany, Poland, the Czech Republic, Norway and Sweden. There are several of these qualitative methodologies that have gained a relatively wide acceptance in the industry as discussed as follows.
Probable Failure Modes Analysis/Failure Modes and Effects Analysis
Since 2002, in the US, Probable Failure Modes Analysis Assessments (PFMA’s) has been a requirement under the Federal Energy Regulatory Commission (FERC) regulations for all dams that form part of a hydroelectric project.
A PFMA (or FMEA in Canada) is an examination of ‘potential’ failure modes for an existing dam or other project works by a team of persons who are qualified, either by experience or education, to evaluate a particular structure. It is based on a review of existing data and information, first hand input from field and operational personnel, site inspection, completed engineering analyses, identification of potential failure modes, failure causes and failure development and an understanding of the consequences of failure. The process is intended to provide enhanced understanding and insight on the risk exposure associated with the dam. This is accomplished by including and going beyond the traditional means for assessing the safety of project works and by intentionally seeking input from the diverse team of individuals who have information on the performance and operation of the dam.
Utilising an intensive team inquiry beginning from a basis of no preconceived notions, the potential failure mode examination process has the ability to: enhance the dam safety inspection process by helping to focus on the most critical areas of concern unique to the dam under consideration; identify operational related potential failure modes and structural related potential failure modes not covered by the commonly used analytical methods (e.g. slope stability, seismic analysis); enhance and focus the visual surveillance and instrumented ï„¸monitoring programme; identify shortcomings or oversights in data, information or analyses necessary to evaluate dam safety and each potential failure mode; and help identify the most effective dam safety risk reduction measures.
This method requires dam owners to perform a qualitative risk assessment to define the potential modes of failure so as to allow remedial works to be better prioritized and instrumentation monitoring systems to be better designed. Typically it represents a one time risk assessment that may or may not be supplemented with follow up reviews. The PFMA forms a basis for project specific performance monitoring and provides an opportunity for dam safety enhancements that might be overlooked during the standards based assessments. An example of the value of a PFMA in defining potential risks that might be missed following a strictly standards based approach was reported by Regan, 2004. On the basis of these discussions, it is clear that the qualitative assessment tools are designed to compliment and supplement traditional engineering assessments of safety, not to replace it.
Since the implementation of the process in the US, it has been found to work quite well. For example, on the basis of the application of the process on six dams, Rudolph, 2005 outlined the advantages that a PFMA assessment provided for the enhancement of the safety of their structures:
•The method allowed for an increased focus on the relative likelihood of various failure modes and priorities by corrective action.
•It provided for a diverse set of viewpoints and experiences.
•It provided for increased attention to operational failure modes that can be overlooked in a traditional standard based assessment.
•It assisted in the identification in areas where instrumentation or other monitoring needs improvement.
•It ensured that other structures (such as for example penstocks) are included in the overall assessment of dam safety and the potential for the uncontrolled release of the reservoir.
•It integrated the emergency preparedness plans with the technical information related to instrumentation, operation and design.
The technique is well defined by FERC and is in wide use throughout the US. In Canada, a similar methodology exists called the Failure Modes and Effects Analysis. The FMEA approach has been applied since the mid-90’s by Ontario Power Generation. This methodology is used to enhance the standards-based approach to reviewing the safety of their dams following an approach that is similar to the US model. With the inclusion of risk assessment options for dam owners proposed in the draft revisions to the CDA Guidelines that were presented during the annual CDA conference in 2006, it is anticipated that this methodology will become an increasingly routine procedure in Canada over the next few years.
Portfolio risk analysis
Portfolio risk assessment (PRA) involves the reconnaissance level application of the identification, estimation and evaluation steps of a qualitative risk assessment for a group of dams. This has become a standard of practice in Australia with most portfolios of dams having undergone some level of PRA. In addition, the methodology has been used, and PRAs have been performed, in the US, Canada and in Europe. Portfolios have ranged in size from a few dams to more than 250 and have varied in the level of detail according to purpose and decision context.
The PRA process involves four general parts: identification of decision context; engineering assessment against current dam safety requirements and good practice; risk assessment; and prioritisation of investigations and risk reduction measures formulated as separable construction upgrade packages (SCUPs).
The risk assessment portion of the work follows the PFMA approach with a qualitative evaluation of risk involving: failure modes analysis; qualitative assessment of the risks associated with the existing dam; indicative evaluation of existing dam against risk guidelines; assessment of the representative risk reduction measures; and indicative evaluation of the effectiveness of risk reduction measures against risk guidelines.
The results from these analyses can be grouped into the following categories: description of the risk profile of the existing dam (base line condition); basis for improving recurrent dam safety management programme; basis for the design of short-term risk reduction measures; design of the Dam Safety Improvement Program; and input to business processes, such as capital budgeting, legal evaluations, loss financing, and contingency planning. As with any of the qualitative decision support tools available in the industry, ICOLD, 2004 cautions: ‘PRA outcomes must be used with regards to the limitations of the approach and should be periodically updated.’
Portfolio risk management
Portfolio Risk Management was developed and is currently in use by BC Hydro in Canada. It follows, to some extent, the PRA approach in that it is a qualitative approach used to assess a group of dams. The method is driven by both the evaluated consequences of failure and the nature of dam safety deficiencies identified during normal standards-based assessments. The approach has proven to be robust and quite successful, providing valuable prioritizing information for 61 of BC Hydro’s dams. It is of note that this approach was selected over a quantitative methodology that had also been explored by BC hydro due to their experience which showed that, for most (if not all) dams, there is insufficient knowledge of the dam, and its potential defects, to permit a quantitative risk assessment to be performed.
Quantitative risk assessments
Quantitative risk assessments have been carried out in the US (the USBR for example), Canada and Australia. However, no country uses the method as the sole means of addressing the safety of a dam. As with the qualitative approaches, quantitative risk assessments are used to support traditional engineering analyses and as a prioritization tool. ICOLD, 2004 reported that the current feeling in the industry is that full scale risk assessments currently do not and, for the foreseeable future, likely will not replace traditional engineering evaluations.
ICOLD, 2004 does note that, in the Netherlands, the new waterway storm surge barrier in Rotterdam was designed completely on the basis of quantitative risk assessment methods. It would appear, however, that this represents a unique example that may not form a precedent for future designs of hydroelectric dams.
One of the largest obstacles to performing quantitative risk assessment is defining a tolerable level of risk. As discussed previously in this article, there is recent and considerable research into this subject in a number of countries but, to date, Australia is the only country that has published tolerable risk levels for dams. There is also guidance in the literature on the subject of tolerable loss based on research in the nuclear and other industries. For example, Neilson et al (1994) and Salmon and Hartford (1995) presented details of tolerable loss of life criteria from various organisations, as is summarised in Figure 8. The USBR has also published tolerable risk criteria (Figure 9) that they use as a prioritisation tool for defining the need for dam safety remedial works based on the potential risk to human life. It is this approach that would appear, at least in the short to medium term, to have the most promise.
In addition to the risk of failure associated with natural events, there is a risk that the dam could be caused to fail as a result of deliberate human intervention. In the US, and elsewhere, this has become a credible possibility that is assessed using risk assessment methodologies. Site security is typically assessed by engineers and security experts.
There are three components to a risk assessment: threat, vulnerability and impact. The threat component would be assessed by experts in the field of security, wherein they would identify entities that pose a threat (global, regional, local) and their capabilities in carrying out an act. Engineers would not be involved in this aspect, as it is beyond their typical area of expertise.
The vulnerabilities component requires an overlap of the fields of security and engineering assessed jointly by experts in those fields. As experts in the design of hydro plants, for instance, engineers can identify potential failure modes (vulnerabilities), such as breaks in penstocks, concrete or earth fill dams, control gates, substations, etc. The difference in dam security assessment is that, in the case of dam security, vulnerabilities may include aspects that have an operational and/or cost impact to the owner/public, such as loss of power, which may not have as direct an impact on public safety as a flood would.
A vulnerability assessment may also include highly technical engineering applications such as the dynamic response of structures or elements to impact loadings that may occur as a result of defined vehicle impacts or explosives. This sort of analysis is not in itself unusual, in that impact loadings are often taken into account in design of bridges, nuclear plants, high profile buildings, military installations, etc. The actual process in the US often involves the use the RAM-D programme. This process is designed to assess security risks at dams and to provide a systematic way to compare the reduction in risk afforded by various strategies, costs, and impacts of deploying specific security system upgrade packages or consequence-mitigation efforts. RAM-D was prepared by Sandia National Laboratories for the Interagency Forum for Infrastructure Protection (IFIP) - a consortium of hydro power generators, government dam owners, transmission system operators, and anti-terrorism experts in 2001.
Currently, true quantitative risk assessment can not be done to fully address the safety of a dam due to problems in defining the probability of failure of the chain of events that can lead to a dam breach and issues associated with the public perception of the risks that a dam imposes. For this reason, a method of classifying the dam according to the consequences or perhaps, more commonly, the hazards that it presents has developed to provide guidance in the selection of measures needed to reduce risk. While this process is effective, it has some inherent deficiencies associated with attempting to define the threshold levels that would elevate a given dam from, for example a LOW to a HIGH consequence structure. For this reason, the available classification systems tend to be somewhat open to interpretation so as to allow for the input of engineering judgment in the definition of the classification of a dam. However, given the finite resources available to maintain the safety of dams, it is recognised that methods are needed to better define true risk so that focused and prioritized dam safety enhancements can be implemented by dam owners.
In response to this need, risk based techniques are growing in popularity in North America, Australia, Europe and around the world. The industry recognises that these methods cannot replace traditional engineering assessments, and engineering judgment for ensuring dam safety in the foreseeable future, and perhaps not ever. However, they have proven to be a very effective tool for better defining risks that might otherwise be missed during a traditional dam safety standards based review. For example, the ‘brainstorming’ process used in defining the failure probable failure modes has proven to be a very effective method to draw out professional and experienced judgment from both engineers and operators of the dam who have hands on experience in what can go wrong. Such insights can be invaluable in determining issues such as problems with debris, or icing, which could affect the reliability of flow control equipment, an important risk issue that might not be identified using traditional engineering methods.
Quantitative risk assessments in use in Canada, the US, Australia, Sweden and elsewhere provide a rational prioritization tool that compliments standards based assessments. The quantitative risk assessment processes, as practiced by the USBR, appears to have significant promise. While, to date, this method remains generally in use as a prioritizing and risk identification tool, it does have the advantage that it provides owners with readily understood risk values that allow owners a clear and defendable means of identifying the remedial works, or monitoring activities, that need to be completed on a priority basis and to ensure the safety of dams that have been determined to fall within the tolerable risk range using the Damï„µSafety Management approach following the ALARP concept. Continued development and experience in risk based methods will certainly have the effect of helping to ensure that monies available for dam safety enhancement will continue to be well spent.
C. Richard Donnelly M.A.Sc., P.Eng, Director, Acres Water and Wind Power Division, Hatch Energy, 4342 Queen Street, P.O. Box 1001, Niagara Falls Ontario, Canada L0S 1J0. Email: [email protected]Related ArticlesSafe and secure - risk-based techniques for dam safetyTablesFact box Table 6 Table 7