Safe and secure - risk-based techniques for dam safety

17 November 2006



In part one of a two-part piece, C. Richard Donnelly discusses issues associated with the use of risk based techniques for assessing the safety of dams


Dam safety has traditionally been achieved using an engineering approach following a Standards Based Assessment methodology that assesses the current condition of the dam and makes recommendations to maintain the structure. This methodology has proven to be quite effective with dam failure being a very infrequent occurrence. In recent years, risk based assessments have gained popularity worldwide. These methods are intended to reduce the level of conservatism of the traditional approaches and allow a more focused deployment of finite resources to deal with dam safety issues on a priority basis.

In the paper that follows, public perception of safety (and security) risks as they are currently assessed (and perceived) for hydro dams are reviewed. Current risk assessment approaches in use in North America, Australia, Europe and elsewhere, are reviewed as well as the status of dam safety legislation in different countries and the degree to which the legislation is risk-informed. Issues associated with the identification of quantitative failure probabilities for the complex and inter-related dam/foundation system are detailed. The rational that has led to the use of qualitative risk based systems, designed to enhance and supplement traditional approaches that form the current basis for risk based dam safety assessments today is described.

The nature of failure

If failure were a certainty it could be dealt with appropriately before it occurred thereby avoiding the consequences of failure. Given foreknowledge of the nature of the failure mode, specific and focused maintenance expenditures, designed to prevent the known failure condition from occurring, could be designed. However, for large civil structures, neither the mode of a given failure mechanism nor the timing of the failure, are certain. Therefore, the risks associated with continuing to operate aging equipment, or attempting to extend the life of an ageing structure, are typically very difficult to determine quantitatively. It is, however, the consequences associated with unexpected failure, such as environmental damage, loss of life or extraneous damage that have the greatest impact on any dam safety decision.

The hydroelectric industry's recognition of the importance of avoiding unexpected failure, both for protecting the public and the asset itself, has led to the development of dam safety procedures that have traditionally focused on a deterministic assessment of the condition of the dam and the potential consequences of failure. In this approach, dams are classified according to the potential adverse consequences of failure they present. These traditional dam safety classification systems do not account for the probability of failure, structural integrity, operational status, flood routing capability or the actual condition of the dam or its appurtenances. Rather, they are based on reasonable worst-case scenarios that do not account for the potential for the failure condition to manifest itself or the emergency response measures that have been put in place to mitigate potential damages. The dam safety classification then determines the level of effort that should go into the long emergency preparedness requirements, the magnitude of the loadings that the dam needs to resist, the frequency of dam safety inspections and other safety related activities.

In an attempt to reduce the level of conservatism associated with this consequence based approach to dam safety, and to provide a more realistic assessment of the measures needed to enhance safety, risk-based techniques are gaining popularity. However, in practice, the determination of failure probability for dams is a complex task that is often not readily accomplished in a scientific way with the current state of knowledge. For this reason, such analyses are usually undertaken using qualitative assessments, relying on experience and sound engineering judgment to establish the optimum time to maintain, repair or replace a component or system. The system is quite effective but, depending on the nature of the problem, and the level of experience of those involved in the decision-making process, it can be very difficult to strike a defendable balance between acting proactively while accepting some amount of risk. In addition, it is difficult to maintain a balance between different major sources of risk, e.g. operator errors, ageing of the structures, floods, earthquakes, etc. The applicability of risk-based techniques to dam safety issues, therefore, often reduces to qualitative framework for establishing the failure modes and failure sequences associated with the risk of failure. Notwithstanding the lack of quantitative risk results, the process itself can provide a responsible, transparent and accountable basis for decision-making with regard to both the timing and necessity of remedial works needed to minimize the risk of failure.

Coupled with the potential for failure due to unexpected loading conditions or foundation problems are risks associated with actions by individuals or groups intended to cause a dam breach. Recognition and definition of such security risks is becoming an increasingly important issue in the evaluation of the overall safety of a dam. In the United States, methodologies have been developed following a similar security classification approach to identify security risks and define measures to deal with them proactively.

In this paper, the existing dam safety methodologies in Europe and North America, and the evolving 'Failure Modes Analyses' techniques that have been developed to utilize selected methods from the risk assessment 'toolbox' to better identify and document the risk of failure are reviewed. The effectiveness of these approaches, and public perception of the safety of dams, is discussed.

Potential for dam failure

Traditionally, dam safety has been, and still is, achieved using an engineering Standards Based Approach that requires dams to withstand certain defined loads. This is a transparent and readily understood methodology that has wide pubic acceptance. However, in the early years of scientific dam design, and indeed up to the middle of the 20th century, there were really no formal and accepted methods for selecting the standards that a dam must satisfy to be 'safe'. For this reason, dam design standards often varied depending on the judgment and experience of the practitioner. The risk that a dam posed to the downstream public was not explicitly assessed in the selection of the design parameters, although the experienced engineer would generally account for it implicitly in his choice of 'safety factors' and magnitude of loads.

Despite these shortcomings, the dam industry has had an admirable record with major dam failures being a very infrequent occurrence. However, dam failure does occur In the United States, a process of reporting dam failures and dam safety incidents is an integral part of dam safety practice. The results of this monitoring program has shown that, in the period from 1993 to 1999, 421 dam failures of varying degrees of severity have occurred (Hydro Review 1999) which translates to an overall probability of failure in the order of 6 x 10-4 failures per dam year (Figure 1). As at 2005, the total number of dam failures has reached 626 continuing to follow this long established trend (Hydro Review, 2005).

As shown in Table 1, numerous other researchers throughout the world have reported similar dam failure rates with the overall average equivalent to about one dam failure every 2500 years.

Clearly then, there are compelling statistics that dam failure can be an expected consequence of inadequate or improper maintenance of a dam. As well, there are failure statistics that indicate certain types of dams might be more likely to experience problems. As detailed below, at first glance, it would seem that the most vulnerable dam is an embankment structure which, according the FEMA/icold, represent nearly three quarters of the total number of dams that have failed (Figure 2).

However, in the case of dams, as with most issues, simple statistics alone can be quite misleading. As shown in Figure 3, the actual risks presented by an embankment dam are considerably less when one accounts for the fact that they represent the oldest and most common type of water retaining structure.

Adding to the complexity of assessing potential for failure is the fact that each dam represents a unique structure which, as is shown in Figure 4, can fail for a variety of reasons. This complex behaviour stems from the fact that each dam has site specific and complex foundation characteristics that cannot be easily represented in physical or mathematical models. Finally, it is possible for a dam to fail for reasons other than design deficiencies of unknown geological defects. Human error in operation of the flow control equipment or deliberate acts of sabotage could cause an uncontrolled release of the impounded reservoir.

It is evident therefore, that evaluation of the potential for a dam to fail due to physical reasons is a difficult task. Indeed, a strict quantifiable evaluation of risk is, in general, not feasible within the current state of knowledge. In this regard, in a discussion on Risk assessment in dam safety management, the International Congress on Large Dams (ICOLD) concurred with this sentiment noting that;

'Risk assessment is in the development stage and this is especially true of its application to dams' (ICOLD Bulletin 130).

Assessing the safety of dams

As dams grew larger, and closer to populated centers, a method of attempting to better account for the risk a dam imposed to the public started to become increasingly more formalized in the early 1960's. In the United States, following failure of several dams during the 1970's (Buffalo Creek, Kelly Barnes, Teton), federal dam building and regulating agencies were charted with a mandate to develop guidelines for assuring a comprehensive approach to dam safety. The mandate included specific direction to consider the use of risk-based approaches for dam safety.

While the use of a strictly risk based approach may be desirable for many reasons, as discussed above, even to date, the technology is not available to undertake quantifiable risk based assessments that would completely define the risks associated with the failure of a particular dam. It is for this reason that the industry has turned to a system that classifies dams according to the potential consequences of failure. One of the initial steps in this direction was a report by the US ad hoc committee on dam safety. Their report, issued in June, 1979, contained a dam safety classification system that has is mirrored in dam safety legislation worldwide (Table 2).

It is of note that in all of these existing dam safety legislations, risks of failure are identified primarily through an assessment of consequences of failure. As is discussed later, the actual potential for failure (and therefore the true 'risk') is generally not addressed in legislation.

Classifying dams for dam safety purposes

The fundamental purpose of the dam safety classification system is to provide guidance with respect to the conditions that a dam needs to resist (such as the design earthquake and flood) so as to ensure that it does not present an unacceptable danger to the environment or the public. The classification system is also used to determine surveillance requirements, dam safety review scheduling, inspection frequency and other tasks needed to ensure an appropriate level of safety is maintained. This is accomplished by determining the incremental effects that might occur if the dam were to fail. These effects are typically measured in three ways:

* Incremental losses to the environment.

* Incremental economic loss.

*Incremental risk to human life.

In all current classifications systems, when assessing each of these potential consequences, all are considered to have equal importance. For example, if a particular dam presents a LOW risk to human life, but could result in incremental environmental losses that are considered to be HIGH, the classification of the dam would be HIGH.

One of the original dam safety classification system for hydro power projects in the United States, as detailed 'Engineering Guidelines for the Evaluation of Hydropower Projects', Office of Energy Projects, US Federal Energy Regulatory Commission, April 1991, provides for three dam safety hazard classifications (Table 3).

This general methodology has been adopted in most of the systems used in Europe and elsewhere throughout the world (reference Table 4). Differences in the various types of classification systems have developed largely as a result of attempting to increase the number of hazard (or consequence) categories and to attempt to better define threshold levels to better reflect the 'risk' the dam may pose to the public. As is evident from Table 4, these threshold levels are open to interpretation (using terms such as 'Significant', 'Some' and 'Few') which can (and does) lead to difficulties in assessing the consequence classification. This results in the potential for differences in design standards depending on the judgement of the individual dam safety assessor. That is, the very thing the classification system was intended to avoid.

This is, however, an expected consequence of attempting to provide simplified standards to a complex issue which, in part, is the reason that the industry is turning towards risk based approaches to better identify safety standards that a dam needs to meet. Recent (March 2002) guidelines published by the New South Wales Dam Safety Committee (Table 5) attempt to address this issue by providing specific guidance in the selection of dam safety categories with respect to Population at Risk and the severity of possible damage based on recommendations of the Australian National Congress on Large Dams (ANCOLD). However, there still remains judgement required in assessment of the 'severity' of damage and loss.

Overall, as is evident in Table 4, there is, at least in general terms, general agreement in the fundamental approach to dam classification with some important fundamental concepts that are repeated in most systems.

Incremental loss

In Table 4, all of the systems listed direct the user to assess consequence on the basis of the additional losses that occur as a result of the failure of the dam itself. In understanding this concept, it is important to remember that the intent of the dam safety classification is to identify the standards that the dam should meet to provide protection to the public (life and property damage) and the environment in case of a dam break.

To achieve this goal, it is, therefore, necessary to establish whether or not a dam failure event would, in fact, be the cause of the losses. For example, for many smaller dams, downstream water levels during an extreme event, such as the Probable Maximum Flood (PMF), can be many meters above the crest of the structure. In these cases, the dam becomes 'drowned out' such that, even if the dam were to fail during the flood, the effects of the failure would be unnoticeable. In this case, it would not result in providing the public with any additional protection against increased losses or damages to design the dam to resist the effects of the PMF since the same losses would occur with or without a failure. For such cases, progressively higher frequency floods are assessed in order to determine the magnitude of the flood that would result in unacceptable incremental losses. This flood is then selected as the Inflow Design Flood (IDF).

Alternatively, a dam may be found to pose no risk in case of a flood. However, if it were to fail as a result of a random loading, such as might be generated by an earthquake, the chance nature of the event could put transient users such as boaters at risk who would not have been in the watershed during an extreme flood event. In such cases, designing the dam to resist the earthquake would be necessary to protect the public but there would be no reason to design this example dam to resist the PMF. For this reason, for dam safety purposes, it is necessary to identify the consequences resulting from a dam failure during a flood event and the consequences associated with failure during a random event (i.e. the so called 'sunny day' or 'normal' condition).

Consequence and Risk

The intent of a dam safety program is not to ensure that a particular dam does not fail. Rather it is to ensure that if a particular dam were to fail, the consequences of that event would fall within acceptable defined limits. Therefore, classification systems are typically based on the total incremental adverse consequences of failure or mis-operation. Dam classification does not attempt to account for the structural integrity of the dam, operational status, flood routing capability, or the current safety condition of the dam. In other words, the actual risk a dam might impose is not determined. For example, according to US practice,

'For the purposes of hazard potential classification, the dam should be evaluated assuming that emergency action plans (if existing) will not be activated, and that warning time will be limited or non-existent.' FERC Dam Safety Guidelines.

The intent of this statement is that if, as a result of a dam failure, there were the potential for an incremental inundation of sufficient depth and velocity that (for, example) loss of life might be expected, the dam would be classified as a high hazard structure. This rating would not reduce if appropriate warning measures were instituted such that all persons could be effectively evacuated in the event of a dam break. For consequence classification purposes this is logical since the purpose of the classification is to identify the need for mitigation. Therefore, it would not be logical take into account any existing mitigation measures in place as they would have the effect of lowering the dam classification and the need for the existing mitigation in the first place. For classification purposes these warning systems would typically be viewed as a second line of defence to address latent risks that are difficult to address appropriately in other ways such as human error and transient persons in the inundation zone (fishermen and other day use activities etc.) In other words, the dam will still be classified as presenting the same consequences regardless of what measures are used to reduce exposure.

Similarly other jurisdictions around the world have taken a similar approach in the classification of dams. As another example, in New South Wales, Australia the regulations state

'The Committee assigns 'Consequence Categories' to a dam according to the seriousness and magnitude of the adverse consequences affecting the community's interests, or the environment, and which could be expected to result from dam failure. In assigning such consequence categories, no account is taken of the likelihood of dam failure. Thus a dam which meets the highest safety standards, and which therefore is extremely unlikely to fail, can have a high Consequence Category. '

Third party losses

In the event of a dam failure the owner of the dam and associated hydroelectric facility may often incur significant. These might include:

* Loss of generation.

* Costs to rebuild the asset.

* Costs to repair damages caused by flooding of generation equipment.

However, these losses do not impact public safety. Therefore, they are not included in the dam safety classification assessment.


Author Info:

C. Richard Donnelly M.A.Sc., P.Eng , Director, Water and Wind Power Hatch Acres Corporation, 4342 Queen Street, P.O. Box 1001, Niagara Falls Ontario, Canada L0S 1J0. Email: rdonnelly@acres.com. www.hatchacres.com.

Related Articles
Safe and secure - risk based techniques for dam safety
Tables

Table 1
Table 2
Table 3
Table 5

Figure 1 Figure 1
Figure 3 Figure 3
Figure 4 Figure 4
Figure 2 Figure 2


Privacy Policy
We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.