RISK ASSESSMENT IN DAM SAFETY DECISIONMAKING

Information on dam safety is needed by dam owners and operators, insurance companies, regulators, engineers responsible for designing and inspecting dams, emergency management agencies, realtors and planners, environmental groups, the public and others. All individuals or groups must make their own decisions oil some aspect of the safety of a dam with which they are associated in different ways. For example, the owner may view a dam as an investment, and therefore be concerned with his rate of return and his exposure to legal liability. On the other hand, a regulator is responsible for developing and implementing dam safety standards and guidelines authorized by statute. Each group interested in dam safety has its own perspective on the safety of a particular dam and the information that is important to that group in the process of dam safety evaluation.

In Sec. 2 of this paper some of these perspectives are discussed in the context of a risk-based approach to dam safety evaluation. The risk assessment approach has been used by the U.S. Bureau of Reclamation, the U.S. Army Corps of Engineers, the Federal Emergency Management Agency, and some state dam safety offices. Also, its use has been recommended in reports by the American Society of Civil Engineers (1988) and the National Research Council (1985). The "design-level" risk assessment approach is summarized in See. 3. The paper draws on the writer's experience in conducting risk assessments for several dam owners and operators in the U.S. and overseas. In Sec. 4 three case studies of actual risk assessments are summarized including a discussion of the study outcome in which the use of risk assessment results in decision-making is presented. For a comparison of risk-based approaches to dam safety evaluation the interested reader is referred to Bowles et al. (1987). This reference also addresses advantages of the risk-based approach and common objections to it.

The perspectives of several parties associated with dam safety are discussed and contrasted based on the writer's experience.

The dam owner and operator are in the legal position of being responsible for the safety of their dam, its operation, and the consequences of a failure should one ever occur. Naturally owners and operators want to limit their liability. For this economic reason, and because most dam owners recognize their moral and social obligations, dam owners and operators are usually deeply concerned with the safety of their dams. Safety is determined by engineering professionals who compare the predicted performance of a dam against established standards. Typically the safety evaluation process is highly technical and results in a determination that the dam either meets, or fails to meet, the established standards (e.g., inflow design flood, which is often set as the probable maximum flood or PMF). Understandably a non-technical owner or operator is often skeptical about the need to invest large sums in upgrading a dam that has served him well for many years and which shows no apparent sign of distress. In some cases the cost of these upgrades would literally put an owner out of business. In many other cases a corporate or public owner has the capability of raising the needed capital for costly upgrades, but may not be able to justify this use of capital by the usual investment criteria. Often this results in the diversion of funds from other "more efficient" uses. From a business perspective a dam owner needs to understand the risk that his dam poses, to be convinced that the rehabilitation required by a regulator is not excessive, and to understand his options for managing the risk (e.g., structural and nonstructural rehabilitation alternatives) and his liability exposure.

The regulator is responsible for developing and implementing dam safety standards and guidelines that are authorized by statute. In contrast to the owner, he is concerned first with compliance, rather than the cost of the remedial actions which he requires to achieve compliance. The established standards for assessing dam safety usually vary with the size of the dam and reservoir and their hazard rating. However, a site-specific evaluation of dam failure consequences and the probability of dam failure are seldom undertaken. As a result the dam rehabilitation measures required by the regulator may represent inconsistent levels of safety for different dams, and in some cases rehabilitation measures may be excessively costly for a particular site. Recognizing this, many dam safety regulators now permit exceptions to their standards if the incremental consequences of dam failure, compared with non-failure (or sometimes the case of no dam), can be shown to be negligible (see, for example, the discussion of the Oneida Dam in See. 4.3). However, such an approach does not take into account the probability that a failure may occur; rather, it examines assumed dam failure scenarios for all initiating events (e.g., inflow floods or earthquakes) up through the maximum magnitude of initiating events required by the established standards. Also, the determination of a "negligible" incremental consequence is typically made by using differences in hydraulic parameters such as depth and velocity of flow, and not through an explicit evaluation of economic, threat-to-life, and other potential consequences of dam failure.

The engineer responsible for evaluation of dam safety is usually retained by the owner or operator to perform the evaluation or, in some cases, works directly for the owner or operator. He is responsible for performing technical investigations at the dam site and analyses to determine the design flood or earthquake loading and the expected performance of the dam-foundation-spillway reservoir system. The issue of the amount of liability that the engineer may take on when he performs a dam safety evaluation is one that any engineer and owner/operator should resolve before entering into a contract for engineering services. It seems reasonable that an engineer should be responsible for his own negligence. However, it would appear to be unreasonable that an engineer should become responsible for the owner/operator's liability due to the preexisting condition of the dam. Also, where there are trade-offs to be made between the level of safety and the Investment of rehabilitation funds, it would seem that such decisions should be made by the owner/operator and regulator and not directly by the engineer. It is after all the owner/operator who benefits from the project and whose funds will be required for rehabilitation. However, as stated above, an owner/operator needs to understand the risk that his dam poses and his options for managing the risk (e.g., rehabilitation alternatives). It is the responsibility of the engineer to inform the owner/operator of these factors and the required standards which should be met by dams in the jurisdiction in which the dam is located. When these standards can be shown to be inappropriate for the particular conditions existing at a dam, the engineer has a responsibility to inform his client and to provide information that will help the owner/operator make a case for justifying alternative site-specific standards. These standards are not necessarily less safe than the usual standards. For example, designing a spillway to, say, 50% of the PMF when incremental damages and threat-to-life above this flood magnitude are negligible does not represent lower safety, but rather a more cost-efficient way of achieving the same safety. Sometimes such opportunities for cost-efficient solutions are overlooked when an engineer considers only the conventional solutions. The line between cost-efficient solutions and adequate safety is one that requires considerable professional experience to identify. The thorough evaluation procedures of risk assessment increase the likelihood of achieving the objectives of adequate safety and cost efficiency. Both objectives should be important to owner/operator and engineer alike. However, the owner/operator needs to provide a professional service contract with terms that will encourage the engineer to identify cost-efficient solutions. Without adequate protection, the engineer may have a disincentive to consider such solutions.

When risk-based approaches are used to evaluate dam safety, a risk analyst is often involved. Such an analyst should preferably be an engineer with experience in the dam safety field and also with expertise in practical risk assessment. However, lie should not attempt to replace the engineer in his technical role unless he is qualified to do so. Risk assessment procedures cannot substitute for good engineering. A team approach is recommended in which the risk analyst provides the risk assessment framework for evaluation of the dam and for communication of the study results to the client and other interested parties, and the engineer takes responsibility for the engineering analysis and design.

Insurance companies are also concerned with understanding the risk and liability associated with dam failure. Decisions on how much coverage to provide and the premium to be charged should utilize information from quantitative risk assessment procedures. To the knowledge of the writer, there are very few examples of this use of risk assessment in the Insurance of dams.

This section is divided into three subsections describing the steps in a dam safety risk assessment, development of the risk model used in the assessment, and examples of the types of information that can be obtained from a risk assessment. For. a more detailed discussion of dam safety risk assessment procedures, the interested reader is referred to Bowles et al. (1987), Anderson arid Bowles (1987), and the U.S. Bureau of Reclamation (1986).

3.1. Risk Assessment Steps

This section describes the four major steps in a dam safety evaluation risk assessment (see row headings in Fig. 1). Risk identification involves recognizing and listing the various factors which could contribute to the risk of dam failure and organizing these into logical event sequences which cover all reasonably probable failure modes. Such an organization is called an event tree, with each failure mode represented by a separate branch in the event tree. It serves as a risk model for the evaluation of existing dam safety or the effectiveness of proposed rehabilitation (risk aversion) alternatives. The second step is risk estimation, which involves assigning probabilities to each branch in the event-tree model and assessing the consequences of dam failure for each failure mode.

The product of the second step is an estimate of the probability of failure and life loss or economic consequences that would be associated with each failure mode, or combination of failure modes, for the existing dam (i.e., the do-nothing alternative). It these risks are unacceptable, the assessment proceeds to the third step, called risk aversion. This involves formulation and evaluation of alternatives for risk aversion. For dams these are commonly referred to as remedial actions or rehabilitation alternatives. Risk aversion can he achieved by reducing the probabilities associated with an event-tree branch or by reducing the consequences. In both cases structural and nonstructural measures should be considered. Figure 1 lists some examples of aversion measures in the part of the diagram that corresponds to the aversion step. These examples are linked by arrows to the probability or consequence that would be expected to be reduced by their implementation. The product of the aversion step is an estimate of the reduction in probability of failure arid life loss or economic consequences that can be attributed to the implementation of a risk-aversion measure.

The final step in the risk assessment process is the decision as to what degree of safety, or equivalently what residual risk, is acceptable (see Sec. 5). Although the engineer can supply information and recommendations for this risk acceptance decision, the decision is usually made by the dam owner, operator, or regulator. The decision is especially sensitive and difficult where lives are at risk, or where large investments will be required to improve safety with little or no effect on project benefits, except of course to their expected longevity considering the reduced likelihood of dam failure.

A risk assessment should be phased to ensure that study efforts are expended efficiently. By performing a preliminary risk assessment, the relative importance of various factors (e.g., hydrologic loading vs. seismic loading, gate failure vs. toe erosion) can be assessed. This information can be used to allocate the study effort in such a way that relatively minor risk contributors are not given a disproportionate or unjustifiable part of the dam safety evaluation effort.

3.2. Risk Model Development

Risk model development commences with the identification of a sequence of events (see column headings in Fig. 1), beginning with events that can initiate dam failure and ending with the consequences of failure. Initiating events can be classified as external or internal. External events include earthquakes, floods, and upstream dam failure. Internal events include chemical/ physical changes in soil or concrete properties or latent construction defects. At low levels these events would not normally lead to dam failure. However, at high inflow rates a rapid rise in pool level could lead to overtopping, or a severe earthquake could result in structural deformation or liquefaction. These and other dam-foundation-spillway-reservoir system responses can lead to the outcome of the sudden release of the reservoir contents. The magnitudes of the resulting life loss and property or environmental damage will depend on various exposure factors. These include flood routing to determine the path of the flood wave, area of inundation, and travel time; the time of the day and season of the year; and the effectiveness of any warning systems and evacuation plans. Consequences are classified as life loss and economic loss, which include property damage, cost of dislocations, and loss of project benefits. Environmental and social consequences of dam failure also can be considered.

During the identification step, professional judgment and experience, review of available information, and site visits are used to develop a list of the types of initiating events, system responses, outcomes, exposure factors, and consequences which apply to a particular dam-foundation-spillway-reservoir system. Using this information, an event tree (see, for example, the event tree for Oneida Dam, Bear River, ID, in Fig. 5) is developed. Each branch in the event tree represents a failure mode. A failure mode is defined as the sequence of (1) a particular range of magnitudes of an initiating event (e.g., a range of reservoir inflow magnitudes or a range of ground acceleration s at the dam site resulting from an earthquake), (2) a system response, and (3) an outcome. An example of a failure mode for Oneida Dam is (1) thunderstorm with peak magnitude between 7,500 and 14,500 cfs, 2) embankment overtopping, and (3) breach embankment (see Fig. 2 in Sec. 4.3.1.).

The event tree is the risk model for dam safety risk assessment. Probabilities and consequences must be assigned to perform risk model calculations. These calculations can be conveniently executed using a computer spreadsheet. Several cases should be considered: (1) the natural flow (i.e., with routing or flood control effects of reservoir operation); (2) the existing dam (i.e., the do-nothing alternative); and (3) the various structural and nonstructural rehabilitation alternatives (including different levels of each alternative, e.g., various spillway capacities or heights of the dam).

Traditionally in engineering design, point estimates (i.e., single values) of loads or material strengths are made on a conservative basis. In a risk-based approach additional estimates are made to describe a range of each load, probability, or consequence. With this "interval" estimate approach, the effects of uncertainty in the estimation of the inputs to a dam safety decision can be explored and documented through sensitivity analyses. Where the recommended decision is sensitive to uncertain factors, additional efforts to reduce the degree of uncertainty should be considered. Since uncertainty exists in all the inputs (e.g., probabilities and consequences) to a risk assessment, sensitivity analyses are an important part of a comprehensive dam risk assessment.

3.3 Information Outputs

Information available from a risk assessment can be categorized into several types: probabilistic, economic, safety, legal liability, and insurance. Several examples of information obtained from actual dam safety risk assessments are given in Sec. 4.

Probabilities of dam failure can be divided into components attributable to different loading (initiating event) types, or ranges of loading, and different failure modes. Probability of dam failure can be expressed on an annual basis, or over a period of time such as the remaining life of the dam.

Economic information from a risk assessment can be expressed in various forms such as histograms of damage; total risk cost; net risk cost due to dam failure; the benefits (or reduction in risk cost), net benefits, benefit-cost ratios, and rate of return associated with each rehabilitation alternative; the cost effectiveness of alternatives based on the sum of the annual risk cost and construction cost of each alternative; and incremental analysis to determine optimal capacity of an alternative. Estimates of damage costs or benefits can be allocated to the dam owner/operator or to other parties. Dam rehabilitation alternatives can be evaluated with respect to various economic criteria (e.g., maximum benefit-cost ratio, minimum total cost). However, the decision-maker (e.g., dam owner, operator, or regulator) should not be limited to using only one of these criteria (see Sec. 5). In addition, the decision-maker should weigh economic information against other factors including legal and political contributions. Thus a more informed decision can be reached in which the cost of non-economic trade-offs can be assessed.

In addition to economic analyses based on the "best estimates" of probability and consequences, sensitivity studies should be performed in order to assess the effects of input uncertainties on risk assessment results and, more importantly, on the selection of a rehabilitation alternative. In general, sensitivity factors which should be considered include, but should not be limited to, the following: hydrologic and seismic event frequencies, internal failure frequency, system response and outcome probabilities, damage and population-at-risk estimates, exposure probabilities, initial reservoir storage, rate and shape of dam breach, and flood routing parameters. The results of sensitivity studies can be usefully displayed in a regret analysis (see Sec. 4.2), in which the economic regret (in terms of the additional annual cost expressed as the sum of risk cost and construction cost) that would be expected to be incurred by selecting an alternative other than the minimum-cost alternative can be assessed for each value of the sensitivity factors.

The assessment of human safety can be presented as a histogram of probabilities of life loss events, or the cost-to-save-a-life. The latter should not be confused with placing a value on human life, which is entirely different. The cost-to-save-a-life is calculated as the cost by which a rehabilitation alternative exceeds its economic benefits expressed per life that would be expected to be saved by investing in the alternative. Thus, it can be considered as the cost of providing safety on a per-life-saved basis. Comparisons can be made with the cost-to-save-a-life that society is willing to pay in other areas involving involuntary risks, such as environmental risks, in order to judge acceptable levels of investment in public safety. It is also possible to calculate the expected number of lives that would be lost on an annual basis (similar to risk cost); however, this generally results in relatively small numbers, which are difficult to interpret. Other approaches to quantifying human safety are therefore considered to be preferable.

Probability, economic, and safety information can be used for assessing the legal liability of dam owners. Such an assessment must take into account the laws which apply in the area in which the dam is located. Another potential application of the results of a risk assessment is as a basis for establishing indemnity costs or dam failure insurance-policy premiums (ASCE 1988).

This section contains summaries of three projects in which risk assessment procedures were used to evaluate dam safety for dam owners or operators. The projects are the Verde River Risk Assessment for the Salt River Project, Phoenix, AZ; the Tongue River Risk Assessment for the state of Montana; and the Bear River Decision Analysis for Utah Power and Light Company, Salt Lake City, UT. Each summary is divided into a background subsection containing a brief description of the dam, safety concerns, and the purpose of the study; a results subsection containing a synopsis of some of the important results derived from the study; and a study outcome subsection in which the role of the study results in decisions made by the dam owner/operator and regulator is discussed.

4.1. Verde River Dams

4.1.1. Background

Many dams in the U.S. have been found to have inadequate spillway capacity when evaluated against current design standards. Two such dams are the Horseshoe and Bartlett Dams, which are located in series on the Verde River above Phoenix, AZ. Horseshoe Dam is a 194-foot-high embankment structure and Bartlett Dam is a multiple-barrel-arch concrete structure. They are part of the Salt River Project (SRP) and supply water to the SEP service territory, Salt-Gila Indian lands along the Verde River, and the city of Phoenix. Both dams were built approximately 50 years ago and have been found to be capable of passing only about 40% of the probable maximum flood estimated in 1981. Thus, a serious concern exists over the possibility of one or perhaps both dams failing during a major flood. As part of Plan 6 of the Central Arizona Project, the U.S. Bureau of Reclamation (USBR) had planned to replace Horseshoe Dam by Cliff Dam, which was to be built on the Verde River between Horseshoe and Bartlett Dams. Cliff Dam was proposed to provide sufficient flood control and surcharge space so that Bartlett would be protected from major floods. However, it was expected to be perhaps 10 to 20 years before Cliff Dam would be completed and the safety concerns for the Verde River Dams thus alleviated.

In view of this situation, SRP, which operates both dams, decided to investigate what interim solutions could be identified to reduce the risk posed by the Verde Dams to the population and economy of the metropolitan Phoenix area. Tile U.S. Bureau of Reclamation and SRP contracted with Morrison-Knudson Engineers, Inc. (MKE 1988) to perform a comprehensive risk assessment for both dams. The writer, Drs. Loren R. Anderson, and Terry F. Glover from Utah State University, and RAC Engineers and Economists served as consultants to MKE for the risk assessment. In the first phase, the existing structures were to be evaluated with respect to hydrologic, seismic, and internally initiated failure modes that could lead to the catastrophic release of reservoir contents. Using the results of the first phase, various remedial action alternatives were to be formulated and evaluated in the second phase of the risk assessment. In subsequent phases selected alternatives would be designed.

As originally proposed, the Verde River risk assessment was intended to focus on interim solutions that would improve safety during the period from the present until Cliff Dam was completed as a permanent solution. However, plans to build Cliff Dam were cancelled in 1987. This was formalized in the Energy and Water Development Appropriations Act of 1988. Funding for the risk assessment study was redirected to the development of permanent remedial action solutions.

4.1.2. Summary of Results

Preliminary risk assessment. A preliminary risk assessment was performed for the Verde River dams using approximate loading and consequence information that was available at the beginning of the study. The results showed the much greater relative contribution to probability of failure, risk cost, and threat-to-life of hydrologic failure modes over seismic and internally initiated failure modes. Also it showed the importance of carefully accounting for the effectiveness of evacuation of the inundation area in order to obtain meaningful estimates of the threat-to-life. As a result of these preliminary findings, it was decided to eliminate seismic stability evaluations of the dams from the Phase I scope of work and to add resources to the estimation of hydrologic system responses and evacuation modeling.

Threat-to-life. In all cases for which failure of the Verde River Dams was considered, several hours warning time was estimated to be available before the flood wave would reach the populated reaches near Phoenix. Hydrologic events are the most likely cause of failure, but they would also have the longest warning times. Larger magnitude dam break floods associated with hydrologic failure modes would also lead to greater areas of flooding, with the threatened population increasing faster than the increase in area. This is due both to the greater population densities that exist at greater distances from the channel and because larger areas take longer to evacuate.

Continuing urbanization is projected in the area that would be inundated from a dam break. This could lead to greater threat-to-life if a dam failure were to occur further into the future. There are established warning and evacuation procedures for much of the area that would be inundated.

Economic Damages. Estimated damages for flood events associated with dam failure varied from about $1 billion for a sunny-day (seismic or internally initiated) failure to more than $4 billion for a serial failure of both dams under 100% winter PMF conditions. In fact this extreme case would not be expected to occur with the existing dams because they are predicted to fail well before the peak of a 100% winter PMF event is reached.

Risk costs were calculated using damage curves that were adjusted to reflect economic growth projections for three periods: 10 years until the scheduled completion of Cliff Dam, 50 years remaining economic life of Bartlett Dam, and 55 years remaining economic life of Horseshoe Dam. For all three cases it was found that the relative distribution of total net risk cost between types of failure modes remained similar, with approximately 85% attributable to hydrologic modes. Of the total hydrologic risk cost, about 60% was attributable to winter floods in the 40% to60% PMF range. Since the dams are considered to be capable of safely passing a 40% PMF, it was concluded that interim safety modifications that increased the capacity of the dams to handle events tip to the 60% PMF would be expected to have the greatest benefit-cost ratios.

4.1.3. Study Outcome

The Verde River Risk Assessment Study was suspended due to the cancellation of plans to build Cliff Dam. Therefore, the comparison of remedial action alternatives was not completed. However, there seems to be little question that the permanent safety solutions at these dams will protect them against floods tip through the PMF because of their extremely high hazard classification. The real issue is what should be done on an interim basis before the permanent solution is effected. At the time that the risk assessment was commissioned, the permanent solution appeared to be Cliff Dam. Now that Cliff Dam has been cancelled the obvious permanent solutions appear to involve rehabilitating Horseshoe and Bartlett Dams. The Verde Rivet Risk Assessment for the existing dams provided valuable insights into the relative importance of different failure modes, loading types, and loading ranges. This information provided the basis for formulating various interim and permanent conceptual remedial action alternatives. It also pointed out the need for emergency planning to address dam failure floods.

The Verde River Risk Assessment is an example of the role that risk assessment can play in identifying interim solutions for reducing the risk of dam failure at high-hazard dams. Typically, the focus of attention at "unsafe" high-hazard dams is on the permanent solution. However, this type of solution can take so long to complete all the necessary approval and funding steps that it often would be beneficial to use risk assessment to identify cost effective interim solutions such that safety can be improved in the short term. These types of solutions typically would provide a lower level of protection than will be provided by the permanent solution. However, they should be more rapidly implemented and thus achieve a reduction in risk sooner. Such an approach does not challenge the need for permanent solutions that meet the currently accepted design standards; rather, it challenges the wisdom of doing nothing while waiting for the "ultimate fix." Such an argument should prove to be particularly attractive to dam owners and operators who are concerned about limiting their liability in such situations. Decisions on the selection of interim solutions are based on the schedule for construction of permanent solutions versus construction of interim solutions, the safety and economic benefits that could be expected from interim solutions, and the costs of interim solutions.

4.2. Tongue River Dam

4.2.1. Background

The Tongue River Dam Risk Assessment was conducted for the dam's owner, the state of Montana, by PRC Engineering (1986), Denver, CO (PRC Engineering is now known as ECI), in association with the writer and Dr. Terry F. Glover of Utah State University and PAC Engineers and Economists. Tongue River Dam is a 91-foothigh embankment dam with a reinforced concrete spillway consisting of a free overflow crest, an open chute, and a solid-type roller bucket energy dissipator. The spillway width varies from 350 feet at the crest to 100 feet at the upstream end of the energy dissipator. The spillway capacity of the Tongue River Dam has been shown to be inadequate to safely pass the PMF without failure at flows well below the PMF. The dam, therefore, poses a high risk to downstream property and lives. A risk assessment was performed to evaluate a number of prescribed alternative actions that have been proposed to help mitigate the current risks. The owner specifically requested an evaluation of total annual costs (i.e., annualized construction cost plus net risk cost associated with failure) for the prescribed alternatives. A comparison of life loss risks for the Tongue River Dam with other life loss risks was also requested.

4.2.2. Summary of Results

The largest estimated probability of failure and net annual risk costs of the existing dam are due to hydrologic loading conditions. Most likely failure modes of the existing dam are progressive failure of the spillway and stilling basin tailrace.

Five alternative project configurations assessed for risk and least cost in this study were selected jointly by state of Montana engineering staff and PRC/RAC from work performed previously by the U.S. Bureau of Reclamation and Harlan Miller Tait Associates. These alternatives were:

Alternative A : Existing dam. Use the existing dam structure with no structural modifications and with present reservoir operating restrictions removed.

Alternative B: Spillway capacity 382,000 cfs (100% PMF). Modify the dam and spillway to safely pass the PMF and increase reservoir storage.

Alternative C: Spillway capacity 103,400 cfs (27% PMF). Modify the dam and spillway to pass a 103,400 cfs flood.

Alternative D: Spillway capacity 60,000 cfs (16% PMF). Modify the spillway and energy dissipator to pass the originally intended design capacity.

Alternative E: Breach. Breach the dam and restore the reservoir area.

A summary of risk assessment results for each of the five alternatives is as follows:

Alternative A: Existing dam has the least total annual cost (sum of annual net risk cost and annualized construction cost) among all the alternatives because the construction cost is zero (see Fig. 2), but has the highest annual risk cost and represents the largest risk to property downstream and lives (annual probability of life loss estimated to be 1 chance in 270, see Fig. 3).

Alternative B: Spillway capacity 382,000 cfs (100% PMF) S capacity 382,000 cfs (100%has the largest total annual cost among all the alternatives, but has one of the smallest risks to downstream property damage and life loss (annual probability of life loss estimated to be 1 chance in 17,600).

Alternative C: Spillway capacity 103,400 cfs (25% PMF) has the second highest total annual cost among all the alternatives and has a small risk to property and life (annual probability of life loss estimated to be 1 in 6,800).

Alternative D: Spillway capacity 60,000 cfs (16% PMF) produces the second largest reduction in annual risk costs for the least total annual cost compared to the existing dam from among all the alternatives and has a significant reduction in the risk to property and life downstream (annual probability of life loss estimated to be 1 in 4,000).

Alternative E: Breach was the only alternative which reduced the annual risk cost to zero, but at a total annual cost exceeding that of Alternative A, Existing dam (see Fig. 2) and with the loss of all project benefits. The risk to life downstream due to dam failure also would be eliminated.

Based on results from the uncertainty analysis--which included sensitivity and regret (Table 1), analyses of the flood frequencies, system responses, and damage estimates--Alternative D remained the top ranked among all alternatives compared to the existing dam in maximum reduction in annual risk cost for least total annual cost, with the exception of Alternative E which eliminates future project benefits. This ranking is a function of economic consequences only and does not include life loss considerations.

The ranking of all alternatives on the basis of downstream risk to life from highest to lowest risk is A, D, C, B, E. Although Alternative D is ranked second highest to the existing dam (Alternative A), it is evident based on Fig. 3 that the risk to life is significantly reduced between Alternative A and all the others. Therefore, Alternative D compares favorably with Alternatives B, C, and E in effectively reducing the probability of life loss downstream from the probability associated with the existing dam, Alternative A. Cost-to-save-a-life for Alternative D is estimated to be of a magnitude similar to that found in other regulated areas of public safety (see Fig. 4).

The conclusions reached in the Tongue River study were all predicated on the assumptions that (1) legally the State of Montana would not be liable for punitive damages, and (2) economically the state's liability would be limited to the incremental damages that exceeded those attributable to natural flood flow that would occur without the Tongue River dam. Any changes in the assumed legal environment could significantly alter the conclusions of the risk assessment approach followed. A legal opinion by Montana State legal counsel addressing this subject was contained In the PRC Engineering (1986) project report.

4.2.3. Study Outcome

The Tongue River Dam risk assessment illustrates a risk-based comparison of several structural and nonstructural alternatives for addressing Spillway inadequacies. An uncertainty analysis was conducted on the total annual costs. An evaluation of threat-to-life due to dam failure is also presented. This evaluation is presented both in probabilistic terms and also as cost-to-save-a-life for each remedial action alternative. The Tongue River Dam risk assessment was used as a basis for tile decision by tile owner to continue operating restrictions, improve the dam bleak flood warning system, and seek federal government funding for upgrading the dam.

4.3. Bear River-Dams

4.3.1. Background

The Bear River Decision Analysis examined a series of four dams on the Bear River in Idaho and Utah. The dams are owned by Utah Power and Light Company (UP&L). The study was conducted by ECI and RAC (ECI/RAC 1988). Beginning upstream the four dams are Soda Point, Grace, Oneida, and Cutler. Results for Oneida Dam ate presented to illustrate an incremental consequence assessment (ICA) for both economic and life loss consequences. Also, risk assessment (RA) results for Oneida Dam are presented. These results illustrate the threat posed to downstream dams by upstream dams in probabilistic, economic, and safety terms.

Oneida Dam is a concrete gravity structure, 110 feet high, with a 40-foot-high embankment located in a saddle to the left of the concrete dam. The dam does not meet the PMF standard or the maximum credible earthquake standard, but it does meet the Federal Energy Regulatory Commission's (FERC) criteria for the internal condition of the dam. The dam is located 28.2 miles downstream of Grace Dam and 55 miles upstream of Cutler Dam.

The event tree risk model for Oneida Dam is presented in Fig. 5. A summary of results for the Oneida Dam is presented in Table 2. The table is divided vertically into sections for conventional dam safety assessment following the FERC guidelines and sections for ICA and RA. Results are summarized for hydrologic, earthquake, and internal initiating event types. Reference is made to the following remedial action alternatives: decommissioning the dam, anchoring the concrete dam and raising the embankment, and implementing a dam failure warning system.

4.3.2. Summary of Results--Incremental Consequence Assessment

Incremental hazard to human life. Failure of the existing Oneida Dam is not expected to result in additional life loss above that projected from the effects of a natural flood without the dam in place. This finding also applies to cases where Oneida Dam might fail due to flood-caused failure of the upstream Soda Point Dam. Therefore, upgrading of the dam to safely pass the PMF (by installing anchors in the concrete dam and raising the embankment) is not projected to reduce the hazard of life loss.

For an earthquake-caused failure of Oneida Dam, life loss is predicted to be about eight lives. Upgrading the dam to withstand the maximum credible earthquake could be achieved by adding anchors to the concrete dam, which would reduce predicted life loss to zero.

Incremental economic damages. Increases in economic damages due to dam failure vary with the flow rate at which dam failure is postulated (see Fig. 6). The maximum increase for the existing Oneida Dam for a general storm flood is projected to be $28 million, with only $0.5 million of non-UP&L losses. For thunderstorm floods, the maximum increase is projected to be $26 million with only $0.3 million of non-UP&L losses. These levels of UP&L damages, while not small, are, according to UP&L representatives, within the insurance coverages that UP&L carries.

Damages for earthquake failure of the existing Oneida Dam are projected to be up to $27 million for an overstress failure of the concrete dam, with only $0.8 million of non-UP&L losses. No earthquake failure damages are predicted for the embankment dam because it is considered to meet the MCE standard.

4.3.3. Summary of Results--Risk Assessment

Risk of incremental life loss. No chance of incremental or increased life loss is projected from the flood-caused failure of Oneida Dam when compared with the case of no dam.

It is predicted that if an earthquake failure of the concrete dam occurred, then about 8 lives could be lost. The chance of failure of the Oneida concrete dam is estimated to be 1 in 43,500 per year for earthquake failure, and 1 in 18,000 per year for an internal failure. If internal failure of the embankment occurred, then about 6 lives could be lost. The chance of such a failure occurring is estimated to be about 1 in 110,000 per year. These chances of life loss resulting from the failure of Oneida Dam are much lower than the historical probability of life loss from dam failures in the United States due to all causes (i.e., flood, earthquake, and internal failures), which is 1 in 5,000 per year.

The existing concrete and embankment sections of the Oneida Dam have been found to satisfy FERC criteria with respect to their internal condition. Also, the embankment section is considered to meet the MCE standard.

Cost-to-save-a-life. The cost of increasing human safety can be expressed on a "per statistical life saved" basis (i.e., cost-to-save-a-life). This is the cost of providing safety and not in any sense of value for human life. Since no life loss could be attributed to the Oneida Dam under flood loading, it follows that upgrading of the dam would not be predicted to save any lives. Therefore, the cost-to-save-a-life for remedial upgrading of the flood performance of the dam is infinitely large.

The cost-to-save-a-life for installing anchors in the concrete section of the Oneida Dam to withstand the maximum credible earthquake is calculated to be approximately $2.7 billion per life saved.

A dam-break/flood-warning system was considered for reducing the risk of life loss in the event of an earthquake or internal failure of Oneida Dam. It was calculated that the cost-to-save-a-life for this system is approximately $107 million per life saved. However, this system is not expected to reduce life loss at the Oneida Hydro Facility itself since it is located immediately below the dam. If the Oneida Dam is decommissioned, the cost-to-save-a-life is calculated to be approximately $1.6 billion per life saved.

These costs can be compared with costs-to-save-a-life calculated for regulated areas such as nuclear power plant design ($4-$10 million), environmental protection ($4 million), and occupational health and safety ($4.5 million and $300 million for OSHA benzene regulations--see Fig. 4).

Probability of dam failure. The chance of a breach failure of Oneida Dam from floods, earthquakes, and internal causes (see Fig. 7), is estimated to be 1 in 6,500 (1.6 x 10 ^-4) per year. This is lower than the historical probability of dam failure in the United States due to all causes. The chances of failure of either the concrete or embankment dam are estimated to be approximately equal (see Fig. 8).

Information on annual failure probability is combined with the Incremental consequence assessment results (incremental economic damages) in histograms in which Incremental damages are shown separately for general and thunderstorm initiating events and damages occurring to the owner (UP&L) and to other parties (non-UP&L). Figures 9 and 10 are example histograms of net damages to UP&L and to other parties for the general storm. Failure probabilities are divided between the concrete dam and embankment hydrologic failure modes.

Benefit cost ratio. Economic benefits are predicted to be less than 1% of the estimated cost for installing anchors in the concrete dam and raising the embankment. No structural alternatives were considered for internal failure modes, since the Oneida Dam has been found to meet FERC standards for these cases.

Total annual cost. The sum of the predicted annualized damages (net risk costs) and estimated annualized costs is $420,000 for installing anchors in the concrete dam and raising the embankment, $2,400 for the do-nothing alternative (i.e., maintaining the existing dam), and $249,000 for decommissioning the facility. Thus, the existing dam alternative was found to have the lowest total annual cost of these three alternatives.

Environmental impacts. A reconnaissance-level environmental evaluation of dam failure impacts was performed. For flood-caused failure scenarios, the additional area of environmental impact is predicted to be small when compared with the natural flooding case. The probability of dam breach impacts occurring was found to be approximately 1 in 6,500 per year.

4.3.4. Study Outcome

The Bear River Risk Assessment and another for the Viva Naughton Dam on the Hams Fork River, WY, were presented to the Federal Energy Regulatory Commission (FERC) by the dam owner, Utah Power and Light Company (UP&L), and ECI/RAC to justify UP&L proposals for upgrading their dams. These proposals were accepted by the FERC. UP&L estimates that they saved approximately $10 million, or twenty times the cost of the study, as the result of using information from the study. A detailed description of this study is presented in ECI/RAC (1988).

The views expressed by the owners' representative (Waite 1989) are testimony to the value of the risk assessment of five dams oil the Bear River and Hams Fork:

Was the Study Worth It? Including the internal utility costs, the risk assessment study for the five dams cost close to $500,000. What did we get for our money besides FERC's discomfort? First and foremost, we developed an in-depth understanding of these dams' potential for failure, and we internally justified the necessary remedial activities. Without this thorough review, we would probably have had bad feelings about any of the work for a considerable time to come, and we may have otherwise sought very costly legal remedies. Second, the study developed alternatives that would probably have been missed or bypassed without this penetrating scrutiny. Based on our initial estimates and contingency plans, we feel the study came very close to saving us $10 million in current remedial costs, about 40% to 50% of the money we had anticipated spending. Third, we felt that FFRC was better able to appreciate the benefit of avoiding some of the work we would have otherwise done, and we were better able to appreciate some of their concerns. For instance, during the study it became rapidly evident that the failure of the plug section at Soda Point Dam and failure of the dam at Grace would be beneficial during a PMF event. Fourth, some of the work, such as the incremental flood studies, would have been needed in any case, and they were a material portion of the study cost, perhaps 20% of the total.