INTERNATIONAL CONFERENCE ON ASPECTS OF CONFLICTS
IN RESERVOIR DEVELOPMENT & MANAGEMENT
3-5 September 1996, City University, London
Reservoir Safety: A Risk Management Approach
David S. Bowles
Professor of Civil and Environmental Engineering
Utah Water Research Laboratory
Utah State University
Logan, Utah 84322-8200, U.S.A.
Introduction
Reservoirs are formed by dams. While reservoirs are designed and operated to reduce such risks as water shortage, downstream flooding, and insufficient draft for navigation, they inevitably create a new risk of dam failure. This risk is characteristically of low probability, but can be of high consequence, with a potential for life loss in addition to economic and environmental damages and social disruption. Thus reservoirs present a societal tradeoff of the everyday benefits of more reliable project outputs, against the remote potential for dam failure. However, the distributions of project benefits and dam failure consequences are seldom congruent. This can result in conflicts between the beneficiaries of a reservoir project and those whose lives and livelihoods are placed at risk, albeit a low probability risk, by the existence of the project.
This paper explores the evolving field of practical risk management approaches to reservoir safety management and decision-making. Various facets of reservoir safety management, which are important throughout the life of a project, are considered. The issues of how society views dam safety in comparison to other risks, and the process by which acceptable safety levels for dams can be determined are also discussed. Both the perspectives of an individual dam owner, and an owner of multiple dams, who is concerned with corporate risk reduction, are considered. The paper draws on the author's experience in conducting risk-based safety assessments for more than seventy dams for owners, operators, and regulators in the U.S. and other countries.
1. Dam Safety Risk Management
1.1 The Context
Dam safety is a very important aspect of reservoir management. Practical dam safety management is intrinsically risk management in which risks are assessed and alternative risk reduction and control strategies are evaluated and implemented with the goal of avoiding unacceptable risks. In the past, reservoir managers have not always given sufficient attention to dam safety. Also, the explicit consideration of dam failure risks has not been practiced by the dam engineering profession.
Today, many dams that were constructed decades ago do not meet the current state-of-the-art in dam design practice. In many cases downstream development has increased the hazard associated with dam failure. Our understanding of the seismic threat to dams has grown in recent decades. Also today's engineering practice yields more severe safety evaluation floods and earthquakes than most existing dams were designed to withstand. To bring dams into compliance with modern standards it is often necessary to make significant capital expenditures. These expenditures were not anticipated at the time of project planning and often cannot be funded from existing project revenues. Dam owners, financial institutions, politicians, and others are questioning the justification for these investments, and are wondering how dam safety requirements compare with safety requirements in other fields.
In many cases seismic, flood capacity, and state-of-the-art deficiencies have not been addressed many years after they were identified. In some countries these dams are being transferred from government to private ownership, or at least to governmental entities which are expected to function according to business principles. Those who are becoming responsible for these dams can no longer expect government to fund dam safety remedial works, and often they are not protected by governmental immunity. Thus dam safety decisions are increasingly becoming business decisions rather than engineering decisions.
In the process of making dam safety decisions, it is necessary to consider a plethora of factors including public safety responsibilities, limitations on borrowings, market or other pricing constraints, business criticality, public opinion, loss financing, liability, and due diligence. In this context engineers are being challenged to justify the degree of conservatism associated with their dam safety recommendations, or the relative importance of addressing seismic deficiencies compared with a spillway inadequacy, for example. In this context engineers are being asked to provide risk-based assessments which serve as inputs to a business decision making process in which dams are a key asset. The cost effectiveness of both structural and non-structural risk reduction measures has become a more prominent consideration. In short, dam safety risks are being managed in a more open, informed, and holistic manner than ever before.
1.2 Decision Issues
Dam safety risk management is concerned with both recurring and nonrecurring activities. Routine activities such as preventative maintenance, surveillance, monitoring, and inspections play a very important role in preventing the development of conditions which could threaten the integrity of a dam. It is essential that each of these activities be performed by well-trained personnel under the supervision of qualified and experienced dam engineers. Decisions must be made on the frequency and extent of each of these activities.
Many dams require that operating rules be developed and faithfully implemented during flood operations. The development of these rules often involves risk tradeoffs between flood control and other project purposes, and sometimes margins of dam safety. In addition, dam safety emergency warning systems and evacuation plans can be very important for reducing the threat to life associated with dam failure for all types of dam failure modes. Decisions must be made on the detection of conditions which can lead to failure mode initiation, criteria for notification of authorities who are responsible for issuing warnings and overseeing evacuation, and the degree of redundancy in system design which is needed to achieve the desired level of reliability.
Engineering assessments of dam safety are characterized by uncertainties in foundation conditions and material properties in existing dams. These uncertainties can lead to overdesign, or at least to uncertainties in the costs of remedial works. Decisions must be made on the potential value of costly additional engineering investigations, testing, and analyses aimed at reducing these uncertainties. Similarly, the determination of design floods and earthquakes often involves subjective judgements which can significantly affect the cost of remedial works. Again, these judgements should be viewed from the broader perspective of inputs to dam safety decisions. Efforts should be made to better justify or improve these judgements if these efforts can be justified on the basis of the potential improvement in the quality and costs associated with dam safety decisions.
When deficiencies are identified with respect to engineering standards, decisions must be made as to the appropriateness of those standards for the dam in question. Also the urgency of addressing each deficiency must be assessed to prioritize remedial actions at a single dam or across a portfolio of dams. This assessment should include not only long term structural options, but a full range of nonstructural options. Consideration should also be given to interim risk control measures such as operating restrictions. A full assessment of the risks posed by existing structures and the potential for risk reduction through various alternatives should be systematically assessed by qualified and experienced dam safety professionals and provided to decision makers. Such assessments should include not only engineering, public safety, and economic aspects but also consideration of the social, cultural, and environmental consequences of dam failure and various remedial actions.
2. Practical Dam Safety Risk Management
Risk management comprises a sequence, or more accurately a cycle, of steps beginning with risk identification and proceeding to risk estimation, risk evaluation, and risk control (aversion), which leads back to risk identification and a continuation of the cycle. In the following subsections the importance of a decision focus for dam safety risk management is emphasized, followed by a discussion of risk assessment procedures and acceptable risk, adapted from Bowles et al (1996).
2.1 Decision Focus
A recent National Research Council (1996) report, Understanding Risk: Informing Decisions in a Democratic Society, states that: "Risk Characterization should be a decision-driven activity, directed toward informing choices and solving problems". Thus the decision issues identified in Section 1.2 should drive the process of risk assessment. By making risk assessment a decision-driven process, a focus for risk assessment outputs is established, and a value added basis for deciding how much information is needed to conduct a risk assessment is provided, thus breaking any tendency to indefinitely investigate dam safety deficiencies.
In striving to achieve a decision-driven process it is important to define decision issues, the decision-maker, the role of the community, and decision criteria. A full range of structural and non-structural measures for risk reduction should be considered, and the sequencing of their implementation should be arranged to achieve the most rapid risk reduction that can be justified. Such a risk-based approach to dam safety management can be expected to result in cost effective risk management, and often in more rapid and sometimes greater risk reduction than is the case for conventional approaches to dam safety decision making which engineering considerations and practice.
2.2 Risk Assessment
In this subsection the steps in a dam safety risk assessment, based on systematic evaluation of all credible failure modes, are summarized from Bowles (1990). In developing a holistic approach to business based asset management of dams, Failure Modes Effects and Consequences Analysis (FMECA) can also be most useful (see Table 1) for screening and prioritizing a wide range of dam safety-related activities, including the development of reliability-centered maintenance schedules. In addition, a new initiative by the U.S. Bureau of Reclamation to establish performance parameters which can be used to identify the potential for the initiation of failure modes through deviations from normal operating conditions has shown great potential for broadening the base of those who can play a meaningful role in dam safety surveillance and monitoring activities.
The four major steps in a dam safety evaluation risk assessment are shown as row headings in Figure 1. Risk identification involves recognizing and listing the various factors which could contribute to the risk of dam failure, and organizing these into logical event sequences which cover all "reasonably probable" failure modes. Such an organization is referred to as an event tree. It serves as the risk model for evaluation of existing dam safety, or the effectiveness of proposed rehabilitation (risk aversion) alternatives.
The second step is risk estimation which involves assigning probabilities to each branch in the event tree model and assessing the consequences of dam failure for each failure mode, which is represented by a separate branch in the event tree. Much engineering analysis, precedent, and the quantifying of engineering judgement is required for this step. The output is an estimate of the probability of failure and life loss or economic consequences that would be associated with each failure mode, or combination of failure modes, for the existing dam (i.e., the do nothing alternative). In addition, the identification and estimation steps typically provide both engineers and non-engineers with many valuable insights into the safety issues and options for a particular dam.
The third step in the risk assessment process is the decision as to what degree of safety, or equivalently what residual risk, is tolerable or acceptable. Although the engineer can supply informational inputs to this risk acceptance decision, the decision should be made by the dam owner, operator, or regulator on the basis of engineering and other inputs as discussed in Sections 1.1 and 2.2. The decision is especially sensitive and difficult where human lives are at risk, or where large investments will be required to improve safety.
Risk aversion, the fourth step, involves formulation, evaluation, and eventually implementation of structural and non-structural actions or measures which are designed to reduce risks below current levels. Risk aversion can be achieved by reducing or avoiding the probability of dam failure, or its consequences. Figure 1 lists some examples of aversion measures in the "row" labeled "aversion". These examples are linked by arrows to the probability or consequence that would be expected to be reduced by their implementation. The product of the aversion step is an estimate of the reduction in probability of failure or life loss, economic, and other consequences.
A risk assessment should be staged to ensure that study efforts are expended efficiently. By performing a preliminary risk assessment, the relative importance of various factors (e.g., hydrologic loading vs. seismic loading, gate failure vs. toe erosion), and their associated uncertainties, can be assessed. This information can be used to allocate the study effort in such a way that relatively minor risk contributors are not given a disproportionate or unjustifiable part of the dam safety evaluation effort.
2.3 Basis for Acceptable Risk Criteria
Dams, like many other technological facilities, produce benefits for society at a cost and with associated risks. The costs, especially for existing dams, are relatively certain; the benefits are quite likely if the project is well conceived and well managed; but the risks are typically low probability and sometimes catastrophic in nature. A "zero risk" safety goal is practically unattainable for dams and other technological facilities. Also the law of diminishing returns often applies with rapidly increasing expenditures in dam safety remedial actions yielding little risk reduction as a "zero risk" goal is approached. An appropriate balancing of risks, costs, and benefits is needed.
There are many ways to achieve a balance between the risks, costs, and benefits of a dam depending on the choice of decision criteria. Acceptable risk criteria can be based on probabilistic, life loss, economic, or other considerations such as environmental, social, and cultural factors. A purely probabilistic criterion takes no account of the magnitude of consequences associated with a dam failure. In contrast, life loss and economic criteria usually include both consequence and probability measures. However, a solely economic criterion in which human safety is commensurated with economic costs and benefits involves placing a value on a human life and is fraught with ethical and moral problems. Unless life loss is not considered to be a potential consequence of dam failure, economic criteria should not be considered in isolation from life loss criteria in the evaluation of dam safety risks. Some examples of economic criteria include: insignificant incremental economic damages; acceptable benefit-cost ratio or rate of return on investment in proposed remedial action; and minimum total annual economic cost criterion used to select the capacity of the remedial alternative (Bowles et al 1996).
A practical approach to evaluating acceptable risk should consider the legal system which applies, the expectations and values of society and especially any affected communities, any practical limitations in achieving desired risk levels, and the economic and financial realities of risk reduction. The societal and individual life loss criteria which are summarized in the following subsection, when combined with cost effectiveness criteria, are an attempt to address most of these considerations. For a more detailed discussion of acceptable risk criteria for dam safety the interested reader is referred to Bowles et al (1996).
2.4 Life Loss Criteria
2.4.1 Societal risk
Society expects higher levels of protection as the number of lives that would be lost from a single dam failure increases. The frequency-consequence charts (referred to as F-N charts) of Figures 2 and 3 are a graphical tool for characterizing society's tolerance for loss of life. They can be used to evaluate the safety of dams and other technological facilities against societal risk criteria. On the vertical axis, the F-N chart contains F, the (exceedance) probability (or frequency) of incremental loss of life exceeding the value N, which is shown on the horizontal axis. Incremental life loss is defined as the difference between dam failure and no-failure life losses. Both the F and N scales are logarithmic. In Figures 2 and 3 the downward sloping lines are tolerable or acceptable risk criteria which are currently in use for dam safety. The decrease in these probabilities with increasing life loss represents the decreasing tolerance of society for increasing magnitudes of life loss. The approach also allows for more stringent criteria to be applied to protect an identifiable individual than for random, unidentified individuals.
The F-N approach to dam safety evaluation is currently being used by British Columbia Hydro, the Australian National Committee on Large Dams, the Netherlands Government, the Government of South Africa, and the U.S. Bureau of Reclamation. Numerous other groups in various countries have adopted the approach for such purposes as land use planning close to hazardous industrial facilities and nuclear power plants. In an evaluation of the risks associated with twenty Australian dams, Bowles et al (1995) showed that existing hazard-based dam safety criteria for flood security from several countries can prescribe acceptable risk levels that are more stringent than those at nuclear power plants.
2.4.2 ALARP principle
The F-N chart does not explicitly consider the cost of providing additional safety. However, in some cases (e.g., ANCOLD 1994), a more stringent objective criterion, and a less stringent limit criterion are defined (see Figure 2). In these cases Higsen (1990) proposes that the upper confidence limit estimates of F and N which represent an existing facility (dam) should be compared with the limit line and best estimates should be compared with the objective line.
The region between the limit and objective lines is a region in which risks are to be managed by the ALARP principle, "as low as reasonably practicable". In the ALARP region risks are "acceptable only if all reasonable practical measures have been taken to reduce risks" (IAEA 1992). Rowe (1977) suggests that the ALARP concept can be evaluated in terms of a) cost-to-save-a-life, or b) diminishing economic returns associated with risk reduction measures. Based on these measures of cost effectiveness and also the legal construct of "de minimis" risk, application of the ALARP principle should not be limited to the zone between the limit and objective lines, but should be applied in all cases (Bowles et al 1996).
Cost-to-save-a-life for a dam safety risk reduction measure (e.g. rehabilitation measure such as widening a spillway or foundation soil densification, or an emergency warning and evacuation system) is defined as:
Typically, that part of the risk reduction measure costs which is not justified by the decrease in economic damages (calculated as the reduction in risk costs) is allocated to human safety in the numerator in the above expression. However, some risk reduction costs could also be allocated to the cost of reducing other risks such as those to the environment. The denominator is calculated as the difference between expected annual life loss for the existing dam and the risk reduction measure (corresponding to the difference between the value of F-N products associated with one-to-one downward sloping lines of the F-N chart for the existing dam and the risk reduction measure). For a given risk reduction alternative, cost-to-save-a-life combines the cost of improving public safety, the decrease in the probability of potential life loss, and the change in the number of lives which would be lost, into a single measure of cost-effectiveness on a per statistical life saved basis. It should not be confused with placing a value on a human life. Cost-to-save-a-life for a remedial action can be compared with values obtained for other activities which are judged to be socially comparable risks and thus make an assessment of ALARP considerations and "de minimis" risk. It can also be used to prioritize dam safety rehabilitation expenditures, and thus maximize the rate of public safety improvements at a single dam, or for a portfolio of dams, subject to the limited availability of funds and consideration of societal risk limit and objective criteria.
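The sketch below is an added example, not part of the original paper. It carries the event tree estimation of Section 2.2 through to F-N points (Section 2.4.1) and to the cost-to-save-a-life measure as described in the paragraph above. All probabilities, life loss figures, and costs are constructed, and the use of an annualized cost in the numerator is an assumption.

```python
# Added illustration (not from the paper). Every number below is constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Branch:
    """One event-tree path that ends in a failure mode."""
    failure_mode: str
    load_prob: float      # annual probability of the initiating load
    response_prob: float  # P(dam fails | load), a quantified engineering judgement
    life_loss: float      # incremental life loss N (failure minus no-failure)
    damages: float        # incremental economic damages, currency units

    @property
    def annual_prob(self) -> float:
        return self.load_prob * self.response_prob

def failure_probability(tree):
    """Annual probability of failure, treating paths as mutually exclusive."""
    return sum(b.annual_prob for b in tree)

def expected_annual_life_loss(tree):
    """Sum of the f*N products over all failure modes."""
    return sum(b.annual_prob * b.life_loss for b in tree)

def risk_cost(tree):
    """Expected annual economic damages."""
    return sum(b.annual_prob * b.damages for b in tree)

def fn_points(tree):
    """(N, F) pairs, F being the annual probability of life loss of at least N."""
    points, cumulative = [], 0.0
    for b in sorted(tree, key=lambda b: b.life_loss, reverse=True):
        cumulative += b.annual_prob
        if points and points[-1][0] == b.life_loss:
            points[-1] = (b.life_loss, cumulative)  # merge paths with equal N
        else:
            points.append((b.life_loss, cumulative))
    return points

def cost_to_save_a_life(existing, with_measure, annualized_cost):
    """Cost per statistical life saved; None if the measure saves no lives.

    Assumption: the cost is annualized so that it is commensurate with
    expected annual life loss. The part of the cost justified by reduced
    risk cost is removed from the numerator, as the text describes.
    """
    lives_saved = (expected_annual_life_loss(existing)
                   - expected_annual_life_loss(with_measure))
    if lives_saved <= 0:
        return None
    safety_cost = annualized_cost - (risk_cost(existing) - risk_cost(with_measure))
    return max(safety_cost, 0.0) / lives_saved

def modify(tree, failure_mode, **changes):
    """Copy of the tree with one failure mode's branch altered."""
    return [replace(b, **changes) if b.failure_mode == failure_mode else b
            for b in tree]

EXISTING = [  # the "do nothing" alternative (constructed values)
    Branch("flood overtopping", 1e-3, 0.5, 100, 200e6),
    Branch("seismic", 1e-4, 0.2, 20, 50e6),
    Branch("piping", 1.0, 1e-5, 5, 30e6),
]

# Two aversion measures: one cuts probability, the other cuts consequences.
MEASURES = {
    "widen spillway": (modify(EXISTING, "flood overtopping", response_prob=0.05), 400_000),
    "warning and evacuation": (modify(EXISTING, "flood overtopping", life_loss=20), 60_000),
}

def rank_measures(existing, measures):
    """Measures ordered by cost-to-save-a-life, most cost effective first."""
    scored = [(name, cost_to_save_a_life(existing, tree, cost))
              for name, (tree, cost) in measures.items()]
    return sorted((s for s in scored if s[1] is not None), key=lambda s: s[1])

if __name__ == "__main__":
    print("P(failure) per year:", failure_probability(EXISTING))
    print("F-N points:", fn_points(EXISTING))
    for name, csl in rank_measures(EXISTING, MEASURES):
        print(f"{name}: {csl:,.0f} per statistical life saved")
```

With these constructed inputs the warning and evacuation system ranks ahead of the spillway widening, even though only the latter lowers the probability of failure.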
2.4.3 Individual risk
Society typically expects a higher level of safety for an identifiable individual than for random deaths of people who cannot be identified prior to the occurrence of a life threatening event. For example, if a person lives immediately below a dam which had the potential to fail in the event of a major earthquake and would have little or no chance of escape, then that person would be counted as an identifiable life loss. Individual risk criteria are usually applied to the individual who has the highest probability of life loss due to dam failure. The limit and objective values of acceptable probability of life loss for this most critically exposed and identifiable individual would normally be lower than the random individual represented at N=1 for societal risk criteria on an F-N chart. Commonly used values would be 10^-4 and 10^-6 per year for limit and objective values of acceptable probability of life loss, respectively (B.C. Hydro 1993, Shortreed et al 1995).
3.0 Benefits of a Risk Management Approach
The following is a summary of benefits that are commonly realized from the application of a risk management approach to dam safety:
Systematic approach to risk reduction
Systematic identification and ranking of failure modes
Cost effectiveness of risk reduction measures
More comprehensive engineering analyses
Comparison with risks at other types of facilities
Accounts for site specific aspects
Facilitates effective communication
Facilitates effective review and quality assurance
Based on traditional engineering analysis methods and engineering judgements
Provides inputs to the decision process and not the decision
Facilitates transparency in technical and other aspects of decision process
Provides basis for deciding on additional investigations, analysis, and monitoring
Provides inputs to assessing legal liability, due diligence, business risks, and loss financing positions
4.0 Conclusions
Risk-based approaches to reservoir and dam safety management have sometimes been maligned, misunderstood, or ignored. However, dam safety management is and always has been intrinsically risk management. Today, the changing context for dam safety management described in Section 1.1 is providing a natural setting for the adoption of risk assessment. When properly conducted by experienced dam engineers it can provide valuable and understandable inputs to the decision making process. Increasingly these decisions are becoming broadly based business decisions rather than the traditional predominantly technically-based decisions. When a decision-driven approach to dam safety risk assessment is adopted, it can be efficiently conducted in a manner which adds value to the decision process and improves the quality of the decisions themselves. Risk assessment should be a well-documented process which facilitates transparency amongst professionals and other dam safety stakeholders. Although there are no guarantees in a common law system, it would seem reasonable that by following a risk management approach the dam owner should be better able to identify strategies which minimize his legal liability while more rapidly realizing greater public safety in a more cost effective manner than would otherwise be expected. As the number and variety of practical applications of risk management increase, the practice of risk assessment and risk management in the dam safety field can be expected to become better developed, better understood, and more widely accepted by the profession. This process is already underway in several countries and is about to begin in others.
References
Acknowledgments
The work upon which this paper is based has been performed through a series of research and consulting projects. Major projects have been conducted for: Office of Water Reform (now the Water Bureau), State of Victoria, Australia; Office of the Utah State Engineer; U.S. Bureau of Reclamation, and Utah Water Research Laboratory at Utah State University. The author has drawn on his experience in completing risk assessments on more than seventy dams for these and other dam owners, operators, and regulators in the U.S. and overseas.
Biographical Sketch--Dr. David S. Bowles
Dr. Bowles is a Professor of Civil and Environmental Engineering at Utah State University, Logan, Utah, U.S.A., and until recently was Director of the Utah Water Research Laboratory, a large and well recognized water research group in the U.S.A. He is also a Principal with RAC Engineers & Economists which specializes in risk-based approaches to dam safety evaluation and management. He has held senior management positions with Law Engineering, a large U.S. consulting firm, and has worked in design and construction engineering in the U.K. He holds a B.Sc. in Civil Engineering from The City University, London, and a Ph.D. in Civil and Environmental Engineering specializing in Water Resources and Hydrology from Utah State University.
Dr. Bowles is a licensed Professional Engineer and is certified as a Professional Hydrologist by the American Institute of Hydrology. He is a member of many professional organizations and is a Fellow of the American Society of Civil Engineers (ASCE) and the American Water Resources Association (AWRA). He has just been appointed to chair a new U.S. Committee on Large Dams (USCOLD) Task Group on Risk Assessment and Risk Management.
Dr. Bowles has pioneered the development and practical application of risk assessment procedures to dam safety decision-making. Since 1985 he has been responsible for dam safety risk assessments on more than seventy dams in the U.S. and overseas. In addition, he has conducted seminars and workshops for dam owners and operators, regulators, and professional groups in many countries.
Currently Dr. Bowles serves as a member of a six-person Peer Review Team for the dam safety programs of six U. S. Department of the Interior agencies, including the U. S. Bureau of Reclamation. He has also served as a technical advisor to the U.S. Bureau of Reclamation for their revision of dam safety risk assessment procedures and the development of acceptable risk criteria, and has facilitated dam safety and emergency operations risk assessments for Reclamation dams. He is currently serving as a dam safety risk assessment consultant to the Water Bureau, State of Victoria, Australia, and the Murray-Darling Basin Commission, Australia.
In addition to dam safety risk assessment, Dr. Bowles is an expert in the determination of probable maximum floods. He is currently responsible for the determination of spillway evaluation floods for seven Sevier River dams in Utah. He also serves as a Specialist Consultant to Sinclair Knight Merz for the re-evaluation of spillway design floods for the Snowy Mountains Hydro-electric Authority dams, New South Wales, Australia.