2 Professor and Head, Civil and Environmental Engineering, Utah State University, Logan, ... for each dam is given in the bar chart below the table in Figure 1.
DAM SAFETY DECISION-MAKING: COMBINING ENGINEERING ASSESSMENTS WITH RISK INFORMATION David S. Bowles1, Loren R Anderson2, Terry F. Glover3, and Sanjay S. Chauhan4 Starting a quarrel is like breaching a dam; so drop the matter before a dispute breaks out. Proverbs 17:14 (NIV)
ABSTRACT A decision recommendation justification matrix is proposed as an effective tool for presenting decision justifications to decision makers. The matrix comprises ratings to summarize the outcomes of traditional engineering assessments and risk assessments. The approach can be adapted to any dam owner’s unique decision context and any national or jurisdictional engineering assessment practice or system of risk evaluation guidelines, including ALARP. Three decision types are addressed: setting tolerable risk goals for individual dams, identifying a risk reduction pathway for a portfolio of dams, and managing residual risk on an on-going basis. Examples of either the traditional engineering approach or a risk assessment approach leading to more stringent risk reduction justifications are illustrated. INTRODUCTION There is a consensus that risk assessment should be used as a supplement and not as a replacement for the traditional dam safety approach (USSD 2002). This is sometimes referred to as a “risk-enhanced” approach. It provides the benefits of improved understanding and management information from risk assessment for management, while maintaining an important reference to established good practice. In the risk-enhanced approach there exists a need to clearly and succinctly present risk assessment outcomes, alongside the traditional engineering approach outcomes, so that non-technical decision makers and other stakeholders can readily assimilate the significance of both. The approach must be suitable for summarizing a large number of engineering and risk assessment outcomes, both of which might be difficult for lay stakeholders and decision makers to readily understand. Dam safety decision processes vary from one owner to another. The engineering or risk analysis teams are typically asked to prepare a decision recommendation for the decisionmaker. Thus risk analysis is used to capture the knowledge and judgments of dam 1
Professor of Civil and Environmental Engineering and Director, Institute for Dam Safety Risk Management, Utah State University, Logan, Utah 84322-8200; and Principal, RAC Engineers & Economists. 2 Professor and Head, Civil and Environmental Engineering, Utah State University, Logan, Utah 843224110; and Principal RAC Engineers and Economists. 3 Professor of Economics, Utah State University, Logan, Utah 84322-3530; and Principal RAC Engineers and Economists. 4 Research Assistant Professor of Civil and Environmental Engineering, Utah State University, Logan, Utah 84322-8200; and Staff Engineer, RAC Engineers & Economists.
engineering professionals, while risk evaluation is used to judge the significance of the estimated risks. In this manner, risk assessment provides inputs to a decision process, but not the decision itself. In combination with information from other sources, including traditional engineering analyses and standards, a decision recommendation justification5 can be developed for investing resources in dam safety improvements. Such a justification is sometimes referred to as “business case”. The specific form of information included in a business case will vary depending on the decision context. Decisions about risk reduction measures (fixes) take place within the iterative framework of a dam safety program. Usually this would include a system of periodic inspections and safety reviews; and for owners with developed risk assessment programs, risk assessments would typically be updated at the time of periodic safety reviews. These provide an opportunity to review past decisions, and to obtain additional information so that an acceptable level of confidence can be achieved to make a defensible case for riskreduction measures, or for doing nothing. In this paper, we discuss ways to use this information for making a decision recommendation justification or business case for options under the three decision types, as follows: 1) Setting tolerable risk goals - How safe is safe enough? 2) Identifying a risk reduction pathway6 - How to reach safety goals for a single dam or a portfolio of dams? 3) Managing residual risk – How to maintain tolerable risk throughout the risk reduction pathway and beyond? ENGINEERING ASSESSMENT RATINGS Rating System Engineering assessments indicate whether dams are expected to meet established good engineering practice. A rating system, which was first developed for the Victorian Review of Headworks (SMEC/RAC 1995), has been broadened and adapted for owners in several countries. Pass, “P”, and No Pass, “NP”, ratings are assigned when sufficient information is available to make assessments with the normal level of confidence associated with established good practice in a particular country or jurisdiction. When insufficient information is available, Apparent Pass, “AP”, and Apparent No Pass, “ANP”’ ratings are judgmentally assigned by dam engineers to indicate the most likely outcome after sufficient investigations have been completed to achieve the usual level of confidence. “Apparent” (i.e. “AP” or “ANP”) ratings therefore indicate the need for investigations. “NP” or “ANP” ratings indicate the demonstrated or likely justification, respectively, for risk reduction measures to meet current engineering practice. 5
In using the term “justification” we do not imply an automatic decision based the result of applying a risk evaluation criterion to the results of risk analysis. 6 A risk reduction pathway is a sequence of risk reduction measures and associated investigations.
Ratings are assigned for a list of engineering assessment factors, such as those listed in Table 1, which were developed for the US Army Corps of Engineers (RAC 2002). Factors are grouped by types of initiating events and dam subsystems. The rating system does not impose any prescribed level of confidence or types of engineering analysis. Thus, it is completely adaptable to different jurisdictions. Presentation of Engineering Assessment The table in Figure 1 illustrates the presentation of engineering ratings for flood assessment factors for several hypothetical dams based on UK Reservoir Safety practice. The bar chart to the right of this table shows how the percentages of each type of rating can be displayed for each assessment factor across a portfolio of dams. A similar summary of the percentages of each type of rating across all types of assessment factors for each dam is given in the bar chart below the table in Figure 1. Engineering ratings can be aggregated for an initiating event type, such as floods, by using the lowest rating7 with dam failure potential across all factors of that initiating event type. They can also be used for screening to select a subset of a portfolio of dams for traditional or risk-based dam safety evaluations (RAC 2002). Application of this rating system has proven useful for communicating the status of dam safety and the status knowledge about dam safety, including the need for investigations, about dam safety for many portfolios of dams. It can be used to track and report changes as investigations or fixes are completed. TOLERABLE RISK Concept of Tolerable Risk Risk evaluation is “the process of examining and judging the significance of risk” (ICOLD 2002). The USBR makes routine use of its Public Protection Guidelines (USBR 1997) for evaluation of life safety risks at its dams. In Australia, it is common to consider the societal and individual life safety guidelines proposed by ANCOLD (1994, 2001). The terms acceptable risk and tolerable risk are not equivalent. Tolerable risk, rather than acceptable risk, is becoming generally accepted as the goal for risk management. Tolerable risk8 is defined by ICOLD (2002) as “a risk within a range that society can live with (1) so as to secure certain net benefits. It is (2) a range of risk that we do not regard as negligible or as something we might ignore, but rather as something (3) we need to keep under review and (4) reduce it still further if and as we can.” According to the HSE (2001), high individual risk and societal concerns may be classified as ”unacceptable” risks in that they would be “regarded as unacceptable whatever the benefits” unless they 7
In descending order, the engineering ratings are as follows: “P”, “AP”, “ANP”, “NP”. Numbers in parentheses are used to identify four ‘conditions for tolerability of risk”. The fourth condition is part of the ALARP principle. 8
can be reduced to be tolerable or “there are exceptional reasons for the activity or practice to be retained.” ALARP Evaluation It is common to qualify tolerable risk guidelines with the “as low as reasonably practicable” or ALARP principle. This principle is well-established risk management and has a strong basis in the common law legal system. ALARP is implied in the fourth condition of the definition of tolerable risk presented above. HSE (2001) refer to the implementation of the ALARP principle as requiring a “gross disproportion” test applied to individual risks and societal concerns, including societal risks. The gross disproportion is between the cost9 of an additional risk reduction measure and the estimated amount of that risk reduction. Rowe (1977) proposed that cost/benefit measures, such as cost per statistical life saved (CSLS)10, be used to assist in implementing this test. Minimum values of CSLS, referred to as the value of preventing a fatality [VPF, (HSE 2001)], can be used to estimate the degree of disproportionality. Such estimates should inform and not to prescribe the ALARP test outcome and ensuing decisions. Incommensurable and intangible factors should be included in the overall ALARP evaluation. Rather than use a single threshold value of CSLS (i.e. VPF) for comparison with values estimated for risk reduction measures, we believe that it is preferable to associate ranges of values of CSLS with the strength of “ALARP justification” to proceed with a measure. The use of only a single value appears to be inconsistent with the common law legal framework, which provides for no such prescriptions or “bright lines”. Table 2 is an example of ALARP justification ratings defined for ranges of increasing magnitudes of CSLS. It is based on U.S. Federal Government practice (OMB 1992) and Viscusi (1998). However, Table 2 should be considered only illustrative. Each owner should develop their own position on the definition and interpretation of such ratings. Fundamental to the evaluation of the ALARP principle is the identification of potential risk reduction measures that can be examined to assess whether or not the gross disproportion test has been met. Hence, Fischhoff et al. (1981) state, “One accepts options, not risks.” The careful development of such options, based in part on a failure modes analysis for the existing dam and the proposed remedial measures, is an essential part of an ALARP evaluation. We consider that it should become standard engineering practice to provide assurance that ALARP is met. HSE (2001) state that a comparison against “existing good practice” could be used as an ALARP test if such practice is known to be ALARP. However, at this time, it is not clearly established what aspects of 9
Where cost in considered in broad terms that may include time and effort in addition to monetary aspects. CSLS or VPF are not a value placed on a human life and neither are they the amount of compensation for an accidental loss of life paid by insurance or as the result of legal proceedings. CSLS is the cost of achieving an increment of life safety risk reduction. For example, a CSLS of $10M would result from reducing a risk by 1 in 10,000 per year for 10 persons at risk at an annualized cost of $10,000 per year [CSLS = $10,000/(10/10,000)]. 10
existing good dam safety practice would be ALARP, and which might fall short or go beyond satisfying ALARP. RISK ASSESSMENT RATINGS Ratings are also used to summarize the outcomes of applying risk evaluation guidelines. Several examples of these are defined in Table 3. For example, an “N-StrongL&S” (strong justification for long- and short-term risk reduction) or “N-StrongL (strong justification for long-term risk reduction) rating are used if the USBR (1997) Tier 1 guideline is not met (“N” = “No”) at the level of 0.01 or 0.001 lives/year, respectively. If this guideline is met at the level of 0.001 lives/year, the “Y-ALARP?” rating is used to indicate that the guideline is met (“Y” = “Yes”), but that ALARP still needs to be evaluated. If ALARP is satisfied, a “Y” rating is assigned. Table 3 includes ratings for the USBR (1997) Tier 2 and the ANCOLD (2001) societal life safety risk guidelines. DECISION RECOMMENDATION JUSTIFICATION MATRIX A decision recommendation justification matrix is illustrated in Figure 2. This example comprises the following four major parts: engineering ratings, life safety risk ratings, economic loss risk ratings, and fix justification ratings. In this example the last part comprises B/C ratio and ALARP (CSLS) justification ratings (see Table 2), although other factors, such as environmental, social, and political considerations, could be included if pertinent to the decision context. Figure 2 contains an example of the application of the engineering and risk assessment ratings to two hypothetical existing dams and their risk reduction measures. The measures are sequenced to be additive; thus for Dam A, the supplemental emergency action plan (EAP) (A3) is implemented in addition to a stability berm and filter (A2). The authors have seen examples in practice, which correspond closely to these hypothetical examples. The existing Dam A (A1), under normal operating conditions, does not satisfy the USBR Tier 1 guideline, as indicated by the “N-StrongL&S” normal operating life safety risk rating in Figure 2. This rating is interpreted that there is a strong justification for longand short-term risk reduction. After implementing a stability berm and filter (A2), and a supplemental emergency action plan (EAP) (A3), the Tier 1 guideline under normal operating conditions is still not met, but the rating is improved to “N-StrongL”. This rating indicates that there is still a strong justification for long-term risk reduction, although the ALARP fix justification rating is poor. This is an example of a dam with extensive downstream development and a high potential life loss for normal operating failure modes. Although measures A2 and A3 reduce the life safety risk, it is not small enough to satisfy the Tier 1 guideline. No other structural or non-structural risk reduction measures can be identified for this dam. Therefore two options appear to exist; either the dam is decommissioned on the basis that it poses an unacceptable risk, or it is continued in operation. In the latter case, expert engineering review should take place and it may be appropriate to seek community consent for imposing this level of risk.
In contrast, existing Dam B (B1) does not satisfy the USBR Tier 1 guideline for floods. This is indicated by the “N-StrongL&S” rating for flood life safety risk in Figure 2. The first stage 1:10,000 annual exceedance probability (AEP) flood risk reduction measure (parapet wall) (A2) has a “N-StrongL” rating for the Tier 1 guideline, but the second stage 1:100,000 AEP raise and anchoring (A3) meets this guideline and satisfies ALARP, as indicated by the “Y” rating. The “poor” ALARP fix justification rating for A3 in Figure 2 supports the satisfaction of ALARP. It is also supported by an ALARP evaluation to identify and evaluate risk reduction options (see Section on “ALARP Evaluation). The third stage risk reduction measure (A4) is needed to provide PMF flood capacity for this dam. Although the PMF fix is justified to meet engineering practice, as indicated by the change in the flood engineering ratings from “NP” to “P”, it is not justified by any risk ratings. In Figure 2 color or shading are used to highlight decision recommendation justifications for proceeding to the next level of a fix, thus readily identifying these for decision makers. Double lines are placed under an entry to indicate the lowest risk fix that a particular type of rating provides justification for. In using risk information to make a business case, it is important to take into account the uncertainties in quantitative risk estimates. Both sensitivity and uncertainty analyses can play a useful role in doing this, but the key issue is the robustness of decision recommendation justifications, and ultimately the overall business case. This can be displayed using variations of the decision recommendation justification matrix, although these are not illustrated in this paper. DAM SAFETY DECISION TYPES Type 1) Setting Tolerable Risk Goals The principle focus of the question posed in this section is how low a risk level is low enough in the long term, or how safe is safe enough? The engineering assessment approach uses standards and current good practice as a basis for addressing this question and the risk assessment approach uses tolerable risk guidelines. Since these are different bases for judging safety, it is not surprising that they may lead to inconsistent decision recommendation justifications. Figure 4 illustrates the various combinations of decision recommendation justifications that can be obtained from the two approaches. Consistent decision recommendation justifications for the engineering and risk assessment approaches are identified using dark shading in Figure 4 and inconsistent justifications are identified by cross-hatching. Cases in which further investigations are needed are identified by medium shading with arrows to indicate the direction in which the dam might move on this figure. The four types of ratings from an engineering assessment result in the following three types of decision recommendation outcomes, which are shown in the rows in Figure 4: •
“No fix” - no justification for a fix because the dam meets current practice as indicated by all “P” ratings
• •
“Further investigations” – further investigations are justified because the normal level of confidence in engineering assessments has not been achieved for all assessment factors as indicated by at least one “AP” and “ANP” rating “Fix” – a fix is justified because the dam does not meet current practice as indicated by at least one “NP” rating.
The following four types of decision recommendation justifications can result from the various risk ratings can be grouped into four types, which are shown in the columns of Figure 4: • • • •
“No fix" – justified by only “Y” ratings for all life safety and economic risk ratings. Any additional other risk reduction measures that can be identified have B/C ratios significantly less than one and poor ALARP justification ratings. “Further investigations" – because an adequate level of confidence in assessing the risks11 has not been reached, or an ALARP evaluation has not been completed with adequate confidence. “Long- and short-term fixes” – because at least one life safety or risk rating is an “N-StrongL&S”. ”Long-term fix” – because at least one life safety or economic risk rating is not a “Y”.
Thus, if a dam meets all risk evaluation guidelines, including ALARP, with adequate confidence, the risk assessment can be said to provide a justification for no further risk reduction measures12. Alternatively, if a dam does not meet all risk guidelines and ALARP, with adequate confidence, the risk assessment can be said to provide a justification for risk reduction, or at least for further investigations to improve the confidence in the risk evaluations. There is a conventional wisdom that risk assessment will always leads to a less stringent decision recommendation justification than the engineering standards approach. However, this is not necessarily the case. Consider for example, Dam A, which is located close to large population center. The proposed structural fix (A2 in Figure 2) meets all aspects of current practice, but even with additional non-structural measures (A3) it is not expected to meet tolerable life safety risk criteria. In this situation it may be decided to discontinue operation of the dam because the risk is unacceptable13. Alternatively, after community consultation, it may be decided that continued operation is justified as an exception to the risk guidelines because the dam provides essential societal benefits. Thus, satisfying current engineering practice does not guarantee that tolerable risk will be achieved.
11
For the risk assessment approach, further investigations may be needed to improve the confidence in consequences estimates rather than engineering-related issues. 12 This does not mean that other considerations may not provide a justification for risk reduction. 13 See section on “Concept of Tolerable Risk”.
In other cases the systematic steps of failure modes analysis and ALARP evaluation in the risk-based approach may result in identifying dam safety issues that would not have been recognized using only the traditional engineering approach. Since the riskenhanced approach is now available, even with its limitations, it would seem that an owner has an obligation to use it to an appropriate degree. Conversely, tolerable risk may be met with less extensive risk reduction measures than are needed to meet engineering practice. Dam B in Figure 2 is an example of this. All risk-based justifications are exhausted by the 1 in 100,000 AEP flood capacity fix (B3). Only the justification of meeting engineering practice is left for the PMF fix (B4). This is only an example and not a general statement. If an owner decides to proceed with a long-term fix that is less than the PMF, and the regulatory framework allows this, it is important that there is adequate confidence in the risk-based justifications, and that the owner should obtain legal advice and arrange for community consultation, if appropriate. The USBR has successfully used community consultation in cases of less than PMF longterm fixes. There is no “objective” or universal answer to the question of how safe is safe enough? As higher levels of safety are achieved, for example in a staged approach to fixing Dam B in Figure 2, the number and strength of engineering and risk-based decision recommendation justifications for further risk reductions are usually reduced. By properly applying failure modes analysis and ALARP evaluation, useful inputs can be provided for developing a defensible business case for dam safety decisions, a greater degree of defensibility for those decisions, and an assurance that all reasonably foreseeable failure modes have been identified and adequately addressed. The decision recommendation justification matrix, illustrated in Figure 2, has proven useful for supporting staged and long-term decisions on tolerable risk goals or target safety levels. Type 2) Identifying a Risk Reduction Pathway The decision recommendation justification matrix can be used to communicate the justification for a risk reduction pathway for a portfolio of dams. Figure 3 illustrates this approach for Dams A and B. The various fixes are ordered in a descending order of the strength of justification to proceed. Approaches to establishing this order include rankings that consider the following: cost effectiveness of life safety risk reduction (CSLS), cost effectiveness of economic risk reduction, probability of failure, and unmet engineering and risk ratings (Bowles 2000). Type 3) Managing Residual Risk Residual risk exists at all times in a dam safety improvement program, even after all structural measures have been completed to meet engineering standards and current practice. The decision recommendation justification matrix can be used to track and report changes in engineering and risk assessment outcomes. These may result from new engineering information, changes in conditions that affect consequences, changes in the dam safety decision process, including tolerable risk guidelines, improvements in
engineering and risk assessment practice, or new opportunities for cost effective risk reduction made possible through technological advances. When developing a long-range program for dam safety expenditures it might be useful to know that a particular dam is expected to shift to an “intolerable” category in a few years as the result of projected development. Thus, the owner could budget and plan for risk reduction measures. Maintaining tolerable risk14 requires continuing vigilance through means such as monitoring and surveillance, well-trained field staff, and good operating and maintenance procedures. Effective risk management should also utilize information from the riskenhanced approach in different departments of the dam owner’s organization. Some examples of business uses of risk assessment outcomes are discussed in Bowles (2000) and include business contingency planning, loss financing and insurance, and legal considerations. CONCLUSIONS This paper presents rating systems for engineering and risk assessment outcomes and a dam safety decision recommendation justification matrix for communicating dam safety risk reduction recommendations to decision makers and other lay stakeholders. The ratings are adaptable to any current practice of dam engineering, dam safety risk assessment, and other decision factors. The matrix can be used to summarize a large body of information on the present safety status of a single dam or a portfolio of dams. It can be used to indicate how engineering and risk evaluations are expected to change as staged risk reduction measures are implemented. It also tracks where additional investigations are needed and whether or not ALARP has been fully evaluated and met. The approach clearly displays the source of the justification or business case for decision recommendations. It can be useful in support of the following types of decisions: setting long-term safety levels or tolerable risk goals; identifying risk reduction pathways for a portfolio of dams; and managing residual risk on an on-going basis.
The goal of the ratings and decision recommendation justification approach is to empower decision makers to use the extensive body of information that results from engineering and risk assessments in considering decision recommendations and making decisions. The use of color aids quick visual interpretation. By integrating engineering and risk assessment the benefits of both approaches are made available to decision makers and other stakeholders. Variations in the approach can be used to communicate the effects of uncertainties on decision recommendations and the strength of a business case. ACKNOWLEDGEMENTS The authors acknowledge the support of Utah State University in developing ideas for this paper. They also acknowledge the many dam owners and private and governmental dam owners in various countries for whom they have conducted dam safety risk 14
See conditions 3) and 4) in definition of tolerable risk.
assessments on more than 400 dams. These clients have helped them to develop practical insights into the wide range of decision contexts in which dam safety decisions are made. A longer version of a similar paper was presented at the 2002 ANCOLD Annual Meeting under the title, “Risk-informed Dam Safety Decision-making”. REFERENCES ANCOLD (1994). ANCOLD Guidelines on Risk Assessment, January. ANCOLD (2001). Draft ANCOLD Guidelines on Risk Assessment, July. Bowles, D.S. (2000). Advances in the Practice and Use of Portfolio Risk Assessment. Proceedings of the Australian Committee on Large Dams Annual Meeting, Cairns, Queensland, Australia. Fischhoff, B., S. Lichtenstein, P. Slovic, S.L. Derby, and R.L. Keeney (1981). Acceptable Risk. Cambridge, UK: Cambridge University Press. HSE (Health and Safety Executive) (2001). Reducing Risks, Protecting People: HSE’s decision-making process. Risk Assessment Policy Unit. HSE Books, Her Majesty’s Stationery Office, London, England. ICOLD. 2002. Risk Assessment in Dam Safety Management: A Reconnaissance of Benefits, Methods and Current Applications ICOLD Bulletin, Draft, International Commission on Large Dams, August. OMB (Office of Management and Budget). (1992). The Budget for Fiscal Year 1992, Part Two, IX.C. Reforming Regulation and Managing Risk-Reduction Sensibly. U.S. Government. 8 p. RAC (RAC Engineers & Economists). (2002). Huntington District Demonstration Portfolio Risk Assessment. Report to the U.S. Army Corps of Engineers. December. Rowe, W.D. (1977). An Anatomy of Risk. New York, NY: John Wiley & Sons. SMEC/RAC (Snowy Mountains Engineering Corporation Ltd. and RAC Engineers & Economists). (1995). Review of Headworks. Volumes 1-3. Prepared for the Office of Water Reform, DNRE, Victoria, Australia. USSD (United States Society on Dams) (2002). Dam Safety Risk Assessment: What is it? Who’s using it and why? Where should we be going with it? USSD Emerging Issues White Paper. December. USBR (U.S. Bureau of Reclamation). (1997). Guidelines for achieving public protection in dam safety decisionmaking. Dam Safety Office, Department of the Interior, Denver, Colorado. 19 p. Viscusi, V.K. (1998). Rational risk policy. Oxford University Press Inc., Oxford, New York. 138 p.
Table 1. Example of Engineering Assessment Factors for Corps of Engineers (RAC 2002) FLOOD INITIATING EVENTS Concrete Gravity Section External stability Internal stability Foundation Piping Abutment Foundation Stability (Dam Structure) Overall flood capacity PMF Overtopping Spillway and stilling basin system Structural Stability Hydraulic capacity Walls - overtopping Gates - structural capacity Gate piers - structural capacity Erodibility Mechanical Systems Electrical Systems Obstructions • Drift and Debris • Failed Slopes Sill Outlet Works Piping Electrical Systems Mechanical Systems Stability • Intake • Tunnel/Conduit Obstructions
Embankment Geotech • Piping • Stability Toe erosion Surface Erosion Wave action Abutments Foundation Piping Reservoir Rim Stability Loss Of Capacity Erodibility Mines Instrumentation
Embankment Liquefaction Stability (includes excessive deformation) Foundation Liquefaction Stability Fault movement Instrumentation
EARTHQUAKE INITIATING EVENTS Concrete Gravity Section External stability Internal stability Reservoir Stability Loss Of Capacity Mining Spillway and stilling basin system Structural Stability Gates - structural capacity Gate piers - structural capacity Appurtenances Outlet works
NORMAL OPERATING INITIATING EVENTS Concrete Gravity Section Foundation sliding Foundation piping Stresses within dam body Reservoir Reservoir rim stability Appurtenances Outlet works piping Outlet works gates Embankment Piping Slope stability Foundation Piping Stability Instrumentation Deterioration of Materials
Table 2. ALARP Justification Ratings (Illustrative Example Only) ALARP Justification Rating
Range of Cost-per-statistical-life saved ($M/life) Greater than or equal to
Less than
Very Strong Strong Moderate
3 30
3 30 140
Poor
140
Table 3. Summary of Risk Evaluation Ratings used in Figures 2 and 3 Life SafetySocietal Risk
Risk Evaluation Type ANCOLD Limit of Tolerability (2001) Interim EXISTING DAM Amended Societal Risk Limit of Criteria Tolerability (for all failure NEW DAMS & modes MAJOR combined) AUGMENTATIONS15 USBR (1997) Interim Tier 1 Public Protection Guidelines (for flood, earthquake and static failure modes separately)
Rating Code N Y-ALARP? Y N Y-ALARP? Y N-StrongL&S N-StrongL Y-ALARP? Y
USBR (1997) Interim Tier 2 Public Protection Guidelines (for total of failure modes)
N Y-ALARP? Y
Economic/ Financial
NSW (1993) Total Asset Management Risk Example Guidelines (for flood, earthquake and static failure modes separately)
N-Imperative N-Required Y-ALARP? Y
Explanation Does not meet limit criterion - F-N plots above limit criterion Meets limit criterion - F-N plots below limit criterion, but ALARP still needs to be evaluated Meets limit criterion and ALARP (e.g. has only a poor ALARP justification) Does not meet limit criterion - F-N plots above limit criterion Meets limit criterion - F-N plots below limit criterion, but ALARP still needs to be evaluated Meets limit criterion and ALARP (e.g. has only a poor ALARP justification) Strong justification for long- and short-term risk reduction measures - Expected incremental loss of life exceeds 0.01 lives/year Strong justification for long-term risk reduction measures - Expected incremental loss of life between 0.01 and 0.001 lives/year Diminished justification for long-term risk reduction measures, but ALARP still needs to be evaluated – Expected incremental loss of life less than 0.001 lives/year Expected incremental loss of life less than 0.001 lives/year and meets ALARP (e.g. has only a poor ALARP justification) Increasing justification to reduce probability of failure - Probability of failure exceeds 1 x 10 –4 /year Decreasing justification to reduce probability of failure, but ALARP still needs to be evaluated Probability of failure less than 1 x 10 –4 /year Probability of failure less than 1 x 10 –4 /year and meets ALARP (e.g. has only a poor ALARP justification) Major risk - Imperative that risk reduction be implemented Medium risk - Risk reduction required in a reasonable time Low risk - Risk reduction to be ALARP, but ALARP still needs to be evaluated Low risk - Risk reduction meets ALARP
15
According to the glossary in the draft ANCOLD (2001) guidelines, “major augmentations of existing dams … refers to modification of an existing dam involving a relatively large expenditure and creating a significant new benefit (typically, but not always, a major increase in volume of stored water), such that the economic case for marginal risk reduction would be approaching that for a new dam.” McDonald (Personal Communication, November 17, 2002), Chair of the Working Group that prepared the ANCOLD (2001) draft guidelines, states, “It is (a) subjective (guideline), since there are no clear boundaries that can be defined. Indeed, the distinction we have made can be seen to flow from the ALARP principle. If there is low marginal cost to build in additional safety, then do it if significant risk remains.”
12
Figure 1. Example of Presentation of Engineering Ratings for UK Reservoir Safety DAM: Flood Concrete Gravity Section Under drain system External stability Internal stability Foundation Piping Abutment Foundation Stability (Dam Structure) Overall flood capacity Design Flood - Static Flood Level Wave Surcharge Spillway and stilling basin system Structural Stability Hydraulic capacity Walls - overtopping Gates - structural capacity Gate piers - structural capacity Erodibility Mechanical Systems Electrical Systems Obstructions Drift and Debris Failed Slopes Sill Embankment Toe erosion Surface Erosion Wave action ---
D
E
F
G
H
---
N/A N/A N/A N/A N/A
N/A N/A N/A N/A N/A
N/A N/A N/A N/A N/A
N/A N/A N/A N/A N/A
N/A N/A N/A N/A N/A
-----------
P P
NP NP
NP NP
AP AP
P P
-----
P P P N/A N/A P N/A N/A
ANP NP NP N/A N/A ANP N/A N/A
P NP (NP) N/A N/A P N/A N/A
(ANP) AP AP N/A N/A P N/A N/A
P P P N/A N/A P N/A N/A
-----------------
P AP N/A
NP P N/A
NP P N/A
P P N/A
P P N/A
-------
P P P ---
P NP P ---
P P P ---
P P P ---
P P P ---
---------
Engineering Ratings - Flood Categories Only
ANP + NP
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0% M
N
P
P
AP
Q
ANP
R
NP
13
Figure 2. Example of a Decision Recommendation Justification Matrix for Risk Reduction for two Hypothetical Dams A and B
Figure 3. Example Decision Recommendation Justification Matrix for Risk Reduction Measures for a Portfolio of Dams Figure 4. Combinations of Decision Recommendation Outcomes from Engineering and Risk Assessments
14
