dam safety risk management for hydroelectric …
TRANSCRIPT
DAM SAFETY RISK MANAGEMENT FOR HYDROELECTRIC PROJECTS
DAVID S. BOWLES Professor and Director Institute for Dam Safety Risk Management Utah State University Logan, Utah, U.S.A. Managing Principal RAC Engineers & Economists Providence, Utah, U.S.A. ABSTRACT Portfolio Risk Management is a risk-informed approach for improved management of dam safety for a portfolio of dams in the context of the owner’s business. It can be used to identify ways to strengthen technical and organizational aspects of a dam safety program, and to provide valuable inputs to various business processes. Portfolio Risk Assessment is a decision-support tool, which is incorporated in Portfolio Risk Management. It can combine engineering standards and risk assessment approaches to provide a systematic means for identifying, estimating and evaluating dam safety risks, including comparisons with other industries. It should be periodically updated to provide a basis for managing prioritized queues of investigations and risk-reduction measures to achieve more rapid and cost-effective reduction of both knowledge uncertainty and risk. Individual dam and Portfolio Risk Assessment are a standard of practice in Australia and are being applied by the US Bureau of Reclamation, the US Army Corps of Engineers and others in the UK, for example. When properly conducted and used within its limitations, the Portfolio Risk Assessment process is generally considered to be robust, adaptive, defensible for corporate governance, and to justify its cost through such benefits as increased funding, identification of failure modes that were not previously recognized, identification of opportunities for improved risk management, and more rapid “knowledge uncertainty” and risk reduction.
1. INTRODUCTION 1.1 Traditional and Risk Assessment Approaches Traditionally, dam safety has been viewed as mainly a technical matter, which has been judged and regulated using engineering standards. These standards have tended to evolve somewhat independently in sub-disciplinary areas, rather than through a comprehensive and integrated consideration of the overall safety of reservoir projects. This evolution has generally taken place in isolation from other engineering fields and industries in which public safety for low probability – high consequences risks are managed and regulated. As a result, the levels of risk or safety associated with dam safety standards vary significantly across different failure modes, and they can differ significantly from other areas in which public safety is managed and regulated. In addition, it is only recently that systematic procedures for identifying potential failure modes, referred to as potential failure modes analysis (PFMA), have been introduced to the dam safety field [1]. A result of the introduction of PFMA and RA has been that some failure modes that have been largely ignored in the past, such as overtopping failure caused by a failure of spillway gates to operate as required, have been found to be significant risk contributors for some dams. In addition, without the benefit of RA, some relatively high probability and consequences failure modes, such as piping at embankment dams, have received less attention than their contribution to overall dam safety risk would justify, and in some cases they have been ignored altogether. At the same time, significant investments have been made to reduce the risks associated with some low probability or low incremental consequences failure modes; thus achieving a slower rate of risk reduction than could have been accomplished with the same funding. In addition, the commonly adopted safety management processes of other industries have not yet been introduced to most dam-owning organizations. Some are concerned about using quantitative RA in dam safety for reasons such as limitations in approaches to estimating probabilities of failure. However, it is important to recognize that the traditional approach also has significant limitations in the way that it indirectly characterizes dam-failure risks and the manner in which uncertainties are addressed. Other industries, such as the nuclear industry [2], face similar concerns about quantitative RA and as a result they have adopted a “risk-informed” approach to their use by combining traditional and RA approaches. When PRA and PRM are adopted, it is still an option to retain engineering standards definitions of the ultimate safety targets; although the use of RA in PRM will sometimes expose a poor justification for these targets, and in other cases it will show justification for more stringent risk reduction measures than would normally be considered using the traditional approach alone. 1.2 Outline of paper This paper is based on the author’s experience in performing risk assessment on more than 650 dams in many countries for owners and regulators. It draws mainly on the evolving practice in dam safety risk management in the USA and Australia but also from experience in other countries including in Europe.
Section 2 discusses the components of risk management for dams and Section 3 provides additional details on the risk assessment process for an individual dam. Section 5 summarizes an example application for an individual dam the use of risk assessment results in decision making. Sections 5 and 6 discuss portfolio risk assessment and portfolio risk management, respectively, and should be of particular interest to mangers of hydropower dam systems. Section 7 contains some conclusions. Much of the material in this paper has been adapted from previous work by the author [3, 9, 10]. 2. RISK MANAGEMENT FOR DAMS 2.1 Components Dam safety risk management comprises the various component processes that are represented schematically in Figure 1. At the highest level, risk management combines risk assessment, risk control, and decision-making on all aspects of dam safety. Risk assessment comprises risk analysis, risk evaluation, and the formulation of decision recommendations. Risk analysis involves both risk identification and risk estimation.
Figure 1: Interrelationships between the components of dam safety risk management
[4]. 2.2 Risk Assessment Purpose A risk assessment should commence with a clear definition of its purpose. This includes an identification of the decisions that it is intended to use the results of the risk assessment to inform, the decision bases and the desired level of confidence as determined by the dam owner and other stakeholders. It should also include an identification of the factors affecting dam safety decision making in the context of the specific risk assessment purpose. Examples of some of the purposes for dam safety risk assessment have included the following:
• To systematically identify and better understand potential failure modes.
• To identify, justify and prioritize investigations and analyses to reduce uncertainties in risk estimates for individual dams and portfolios of dams.
• To strengthen the formulation, justification and prioritization of risk-reduction measures for individual dams and portfolios of dams.
• To justify decisions on reservoir operating restrictions as interim risk reduction measures.
• To identify ways to improve dam safety through changes in reservoir operation, monitoring and surveillance, safety management systems, staff training, emergency action planning and business decisions related to dam safety.
• To identify opportunities to improve the effectiveness of warning and evacuation plans.
• To identify cost-effective options for more rapidly achieving reduced dam safety risks.
• To justify expenditures on dam safety improvements to owners and economic regulators.
• To provide a framework for quantifying engineering judgment and communicating technical issues with dam owners in a more open and transparent manner.
• To facilitate the evaluation of dam safety risks to the public in a manner that allows comparison with other infrastructure and technological hazards.
• To provide a non-technical basis for communicating dam safety risks to the public.
• To provide a basis for development of a safety case or safety demonstration for owners and regulators.
• To assess the adequacy of insurance coverages. • To strengthen the basis for corporate governance related to dam safety risks. • To strengthen the exercise of the owner's duty of care, due diligence and
legal defensibility with respect to dam safety incidents or dam failure. 2.3 Risk Assessment Scoping and Risk Identification The process of scoping and selecting the extent and level of detail or complexity for a risk assessment should build on the statement of purpose and on a failure modes identification process. In this process, all potential failure modes for the subject dam are enumerated and described, including the relationship between each failure mode and those types of consequences of failure that it is relevant to consider to satisfy the statement of purpose. Investigations and analyses may be identified to assess the physical plausibility of some failure modes. A structured and systematic process should be followed to adequately complete the potential failure modes identification. The scoping process continues with a narrowing of the list of physically-plausible failure modes to a subset of those that it can be justified to include in the risk assessment to achieve the statement of purpose with the desired level of confidence. These can be referred to as “significant” failure modes. The list of failure modes that are considered to be significant, and other aspects of the scoping of a specific risk assessment, such as the level of detail and types of consequences that are to be addressed, can vary for different risk assessment for the same dam that are conducted for different purposes.
2.4 Risk Estimation The next step of risk estimation is the process of quantifying probabilities and consequences for all significant failure modes. System response or fragility relationships are developed for each failure mode with a level of detail and associated effort that can vary with the scope that is justified for the risk assessment. Traditional engineering analysis, reliability analysis and engineering experience and judgement are all important in estimating these relationships. Dam break modelling provides the basis for the estimation of dam failure consequences for each failure mode and for a range of exposure conditions affecting potential life loss. The author and his colleagues have developed a dam safety risk analysis tool, DAMRAE [5], to perform these calculations and to present results so that they can be readily interpreted and used to support dam safety decision making. 2.5 Risk Evaluation The process of examining and judging the significance of the estimated risk is termed risk evaluation. The UK Health and Safety Executive [6] have a well-established framework for risk evaluation in the UK context. It is widely used for regulating the risk associated with hazardous industries in the UK. It has also significantly influenced the development of risk evaluation approaches for dams in Australia [7] and the USA [8]. The HSE framework for the tolerability of the risk can be used to assess the estimated risk for an existing dam. Other factors, such as the dam owner’s business or legal considerations can also be important in the overall risk evaluation process. In countries with common law legal systems, this process is not complete until the extent to which the risk can been reduced “as low as reasonably practicable”1
or “ALARP” has been evaluated. This requires the formulation of risk control (treatment) options that can include structural measures and strengthened recurrent dam safety management activities, such as monitoring and surveillance, emergency action planning, and staff training. In a mature risk-informed dam safety programme, and consistent with traditional dam safety practice, it should also includes periodic updates of any earlier risk assessments.
The overall risk assessment framework for individual dams is summarized in Section 3.1. The risk analysis, risk evaluation, and risk control components of dam safety risk management are summarized in Sections 3.2 - 3.4, respectively. 3. RISK ASSESSMENT FOR INDIVIDUAL DAMS 3.1 Overall Framework An overall framework for dam safety risk assessment is presented in Figure 2. The “column” structure in this figure shows the risk analysis process as a five-step sequence of modelling: 1) the initiating events, 2) the system responses, 3) the
1 HSE (2001) refers to the implementation of the ALARP principle as requiring a “gross disproportion” test applied to individual risks and societal concerns, including societal risks. The gross disproportion is between the cost of an additional risk reduction measure and the estimated amount of the risk reduction.
outcomes, 4) the exposure factors, and 5) the consequences. Both external (e.g., floods, earthquakes, and upstream dam failures) and internal (e.g., the initiation of piping through an embankment dam under static loading) initiating events are considered. Each external initiating event is divided into a number of loading intervals to achieve numerical precision in the risk analysis calculations. Several sub steps may be necessary to adequately characterize the system response to a range of magnitudes of initiating events that can lead to the outcome of dam failure or no failure. Various types of consequences of dam failure may be considered, such as the following: loss of life, economic damages, financial impacts on the owner, environmental damages, and societal effects.
Figure 2: Framework for dam safety risk assessment [9].
There are four major components in a risk assessment, as illustrated by the “row” structure of Figure 2. These are as follows: 1) risk identification, 2) risk estimation, 3) risk evaluation, and 4) risk treatment. In Figure 2, the term “risk treatment” refers to the consideration of risk management (control or reduction) alternatives using risk analysis and risk assessment. Various levels of effort have been proposed for performing risk assessments [11]; but underlying these is the concept that risk assessments should be staged [12], with additional detail being justified by the expected gains in understanding, defensibility and the desired level of confidence in decision making to manage the risks. This is referred to as a “decision-driven” approach in a National Research Council [13] report: “Risk characterization (analysis) should be a decision-driven activity, directed toward informing choices and solving problems.”
3.2 Risk Analysis Risk analysis involves both risk identification and risk estimation (first two rows in Figure 2). Risk identification is the process of recognizing the hazards (initiating events) to which the dam is exposed, potential dam failure modes, and the resulting adverse consequences. Dam failure modes are often represented using event trees, fault trees and logic trees, which comprise a risk analysis model. The proper application of these approaches requires some specialized expertise, similar to the need for specialized engineers to apply unsteady-state flood routing or finite element stability analysis models in dam engineering, for example. Senior engineers routinely oversee the application of these models and the interpretation of their results, although they may not personally have the hands-on skills to apply them. In a similar way, senior engineers can develop the necessary skills to effectively oversee the application of risk analysis tools to dams. Risk estimation consists of determining loading, system response and outcome probabilities, and the consequences of various dam failure scenarios. No-failure scenarios are considered so that incremental consequences can be estimated as the difference between the consequences estimated for failure and no-failure scenarios. Probability and consequence estimates are then input to the risk model. Consequences are a function of many factors including, the nature and extent of the breach, the extent and character of the flooding, the season of the year, the warning time, and the effectiveness of evacuation and emergency action plans. Risk reduction alternatives are developed and analysed in a similar manner to the existing dam with selected inputs, such as system response probabilities, changed to represent the improved performance estimated for each alternative. 3.3 Risk Evaluation Once risks have been identified and quantified for an existing dam or various risk reduction alternatives, they are evaluated against tolerable risk guidelines, including the ALARP principle in the case of risk reduction measures. These guidelines can serve a useful role in the development of the safety or business cases for addressing dam safety issues. However, dam safety decisions should be made by those responsible for ensuring dam safety after all the relevant factors have been appropriately assessed and weighed; they should not be the automatic result of applying a tolerable risk guideline to the outcomes of a risk analysis [14]. Thus risk assessment does not prescribe dam safety decisions. These decisions need to be made by the dam owner in conjunction with the regulator, if applicable, and other stakeholders. However, each party can expect to be in a better position to make informed decisions or to prioritize dam safety work when they supplement traditional engineering approaches with insights obtained from an appropriately conducted risk assessment. The appropriate use of risk assessment currently incorporates reference to traditional engineering standards in a risk-informed approach. This is the approach to dam safety risk assessment that is widely practiced in Australia, by the Bureau of Reclamation and the US Army Corps of Engineers in the USA, and in other fields, such as the nuclear, offshore and process industries where risk assessment is used.
3.4 Risk Control From a business or management perspective, risk control (treatment) options can be grouped into the following categories (Figure 3), although these are “not necessarily mutually exclusive or appropriate in all circumstances” [15]:
1) “Avoid the risk” - this is a choice, which can be made before a dam is built, or through decommissioning an existing dam.
2) “Reduce (prevent) the probability of occurrence” – typically through structural measures, or dam safety management activities such as monitoring and surveillance, and periodic inspections.
3) “Reduce (mitigate) the consequences” – for example, by non-structural approaches such as effective early warning systems or by relocating exposed populations at risk.
4) “Transfer the risk” – for example, by contractual arrangements or sale. 5) “Retain (accept) the risk” - “after risks have been reduced or transferred, …
residual risks … are retained and … may require risk financing (e.g. insurance).”
Figure 3: Risk control options [Adapted from 16]. In addition to the “prevent” and “mitigate” approaches to reducing the probability and consequences of dam failure, respectively, a third fundamental approach, referred to as “control”, should be used wherever practicable to limit the consequences associated with a failure by, for example, using fail-safe features. While the first three options listed above reduce the risk to which third parties are exposed, the fourth and fifth options only affect the risk that the owner is responsible for, and not the risk to which third parties are exposed.
4. AN INDIVIDUAL DAM EXAMPLE 4.1 Overview
This example is of a risk assessment that was performed for the Sacramento District of the U.S. Army Corps of Engineers to explore the justification for imposing an operating restriction on Lake Success to reduce the probability and consequences of an Earthquake-induced dam failure. The potential for both a sudden overtopping failure and a delayed “seepage erosion through cracks” failure were considered.
The risk assessment focused on the seismic performance of the dam, the potential life loss and economic consequences of Earthquake-induced dam failure, and the estimated residual risk and degree of risk-based justification for the existing operating regime (FCD – flood control diagram) and five Potential Operating Restrictions (ORs) referred to by a code, which includes the reduced maximum target pool elevation, as follows: OR.640, OR.630, OR.620, OR.600 and OR.580. Risk assessment inputs were supported by seismic deformation analyses under various Earthquake loadings and pool elevations, dam break-inundation modeling, and reservoir simulation.
Evaluations against tolerable risk guidelines from Reclamation [17], ANCOLD [7], and the UK HSE [6], together with insights into the relationship between pool elevation and dam failure risk, provided important inputs for the decision to implement an operating restriction. A more detailed description of this study and a recently completed update of this risk assessment can be found in papers by the author and his colleagues [18, 19]. 4.2 Risk Assessment against Tolerable Risk Guidelines The following summarizes some key outcomes of the Risk Assessment of the short-term risk reduction measures.
1) OR.600 is the least severe restriction that is estimated to remove the justification for considering short-term risk reduction measures under the USBR Annualized Life Loss (ALL) guideline for Earthquake (Figure 4b). However, within the uncertainty associated with the risk analysis, OR.620 is estimated to be essentially at the boundary of 0.01 lives/yr for justifying short-term measures. The estimated effect on Annual Probability of Failure (APF) and ALL, expressed as /yr-ft and lives/yr-ft, respectively, of the less likely higher pool elevations under OR.640 and OR.620 compared with the Existing FCD can be seen by in Figures 4d and 4e, respectively.
2) Even the most severe restriction considered, OR.580, does not appear to meet the long-term USBR ALL guideline for Earthquake of 0.001 lives/yr (Figure 4b), although it is estimated to meet the USBR APF guideline of 1 in 10,000/yr (Figure 4a).
3) Increasingly severe operating restrictions lead to significant reductions in the estimated probability of progressively lower ranges of the numbers of lives lost. For example, for successive implementation of OR.640, OR.620 and OR.600, the probability of life loss is estimated to decrease most significantly in the approximate ranges of 75 - 600 lives, 10 - 75 lives, and
OR.580 OR.610
OR.620 OR.630
OR.640
Existing
0.0E+00
1.0E-03
2.0E-03
3.0E-03
4.0E-03
5.0E-03
0 2 4 6 8
Total Annual Cost ($M/yr)
Prob
abili
ty o
f Fai
lure
(/ye
ar)
Total for All Failure ModesTotal for All Failure Modes (Initial Estimates)USBR APF Guideline
OR.580
OR.600 OR.620 OR.630 OR.640
Existing
0.00
0.02
0.04
0.06
0.08
0.10
0.12
0.14
0 2 4 6 8
Total Annual Cost ($M/yr)
Ann
ualiz
ed L
ife L
oss
(live
s/ye
ar)
Total EarthquakeTotal Earthquake (Initial Estimates)USBR ALL Guideline for Short Term Risk ReductionUSBR ALL Guideline for Long Term Risk Reduction
1.E-07
1.E-06
1.E-05
1.E-04
1.E-03
1.E-02
1 10 100 1,000
Incremental Number of Fatalities
Ann
ual E
xcee
danc
e Pr
obab
ility
of
Incr
emen
tal N
umbe
r of F
atal
ities
Limit of Tolerability - Existing DamsLimit of Tolerability - New Dams & Major AugmentationsExisting FCDOR.640OR.620
Figure 4a: Total APF for all options and USBR APF Guideline (/yr).
Figure 4b: Earthquake ALL for all options and USBR ALL guideline (lives/yr).
Figure 4c: Societal Risk for Existing FCD, OR.640 and OR.620 and ANCOLD Guidelines.
590
600
610
620
630
640
650
660
670
680
690
700
0.0E+00 5.0E-05 1.0E-04 1.5E-04 2.0E-04 2.5E-04 3.0E-04
Total Probability of Failure (/yr-ft)
Pool
Ele
vatio
n (ft
MSL
)
Existing FCD OR.640 OR.620
590
600
610
620
630
640
650
660
670
680
690
700
0.000 0.005 0.010 0.015 0.020 0.025
Earthquake Annualized Life Loss (lives/yr-ft)
Pool
Ele
vatio
n (ft
MSL
)
Existing FCD OR.640 OR.620
(50)
-
50
100
150
200
250
300
350
400
ImprovedWarningSystem
OR.640 OR.630 OR.620 OR.600 OR.580
Potential Operating Restriction
Adju
sted
Cos
t per
Sta
tistic
al Li
fe S
aved
($M/
life)
ACSLS - Operating RestrictionsACSLS - Improved Warning SystemIncremental ACSLS - Operating Restrictions
Strength of ALARP Justification for Risk Reduction (Bowles 2001; Moser 2003):
POOR
MODERATE
STRONGVERY STRONG
Figure 4d: Total APF vs. pool elevation for Existing
FCD, OR.640 and OR.620 (/yr-ft). Figure 4e: Earthquake ALL vs. pool elevation for
Existing FCD, OR.640 and OR.620 (lives/yr-ft).
Figure 4f: Total and incremental Cost per Statistical Life Saved and ALARP Ratings for all options.
less than 10 lives, respectively, as shown in Figure 4c. This figure also shows that despite reductions in the probabilities associated with high levels of life loss, Success Dam is estimated to remain in the “unacceptable” region for the ANCOLD [7] Societal Risk Guideline under OR.620.
4.4 The USACE Decision The Sacramento District’s Dam Safety Committee (DSC) decided to impose an interim operating restriction of 635 ft msl in March 2004 during the spring filling period after receiving the initial risk assessment results and while awaiting report finalization. However due to low inflows, this pool level was not attained in 2004. Following finalization of the report, the DSC decided to implement an operating restriction to 620 ft msl, OR.620, starting in 2005. The underlying objective of the DSC was to do all that was reasonably practicable to reduce the residual risk to the public. The USBR’s annualized life loss (ALL) Public Protection Guideline was a key factor in their decision making process. Based on the Risk Assessment results, the DSC decided to adopt an operating restriction that essentially met the USBR ALL guideline of 0.01 lives/yr for justification for short-term risk reduction. The risk assessment also showed that operating restrictions would be expected to have only moderate impacts on agriculture and flood control and that mainly for wet years. OR.630 was estimated by the water users to result in an average annual loss of about $1.0 m/yr, ranging from $0 in dry years to about $2.2 m in wet years, annual flood damages of about $0.6 m, ranging from $0 in dry years to about $3.1 m in wet years, and an average annual recreational loss of $2.1 m The risk assessment showed diminishing returns, in terms of reduction in ALL, with increasing severity of operating restrictions (Figure 4b). It was therefore important to carefully examine the justification for the increment of risk reduction from OR.630 to OR.620. The following factors helped to justify the decision to reoperate to OR.620 instead of OR.630:
1) The uncertainty associated with the ALL estimates was not explicitly estimated in this study using uncertainty analysis. However, various sensitivity studies, and the experience of District and RAC team members with using FLAC and similar models, lead to confidence that the final risk assessment was based on reasonable best estimates of inputs for the current technical understanding. Therefore, the level of confidence that ALL for Earthquake under the less restrictive operating restriction, OR.630, is less than 0.01 lives/yr, was considered to be too low to justify adopting OR.630 instead of OR.620 when lives are at risk.
2) It was considered that there would be relatively poor defensibility for a decision to adopt OR.630 when the USBR has an established practice, through its Public Protection Guidelines, of implementing short-term risk reduction measures when ALL exceeds 0.01 lives/yr. This concern was reinforced by the finding that other international tolerable risk guidelines were not met either.
3) The more restrictive OR.620 was estimated to have relatively small additional economic impacts: an increased average annual agricultural loss of about $0.5 m/yr, ranging from $0 in dry years to about $0.8 m in wet
years; no significant increase in annual flood damages; and an increased annual recreational loss of $ 0.7 m.
4) Incremental cost (ALARP) justification ratings [20] provide additional justification for proceeding with short-term measures (Figure 4f): “Very Strong” ratings for OR.640 and OR.630; and “Moderate” rating for OR.620.
4.5 Conclusions The use of risk assessment was found to be valuable in providing a rational and defensible basis for exploring the justification for implementing Potential Operating Restrictions at Lake Success. It provided new insights and understanding of the potential Earthquake failure modes, including the relative likelihood of sudden vs. delayed failure modes, and the relationship between pool elevation and dam failure risk (e.g. Figures 4d and 4e), including the potential for large scale life loss and major economic damages. The evaluation against the USBR’s Public Protection Guidelines provided a valuable comparison with the USBR’s established practice for evaluating dam safety risk and particularly for justifying short-term risk reduction measures. Use of other tolerable risk guidelines, including ALARP considerations, provided additional justification for decision making. Although significant risk reduction is estimated to be achieved through implementation of OR.620, the risk assessment shows that most tolerable risk guidelines will remain unmet until a structural fix is completed. Unlike most other dam safety risk reduction measures, the cost of operating restrictions is borne by the project beneficiaries through reduced water supply, flood control and recreation benefits. It was therefore important that the agricultural water users were involved throughout the risk assessment process and that they undertook the estimation of their economic impacts from Potential Operating Restrictions. It was also important to involve representatives from the downstream communities because they bore the risk associated with an Earthquake failure of the dam, and they bear some of the economic impact of Potential Operating Restrictions. In addition, the USACE decisions makers, the District Dam Safety Committee, was involved from the project inception, in decisions on the project scoping, in evaluation of preliminary results, and in discussions of the implications of final results for alternative decision options. A challenge for the USACE Engineering Team members was to set aside the conservative “design” or “factor of safety” perspective for the purpose of characterizing the expected seismic “performance” of the dam in developing “best estimate” risk analysis inputs. Interestingly, it was the USACE decision makers who showed the greatest interest in the effects of uncertainty in the risk estimates on the justification for various decision options. The results of changing various inputs were helpful in characterizing the level of confidence for this study.
5. PORTFOLIO RISK ASSESSMENT 5.1 Overall Process Portfolio Risk Assessment (PRA) is a decision-support tool for assisting owners with PRM. In the US Society on Dams (USSD) Emerging Issues White Paper on Risk Assessment [10], PRA was judged to be:
“a valuable and increasingly accepted approach for cost-effectively prioritizing dam safety remedial measures and further investigations for a group of dams. It provides insights that can better inform owners about the business and liability implications of dam ownership. PRA outcomes must be used with regard for the limitations of the approach and should be periodically updated.”
PRA should be implemented through a close partnership between experienced dam engineers, a PRA facilitator, the owner’s dam safety manager and high-level decision-makers, and other stakeholders, including the regulator, although perhaps only as an observer. PRA involves an initial implementation and updates, which may be coordinated with periodic design reviews for efficiency. The PRA process comprises the following major parts, which are represented by the major blocks in Figure 5:
1) Identification of the owner’s decision and business context; 2) Engineering assessment (EA);
Figure 5: Portfolio risk assessment process and outcomes [21].
3) Risk assessment (RA); 4) Prioritization of investigations and risk-reduction measures to develop
uncertainty-reduction and risk-reduction pathways; and 5) PRA Outcomes.
A key to deriving value from PRA is an understanding of the owner’s decision and business context so that the PRA process can be tailored to meet the specific information needs that will benefit the owner’s PRM program and related business processes, and other stakeholders (right side of Figure 6). We refer to this process as “outcome targeting” (see Figure 6). Some factors that should be considered in this process are discussed by the author [3].
Figure 6: Capturing PRA inputs, outcome targeting, and integrating PRA outcomes into the owner’s dam safety program and business processes [21].
Engineering and risk assessments for Initial PRAs are often based primarily on available information and engineering judgement. RA supporting studies are usually performed at a reconnaissance level and based on consistent best estimate procedures. By utilising available information (left side of Figure 6), Initial PRAs can be efficiently conducted with a minimum of RA supporting studies (center part of Figure 6) and then they can be used as a basis for prioritizing future investigations. As these investigations are completed, PRA updates should incorporate their findings. The level of RA and supporting studies should be kept under review and increased as the nature of decisions changes, such that the level of detail is “decision-driven” [13].
Sections 5.2 and 5.3 summarize the EA and RA parts of PRA. The prioritization part of PRA for investigations and risk-reduction measures is discussed in Section 5.4 and in more detail by the author [3]. PRA outcomes are listed in the “Outcomes” box in Figure 5 and are discussed in more detail by the author [3]. 5.2 Engineering Assessment Engineering assessments yield an inventory of the status of individual existing dams with respect to meeting a list of the prevailing engineering standards that pertain to the owner. EA utilizes a rating system, which is deigned to minimize conservative biases in cases where limited information is available. “Pass” and “No Pass” ratings are assigned when sufficient information is available to make these assessments with the normal high level of confidence. When insufficient information is available, “Apparent Pass" and "Apparent No Pass" ratings are assigned, based on engineering judgment, to indicate the expected rating after sufficient investigations are completed to the normal level of confidence in making such assessments. A list of potential risk-reduction measures to meet engineering standards is identified for all factors with “No Pass” or “Apparent No Pass” ratings. Another list of needed investigations associated with all factors with “Apparent No Pass” or “Apparent Pass” ratings is developed. 5.3 Risk Assessment Risk assessment includes the following steps for each dam:
a) Potential failure modes identification [i.e. PFMA or Failure Modes and Effects Analysis (FMEA)];
b) Risk analysis of existing dam to estimate probabilities and consequences for each potential failure mode;
c) Risk evaluation of existing dam leading to identification of investigations and potential risk-reduction measures in addition to those indicated by the EA;
d) Risk analysis of potential risk-reduction measures identified through EA and RA; and
e) Risk evaluation of risk-reduction measures. PFMA in Step a) provides the foundation upon which RA is built. Therefore, PFMA should be systematically and thoroughly conducted by experienced dam engineers. In addition to identifying those failure modes for which sufficient evidence already exists, it is important to identify investigations for those potential failure modes for which insufficient information is available to rule them out. The level of detail for estimating life loss and other types of consequences should be appropriate for the type and level of decisions for which information from the PRA is to be used and the level of confidence that the owner and stakeholders require [10]. A common shortcoming in RAs is to spend much less effort estimating the consequences than the probabilities of failure, but this should be avoided because the consequences can affect dam safety decisions, which are based on a risk-enhanced approach, as much if not more than the estimates of the probabilities.
The risk evaluations in Steps c) and e) can include application of life safety, financial, economic, and other business or stakeholder risk evaluation guidelines. In countries with a common law legal system the as low as reasonably practicable (ALARP) principle should be part of these evaluations [20]. The outcomes of these risk evaluations are usually only indicative for Initial PRAs and in this case they should not be used for decisions on long-term levels of safety. As PRA updates incorporate the results of investigations the outcomes of these risk evaluations should become more reliable, provided that the confidence in estimation of consequences is also appropriately increased. In PRA, it is essential that dam safety risks are characterized using a valid risk metric. The importance of this was emphasized in the ASDSO report on Risk Characterization for Dams [23]. Although Index Approaches involve less effort than PRA, they provide limited insights into failure mechanisms and distort “risk estimates” because they do not use a valid risk metric. Therefore, comparisons with risks in other fields, tolerable risk evaluations, and estimates of the cost effectiveness of risk reduction to provide funding justification cannot be made. If distorted “risk estimates” are used, the opportunity cost of Index Approaches can be high if significant risks are overlooked, available funds are ineffectively used, or a less convincing case is made for funding. 5.4 Prioritization Prioritized queues of investigations and risk-reduction measures should be managed in a coordinated manner and reprioritized as the PRA is updated with the results of completed investigations, including a revaluation of the urgency of investigations and risk-reduction measures. The author discusses the role of the formulation and prioritization of investigations and risk-reduction measures, and the justification of risk-reduction measures in PRM in Bowles [3]. The term “risk-reduction pathway” is used to describe a proposed sequence of risk-reduction measures formulated to reduce the failure risk for an individual dam or for a portfolio of dams [23]. The term “uncertainty-reduction pathway” is used to describe a proposed sequence of investigations formulated to reduce knowledge uncertainties about dam safety issues and thus to provide information for engineering and risk analyses in support of decisions about the need, urgency, and justification of risk-reduction measures. The management of risk- and uncertainty-reduction pathways should be a key focus of PRM, with the goal of achieving significantly more rapid risk reduction than traditional management approaches, especially for portfolios of dams. In practice, risk-reduction measures are often prioritized using a combination of criteria. Figure 7 shows the estimated annualized life-loss risk reduction projected for a program of structural fixes developed for the SA (South Australian) Water Corporation’s 17 large dams [4] in which two prioritization criteria were applied. The fixes were prioritized by decreasing magnitude of the cost effectiveness of reducing annualized life loss, estimated from an Initial PRA, until a point of diminishing returns was reached. From that point, the remaining fixes were prioritized by decreasing magnitude of the cost effectiveness of reducing economic
risk costs to the community. Figure 7 includes a comparison of the more rapid rate of risk reduction based on the PRA with the slower rate estimated for a traditional standards-based prioritization approach, which was being followed prior to conducting the Initial PRA. This dramatically illustrates the advantage of using PRA, rather than a traditional approach, to formulate the risk-reduction pathway for the same set of fixes. The traditional approach simply does not provide the information needed to identify the most rapid risk-reduction pathway. It is important to recognize that using PRA to manage the uncertainty-reduction and risk-reduction pathways still leaves open the option of adopting standards-based safety goals, which is what SA Water did. Cost-effectiveness prioritizations, such as that shown in Figure 7, can serve as a starting point for developing risk-reduction pathways. However, if reducing high existing risks is judged to be more important, fixes that address these can be prioritized first, using both short-term and long-term risk-reduction measures, and then cost effectiveness can be used after high existing risks have been reduced. Sometimes this is done for all existing risks that exceed a tolerable risk limit for life safety risks. Prioritizations have sometimes been adjusted to account for the timing of capacity upgrades, which may be determined by considerations other than dam safety, but which provide an opportunity to combine the design and construction of dam safety works with other works. It is sometimes useful to display risk-reduction pathways against projected timing of project completion or timing of expenditures, instead of cost, as shown in Figure 7. In some cases it is useful to group prioritized fixes into risk-reduction phases and to describe them according to their urgency, risk reduction character, type or strength of justification, or differences in their funding or approvals processes. This approach can enhance the understanding of lay decision makers, facilitate effective management, and improve the chances of funding.
Figure 7: Risk reduction for the PRA approach and traditional approaches for SA Water’s large dams [4].
As summarized in Section 6.3, a Management Information System (MIS) can be used to model different prioritization scenarios and to explore their implications for various aspects of the owners risk profile over time, including probability of failure, life safety, economic, financial, environmental, and other types of risks. The effects of different rates or phases of funding, or different allocations of resources to dams that have life-loss potential compared with dams that do not have identified life-loss potential, can be explored. Changes in schedule resulting from the need to complete additional investigations or due to construction delays can also be explored and tracked. Options can be explored for lumping some types of fixes for a group of dams, such as adding spillway debris barriers, instead of implementing them individually. Risk trading can be explored as discussed by the author [3]. Uncertainty-reduction and risk-reduction pathways should be reprioritized using updated information as it becomes available from completed investigations, and RA supporting studies. 6. PORTFOLIO RISK MANAGEMENT 6.1 Need Portfolio Risk Management (PRM) is a risk-informed approach for improved management of dam safety for a portfolio of dams in the context of the owner’s business. As such, it is not an additional activity to be added to an existing dam safety management program, but rather it is an improved approach to the owner’s entire dam safety management program. While the technical evaluation of dam safety must be approached on a dam-by-dam basis, many organizations have responsibility for a group of dams. The likelihood that an owner of many dams will experience a dam failure is determined by the number of dams and their probabilities of failure, with the organization’s least-safe dams dominating the result. The owners of groups of dams face all the challenges of individual dam ownership, but they also face the additional challenges of managing dam safety risks across their portfolio. The risk-informed approach combines insights from traditional engineering standards and risk assessment (RA) approaches. The traditional approach is familiar to dam safety professionals, but it cannot relate dam safety levels to public safety levels in other fields, and its outcomes can be difficult for lay decision makers to understand, which can hinder the justification of dam safety funding. RA helps to compensate for these weaknesses in the traditional approach, although it is relatively new in dam safety practice. Both the traditional and risk assessment approaches have limitations in characterizing the safety or risk associated with dams; and it is important that these limitations be properly communicated and considered at all times. While the traditional engineering standards approach, which is followed by most US regulators, for example, in a relatively prescriptive manner, is designed to protect public safety, dam owners have to address additional considerations that can determine their overall effectiveness in achieving dam safety, especially for portfolios of dams. These considerations vary between owners, but include the following needs:
• An auditable, logical and defensible approach for relating low-probability high-consequence dam safety risks to corporate governance;
• Optimizing the priority and urgency of risk reduction programs; • Justifying dam safety capital and operating expenditures; • Meeting duty of care obligations; • Meeting contractual obligations; • Maintaining a license to operate; and • Protecting the business from the liability associated with a dam failure or a
dam safety incident, which might be widely publicized. For owners to effectively relate these considerations to dam safety management requires more than just meeting traditional engineering standards or regulatory requirements; and this has been a major driver for the development of PRA and PRM. 6.2 Example of a Portfolio Risk Management Process 6.2.1 Overview Figure 8 is a generalized flowchart that illustrates the major features of the evolving US Army Corps of Engineers (USACE) dam safety portfolio risk management process. The process comprises a hierarchy of activities that are used to assess and manage the risks associated with the USACE inventory of about 630 dams. The outer loop of activities in Figure 8 comprise routine dam safety activities and normal operations and maintenance (O&M), which are routinely performed on all dams in the USACE inventory. The activities inside the outer loop deal with the assessment and management of dam safety issues, including the design and implementation of risk reduction measures.
RoutineInspections
Instrumentation PeriodicInspections
PeriodicAssessments
Safety Concern?Routine &
On-Going
IssueEvaluationAnd IRRM
RemedialAction?
Incident orSpecialEvent
RehabConstruction
ModificationReport
RiskReclassified?
Figure 8: Generalized USACE portfolio risk management process for dams [24].
USACE uses the Dam Safety Action Classification (DSAC) system to provide consistent and systematic guidelines for appropriate actions to address the dam safety issues and deficiencies of its dams. USACE dams are placed into a Dam Safety Action Classification class based on their probability of failure or the individual dam safety risk estimate considered as a combination of probability of failure and potential life safety, economic, environmental, or other consequences. Initially, all USACE dams have been assigned to one of the first four of the five DSAC classes based on a screening level of risk assessment. The intent is that the classification of a dam is dynamic over time, changing as project characteristics are modified or more refined information becomes available affecting the loading, probability of failure, or consequences of failure. The five classes depict the range of dams from those critically near failure in DSAC Class I, to those considered adequately safe in DSAC Class V. Between these two extremes are three DSAC classes that define distinctly different levels of actions and urgencies of action that are commensurate with a transition in safety status from critically near failure to adequately safe. 6.2.2 Routine dam safety activities and normal operations and maintenance (O&M) The outer loop of Figure 8 depicts continuing and recurrent actions of routine dam safety activities and normal O&M, periodic assessments (PA), potential incident identification, and review of the DSAC class. All USACE dams are in the outer loop regardless of their DSAC class. The ideal end state for all USACE dams is that they are only in the outer loop of the process diagram. All USACE dams undergo PA on a routine and systematic schedule not to exceed ten years. Periodic Assessments include a revised Periodic Inspections (PI) process and baseline risk assessment or update of a previous risk assessment, including a potential failure mode analysis. The PI occurs more frequently than the PA; but typically at not more than five-year intervals. This ensures that all dams in the USACE portfolio are systematically and routinely evaluated leading to a high likelihood of detecting dam safety issues in a timely manner. 6.2.3 Non-routine dam safety activities Interim Risk Reduction Measure (IRRM) plans are developed and implemented as justified for all DSAC I, II and III dams until permanent risk reduction measures are implemented. Because of their urgent and compelling safety issues, dams in DSAC Class I are immediately processed through an expedited version of the process represented inside the outer loop to implement interim risk reduction measures and confirm failure modes to validate the classification through an external peer review process. The next step is the Dam Safety Modification (DSM) study and preparation of a decision document to determine the appropriate risk reduction measures, thus bypassing the Issue Evaluation studies (IES). Staged implementation of investigations and risk reduction measures are employed to speed the process.
Formulation and evaluation for a full range of risk reduction alternatives with preliminary level cost estimates are performed under the DSM study. A detailed risk assessment is required and considers incremental risk reduction alternatives that together meet the USACE tolerable risk guidelines [8] and the cost effectiveness of additional risk reduction below the tolerable risk limit guidelines as part of the ALARP evaluation. However, the level of detail for the risk assessment and DSM study should only be what is needed to justify the modification decision. The DSM decision document presents the rationale for the alternative recommended, to include life, economic and environmental risk reduction, and other non-tangible aspects. The report shows how this alternative complies with the tolerable risk guidelines and makes the safety case. The Dam Safety Modification decision document includes a comparison of alternatives and the recommended plan to include actions, components, risk reduction by increments, evaluation of the risk in relation to the tolerable risk guidelines, implementation plan, detailed Risk Cost and Schedule Assessment and various environmental studies. If the decision is for additional study and investigation the project will be prioritized and scheduled with the other dams recommended for Dam Safety Modification studies. If the decision is to approve the report, and risk reduction measures are required, the project will be prioritized for funding and moved to the resource queue to wait for funding to implement the risk reduction measures. Once the approved risk reduction measures are implemented the DSAC class will be reviewed and modified as appropriate and the IRRM plan will be reviewed and modified. All dams placed into DSAC Class II and III will have IRRM plans developed and implemented. Unlike DSAC Class I dams, Issue Evaluation Study (IES) Plans are prepared and the dams are put into the funding and resource queue for these studies The purpose of the IES is to better determine the nature of the safety issue, the justification for proceeding with a DSM study, and the degree of urgency for action within the context of the full USACE inventory of dams. More than one IES may be required on an iterative basis if more detailed investigations and analyses are needed to develop the necessary level of confidence in the result and recommendations of the IES. After the IES, is completed and based on the results of the study the DSAC class is reviewed and modified as appropriate. Based on the risk assessment performed during the IES, a dam could be reclassified into any DSAC class. If a dam is put into the DSAC Class I, it will then be addressed using the DSAC Class I expedited process summarized above. If a dam is in DSAC Class II, III, or IV, it will be reviewed to determine if a DSM study is justified. If the determination is that a DSM study is justified, then the project is prioritized and scheduled and sent to the funding and resource queue for these studies. From that point forward the process is the same as for DSAC Class I as summarized above. DSM studies may justify additional data gathering and detailed studies beyond those at the IES stage. The process for DSAC Class IV dams is the same as for DSAC Class II and III dams except that no IRRM plan is required. 6.2.4 Role of Prioritization and Queues There are three prioritization processes and associated queues in the USACE dam safety portfolio risk management process, as follows:
1) Prioritization of Issue Evaluation Studies; 2) Prioritization of Dam Safety Modification Studies; and 3) Prioritization of approved remediation projects waiting construction funding.
Prioritization and queues are necessary due to resource limitations and the desire to reduce overall portfolio risk as efficiently as possible. Each queue contains the set of dams awaiting studies or processing to the next step in the overall dam safety portfolio risk management process. While the intent is that each queue is eventually cleared, it is possible that a higher priority dam, from a dam safety issue viewpoint, could come into a queue and move ahead of others that are already there based on the safety status for an individual dam and other circumstances. 6.2.5 Dam Safety Decision Points There are four major types of decision points in the USACE dam safety portfolio risk management process, as follows:
1) Approve Dam Safety Action Classification at several points in process: a) After a screening assessment, b) After an external peer review for a DSAC Class I dam, c) After an Issue Evaluation Study, d) After completion of a Dam Safety Modification study; e) After implementation of a risk reduction measure; f) After an incident triggers a safety concern;
2) Selection of Interim Risk Reduction Measures or heightened monitoring; 3) Determination if Dam Safety Modification studies are justified based on the
results of the Issue Evaluation Study; and 4) Approval of Dam Safety Modification Reports.
6.2.6 Role of Risk Assessment
There are five specific instances of the use of risk assessment evaluations in the USACE dam safety portfolio risk management process, as follows:
1) Screening Portfolio Risk Assessment (SPRA); 2) Interim Risk Reduction Measures Plans (IRRMP); 3) Periodic Assessments (PA); 4) Issue Evaluation Studies (IES); and 5) Dam Safety Modification (DSM) studies.
These risk assessments vary in purpose and therefore in the data required level of detail and desired robustness of analysis, and in uncertainty and confidence in the results. Table 1 shows the relationships of the primary and secondary uses of the outcomes of the risk assessments in terms of the purpose of the various studies that the risk assessments are associated with. However, in all cases the level of detail should only be what is needed to justify the decision(s) that will be informed by the risk assessment.
Table 1: Primary and secondary use of risk assessment outcomes in the USACE dam safety portfolio risk management process [25].
6.3 Management Information System An important requirement for successful PRM is an organized means of managing dam safety information. A well-designed Management Information System (MIS) is therefore an important tool for PRM. It can include the following capabilities, which are represented schematically in Figure 9:
• To provide a Data Base of Record for archiving all types of dam safety information for the portfolio, including design documents, inspection reports, monitoring data, maintenance records, operational records, and incident reports;
• To capture new information, including the outcomes of investigations, inspections, and design reviews, and the completion of risk-reduction measures;
Figure 9: Schematic of a management information system for PRM [3].
• To perform PRA Update and Initial calculations; • To generate Portfolio Risk Profile Update Reports documenting changes in
estimated risk and uncertainty levels for various management levels; • To provide Dam Safety Issue Tracking Reports for individual dams and the
entire portfolio for management of the Recurrent and Improvement Programs, including tracking the queues of investigations and risk-reduction measures;
• To model alterative prioritizations or urgencies of investigations and risk-reduction measures (i.e. uncertainty-reduction and risk-reduction pathways) and thus explore the effects of such factors as changes in levels and timing of funding, staging, risk trading, and grouping of dam safety issues for investigation and risk reduction; and
• To generate Specialized Reports containing technical- and business-related information that is relevant to specific business processes and stakeholders.
An MIS can provide the following types of information for each dam and for the portfolio:
• Potential failure modes; • Engineering assessment ratings against engineering standards; • Existing dam estimated probabilities of failure and consequences; • Existing dam risk evaluation against tolerable risk guidelines; • A list of needed investigations, their prioritization, urgency, schedule, and
status; and • A list of potential structural and non-structural risk-reduction measures with
their strengths of justification for implementation, estimated residual probabilities of failure and consequences, residual risk evaluations against engineering standards and tolerable risk guidelines, prioritization, urgency, schedule, and status.
A MIS with most of the capabilities summarized above has been developed by the author and his colleagues an implemented by a large UK dam owner.
6.4 Organizational Integration Improved organizational integration of dam safety considerations can be an important benefit of PRM. It can be achieved through properly utilizing information from PRA in different parts of a dam owner’s organization where its benefits can be realized. Well-designed MIS reports containing only the information relevant to a particular department can help to facilitate this process. The effectiveness can be improved through establishment of a high-level Dam Safety Coordination Group to oversee PRM from its inception, with membership from all departments in the owner’s organization that relate to dam safety. However, accountability to the CEO or government agency head is essential and will demonstrate that organizational leadership assigns high importance to this process. Some examples of business uses of PRA outcomes [26] are listed below, although the degree to which each can be achieved will depend on the scope and level of detail of the PRA process for a particular organization:
• Corporate risk management prioritization schemes that address all risks faced by the owner and not just dam safety risks;
• Business contingency planning for dam failure and non-dam failure risks; • Community emergency evacuation planning through an improved
understanding of dam failure modes, their detectability, consequences, available warning time and any seasonal occurrence or initiating event-related factors;
• Loss financing, including insurance, to assess the adequacy of the existing insurance provisions and to better inform the owner’s finance officer or risk manager and its underwriters about dam safety risk exposure;
• Legal considerations, due diligence, internal control, corporate governance, and legal defensibility of dam safety decisions;
• Business criticality through relating dam safety issues to meeting contractual obligations, licensing requirements, and key business results indicators;
• Community consultation with the affected public(s), including risk communication of dam failure modes, the likely consequences, and steps being taken to manage and reduce the risks; and
• Benchmarking through obtaining information on risk-reduction decisions and pathways from comparable dam owners to provide an input to due diligence, corporate governance, and legal liability evaluation processes.
7. CONCLUSIONS Dam safety management is intrinsically risk management. Just as individual dam safety management can be strengthened by using a risk-informed approach that combines risk assessment with the traditional approach, so can the safety management of a portfolio of dams. In fact, the potential benefits can be greater because it is typically the case that the opportunities for cost-effective risk reduction are greater in a portfolio of dams than for a single dam, because of the need to allocate resources across multiple dams, and because of the greater chance that the owner of a portfolio of dams will experience a failure or a serious incident, which could threaten the survival of a private or governmental dam-owning organization.
Today, in an increasingly competitive world, most dam owners face a need to better justify expenditures and to use scarce resources as effectively as possible; but, at the same time, in this post-Katrina era, there is a growing desire by the public to know that it is being adequately protected. In addition, in a post-Enron world, the public expects greater accountability and transparency in corporate governance, and this applies to both the private and public sectors. PRM provides a framework to help dam owners to address these challenging and potentially conflicting demands that are now being placed on them. PRM can be used to strengthen the owner’s dam safety program, and to provide valuable inputs to various business processes, such as capital budgeting, legal evaluations, loss financing, and contingency planning; and thereby strengthen the integration of dam safety into the owner’s overall business. However, PRM should not be viewed as an additional activity for dam owners; rather, it is a framework for improved dam safety management, which should encompass all on-going activities of a Recurrent Program, and the investigations, decision and risk-reduction aspects of an Improvement Program. To be effective, PRM must be carefully designed for the unique context of a particular dam owner as it affects dam safety funding and decision making, including regulatory considerations; and it must be accountable to and used by the highest decision-making level in the owner’s organization. PRA is a decision-support tool, which is incorporated in PRM. It should include an engineering assessment component based on current engineering standards. The RA component is founded on PFMA and other technical inputs from dam engineers. It provides a systematic means for identifying, estimating and evaluating dam safety risks, making comparisons with other industries, and benchmarking against other portfolios of dams. PRA should result in a “living document”, which is periodically updated to incorporate new or improved information about portfolio dams and to meet the changing requirements of the owner and other stakeholders. Thus, through the iterative use of PRA, owners can judiciously manage prioritized queues of investigations and risk-reduction measures, making use of such strategies as staging, risk trading and grouping, to achieve more rapid and cost-effective reduction of both knowledge uncertainty and risk than would otherwise be achievable. Although RA is an essential and valuable aspect of PRA and PRM, the ultimate dam safety target levels can still be based on engineering standards, without sacrificing most of the benefits of using PRA and PRM; although increasingly risk-based justifications are replacing engineering standards especially for extreme-event initiated failure modes. Since PRA was first introduced in Australia [27, 28, 29], Initial PRAs have been completed for most portfolios of dams in that country and it is now considered a standard of practice. Following demonstration projects on about 60 Corps flood control and multipurpose dams [30], a Screening PRA (SPRA) process has been applied to all of the US Army Corps of Engineer’s portfolio of about 630 dams; and a comprehensive PRM and PRA process is now being developed by USACE [24]. PRA has been accepted in a government audit in Australia [31] and by a UK government business licensing organization [32]. When properly conducted and used within its limitations, PRA is generally considered to be robust but adaptive, defensible for corporate governance, and to justify its cost through such benefits as: increased dam safety funding, identification of failure modes that were not previously
recognized, identification of opportunities for better risk management, and more rapid risk reduction. 8. ACKNOWLEDGEMENTS The author acknowledges that the development of many concepts in this paper have been stimulated through discussions with numerous professional colleagues in many countries. Most of the management concepts in this paper have been tested on projects for private and government owners and regulators. 9. REFERENCES [1] FERC. – “Dam Safety Performance Monitoring Program, Chapter 14,
Engineering Guidelines.” 2005. [2] Jackson, S.A. – “Future Trends in Nuclear Safety Research.” Presented at
25th Annual Water Reactor Safety Meeting, Bethesda, Maryland, 1997. [3] Bowles, D.S. – “From Portfolio Risk Assessment to Portfolio Risk
Management.” ANCOLD Bulletin, Vol. 137, pp. 13-32, 2007. [4] Bowles, D.S., A.M. Parsons, L.R. Anderson and T.F. Glover. – “Portfolio Risk
Assessment of SA Water’s Large Dams.” ANCOLD Bulletin, Vol. 112, pp. 27-39, 1999.
[5] Srivastava, A., D.S. Bowles, and S.S. Chauhan. – “Improvements to DAMRAE: A Tool for Dam Safety Risk Analysis Modelling.” Proceedings of the ANCOLD Conference on Dams, Adelaide, South Australia, Australia. November, 2009.
[6] HSE. – “Reducing Risks, Protecting People: HSE’s Decision-making Process. Risk Assessment Policy Unit, Health and Safety Executive.” HSE Books, Her Majesty’s Stationery Office, London, UK, 2001.
[7] ANCOLD (Australian National Committee on Large Dams). – “Guidelines on Risk Assessment.” Australian National Committee on Large Dams, Sydney, New South Wales, Australia. October, 2003.
[8] Munger, D.F., D.S. Bowles, D.D. Boyer, D.W. Davis, D.A. Margo, D.A. Moser, P.J. Regan and N. Snorteland. – “Developing Tolerable Risk Guidelines for the US Army Corps of Engineers Dams in Collaboration with Other Federal Agencies. Proceedings of the US Society on Dams 2009 Annual Lecture, Nashville, TN. April, 2009.
[9] Bowles, D.S., L.R. Anderson, and T.F. Glover. – “The Practice of Dam Safety Risk Assessment and Management: Its Roots, Its Branches, and Its Fruit.” Eighteenth Annual USCOLD Lecture, Buffalo, NY, 1998.
[10] USSD 2003. – “Dam Safety Risk Assessment: What Is It? Who’s Using It and Why? Where Should We Be Going With It?” U.S. Society on Dams Emerging Issues White Paper by the Committee on Dam Safety. Working Group on Risk Assessment. April 2003.
[11] McCann, M.W., and G. Castro. – “A Framework for Applying and Conducting Risk-Based Analysis for Dams.” Eighteenth Annual USCOLD Lecture Series, Buffalo, New York. August, 1998.
[12] Bowles, D.S., L.R. Anderson, T.F. Glover, and S.S. Chauhan. – “Portfolio Risk Assessment: A Tool for Dam Safety Risk Management.” Proceedings of USCOLD 1998 Annual Lecture, Buffalo, New York, 1998.
[13] NRC (National Research Council). – “Understanding Risk: Informing Decisions in a Democratic Society.” National Academy Press, Washington, D.C. pp. 249, 1996.
[14] Bowles, D.S. – “Alamo Dam Demonstration Risk Assessment: Results”. Presentation to the U.S. Army Corps of Engineers, Los Angeles, CA, January, 1999.
[15] AS/NZS. – “Risk Management.” Australian/New Zealand Standard, AS/NZS 4360, Stathfield, New South Wales, Australia, and Wellington, New Zealand, 1995.
[16] Bruce, R.L., A. Minty, and C.A.J. Gregory. – “Holistic Risk Management.” In: Integrated Risk Assessment, Melchers and Stewart (Eds), Balkema, Rotterdam, 1995.
[17] USBR. – “Guidelines for Achieving Public Protection in Dam Safety Decisionmaking.” U.S. Department of the Interior, Bureau of Reclamation, Denver, Colorado, pp. 19, 2003.
[18] Bowles, D.S., L.R. Anderson, T.F. Glover, S.S. Chauhan and R.S. Rose. – “Risk-Based Evaluation of Operating Restrictions to Reduce the Risk of Earthquake-induced Dam Failure.” Proceedings of the 2005 USSD Annual Lecture, Salt Lake City, Utah, 2005.
[19] Bowles, D.S., L.R. Anderson, M.E. Ruthford, D.C. Serafini, and S.S. Chauhan. – “A Risk-based Reevaluation of Operating Restrictions to Reduce the Risk of Earthquake-induced Dam Failure.” Proceedings of the 2010 USSD Annual Lecture, Sacramento, CA. April, 2010.
[20] Bowles, D.S. – “ALARP Evaluation: Using Cost Effectiveness and Disproportionality to Justify Risk Reduction.” ANCOLD Bulletin, Vol. 127, pp. 89-106, 2004.
[21] Bowles, D.S. – “Advances in the Practice and Use of Portfolio Risk Assessment.” ANCOLD Bulletin, Vol. 117, pp. 21-32, 2001.
[22] ASDSO. – “Risk Characterization for Dams. Report of the Steering Committee.” 2003.
[23] Bowles, D.S., and L.R. Anderson. – “Risk-informed Dam Safety Decision-Making.” ANCOLD Bulletin, Vol. 123, pp. 91-103, 2003.
[24] Halpin, E. – “Risk Management for Dam Safety A Joint Approach by USBR, FERC, and USACE.” Presented at the workshop on ‘The Future of Dam Safety Decision Making: Combining Standards and Risk’ at the USSD Annual Meeting, Nashville, Tennessee. April, 2009.
[25] USACE (U.S. Army Corps of Engineers). – “ER 1110-2-1156.” Draft. 10 July, 2009.
[26] ICOLD. – “Risk Assessment in Dam Safety Management: A Reconnaissance of Benefits, Methods and Current Applications.” International Commission on Large Dams (ICOLD) Bulletin 130, 2005.
[27] SMEC/RAC. – “Review of Headworks.” Final Report, Volume 1 Main Report. Technical consulting report prepared for the Office of Water Reform, Department of Conservation and Natural Resources, Water Victoria, Victoria, Australia, 1995.
[28] Watson, D., D.S. Bowles, L.R. Anderson, T.F. Glover, C. Gratwick, P. Jacob, and G.S. Tarbox. 1997. “Statewide Review of Headworks Dams: Status, Risks, Future Business Focus, and Approach to Regulation.” Transactions of the 19th ICOLD Congress, Florence, Italy, 1997.
[29] Bowles, D.S. – “Potential Role for Portfolio Risk Assessment in Dam Safety Evaluation.” Presentation to the Snowy Mountains Hydro-Electric Authority, Cooma, New South Wales, Australia, 1996.
[30] Bowles, D.S., L.R. Anderson, T.F. Glover, and S.S. Chauhan. – “Demonstration Portfolio Risk Assessment for Huntington District Dams.” RAC Engineers & Economists Technical Consulting Report to the U.S. Army Corps of Engineers, 2003b.
[31] Auditor-General’s Office. – “Water Management by Non-Metropolitan Urban and Rural Water Corporations.” Victoria, Australia, 2000.
[32] Hughes, A.K., and K.D. Gardiner. – “Portfolio Risk Assessment in the UK: A Perspective.” Proceedings of the British Dam Society Annual Meeting, Canterbury, U.K., 2004.