Technical Bulletin:
Dam Safety Analysis and
Assessment
2007
Canadian Dam Association
Association Canadienne des Barrages
www.cda.ca
CDA technical bulletins are developed by bringing together volunteers representing varied
viewpoints and interests to achieve consensus. CDA administers the process but does not
independently test, evaluate or verify the contents of the documents.
CDA publishes this document for consideration by professionals who are properly qualified by
education and experience to carry out dam analyses and safety assessments. CDA and its
membership disclaim any legal responsibility for the use and application of the information
provided herein.
Copyright © 2007 by the Canadian Dam Association. All rights reserved.
No part of this publication may be reproduced, copied, stored, distributed or transmitted in any
form or by any means without the prior written permission of the Canadian Dam Association.
Requests for permission should be addressed to the Executive Director at the contact address
provided at www.cda.ca.
TABLE OF CONTENTS
1.0 Introduction
2.0 Dam System
3.0 Hazards
3.1 External Hazards
3.2 Internal Hazards
4.0 Failure Modes
5.0 Quality of Analysis
6.0 Loading Conditions and Stability
7.0 Risk Assessment
7.1 Introduction
7.2 Equity and Efficiency
7.3 Individual and Societal Risk
7.4 Tolerability of Risk
7.5 Probabilistic Risk Assessment
References
1.0 Introduction
The purpose of dam safety analysis is to determine the capability of the dam and systems to
retain the stored volume and to pass flows around and through the dam in a controlled manner.
This document provides a framework for the complex interactions of analysis, methodology, and
judgement that are required in dam safety engineering. Since dam safety analysis supports
decision-making related to public safety, the basis for judgement should be open to independent
scrutiny and the line of reasoning from data to conclusions should be transparent.
Failure mechanisms should be specified, with identification of natural events, processes or
properties that influence the failure mechanisms. Analysis also requires detailed specification of
the physical and engineering relationships within and among the failure mechanisms.
2.0 Dam System
Prior to embarking on a dam safety analysis, bounds for the system and processes must be
established. The system to be analysed ranges from a tightly defined specific concern pertaining
to one component of the dam, to the entire safety management system that has been established
to manage a dam safety program throughout the life cycle of the dam. The type of analysis varies
from one subset of the system to the next, making it necessary for the analyst to define the
boundaries around what is being analysed, and to define the influences that cross the boundaries.
3.0 Hazards
3.1 External Hazards
External hazards are beyond the control of the dam owner, and originate outside the boundary of
the dam and reservoir system. External hazards include the following conditions:
• Meteorological events - These include floods, intense rain events (causing local erosion,
landslides, etc.), temperature extremes, ice, lightning strikes and wind storms.
• Seismic events - These may be natural or caused by economic activity such as mining or even
reservoir-induced seismicity.
• Reservoir environment, including all reservoir rim features such as upstream dams, slope
around the reservoir, etc., that pose a threat - The reservoir environment also includes any
deleterious substances, or burrowing or other animals that can affect the physical
performance of the dam.
• Human attacks and vandalism
3.2 Internal Hazards
Internal hazards are errors and omissions in the design, operation and maintenance of the dam
and water conveyance structures, including the following hazards:
• Inadequate consideration (i.e. in the design, operation and maintenance) of the performance
of the reservoir rim and upstream dams
• Inadequate consideration of the impacts of seepage on downstream habitats
• Construction errors or design compromises to accommodate natural or imposed deviations
from the design assumptions
• Errors where maintenance requirements are not fully defined at the design stage
• Errors and omissions in development and maintenance of operating rules or means of
verifying adequate operation (e.g. water level recorders) and closure conditions
Internal hazards can be further subdivided into the following sources:
• Water (or tailings) barrier - This includes all elements retaining or interfacing with the body
of water (or tailings), including the main dam, any concrete spillway structure with
water/tailings retaining function, saddle dams, etc. Spillway gates that function as water
retaining subsystems form part of the water barrier.
• Hydraulic structures - This includes all water conveyance structures required to direct water
around or through the dam in a controlled way. Typically, spillway structure, low level outlet
structure, and power water passages (canals and penstocks, etc.)
• Mechanical and electrical sub-systems - This includes all mechanical and electrical
equipment and machinery required to control the reservoir level. This will encompass all
mechanical and electrical subsystems and controls at the dam site and, in the case of remotely
controlled dams, the remote control centre. The definition of the system boundary will
include the boundary around the control systems.
• Infrastructure and plans - The term ‘infrastructure’ is used to describe all physical
infrastructure and equipment necessary for the collection of data and information required to
verify the performance adequacy of the dam. The term ‘plans’ is used to describe all of the
non-physical dam safety activities necessary to support dam safety, including the design,
construction, maintenance, and implementation of all operating and safety procedures that
form part of the engineering design of the dam and safety system. Human error is included.
The infrastructure includes all instruments and their physical supports, as well as access
roads, adits, portals, etc., required for siting and reading the instruments.
The plans include the engineering design of all operating orders, maintenance strategies and
plans, surveillance procedures, and the emergency plans, all of which form part of the
engineering design. Plans also include forecasts such as inflow forecasting. In general, if some
form of additional infrastructure or a plan is required to ensure adequate performance of the
water barrier, the hydraulic structures or the mechanical/electrical system with respect to any
failure mode or functional failure characteristic, then there is an ‘infrastructure’ hazard and
corresponding failure modes.
4.0 Failure Modes
A ‘failure mode’ describes how element or component failures must occur to cause loss of the
system function. At a general level, there are three dam failure modes: dam overtopping, dam
collapse, and contaminated seepage. At a lower level, failure effects become failure modes at the
next higher level in the system. The system should be broken down into sub-systems to a level
where there is a thorough understanding of the failure modes of the elementary sub-systems.
• The overtopping failure mode is a situation where inadequate freeboard leads to the flow of
water over the crest of the dam in a manner not intended or provided for in the design,
construction, maintenance and operation of the dam.
• The collapse failure mode pertains to inadequate internal resistance to the hydraulic and
other forces applied to the dam, foundations and abutments, even though the hydraulic
operation is in accordance with the design intent.
• The contaminated seepage failure mode exists, primarily in mine tailings dams, where
impoundment/reservoir geochemistry is incompatible with downstream regulatory limits
and the geochemistry presents itself in downstream receptors as a result of dam or
impoundment seepage.
Figure 1 illustrates two different failure modes for an earthfill dam with a gated spillway. In
Example A, human error and inadequate maintenance are the hazards that lead to power supply
failure and ultimately dam failure. In Example B, the internal hazard of inadequate installed
discharge capacity leads directly to dam failure.
The hazards or threats to the proper functioning of the dam and the modes by which sub-systems
and systems of the dam can fail and result in the uncontrolled release of the water from the
reservoir and loss of the facility, can be represented on a matrix such as shown in Figure 2. For
example, the two failure modes shown on Figure 1 are identified on Figure 2.
The failure in Example A resulted from human error in operating procedures combined with
inadequate maintenance. Either the procedures for operation, maintenance and surveillance were
not well-developed or they were not followed (these are both considered to be internal hazards in
cell A8), and the management system controls (cell G8) failed to identify the non-conformances.
The hypothetical failure due to inadequate installed discharge capacity (Example B) resulted from
a meteorological hazard (cell A1) combined with an error in design of the hydraulic structure (cell
A6). Also, safeguards in the dam safety management system (cell G6) failed to identify the hazard
(for example in a Dam Safety Review) or the deficiency was not corrected.
In utilizing a Hazards and Failure Modes Matrix, the objective is to identify hazards relevant to a
particular dam and to describe these hazards and associated postulated failure modes. The
resulting matrix provides insight into the potential risks at the dam and assists in prioritizing
remedial work required to rectify deficiencies and non-conformances.
In general, the hazard should be coupled with the basic functional weakness of the functional
failure characteristic. The idea is to identify, through examination or analysis of the dam system,
the vital basic conditions that have to exist between the hazard and failure mode to cause a failure
sequence to progress to one of the global failure modes.
For a particular dam, the matrix shown in Figure 2 can be used by first assuming that all
combinations of hazards and failure modes apply, and then eliminating those that do not apply.
A simple dam such as a concrete dam wedged in a narrowing canyon, and designed to operate as
a weir for flood passage purposes would be expected to have a small number of hazard-failure
mode pairs. On the other hand, an earthfill dam on a poor foundation with a gated spillway on a
rapidly responding reservoir in a seismic area also prone to unpredictable large floods would be
expected to have a large number of hazard and failure mode pairs.
Careful thought is required when de-populating the matrix as it is necessary to consider external
hazards and internal hazards separately and together. As a result, a functional failure
characteristic may be vulnerable to external hazards and to internal hazards, and to combinations
of interacting external and internal hazards. Similarly, external hazards can combine such as a
reservoir landslide that can occur naturally, or as triggered by a meteorological or seismic event.
[Figure 1: Example of Failure Modes and Effects Analysis (Example A and Example B; figure not reproduced)]
[Figure 2: Example of Hazards and Failure Modes Matrix (external hazards and internal hazards against failure modes; figure not reproduced)]
5.0 Quality of Analysis
Dam safety analysis covers a broad spectrum of approaches that are not equivalent. At one end,
formal and transparent analyses use models that are based on established physical laws and
mathematical relationships. The models are supported by relevant and validated data. Moving
across the spectrum, the role of formal analysis diminishes to the point where modelling may
provide only a partial answer. There may be various ways of representing the features of the
problem, each consistent with the available data. Expert judgement figures increasingly in the
analysis. The quality of judgement depends on depth of relevant experience and availability of
evidence from similar circumstances accumulated over time or across different disciplines.
Eventually the point is reached where the uncertainties and lack of understanding are such that
the analysis is based largely or wholly on expert opinion. The quality of analysis then depends on
such characteristics as credibility, standing and independence of the assessors.
In order to account for the conditions of great uncertainty that surround dam safety decisions, the
following analysis is needed:
• Uncertainties in parameters, analysis models and procedures, and uncertainties in results
should be identified and dealt with using appropriate methods.
• Deterministic analysis should utilize specific, predetermined states of the systems and
loading conditions and use appropriate level of conservatism in selecting values of safety
coefficients and resistance variables, in order to properly account for presence of uncertainty.
• Sensitivity analyses should be carried out as appropriate.
Since the quality of decisions depends in part on the quality of the inputs and the procedures
used to process the data, the following guidelines should be observed:
• Methods of systems analysis should be used to the extent that is practicable and appropriate.
• All stages of the analysis should be clearly documented and the rationale for assumptions
and choices of methods and parameters should be identified.
• Expert review should be carried out when appropriate.
• Responsibility for the selection and implementation of analysis processes should be clearly
identified, along with accountability for the overall analysis and its results.
• Qualifications and relevant experience of the analysts and reviewers should be documented.
• All weaknesses and deficiencies in the analytic process, as well as unresolved issues, should
be clearly identified.
The analyses should be transparent and independently reproducible. The analysis should be
structured in a manner that permits it to be readily updated as dam safety standards change, as
scientific knowledge advances and/or as more information about the dam system becomes
available.
In summary, the analysis process should be highly credible, with sufficient scope, quality,
completeness and accuracy to ensure the confidence of the owner, the regulator and the public in
the safety of the dam.
6.0 Loading Conditions and Stability
Dam safety analysis should assess the performance of the dam against the full spectrum of
possible operating and accident conditions in order to obtain complete understanding of how the
structures are expected to perform in these situations and what level of deviation from the norm
is tolerable. The design, construction and operation should be integrated with the analysis to
ensure that the design intent has been incorporated into the dam.
Analysis should incorporate deterministic and/or probabilistic (to the extent presently feasible
and practicable) approaches to demonstrate that an appropriate level of safety is achieved.
With a standards-based (deterministic) approach to considering the safety of the dam, the usual
(normal), unusual and extreme cases can be considered from the perspective of their exceedance
frequency. Uncertainty in the assessment is partly accounted for in the following ways:
• Assuming conservative (extreme) values for the loads
• Assuming conservative (safe) values for resistance variables
• Applying conservative safety coefficients
With reference to Figure 2, a conservative design would underestimate the design resistance and
overestimate the design load; the gap is the nominal safety margin. If one characterizes the full
uncertainty in load and the full uncertainty in resistance, the mean safety margin can be
computed, and it will generally be significantly larger than the nominal safety margin. In this
respect, the design load value is simply an upper fractile of the probabilistic load variable.
In addition to the degree of conservatism built into the values and coefficients in the standards-
based approach, risk is considered implicitly, often by application of classification schemes
reflecting potential consequences of dam failure.
Qualitative risk assessment includes more explicit, rigorous and representative consideration of
risk factors by characterization of uncertainty in non-mathematical form, and uses schemes for
indexing, scoring, and ranking risks. Quantitative risk assessment seeks to provide complete
mathematical specification of the uncertainty in the calculated estimates of risk.
Probabilistic methods are now used widely in the assessment of design of structures in many
industries, as outlined in HSE (2001b), NCHRP (2004) and Madsen et al. (1986).
[Figure 2: Probabilistic and Deterministic Performance Goals (labels: mean safety margin, probability of failure, requirements of the standard, e.g. flood, earthquake; figure not reproduced)]
7.0 Risk Assessment
7.1 Introduction
The ultimate goal of dam safety management is to ensure that all dams present an acceptable
level of risk to the population. However, since this ultimate goal is not always achievable, the
alternative goal may be to reduce the risk to a tolerable level, provided that it passes the test of
reasonable practicability. By definition, risk incorporates both the consequences of an adverse event
and the probability of such an event occurring.
This document provides a framework that allows dam safety decisions to be made on the basis of
emerging probabilistic risk criteria. It provides background for dam safety decision-making in
terms of uncertainty, outlines practices that may be used to understand and evaluate the
consequences that could potentially result from failure of a dam, and explores the concepts
behind risk-based approaches.
The current, most widely applied approach to dam safety decision-making has been essentially
based on deterministic principles, rules and requirements that have been defined with the aim of
ensuring a relatively high but unspecified level of safety. The rules and requirements are adjusted
to provide proportionately higher safety levels when hazards or consequences are greater. The
process of selecting and assigning specific values to safety requirements has relied on
“engineering judgement”, which does not explicitly and transparently take societal preferences
into account.
There are many uncertainties (both in terms of occurrence and magnitude) related to internal and
external dam safety hazards. A considerable level of conservatism is built into the deterministic
framework to provide assurance that safety margins are adequate.
An alternative approach, risk assessment, is emerging as a method to improve the way dam
safety decisions are made, particularly as those decisions become more complex and as society
demands increased transparency and accountability (ICOLD 2005). Determination of failure
probability is a complex task that is not readily accomplished with the current state of
knowledge. The use of quantified risk methodologies is preferable for appropriate situations
where the scientific techniques are available.
7.2 Equity and Efficiency
How safe is safe enough? Do applications using concepts of Probable Maximum Flood or
Maximum Credible Earthquake as performance goals for high consequence dams provide
sufficient level of safety? If so, is this level of safety appropriate or is it unjustifiably and
unnecessarily high in some cases?
Dam safety frameworks based on uncompromising deterministic criteria can create significant
imbalance between costs incurred and risk reductions achieved, in a quest for a zero-risk society.
This often leads to almost unbounded financial commitments to certain safety measures at the
expense of other measures that can be more beneficial to society. No human activity is completely
free from risk of causing adverse effects, and measures reducing these risks beyond a certain
threshold may be not practically achievable. While all stakeholders who could be adversely
affected by a dam failure have rights to safety, there is a need to maintain a balance between the
conflicting social objectives.
In the past, technologically advanced societies would tolerate significantly greater losses to
individuals, communities and environment in the interest of general economic progress, than
they do at the present. The current approach presupposes that the dam safety framework should
ensure that no individuals or communities should be unduly affected in the interest of the
broader societal interests. On the other hand, society does not have infinite resources to spend on
managing risks and often the resource spent inefficiently in one area is the same resource which
is missing in another area where investment could be more beneficial. For example, it is not
logical or equitable from a societal perspective to accept a certain level of risk from nuclear or
chemical installation because of the benefits provided and then require different level of risk
protection from a dam which also provides benefits to society.
The equity-versus-efficiency dilemma has been largely ignored in dam safety debates, thus
leading to inconsistent judgments in the development of dam safety policies. Concerns about
equitable provision and financing of life safety protections impacted by engineering activities are
relatively new in the broad area of public policy making. As an example, designing or upgrading
a high consequence dam to pass the Probable Maximum Flood seems to be a sound and
justifiable dam safety practice. However, no comparable attempts have been made (with the
exception of nuclear installations) to protect other engineered structures against similar extreme
events.
Effective application of the balanced equity-efficiency approach requires acknowledgment that
both economic efficiency and social equity are legitimate goals that society wants to pursue.
7.3 Individual and Societal Risk
In everyday life, decisions about risks are based on various considerations, some of which are
subconscious and few of which are numerical. When the decisions affect a part of the society, in
democratic societies the decision-making process is more and more frequently called into
question. That creates an increasing need to establish criteria on which the decisions can be made
and justified. One effective way to address individual and societal concerns about the hazards
posed by dams is by characterization in terms of risk and derivation of tolerability criteria.
‘Individual risk’ relates to concerns of how individuals see the risk from a particular hazard
affecting them and their property. It is usually defined as the risk to a hypothetical member of the
public living in the zone that can be affected in the event that a hazard occurs. The criteria for
individual risk depend on such factors as: whether or not the exposure is voluntary, whether the
individual derives benefit from accepting the risk, whether the individual has some control over
the risk, and whether the risk engenders particular dread.
‘Societal risk’ is much more elusive than individual risk, for definition and estimation. In general,
societal risk refers to hazards that, if realized, could impact society and thus cause socio-political
response. Some see societal risk as simply a relationship between the frequency of a particular
hazard and number of casualties if the hazard is realized. In one of the most exhaustive reports
on societal risk in hazardous industries, risk is described as “a much broader concept incorporating
many other dimensions of harm, in some cases even the socio-political response in the aftermath of major
accidents, or even lesser accidents where these might give rise to a significant expression of public concern”
(Ball and Floyd, 1998). In applications dealing with hazards from engineered installations where
the predominant issue is life safety, societal risk is characterized by graphs showing frequency of
events that could cause multiple fatalities.
7.4 Tolerability of Risk
The matter of tolerability of risk to individuals and society has received considerable attention by
regulators in various countries and industries (Ale 2005; HSE 2001a and 2001; NSW Dam Safety
Committee 2006; Rimington 2008). The concept of tolerability of risk is fundamentally a matter of
political choices, preferences and policies. The emerging view is that risk and uncertainty, as
essential factors that have to be considered in the dam safety decision-making process, should be
explicitly included and expressed. When accepted, the concept provides guidance on how to
establish criteria for separation of acceptable, tolerable and unacceptable risks. To the extent that
data and technology are available, the criteria can be subsequently used to support transparent
and informed decision-making processes that are logical, consistent and capable of clearly
identifying the trade-offs between economic efficiency and social equity.
The general idea of levels of risk that may be acceptable or unacceptable to the public, dam
owners and regulators has always been present in dam safety considerations. More recently
efforts have been made to define the criteria that separate different categories of risk. The
following risk categories are recognized (HSE 2001a; Rimington et al, 2008):
• Broadly acceptable risk - An annual risk of casualty that is lower than 10* from any
particular source is generally taken as a negligible level of r
• Unacceptable risk - An annual risk of casualty to members of the public from a hazardous
facility in excess of 10* has been explicitly deemed to be intolerable under normal
circumstances. This does not preclude individuals from regular participation in sporting or
recreational activities involving much higher levels of risk, often in the range of 10? to 10%.
• Tolerable risk - An annual risk of casualty (fatality) between the values of 10% and 10^-4,
provided the risk is as low as reasonably practicable at the time.
More detailed discussion of how tolerability criteria have developed in the past in different
countries and in different hazardous industries can be found in Hartford et al. (2008).
Tolerable Individual Risk
Many countries in the world maintain databases on causes of death to their citizens. The data can
be analysed and compiled in the form of a statement of what a particular community seems to
have historically accepted as a reasonable risk (that is, what the society is willing to live with). For
example, in Australia (Planning NSW, 2002) criteria have been outlined for assessment of
acceptability of risks associated with potentially hazardous developments. Criteria for individual
fatality risks for new installations range from 0.5 x 10* for hospitals, schools, childcare facilities
and old age housing, to 05 x 10+ for workers at industrial facilities. The criterion for persons
occupying residential premises is 10^-6 per annum.
Tolerable Societal Risk
Societal risk criteria with respect to life safety are most commonly expressed as either single or
multiple anchor points (with fatalities and frequencies as coordinates) or as lines on an FN
diagram. These graphs illustrate the risk where there is a potential for multiple fatalities, by
relating a cumulative plot of frequencies or probabilities (F) and the consequences (number of
casualties, N) on a log/log plot. Very frequently the FN lines are defined by a single anchor point
and the slope of the line. Most of the known FN criteria are drawn with slopes of between -1 and
-2 on log/log diagrams. Slope -1 is commonly regarded as ‘risk neutral’ and slope -2 as ‘risk
averse’ to multiple fatalities or large scale accidents. It appears that, at least in some jurisdictions,
the societal aversion to risk increases with the magnitude and severity of losses. The Netherlands
which uses slope -2 is an example of a society with progressively increased aversion to societal
risk (Ball and Floyd 1998). On the other hand, Hong Kong which uses slope -1 is risk-aversion
neutral (Hong Kong 2003).
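The FN check described above, as an added example that is not part of the bulletin: it builds the cumulative F(N) curve from a list of failure scenarios and tests it against a criterion line defined by an anchor point and a slope. The scenario names, frequencies, fatality counts and the anchor point (1, 1e-3) are constructed sample values, not criteria taken from the bulletin.

```python
# Added illustration of an FN-diagram check; not code from the CDA bulletin.
# Every frequency, fatality count and anchor point here is a constructed
# sample value, not a criterion taken from the bulletin.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # events per year
    fatalities: int          # N if this scenario occurs


@dataclass(frozen=True)
class FNCriterion:
    anchor_n: float  # N coordinate of the anchor point
    anchor_f: float  # F coordinate of the anchor point, per year
    slope: float     # slope on the log/log diagram (-1 or -2 in the text)

    def limit(self, n):
        # A straight line on log/log axes:
        #   log F = log F0 + slope * (log N - log N0)
        return self.anchor_f * (n / self.anchor_n) ** self.slope


def fn_curve(scenarios):
    """Return [(N, F)], F being the annual frequency of N OR MORE fatalities.

    F is cumulative: a scenario with 100 fatalities also counts towards
    F(1) and F(10). Scenarios without fatalities do not enter the curve.
    """
    levels = sorted({s.fatalities for s in scenarios if s.fatalities > 0})
    return [
        (n, sum(s.annual_frequency for s in scenarios if s.fatalities >= n))
        for n in levels
    ]


def exceedances(scenarios, criterion):
    """Points (N, F, limit) of the FN curve that lie above the criterion line."""
    return [
        (n, f, criterion.limit(n))
        for n, f in fn_curve(scenarios)
        if f > criterion.limit(n)
    ]


def compare_slopes(scenarios, anchor_n, anchor_f, slopes=(-1, -2)):
    """For each slope, list the N values at which the curve exceeds the line."""
    return {
        slope: [n for n, _, _ in
                exceedances(scenarios, FNCriterion(anchor_n, anchor_f, slope))]
        for slope in slopes
    }


# Constructed sample portfolio for one hypothetical dam.
SAMPLE_SCENARIOS = (
    Scenario("controlled spill, no casualties", 1e-2, 0),
    Scenario("gate failure, small release", 2e-4, 1),
    Scenario("overtopping in a large flood", 5e-5, 10),
    Scenario("collapse after an earthquake", 4e-6, 100),
)

if __name__ == "__main__":
    for n, f in fn_curve(SAMPLE_SCENARIOS):
        print(f"N >= {n:>3}: F = {f:.2e} per year")
    # The same anchor point with the two slopes discussed in the text.
    for slope, failing in compare_slopes(SAMPLE_SCENARIOS, 1, 1e-3).items():
        verdict = "within the line" if not failing else f"exceeds at N = {failing}"
        print(f"slope {slope}: {verdict}")
```

With this sample data the same portfolio lies within the slope -1 line but exceeds the slope -2 line at N = 10 and N = 100, which is the aversion to multi-fatality events that the steeper slope encodes.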
ALARP Principle
An action reducing risk is clearly necessary if the risk is unacceptable. A less firm but
unequivocal statement can be made about broadly tolerable risk. The Health and Safety Executive
in the United Kingdom (HSE 2002) understands tolerable risk as “a risk within a range that society
can live with so as to secure certain net benefits. It is a range of risk that we do not regard as negligible or
as something we may ignore, but rather as something we need to keep under review and reduce it still
further if and as we can.” Further refinement of this statement is known as the ALARP principle.
According to this principle, risk should be As Low As Reasonably Practicable. This requirement
originates from the duty to reduce risks to life to the point where further risk reduction is
impracticable or requires action that is grossly disproportionate in time, trouble and effort to the
reduction of risk achieved.
7.5 Probabilistic Risk Assessment
‘The term risk is often used in different contexts with different intended meanings. Some view risk
‘asa threat or a hazard without attaching any specific quantitative measure to the term. Some
understand the same term as a probability of an event with adverse consequences, In engineering
applications, risk usually means a combination of the probability and the adverse consequences
‘ofan event. If this combination is expressed as the product of probability and consequences, it
simply represents the probabilistic expectation (expected value) of the consequences,
Quantitative estimates of the risk (probabilities and consequences of possible adverse events) can
be used as indicators of safety levels achieved and may be compared with specific safety goals
also expressed in probabilistic terms, A probabilistic safety goal is usually expressed in terms of
the annual probability of an adverse event and the associated consequences. A flood
characterized by a peak daily inflow with a certain return period (frequency of occurrence, or
probability of exceedance) is an example. Such defined safety goals can be subsequently used as a
design oF operational objective and interpreted as a desirable target for establishing reliable
performance of safety. The selection of safety goals can either be based on arbitrary criteria or be
‘established within the broader context of societal and individual tolerance/acceptance of risk.
The safety management framework should make transparent all factors considered in decision-
making on risks and thus help reassure the public and stakeholders that risks to people, property
and environment are properly addressed. At the same time, the framework should ensure that
the dam owners, in responding to economic pressures, will not be imposing intolerable risks. The
framework should address all ethical, social and economic considerations of how to achieve the
necessary trade-offs between benefits to society and adequate protection to individuals.
The Canadian Dam Association accepts the principle that the risk should be as low as reasonably
practicable (ALARP), and suggests risk criteria with respect to life safety that are consistent with
the risk categories outlined in Section 4, and values used in other hazardous industries (Ale 2005,
Ball and Floyd 1998, HSE 2001, IAEA 2006, NSW 2002).
As illustrated on Figure 1, the maximum level of societal risk for life safety should be less than
$10^{-3}$/year for loss of one life that was not explicitly foreseen and identified in advance of the
failure; a higher risk is considered “unacceptable”. The high societal aversion to catastrophic
casualties should be reflected in setting the maximum performance goal in cases where more than
100 lives would be jeopardized. The risks should be made as low as reasonably practicable
(ALARP) until they fall within a “broadly acceptable” region, which is set 100 times lower.¹
The maximum level of individual risk should be less than $10^{-4}$/year. This is considered in terms of
the ‘maximally exposed individual’ that is permanently resident downstream of the dam.
Typically, the maximally exposed individual is exposed to the hazard significantly more than
50% of the time.
¹ The same criteria can be expressed also as the anchor point of (1, $10^{-3}$) and the slope of the FN line equal to
-1, extending from N = 1 to N < 100 with the consequences cut-off at N = 100.
Figure 1: Societal Risk Criteria for Dam Safety
[Plot not reproduced. Horizontal axis: Number of Fatalities N, from 1 to 1000. Regions labelled "Unacceptable Risk" and "Broadly Acceptable Risk".]
In order to calculate the risk to the individual, probabilistic methods must be available to quantify
each factor in the following equation to calculate the Probability of Loss of Life ($P_{LOL}$) for the
maximally exposed individual.

$$P_{LOL} = P_{Event} \times P_{Failure|Event} \times P_{Fatality|Failure}$$

where
$P_{LOL}$ = Unconditional probability of fatality for maximally exposed individual from a hazardous event
$P_{Event}$ = Unconditional probability that a hazardous event will occur of specified type and magnitude range
$P_{Failure|Event}$ = Conditional probability that the dam will actually fail given the event
$P_{Fatality|Failure}$ = Conditional probability of loss of life, given dam failure
The risks calculated by the above formula need to be aggregated over all dam failure initiating
events in order to obtain the total risk to the individual.
The conditional probabilities $P_{Failure|Event}$ that dams will fail, given an event, vary widely depending
on the failure modes and the nature of the loadings. The actual value for a particular dam and
event is often difficult to determine precisely. Hence, in some cases where no additional
information is available, valid dam safety decisions can often be made on the basis of relatively
simple analyses by making the very conservative assumptions that $P_{Failure|Event} = 1$ and
$P_{Fatality|Failure} = 1$. For example, these conservative and necessary assumptions are applicable to flood
events resulting in major overtopping of unprotected earth embankments.
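The aggregation and screening described above can be sketched as follows. This is an added example, not part of the bulletin: the event list is constructed, the limits are this example's reading of the criteria in this section (individual limit 1e-4/year, societal anchor 1e-3/year at N = 1 with slope -1, broadly acceptable region 100 times lower), and leaving N > 100 unclassified is an assumption.

```python
from dataclasses import dataclass

# Assumed readings of the criteria in this section (example values).
INDIVIDUAL_LIMIT = 1e-4         # per year, maximally exposed individual
SOCIETAL_ANCHOR = 1e-3          # per year at N = 1; FN line has slope -1
BROADLY_ACCEPTABLE_RATIO = 100  # "broadly acceptable" is 100 times lower
N_CUTOFF = 100                  # the FN line is not extended past this N

@dataclass
class InitiatingEvent:
    name: str
    p_event: float                          # annual probability of the event
    p_failure_given_event: float = 1.0      # conservative default
    p_fatality_given_failure: float = 1.0   # conservative default

    def p_lol(self) -> float:
        """P_LOL contribution of this event: product of the three factors."""
        factors = (self.p_event, self.p_failure_given_event,
                   self.p_fatality_given_failure)
        if any(not 0.0 <= p <= 1.0 for p in factors):
            raise ValueError(f"{self.name}: probabilities must lie in [0, 1]")
        return factors[0] * factors[1] * factors[2]

def total_individual_risk(events) -> float:
    """Aggregate P_LOL over all failure-initiating events."""
    return sum(e.p_lol() for e in events)

def individual_risk_tolerable(events) -> bool:
    return total_individual_risk(events) < INDIVIDUAL_LIMIT

def classify_societal(n_fatalities: int, annual_probability: float) -> str:
    """Place an (N, annual probability) point relative to the FN lines."""
    if n_fatalities < 1:
        raise ValueError("N must be at least 1")
    if n_fatalities > N_CUTOFF:
        return "beyond cut-off"
    limit = SOCIETAL_ANCHOR / n_fatalities  # slope -1 on log-log axes
    if annual_probability >= limit:
        return "unacceptable"
    if annual_probability < limit / BROADLY_ACCEPTABLE_RATIO:
        return "broadly acceptable"
    return "ALARP"

# Constructed sample events, not data from the bulletin.
SAMPLE_EVENTS = [
    InitiatingEvent("flood overtopping, unprotected embankment", 1e-4),
    InitiatingEvent("earthquake", 2e-4, 0.1, 0.5),
    InitiatingEvent("internal erosion", 1e-5, 1.0, 0.5),
]
```

In the sample, the overtopping event alone, taken with both conditional probabilities set to 1, uses up the whole individual limit, so the aggregated total exceeds it.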
Risk-based analytical methods to support sound decisions and set performance goals with
appropriate conservatism are discussed in ICOLD (2005) and Hartford and Baecher (2004).
Hartford and Baecher specifically address the characterization and quantification of risks and
uncertainties in dam safety analysis, and also provide extensive bibliographic references.
References
Ale, B.J.M. 2005. Tolerable or Acceptable: A Comparison of Risk Regulation in the United Kingdom
and in the Netherlands. Risk Analysis, Vol. 25, No. 2, 2006.
Ball, David J. and Peter J. Floyd. 1998. Societal Risk. Final Report prepared for Health and Safety
Executive, United Kingdom.
Hartford, D.N.D. and Gregory B. Baecher. 2004. Risk and Uncertainty in Dam Safety. CEA
Technologies Dam Safety Interest Group. Thomas Telford. ISBN: 07277 3270 6.
Hartford, D.N.D., R.A. Stewart and P.A. Zielinski. 2004. “On the Matter of Dam Safety Standards
for Floods and Other Natural Hazards”. Proceedings of 6th Int. Conf. on Hydroscience and
Engineering (ICHE-2004), May 30 – June 3, Brisbane, Australia.
Hong Kong, Government of. 2003. Societal Risk Guidelines for Acceptable Risk Levels.
HSE (Health and Safety Executive, United Kingdom). 2001a. Reducing Risks, Protecting People –
HSE’s Decision Making Process. HSE Books.
HSE (Health and Safety Executive, United Kingdom). 2001b. Probabilistic Methods: Uses and
Abuses in Structural Integrity. Contract Research Report 398.
IAEA (International Atomic Energy Agency). February 2005. Risk Informed Regulation of Nuclear
Facilities: Overview of the Current Status. IAEA-TECDOC-1436.
ICOLD (International Commission on Large Dams). 2005. Risk Assessment in Dam Safety
Management. Bulletin 130.
Madsen, H.O., S. Krenk and N.C. Lind. 1986. Methods of Structural Safety. Prentice-Hall.
NCHRP (National Cooperative Highway Research Program). 2004. Load and Resistance Factor
Design (LRFD) for Deep Foundations. NCHRP Report 507, Transportation Research Board,
Washington DC.
NSW (New South Wales, Australia) Dams Safety Committee. 2006 June. Risk Management Policy
Framework for Dam Safety, Attachment 2.
Planning NSW (New South Wales, Australia). 2002. “Risk Criteria for Land Use Safety Planning”.
Hazardous Industry Planning Advisory Paper No. 4, Sydney.
Rimington, J., J. McQuaid and V. Trbojevic. 2003. Application of Risk-Based Strategies to Workers’
Health and Safety Protection: UK Experience. Reed Business Information, ISBN 905901275 5.