The beginning
In 1982 I headed a dam design team with a very active program of design work for several new dams. The work was being done by what we now term “the traditional standards-based approach”. Looking back over some forty years, that approach can now be seen as a form of risk assessment and management, which had served the dams world well, especially for the design of new dams.
But two developments in 1982 were to send my thinking in a new direction.
Firstly, one of our designs was for Clarrie Hall Dam, a concrete faced rockfill dam (CFRD) in the Tweed valley, which was well-advanced in construction. The downstream face was armoured with steel mesh for flood protection. The point had been reached where meshing was dictating the rate of embankment rise, which was slowing rapidly. It became clear that the embankment would not reach spillway level before the onset of the very marked wet season in early 1983. Drawing on experience elsewhere, particularly with meshed dams and cofferdams in Tasmania, a risk analysis was undertaken to better understand how risk could be minimised for the downstream residents. It showed very clearly that the meshing should stop immediately, and the embankment should be raised rapidly to get to spillway level during the dry season. A flood warning and evacuation plan was established to protect people in the event of any low likelihood, but possible, flood during the dry season.
Secondly, we had commenced analysis and design for Dungowan Dam, which had a serious deficiency in flood capacity. The commission related to flood capacity only. As part of this work an economic analysis was undertaken. It was immediately apparent that the only justification for the cost of new spillway capacity was the reduction of risk for downstream residents. How to value that aspect? In 1973 the American Society of Civil Engineers had recommended assigning a monetary value to life. That approach had been followed for Kangaroo Creek Dam in South Australia. But a review of literature showed no consensus in favour of that approach. The earthfill dam had no fully intercepting filters, raising in my mind the folly of addressing only the flood hazard. The reason being that all necessary safety improvements would most economically be implemented together.
The dam had only one spillway gate, operated automatically by headwater level, raising questions of reliability to operate as intended. There was no helpful guidance from traditional standards on how to deal with that issue.
These developments aroused in me a strong interest in risk analysis, with a consequent massive review of literature from high level philosophic musings to the practical applications in other industries. That interest has never left me.
NSW Dams Safety Committee
In 1989 I was appointed to the NSW Dams Safety Committee (DSC), the state regulator. It was soon apparent to me that non-engineer decision makers had no real understanding of traditional standards, such as factor of safety. Also, there was resentment in some quarters that improvements costing millions of dollars were being dictated by rules made in Paris – a reference to the ICOLD central office. However, these lay people did understand potential consequences and they had a reasonable grasp of probabilities attaching to those consequences.
Here I was able to raise the need for comprehensive reviews of dam safety, taking into account all hazards and failure modes. Gradually guidance notes were issued for other hazards, such as earthquake.
DSC relied increasingly on ANCOLD risk guidelines in formulating its surveillance and safety review requirements.
After publication of the 2003 ANCOLD risk guidelines, the DSC felt sufficiently confident to start work on a proposal to its Minister for a risk-based approach to dam safety as an option for dam owners. After extensive local and international review, a proposal went forward. In August 2006 the NSW government endorsed the risk assessment policy framework, incorporating tolerable life safety criteria, as proposed by DSC.
Thereafter, ANCOLD guidance gave dam owners the option to support their dam safety improvement proposals by risk assessment.
ANCOLD guidelines
ANCOLD Guidelines on Risk Assessment 1994
At the 1987 ANCOLD conference a decision was made that guidelines on risk assessment would be prepared. A small working group of four people, led by the late Neil Wellington, was convened – reflecting the few people who had any knowledge of the subject at the time. Neil and I were the main authors of the ANCOLD Guidelines on Risk Assessment published in January 1994. The focus was on developing tolerable life safety criteria, rather than on the practical steps in undertaking risk analyses. The guidelines were not perfect, mainly because of a paucity of guidance elsewhere, especially on societal risk. But we got some key concepts correctly and we introduced ANCOLD folk and others to the language of risk analysis and assessment.
In the aftermath of publication, two main lessons lodged in my mind:
- One reaction in some quarters was that the traditional approach is precise, while this risk assessment business is highly uncertain. That is an illusion. Analysis reveals that the traditional approach requires selection of a value at various steps in the process, and then leaving behind and forgetting about the uncertainties. By contrast risk assessment aims to expose and acknowledge the uncertainties. Risk assessment does not create uncertainties – they are inherent to dam safety problems. For example, at the time, consequences were in three “big boxes”, with life safety categorised as “Loss of identifiable life expected” or “No loss of life expected, but the possibility recognized” or “No loss of life expected”. Surely there was uncertainty and analyst dependency there. Even the estimation of Probable Maximum Flood was uncertain, the phrase “the worst flood-producing catchment conditions that can be realistically expected” in the definition likely to be interpreted differently by different people.
- Another reaction was that our work was premature because a sound scientific foundation had not been established for analysis methods and assessment criteria. My conclusion was that we have real dam safety problems now and “you learn by doing”. Nothing is forever with dams because safety is periodically reviewed. Whilst we should do the best that current knowledge permits at any given time, a search for “better science” should not be an excuse to let an intolerable risk stand.
However, the overwhelming reaction within the ANCOLD fraternity was one of interest and a clamour for more guidance on the undertaking of risk analyses.
ANCOLD Guidelines on Risk Assessment 2003
Serious work on the next edition of the guidelines got under way in the late 1990s. This time I was the Convenor of a working group of thirteen people, reflecting a rapid growth of interest in and knowledge of risk assessment principles.
There was now much help from work elsewhere. The United Kingdom Health and Safety Executive (HSE) had in 2001 completed its one-and-a-half-decade mission to establish tolerable life safety risks. Under commission from HSE, Professor David Ball and Dr Peter Floyd had published a comprehensive review of societal risk in 1998.
In 1997 the first international meeting on risk assessment specific to dams was held in Trondheim, Norway. This meeting established a very helpful network of people working on risk assessment for dams.
The ANCOLD guidelines published in October 2003 drew on the learning from the developments in the preceding two paragraphs and were greatly improved as a result.
ANCOLD Guidelines on Risk Assessment 2022
For these guidelines, I was one of a six person working group convened by Shane McGrath. There was a sixteen person Reference Committee to oversee the direction taken in the production of the guidelines. This approach reflected the growing maturity in the application of risk assessment within the ANCOLD community. The approach of a relatively small number of people producing guidelines, overseen by a larger group of people of diverse interests and experience, is a good model in my opinion.
There was now a large body of experience in the use of risk assessment within ANCOLD itself, making these latest guidelines even more specific to decision-making for dams.
How to do risk analysis for dams
In the mid-1990s the dam design group, which was an amalgam of my earlier design group and the former Water Resources design group, was commissioned to undertake a risk analysis for Hume Dam on the border of New South Wales and Victoria. By agreement of the responsible governments, the work would include all of the dam components within Victoria. The work involved the determination of probabilities of failures of various types but did not require the estimation of consequences.
The story of this work is summarised in Q. 76 – R. 18 of the Twentieth ICOLD Congress, Beijing, China in 2000 and in ANCOLD Bulletin 112.
This was the first major attempt to undertake risk analysis following publication of the 1994 ANCOLD Guidelines on Risk Assessment. In effect we had to invent a rational method of doing risk analysis. Our work was greatly assisted by colleagues within the design group and by Australian and international reviewers appointed by the then Department of Land and Water Conservation.
Two things stand out in my memory from this work:
- Firstly, the need to truncate distributions when undertaking Monte Carlo simulations.
- Secondly, the great value in applying risk analysis techniques to understand the reliability of spillway gates.
Truncation
The so-called Normal distribution (Gaussian distribution) extends from minus infinity to plus infinity. The heights of men fit very well to the Normal distribution. There has never been a man who was minus 1.3m tall. Nor has there been a man who was 10.2m tall. But, with the software of the time, such outlandish values could be selected by a Monte Carlo simulation if there was no truncation of the distribution.
This reality came home to us whilst starting on Monte Carlo simulation for the analysis of Hume Dam. Distributions need to be truncated at feasible values. If negative values are impossible, zero may be a sensible lower truncation. For example, for the tensile capacity of concrete lift surfaces. But not always – it would make no sense for the height of men. In other cases, a reasonable truncation may be two standard deviations, which in both directions captures 95.4% of the total sample space of the full distribution. The task we faced was to ensure there was a negligible probability of real values outside of the truncation limits.
Spillway gates
Hume Dam has 29 vertical lift gates. There were five input power sources plus a standby generator. But the risk analysis showed that at high flood levels in the reservoir it was certain that all gates would fail for want of power. Safety would then depend on independent back-up systems being able to lift gates in a timely manner that would prevent overtopping of the southern embankment. The failure modes analysis alone was sufficient to demonstrate vulnerabilities not previously recognised. Removing the gate vulnerabilities was one of the first safety improvement measures to be implemented.
Later risk analyses of spillway gate reliability have repeatedly demonstrated the value of the risk approach.
One of my later involvements was on a dam where spillway gates were operated remotely from a distance of some hundreds of kilometres. That brings into play the reliability of the feed from the dam to the operations centre (conveying imagery and data on dam status) and the reverse feed (conveying gate actuation instructions). Relay hardware was at risk from natural hazards and from malicious human interventions. This experience reinforced in my mind the concept of a whole dam system, embracing all elements with a potential to affect dam safety.
On other dams, the ability of on-site operators to access remote decision makers who need to authorise gate releases has been an issue.
On another dam, access to the dam under flood conditions has been an issue, as it can also be post-earthquake.
All of these issues are best understood through the application of risk analysis techniques. Monte Carlo simulation has been shown to improve understanding of the risks.
The so-called “traditional standards-based approach” has been notably unhelpful as regards the probability of gates operating as intended, though many owners have established good rules on back-up power, maintenance and periodic testing. Decision-making and long-distance communication have too often been neglected.
Dam failure due to piping
If we go back to the beginning of our interest in risk analysis in the 1980s, we as dam designers already knew the rules which would assure that the dams we designed would be safe from piping failures. The issue which emerged with Dungowan Dam, and then with other existing embankment dams, was: “Where do dams, without fully intercepting filters, or with poorly graded filters, or exposed to under-seepage, or with possibly corroding conduits, or with other negative features, stand as regards safety?” That was a conundrum.
Fortunately, Robin Fell and his colleagues had been gathering data to assist risk assessment. They soon took up the challenge of piping failures, initially culminating in the so-called “Piping Toolbox” in 2008. That provided a science-based rational approach to the estimation of piping risk for existing dams lacking the modern protective features. Improvements have continued since that time.
The main benefits have been two:
- Tolerable levels of safety have been assured; and
- The major costs of retrofitting to incorporate the full suite of contemporary protective features have often been found to be unnecessary.
Improvements
Appendix H generally
Whilst estimates of risk are inherently uncertain, the mathematics of probability are by and large precise.
It was my habit to use scientific notation and to set six decimal places. That was done originally to avoid any accumulation of rounding errors. We all knew how to round to a sensible figure at the end of computations. Another habit was to compute along two different pathways wherever possible. I recall a case where the two six decimal place outcomes did not match in the second or third place. That should not happen. Tracking back through the two pathways, revealed an error in a formula.
In any event, Appendix H is meant to assist practitioners to apply the mathematics of probability wherever possible.
Ang and Tang, 1975 and Benjamin and Cornell, 1970 are cited as references to deal with matters beyond those set out in Appendix H. There is a later text Ang, A.H-S. and Tang, W.H., 2007, Probability Concepts in Engineering: Emphasis on Applications in Civil and Environmental Engineering. The working group had no familiarity with this later edition, so that it was not cited in Appendix H. It would be good if this later text could be assessed and, if appropriate, cited in any future revision of the risk guidelines.
More generally, the aim of Appendix H is to provide the best assistance to practitioners engaged in risk analysis. To that end, feedback from ANCOLD members and others on what more, or less, should be in the appendix would be helpful for any future working group.
Appendix H negative correlation
There is a difficult issue of negative dependency, as set out in the right column, page 193 and upper left column of page 194 of the ANCOLD Guidelines on Risk Assessment 2022. This difficulty will not arise at all for many dams. Where it does arise, the difficulty will vary from dam to dam. But it would be good for any future working group to be able to get feedback, likely though published papers, on experience in dealing with this issue.
F-N versus f-N
There is a discussion of the slope of the Societal Risk limit line in the last paragraph, right column, page 105 and terminating in the first sentence, first paragraph, page 106 of the ANCOLD Guidelines on Risk Assessment 2022.
Since I see errors being made in this matter, it would be good to include in any future risk guidelines Figure 7 from Zielinski (2019) referenced in the ANCOLD Guidelines on Risk Assessment 2022, along with the mathematics supporting that Figure 7 – with appropriate attribution of course.
Challenges
Climate change
This issue will largely be one for the Bureau of Meteorology (BoM) to address. It comes to mind because at the Doon Doon gauge on the northern rim of the Wilsons River catchment starting at 1800h on Sunday 27 February 2022, there was 927mm of rain fell which in the following 24 hours. This contributed to the flood devastation in Lismore NSW. That is the largest 24-hour rainfall ever recorded in NSW. It was 1.29 times the AEP 1 in 2000 rainfall for that duration and location given by BoM.
Climate change is going to affect dam safety in my opinion. A future risk guidelines working group needs to be alert to the issue and to take advice from specialists in climate science on the implications for risk guidelines.
Fewer experienced dam designers
According to the latest ANCOLD Register of Large Dams updated to January 2022, there were 64 such dams constructed in the 1980s versus 4 constructed in the 2010s. Of the latter 3 were component dams of the Enlarged Cotter Dam.
This is troubling for risk analysis because in some respect every large dam is unique. Designers almost always have at least a consulting role during construction. They get to see how their designs worked out and the surprises which foundations stripping, excavation and grouting exposed.
In my experience, difficult problems of probability estimation have come to a consensus through workshop debate among three or four experienced dam designers, who collectively may bring the stories of twenty-five or more dams to the table.
ANCOLD might usefully consider how to deal with this problem in relation to risk analysis.
Len McDonald
September 2024