VALERIO, STEVEN C.
Student No.: 2016141805 | Course & Year: CE / 3 | Subject & Section: CE175P-5W / B2
Module: MODULE 3 | Assessment: PRJ3 | Signature:
Similarly, maintenance and operational decisions long in the past,
and often forgotten, influence present-day assumptions and actions
concerning the operation of equipment in ways that can have
unexpected outcomes now and in the future.
The complexity of the ‘whole-system’ operational process is
determined by operational arrangements within the dam-owning
organisation, and by the people who are responsible for
implementing the operational arrangements within the various parts
of the organisation.
• Management Practices
The dam safety management practices that have emerged in recent
years (ICOLD, 2011) focus on physical and operational barriers
intended to prevent hazardous conditions from progressing to failed
states (Figure 2.1).
The upper part of Figure 2.1 – according to the paradigm of Reason
– represents the barriers required to prevent hazardous conditions
from emerging within the physical system. These are the
components of the active failure.
The lower part of the figure represents activities put in place by the
organisation to ensure the adequacy of the barriers. These are the
components of the latent conditions.
Reason extended this thinking, as illustrated in Figure 2.2, to follow the
causal path that an organisational failure typically follows, and the
corresponding stages of the subsequent investigation into that failure.
Reason makes two organisational factor distinctions between active
failures and latent conditions:
o Active failures usually have immediate and short-lived effects at
the point that they occur, while latent conditions may remain
dormant for a long time without discernible effects until they
interact with local circumstances in a way that results in a
failure. Active failures tend to be unique to a specific event.
o Active failures usually occur at the human–system interface,
whereas latent conditions develop at the upper levels of the
organisation and within the related design, production,
contracting, regulatory and governmental organisations. Latent
conditions can contribute to a number of different accidents if
they remain undiscovered and uncorrected.
The organisation contributes to latent conditions in many ways, which can
be broadly outlined as including the following:
o licensing arrangements
o societal expectations (including political expectations in the past
and present)
o the organisation’s social responsibility (including corporate
values and principles)
o risk appetite (strategic and operational risk)
o the organisation’s strategies and policies
o organisational culture
o organisational arrangements
o management and procedural arrangements (including asset
management arrangements, and the maintenance and
replacement regime)
o human resourcing and competence (including compensation and
rewards)
o budgeting, financing and investment arrangements
o system reliability and availability targets and measures
o human factors
o design of the operations regime
o implementation of the operations regime (including forecasting)
o operator error in real-time operations
o failures in the safety assurance process.
Underlying every technology is at least one basic science, although the
technology may be well developed long before the science emerges
(e.g., glassmaking). Overlying every technical or civil system is a social
system that provides purpose, goals and decision criteria.
As Leveson points out:
o Effectively preventing accidents in complex systems requires
using accident models that include that social system as well as
the technology and its underlying science. Without
understanding the purpose, goals and decision criteria used to
construct and operate systems, it is not possible to completely
understand and prevent accidents.
In recognition of the social dimensions of systems safety, the matters of
o licensing arrangements
o societal expectations (including political expectations in the past
and present)
o the organisation’s social responsibility (including corporate
values and principles)
Some elements of the system controls are more critical than others under
normal operational conditions.
However, less critical elements can become critical to hydraulic control
if the system transitions to a state that renders them so.
Thus, a decision to defer maintenance of a redundant feature may be the
final causal factor in loss of control if it is called into service.
• Legal regime and licensing
The legal regime and licensing of the jurisdiction in which the dam is
located govern the modus operandi of the owner-operator.
Legal regimes for the storage and release of water have existed since
ancient times (the Code of Hammurabi, c. 1780 BCE), although the
punishments for violations have changed.
The legal regime varies from country to country, with two general
concepts being common: a prescriptive concept and an objectives-based
concept.
The prescriptive concept sets out what is to be done and may include
precise instructions on how implementation is to occur, whereas the
objectives-based concept sets out what outcome should at least be
achieved, without specifying whether this will be sufficient and without
defining how the objective should be achieved.
These two concepts are formalised in the two generally known legal
systems:
o the Roman system, with its origins on the European mainland,
and
o the common law system, with its origins in England.
There are a number of important differences between these regimes that
lead to different ways of determining what is ‘safe enough’.
Of particular relevance is the difference between the Roman system,
where everything that is not explicitly forbidden is allowed, and the
common law system, where what is not explicitly allowed is forbidden,
unless it can be justified, where necessary in court (Ale, 2005).
This leads to totally different interpretations between the two systems
as to the meaning of the terms ‘as low as reasonably achievable’
(ALARA) and ‘as low as reasonably practicable’ (ALARP).
Within these regimes, licensing arrangements generally define
responsibilities and boundaries for the operation of dams and reservoirs.
These licensing arrangements generally guide the focus of those
responsible for directing the dam-owning organisation.
However, a factor such as social responsibility could determine that,
although perhaps not required, outflow modification of floods during a
flood event is appropriate.
• Societal expectations and owner’s social responsibility
The societal expectations with respect to the development, ownership
and operation of dams have changed dramatically over the last 30 years.
The most significant changes have occurred with respect to the design
of new dams.
The outputs of this process provide the essence of the reservoir–river
objectives for the system and the requirements of the operational
regime.
Essentially, this is the stage at which the different, and often competing,
engineering, economic, environmental and social parameters are
brought together to create the overall system objectives and constraints.
Ideally, the objectives for the system are cast as a single statement of
user need, and the system operational requirements are characterised in
some type of hierarchical format, with what might be termed ‘key
capability requirements’ (must-have attributes) at the highest level, and
capability requirements (should-have attributes), elective attributes
(should have if reasonably achievable) and discretionary attributes (nice
to have if reasonably achievable) beneath.
The operational challenge at this point is to transform these broadly
stated objectives, requirements and attributes, which can be considered
in light of three water management actions (‘store’, ‘pass’ and ‘divert’),
into dynamic hydraulic operations control functions.
These dynamic hydraulic operations control functions are achieved
through management actions that themselves draw on various other
capabilities, such as engineering, environmental sciences,
manufacturing and production processes, etc., all of which are
integrated with a management system of some type.
Operational Objectives
• The essence of operating objectives as embodied in a water-use plan is:
How much water needs to be released?
How is the water released?
When is the water released?
• Dams and reservoirs are very significant assets built for a purpose. They are
best managed in terms of an asset management system with associated asset
management processes.
• Rarely is there a single purpose of a reservoir, although there are numerous
examples of dams built with the only objective being to control and mitigate
the floods.
• Such flood-control reservoirs often remain empty for prolonged periods of time
and fill only during flood periods, attenuating flood waters.
• There are also reservoirs built strictly for irrigation, and in many countries, there
are thousands of small dams built and operated by farmers to provide water for
crops.
• Some dams are built for recreation, with the only objective being to capture
water during freshet and maintain a water level during the rest of the year for
boating, swimming or fishing.
• Some dams are built strictly for hydroelectric generation, and their only purpose
is to maximise power output.
• What happens most often, however, is that a single-purpose dam changes in the
way it is operated over time because other goals are added due to growing
demands.
• In many cases the construction of the dam invites further development
downstream, and the expectations of riparian communities change.
• Where once there was no demand for flood control, now communities have
been built in the downstream floodplain which require protection.
• The dam could have been built with the only goal to generate power but now
the communities demand that the dam should also provide recreation.
• Reservoir storage
In a typical reservoir the entire available storage might be divided in
three zones as illustrated in the figure.
For a single-purpose reservoir the two upper zones can be collapsed into
one to serve the single dedicated purpose.
The purpose of the inactive zone (sometimes also called the ‘dead zone’)
is to maintain a minimum pool level and provide storage for
accumulating sediment.
• Water Use Plan
The water use plan is a statement of the role of the dam and reservoir in
the regional water resource system. This plan states the objectives of the
facility and the constraints under which it operates.
These constraints will include, for example, the necessary power it is
scheduled to generate, the qualities and quantities of downstream water
releases for other purposes (e.g., ecological, water supply or
recreational), and flood routing requirements.
The water use plan typically summarises the hydrology and discharges
of the river system and reservoir, and categorises the schematic flow
configuration and waterways.
• Operating concepts
The operation of a single-purpose reservoir is much simpler than that of
a multi-purpose one. Consider a reservoir dedicated strictly to flood
control.
The most effective operation of the reservoir is to keep it empty at all
times except for times of heavy inflows, which if released would cause
adverse impacts downstream.
If inflow exceeds a threshold, excess inflow can be stored, and only the
amount up to the threshold would be released.
However, even such a simple case gets more complicated in practice.
Every reservoir has a finite storage, and the inflows are uncertain.
Therefore, following the simple rule explained above can lead to damages
that would be avoidable if the operating rule were constructed so that the
purpose of the operation was to capture only the highest inflows.
Operational Strategies
• Dams and reservoirs are typically constructed to achieve one or more primary
objectives.
• The primary objective(s) may have secondary, tertiary or even lower order
sub-objectives, which together form the overall objectives for the reservoir–river
system.
• Alternatively, it may be that once the primary objective(s) have been defined
and the means of achieving them determined, other potential functions are
identified and incorporated as additional objectives.
• Once defined, the objectives, their interrelationships and interdependencies
together define the operational regime of the system.
• Reason for the system and its operational regime
Water management systems differ from many other productive systems
in that they constitute human-altered natural systems that utilize a
naturally occurring resource without fundamentally altering the
physical properties of that resource (i.e., the water), although
characteristics of it, such as its potential energy, temperature, soluble
and suspended contents, and the like may be changed.
In the modern context, the reservoir–river and the operational regime
for a water management system are determined in part by the owning
organisation and in part with the consent of society.
The boundary between societal controls and the owner’s responsibilities
is broadly defined in licensing and regulatory arrangements.
However, there is not a distinct separation between the influence of
external societal factors and the owner’s internal operational system.
Rather, there are interdependencies and feedback paths between the
external influences and the internal controls.
The conceptual flows and feedbacks in the reservoir–river system are
suggested in Figure 2.11.
The main horizontal paths are the flows from upstream to downstream.
Some of these are through production waterways, some through
spillways, some through the dam, and so forth.
Influencing these flows are a large number of considerations, shown as
bubbles and boxes with arrows suggesting lines of influence.
• Whole life-cycle water asset management
The management of physical assets such as dams, hydraulic production
systems and supporting infrastructure has a long history, arguably
dating back to Egyptian and Mesopotamian times when water system
assets were managed by means of robust design.
More formal methods of asset management emerged in the 1970s, and
systematic approaches to physical asset management have emerged over
the past 20 years or so.
The activities within the dotted boundary represent in-service asset
operations, which, from the perspective of a management system
hierarchy, are the activities commonly considered.
The culture and traditions of the organisation, together with the
prevailing engineering practices, operational arrangements and the
societal expectations of a dam–reservoir system, provide the
overarching framework for the functional performance and reliability of
the system.
The ‘directing mind’ of the owning/operating organisation will typically
have some flexibility concerning operational choices within legally
binding parameters.
Excursions outside the legally binding parameters are always possible
due to some breakdown of the physical or organisational control
process, which may have legal consequences depending on the outcome
and the legal enforcement regime.
These latent conditions are an inevitable part of any organisation, and
they are not necessarily the result of bad decisions.
Resources are rarely equitably distributed across organisational
activities, and the distribution of resources may be based on sound
commercial arguments.
However, these inequities create quality, reliability or safety problems
for someone somewhere in the organisation at some later point in time.
The ‘directing mind’ of an organisation can, and usually does, influence
the design, construction, operation and maintenance of the system over
the whole life cycle, as this is where the control of financial resources
and expectations of the organisation are determined.
As judgements are made at all levels of the organisation, how
individuals at various levels interpret the organisational risk appetite
may also be an influencing factor.
Individuals may introduce personal values into decision-making.
Other factors are inappropriate reward and compensation structures, a
culture with characteristics that lead to unfavourable management
and work practices (e.g. ‘blame and train’ safety management, poor
appreciation by non-technical executives of their role in ensuring the
integrity of the technological and built systems), etc.
Qualitative modelling of dam safety management activities
• In the modern context, safe management of operational activities rests on
control processes (feedback loops) that are built into the human,
technology, organisational and, more recently, information systems to ensure
continued safe operation of the system as a whole.
• Barrier-based methods of safety management provide a useful means of
addressing the problem of loss of flow control in dam and reservoir systems.
• In a general sense, barriers can be characterised in different ways (Svenson,
1991), although the idea of barriers in the management of risk has earlier
origins.
• Barriers can be defined simply in terms of equipment, built entities or rules that
can stop the development of an accident.
• Alternatively, a distinction between three types of barriers – passive, active and
procedural barriers – may be made.
• One way of characterising barriers is with regard to their temporal relation to an
actual or hypothetical accident. Typically, barriers may be considered to be
preventive or protective.
• Barriers that are designed to work before a specific accident event takes place
serve as preventive measures. Such barriers are supposed to ensure that the
accident does not happen, or at least to slow down the development of
conditions that may result in an accident.
• Barriers that are intended to work after a specific initiating event has taken place
serve as means of protection.
• These barriers are intended to shield the environment and the people in it, as
well as the system itself, from the adverse effects of the accident.
• Barriers may be either active or passive and are not necessarily physical in
nature.
If a barrier is active, it involves one or more functions, the results of
which achieve the purpose of the barrier.
If a barrier is passive or inactive, it means that it serves its purpose by
its presence rather than by actively doing something.
• Overall, for the purposes of this book, the process of engineering the system to
safely retain water and pass flows through and around the dam in a controlled
way benefits from the use of qualitative barrier analysis and the various other
related methods, of which two of several are briefly outlined below.
• In general, the full suite of barrier types and uses can be applied in various ways
and in various places to any flow-control system.
• The human–technology–organisation (MTO) process, which focuses on the
interaction between humans, technologies and organisations (Lundberg et al.,
2009), is one development related to the barrier concept.
• It was developed for accident and incident analysis, and further developed for
improving accident investigation, safety, quality and efficiency within
companies and organisations.
• MTO is associated with at least three different (but related) domains:
o MTO as a set of analytical techniques. In this domain the MTO concept
focuses on the methods that analyse the relationships between humans,
their activities and the organisational and technological context in which
these activities take place.
o MTO as a human factors specialist domain. In this domain the MTO
concept is primarily perceived as a specialist domain, supported by
knowledge of human factors, psychology and other human-related
sciences.
o MTO as a metaphor for system thinking about safety. In this perspective
the MTO concept is viewed neither as a set of specialist domains nor as
a set of specific methods, but as a general attempt to develop a
safety-culture thinking that focuses on the entire socio-technical system
(including technology, human factors and organisational issues).
• Hollnagel’s FRAM (Hollnagel, 2012), which can be related to MTO, is used
here to illustrate the way in which the systemic approach can be applied in a
qualitative way to both physical assets and operational activities, as would be
set out in a management system.
• Qualitative modelling of spillway gate maintenance and testing activity
Inspection, testing and maintenance of spillway gates is an essential
element of the operational management of dams and reservoirs, as it is
the means of assurance of the relevance and accuracy of spillway gate
reliability parameters used in a spillway system reliability analysis.
The broader application is in the reliability of the totality of the
discharge function, and the example outlined below is just as applicable
to the maintenance, inspection and testing of the hydraulic production
systems.
It is also applicable to any other function that relies on maintenance,
inspection and testing, including human competence.
The four principal steps in a FRAM analysis (Figure 2.14) are:
o Identify essential system functions and characterise each
function by means of six basic parameters (based on the
structured analysis and design technique).
o Identifying essential system functions and characterising
each function by six basic parameters. The functions are
described through six aspects, in terms of their input (I,
that which the function uses or transforms), output (O,
that which the function produces), preconditions (P,
conditions that must be fulfilled to perform a function),
resources (R, that which the function needs or
consumes), time (T, that which affects time availability)
and control (C, that which supervises or adjusts the
function), and may be described in a table and
subsequently visualised in a hexagonal representation.
o The main result of this step is a FRAM ‘model’ with all
basic functions identified.
o Characterise the (context dependent) potential variability (using
a checklist).
o Characterisation of the (context dependent) potential
variability through common performance conditions.
Eleven common performance conditions (CPCs) are
identified in the FRAM method, and these are used to
elicit the potential variability:
availability of personnel and equipment
training, preparation and competence
communication quality
human–machine interaction and operational
support
availability of procedures
work conditions
goals – number and conflicts
available time
circadian rhythm and stress
team collaboration
organisational quality
o These CPCs address the combined human, technological
and organisational aspects of each function.
o Define functional resonance based on possible dependencies
(couplings) between functions.
o The output of the functional description of step 1 is a list
of functions, each with its six aspects.
o Step 3 identifies instantiations, which are sets of
couplings between functions for specified time intervals.
o The instantiations illustrate how different functions are
active in a defined context. The description of the aspects
defines the potential links between the functions.
o Identify barriers for variability (damping factors) and specify
required performance monitoring.
o Barriers are hindrances that may either prevent an
unwanted event taking place or protect against the
consequences of an unwanted event.
o Besides recommendations for barriers, FRAM is aimed
at specifying recommendations for the monitoring of
performance and variability, to be able to detect
undesired variability.
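As an added illustration (not from the book, and not Hollnagel's own tooling), the following Python sketch carries the four FRAM steps above through for a constructed spillway gate maintenance-and-testing model: each function is described by its six aspects, couplings are derived wherever one function's output appears as another's I/P/R/T/C, variability is rated against the eleven CPCs, and the coupled outputs leaving a function are listed as the performance indicators to monitor. The function names and aspect values are invented for the example.

```python
"""Added example (not from the book): a minimal FRAM model of spillway gate
maintenance and testing. Function names and aspect values are constructed."""
from dataclasses import dataclass, field

# The eleven common performance conditions (CPCs) listed in the text.
CPCS = (
    "availability of personnel and equipment", "training, preparation and competence",
    "communication quality", "human-machine interaction and operational support",
    "availability of procedures", "work conditions", "goals - number and conflicts",
    "available time", "circadian rhythm and stress", "team collaboration",
    "organisational quality",
)


@dataclass
class Function:
    """Step 1: a function characterised by its six aspects (I, O, P, R, T, C)."""
    name: str
    inputs: set = field(default_factory=set)          # I: what the function uses or transforms
    outputs: set = field(default_factory=set)         # O: what it produces
    preconditions: set = field(default_factory=set)   # P: conditions that must hold first
    resources: set = field(default_factory=set)       # R: what it needs or consumes
    time: set = field(default_factory=set)            # T: what affects time availability
    control: set = field(default_factory=set)         # C: what supervises or adjusts it

    def incoming(self):
        """Aspects through which another function's output can reach this one."""
        return {"I": self.inputs, "P": self.preconditions, "R": self.resources,
                "T": self.time, "C": self.control}


# Constructed model of the gate maintenance-and-testing activity (hypothetical).
MODEL = [
    Function("schedule gate test",
             inputs={"maintenance programme"}, outputs={"test schedule"},
             preconditions={"reservoir level allows release"}, resources={"maintenance crew"},
             time={"outage window"}, control={"dam safety procedure"}),
    Function("lubricate trunnion bearings",
             inputs={"test schedule"}, outputs={"lubricated trunnion"},
             preconditions={"gate isolated"}, resources={"lubricant", "technician"},
             control={"maintenance manual"}),
    Function("operate gate under load",
             inputs={"test schedule"}, outputs={"gate opening record", "measured hoist load"},
             preconditions={"lubricated trunnion", "hoist power available"},
             resources={"hoist motor"}, time={"outage window"}, control={"operating procedure"}),
    Function("update gate reliability parameters",
             inputs={"gate opening record", "measured hoist load"},
             outputs={"gate reliability parameters"}, control={"reliability analysis procedure"}),
    Function("spillway system reliability analysis",
             inputs={"gate reliability parameters"}, outputs={"spillway reliability estimate"}),
]


def potential_variability(ratings):
    """Step 2: rate a function's potential variability as the number of CPCs judged
    inadequate; ratings is {cpc: 'adequate' | 'inadequate'}. Unknown CPCs are rejected."""
    unknown = set(ratings) - set(CPCS)
    if unknown:
        raise ValueError(f"not FRAM CPCs: {sorted(unknown)}")
    return sum(1 for v in ratings.values() if v == "inadequate")


def couplings(model):
    """Step 3: a coupling exists wherever one function's output names another's
    I, P, R, T or C. Returns (source, shared_name, aspect, destination) tuples."""
    links = []
    for src in model:
        for dst in model:
            if src is not dst:
                for aspect, names in dst.incoming().items():
                    for shared in sorted(src.outputs & names):
                        links.append((src.name, shared, aspect, dst.name))
    return links


def affected_by(model, name):
    """Functions that variability originating in `name` can reach (resonance
    propagation along the couplings, followed transitively)."""
    adj = {}
    for src, _, _, dst in couplings(model):
        adj.setdefault(src, set()).add(dst)
    seen, stack = set(), [name]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def monitoring_points(model, name):
    """Step 4: the coupled outputs leaving `name` are where performance monitoring
    is needed to detect undesired variability before it propagates."""
    return sorted({shared for src, shared, _, _ in couplings(model) if src == name})


if __name__ == "__main__":
    for src, shared, aspect, dst in couplings(MODEL):
        print(f"{src} --[{shared} via {aspect}]--> {dst}")
    print(affected_by(MODEL, "lubricate trunnion bearings"))
    print(monitoring_points(MODEL, "operate gate under load"))
```

In this toy model, variability in the lubrication function reaches the reliability analysis through the gate test, and the measured hoist load is the indicator that would expose it.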
These matters of ‘how’ and ‘extent to which’ are complex matters that frequently
reflect a wide range of organisational positions and views over considerable periods
of time.
Operating Concepts
• It is quite obvious that the operation of a single-purpose reservoir is much
simpler than the operation of a multi-purpose one.
• Let us consider first an example of a reservoir dedicated strictly to flood
control. The most effective use of such a reservoir is to keep it essentially
empty at all times, with the exception of periods when the inflow volume,
if released in its entirety, would cause adverse impacts downstream.
• Thus, if the inflow exceeds a certain threshold level, the excess inflow can
be stored in the reservoir and only the amount equal to the threshold would
be released.
• However, even such a simple case gets more complicated in practice
because every reservoir has a finite storage, the inflows are uncertain, and
following the simple rule explained above can lead to damages that would
be avoidable if the operating rule were constructed so that the purpose of
the operation was to capture only the highest inflows.
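To make the finite-storage caveat just stated concrete (it is the same point made under ‘Operating concepts’ earlier), here is an added simulation that is not from the book: a constructed ten-step inflow hydrograph is routed under the simple ‘store everything above the threshold’ rule and under a rule that stores only the highest inflows. Threshold, capacity and inflow values are made up, and the cut level of the second rule assumes a perfect forecast of the hydrograph, which is exactly the uncertainty the text points out.

```python
"""Added example (not from the book): flood-control routing with finite storage.

Inflows are volumes per time step (constructed numbers; think of them as
thousands of m3 per step). `threshold` is the largest release that causes no
damage downstream; `capacity` is the usable flood-control storage.
"""

# Constructed hydrograph: a moderate rise, a sharp peak, then recession.
INFLOWS = [50, 120, 150, 200, 300, 400, 250, 150, 80, 40]
THRESHOLD = 100   # harmless downstream release
CAPACITY = 300    # finite flood-control storage


def route(inflows, threshold, capacity, cut):
    """Route the hydrograph through the reservoir.

    Water above `cut` is stored while room remains and the rest passes
    downstream; when the inflow falls below `threshold` the stored water is
    drained so that the total release never exceeds `threshold`. The simple
    rule in the text is the special case cut == threshold.
    Returns (releases, storage_after_each_step).
    """
    storage = 0.0
    releases, storages = [], []
    for q in inflows:
        if q > cut:
            stored = min(q - cut, capacity - storage)  # store the excess while room remains
            storage += stored
            release = q - stored                       # once full, everything passes
        elif q < threshold:
            drain = min(storage, threshold - q)        # evacuate storage for the next flood
            storage -= drain
            release = q + drain
        else:
            release = q                                # between threshold and cut: not stored
        releases.append(release)
        storages.append(storage)
    return releases, storages


def smallest_cut(inflows, threshold, capacity):
    """Lowest cut level (>= threshold) such that the hydrograph volume above it
    fits in storage, i.e. the rule that 'captures only the highest inflows'.
    Assumes the whole hydrograph is known in advance (a perfect forecast)."""
    cut = threshold
    while sum(max(q - cut, 0) for q in inflows) > capacity:
        cut += 1
    return cut


def compare(inflows=INFLOWS, threshold=THRESHOLD, capacity=CAPACITY):
    """Peak release under the simple rule versus the peak-capture rule."""
    simple, _ = route(inflows, threshold, capacity, cut=threshold)
    cut = smallest_cut(inflows, threshold, capacity)
    capture, _ = route(inflows, threshold, capacity, cut=cut)
    return {"simple_rule_peak_release": max(simple),
            "peak_capture_cut": cut,
            "peak_capture_peak_release": max(capture)}


if __name__ == "__main__":
    # The simple rule fills the pool on the rising limb and then passes the
    # peak unattenuated; storing only flow above the cut level holds the peak
    # release down to the cut.
    print(compare())
```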
studies oriented toward providing general guidance for system
operations (USACE, 1997).
• Rule Curves
o The reservoir rule curve describes the ideal or target reservoir pool
elevation, and thus storage volume, as a function of season.
o Deviations from the rule curve provide a basis for making decisions
relative to releases. In addition to the rule curve(s), operating rules
also specify quantities of water to be released throughout the year
and in relation to pool elevation, quantities of power generated and
flood releases to be made. These rules reflect contracted and
non-contracted services provided to users, but also the required
environmental flows.
o A modification of a rule-curve approach replaces a single target line
with the bounds (upper and lower) for the targeted variable.
the pool elevation and some other variable characterising inflow
either directly or indirectly.
• The DSS at the ‘planning level’ (DSS-P) focuses on strategic goals of the
operation and the ways to achieve them. The outcome of the considerations
at this level is a general strategy and operating policy that can be expressed
as a set of rules.
• The ‘operation level’ (DSS-O) takes the general direction from the
planning-level rules and determines reservoir releases for the entire system
in a way that maximises the utilisation of available water resources.
• To reach a release decision the DSS-O can use the same models as those
applied at the previous level, but with a higher degree of resolution.
• The simulations can be carried out with shorter time steps, and the
probabilistic characterisation of system components and inputs can be more
detailed. Similarly, the optimisation schemes selected at this level can
accommodate dynamic aspects of system behaviour.
• The ‘implementation level’ (DSS-I) may seem to be quite simple, because
in fully automated systems (where all sluiceway gates are remotely
operated) the only decision required from the system operator is to push the
button that activates the gate or turns the generators on or off.
• It should be pointed out that in the actual management of a river system the
release decisions are in fact recommendations for the system operator, and
it is up to the system operator to accept the suggested releases or prompt the
DSS for more possible scenarios and additional suggestions.
• This caveat is easy to understand if one bears in mind that
simulation–optimisation analyses are carried out on a simplified model of
the real world and that the simplifications are unavoidable in order to make
the decision-making problem mathematically and computationally
tractable.
• These on-demand failures are complex and may be caused by a gate
component that can be repaired in minutes to hours, or a component that
may cause complete failure of the gate system and unexpected release of
the reservoir containment.
Spillway Accidents
• Most work in dam safety risk analysis addresses the reliability of system
components and their interactions under random and usually extreme
loadings.
• In practice, many or most accidents involving flow-control systems do not
originate in component (un-)reliabilities or component failures under
random loadings.
• Rather, they are caused by chains of events involving not only technical
system components but also control functions and communications.
• In gated spillway operation, the release function, unlike the conveyance
function, involves active control by a human being, and therefore adds an
important dimension to the associated risks.
• Folsom Dam, 1995
o Folsom Dam is a concrete gravity structure designed and
constructed by the US Army Corps of Engineers (USACE).
o Construction was begun in 1948 and the dam was put into service
under US Bureau of Reclamation (USBR) management in 1956.
o The dam, together with its reservoir, Folsom Lake, is a component
of the Central Valley Project in California, which provides flood
control, hydropower and irrigation water to California’s Sacramento
and San Joaquin Valleys.
o The original spillway works consist of five Tainter-type service
gates, each 50 ft (15 m) high by 42 ft (13 m) wide, and three
emergency gates of the same width but 53 ft (16 m) high.
o On 17 July 1995, the gate No. 3 structure failed due to overstressing,
releasing nearly 40% of the water in Folsom Lake before the gate
could be repaired.
o Temporary closure of the stoplogs at the time of failure was not
possible because the bracketing for such an emergency closure had
not been designed into the spillway system.
o The after-incident report conducted by the USBR attributed the
failure to a design flaw in the gate structure that allowed stresses to
concentrate in one of the strut arms of the gate.
o The gates rotate on 32 in. (0.82 m) brass and steel trunnion pins.
These trunnions were inadequately lubricated and began to corrode.
o This increased friction on the bearings and transferred load to the
struts. The gates are raised by a high-torque electric motor, which
engages hoisting chains attached to each side of the gate structure.
o The capacity of the motor allowed for the continued lifting of the
gate despite the resistance of the bearings. This caused bending
stresses in the gate structure, which was designed principally to
resist axial stress.
o The investigation team determined that the failure loading was due
to trunnion friction moment, which increased over time due to
corrosion of the pins.
o This had been overlooked in the initial design, and consequently the
strut bracing and struts had not been sized adequately.
o With the failure of the joint connecting the first diagonal brace on
the right side of the gate, the two lower struts failed around their
weak axes.
• Delhi Dam
o Before the breach, river levels upstream of the dam had reached 7.38
m (24.22 ft), 3 m (10 ft) above flood stage and breaking the May
2004 record of 6.60 m (21.66 ft).
o However, the stream flow at the time was 40 m3/s (1400 ft3/s) less
than the 2004 record peak stream flow of 740 m3/s (26 000 ft3/s).
o The dam had three vertical lift gates, but only two of these could be
opened during the high pool elevation, and the embankment
subsequently overtopped, leading to a 60 m long section of the
embankment washing away.
o The downstream towns of Hopkinton and Monticello were
evacuated, affecting some 8000 residents.
o In Monticello, 50 homes and 20 businesses were destroyed, leading
to several tens of millions of dollars’ worth of damage.
o The city’s sewage treatment plant was flooded, leaving residents
without services.
o In December of the same year, a consulting panel of engineers
released a report concluding that the cause of the failure ‘was
internal erosion in the embankment coupled with overtopping flow’.
o The study identified malfunctioning spillway gates and increased
reservoir pool level as exacerbating an existing problem with the
dam’s design.
o In April 2014, ground was broken on a $16 million project to replace
the failed dam.
o The spillway gates had been difficult to operate in the past.
o The gate guides are tapered at the bottom, and sometimes the gates
would stick in the closed position or at small gate openings.
o A crane had been used in previous floods to operate the spillway
gates.
o The lack of maintenance of the embankment section immediately
south of the spillway and the 2H : 1V downstream slope made
inspection of the dam for seepage flows difficult.
o The breach of Delhi Dam did not cause any loss of life.
o This is attributed to several factors: the concrete core wall probably
slowed down the rate of the dam breach; the warning of dam failure
was sent several hours before the breach; the flood wave was
dissipated in farm fields, which reduced the level of flooding in the
downstream communities of Hopkinton and Monticello; door-to-
door warnings were issued in Hopkinton and Monticello, and
residents whose homes would have been inundated were evacuated.
• Statistical history of gate failure incidents
o An international survey of dam owners undertaken by Hobbs and
Azavedo (2000) reported the ‘causes’ of gate accidents and failures
shown in Table 8.1.
• Gated spillways contain a complex integration of structural, mechanical and
electrical (SME) components that must operate on demand.
• There is a wide variety of such systems with differing SME components
that have been designed all over the world.
• USACE (1992) states that the inclusion of crest gates allows the spillway
crest to be placed significantly below the maximum operating reservoir
level, in turn permitting the entire reservoir to be used for normal operating
purposes.
• This results in a much narrower spillway facility than an uncontrolled
spillway, avoiding the problems associated with high unit discharge/high-
velocity flow and increased operation and maintenance costs.
• The American Society of Civil Engineers (ASCE) defines the function of a
water control gate as being to control the flow of water through a conduit
or opening.
• ASCE (2012) states that these gates may be used to perform one or more of
the following functions: regulating, flood control, emergency closure or
maintenance closure.
• In his survey of USACE flood-control projects, Schultz (2013)
differentiated gates as
o high flow (service, spillway and maintenance gates),
o low flow (gates, valves and bulkheads) and
o powerhouse (gates and valves)
• Types of Spillway Gate
o As stated earlier, a number of different types of gates are used in
spillway projects to control the flow of water.
o Table 8.2 lists typical uses of the most common gate types.
o However, the primary control gates used in spillway crests around
the world are the vertical lift gate (wheeled or slotted) and Tainter
or radial gates.
o This is due to their reliability and simplicity of design. Smaller and
older structures often use simple stoplog gates.
o Vertical lift gates have a roller-type support system that transfers the
hydraulic load from the gate to the sides of the water passage.
o The rollers minimise the friction forces when moving the gate,
thereby keeping the operating-mechanism capacity as low as
possible. These gates can be used in any range of head for spillway
or intake gates.
o Wheel-mounted gates can generally be operated under full or partial
differential head, and are used for emergency closure, flood control
and, sometimes, flow regulation.
o USACE (1992) considers Tainter gates to be the most economical,
and usually the most suitable, type of gate for controlled spillways
due to their simplicity, light weight and low hoist-capacity
requirements.
o A Tainter gate is a segment of a cylinder mounted on radial arms
that rotate on trunnions anchored to the piers.
o Spillway flow is regulated by raising or lowering the gate to adjust
the discharge under the gate.
o Figure 8.7 shows the configuration of Tainter gates with wire rope
and hydraulic hoist systems.
o Advantages include the following:
The radial shape provides efficient transfer of hydrostatic
loads through the trunnion.
A lower hoist capacity is required.
Tainter gates have a relatively fast operating speed and can
be operated efficiently.
Side seals are used, so gate slots are not required. This
reduces problems associated with cavitation, debris
collection, and buildup of ice.
Tainter gate geometry provides favourable hydraulic
discharge characteristics.
o Disadvantages include the following:
To accommodate location of the trunnion, the pier and
foundation will likely be longer in the downstream direction
than would be necessary for vertical gates. The hoist
arrangement may result in taller piers especially when a wire
rope hoist system is used. (Gates with hydraulic cylinder
hoists generally require shorter piers than gates with wire
rope hoists.) Larger piers increase cost due to more required
concrete and will usually result in a less favourable seismic
resistance due to greater height and mass.
End frame members may encroach on water passage. This is
more critical with inclined end frames.
• Inventory of gate systems
o Schultz (2013) undertook an inventory of 295 of the 328 USACE
flood-control dams with the aim of determining the types of gates,
valves and bulkheads in current use at USACE flood-control
structures.
o Schultz also collected data on the time to repair and failure data for
a wide variety of components in the fault trees used for these
projects.
o The gate types and their associated hoist systems are summarised
in Table 8.3.
• Historical performance of gated spillways
o Recent failures of gated systems such as Folsom Dam in California
and Delhi Dam in Iowa show that these complex SME systems have
numerous flaws due to limited or poor maintenance, inadequate
design or lack of operation, which result, in addition to human error,
in the potential for catastrophic failure of the systems.
o There are a number of surveys reported in the literature on the
historical failures of gate systems and their resulting consequences
(Erbisti, 2004; Lewin, 2001a; Lewin et al., 2003).
o New South Wales Dam Safety Committee (2010) gives the details
of six dam projects where gate failures were the primary cause of
significant events. These data (adapted from Hobbs and Azavedo,
2000) are shown in Table 8.4.
o Hobbs (2003) also inventoried dam owners from all over the world
to get a perspective on incidents involving dam gates. He recorded
over 60 incidents of gate problems; a summary of these data is given
in Table 8.5. It is interesting to note that the percentage of human
factors causing dam-gate incidents is nearly 1 in 4.
o The incident data are broken down into failure modes and by the
consequences of the incidents.
o Step 3 involves the construction of the fault tree. The logic of
constructing the fault tree along with system schematics is described
in the subsequent sections of this chapter.
o Step 4 is the evaluation of the fault tree, which includes both the
quantitative and qualitative evaluation.
o The last step emphasises the interpretation of the fault tree in terms
of providing potential impacts based on the objectives.
• Fault-tree building blocks
o Three main symbols are employed in a fault tree: events, logical
gates and transfers.
An event symbol is used for primary events that are not
developed further on the fault tree, and for intermediate
events found at the output of a logical gate.
The function of a logical gate is to either permit or prevent
the passage of the fault logic up to the top, and the logical
gate symbol reveals the type of relationship that input events
require for the output event.
The function of a logical gate is derived from Boolean logic
symbols.
Transfer symbols are used to connect the inputs and outputs
of relevant trees, connecting the fault tree of a subsystem to
its system.
o Standard fault tree symbols can be found in the US Nuclear
Regulatory Commission (USNRC) guidance document, NUREG-
0492 (Vesely et al., 1981).
• Component fault categories: primary, secondary, and command
o The classification of faults into primary, secondary and command
faults can be helpful for better analysis of the system.
A primary fault occurs as a result of the system’s
malfunction while the environmental factors are fully
controlled.
A secondary fault is not caused by the system’s malfunction
but results from environmental factors that negatively affect
the system. That is, the component fails under unplanned
conditions, such as excessive vibration, higher than expected
temperature, etc.
In contrast to primary and secondary faults, which are caused
by component failure, a command fault is attributed to the
proper operation of the component but at the wrong time or
in the wrong place (e.g., loss of signal or control power
causes a component failure).
o These categories often serve as a checklist to ensure the
completeness of a fault tree in the sense of covering different types
of fault.
• Passive versus active components
o In most cases it is useful to divide categories of components into
passive and active.
A passive component contributes to the functioning of the
system. This component may operate as a transmitter of
energy or load from place to place (e.g., current or force; or
a mechanism, such as a pipe, in which the output of one
active component becomes the input for a second active
component).
An active component contributes to the operation of the
parent system and can modify the performance of the
system. Generally, the function of an active component
depends on its input signal (e.g., a valve or a switch the
opening or closing operations of which can improve the
system’s behaviour).
o From the reliability perspective, the most important difference
between failure of an active component and failure of a passive
component is the difference in their failure rates, which is often
about two or three orders of magnitude.
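The fault-tree logic summarised above (basic events, AND/OR gates, the primary/secondary/command checklist, and the failure-rate gap between active and passive components) worked through as an added Python example; this is not code from the chapter or these notes. The spillway-gate tree, its event names and every probability are constructed for illustration, and basic events are assumed independent.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Set, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    """Primary event not developed further on the tree."""
    name: str
    prob: float      # probability of the event per demand (constructed)
    category: str    # 'primary', 'secondary', 'command' or 'human'


@dataclass(frozen=True)
class Gate:
    """Logical gate; its output is an intermediate event."""
    name: str
    kind: str        # 'AND' or 'OR'
    inputs: tuple    # child BasicEvents or Gates


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Quantitative evaluation, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.prob
    probs = [probability(child) for child in node.inputs]
    if node.kind == "AND":          # every input must occur
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":           # at least one input occurs
        none_occur = 1.0
        for p in probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Qualitative evaluation: minimal combinations of basic events that
    are sufficient on their own to produce this node's event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    per_input = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = [cs for sets in per_input for cs in sets]
    else:  # AND: one cut set from every input must occur together
        candidates = [frozenset().union(*combo) for combo in product(*per_input)]
    unique = set(candidates)
    # drop any cut set that strictly contains another one (non-minimal)
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def basic_events(node: Node) -> List[BasicEvent]:
    """All basic events below a node, in tree order."""
    if isinstance(node, BasicEvent):
        return [node]
    return [ev for child in node.inputs for ev in basic_events(child)]


def categories_covered(node: Node) -> Set[str]:
    """Completeness checklist: which fault categories the tree contains."""
    return {ev.category for ev in basic_events(node)}


def ranked_cut_sets(top: Node) -> List[Tuple[float, frozenset]]:
    """Rank cut sets by probability (product of their basic events) so
    the dominant path to the top event is visible."""
    by_name = {ev.name: ev for ev in basic_events(top)}
    ranked = []
    for cs in minimal_cut_sets(top):
        p = 1.0
        for name in cs:
            p *= by_name[name].prob
        ranked.append((p, cs))
    return sorted(ranked, key=lambda item: -item[0])


# Constructed tree for "spillway gate fails to open on demand".  Active
# components (motor) get failure probabilities orders of magnitude above
# the passive pier, mirroring the active/passive gap noted in the text.
TOP = Gate("Spillway gate fails to open on demand", "OR", (
    Gate("Hoist unavailable", "OR", (
        BasicEvent("motor_fails", 2e-3, "primary"),         # active, primary fault
        BasicEvent("rope_iced", 5e-4, "secondary"),         # environment: icing
    )),
    Gate("No open command reaches hoist", "OR", (
        BasicEvent("control_power_lost", 1e-3, "command"),  # signal/power lost
        BasicEvent("operator_omits", 5e-2, "human"),        # HEP, error of omission
    )),
    Gate("Gate stuck and cannot be freed", "AND", (
        BasicEvent("gate_binds", 1e-2, "secondary"),        # sticks in tapered guides
        BasicEvent("crane_unavailable", 2e-1, "human"),     # backup crane not mobilised
    )),
    BasicEvent("pier_failure", 1e-6, "primary"),            # passive structural part
))

if __name__ == "__main__":
    print(f"P(top event) = {probability(TOP):.5f}")         # 0.05522
    for p, cs in ranked_cut_sets(TOP):
        print(f"{p:9.2e}  {sorted(cs)}")
```

With these constructed values the single human error of omission dominates the top-event probability, which is the kind of result that motivates bringing HRA into the fault tree.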
Human reliability analysis for spillway systems
• Spillway systems are composed of a variety of mechanical, electrical and
structural components that have to function and interact together as a system
to control the inflows and outflows of water into a reservoir.
• All the components in a spillway system are required to function
successfully under a wide variety of natural hazards such as floods, icing,
debris and earthquakes.
• Dam projects have a number of beneficial purposes, including flood control,
hydropower, navigation, recreation and water supply (public water or
irrigation).
• Many of these projects are designed to be multi-purpose, such that they
provide many benefits to society.
• However, spillway systems are inherently complex, and human error plays
a critical role in the success or failure of spillway systems.
• Human reliability analysis (HRA) will be an important part of the overall
risk-analysis process.
• Overview of spillway systems
o A typical spillway system can be composed of the following
subsystems:
spillway gates, weir (controlling the overflow), discharge
chute and energy dissipator
hydropower facilities (penstock, turbines and outlet works)
low-level outlet works.
o Each of these subsystems has SME components that function
separately from each other.
o However, the subsystems are highly dependent on each other for the
overall successful operation of the spillway project, as they have to
be operated in concert with one another.
o A certain reliability level is required for the gate operation in a
scheme (typically run-of-the-river schemes) where the reservoir is
small, and the water is rising rapidly.
o A plan view of an example system is shown in Figure 8.12.
o The primary human interaction with the spillway comes into play
throughout the daily operations process. The system is modelled
using a watershed–reservoir–spillway model (International
Commission on Large Dams (ICOLD)) and is shown in Figure 8.13.
o Operating rules are written for the spillway to programmatically
decide what the sequence of the subsystems will be in order to
permit the safe passage of the outflows downstream of the spillway.
o The primary goal of the system is to continue the generation of
power at the maximum output possible without having to exercise
the spillway gates.
o The outflows from the spillway gates have to be monitored carefully
to ensure that the hydraulic jumps are controlled and cavitation on
the spillway slope does not cause a failure of the spillway chute.
o Humans are tasked with making the decisions and implementing
actions to operate the spillway system in a safe and efficient manner.
o This involves both cognitive and physical responses that could lead
directly to a human failure event.
o Depending on the event sequence, the human error could either
create consequences ranging from minor spillway erosion, complete
shutdown of the hydropower facility or even catastrophic failure of
the spillway system.
o It is important to incorporate in the system model a full
understanding of human errors in spillway systems and to develop a
proper methodology for the HRA, as discussed later in this chapter.
• Human reliability analysis
o Human error has been classified by Reason (1990) into three levels:
behavioural, contextual and conceptual.
o Reason concludes that the first two types include the different errors
that can result from the same process, but the conceptual level leads
to understanding the causal mechanisms using more theory than
observation.
o Therefore, the conceptual level is more robust in terms of
understanding human error in spillway systems.
o Some examples of human error are skill-, rule- and knowledge-
based errors, intentional and unintentional errors, errors of omission
(failure to take actions) and errors of commission (actions that
should not be taken).
o For spillway systems, many of the human errors occur during the
operations phase, but they also occur in design deficiencies,
maintenance practices or strategies, lack of updated safety manuals
and upper management decisions regarding such systems.
o A method for identifying human error in spillway processes has
been developed by Boeing for the US National Aeronautics and
Space Administration (NASA) (Broughton et al., 1999).
o The methodology is called the Human Factor Process Failure Modes
and Effects Analysis (HF PFMEA). This process is qualitative in
nature but identifies the behavioural functions, potential human
errors and performance-shaping factors for the task that is being
investigated.
o This process is similar to a typical failure modes and effects analysis
(FMEA) but also accounts for the frequency of human error and the
consequences of such errors.
o A more robust procedure for examining human errors associated
with spillway gates is the Information, Decision and Action in Crew
(IDAC) model discussed in Chang and Mosleh (2007).
o IDAC is a dynamic simulation environment that models an
operator’s natural responses to a potential failure situation. The
responses are influenced by the use of performance-influencing
factors (PIFs) that are internal (cognitive, psychological, physical,
etc.) or external (organisational, environmental, etc.).
o Even though the application of the IDAC model is directed toward
nuclear plant operations, the methodology is useful in identifying
the critical human errors that could occur during the operation of a
spillway during critical natural and man-made events.
o The operations of the two types of system are very similar and the
IDAC process should be investigated and developed further for
spillway system operations.
o The HRA process established by NASA for use in their Exploration
Systems Mission Directorate programme is composed of the
following steps (Chandler et al., 2006):
Problem definition – determine what type of analysis, tasks
and human actions are considered.
Task analysis – a systematic process to identify, list and
break down each task.
Error identification – what and where are the human errors
and their consequences?
Error modelling – visualisation of the data and information
obtained in the previous tasks using master logic diagrams,
event trees or fault trees.
Quantification and integration in the probabilistic risk
assessment (PRA) process (NASA, 2002) – assignment of
human error probabilities (HEPs) in the risk calculations and
tying these to the PRA, event-tree analysis or fault-tree
analysis.
Error management – minimisation of the errors of the
potential human errors, and mitigation to increase overall
system reliability.
o This process can also account for the dependencies between human
errors.
o NASA also recommends including in the HRA the assessment of
errors of both omission and commission.
o The process takes into account all initiating actions and considers
both cognitive responses and physical actions.
• Estimation of human-error probabilities
o A significant number of HRA methods that have been developed
over the past 25 years can be found in the literature.
o Many of these applications have been focused on nuclear power
plant or the aerospace field, but their adaptation to other lines of
engineering is very feasible.
o These HRA methods were developed either on the basis of
predefined task analysis or by using expert elicitation methods.
o The methods also include the ability to include both error recovery
as well as the task dependencies of subsequent tasks in the same
event sequence.
o With regard to spillway systems, these HRA methods are very
focused on nuclear power plant and would need significant
adaptation before they could be applied to the operation of spillway
subsystems.
o The methodology of THERP (Swain and Guttmann, 1983) permits
tasks to be studied during normal operating conditions as well as
abnormal operating conditions that are important for spillway
systems.
o The method also has the element of time and incorporates a time–
reliability curve to modify the HEP based on the time it takes to
perform a task or action.
o However, there are a few pitfalls to this methodology.
o THERP is a very time-consuming and costly process.
o It requires the development of HRA event trees that can sometimes
be very complex, especially if there are a large number of events and
possible recovery paths in the critical sequence.
o However, the methodology should be adaptable for use in the
estimation of the HEPs for the hydropower facilities, as these are
very similar in design and operation to nuclear power plant.
o The other method recommended for use with the spillway gates and
outlet works is ATHEANA (USNRC, 2000).
o This HRA technique is based on error-forcing contexts (EFCs),
which are characterised into two groups: those errors that are
directly characteristic of the initiation of the event sequence, and
those errors that are characteristic of the system.
o The ATHEANA methodology uses expert elicitation as the
cornerstone for developing HEPs.
o Expert judgement is also used to estimate the weighting factor for
each of the EFCs and HEPs.
o In particular, ATHEANA covers the following steps in its HRA
process (USNRC, 2000): identify the human actions to be assessed;
define human failure events (HFEs) pertinent to performing these
human actions incorrectly; and determine the HEPs for the defined
HFEs, including consideration of likely recovery actions.
o ATHEANA follows a more formalised and structured approach and
has a set documented process.
o USNRC (2000) also states that this process helps to identify the
following critical HRA and HEP information:
Identify operational vulnerabilities that could set up potentially
unsafe actions (UAs) (e.g., procedure weaknesses and operator
knowledge limitations and biases).
Identify plausible deviations from nominal conditions or
plant evolutions that might cause problems or
misunderstandings.
Identify important performance-shaping factors that are
relevant to both nominal and deviation conditions.
Identify other aleatory factors that could significantly affect
the likelihood of the HFEs and their uncertainties (i.e.,
investigating a broad range of potential influences).
o Unfortunately, like THERP, there are drawbacks to this
methodology, as it was not directly developed for spillway systems.
o The biggest problem with ATHEANA is that it is heavily reliant on
expert opinion.
o The procedure is both time and labour intensive, and the results can
be both hard to replicate and calibrate.
o However, USACE has had good experience using Expert Opinion
Elicitation (EOE) procedures in risk assessments of their civil works
infrastructure.
o The ATHEANA process would, however, be considered a viable
HRA methodology for spillway systems because these systems are
not newly designed and the ability of experts to estimate
probabilities should be realistic.
• Recommended HRA applications for spillway systems
o The incorporation of HRA into a system model for spillways is
imperative to show how human error can cause failure of the entire
system.
o The documentation of existing HRA methods is very important in
understanding the human performance functions from both the
cognitive and physical perspective.
o There are many HRA options available to analyse spillway systems,
even though none have a direct application.
o The development of a new holistic HRA model is a critical task for
the future of spillway risk assessment, but there are some robust
options that can be used in the HRA.
o HF PFMEA and IDAC are two methods for developing the causal
events and root causes, including the error modes (internal or
external).
o THERP and ATHEANA can, with some modifications, easily be
used to estimate the HEP for hydropower facilities and spillway
systems.
o Other HRA procedures could be useful, but it is recommended that
a study similar to the NASA (Chandler et al., 2006) methods study
be completed by USACE for spillway systems.
o Another emerging modern technology that seems to be promising
when it comes to simulation of the human aspects of the operation
of a hydropower system is the agent-based simulation.
o This methodology treats the entities/departments/operators of an
organisation as independent agents, a situation that is realistic in
terms of how modern organisations are set up.
The advantage of this method is that it allows simulation of
decision-making and output control generation in all kinds
of situations.
Unlike the older methods where it was only possible to
evaluate the failure rate of the individuals, agent-based
technology allows even potential corrective actions by
departments or individuals involved in the different
operating situations to be taken into account.
o Agent-based simulation opens up a new dimension of dynamic
simulation where the socio-technical system is addressed in terms
of behavioural science and the advances in this technology are used.
o There are other emerging and currently used technologies that offer
a very different approach to determining the reliability of human
agents.
o Most of the currently used approaches originate from the chain-of-
events thinking, based on the assumptions that:
uncommon scenarios occur in succession, pass through
multiple barriers of defence and result in an accident
human operators can be treated as just another component in
the system
probabilities of human errors in these causal scenarios can
be calculated or estimated.
o All these assumptions are now being questioned.
o More on the different approaches based on a control-theoretic view
of human and organisational error can be found in Hollnagel (2004)
and Leveson (2004).
• Part 4 Modelling Dam and Reservoir
o Chapter 11 Postscript
Development of risk analysis in dam safety
• Prior to the early 1990s, quantitative probability and risk analysis were
unrealised concepts in dam safety practice.
• However, the calamitous failure of Teton Dam, Idaho, in 1976, followed by
a series of less spectacular but more deadly dam failures in the later 1970s,
led to national interest in the USA for improved dam safety policies, and
the potential to use risk analysis as an instrument for improvement became
of interest.
• The 1986 USBR report Guidelines to Decision Analysis was seminal among
these.
o Guidelines to Decision Analysis laid out a comprehensive,
quantitative risk approach to dam safety based on contemporary
benefit–cost thinking (USBR, 1986).
o The report built on and fundamentally extended the thinking
reflected in the National Research Council reports of 1983 and 1985
(NRC, 1983, 1985).
o These safety criteria for natural hazards were essentially
deterministic.
o The USBR’s approach replaced these deterministic loading criteria
with probabilistically specified hazards; that is, with annual
exceedance probabilities of levels of inflow or water levels, and of
magnitudes of seismic events.
o This was a fundamental break with traditional practice, but it would
be a decade before this changed perspective was to enter practice.
• However, in parallel, interest in the implementation of a risk approach was
evolving in Australia, culminating in the publication of Guidelines on Risk
Assessment by the Australian National Committee on Large Dams
(ANCOLD, 1994).
• The USBR’s Guidelines to Decision Analysis (USBR, 1986) was
progressive for the time as it adopted probabilistic criteria for the extreme
loads of hydrology and earthquakes.
• Nonetheless, adverse conditions during normal operations, for example, due
to slope instability or internal erosion, were not tackled with the same
vigour.
• ANCOLD defined risk assessment as ‘The process of deciding whether
existing risks are tolerable and present risk control measures are adequate
and if not, whether alternative risk control measures are justified or will be
implemented’.
• Australian regulatory practice was also strongly influenced by that
country’s nuclear safety initiative, and specifically by the work of D.J.
Higson (Higson, 1978, 1985, 1990).
• These early risk-based guidelines and the following guidance of 2003 were
instrumental in promoting the practical use of quantitative risk criteria in
dam safety around the world (ANCOLD, 2003).
• The Dam Safety Interest Group, affiliated with what was then the Canadian
Electricity Association, undertook at this time a comprehensive study of
quantitative risk methodology.
• This resulted in the publication by Thomas Telford of the book, Risk and
Uncertainty in Dam Safety (Hartford and Baecher, 2004), which captured
and extended the aforementioned simultaneous developments in the USA,
Australia and elsewhere during the 1990s.
Effectiveness of current risk-analysis approaches to dam safety
• Current risk-analysis approaches to dam safety have been effective in
transitioning the enterprise from its deterministic underpinnings as late as
the 1980s when the National Research Council reports were drafted.
• While, to some extent, these new risk-analysis approaches primarily
provided a probabilistic veneer to the earlier deterministic thinking, they
went a long way to incorporating probabilistic descriptions of hazard and
reliability-based thinking about structural and geotechnical fragility.
• This was an important progression and has served the industry well. These
new approaches led to a different and more subtle appreciation of the effect
of uncertainty on dam safety, and it can be argued that they led to a much
richer understanding of the potential failure modes of dams.
• Indeed, the potential failure modes analysis (PFMA) process pioneered by
the FERC, USBR and USACE is a major achievement of this body of work
(USBR and USACE, 2012).
• A parallel development over the same period of time, and strongly aligned
with the movement toward quantitative risk analysis, was an increased
focus on loss of life as the driving criterion for dam safety.
• A further parallel development over the same period of time, and one that
is clearly associated with risk-analysis thinking, was the increasing
emphasis on quantifying expert engineering judgement. This goes under
several names, the most common of which is ‘expert elicitation’.
• The past 20 years have seen extensive and intensive use of quantified expert
opinion, the use of which has now extended widely beyond dam safety
applications.
• Subjective probabilities and their application to dam safety risk are
principally directed toward epistemic uncertainties.
• Today, we distinguish between epistemic uncertainties, which have to do
with the state of knowledge, and aleatory uncertainties, which have to do
with natural variations in time or space.
o Epistemic uncertainties are properties of the mind. They have to do
with how much we know.
o Aleatory uncertainties, on the other hand, are properties of nature.
They are what they are, and more effort invested in knowing them
can make their assessment more precise, but they can never be
reduced.
• The advent of risk analysis in dam safety drove home the distinction
between these two types of uncertainty, which had not been well understood
previously (Hartford and Baecher, 2004).
The next generation of risk analysis for dam safety
• Despite the successes of the risk-analysis techniques introduced in the
1990s and early 2000s, these methodologies continued the earlier focus on
a small number of extreme loadings as design events.
• Today, as evidenced in Safety of Dams – Policies and Procedures (USACE,
2014) and in the later Federal Emergency Management Agency (FEMA)
report on (US) Federal Guidelines for Dam Safety Risk Management
(FEMA, 2015), the principal failure modes addressed in these risk analyses
are of only three types: hydrological overtopping due to reservoir inflows
exceeding available discharge capacity, structural or geotechnical
instability due to extreme seismic ground shaking, and normal operating
failures due to internal erosion or piping.
• We know today, by studying past dam accidents and failures, that the chains
of events leading to accidents and failures are seldom so simple. There is
almost never a simple root cause of an event.
• An accident or failure may occur following a modest hydrological event,
not because that event was so extreme in itself, but because an unfortunate
chain of other events also occurred, and when taken in combination they led
to a failure.
• They are much more common than accidents or failures due to extreme
hazards.
• It is usually the case that these unfortunate chains of events involve
operational and other considerations that would not normally be
accommodated in traditional dam safety investigations or contemporary
probabilistic risk analysis.
• This is not a criticism of traditional dam safety or contemporary risk
analysis, merely an observation that these systems-engineering type failures
involve considerations that we have not heretofore included in our models
and analyses.
• The needs and constraints of dam safety risk analysis differ somewhat from
these other industries, but the concepts presented here are very similar.
• These systems-engineering focused approaches are not replacements for our
current generation of dam safety risk-analysis tools but are extensions to
them.
The goal of this book
• The purpose of this book was threefold.
o First, it was intended to point out that most accidents and failures of
dams occur not because of simple extreme loadings but because of
the systems interactions of hazards, disturbances, mechanical and
electrical systems, and human operators.
It is the interactions between these many things, influenced
by organisational practice, that cause accidents and failures.
This is not unique to dam safety but applies across the
spectrum of technogenic risks.
o Second, when one approaches dam safety from a systems-
engineering view, many individual technological considerations
must be brought to bear.
The breadth of these considerations is much greater than in
contemporary dam safety risk models.
The considerations involve the dynamic time-varying
aspects of hydrology, weather and other factors.
o Third, advances in computation, numerical modelling, statistics and
other technologies have allowed us to develop sophisticated
simulation models with which to combine these many
considerations.
These models allow us to incorporate dynamic aspects of
loads, fragilities and operations.
• As will be clear to the reader, we are in the early stages of learning how to
develop and apply system simulations of dam operations.
• The present book suggests how these problems can be approached, but it is
too early yet to provide packaged tools.
• These will be developed over the coming years, as will our understanding
of how to apply the results of systems simulations to practical problems.
Summary
• In the USBR’s 1986 Guidelines to Decision Analysis it was noted:
o During normal operation, loading conditions may generate a failure
mechanism by acting on structural defects inherent to the dam.
Examples of failure mechanisms that may occur during normal
operation of embankment dams include slope instability and internal
erosion due to piping. The loading condition for internal forces is a
function of the reservoir level and/or rate of change (e.g. high level
steady-state, rapid drawdown) and gravity loadings.
• Thirty years ago, and subsequently, the focus has been on risk associated
with structural defects and effects of extreme natural hazards.
• In the modern context, dam safety has a broader focus, and knowledge,
science and technology have advanced to the stage that a means of
addressing risk due to operational factors can now be incorporated in the
endeavour of dam safety management.