147

A COMPARISON OF METHODS FOR RISK ASSESSMENT OF DAMS
David S. Bowles.
Utah Water Research Laboratory and Department of
Civil and Environmental Engineering, Utah State
University, Logan, Utah 84322-8200
ABSTRACT
Risk-based procedures for assessing appropriate safety levels for new
and existing dams have been proposed for use in planning and design of
dams and screening of unsafe dams. The risk assessment framework and its
application to dams is presented. Approaches for estimating the various
types of probabilities and consequences needed to perform a comprehensive
dam risk assessment are described.
Several methods for planning,
screening, and design level risk assessment are summarized and compared.
The lecture closes with a discussion of the advantages of, commonly stated
objections to, and some unresolved issues related to, risk assessment of
dams.

1.
1.1

INTRODUCTION
Background

Interest in dam safety has grown in the past decade. According to
the National Research Council (1985), reasons for this growth include:
several disastrous dam failures or near failures in the United States and
other countries; the classification of approximately 3,000 high-hazard
dams as "unsafe" by the National Dam Inspection Program conducted by the
U.S. Army Corps of Engineers; the high cost of improving these "unsafe"
dams to meet current design standards; and the consideration, by many
states, of more stringent regulation of privately-owned dams.
Simultaneously there has been a growing interest in the potential for
using risk assessment procedures to provide a framework for addressing dam
safety problems.
Such procedures can provide a basis for evaluation of
proposed safety improvements for new or existing structures. The purposes
of thi s 1ecture are to present the ri sk assessment approach as it is
applied to dams, to compare several alternative procedures for dam risk
assessment, and to discuss some of the advantages, limitations, and other
issues relating to this application of risk assessment.
In this lecture the term "risk" will be used to mean "the potential
(probability) for the realization of unwanted consequences from impending
events" (Rowe, 1977). According to this definition, the term risk has two
dimensions associated with an undesirable event: the probability of its
occurrence, and the magnitude/of its consequences.
By thi s defi nit ion

L. Duckstein et al. (eds.), Engineering Reliability and Risk in Water Resources
© Martinus Nijhoff Publishers, Dordrecht 1987

148

economic damages resulting from a dam failure are considered to be a
component of the consequences which may include potential life loss and
environmental damage.
The term "risk cost" is used to describe the
expected value of economic damages on an annual basis.
1.2

Levels of Risk Assessment

Different levels of detail in the risk assessment procedures used for
dam safety evaluations are appropriate at different stages in the life of
a dam. As the data base for a dam grows and as the issues to be addressed
change from general questions of site selection, to specific issues of the
selection of design parameters, the degree of detail which can be
justified in the risk assessment grows correspondingly (Bowles et al.,
1978, Howell et al., 1980). For the purpose of this presentation, three
levels of risk assessment applications to dams are distinguished.
In
order of increasing detail they are the pI anning level, the screening
I evel and the des ign level.
At the pI anning level it is desirable to introduce an estimate of
risk cost associated with dam failure into the benefit-cost analysi s as a
means of incl uding societal risk into the process of deciding to build a
dam (Pate-Cornell and Togaras, 1986).
At this level the estimated
probabilities and consequences of dam failure are only approximate and
usua11y wi11 rely heavily on historical information (U.S. Water Resources
Council,1979).
The screenl!!.9.. problem is the identification and ranking of "unsafe"
dams in order of priority for expenditure of I imited funds to pay for
remedial action.
In this context the absolute values of probability and
consequence est imates are I ess important than a consi stent procedure for
estimating them so that an accurate ranking wi11 be achieved.
At the
screening level site-specific conditions would typica11y be evaluated
using reconnaissance level investigations and only approximate engineering
and economic analyses.
An example of the screening level is the method
developed for the Federal Emergency Management Agency (FEMA) by Stanford
University (McCann et al., 1985).
A desi!l!l. level risk assessment involves detailed questions such as
the selectlon of design standards and choices between design alternatives
for the dam and its appurtenance structures.
Carefu11y estimated
probabil ities and consequences must take into account site-specific
conditions based on detailed site investigations and engineering and
In addition the sensitivity of conclusions must be
economic analyses.
investigated with respect to uncertainties in the estimates of both
probabi I ities and consequences.
The only documented procedures at the
design level are by the U.S. Bureau of Reclamation (USBR, 1986).
Work
which contributed to these procedures includes Howell et al. (1980).
1.3

Outline of Lecture

---------------~--

The lecture is divided into five sections. After this introductory
section the overal1 framework for risk assessment and its application to
dams is presented in Section 2.
A description of approaches for
probability and consequence estimation is provided in Section 3. Several

149

methods of risk assessment which are currently in use or have been
proposed are classified by risk assessment level and compared in Section
4.
In Section 5 the advantages of, and commonly stated objections to,
risk assessment of dams are discussed. The lecture is closed in Section 6
with a presentation of conclusions and some unresolved issues.

2.
2.1

RISK ASSESSMENT FRAMEWORK AND ITS APPLICATION TO DAMS
General Framework

Ri sk assessment involves the identification, estimation and evaluation of risks associated with a natural or man-made system. The purpose
of risk assessment is to evaluate whether the present margin of safety or
reliability of the system is acceptable, or to select an alternative for
controlling risk in terms of either the probability or consequences of
system fail ure (see Fig. 1).
Ri sk management compri ses both the
identification~ estimation, and evaluation aspects of risk assessment and
the implementation aspects of risk control (see Fig. 2).
This lecture
emphasizes risk assessment although some references are made to the larger
problem of risk management.
Figure 3 illustrates the relationship between the steps of risk
identification, estimation, evaluation and control for environmental risk
management.
The implementation of risk control measures, which could be
structural or nonstructural in nature, would typically introduce new ri sk
factors which could lead to the need for a second-order risk analysi s.
The first two steps of risk identification and estimation are usually
performed by an analyst, such as an engineer or an economist.
Risk
evaluation and control are usually determined by a decision maker and
typically involve political judgments as to risk acceptability (e.g., how
safe is safe enough?). Examples of approaches used in each of these four
steps in an environmental risk management problem are given in Figure 3.
~_APJ> 1 i c a~ i on .!.9~l!~.

Dam engineering is not an exact science. The successful design and
construction of dams requires the app1 ication of judgment by highly
experienced engineers, geologists, hydrologists, and others. Traditionally the approach to dam design focuses deterministic analyses on extreme
events, such as the probable maximum flood (PMF) or the maximum credible
earthquake (MCE), and uses conservative estimates of such properties as
concrete or soil strength. Safety factors are used to evaluate the ratio
of resisting to overturning moments for such failure modes as slope instability. As a result, through the practice of the traditional approach,
which is based on the accumulation of many decades of dam engineering
experience, an impressive safety record has been achieved.
However, the traditional approach does not attempt to explicitly
quantify all significant risk factors for a dam. Nor does it explicitly
determine the degree of safety which can be justified for a particu1 ar
structure considering the potential consequences of a sudden release of
the contents of a reservoir following dam failure.
The risk assessment
approach provides the framework to make such a quantitative determination.

150

RISK ASSESSYENT
RISK
IDENTifiCATION

RI SK

RISK
EVALUATION
-ACCEPTABLE
RISK?

f----'----- EST IWATI ON

-DO NOTH ING
OR BASEL! NE

cm

I----

~ ~ IWPLEWENTATION

NO

RISK
EST IWAT I ON
-AVERS I ON
MEASURES

Of RISK
AVERS I ON
MEASURES

I--

---

Figure 1.

Risk assessment framework (after Bowles and James, 1986).

RISK MANAGEMENT

RISK
/

/~

(ANALYSIS)

RISK
IDENTIFICATION

RISK CONTROL

ASSESS~ENT

~
RISK
EVALUATION

RISK
ESTIMATION

/

RISK
AVERSION
Figure '2.

(IMPLE~ENTATION)

Components of risk management.

~

RISK
ACCEPTANCE

151

SCIENTIFIC
ANALYTICAL
JUDGEMENTS

r--------..,~ AND
RISK IDENTIFICATION

second order
(sensory perception; experience;
risk analysis
intuition; scientific investigations;
~ .--_ _-'-___e..,xtrapo Iat i on)

,..----'----,

RISK CONTROL
(standard setting;

monitori~

"'""tlt": ,"',,""'"t)

POLITI CAL
JUDGEMENTS

RISK ESTIIlATiON

>,:

~

I

(model ing; experimentatic
experience; intuition)
first order
risk ana lysis

RISK EVALUATION
(comparative risk analysis; risk-benefit

~ analysis; best practicable means
approach; risk acceptabi I ity)

Figure 3.

Environmental risk management (after O'Riordan, 1979).

The approaches to applying risk assessment to dams differ at the
planning, screening and design levels. The approach appropriate at the
most detailed, or design level, is presented below.
This presentation
follows the identification, estimation, aversion, and acceptance steps of
the approach as shown in Figures 1 and 2.
2.2.1
Risk identification.
Firstly a sequence of events is
identified beginning with events that can initiate dam failure and ending
Initiating
with the consequences of the failure (see Fig. 4 and 5).
events can be classified as external or internal. External events lnclude
earthquakes, floods, and upstream dam failure.
Internal events include
chemical changes in soil or concrete properties or latent construction
defects.
At low levels these events would not lead to dam failure.
However, at high inflow rates a rapid rise in pool level could lead to
overtopping, or a severe earthquake could result in structural deformation
or liquefaction. These and other dam-foundation-spillway-reservoir system
responses are failure modes which can lead to the outcome of the sudden
release of the reservoir contents.
The magnitud--eofthe resulting
property damage and life loss will depend on various ex~osure factors.
These include flood routing to determine the path of thel ood wave, the
area of inundation, and the travel time; the time of day and season of the
year; and the effectiveness of any warning systems and evacuation plans.

152

'INITIATING ISYSTEM RESPONSE
OUTCOME
EXPOSURE CONSEQUENCE
EVENT I! (FAILURE MODE). (PARTIAL/COMPLETE
FAILURE)
IDENT IFICAT ION EXTERNAL:
OVERTOPP I NG
ECONOM I C DAMAGE
TIUE Of DAY

------- -- I PIPING
ESTIMATION

rLo:;I~G---1J-F~~~U~~
L

AVERSION

l

: PROB (E)

BREACH

DEFORMAT I ON
SLOPE
INSTABILITY

EARTHQUAKE

I INTERNAL

:

~

UPSTREAM WATERSHED
CHANGES
UPSTREAM DAM
IMPROVEMENTS

C-

T

M

~

BREACH

STRUCTURAL
MODiFICATIONS

---r--- -

.,

WARN I NG SYSTm
fLOOD PROOfiNG
EMERGENCY
PREPAREDNESS

LOSSES

L

RELOCATI ONS
ZONING

L __ -f------J

,

.'I/YES

I MPLEMENTAT I ON

L ___ _

Figure 4.

i

_______________ J

i - -l
I

I

I
i

Of RISK.
_--LAVERSION MEASUREs}-

RISK
,/-- ASSESSMENT
';>__
"-. CRITERION _
MET? _/

'I'

I

i SELECTION

-~O:l---

ACCEPTANCE

rr

-lIr;P~;URE-l!- EXPECTEo-l

n .' PROB (LID)

rJ 'T'

PROB (0

L

STRUCTURAL
MODIFICATIONS.
I NSTRUVENTAT I ON.
OPE RAT ING
R£STRICATIONS

L __ _

L_

r-

--,

! PROB (FIE)

LOSS Of lifE

SEASON
WARNING mE

Risk-based method for assessing dam safety improvements
(adapted from Bowles et al., 1984).

Figure 5.

SYSTEM
RESPONSE

OUTCOME

• SEASON
• FLOOD WARNING TIME
• DAY OR NIGHT

EXPOSURE FACTORS

EXPOSURE

lOSS Of NATURAL
AESTHETICS

lOSS Of REVENUE

lOSS Of LIVES

REPARABLE
STRUCTURAL
DAMAGE TO DAM

IRREPARABLE
STRUCTURAL
DAMAGE TO DAM

PROPERTY
DAMAGE

CONSEQUENCE

Event-system response-outcome-exposure-consequence diagram for an Earth Dam (after Howell
etal .• 1980).

:::. ti

INITIATING
EVENT

...'"

154

Consequences are classified as life loss and economic loss which includes
property damage, cost of dislocations, and loss of project benefits.
During the identification step, professional judgment and experience,
review of available information, and site visits are used to develop a
list of the types of initiating events, system responses, outcomes,
exposure factors, and consequences which apply to a particular damfoundation-spillway-reservoir system.
A diagram such as that shown in
Figure 5 is then constructed to describe the event-consequence sequences
or initiating event-system response-outcome-exposure-consequence pathways.
Using the information assembled in Figure 5 an event tree (see Fig. 6) is
developed to describe each pathway associated with a particular range of
magnitudes of an initiating event (e.g., a range of reservoir inflow
magnitudes or a range of ground accelerations at the dam site associated
with seismic activity). The event tree is the risk model for the design
level risk assessment.
2.2.2 Risk estimation. The second step in the (design level) risk
assessment procedure is the estimation of the probability and consequence
components of risk. The types of probabilities to be estimated are shown
on Figure 4 and are as follows:

Annual probability of occurrence of loading (e.g. flood) in a range
of magnitudes, E - Prob(E)
Conditional probability (fragility) of dam failure by a specified
failure mode, F, given that loading occurs in the range, E - Prob
(FIE)
Conditional probability of the outcome, 0, release of reservoir
contents, given that failure mode, F occurs - Prob (O/F)
Conditional probability of life loss (and in some cases property
damage), L, for a population at risk given that the outcome 0
occurs - Prob (L/O)
Alternative methods for estimation of these probabilities are discussed in
Section 3.1.1. All event sequences defined by the event tree risk model
are considered.
Estimation of economic (LE) and life (LL) loss and
consideration of exposure factors are discussed in Section 3.2.
The partial risk cost for the ith pathway is obtained by taking the
product of the four probabi 1 it ies and the economic consequences as
follows:
ci

=

Prob (E) Prob (FIE) Prob (O/F) Prob (L/O) LE

(1 )

The total risk cost is obtained by summing the partial risk costs over all
N mutually exclusive pathways as follows:
C

N
l:

i=l

ci

(2)

155

INITIATING
EVENT

SYSTEM
RESPONSE

OUTCOME

J-40% PMF

No rma I

No Fa i lure

40-60% PMF

Auxi Iiary
Sp i Ilway

<

___________________________~~!::?_0..~~___________________________________ _
Dam Breach

______________ ~_a~__ I_u r~ _____________ jpJJl!<!t.P~~_qe_

60-80% PMF

~----

Auxi liary
Spillway
Failure

__________ Dam Breach
~
.
Spillway Damage

Dam
Overtopped

~

_____

Dam Breach
Crest Damage

Servi ce _ _ _ _ _ Dam Breach
Spillway _ _ _ _ _
Fai lure
Spi Ilway Damage

- - - - - -_ .. - - - - - - - - - - - - - - - - - - --- --------------Auxiliary ~ Dam Breach

80-100% PMF

Spillway
Foi lure

_____

Dam

~ Dam Breach

Overtoppec

.
Spillway Damage

Crest Damage

Service ______________ Dam Breach
Spi Ilway _ _ _ _ _
Failure
Spillway Damage

Figure 6.

Event tree for hypothetical dam considering hydrologic loading
only.

156

The probability of life loss for a population at risk due to a
failure described by the ith pathway is given by:

= Prob

Pi

(E) Prob (FIE) Prob

(O/F) Prob (LID)

(3 )

A hi stogram, P(LLj), of 1 ife loss can be constructed by summing the
pathway probabilities associated with pathways with potential magnitudes
of life loss consequences falling in several magnitude intervals:
P (LLj)

=

L Pi

in which
s

=

set of all pathways for which LLj

< LL < LLj+1

2.2.3 Risk aversion. The product of the second step is an estimate
of the probability of failure, the risk cost, and life loss that would be
associated with each failure mode, or combination of failure modes, for
the basel ine or do nothing alternative (see Fig. 1). If these risks are
unacceptable, the analyst moves to the third step.
This involves
formulation and evaluation of alternatives for risk aversion, which are
commonly referred to as remedial action or rehabilitation alternatives for
dams.
Risk aversion can be achieved by reducing the probabilities
associated with a pathway or by reducing the consequences. In both cases
structural or nonstructural measures may be cons i dered.
Fi gure 4 1 i sts
some examples of aversion measures and shows the probabil ity or
consequence that would be expected to be reduced by their implementation.
An important and sometimes difficult part of the evaluation of risk
aversion measures is the estimation of the reduction in the probabilities
or consequences that would be expected as a result of impl ement i ng a
measure.
For example, what would be the reduction in Prob (FIE) for
foundation failure during an earthquake if rock anchors were placed in the
foundation?
Or, what would be the reduction in Prob(L!O) if a flood
warning system and evacuation plan were implemented?
The product of the aversion step is an estimate of the reduction in
prob ab i1 it y 0 f fa i 1 ur e , the r i s k cos t, and 1 if e los s t hat can be
attributed to the impl ementation of a risk aversion measure.
Such
reductions are used as an estimate of the benefits of the measure and
hence a benefit-cost analysis can be performed.
2.2.4
Risk acceptance.
The final step in the risk assessment
process is the decision as to what degree of safety should be achieved, or
equivalently what residual risk will be accepted.
Although the analyst
can supply information and recommendations for this decision, it is
usually made by a decision maker such as the dam owner, operator, or
regulator. The decision is especially sensitive and difficult where lives
are at risk and where large investments will be required to improve safety
with 1 ittle or no effect on the project benefits, except of course to
their expected longevity considering the reduced 1 ikel ihood of dam
fa i 1ure.

157

3.
3.1

ESTIMATION. PROCEDURES
Probability Estimation

3.1.1 General approaches.
There are three general approaches to
probability estimation: historical/empirical, judgmental, and analytical.
The historical/em~irical approach utilizes historical frequencies of
events as probabihty estimates.
The larger the available sample size
used the better the estimates are expected to be. Thus a lDng record of
flows or seismicity can be expected to yield better (i.e., less uncertain)
estimates of extreme floods or earthquakes than a short record. Similarly
a 1arge data base of dam failures, categorized according to such factors
as the type, size, age, and location of the dam, can be expected to
provide better estimates of the probability of failure due to a specified
failure mode than would a small data base.
However, the available data
base for dam failures is usually small for a particul ar category of dam,
especially large dams, and in any case will provide only an estimate of
probability of failure for "average" conditions rather than for the
specific conditions of the dam which is under evaluation.
In order to incorporate add it i ona 1 i nformat i on about the study dam
obtained from field work, laboratory testing, engineering analyses and
expert judgment, the historical/empirical probability estimates are
treated as initial estimates which can be updated judgmentally using the
additional information.
The Bayesian approach to estlmatlon provides a
formal method for updating historical probabil ity estimates using
"judgmental" information, as follows:
Prob"(F/X)

Prob' {F)L(X/F)
Prob'(F)L(X/F) + Prob'(F)L(X/F)

(4)

in which
Prob"(F/X)

updated estimate of probability of failure given
additional information X about the dam

Prob' (F)

prior estimate of probabil ity of failure

Prob'(F)

prior estimate of probabil ity of no failure

L(X/F)

1ike 1 i hood of observing i nformat ion X given that the dam
were to fail

L(X/F)

likelihood of observing information X given that the dam
were not to fail

McCann et al. (1985) provide values for the likelihood functions, L, for
several dam failure modes although it is not clear what is the basis for
the suggested values.
The third method of probability estimation is the analytical method
in which models are used to transform probability distrlbubons of loads
and strength parameters into an estimate of the probability of failure.
For example, the probabil i stic slope stabil ity method of Sharp et al.

158

(1981) can be used to estimate the probability of slope failure due to the
spatial variability in shear strength in a zoned embankment. Yen (1986)
presents four methods for obtaining analytical probabil ity estimates:
direct integration, mean-value first-order second-moment method (MFOSM),
advanced first-order second-moment method (AFOSM) and Monte Carlo method.
Unfortunately the analytical approach usually requires additional
expensive field work in order to estimate distributions for strength
parameters.
Also, site specific information is often 1 acking and
realistic models necessary for estimating failure probabilities for such
phenomena as piping are not available.
At this time the analytical
approach is generally considered to be an approach which needs additional
research and development before it is ready for use in practical dam risk
assessments. Therefore, the historical/empirical approach with judgmental
updating where appropriate is most commonly used.
The four types of probabilities to be estimated in a dam risk
assessment were listed in Section 2.2.2 as Prob (E), Prob (F/E), Prob
(O/F) and Prob (L/O). Estimation of the first three probability types is
briefly discussed below and estimation of the fourth type is discussed in
Section 3.2.
3.1.2 Probability of initiating events, Prob (E).
Most commonly,
three types of loading conditions are considered for a dam risk
assessment:
static reservoir load, hydrologic (flood) load and seismic
load.
Other loading conditions may be identified for a particular
structure but only these three will be considered here.
Static loading can lead to various failure modes such as piping or
embankment instability.
The probability of reservoir loading (i.e.,
reservoir stage) being in a range that could lead to such failure modes
can be evaluated from information on the operating policies for the dam.
Hydrologic loading is evaluated in terms of peak inflow design rates.
Where measured flow data are available, a flood frequency analysis can be
performed to estimate the probability of occurrence of more frequent
events.
Depending on the length of record it might be reasonable to
extend such a frequency curve to events with return periods of 100 or 200
years (see for example Bulletin No. 17B, U.S. Department of Interior,
1982). However, the probable maximum flood (PMF) is associated with much
rarer events and its return period cannot be determined with confidence.
Since a probability must be estimated for flow ranges up through the PMF
in order to. perform a quantitative risk assessment it is customary to make
an arbitrary probability assianment for the estimated PMF. Typically this
would be in the range of 10- to 10- 6 per year. USBR (1986) suggests an
approach whereby the 5% and 95% confidence limits on the PMF are assigned
probabilities of 10- 6 and 10- 4 , respectively.
The frequency curve is
extended to the plotted point correspondi ng to the PMF, and thus a
probability of peak reservoir inflow being in any flow range up to the PMF
can be obtained.
Typically in a risk assessment the dividing points
between flow ranges are on critical flows associated with thresholds for
failure modes of the existing dam or its rehabilitation alternatives, or
with changes in the downstream stage-damage relationship.

159

The estimation of probabil ities of seismic load ranges has certain
similarities to the case of estimating the probabilities of hydrologic
load ranges.
Frequency analysis is performed on available historical
seismic data and then extensions are made to the maximum credible
earthquake (MCE). All known faults (and random locations if appropriate)
which could affect the dam site after attenuation is taken into account
must be considered and the probabil ity of accelerations at the dam being
in various ranges are estimated. As with the case of hydrologic loading,
acceleration ranges are based on critical values of acceleration
associated with thresholds for failure modes of the existing dam or its
rehabilitation alternatives.
3.1.3
Conditional system response probability or fragility, Prob
(F/E). For each loading type the event tree constructed during the risk
identification step (see Fig. 6) specifies failure modes or system
responses which could occur during initiating events with magnitudes in
each loading range. The relationship of Prob (F/E) and (E) is referred to
as the fragility. In some cases such as overtopping of an embankment dam
this relationship may approximate a step function (see Fig. 7a). In other
cases, such as a seismically induced failure mode in a region of low
seismicity, the fragil ity may be a smooth curve which does not reach a
probability of 1.0 at the maximum acceleration at the site.

1.0

o

o

PERCENT PMF

o

ACCELERAT ION, 9

1.0

o
Figure 7.

Examples of fragility relationships.

100

160

Fragility relationships are based on engineering analysis,
experience, and judgment. Research in the form of scale model studies,
numerical modeling, and evaluation of historical dam failures is needed in
order to improve our current estimates of these rel ationshi ps.
Uncertainty in estimates of the threshold at which Prob (F/E)
significantly departs from zero, or the steepness of the fragility curve,
leads to wider confidence limits on estimated probabilities of dam failure
and risk costs.
3.1. 4 Outcome prob ab i 1 it i es, Prob (O/F). The outcome of a failure
mode may be a partial or complete failure of the structure.
A complete
failure impl ies a breach with release of the reservoir contents and a
partial failure implies damage to the structure but no catastrophic
release of the reservoir contents.
For a seismically induced failure mode the type of outcome would
typically be dependent on the level of the reservoir at the time of the
failure. Thus an evaluation of the reservoir operating policy can lead to
an estimate of Prob (O/F).
For a hydrologically or statically induced
failure mode the outcome probability may be set equal to 1.0 since the
probability of reservoir level is usually accounted for in Prob(E) or it
can be used to account for other factors such as the duration of an
overtopping event which could determine the difference between a partial
and complete failure.

3.2 Consequence

Estimat~~

3.2.1 Types of consequences. The consequences of a catastrophic dam
failure can be grouped into various categories such as economic, life
loss, environmental, social, etc. In this lecture consequence estimation
for only the first two categories will be discussed.
This discussion
includes reference to estimation of exposure probabilities, Prob (L/O).
3.2.2 Economic damages.
The quantification of economic damages
requires identification of the inundated areas for each dam failure mode.
The inundated areas are obtained from dam break modeling and flood
routing. Land use characteristics and business activities which would be
affected by flooding and public facilities and service operations which
may be interrupted by flooding must be identified. Potential losses which
could result from dam failure, include property damages, incomes foregone,
and project benefits which are foregone because of the failure.
Damages that will occur without dam failure are defined as baseline
damages (see Fig. 8).
They include operational damages resulting from
normal spillway operations or overtopping prior to or without structural
fail ure.
Basel ine damages precede dam failure and are not properly
attributable to the uncontrolled release of reservoir storage. As such,
they must be deducted from the total estimate of flood damages in order to
determine those that are directly related to structural failure.
These
damages are not preventable by dam safety modification, except by
providing additional storage. They would occur regardless of the changes
made to spillways or outlet works.

I

i

//i/
~_____

!
!

act ion aIte rnat ive and re Iease
of rese rvo i r contents

.

"--

B - C = increase in damage
associated with fai lure of
ex ist ing dam and re Iease of
reservo i r contents

Figure 8.

--,---------,-

Example of determination of differential damages (adapted from USBR, 1986).

': . ---=-----.---

///
~ Fai lure of remedial action alternative
//
-- -A
--____
/ _- - - - C - A = reduct ion in damage
due to flood contro I storage
a
25
50
75
100
Percent PMF

,,//'

! ///

i /~

Fai lure of Existing Dam~

///

~

II~

-~-.-:--

!

,--;;---..._---8

o - C = increase in damage
_---0 ~ associated with failure of remedial

o - Typical remedial action alternative

C - Natural flow without flood control

B - "No action" (Existing dam overtopped - with fai lures)

A- Baseline ( Existing dam without failure)

'"

162

Damage estimates for a given failure mode must be made for
alternative loading conditions (e.g., flow range as a percentage of the
PMF).
These damages are estimated for agricultural, instream,
residential, publ ic and industrial losses incident to dam failure. Stagedamage ratio curves have been developed by the Federal Insurance
Administration (FIA) and used for residential structures. The U.S. Army
Corps of Engineers has developed stage-damage ratios which can be used for
commercial and industrial structures and for public facilities.
The
losses to residential areas from flood inundation include damages to
dwellings, costs of displacement during the time dwellings are repaired or
rebuilt, and damages to personal property which can be estimated from
local insurance records.
Dwelling values can be obtained for broad
residential districts from local records.
Business losses can be estimated for two categories of loss: capital
losses and employment and income losses. The former involves the losses
of equi pment, structures and contents.
Val ues are taken from i ndustri al
indices for various standard industrial code (SIC) industry
classifications.
Employment losses involve the jobs and associated
incomes that are lost due to flooding.
Current popul ation reports and
census reports are also of value in estimating commercial as well as
residential conditions.
The cost of repairing or replacing public facilities and services are
assumed as a proxy for damage estimates.
For example, bridges in the
flood path may be destroyed with the result that traffic will be forced to
take longer routes until they are replaced.
Agricultural losses are divided into capital losses, crop losses and
losses of the productive capacity of land. Capital losses are damages to
equipment and structures. Crop losses include foregone income from crop
operations which are partially or totally interrupted by flooding.
The
1osse s are est imated by crop type, aver age product i v e capac i ty of 1and
bases, and normalized prices for the crops involved. Input costs, such as
fertilizer and seed costs, should be included in the estimated damages
since their services in production are parti ally or totally lost due to
destruction of the crop.
Most of the analyses rel ated to these loss
estimates are simil ar to the economic benefit evaluations of standard
water development projects and loss estimation procedures and farm
enterprise budgets for use in the U.S. Such procedures are available from
the Division of Pl anning Technical Services of the USBR.
If any of the
inundated areas are expected to experience severe erosion or flood debris
damage, the productivity of the land is diminished.
Lost value of the
land should then be estimated and included in the damages.
The amount of warning time and emergency evacuation procedures affect
the amount of property damage.
Given sufficient time, people can
generally evacuate with some amount of property, including equipment,
personal cars and other high value but mobile items.
Livestock may also
be moved to higher ground or away from areas where they may be isolated by
flood.
These actions can reduce damages considerably.
Therefore, an
assessment of any currently installed or proposed emergency warning system
and subsequent warning times and the emergency evacuation procedures needs
to be compl eted in order to apply reduction factors (exposure

163

probabil ities) to the damage estimates, particul arly capital and personal
property estimates. Figure 9 shows graphically a probabilistic analysis
of a monitoring system and warning system.
In addit i on to property damages, loss of reservo i r benefi t s must be
estimated and included in the damage calculations.
These losses are
included for the period of time that reservoir storage is lost or reduced.
If the structure is to be repaired, then these losses are included for a
partial rather than project life basis, but the repair costs are included
in the estimates of losses.
3.2.3
Potential life loss.
The importance of considering the
potential impact of a dam failure on downstream populations cannot be over
emphasized. This issue is discussed in Section 5.2. In order to estimate
potential life loss the population at risk must be identified from
inundation maps.
Often there will be more than one population at risk
(e.g., recreational use below dam, r'anchers below dam, downstream town)
where populations are distinguished by location (and warning time) and
exposure characteristics (e.g., sparse such as farmers, dense as in a
town, seasonal as for campers, residential or business with different day
and night time characteristics).
Each population at risk must be evaluated separately with respect to
the effectiveness of a warning system, the length of warning time
considering the travel time for the flood wave, and the effectiveness of
evacuation plans. An evaluation of historical dam failures by USBR (1986)
indicates a very significant reduction in exposure probability for smaller
communities with adequate warning time over simil ar communities without
adequate warning time.
USBR (1986) found an exposure probabil ity of
0.0002 for situations in which the warni ng time exceeded 1. 5 hours.
Estimates of exposure probabilities for large metropolitan areas, or for
other speci al situations, can be improved by using evacuation model ing
(Jaske, 1985).
Differences in exposure probabilities associated with
different failure modes must be considered.
For example, if failure
occurred as the result of an earthquake, warning time would likely be less
than a failure resulting from hydrologic causes for which inflow forecasts
might provide forewarning of exceptionally large inflows.
hL~~Lt iV..!.!.Lt\.~~2.~.2.

Traditionally, estimates of loads on material strengths in
engineering design are made on a conservative basis.
In a risk based
approach additional estimates are made to describe a range of estimates of
each load or probability or consequence. With this "internal" estimate
approach the effects of uncertainty in the estimation of the inputs to a
dam safety decision can be explored and documented through sensitivity
analysis.
Where the recommended decision is sensitive to uncertain
factors additional efforts to reduce the degree of uncertainty can be
considered.
Alternatively, if the level of uncertainty cannot be
economically reduced the conservative design approaches can be used to
achieve acceptable safety standards. Since uncertainty exists in all the
inputs (e.g., probability and consequences) to a risk assessment the use
of sensitivity analyses is an important part of a comprehensive dam risk
assessment.

164

DeCISION TO
KoNITOR

FAILURE

OBSERVATION

T

J

<;::,~

;;j'

Lo s: :t U
RAINSTORM FORleAST'

Yes O,B

I
I

INTEflPRETATION

FAILURE

OCCUR'NCE

LEAD
TIME

SIGNALS
APPEARANCE

MODES

POTENTlAL-,-

COLLAPSE
AVOIDED

~\....

~

Contrlbution to
f_pected Value

'!> ~o

t " ~'I~'
S'(fJ Hed

E. . ACUATION--

~___---='-'--"'' -''_~
,---\

":0

i~

~.

. ""1 L055:0
~-=-'-""""-~

No 0.9

,, -0.5

P'lUDD~

Ves 0,6

0.0192

.-0.7

SPRINGS

, - 1 LoSS:£'"
a 'O ,8

loss: N.D

lou : N,D

0,12288
0.0096

,, -I L055:0

0.0336

c-_ _

_O'__
' __
.'0.7

LO$$:O

~eS Ol;.\;....---'-'-'-"""-'-'~

~-----<::l-="""J:2.to

0.9

0.00336
0.0384

a""0.4

'" ~o.!l-'---"'"-'=::-

'0

0.012
0.0504

a'l L055:0

~~r-_ _.:.l:.:O,.:..:,,-,N.:..:.D..
;;j'

of.
0,0144

0.0059
0.0147

.-0.8
0.10584

---------'~--

O.OOS4
lOSS:IH 11ves
o property
d.lIWIge
Loss: 0

Figure 9.

Total: 0. 4)87
•• : Proportion
of peoph

..

~ 44~

uved whO would

have been killed
otherwise

Probabilistic analysis of a monitoring and warning system (after
Pate-Cornell and Togaras, 1986),

165

4.

4.1

COMPARISON OF METHODS
Selection of Methods for Comparison

Methods compared are grouped into three categories based 1evel of
risk assessment.
The traditional or subjective engineering design
approach which does not expl icitly quantify ri sk or assess its
acceptability is excluded from this comparison.
Neither does the
comparison include generic evaluation approaches such as surrogate worth
trade-off (Haimes and Hall, 1984), ELECTRE (Gershon and Duckstein, 1983),
or multi-attribute utility analysis (Keeney and Raiffa, 1976). A recent
evaluation for the U.S. Army Corps of Engineers (University of Southern
California, 1985) includes the traditional engineering design and generic
evaluation approaches with an apparent emphasis considering hydrologic
loading.

4.2 Plann.0g Level

Methl2~_

At the pl anning level an estimate of risk cost associated with dam
failure can be "introduced into the benefit-cost analysis which is used to
provide the economic justification for a decision to build a dam. Baecher
et al. (1979, 1980) describe a method for estimating the risk cost at the
pl anning stage based on an average (or default) historical/empirical
failure rate of 10- 4 per year for large dams.
In a recent paper PateCornell and Togaras (1986) presented three case studies of planning level
risk assessments and extended the procedure to the case of sequential dam
failure.
The level of detail used in these planning level methods is
consistent with the level of effort which is expended on other planning
studies and the availability of site specific information.
Therefore,
this level would not be suitable for comparing the risks associated with
specific design alternatives for a proposed structure or for remedi al
action alternatives at an existing structure.
~~!~~~jn9 Level Methods

The screening problem is the identification and ranking of "unsafe"
dams in order of priority for expenditure ofl imited funds to pay for
remedial action.
By its very nature the screening problem implies that
several, and perhaps many, dams must be assessed. Therefore, the level of
detail required for analysis must be limited, and consistent procedures
will be important to achieve an accurate ranking. Screening level methods
are divided into index or qualitative methods and quantitative methods.

4.3.1 Index (qualitative) methods.
Both the U.S. Army Corps of
Engineers and the U.S. Bureau of Reclamation have developed index methods
for ranking existing dams in terms of a subjective measure of "risk."
Hagen I s (1982) method, developed for the Corps of Eng i neers, defi nes a
"relative risk index," R as the sum of an "overtopping failure score," 0
and a "structural failure score," S.
The overtopping failure score is
defined as follows:

o

=

in which

0(1) x 0(2) x 0(3)

(5 )

166

0(1)

additional number of homes endangered by failure

0(2)

project flood capability as percentage of current design flood
standard (PMF)

0(3)

= project

capability to resist failure by overtopping

and the structural failure score is defined as:
S

= S(l)

x S(2) x S(3)

(6)

in which
S(I)

number of homes endangered by failure at normal maximum
probabil ity

S(2)

evidence of structural distress

S(3)

potential seismic activity

The value assigned to each of the six factors is determined subjectively
based on site inspection, review of design and construction records, and
other available information.
It varies between 1 and 5 with 1 being the
most favorable. Thus the maximum or worst case index value would be 250
and a high score would lead to assignment of a high priority for remedial
action to reduce the risk of dam failure.
The Bureau of Reclamation index method was developed as part of their
Safety Evaluation of Existing Dams (SEED) (USSR, 1980) program.
The
evaluation process includes a site inspection and a review of avail able
information on dam design, construction, and operation.
A detailed
evaluation report is prepared and a numerical measure of the dam's
condition and damage potential, referred to as a site rating (SR) is
assigned.
The SR is obtained by summing the scores assigned to four
elements relating to the conditions of the dam (age, general condition,
seepage problems, and structural behavior measurements) and four elements
describing the damage potential (capacity, hydraul ic height, hazard
potential/hydrologic adequacy, and seismic zone). Each element is scored
on a scale of 0 to 9 with 0 being the most favorable value.
During the evaluation a list of recommendations for upgrading the dam
is made and their significance is represented by a weighting system (USSR,
1980). The sum of the weights for all recommendations is added to the SR
to give a "SEED" value which is used to rank the dam with respect to other
dams.
4.3.2 Quantitative methods.
Quantitative procedures for screening
level risk assessment of dams have been developed by Stanford University
for the Federal Emergency Management Agency (McCann et al., 1985) and by
MIT (Vanmarcke and Bohnenblust, 1982). The framework for both procedures
is similar to that described in Section 2.2. Each is summarized below.

167

The Stanford procedure is divided into three parts. The first part
involves identification of the expected losses from dam failure and
uti 1 i zes the information which is usually required for a Phase I
inspection of the National Dam Safety Inspection Program.
It involves
collection of data, estimation of the probabil ity of failure of the dam
due to various initiating events, dam breach modeling and flood routing,
and estimation of direct economic losses.
In the second part of the procedure the expected loss due to dam
failure is estimated from the failure probability and economic loss
estimates in the first part. Under the third part the cost and degree of
safety improvement for each rehabil itation alternative is considered.
Thi s information is presented on a cost-effectiveness basi s in order to
rank a portfol io of unsafe dams for the expenditure of 1 imited remedial
action funds. Since ranking is the objective of the Stanford procedure it
emphasizes standardized methods of analysis which can be expected to lead
to reasonably consistent and reproducible results.
Typically these
methods are simpl ifications of what would normally be done at the design
stage.
The MIT Screening Procedure is simil ar to the Stanford approach. It
is illustrated by a case study in which 16 Vermont dams are ranked for
remedial action using information available in inspection reports from the
National Dam Inspection Program.
The updating of historical
frequency/empirical probability estimates of dam failure using information
contained in the inspection reports using a Bayesi an procedure is
ill ustrated.

A framework for design level methods of risk assessment for dams was
proposed by Bowles et al. (1978) and was detailed by Howell et al. (1980).
A related approach was developed by the U.S. Bureau of Reclamation (USBR)
and has most recently been described by the USBR (1986). The design level
approach has been in use by the Engineering and Research Center of the
USBR for several years and by the writer in conjunction with risk-based
assessments of remedial action alternatives at several dams.
The USBR approach is divided into two major phases:
a hazard
assessment and a risk cost analysis of rehabilitation alternatives for
existing dam or design alternatives for new dam.
In the first phase the
consequences of dam failure are evaluated in order to establish the
minimum acceptable level of protection for an existing structure.
For
most dams this minimum protection level will be determined largely by the
consideration of potential life loss assuming that an effective warning
system and emergency action pl an has been adopted. For a new structure
the maximum loading conditions of the PMF for the inflow design flood and
the MCE for seismic loading would normally be used.
Once the minimum acceptable level of (protection) loadi ng before
failure has been selected, the risk cost analysis is performed to
determine whether or not higher levels of protection can be economically
justified.
The risk assessment follows the basic steps described in

168

Sections 2.2 and 3 of this paper and is illustrated by a hypothetical
example in USBR (1986).
Although the overall framework for the USBR approach resembles that
of the Stanford or MIT screening approaches the methods of analysis and
probability and consequence estimation are more detailed and correspond to
those normally used at the design stage of dams. A cruci al factor in the
successful performance of design level risk assessments is the
incorporation of professional judgment in the identification of
rehabil itation alternatives, identification and evaluation of failure
modes and outcomes, the subjective estimation and updati ng of
probabilities, the performance of meaningful sensitivity studies, and the
interpretation of risk assessment results.
Therefore, it is essential
that qual ified and experienced professionals, who would normally be
responsible for dam design, should also be responsible for design level
dam risk assessments.
5.
5.1

ADVANTAGES AND COMMON OBJECTIONS
Advan3~

Proponents of quantitative risk assessment of dams argue that it
provides a comprehensive framework for the evaluation and presentation of
dam design or remedial action alternatives. It requires the consideration
of the interaction between initiating events, failure moces, possible
outcomes, exposure conditions and consequences over the full range of
magnitudes of each.
Therefore, it aids in the identification of which
factors (e.g., loading types, failure modes, and exposure factors), or
ranges of factors, contribute most to the total risk associated with dam
failures, and which options are most promising or cost effective for
achieving risk reduction.
Presentation of the results of a quantitative risk assessment
provides a concise and systematic display of the economic and noneconomic
consequences of each al ternative which is considered.
The open
presentation of all alternatives requires a high degree of objectivity in
both the presentation and the supporting analyses.
The effects of
uncertainty in both the analyses and the exercise of professional judgment
can be displayed in a manner which allows for understanding of the degree
of technical confidence in the risk assessment.
In fact the rational
framework of risk assessment leads to clear documentation of the
information necessary for a good appreciation by lay people of the
significance of complex technical issues.
It, therefore, facilitates
constructive debate among opposing parties in the decision making process.
The information obtained from a risk assessment is an input to the
decision making process, and not the decision itself.
The decision maker can readily compare risk of failure at one dam
with that at another, or with the risk associated with other types of
publ ic works projects.
Also he can compare estimated risks with
acceptable risk criteria and can consider such quantitative measures as
est imates of risk reduction, residual risk, benefit cost ratios, cost
effectiveness or cost to save a life. Such measures can provide a useful

169

input to decision making on dam safety which is often a very emotional and
pol itically sensitive issue.
As the information base avail able to the
analyst grows, a risk assessment can readily be updated to include revised
estimates of probabilities and consequences, changes in uncertainty
bounds, new insights into the likely performance of the structure, or new
alternatives to be evaluated.
5.2

Common Objections

Frequently those unfamiliar with, or unconvinced about, the merits of
the risk assessment approach to the evaluation of dam safety will focus
attention on the 1imitations of the approach.
Al so, on occasion their
objections are based on misconceptions about the approach.
An ex amp 1e of the 1atter is the statement that "ri sk assessment
diminishes the role of engineering judgment."
This statement has been
made by some highly experienced engineers who fear that risk assessment is
an attempt to replace professional experience and judgment with automatic
decision rules which imply a level of knowledge of dam structure
performance which they know is currently beyond our reach. The truth is
that there can be no meaningful risk assessment of a dam without the
involvement of highly competent and experienced dam designers, geological
engineers, hydrologists, and others.
A risk assessment can only be as
good as the input provided by these professionals.
The risk assessment
approach requi res the quantification of the judgments of these
professionals and this can only be effectively achieved through involving
them in the entire risk assessment erocefs. The risk analyst can help to
manage the collection and synthesl s 0
information provided by dam
engineering professionals, but he can never substitute for the role of
experienced professionals. Under the risk assessment approach the role of
such professionals is expanded rather than diminished, since a much wider
range of loadings and other conditions is considered than would
traditionally be the case under the traditional "worst case" approach to
design.
In a simil ar vein, it is sometimes pointed out that "deterministic
approaches to analysis and design are time-tested and that no competent
professional can be expected to replace them with new probabilistic
methods until these have been similarly proven."
It is unlikely that
anyone would disagree with this statement. However, it should be pointed
out that an important basis for the inputs to a comprehensive ri sk
assessment is the deterministic analyses of slope stabil ity, dynamic
structural stability, dam break, flood routing, seepage, etc. Where new
analytical probabilistic methods are available they should be run in
parallel with the deterministic approaches in order to establish a basis
for their evaluation for potential future use.
Other commonly expressed objections to the risk assessment approach
focus on its present limitations. These include the fact that probability
and statistics are not broadly understood and are viewed with suspicion by
many. This objection is not a fundamental limitation of the approach, but
rather a handicap to its rapid acceptance which must be addressed by those
who pioneer its use.
In the long term it presents a challenge to
educators to better prepare the public to understand and deal ration~ly

170

with risk which impacts virtually every aspect of our lives.
Another
objection is that engineers, geologists and other professionals are
generally inexperienced at making subjective probability estimates. This
is certainly a val id concern and one that the pioneers in this field are
having to address.
Sensitivity analysis should be used to assess the
relative importance of errors in subjectively updated or estimated
probabil it.ll estimates.
Others express concern that the use of risk assessment implies
acknowledgment that there is "some chance of a dam failure occurring."
However, thi s fact is unchanged whether or not a ri sk assessment is
performed.
It would seem preferable to systematically identify and
examine all "reasonably probable" failure mechanisms and to invest wisely
in safety improvement measures rather than deceive ourselves that the
chance of dam failure is mysteriously reduced if we do not acknowledge
that such a possibility exists.
Currently, certain causes of dam failure, such as inadequate grouting
of an abutment, or piping of an embankment cannot be adequately assessed
with analytical tools and therefore the basis for their inclusion in a
risk assessment is highly subjective. However, this is not an inadequacy
of risk assessment per se, but rather of the current state-of-the-art in
dam engineering.
Another topic which is highly sensitive is the incorporation of life
loss potential into a risk assessment. Dam failure frequently results in
the loss of human life. No one would dispute the undesirability of this
anymore than they would dispute the undesirability of people losing their
lives from any other accidental cause. However, risk is unavoidable. It
is only the degree of risk which we can control, and then we are subject
to 1 imitations of how much safety we can afford to purchase. In the case
of dam safety the lives threatened are not necessarily those of the direct
beneficiaries of the presence of the dam and reservoir, and therefore they
are usually considered to be exposed to the risk of dam failure
involuntarily.
At one extreme of thi s sensitive topic are those who would advocate
placing an economic value on life and thereby integrating life loss into
an overall economic assessment of the consequences of dam failure. At the
other extreme are those who would require that the risk of life loss from
dam failure should be reduced to zero, which of course, is an impossible
requirement, although it can be approached as the investment of funds to
save a 1 ife become "infinitely" large. Obviously as individual s and as a
society we cannot afford such levels of safety.
However, the simple
inclusion of the value of 1 ife into an economic evaluation appears to be
equally unattractive, and even imnoral. On the other hand, to ignore the
issue implies a zero value of life which is obviously an unacceptable
alternative also.
Risk assessment does not require its users to take either extreme
position, or any other position on this issue. But as with the idea of
accepting some, albeit very small probability of dam failure, it does
enable us to openly address the issue in such a way that high levels of
human safety should be achieved with cost effectiveness. If the potential

171

life loss. from a dam failure is significant, then a hazard evaluation
would suggest the use of probable maximum flood and maximum credible
earthquake design criteria.
In other cases the most significant
reductions in the probability of life loss often can be made through the
nonstructura1 approach of a monitoring system, emergency warning system,
and evacuation plan.
Such systems are typically quite inexpensive to
design, install, and operate relative to the cost of structural measures.
If these systems can be used to reduce the probabil ity of 1 i fe loss to
very small levels, then the main basis for a decision on selection between
.structura1 alternatives for rehabilitation can be economic.
6.

CONCLUS IONS

None of the limitations to the risk assessment approach which have
been identified to date appear to warrant dismissal of the approach.
Further research is needed in order to develop improved approaches for
dealing with them, but meanwhile application of risk assessment to dams
can provide valuable insights into the choices available to the decision
maker. Such research can be effectively conducted through collaboration
between universities and experienced practicing dam engineers in the
public and private sector. Joint case studies on actual dams can be an
effective means for developing improvement in the risk assessment
approach.
The need for providing engineers and other professionals with better
backgrounds in probability and statistics has already been identified.
For the next gener at i on of professional s thi s need can be addressed
through the undergraduate and graduate curricula, but for the present
generation of professionals, workshops and short courses will be needed to
familiarize these individuals with the utility of risk-based approaches.
Related to the topic of education is the challenge of communicating
the results and conclusions of a risk assessment to the lay public and to
decision makers. In this regard, carefully prepared graphics and tabular
presentations combined with the use of analogies to more familiar business
and insurance situations can be very effective. Even when provided with
quantitative risk estimates, individuals are highly influenced by their
perceptions of the risk even if these are at variance with the estimates
obtained from a formal ri sk assessment performed by highly experienced
professionals.
An excellent example of this is in the nuclear field.
Just what the role of perceived risk should be in the field of dam safety
decision making needs to be defined.
Ri sk assessment should be recogni zed as a part of the overall cycl e
of risk management referred to in Section 2.1 of this lecture. The cost
effectiveness of nonstructural measures for improving and "managing" dam
safety should be remembered (see Fig. 4). Such measures include operator
training for detection of problems with a dam, frequent safety inspections
by qualified professionals, steps to limit growth of downstream
development in the potential inundation area, and implementation and
updating of an emergency action plan.

172

Successful appl ication of ri sk assessment and ri sk management
approaches to evaluating dam safety requires a combination of the skills
of experienced dam design professionals and risk analysts.
At this time
pioneering work has been completed or is currently underway on the
appl ication of design level risk assessment approach to evaluating
remedial action alternatives on several dams.
It is a field with both
technical and communications challenges but when properly used it can be a
valuable tool, particularly for those responsible for deciding remedial
action at existing dams.
Risk assessment can be expected to lead to
improved dam safety and more effective use of limited funds av~ilable for
rehabilitating existing dams.
ACKNOWLEDGMENTS
The ideas presented in thi s paper have developed over approx imate 1y
ten years as the result of a series of research projects and consulting
assignments in which the writer has been involved. The writer wishes to
acknowledge the important role that the following of his colleagues have
had in the development of these ideas: Dr. Loren R. Anderson, Dr. Ronald
V. Canfield, and Dr. Terry F. Glover.
REFERENCES
Bowles, D. S., L. R. Anderson and R. V. Canfield (1978) A systems approach
to risk analysis for an earth dam, Proceedings of 0:!,e International
~J)~~'3on Ri~and •.~.!..i.JE.-u.!..1:,L2!l-Water .~~~~pater100, Ontano,
canaua, 1 pp.
Bowles, D. S. and H. Y. Ko, Eds. (1984) Probabilistic characterization
soil properties, American Society o!.• Ci'd..J._Engill.~~Ls_, 182 pp.

of

Gershon, M. and L. Duckstein (1983) Multiobjective approaches to river
~;:~~. planning, ~~~~LJ3~~!:.!..J:l?!!:...-?~£.J:!.9.!:., Vol. 109, No.1, pp.
Hagen, V. K. (1982) Re-evaluation of design floods and dam safety,
Tran s ac t i o.n s 0f._..!..4.~._r..!!.! ern2lli!1..E-Lf.<!.!!9L~~...2.']_12!"9!._Q2!:'!?_.
Haimes, Y. Y. and W. A. Hall (1974) Multiobjectives in water resources
systems analysis: the surrogate worth trade off method, Water Resour.
Res., Vol. 10, No.4, pp. 615-624.
------.
Howell, J. C., L. R. Anderson, D. S. Bowles and R. V. Canfield (1980) A
framework for risk analysis of earth dams, Report submitted to Water and
Power Resources Service (U.S. Bureau of Reclamation), Engineering and
Research Center, Denver, Colorado, 87 pp.
Jaske, R. T. (1985)
FEMA's computerized aids for accident assessment,
Preprint No. IAEA-SM-280/85, International Symposium on Emergency
Plannlng ano~eparednesS-~uclear Facilities, Rome, Italy.

173

Keeney, R. L. and H. Ra i ffa (1976) Dec i si ons with Mulli pl~~~!.i.~~,
John Wiley, New York.
O'Riordan, T. (1979) Environmental impact analysis and risk assessment in
a management perspective, In: Emer~ency Risk Management, Edited by G.
T. Goodman and W. D. Rowe, Academlc ress, ~ew York, p.~.
Pate-Cornell, M. E. and G. Togaras (1986) Risk costs for new dams:
economic analysis and effects of monitoring, Water Resour. Res., Vol.
22, No.1, pp. 5-14.
-------~..
Rowe, W. D. (1977) An Anatomy of

Rl~~,

Wiley, New York.

Sharp, K., L. R. Anderson, D. S. Bowles and R. V. Canfield (1981) A model
for assessing slope reliability, Invited paper in Frost Action and Risk
Assessment in Soil Mechanics, Transport~tio_1! Res~2.~ch R~orc!'.§.9i, pp.
70-78.
u.S. Bureau of Reclamation (1980) Safety. Evaluation of.E_ist3.JJ.~~_
(SEEDl., Government Printing Office, Washington, D.C.
U.S. Bureau of Reclamation (1986) Guidelines to decision analysis, ACER
Technical Memorandum No.7, Denver, Colorado.
u.S. Department of Interior (1982) Guidelines for determining flood flow
frequency, Bulletin No. 17B, Hydrology Subcommittee, Interagency
Advisory Commlttee on Water Data.
University of Southern Cal ifornia (1985) Evaluation of risk assessment
methodologies for prioriti zing remedial dam safety projects, Final
Research Report submitted to National Science Foundation.
----Vanmarcke, E. H. and H. Bohnenblust (1982) Risk-based decision analysis in
dam safety, Report No. R82-11, Massachusetts Institute of Technology.
Yen, B. C. (1986) Rel iabil ity of hydraul ic structures possessing random
leading and resistance, In: Engineering Reliability and .!U.~~in Wat~!:.
Resources, Edited by L. Duckstein and E. Plate, Martlnus Nijhoff
Publlshers BV, Dordrecht, The Netherlands.