7
Consideration of Risk in Dam Safety Evaluations
INTRODUCTION
This report is concerned with risks arising from two types of events in the
environment external to dams: extreme floods and earthquakes. Obviously
dams and, consequently, the owners and others dependent on dams are
subject to many sources of risks other than floods and earthquakes. A consid-
erable number of these risks, including risk of dam failure from whatever
cause, can lead to legal liabilities. The subject of legal liabilities and how
they may be incurred is discussed in Chapter 8. This chapter compares the
risks of dam failure with other man-made risks and includes discussions on
the nature of risks from extreme floods and earthquakes, the attempts to cope
with such risks, and how society has handled other types of risk with simi-
larly potentially serious consequences.
RELATIVE IMPORTANCE OF RISK OF DAM FAILURES
There are some data that compare the impacts of dam failures to the
impacts of other man-made and technological hazards in terms of a number
of risk-related parameters. One study (U.S. Atomic Energy Commission,
1974) presents data in terms of annual probability of numbers of fatalities
resulting from several man-made disasters, including dam failures. There it
was concluded that deaths are considerably more likely to result from dam
failures than from nuclear power plant disasters. Also in terms of 100 or
fewer fatalities resulting from a single event, it was concluded that dam
failures presented less threat than several other disasters, such as air crashes,
fires, and explosions. However, it is noteworthy that of all the disasters on
which data were presented for fatalities resulting from a single event, dam
failures were shown to pose the greatest threat. Specifically, the study indi-
cated that a dam failure causing 1,000 deaths might be expected on the
average of once in less than 100 years. More recently, Christoph Hohenemser
presented a discussion (Covello et al., 1983) on an approach to describing
risk in terms of 12 dimensions of hazard for 93 types of technological hazards,
including dam failures. Three of the dimensions are of particular interest:
"population at risk" (i.e., people in the United States exposed to the hazard);
"annual mortality" (average annual in the United States); and "maximum
potentially killed" (maximum credible number of people that could be killed
in a single event). Information presented indicates that the total population
at risk from dam failures is in the same range (10 million to 100 million) as
from several other hazards, such as fireworks accidents, skyscraper fires,
train crashes, smoking, toxic effects from asbestos spray, and radiation from
nuclear wastes. Further, the information indicates that the maximum number
of people who could be killed in a worst event is probably greater for dam
failures than for almost any other kind of hazard. Only a few hazards (principally
those related to nuclear and war activities) are indicated to have potential
for killing more people in a single event. Thus, many people both
individually and collectively are potentially at risk from dam failures.
This would seem to underscore the importance of good dam design, mainte-
nance, and safety programs in a safety conscious society. Data on annual
mortality may suggest that these objectives are generally being achieved.
According to Hohenemser, on the average, the number of deaths resulting
from dam failures in the United States annually is in the range 10-100. This is
in the same range as fatalities from dynamite blast accidents (where the
population at risk is far fewer) and elevator falls (where the population at
risk is greater). Many more deaths result from appliance accidents, commercial
airline accidents, radiation from medical x-rays, train crashes, and
about 30 others of those 93 causes tabulated. On the other hand, it is noteworthy
that, according to Hohenemser, the annual mortality from bridge collapses
(and a relatively few of the other hazards such as polychlorinated
biphenyls, radiation from nuclear reactors, and a few others) is fewer than
10 in the United States, while the population at risk is greater than for dams.
Others have noted that most catastrophic dam failures have been caused by
site-specific factors that are not necessarily applicable at other sites. For such
reasons it is difficult to compare historical records of fatalities resulting from
dam failures with those brought about by other causes. While it is difficult to
draw any conclusions relevant to the charge of this committee, it is clear
(from these data and from our own intuition and experience) that dam
SAFETY OF DAMS
failures represent a relatively low chance but great impact type risk to people
and property. This low chance of failure can probably be attributed in
general to good engineering design and construction of dams.
These data are designed to provide a rough comparison of hazards, probabilities
of occurrence, and current outcomes across a number of areas. One
cannot draw a direct conclusion regarding whether the risk management in
one area is optimal or even satisfactory. The committee believes that risks
should be managed by balancing the benefits of additional safety against the
costs of achieving the lower risks. The above data contain no information on
either the additional safety that would be possible in each area or the addi-
tional cost of enhancing safety. Thus, these data have no direct interpreta-
tion in terms of what would be optimal or even satisfactory safety goals for
dams. However, they provide evidence of the outcomes of risk management
in various areas and of what society seems willing to tolerate in terms of
current hazards, probabilities of occurrence, and outcomes.
THE DESIGN PROCESS
The design of a structure (or machine) may be described simply and
concisely as (1) finding the loads that the structure will bear and (2) proportioning
the component elements to withstand those loads. This simple explanation
may imply that the process is direct, the future loading can be
determined, no judgment on the part of the designer is required, and the
finished design involves no risks. This is not true. Few structures are so
simple that the designer need not apply judgment. Also, the designer nor-
mally works with codes and standards that include allowances, based on
past experience, for variations from the design model in such aspects as
loadings, ultimate strengths, and workmanship and provide a factor of
safety in all designs.
When it is attempted to design for extreme floods and earthquakes, the
process becomes much more involved. At the present level of knowledge of
extreme floods and earthquakes, the outstanding characteristic of such
events is their indeterminacy. The only clues as to what may be expected in
the future lie in man-made records and in physical evidence of past events,
such as large earthquakes, extreme floods, and high rainfalls. But, whatever
the future may bring, it will not exactly duplicate the past. From available
evidence, estimates can be made of the probable maximum limits of future
floods and earthquakes, but the size and timing of extreme floods and earth-
quakes cannot be certain. Hence, any such design involves an unknown, a
risk factor.
As described more fully in Chapters 5 and 6, two basic approaches have
evolved for providing estimates of extreme hypothetical flood and earth-
quake loadings. The deterministic approach is a procedure that seeks by
analyses and reasonable combination of the causative processes to estimate
the magnitude of a hypothetical flood or an earthquake at the dam site that
has little or no chance of being exceeded. However, experience has shown
that, as more data become available, estimates of such extreme events also
change. The probabilistic approach seeks, by statistical study of past histori-
cal events, to estimate the return periods or annual probabilities of occur-
rences of extreme hypothetical flood or earthquake events of various
magnitudes. Such estimates, also, have changed, sometimes radically, as
more data have become available.
Both the deterministic and probabilistic approaches to establishing design
requirements for floods and earthquakes have deficiencies. However, when
considering resource allocations, the probabilistic method has one basic
advantage: it furnishes estimates of frequency of occurrence of the design
event. Of course, even if reliable estimates of probabilities of future flood or
earthquake events at a dam site are established, there remains the problem of
selecting the frequency of event appropriate for design.
COMPARISONS OF RISK MANAGEMENT STANDARDS
An attempt has been made to compare the current criteria for analysis of
safety of dams against extreme floods and earthquakes with standards of
other groups, particularly federal agencies, for management of other types
of risks having similar potential social impacts. It was found that each such
standard is so specific to the subject matter and practices of its particular
fields that cross-discipline comparisons are difficult.
The federal government became active in risk management in a major
way only recently. While some regulation of ship safety goes back more than
a century, and the Food and Drug Administration (FDA) was created in the
early part of this century, federal safety regulation is largely a product of the
period since 1966. Just prior to that date, FDA was given a major increase in
its responsibilities to actively regulate the safety of food and drugs. The year
1966 marked the creation of the National Highway Traffic Safety Adminis-
tration. In short order there followed the creation of the Environmental
Protection Agency (EPA), the Occupational Safety and Health Administra-
tion (OSHA), the Mine Health and Safety Administration (MHSA), and the
Consumer Product Safety Commission (CPSC).
As discussed in The Strategy of Social Regulation (Lave, 1981), it seems
that Congress, assuming that increasing safety would be easy and cheap,
often has mandated that safety be achieved within a few years of creating a
program and rarely thought about the cost of achieving safety. With a few
exceptions, Congress does not specify the safety goal. One exception is the
Delaney clause of the Food, Drug, and Cosmetic Act, in which the goal is
zero risk and is impossible to achieve.
The area of federal risk management has been characterized by contro-
versy. Virtually every new regulation or agency decision is challenged in
court, often with one party arguing the decision is too stringent and another
party arguing that it is not sufficiently safe. This has led agencies to be
intentionally vague about their safety goals; they have tried to avoid com-
mitting themselves or even being terribly specific about the goals for a spe-
cific decision. Thus, what follows is a review of staff practices, of particular
standards, more than of official agency policy as set out in the Federal
Register. This is particularly true for EPA and FDA.
There has been a recent review of agency attempts to comply with Execu-
tive Order 12291 requiring benefit-cost analysis of major (more than $100
million) agency decisions (Dower, 1983). Dower characterizes agency practice
on assigning values to physical measures of benefits. While this is not
directly part of agency safety goals, it is closely related. He reports that the
Federal Aviation Administration (FAA) does explicit translation of prema-
ture deaths into dollars. Other agencies do some translation but do not use
the dollar estimates in making official decisions.
The Nuclear Regulatory Commission went through a formal process to
define safety goals for nuclear power plants. The agency formally adopted a
goal that the risk of cancer in the most exposed population due to nuclear
power would not be an increase in the cancer risk of more than 0.1 percent,
or no more than one additional cancer in a background level of 1,000 can-
cers. This goal proved controversial in two senses. The first was that it is not
clear how to translate the goal into individual engineering standards for
nuclear reactors. The Nuclear Regulatory Commission hopes to slowly work
through a process where this goal will be a direct guide to their regulatory
staff. The second was that some consumerists claimed that this safety goal
was insufficiently stringent. One of the commissioners pointed out this goal
would sanction thousands of deaths due to nuclear power during this cen-
tury, if many additional reactors are built and the exposed population is
large.
Many of the agency risk statements are not goals so much as statements of
what is a de minimis risk level. The Supreme Court vacated the OSHA
benzene standard in 1980 on the grounds that OSHA had not found that
occupational exposure to benzene constituted a "significant risk" at the prior
standard. Reasoning that the law does not concern itself with trivia, the
plurality of the court appeared to adopt a principle that would apply to all
federal agencies: the agency must first find that the risk is "significant"
before it can act. Accordingly, agencies have attempted to work toward a
definition of what is a significant risk or what is a de minimis risk.
The FDA has had a difficult time with the absolute nature of the Delaney
clause. To deal with contaminants in food colors, the FDA promulgated a
rule that would allow carcinogenic contaminants if the resulting risk were
small, perhaps one additional cancer in one million exposed people over
their lifetimes. In general, this risk level of one in one million seems to be a
sort of level to distinguish what is a negligible risk from one worth taking
action on.
The EPA has adopted a similar approach. The Carcinogen Assessment
Group has evolved rules within the group that specify a risk level of one in
one million or one in 100 thousand as being the rule of thumb to distinguish a
negligible risk.
The FAA specifies the failure rate for commercial aircraft components.
Each component is to have a failure rate less than $10^{-9}$ per hour ($9 \times 10^{-6}$
per year). About 100 persons are killed in commercial airline crashes each
year in the United States, although presumably, a small proportion of these
are due to equipment failure, as distinct from human error.
When EPA enforces statutes for control of toxic substances and pesticides,
the staff is instructed to balance the benefit of the product against the health
risk. This leads to a much lower level of safety than is used for air or water
pollutants under EPA statutes. Similarly, the FDA regulates drugs with the
same sort of risk-benefit trade-off. If a drug is effective and there is no other
effective drug that has less undesirable side effects, then the FDA will ap-
prove even drugs with extremely high risks, such as drugs for chemotherapy
for cancer.
All of the agencies seem to require greater safety when many people could
be killed at the same time. That is, they are more risk averse where many
people are simultaneously at risk.
RETROFITTING TO MEET NEW STANDARDS
Many dam owners, including federal agencies, have found that dams
built years ago fail by considerable margins to meet current agency stan-
dards for new dams. Many spillways at existing dams are deficient in light of
such current standards. A much smaller but significant number of existing
dams is suspected to present problems under earthquake loading standards
currently used for design of new dams. No complete estimate is available for
the cost of upgrading existing dams in the United States to meet current
criteria for new dams, but it is evident that such costs could mount into the
billions of dollars.
As noted elsewhere, as we continue to collect data on extreme rainfalls,
floods, and earthquakes, we can expect our estimates of maximum events to
be adjusted generally upward, resulting in even more dams that fail to meet
the current criteria for new dams. Also, in general, the cost of retrofitting an
existing dam to provide additional spillway capacity to pass a new design
flood (as the result of a new probable maximum flood (PMF) estimate) can
be expected to be higher than providing the same increase in capacity in a
new dam. The same situation is usually found when considering upgrading
an existing dam to meet current earthquake criteria. The question arises,
then, whether safety standards for new dams should be applied to retrofit-
ting existing dams. The problem is a very general one for risk management.
New information can tell us that the risk of a technology is different from
what we thought it was when we adopted certain criteria. Should this
trigger corrective action for an existing structure? The answer ought to
depend on the amount of risk and the cost of correction. The committee
believes that risk management decisions should be based on a balancing of
benefits and costs. Insofar as the costs of enhancing safety are much larger for
an existing dam than for one about to be built, this balancing would call for less
safety in the existing dam. This is not to say that an unsafe dam would be
tolerated, but that new dams would be designed to be "extremely" safe while
existing dams were only retrofitted to be "very" safe.
How do other federal agencies deal with analogous problems? The answer
is that all of them in fact distinguish between what is required of new
installations and what is required in terms of retrofitting or remedial action.
For various reasons, very few agencies have formal decision methods to
apply for this purpose. In such decisions, government agencies are faced
with problems of achieving balance between two social principles: equity
and efficiency. Equity demands that all citizens be treated similarly. Effi-
ciency demands that government not be unduly disruptive of legitimate
actions of its citizens.
Peter Huber has examined the legal and regulatory aspects of this old-new
risk situation in a perceptive manner (Huber, 1983). The following are
extracts from his article in the Virginia Law Review:
Federal systems of risk regulation subtly but systematically distinguish the devils
we know from the ominous unknown. An old risk-new risk double standard pervades
regulatory statutes and decisions construing them. In a rough way the distinction
between old and new risks makes good economic and political sense. Regulation of
old risks presents problems and costs different from those encountered in regulation
of new risks. In practice, however, the old-new division is usually ad hoc, inade-
quately developed, and inconsistently applied.
Risk-regulating statutes of all types share one common characteristic: they divide
the regulatory universe between "old" and "new" sources of risk. What do "old" and
"new" mean? For the present, a rough intuitive definition will suffice. Old risks are
those to which society has been widely exposed before Congress or an agency finds
federal regulation necessary. These risks are associated with products already on the
market, with entrenched economic interests, or with an established technology. New
risks loom on the horizon, threatening to undermine the perceived safety of the status
quo. They include new sources of exposure to an old type of hazard, such as a new
aircraft design, as well as risks associated with new technology such as nuclear
power. Old risks are risks which society has already embraced or come to tolerate;
new risks are those tied to unrealized opportunities.
If the difference between old and new risks is easy to explain, the cause of the
systematic division of the two is not. The reasons underlying that division are a
central focus of this chapter. Old risks derive from settled production and consump-
tion choices and from established technology. Their regulation therefore often faces
large economic and social obstacles and incurs transition costs. As the Food and Drug
Administration (FDA) learned when it attempted to ban saccharin, old risks have
identifiable and self-aware constituencies. New risks, on the other hand, may be
regulated with less direct disruption of settled expectations. Their regulation incurs a
different type of costs—lost opportunity costs. Lost opportunity costs are usually
difficult to measure, and the bearers of these costs may be neither identifiable nor
self-aware. As a result, the political costs of new-risk regulation may be compara-
tively low whether or not the economic costs of new-risk regulation are significant.
Regulatory statutes thus systematically treat new risks more stringently than old
ones.
Dividing the risk universe between old and new sources may seem reactionary,
showing an irrational bias against technological change. Yet, the division grows from
the usually correct assumption that transition costs are higher than lost opportunity
costs. In addition, the division seems politically inevitable. Congress is simply un-
willing to improve our risk environment without carefully attending to the impact
on established expectations. On the other hand, Congress is quite willing to resist
deterioration of that environment with disciplined firmness.
One agency, the Nuclear Regulatory Commission, did consider a formal
criterion for addressing this problem when it was proposing its quantitative
safety goals (U.S. NRC, 1981). In essence, it was suggested that all new
nuclear reactors should be required to meet certain safety goals; however,
when analysis of existing reactors showed the safety goals were not met, the
required action would depend on the level of excess risk. While the proposal
was not passed, it is described here as a unique example of one attempt to
relate quantitatively relative levels of risk to required response. It was proposed
that, if the risk exceeded the goals by a factor of 300 or more (e.g., goal
of $10^{-5}$, but indicated risk of $3 \times 10^{-3}$), immediate corrective action would
have to be taken "within days"; where risk exceeded goals by a factor of 10-100,
action must be taken "within months"; if by a factor of 3-10, action
within years, and if by a factor of less than 3, action must be considered.
The Federal Aviation Administration comes closer to using a formal
method than any other agency surveyed. If a risk is determined to mean a
failure rate of 1 in 1 billion hours (1 in 114,155 years) or less, then it is
considered extremely improbable or sufficiently remote not to take corrective
action. For greater risks, action is determined by a benefit-cost analysis.
Benefit-cost analyses could show that a new safety device makes sense on
new aircraft but not on older aircraft because of the greater cost of retrofit-
ting.
The Occupational Safety and Health Administration does not officially
treat new plants and old plants differently. Obviously, it would be socially
unacceptable for a federal regulatory agency to adopt policies that explicitly
advocate allowing some workers, doing the same work for similar wages, to
be regularly exposed to greater risks than other workers just because they
worked in a plant that was more costly to make safe. In fact, however, when
OSHA promulgates a standard (as they did for lead exposure), individual
firms have managed to negotiate different phase-in schedules if they can
show they are doing the best they can to come into full compliance. OSHA
has also issued individual interim lead standards for specific smelters.
The Environmental Protection Agency also does not have a formal proce-
dure for distinguishing between the new and the existing risks, although it is
quite common for EPA to make such distinctions based on cost differentials.
Thus, for example, emission standards differ for older and newer automo-
biles, and new source performance standards for power plants show a strong
bias toward stiffer standards for new plants. Ethylene dibromide (EDB) was
banned from further use in some products but different acceptable standards
were applied to products containing EDB, varying according to their prox-
imity to human consumption. Many other EPA examples could be cited.
By contrast, examples can be cited of situations where retrofitting is re-
quired if the danger is perceived as serious and immediate or if the cost of
reducing the danger is low. Recall of automobiles to correct deficiencies
related to safety, smoke detectors in residences, sprinkler systems for hotels,
and correction of design deficiencies in commercial aircraft are some examples
of such required retrofitting. The actions of the National Highway
Traffic Safety Administration (NHTSA) illustrate that agency's approach
to the problems in deciding when retrofitting should be required.
NHTSA specifies safety standards to be applied to vehicles of a specified
model year and thereafter. To date, NHTSA has never required manufactur-
ers to recall and retrofit these safety features into existing autos. For exam-
ple, seat belts were required in 1968 and subsequent models, but prior
models need not be retrofitted. NHTSA must decide every time there ap-
pears to be a safety problem in a given model whether to require recall or to
tolerate the problem in existing cars, because the expense of recall is too
great, but must ensure that the problem is corrected in the subsequent pro-
duction.
The Federal Energy Regulatory Commission (FERC) has addressed this
problem as it relates to the higher estimates of probable maximum precipita-
tion (PMP) contained in Hydrometeorologic Reports 51 and 52 (Schreiner
and Riedel, 1978; Hansen et al., 1982) of the National Weather Service (see
Appendix A). FERC does not require reevaluation of an existing spillway at
a licensed project solely because of the higher PMP estimates if the following
conditions have been met.
· A reasonable determination of PMP has been made previously.
· A probable maximum flood (PMF) has been properly determined.
· The project structures can withstand the loading or overtopping im-
posed by the PMF.
These examples suggest that different agencies handle the problem differ-
ently, that most of them do not have a general formal criterion for distin-
guishing risk acceptabilities, but that all of them do in fact recognize the
need to be responsive to the greater costs of applying new safety standards to
what exists than of applying these standards to what we do in the future.
A different approach to evaluating risk may sometimes be appropriate to
decisions regarding an existing dam. Long-term experience with the type of
dam involved or the functions it serves may indicate a good possibility that
the dam will soon be abandoned and breached, or it may be replaced or
rebuilt. Also, we may expect that technologies for evaluating dam safety and
correcting deficiencies will continue to be developed. These considerations
may suggest that the primary determinant of need for upgrading the dam
should be its probable safety over a relatively short time in the future (say,
over a 25- or 50-year period), rather than its safety over some indefinitely
long period. Methods for determining probabilities of occurrence in definite
time periods are discussed in Appendix D.