

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




OCR for page 74
7 Consideration of Risk in Dam Safety Evaluations

INTRODUCTION

This report is concerned with risks arising from two types of events in the environment external to dams: extreme floods and earthquakes. Obviously dams and, consequently, the owners and others dependent on dams are subject to many sources of risk other than floods and earthquakes. A considerable number of these risks, including risk of dam failure from whatever cause, can lead to legal liabilities. The subject of legal liabilities and how they may be incurred is discussed in Chapter 8. This chapter compares the risks of dam failure with other man-made risks and includes discussions on the nature of risks from extreme floods and earthquakes, the attempts to cope with such risks, and how society has handled other types of risk with similarly serious potential consequences.

RELATIVE IMPORTANCE OF RISK OF DAM FAILURES

There are some data that compare the impacts of dam failures to the impacts of other man-made and technological hazards in terms of a number of risk-related parameters. One study (U.S. Atomic Energy Commission, 1974) presents data in terms of annual probability of numbers of fatalities resulting from several man-made disasters, including dam failures. There it was concluded that deaths are considerably more likely to result from dam failures than from nuclear power plant disasters. Also in terms of 100 or fewer fatalities resulting from a single event, it was concluded that dam failures presented less threat than several other disasters, such as air crashes, fires, and explosions. However, it is noteworthy that of all the disasters on which data were presented for fatalities resulting from a single event, dam failures were shown to pose the greatest threat. Specifically, the study indicated that a dam failure causing 1,000 deaths might be expected on the average of once in less than 100 years.

More recently, Christoph Hohenemser presented a discussion (Covello et al., 1983) on an approach to describing risk in terms of 12 dimensions of hazard for 93 types of technological hazards, including dam failures. Three of the dimensions are of particular interest: "population at risk" (i.e., people in the United States exposed to the hazard); "annual mortality" (average annual in the United States); and "maximum potentially killed" (maximum credible number of people that could be killed in a single event). Information presented indicates that the total population at risk from dam failures is in the same range (10 million to 100 million) as from several other hazards, such as fireworks accidents, skyscraper fires, train crashes, smoking, toxic effects from asbestos spray, and radiation from nuclear wastes. Further, information indicates that the maximum number of people who could be killed in a worst event is probably greater for dam failures than for almost any other kind of hazard. Only a few hazards (principally those related to nuclear and war activities) are indicated to have potential for killing more people in a single event.

Thus, many people, both individually and collectively, are potentially at risk from dam failures. This would seem to underscore the importance of good dam design, maintenance, and safety programs in a safety-conscious society. Data on annual mortality may suggest that these objectives are generally being achieved.
According to Hohenemser, on the average, the number of deaths resulting from dam failures in the United States annually is in the range 10-100. This is in the same range as fatalities from dynamite blast accidents, where the population at risk is far fewer, and elevator falls, where the population at risk is greater. Many more deaths result from appliance accidents, commercial airline accidents, radiation from medical x-rays, train crashes, and about 30 others of those 93 causes tabulated. On the other hand, it is noteworthy that, according to Hohenemser, the annual mortality from bridge collapses (and relatively few of the other hazards, such as polychlorinated biphenyls, radiation from nuclear reactors, and a few others) is fewer than 10 in the United States, while the population at risk is greater than for dams.

Others have noted that most catastrophic dam failures have been caused by site-specific factors that are not necessarily applicable at other sites. For such reasons it is difficult to compare historical records of fatalities resulting from dam failures with those brought about by other causes. While it is difficult to draw any conclusions relevant to the charge of this committee, it is clear (from these data and from our own intuition and experience) that dam failures represent a relatively low-chance but great-impact type of risk to people and property. This low chance of failure can probably be attributed in general to good engineering design and construction of dams.

These data are designed to provide a rough comparison of hazards, probabilities of occurrence, and current outcomes across a number of areas. One cannot draw a direct conclusion regarding whether the risk management in one area is optimal or even satisfactory. The committee believes that risks should be managed by balancing the benefits of additional safety against the costs of achieving the lower risks. The above data contain no information on either the additional safety that would be possible in each area or the additional cost of enhancing safety. Thus, these data have no direct interpretation in terms of what would be optimal or even satisfactory safety goals for dams. However, they provide evidence of the outcomes of risk management in various areas and of what society seems willing to tolerate in terms of current hazards, probabilities of occurrence, and outcomes.

THE DESIGN PROCESS

The design of a structure (or machine) may be described simply and concisely as (1) finding the loads that the structure will bear and (2) proportioning the component elements to withstand those loads. This simple explanation may imply that the process is direct, the future loading can be determined, no judgment on the part of the designer is required, and the finished design involves no risks. This is not true. Few structures are so simple that the designer need not apply judgment. Also, the designer normally works with codes and standards that include allowances, based on past experience, for variations from the design model in such aspects as loadings, ultimate strengths, and workmanship and provide a factor of safety in all designs.
When one attempts to design for extreme floods and earthquakes, the process becomes much more involved. At the present level of knowledge of extreme floods and earthquakes, the outstanding characteristic of such events is their indeterminacy. The only clues as to what may be expected in the future lie in man-made records and in physical evidence of past events, such as large earthquakes, extreme floods, and high rainfalls. But, whatever the future may bring, it will not exactly duplicate the past. From available evidence, estimates can be made of the probable maximum limits of future floods and earthquakes, but the size and timing of extreme floods and earthquakes cannot be certain. Hence, any such design involves an unknown, a risk factor.

As described more fully in Chapters 5 and 6, two basic approaches have evolved for providing estimates of extreme hypothetical flood and earthquake loadings. The deterministic approach is a procedure that seeks, by analyses and reasonable combination of the causative processes, to estimate the magnitude of a hypothetical flood or an earthquake at the dam site that has little or no chance of being exceeded. However, experience has shown that, as more data become available, estimates of such extreme events also change. The probabilistic approach seeks, by statistical study of past historical events, to estimate the return periods or annual probabilities of occurrences of extreme hypothetical flood or earthquake events of various magnitudes. Such estimates, also, have changed, sometimes radically, as more data have become available.

Both the deterministic and probabilistic approaches to establishing design requirements for floods and earthquakes have deficiencies. However, when considering resource allocations, the probabilistic method has one basic advantage: it furnishes estimates of frequency of occurrence of the design event. Of course, even if reliable estimates of probabilities of future flood or earthquake events at a dam site are established, there remains the problem of selecting the frequency of event appropriate for design.

COMPARISONS OF RISK MANAGEMENT STANDARDS

An attempt has been made to compare the current criteria for analysis of safety of dams against extreme floods and earthquakes with standards of other groups, particularly federal agencies, for management of other types of risks having similar potential social impacts. It was found that each such standard is so specific to the subject matter and practices of its particular field that cross-discipline comparisons are difficult.

The federal government became active in risk management in a major way only recently.
While some regulation of ship safety goes back more than a century, and the Food and Drug Administration (FDA) was created in the early part of this century, federal safety regulation is largely a product of the period since 1966. Just prior to that date, FDA was given a major increase in its responsibilities to actively regulate the safety of food and drugs. The year 1966 marked the creation of the National Highway Traffic Safety Administration. In short order there followed the creation of the Environmental Protection Agency (EPA), the Occupational Safety and Health Administration (OSHA), the Mine Health and Safety Administration (MHSA), and the Consumer Product Safety Commission (CPSC).

As discussed in The Strategy of Social Regulation (Lave, 1981), it seems that Congress, assuming that increasing safety would be easy and cheap, often has mandated that safety be achieved within a few years of creating a program and rarely thought about the cost of achieving safety. With a few exceptions, Congress does not specify the safety goal. One exception is the Delaney clause of the Food, Drug, and Cosmetic Act, in which the goal is zero risk and is impossible to achieve.

The area of federal risk management has been characterized by controversy. Virtually every new regulation or agency decision is challenged in court, often with one party arguing the decision is too stringent and another party arguing that it is not sufficiently safe. This has led agencies to be intentionally vague about their safety goals; they have tried to avoid committing themselves or even being terribly specific about the goals for a specific decision. Thus, what follows is a review of staff practices, of particular standards, more than of official agency policy as set out in the Federal Register. This is particularly true for EPA and FDA.

There has been a recent review of agency attempts to comply with Executive Order 12291 requiring benefit-cost analysis of major (more than $100 million) agency decisions (Dower, 1983). Dower characterizes agency practice on assigning values to physical measures of benefits. While this is not directly part of agency safety goals, it is closely related. He reports that the Federal Aviation Administration (FAA) does explicit translation of premature deaths into dollars. Other agencies do some translation but do not use the dollar estimates in making official decisions.

The Nuclear Regulatory Commission went through a formal process to define safety goals for nuclear power plants. The agency formally adopted a goal that the risk of cancer in the most exposed population due to nuclear power would not be an increase in the cancer risk of more than 0.1 percent, or no more than one additional cancer in a background level of 1,000 cancers. This goal proved controversial in two senses. The first was that it is not clear how to translate the goal into individual engineering standards for nuclear reactors.
The Nuclear Regulatory Commission hopes to slowly work through a process where this goal will be a direct guide to their regulatory staff. The second was that some consumerists claimed that this safety goal was insufficiently stringent. One of the commissioners pointed out this goal would sanction thousands of deaths due to nuclear power during this century, if many additional reactors are built and the exposed population is large.

Many of the agency risk statements are not goals so much as statements of what is a de minimis risk level. The Supreme Court vacated the OSHA benzene standard in 1980 on the grounds that OSHA had not found that occupational exposure to benzene constituted a "significant risk" at the prior standard. Reasoning that the law does not concern itself with trivia, the plurality of the court appeared to adopt a principle that would apply to all federal agencies: the agency must first find that the risk is "significant" before it can act. Accordingly, agencies have attempted to work toward a definition of what is a significant risk or what is a de minimis risk.

The FDA has had a difficult time with the absolute nature of the Delaney clause. To deal with contaminants in food colors, the FDA promulgated a rule that would allow carcinogenic contaminants if the resulting risk were small, perhaps one additional cancer in one million exposed people over their lifetimes. In general, this risk level of one in one million seems to be a sort of level to distinguish what is a negligible risk from one worth taking action on.

The EPA has adopted a similar approach. The Carcinogen Assessment Group has evolved rules within the group that specify a risk level of one in one million or one in 100 thousand as being the rule of thumb to distinguish a negligible risk.

The FAA specifies the failure rate for commercial aircraft components. Each component is to have a failure rate less than $10^{-9}$ per hour ($9 \times 10^{-6}$ per year). About 100 persons are killed in commercial airline crashes each year in the United States, although presumably, a small proportion of these are due to equipment failure, as distinct from human error.

When EPA enforces statutes for control of toxic substances and pesticides, the staff is instructed to balance the benefit of the product against the health risk. This leads to a much lower level of safety than is used for air or water pollutants under EPA statutes. Similarly, the FDA regulates drugs with the same sort of risk-benefit trade-off. If a drug is effective and there is no other effective drug that has less undesirable side effects, then the FDA will approve even drugs with extremely high risks, such as drugs for chemotherapy for cancer.

All of the agencies seem to require greater safety when many people could be killed at the same time. That is, they are more risk averse where many people are simultaneously at risk.
RETROFITTING TO MEET NEW STANDARDS

Many dam owners, including federal agencies, have found that dams built years ago fail by considerable margins to meet current agency standards for new dams. Many spillways at existing dams are deficient in light of such current standards. A much smaller but significant number of existing dams is suspected to present problems under earthquake loading standards currently used for design of new dams. No complete estimate is available for the cost of upgrading existing dams in the United States to meet current criteria for new dams, but it is evident that such costs could mount into the billions of dollars.

As noted elsewhere, as we continue to collect data on extreme rainfalls, floods, and earthquakes, we can expect our estimates of maximum events to be adjusted generally upward, resulting in even more dams that fail to meet the current criteria for new dams. Also, in general, the cost of retrofitting an existing dam to provide additional spillway capacity to pass a new design flood (as the result of a new probable maximum flood (PMF) estimate) can be expected to be higher than providing the same increase in capacity in a new dam. The same situation is usually found when considering upgrading an existing dam to meet current earthquake criteria. The question arises, then, whether safety standards for new dams should be applied to retrofitting existing dams.

The problem is a very general one for risk management. New information can tell us that the risk of a technology is different from what we thought it was when we adopted certain criteria. Should this trigger corrective action for an existing structure? The answer ought to depend on the amount of risk and the cost of correction.

The committee believes that risk management decisions should be based on a balancing of benefits and costs. Insofar as the costs of enhancing safety are much larger for an existing dam than for one about to be built, this balancing would call for less safety in the existing dam. This is not to say that an unsafe dam would be tolerated, but that new dams would be designed to be "extremely" safe while existing dams were only retrofitted to be "very" safe.

How do other federal agencies deal with analogous problems? The answer is that all of them in fact distinguish between what is required of new installations and what is required in terms of retrofitting or remedial action. For various reasons, very few agencies have formal decision methods to apply for this purpose. In such decisions, government agencies are faced with problems of achieving balance between two social principles: equity and efficiency. Equity demands that all citizens be treated similarly. Efficiency demands that government not be unduly disruptive of legitimate actions of its citizens.
Peter Huber has examined the legal and regulatory aspects of this old-new risk situation in a perceptive manner (Huber, 1983). The following are extracts from his article in the Virginia Law Review:

Federal systems of risk regulation subtly but systematically distinguish the devils we know from the ominous unknown. An old risk-new risk double standard pervades regulatory statutes and decisions construing them. In a rough way the distinction between old and new risks makes good economic and political sense. Regulation of old risks presents problems and costs different from those encountered in regulation of new risks. In practice, however, the old-new division is usually ad hoc, inadequately developed, and inconsistently applied.

Risk-regulating statutes of all types share one common characteristic: they divide the regulatory universe between "old" and "new" sources of risk. What do "old" and "new" mean? For the present, a rough intuitive definition will suffice. Old risks are those to which society has been widely exposed before Congress or an agency finds federal regulation necessary. These risks are associated with products already on the market, with entrenched economic interests, or with an established technology. New risks loom on the horizon, threatening to undermine the perceived safety of the status quo. They include new sources of exposure to an old type of hazard, such as a new aircraft design, as well as risks associated with new technology such as nuclear power. Old risks are risks which society has already embraced or come to tolerate; new risks are those tied to unrealized opportunities.

If the difference between old and new risks is easy to explain, the cause of the systematic division of the two is not. The reasons underlying that division are a central focus of this chapter. Old risks derive from settled production and consumption choices and from established technology. Their regulation therefore often faces large economic and social obstacles and incurs transition costs. As the Food and Drug Administration (FDA) learned when it attempted to ban saccharin, old risks have identifiable and self-aware constituencies. New risks, on the other hand, may be regulated with less direct disruption of settled expectations. Their regulation incurs a different type of costs: lost opportunity costs. Lost opportunity costs are usually difficult to measure, and the bearers of these costs may be neither identifiable nor self-aware. As a result, the political costs of new-risk regulation may be comparatively low whether or not the economic costs of new-risk regulation are significant.

Regulatory statutes thus systematically treat new risks more stringently than old ones. Dividing the risk universe between old and new sources may seem reactionary, showing an irrational bias against technological change. Yet, the division grows from the usually correct assumption that transition costs are higher than lost opportunity costs. In addition, the division seems politically inevitable. Congress is simply unwilling to improve our risk environment without carefully attending to the impact on established expectations.
On the other hand, Congress is quite willing to resist deterioration of that environment with disciplined firmness.

One agency, the Nuclear Regulatory Commission, did consider a formal criterion for addressing this problem when it was proposing its quantitative safety goals (U.S. NRC, 1981). In essence, it was suggested that all new nuclear reactors should be required to meet certain safety goals; however, when analysis of existing reactors showed the safety goals were not met, the required action would depend on the level of excess risk. While the proposal was not passed, it is described here as a unique example of one attempt to relate quantitatively relative levels of risk to required response. It was proposed that, if the risk exceeded the goals by a factor of 300 or more (e.g., goal of $10^{-5}$, but indicated risk of $3 \times 10^{-3}$), immediate corrective action would have to be taken "within days"; where risk exceeded goals by a factor of 10-100, action must be taken "within months"; if by a factor of 3-10, action within years; and if by a factor of less than 3, action must be considered.

The Federal Aviation Administration comes closer to using a formal method than any other agency surveyed. If a risk is determined to mean a failure rate of 1 in 1 billion hours (1 in 114,155 years) or less, then it is considered extremely improbable or sufficiently remote not to take corrective action. For greater risks, action is determined by a benefit-cost analysis. Benefit-cost analyses could show that a new safety device makes sense on new aircraft but not on older aircraft because of the greater cost of retrofitting.

The Occupational Safety and Health Administration does not officially treat new plants and old plants differently. Obviously, it would be socially unacceptable for a federal regulatory agency to adopt policies that explicitly advocate allowing some workers, doing the same work for similar wages, to be regularly exposed to greater risks than other workers just because they worked in a plant that was more costly to make safe. In fact, however, when OSHA promulgates a standard (as it did for lead exposure), individual firms have managed to negotiate different phase-in schedules if they can show they are doing the best they can to come into full compliance. OSHA has also issued individual interim lead standards for specific smelters.

The Environmental Protection Agency also does not have a formal procedure for distinguishing between the new and the existing risks, although it is quite common for EPA to make such distinctions based on cost differentials. Thus, for example, emission standards differ for older and newer automobiles, and new source performance standards for power plants show a strong bias toward stiffer standards for new plants. Ethylene dibromide (EDB) was banned from further use in some products, but different acceptable standards were applied to products containing EDB, varying according to their proximity to human consumption. Many other EPA examples could be cited.

By contrast, examples can be cited of situations where retrofitting is required if the danger is perceived as serious and immediate or if the cost of reducing the danger is low.
Recall of automobiles to correct deficiencies related to safety, smoke detectors in residences, sprinkler systems for hotels, and correction of design deficiencies in commercial aircraft are some examples of such required retrofitting.

The actions of the National Highway Transportation Safety Administration (NHTSA) illustrate that agency's approach to the problems in deciding when retrofitting should be required. NHTSA specifies safety standards to be applied to vehicles of a specified model year and thereafter. To date, NHTSA has never required manufacturers to recall and retrofit these safety features into existing autos. For example, seat belts were required in 1968 and subsequent models, but prior models need not be retrofitted. NHTSA must decide every time there appears to be a safety problem in a given model whether to require recall or to tolerate the problem in existing cars, because the expense of recall is too great, but must ensure that the problem is corrected in the subsequent production.

The Federal Energy Regulatory Commission (FERC) has addressed this problem as it relates to the higher estimates of probable maximum precipitation (PMP) contained in Hydrometeorologic Reports 51 and 52 (Schreiner and Riedel, 1978; Hansen et al., 1982) of the National Weather Service (see Appendix A). FERC does not require reevaluation of an existing spillway at a licensed project solely because of the higher PMP estimates if the following conditions have been met:

- A reasonable determination of PMP has been made previously.
- A probable maximum flood (PMF) has been properly determined.
- The project structures can withstand the loading or overtopping imposed by the PMF.

These examples suggest that different agencies handle the problem differently, that most of them do not have a general formal criterion for distinguishing risk acceptabilities, but that all of them do in fact recognize the need to be responsive to the greater costs of applying new safety standards to what exists than of applying these standards to what we do in the future.

A different approach to evaluating risk may sometimes be appropriate to decisions regarding an existing dam. Long-term experience with the type of dam involved or the functions it serves may indicate a good possibility that the dam will soon be abandoned and breached, or it may be replaced or rebuilt. Also, we may expect that technologies for evaluating dam safety and correcting deficiencies will continue to be developed. These considerations may suggest that the primary determinant of need for upgrading the dam should be its probable safety over a relatively short time in the future (say, over a 25- or 50-year period), rather than its safety over some indefinitely long period. Methods for determining probabilities of occurrence in definite time periods are discussed in Appendix D.