Recently published as a yellow paper, the revised DIN 19700 includes, for the
first time in Germany, elements of a probabilistic-based approach to the world
of reservoirs and dams. A generally conclusive regulation for the dimensioning
of the design flood for reservoir systems is set out.
The probabilistic approach has, as its long-term objective, assessment of the
failure probability of a given structure, in this case a dam, or an attempt
to quantify the risk that ensues as a result, so as to be able to:
- compare the occurrence probabilities and/or the concomitant risk of different
failure mechanisms with one another;
- recognize unacceptably high risks and to avert them; and,
- quantify the overall failure probability of the dam and the overall risk
which results from that construction.
However, this assumes that procedures capable of ascertaining failure probability
exist for all aspects of a dam construction, and for all the relevant mechanisms.
This article will therefore outline fundamental considerations, look at the
required tools, indicate gaps in our present knowledge, and attempt to give
the dimensioning of design flood its rightful place in the process.
Generally, and as seen from the deterministic approach which has been taken
until now, the safety of a structure against failure is verified by comparing
influences with resistances. Influences and resistances are thus accepted
as deterministic variables.

If the resistances are sufficiently stronger than the influences, this is
considered adequate. It is only indirectly, via the safety coefficient, that
consideration is given to the fact that both are variable. Also not taken
into consideration is the realization that overload at a particular point
need not necessarily lead to a failure of the whole structure. On the one
hand, the effects may only be local; on the other, overall function may be
only partly restricted.
In the case of a rockfill dam, for example, a slope failure at the downstream
face does not automatically lead to the spontaneous and uncontrollable escape
of water because:
- the landslip might leave the crest of the dam undamaged; or,
- the water level might be naturally low anyway (or low as a result of precautionary
measures already taken) so that the remaining portion of the dam after failure
is not overtopped.
In other words, the failure of part of a dam cannot be equated with the loss
of operational capability or, indeed, with a catastrophe waiting to happen.
As a rule (or at least more often than not) the ‘dam system’ will reveal powers
of resilience over and above partial failure.
Another example of system resilience lies in observation and measurement. Operators
are required to inspect their dams regularly and to carry out safety-related
measurements [DVWK, 1991; Ref. 1]. This safety measure
would not be stipulated if it did not promise an increase in safety levels.
In any safety analysis, then, we need more than mere proof that one component
will not fail. We need to consider the event sequences which begin with the
event triggered, and which can lead to different outcomes depending on the situation,
on the reaction of additional components (the multiple barrage principle, for
instance) and on the actions of personnel involved.
Event sequences can be systematically analysed by an event tree (or fault tree).
The example given in Fig. 1 shows one possible event sequence for erosion in
a zoned dam, and shows graphically that, in many cases, design, quality assurance
and organizational measures are involved or could be involved in the prevention
of an undesirable event.
An occurrence probability (p_fi) can be
allocated to a triggering event, just as probabilities (1 - p_fi)
can be allocated to reactions, in such a way that they are successful (Fig.
2). The overall probability of failure (those that are the paths in Fig. 2
marked with an ‘F’), thus ensues, as shown in Fig. 3.
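The calculation described above, as an added example that is not part of the original article: a small event tree for the erosion scenario in which each reaction fails with probability p_fi, the probabilities of all paths ending in 'F' are summed, and the tree is evaluated with and without seepage monitoring. The tree shape, the barrier names and every probability are constructed assumptions for illustration, not values from Figs. 1 to 3.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple, Union

FAIL, SAFE = "F", "OK"  # terminal outcomes of a path through the tree


@dataclass
class Barrier:
    """A reaction in the event tree that fails with probability p_fail (p_fi)."""
    name: str
    p_fail: float
    if_fails: Union["Barrier", str] = FAIL  # branch taken with probability p_fi
    if_holds: Union["Barrier", str] = SAFE  # branch taken with probability 1 - p_fi


Path = Tuple[List[str], float, str]  # (steps taken, path probability, outcome)


def enumerate_paths(node, p_so_far, trail=()) -> List[Path]:
    """Walk the tree and return every path with its probability and outcome."""
    if isinstance(node, str):  # reached a terminal outcome
        return [(list(trail), p_so_far, node)]
    if not 0.0 <= node.p_fail <= 1.0:
        raise ValueError(f"{node.name}: p_fail must lie in [0, 1]")
    failed = enumerate_paths(node.if_fails, p_so_far * node.p_fail,
                             trail + (f"{node.name}: fails",))
    held = enumerate_paths(node.if_holds, p_so_far * (1.0 - node.p_fail),
                           trail + (f"{node.name}: holds",))
    return failed + held


def failure_probability(p_trigger, first_barrier) -> float:
    """Sum the probabilities of all paths that end in 'F'."""
    return math.fsum(p for _, p, outcome in
                     enumerate_paths(first_barrier, p_trigger) if outcome == FAIL)


# Constructed values (assumptions): annual probability of the triggering event
# and failure probabilities of the design and organizational barriers.
P_TRIGGER = 1e-3


def build_erosion_tree(p_detection_fails: float) -> Barrier:
    """Erosion in a zoned dam: filter zone, then monitoring, then countermeasure."""
    countermeasure = Barrier("countermeasure taken in time", 0.10)
    monitoring = Barrier("seepage measurement detects the increase",
                         p_detection_fails, if_fails=FAIL, if_holds=countermeasure)
    return Barrier("filter zone retains the fines", 0.05,
                   if_fails=monitoring, if_holds=SAFE)


if __name__ == "__main__":
    for label, p_miss in (("with monitoring", 0.2), ("without monitoring", 1.0)):
        tree = build_erosion_tree(p_miss)
        print(f"{label}: p_f = {failure_probability(P_TRIGGER, tree):.2e} per year")
        for steps, p, outcome in enumerate_paths(tree, P_TRIGGER):
            print(f"  [{outcome:>2}] {p:.2e}  " + " -> ".join(steps))
```

Setting the detection failure probability to 1.0 removes the monitoring barrier, so comparing the two totals shows how a safety contribution from observation and measurement would enter the analysis once its reliability can be estimated.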

Figs. 1 to 3 indicate the formally conceivable ramifications of a single
scenario, in this case, that of erosion. A dam, however, is endangered by
all kinds of influences. ‘Hazard’ is the superordinate definition for anything
that can cause the dam not to function as designed. Hazards can lead to:
- malfunctions;
- damage; and,
- failure.
However, here we will only look at the hazards which can cause dam failure.
The total of all hazards at a specific structure is given if, in a rectangular
scheme, the components of the dam (Where?) can be entered on the one axis and
all conceivable influences (By what cause?) can be entered on the other.


Not every item in this scheme indicates a hazard, but it does permit all possible
hazards to be traced. Different items will be occupied for different kinds of
dam structures. A scheme which applies generally to dams is shown in Fig. 4;
a more compact depiction, showing the hazards relevant to the Bigge reservoir,
is shown in Fig. 5.
Each item in the compact hazard diagram is the start point for the development
of one or other of the event trees.
We have already seen from Fig. 1 that individual influences can originate
in very different spheres.
Therefore, the probability of the events and the reactions can only be determined
in a number of different ways. We usually refer to three ways:
- calculations anywhere where the physical and numerically verifiable boundaries
are present;
- the (statistical) evaluation of experiences; and,
- free assessment or engineering judgement.
Table 1 gives an overview of the hazards which might be enumerated from the
vantage point of today.
It should be stressed that this will naturally lead to varying degrees of outcome.

We will show here how in principle it is possible to derive event probabilities
from existing threshold conditions.
For materials such as soil and rock as well as concrete and steel, various
relationships are governed by the Mohr-Coulomb law which states the dependency
between compressive strength and the parameters c and φ (Fig. 6). Assuming that, for the
purposes of ascertaining failure probability of a dam slope, there are enough
adequate test results for c and φ, then these may be depicted in
an appropriate c-φ diagram as points. Both c and φ form a frequency distribution
of their own, yet both together exhibit a bell-shaped distribution across
the c-φ plane (Fig. 6). Each point on
the c-φ plane, however, also corresponds
to a specific safety value η. From this we can construct
lines of η = const (Fig. 6), one of
which, η = 1.0, touches a contour
line of the bell-shaped distribution. The point of contact indicates the failure
probability of the slope.
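A numerical version of this construction, as an added example that is not part of the original article: c and φ are sampled from a bell-shaped joint distribution, η is evaluated for each pair, and both the fraction with η < 1 and the failed sample closest to the mean (an approximation of the point of contact) are reported. The dry infinite-slope model used for η, the independent normal distributions and all numerical values are assumptions for illustration; Monte Carlo sampling is used here in place of the graphical construction.

```python
import math
import random

# Constructed inputs (assumptions for illustration, not data from the article)
C_MEAN, C_STD = 10.0, 3.0      # cohesion c in kPa
PHI_MEAN, PHI_STD = 35.0, 3.0  # friction angle phi in degrees
SLOPE_DEG = 33.7               # slope inclination, about 1:1.5
UNIT_WEIGHT = 20.0             # kN/m^3
DEPTH_M = 5.0                  # depth of the assumed slip plane in m


def safety_value(c_kpa, phi_deg):
    """Safety value eta = resisting / driving shear stress on a dry infinite slope.

    The resistance follows Mohr-Coulomb: tau_f = c + sigma * tan(phi).
    """
    beta = math.radians(SLOPE_DEG)
    overburden = UNIT_WEIGHT * DEPTH_M
    sigma = overburden * math.cos(beta) ** 2             # normal stress, kPa
    tau = overburden * math.sin(beta) * math.cos(beta)   # driving shear stress, kPa
    return (c_kpa + sigma * math.tan(math.radians(phi_deg))) / tau


def slope_failure_probability(n_samples=100_000, seed=1):
    """Estimate P(eta < 1) and locate the failed sample nearest to the mean."""
    rng = random.Random(seed)
    failures = 0
    beta_min = math.inf   # smallest distance, in standard deviations, to a failed sample
    contact = None
    for _ in range(n_samples):
        u_c, u_phi = rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)
        c = max(0.0, C_MEAN + C_STD * u_c)   # cohesion cannot be negative
        phi = PHI_MEAN + PHI_STD * u_phi
        if safety_value(c, phi) < 1.0:
            failures += 1
            distance = math.hypot(u_c, u_phi)
            if distance < beta_min:
                beta_min, contact = distance, (c, phi)
    return {
        "p_f_monte_carlo": failures / n_samples,
        "beta": beta_min,
        # First-order estimate from the contact point alone: Phi(-beta)
        "p_f_contact": 0.5 * math.erfc(beta_min / math.sqrt(2.0)),
        "contact_point": contact,
    }


if __name__ == "__main__":
    result = slope_failure_probability()
    print(f"eta at the mean values : {safety_value(C_MEAN, PHI_MEAN):.3f}")
    print(f"p_f (sampling)         : {result['p_f_monte_carlo']:.4f}")
    print(f"p_f (contact point)    : {result['p_f_contact']:.4f}")
    print(f"contact point (c, phi) : {result['contact_point']}")
```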
Over the past few years, and prompted by the goal of developing a reliability
analysis, useful probabilistic models have even been developed for physical
processes which previously avoided strict calculation.

Worth singling out as an example would be the methodology published by Witt
and Brauns [1988; Ref. 2] which describes the
erosion and filtration behaviour of earth materials. It is based on an estimation
of the probability that a fine grain in a mass of earth acting under the force
of the gradient will find a consecutive row of pores that are so large that
the fine grain can move through.
By ‘experience’ we mean here our knowledge about the frequency and size of
certain events, for example, that of flood, regional distribution and the
magnitude of earthquake events. We can also include in the same category the
statistical distribution of wind, waves, ice and rare temperature occurrences.
What is common to them all is that, from a restricted period of observation,
one has to point to extreme influences that, statistically, only ever come
about over very large time intervals. The whole problem of extrapolation from
such a series of observations need not detain us here.
Table 1 shows a series of risks and events for which the probability of occurrence
and/or failure can, at present, only be determined by engineering judgement.
This, at least in the field of reservoir management, means procedures such
as observation, measurement and inspection. We have already mentioned that
regular measurements and inspections along the dam do have a certain safety-promoting
function.
Nevertheless, it is not yet possible to quantify the benefit, which is why
it is not normally integrated into any safety analysis. This is unsatisfactory
because, even from the point of view of the economic use of resources, it
would seem reasonable to evaluate dam monitoring procedures and optimize them.
A beginning was made in the reservoir sector more than 10 years ago; however,
this work has not yet been built on [DGEG, 1988; Ref. 3].
Measurements and inspections have short-term and long-term effects on the
level of safety of a dam. Of short-term significance are those monitoring
procedures which allow for the early recognition and/or prevention of failure
scenarios which occur suddenly and without warning. Of long-term significance
are those systems which permit the behaviour of the dam to be followed over
time. In terms of reliability analysis, the former are particularly important
and should be incorporated, with priority being given to:
- seepage quantity measurement;
- the observation of water pressure in the dam and in the abutment; and,
- the observation of non-elastic movements on the slopes.
One (certainly formal) example of how this might happen for the event erosion
is shown in Fig. 1.
In this context, relatively straightforward accounts [Rissler, 1998; Ref. 4]
together with documentation on collapses which have occurred [USBR, 1977; Ref. 5;
ICOLD, 1974; Ref. 6] already show that monitoring
procedures as a contribution to the prevention of undesirable incidents have
to be very reliable in terms of time and space if they are to offer any kind
of success.
This not only applies to observations, measurements and inspections as such,
but also, to an equal extent, to the follow-up phases of ‘decision’ and ‘countermeasure’.
All of this suggests that human intervention can be especially beneficial in
the case of retrograde erosion processes and landslips in the vicinity of the
reservoir banks, whether this be aimed at prevention per se or at easing
the effects. During any evaluation for a safety analysis, one would therefore
have to weigh up whether the trio of observations, measurements and inspections
can be carried out with any kind of precision, reliability and frequency. Since
this, at the time of writing, is still most difficult to judge, we will leave
the safety-promoting effect of human intervention outside our remit.
Table 1 shows a further finding. Any reliability analysis which is conducted
before the start of construction and which includes uncertainties caused by
construction errors and serious breakdowns in communication must, automatically,
produce more unfavourable results than a similar analysis carried out at the
end of trial operations, that is, at a time when the dam has already proven
its functionality. We are dealing in both cases with the same structure, and
the failure probability as such has not changed, but the knowledge about the
behaviour of the structure has grown.
This in turn implies that any reliability analysis is time-point related. As
the above example shows, the analysis conducted in those circumstances will
lead to more favourable results, the longer the dam has been in operation. Yet
an opposite development must be taken into account as well. Structures age and,
as a result, new hazards come into play. Dams which have been in operation for
a long time are, perhaps, no longer as carefully monitored as at the beginning.
Dams can also change owners; the new management may see profit maximization
as the highest good; timely repair work may thus be postponed.
Conducting a probability-oriented safety analysis assumes that data are available
for all influences which are naturally variable, as well as data which describe
the variations. This can apply to resistances and to influences, that is,
to material parameters, to pressure, to the frequency with which certain events
occur and to the success or lack of success of control measures.
Previous experience has shown that the data situation is generally problematic
for the application of a probability-oriented reliability analysis. In particular,
if the analysis is to take place in retrospect, that is, after the period
of construction, and if, in the process, only data from laboratory trials
and field trials are used (for the purposes of identifying design parameters)
and/or from quality controls at the construction site, which are usually generated
for a deterministic evaluation, then large deficits will ensue [DGEG, 1988; Ref. 3].
As a rule, the number of samples is simply not enough to be able to define
even halfway plausible statistical parameters.

Having said that, one can permit a few simplifications without committing
any serious error. Thus, as outlined in Table 2, we can accept many influencing
factors as being of a deterministic nature, even though, strictly speaking,
they are also probabilistic.
The data situation is fundamentally problematic as regards soil and/or the
abutments. Only rarely is sufficient information available or obtainable for
the demand for adequate statistical material to be met.
Even more difficult is the problem when one aims to carry out a reliability
analysis on a structure already in existence since it, the dam, is likely
to cover the bedrock, thus making all the more difficult the retrospective
collection of data.
In Section 4.4, the influence of observations, measurements and inspections
was mentioned, and it was pointed out that, at present, it is still very difficult
to build these into a reliability analysis.
Seen from the angle of such analyses, observations, measurements and inspections
reveal two components:
- technical reliability for the recognition of hazard-threatening indicators;
and,
- the reliability of the person carrying out the measuring, notifying, organizing
and decision making functions.

It can be assumed that, in the field of reservoir management, a survey of the
human reliability factor in connection with the requirements set out here has
never been carried out. On the other hand, a study of human reliability in the
field of nuclear power stations was published in the USA as early as the 1980s
[Swain and Guttmann, 1980; Ref. 7], and may be taken
in analogy. The factor is also detailed in terms of qualification levels, fatigue
and stress, and so on. Reference 3 [1988],
from which Table 3 is taken, attempts to estimate HEP (Human Error Probability)
in the case of activities involving monitoring instruments and noting things
down.
The fact that even the extreme values caused by natural forces cannot be
given in any reliable way means that we come across ample use of unfavourable
and extreme-value-similar conditions of assessment. Even if this, as a rule,
is not made explicit, we should be aware that there always is a certain residual
probability for excess which, in turn, implies a residual probability of failure.
The logical consequence is residual risk.
At the most recent DIN 19700/10 Committee deliberations about dimensioning
of the design flood, there was detailed discussion on how to do it full justice.
In the first place, honesty demands that we admit that over and beyond the
flood events which are assessable, even more extreme events could occur.
In the second place, there was some consensus that the dam itself should not
be burdened with this residual risk. For that would imply a situation which
does not exist in any other branch of engineering (see
Deutscher Bundestag [1999; Ref. 8])
and which would put the engineering product of dam or reservoir in a worse
position than others. After all, the uncertainty that extreme high water represents
for a dam could be, say, the uncertainty that the size of the most extreme
gust of wind represents for an aeroplane or that which the most extreme kind
of wave means for a ship. If we were to factor in an encounter with this residual
risk for those engineering products too, then no plane would take off and
no ship would leave its harbour.

Even atomic law and bioengineering legislation distinguishes between non-acceptable
risk and acceptable residual risk.
There can be no doubt that the society which requires engineering structures
and which is prepared to document this in the form of executive or administrative
permits will accept residual risk to a certain extent. For this reason, the
DIN Committee eventually decided that residual risks with floods should be
shown and evaluated accordingly. That is the state of debate as of the July
2001 meeting. Further discussions are scheduled, although no additional loading
case should accrue as a result. However, the author is of the opinion that
this must happen if it is intended to come up with any useful statements,
perhaps as set out in Table 4 by way of an example.
To calculate such risk, each line in Table 4 is allocated the occurrence probability
of the event x × BHQ_2
(1.0 < x < [ e +
?]) to evaluate the consequences realistically.
In addition, in relation to this example, one would have to establish sufficiently
reliable models (with regard to width, stability, vegetation) as to the erosion
behaviour of special dam crest structures with a view to estimating the effects.
According to the case put forward by Kleeberg and Schumann [2001; Ref. 9],
the former might well take some time to come about. To estimate the consequences
of overtopped dam crests, goal-oriented research would have to be initiated.
Independent of these considerations, line 8 in Table 4 indicates that the
scale of possible consequences is always fairly open-ended. In other words,
any reasonable scenario implies an even more horrendous outcome! One only
has to make clear here what large variations in results the different methods
for ascertaining the PMF (probable maximum flood) serve up or, equally, to
demonstrate what huge surprises the DVWK Information Sheet 20 ‘Maximized Regional
Rainfall Levels for Germany’ caused. It would be naïve to believe that
this development has already found its natural end. This all leads inexorably
to the realisation that, in everyday practice, faced with financial constraints,
it is not always possible to eliminate all risks, a realization which undoubtedly
forms the basis for society’s acceptance of risk as mentioned above.
In Germany, acceptance limits for the loss of assets or even human life are
not discussed, documented or socially defined (at least in public). It tends
to be an area of debate left to insurance companies and, probably, military
planning units.
In other countries, however, things are different (sometimes considerably
so). In 1997, for instance, the author had occasion to attend an ICOLD Risk
Assessment Workshop in Trondheim where representatives from various countries
talked about their concepts and, in some cases, about the implementation of
the concepts. The conclusions reached at the workshop are detailed in a previous
paper by the author [Rissler, 1998; Ref. 10].
It is sufficient to say that there is basic agreement that discussion should
take place and include the issue of human life losses. To do so, what is now
known as an F-N diagram was devised to allow these acceptance limits to be
shown. Various F-N diagrams from different parts of the world were presented,
clearly based on the risks that prevail there.

Fig. 7 shows a proposal submitted by the US Bureau of Reclamation (USBR).
Via the ordinates in logarithmic scale, the diagram focuses on the annual
failure probability of a dam and, via the abscissa, also in logarithmic scale,
the human lives potentially threatened as a result. Each item within the diagram
stands for a risk R in the form of:
R = p_f × L_f (1)
where p_f represents failure probability
and L_f represents human lives.
In the diagram, the USBR defines different levels of risk as follows:
- small risk, that is, fewer than two endangered persons with economic
considerations dominating in the risk reduction scenario;
- high risk, that is, more than 200 endangered persons with the requirement
that this be proven by the best available methods and that it be reduced by
unfavourable load assumptions and adherence to the multiple barrage principle;
- acceptable risk, that is, a risk factor lower than R = 10^-4 according to Eq. (1) (Line A-A in Fig. 8);
- unacceptable risk, that is, a risk above the factor of R = 10^-3 (Line B-B in Fig. 8); and,
- still tolerable risk, that is, 10^-3 > R > 10^-4 (Fig. 7).

If one enters the individual life risks set out in Table 5 on to this diagram,
one sees that the general individual life risk for normal citizens (= normal
jobs, normal risk of accident) is somewhat larger than R = 10^-4/year,
whereas the risk for a person with a more dangerous occupation and/or with an
unusual sport as a hobby is at somewhat higher than 10^-3/year.

If, however, one adds up the fatality risks in Table 5 for normal citizens (Case
1) and for those who go about a risky job and also have a passion for high risk
sports (Case 2), then, based on the simplified notion of all life risks as set
out in Table 5, one would arrive at an annual individual death risk of 3.45
× 10^-3/year
(Case 1) or 9.15 × 10^-3/year (Case 2). In fact, because of the incompleteness of the Table,
the real figures would be higher.
Assuming that the general individual life risk of a normal citizen may not
be essentially affected by the existence of a nearby reservoir, an additional
individual life risk of R < 10^-4/year
would be acceptable and R < 10^-3/year
just about tolerable. This reflects the value pairs compiled in Table 6. It
is the view of this author that these estimates could, in principle, be applied
to German society.
Therefore, according to this theory, the failure probability of a dam which
would put many people’s lives at risk if it failed would have to be lower
than with a dam the failure of which would only endanger a small number of
people.
This is a theory, of course, which is in contradiction to the prevailing opinion
in Germany which holds that all dams (irrespective of the immediate environment)
must be so safe that probably, if not certainly, no failure will ever occur.
By tacitly agreeing that the probability of failure is infinitely small, we
in Germany have hitherto declined to conduct risk assessments.

How, then, does the USBR recommendation compare with the intended guidelines
of the new DIN 19700/10/11 E in the event of floods? For dams, the DIN 19700/10/11
E sets a design flood BHQ_2 with a recurrence
interval of 10 000 years which corresponds to an occurrence probability of
10^-4/year. The dam, therefore, may not fail, and this has to be proven.

In the light of the above remarks, this requirement is independent of risk, and independent from the potential size of the damage, and thus deviates from USBR recommendations.
Assuming that the dam were to collapse as a result of slightly greater strain
and only one person were endangered, then the DIN 19700/10/11 E requirement
would just meet the acceptable risk criterion (Point X in Fig. 9). If, however,
the dam, when exposed to these extreme conditions, were to pose a risk to ten
or even 200 persons (Points Y and Z in Fig. 9), then this would considerably
exceed the yardstick of ‘tolerable’.
Indeed, it would be unacceptable; and if the limit of an acceptable risk were
reached (that is, 10^-4/year/person), even
with assumed largest number of potentially endangered persons, then extra measures
would be needed to reduce that risk.
It must be proven, for example, that a dam will withstand exceptional flood
levels without collapsing. Since there are no reasonable extrapolation tools
available, we could and should fall back on the PMF in these extreme areas.

Alternatively, though, it could be shown that engineering design measures will
come into their own in the case of such an event. If the dam was built along
strict multiple barrage lines, then these precautions should bring on the required
risk reduction. Similarly, a dam crest able to withstand occasional overtopping
could also contribute to the minimization of risk.
That being so, the new DIN 19700/10/11 should indeed address the call for a
reduction of risk in addition to evaluating the residual risk, and formulate
it in such a way that the whole ideal of acceptable risk is taken into account.
As yet, no reliability analyses based on the probabilistic approach have
been conducted on the dams operated by the Ruhrverband as a result of experiences
gained in the processing of the BMFT Study [DGEG, 1988; Ref. 3].
Nevertheless, a few major conclusions about safety assessment can be derived
from the earlier part of this article.
- All the main dam structures at large reservoirs are able to withstand a PMF
without the crest overtopping. Therefore, in the event of extreme flood levels,
the conditions identified for the case of potential risk to large numbers of
people have also been met.
- There are no large dams where a sudden collapse could occur within the dam
mass as a result of piping. This is the result of the structural design. Two
of the dams (Bigge and Henne) exhibit two-layered surface sealing with an intermediate
drainage layer, as well as an internal bituminous protective zone which is also
supplemented by a massive protective structure within the crest. Fig. 10 shows
a cross-section view of the Henne dam. The other two dams (Sorpe and Verse)
were built at the centre with a continuous core wall made of concrete, as shown
in Fig. 11. In the case of dams with surface sealing elements, any leakage in
the sealing would manifest itself by seepage appearing in the drainage zone
between the sealing layers. Even if this incident were to escape the attention
of the operating personnel, piping could not occur as the protective zone would
prevent it. In the case of dams with a concrete core, water could only ever
seep out as a result of concrete cracking, and such problems have indeed arisen
in the past. However, the quantitative progression of seepage water has always
been so slow that we could respond without any difficulty [Rissler, 2000; Ref. 11].
- In the case of dams with a surface sealing element, the scenario of ‘rapid
sinking of water level’ (which would lead to an upstream slope failure) is irrelevant.
The concomitant failure probability is therefore precisely zero.
- In the case of the two dams with central concrete cores, Sorpe and Verse,
the lowering speed of the reservoir is comparatively low: at Sorpe approximately
1 m/day; at Verse about 0.5 m/day. The various upstream support masses are highly
permeable (rock backfill). Until we have more precise evidence, we can assume
that no unacceptably high porewater pressures can occur. In other words, the
scenario of ‘rapid sinking of water level’ can be discounted here too.
- Because of their crest protective structures, the Henne and Bigge dams comply
fully with the multiple barrage principle.
- The protective structures in the crest are, as far as is humanly assessable,
able to withstand any deliberate attempt to damage the dam crests and thus to
trigger a dam failure.
- All of the slopes adjacent to the reservoirs are so flat that landslips which
could cause floods need not be feared.
Thus the hazard diagrams, compared with that shown in Fig. 5, for example, become
somewhat simpler. Therefore, a reliability analysis takes only relatively few
scenarios into consideration.

This article has outlined a number of basic ideas about a comprehensive safety
analysis for reservoir dams and related analytical tools. Some gaps in our
knowledge were looked at and an appropriate place for the determination of
the design flood was found in this safety concept.
This led almost automatically to the question of ‘acceptable risk’ and some
pointers were given for answers, and also for certain developments worldwide.
It is hoped that this article will prompt renewed interest in the probabilistic
approach. Finally, it is worth recalling that many different branches of engineering
have already tackled this subject matter.
1. DVWK (German Association of Water
Management and Cultivation), Leaflet 222, 1991.
2. Witt, K.J. and Brauns, J., "Erosions- und Filtrationsverhalten
von Erdstoffen. Sicherheitsuntersuchung auf probabilistischer Grundlage für
Staudämme".
Study for the Bundesministerium für Forschung und Technologie; 1988.
3. Deutsche Gesellschaft für Erd- und Grundbau, "Sicherheitsuntersuchung
auf probabilistischer Grundlage für Staudämme". Safety study
for the Bundesministerium für Forschung und Technologie; 1988.
4. Rissler, P., "Talsperrenpraxis", Oldenbourg Verlag, Germany;
1998.
5. US Department of the Interior, Teton Dam Failure Review Group, "Failure
of the Teton Dam, a Report of Findings"; April 1977.
6. ICOLD, "Lessons from Dam Incidents"; 1974.
7. Swain, A.D. and Guttmann, H.E., Handbook of Human Reliability Analysis
with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1278, Sandia;
1980.
8. Deutscher Bundestag, "Sondergutachten des Rates von Sachverständigen
für Umweltfragen: Umwelt und Gesundheit – Risiken richtig einschätzen",
Deutscher Bundestag, 14. Wahlperiode, No. 14/2300, December 1999.
9. Kleeberg, H.-B. and Schumann, A.H., "Ableitung von Bemessungsabflüssen
kleiner Überschreitungswahrscheinlichkeiten".
In: Wasserwirtschaft, No. 2; 2001.
10. Rissler, P., "Risikoeinschätzung für Talsperren –
Internationale Entwicklungen". In: Wasser & Boden, 50/9, 24-29;
1988.
11. Rissler, P., "Sanierung des Sorpe Hauptdammes nach dem
Düsenstrahlverfahren"; 15. Christian Veder Kolloquium, TU Graz,
Austria; 27-28 April 2000.
Prof Dr-Ing Peter Rissler obtained
his Engineering Diploma at the Technical University of Munich, Germany in
1968. He became Assistant Lecturer at the Technical University of Karlsruhe,
and then Senior Lecturer at the Technical University of Aachen. In 1977 he
was awarded his Dr-Ing degree with distinction, and at the same time he was
awarded the Borchers medal. His thesis was entitled "Definition of water permeability
of fractured rock". He then joined the Ruhr River Association as Head of the
Planning Department, where he is now Head of the Reservoir Division. In 1995
he was awarded the title of Honorary Professor at the Ruhr University, Bochum,
Germany.
He was General Reporter for Q74, ‘Performance of Reservoirs’, at the 19th
ICOLD Congress in Florence, and is currently Vice-President of the German
Dam Committee.
Ruhrverband, Kronprinzenstrasse 37, 45128 Essen, Germany.
P. Rissler