DAMS AND SAFETY
The safety of dams is the subject of studies that are very close to the notion of cindynics, both for their construction and their operation. Our very warm thanks to Jacques Lecornu, General Secretary of the International Commission on Large Dams, for giving the readers of the Cindynics Letter an update on this question.
Dams make a vital contribution to the management of water resources.
They make it possible to meet the needs of population, of agriculture and industry, they improve navigation conditions; in certain cases, they provide renewable hydroelectric energy.
Dam lakes regulate the natural flow of rivers, either by laminating high-water levels, or by supporting low-water level flows, while at the same time enabling fish-growing activities. The lakes often become home to leisure activities; they are able to create and maintain marshy areas that are favourable to biodiversity. For all these reasons, dams are a source of riches and, were they to disappear, it is in fact one sixth of humanity that would see its living conditions become unbearable.
Nevertheless, on average 1% of dams have suffered an accident over a long period of time. Even though this figure might appear quite low, material losses and the loss of human lives that are the consequences of such accidents are unacceptable.
The engineers who design the project, who carry it out, who monitor and operate the dams are responsible for their safety. Right from protohistoric times, we see the builder taking on full responsibility. One of the oldest legislative codes - the Hammurabi Codex - designated the architect as being responsible for the possible failures of his buildings, and in fact his life was at risk in such cases. A Chinese legend dating back to the same period states that dam builders were held responsible for the floods caused by their rupture; considered criminals, they were tortured and executed. However, Tao added that later such men were considered to be heroes who had been unjustly treated.
Dams have existed for a very long time. One of the oldest known dams, located in Jawa (Jordan), dates back 5000 years. The first known accident, which happened at the Kafara dam (Egypt), is also very old (4600 years).
Following this accident, Egyptian engineers appear to have waited several centuries (800 years) before trying their hand again. This brief review of dam "prehistory" testifies to the human capacity for invention in the face of an often unpredictable nature and the test of time:
Dams are characterised by a life-span that is measured in centuries and which as such cannot be compared with the majority of industrial constructions or tools.
1 - THE ROLE OF THE CIGB/ICOLD (INTERNATIONAL COMMISSION ON LARGE DAMS)
Practicing cindynics 60 years before the word was even invented, some one hundred countries decided to pool their experience in order to improve the safety of existing and future dams.
These countries - today numbering 81 - decided to meet in 1928 to create an international association, the CIGB/ICOLD, whose objectives are enshrined in its current statutes:
« The objectives of the Commission are to encourage progress in the designing of projects, in the construction, operation and maintenance of large dams and associated civil engineering works, by collecting relevant information and studying related questions and more particularly the technical, economic, ecological and social aspects. »
The CIGB/ICOLD is organised on two levels:
- At the national level, with a view to encouraging the development of knowledge through national committees,
- At the international level, as a federal structure.
2 - ACCIDENT ANALYSIS
Feed-back from experience, and its dissemination, plays a fundamental role in the design and management of dams. The richer the deposit of experience, the more meaningful will be the experience: this obvious fact is a necessity for structures whose downstream population is limited and which are not very subject to accidents.
One may evaluate at around 40,000 the number of existing large dams (i.e. dams higher than 15 meters). Some 300 accidents have been identified and analysed.
One new dam is built every day and the average construction time is four years.
Among the publications of the CIGB/ICOLD, the most important source of information on accidents is the Bulletin « Lessons drawn from dam accidents (1974) ».
This document analyses in particular the types of structures (gravity, buttress, earthfill, rockfill dams, etc.) adapted to the foundation, the available materials and the morphology of the valley.
Since then, a large number of publications have been produced, such as Bulletin n° 99 "Dam Failures - Statistical Analysis". In this publication, accidents and events are analysed according to the type of dam involved and to their cause. The aim is to increase the awareness of engineers about the different phenomena involved (with, to a certain degree, their level of probability), and the sequence of events that may lead to a disaster.
The building of a dam is not an end in itself, which finishes with the filling of the reservoir. The structure will need to be the object of auscultations and inspections throughout its "life-span" in order to ensure its permanence.
3 - SCIENTIFIC APPROACHES AND MODELS FOR BUILDING AND OPERATING DAMS
3.1. A multidisciplinary approach
For a very long time, the art of the dam builder remained purely empirical, highlighted by some remarkable innovations; only later did it draw on a scientific base.
Today, it involves knowledge drawn from a large number of disciplines:
- geology, seismology, geotechnical engineering
- hydrology
- soil and rock mechanics,
- structural behaviour monitoring, aging, instrumentation
- operational research, human behaviour analysis, etc ...
Each specialist uses specific tools coming from different sectors (mechanics of continuous media, resistance of physical-chemical materials).
In the area of safety, it is the "rare" or "extreme" phenomena which are particularly interesting.
The aim is also to define, during the project design phase, a "design flood" and a "design earthquake".
For the foundations, it is of course not only the overall behaviour that is significant. Indeed, possible discontinuities, their extension (preferential discharge sites), and the stability of the foundation subjected to different stresses (gravity, uplift, hydrodynamic stress, etc...) are fundamental. This is also the case for filldam or rockfill dam embankments and for foundations in loose terrains.
For each discipline, a detailed analysis of the overall behaviour is agreed upon, along with that of local behaviour in extreme situations.
3.2. Identification of "acceptable" hazards
Uncertainty is assessed in order to establish the level of probability of failure.
Thus, each specialist carries out analyses that aim to find out the relevant parameters: in principle, the statistical tools required for this task are available, provided one has a sufficiently large number of measurements or "memory".
For example, a series of hydrological measurements over a period of one hundred years is ideal; for earthquakes, it is preferable to have data covering several thousand years, because identified earthquakes are rare events that have not been well reported.
Thanks to the Fisher-Tippett laws, statisticians are able to link the annual probability $P_a$ of an event and the cumulated probability $P_n$ over $n$ years: $(1 - P_a)^n = 1 - P_n$
The work undertaken in the various disciplines needs to be undertaken on a consistent basis.
Thus, it would be absurd to take a return period equal to $10^{-5}$ for a design earthquake and a value of $10^{-4}$ for the frequency of the design flood. The level of precaution adopted for one would be excessive with respect to the other.
Another problem concerns the heterogeneous nature of the rock foundations (joints, shear joints, faults) and the layers in loose soils. A sufficiently detailed exploratory drilling campaign should, in principle, raise any doubts, establish the scale of the problem, and define the values for significant parameters: how to be sure that the reconnaissance is sufficient? However, drilling requires time and is an expensive operation.
For a project of a 100 km dike, for example, should one envisage drilling every metre, every ten meters or every one hundred meters? And what should be the depth of these drillings?
A traditional geological survey, on a much vaster scale, makes it possible to distinguish the zones that are probably more heterogeneous and therefore require a closer meshing than the more homogeneous zones, where the distance between drillings can be greater.
3.3. The human factor and project management
The head of the engineering team in charge of the studies needs constantly to adapt the team's objectives right from the design stage and he or she needs to guide the work of each specialist consequently.
However, decisions based on judgement sometimes lead to major risks when establishing a project and later during the monitoring and maintenance activities.
It has been possible to bring to light some classic examples of human behaviour that almost inescapably lead to an accident with serious consequences: a feeling of infallibility, a too simplistic approach, lack of communication between the different specialists of the project team, subordination of risk management to other constraints (speed of execution of the studies, etc...), i.e. one finds the majority of the "cindynogenic" deficits that are well known to the IEC.
In order to avoid these pitfalls, the project team will need to be solidly structured, while remaining open to new ideas, in order to avoid the traps that result from such behaviour; the team needs to be able to consider the limitations of a multidisciplinary approach and take into account their inherent uncertainties.
4 - THE RISK COMPONENTS
4.1. Risk Assessment
The relatively recent notion of risk management is the result of research on the reliability of complex industrial systems involving a very large number of different components, each of which is subject to failure.
An appropriate architecture associated with a functional redundancy pushes the level of reliability of the system beyond that of each individual component. Among the industrial systems that demand a search for "total quality", "zero defect" or "zero risk" we can think of aircraft, missiles, submarines and nuclear power stations.
Event trees, fault trees
The functional analysis of failures requires the establishment of scenarios based on observed failures, from which are then construed "event trees" and "fault trees". The advantages of such an approach are obvious when it comes to seeking a rational analysis of the failure rate and the failure probabilities.
One is tempted to apply this rational approach to the problem of dam reliability.
However, this is not easy. In fact, the components are not mass-produced industrial products with a measurable life-span and known failure mechanisms. The components are the result of natural situations, which may be approached from a statistical standpoint, using measured values.
The overall risk of a dam rupturing integrates the elementary risks related to the uncertainties of the definition of a project flood, of the project earthquake, of the characteristics of the materials and the conditions of the foundations.
Nevertheless some aspects are related to machine risks.
A practical example: Operational safety of the dams
Thus it is necessary to open the floodgates of a low fall structure, in order to allow a strong flood level to pass, the return period for which is around 5000 years. Such a flood can have secondary consequences: power shutdowns, disruption of telecommunications, impassable road, destruction of electrical circuits by lightning (despite their earthing system).
The acceptable probability of dam failure by overtopping needs to be low, considering the unacceptable damages that would result from it.
For "major" risks the target is a total guarantee of availability.
The control-command system will therefore need to include redundancies.
One should note that the components of a control chain, with the command mechanisms, may individually present an insufficient level of basic reliability with respect to the level of public safety judged to be acceptable. In certain cases, their reliability is not even sufficient to meet the required criteria for quality of service.
The architecture of the control-command system needs to include a real redundancy: by avoiding common nodes, it is possible to obtain the required level of reliability. One should note however that it is essential the required value be fixed based on a functional analysis.
This type of architecture may be illustrated by the following example. Given an intake gate presenting an unavailability factor equal to 4% (see above): to guarantee an unavailability of the turbine supply equal to 16 ‱ (16 per ten thousand), it is necessary to plan two parallel gates. But to ensure the same level of guarantee in the case of a closure, there is a need for two gates mounted in series.
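The gate example above, worked as a small fault tree (an added illustration, not part of the original article). It assumes independent gate failures; the 1% failure probability of a shared control node is a constructed figure used only to show why common nodes must be avoided, and all function and variable names are hypothetical.

```python
"""Minimal fault-tree evaluation for the intake-gate example (added illustration)."""
from math import prod

# A node is either a number (probability of a basic event) or a tuple
# ("AND" | "OR", [child nodes]). Basic events are assumed independent and
# must not appear in more than one branch of the tree.

def top_event_probability(node):
    """Return the probability of the event described by `node`."""
    if isinstance(node, (int, float)):
        if not 0.0 <= node <= 1.0:
            raise ValueError(f"not a probability: {node}")
        return float(node)
    gate, children = node
    probs = [top_event_probability(child) for child in children]
    if gate == "AND":   # the event occurs only if every child event occurs
        return prod(probs)
    if gate == "OR":    # the event occurs if at least one child event occurs
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate type: {gate}")

GATE_UNAVAILABILITY = 0.04   # 4% per gate, figure taken from the text
COMMON_NODE_FAILURE = 0.01   # constructed assumption, not from the text

def gate_scenarios(q=GATE_UNAVAILABILITY, common=COMMON_NODE_FAILURE):
    """Failure probability of each architecture for each demand."""
    both_fail = ("AND", [q, q])
    either_fails = ("OR", [q, q])
    return {
        # Parallel gates: supply is lost only if both fail to open.
        "parallel_supply_lost": top_event_probability(both_fail),
        # Parallel gates: flow is not cut off if either fails to close.
        "parallel_closure_fails": top_event_probability(either_fails),
        # Series gates: flow is not cut off only if both fail to close.
        "series_closure_fails": top_event_probability(both_fail),
        # Series gates: supply is lost if either fails to open.
        "series_supply_lost": top_event_probability(either_fails),
        # Parallel gates driven through one shared control node.
        "parallel_supply_lost_common_node": top_event_probability(
            ("OR", [common, both_fail])
        ),
    }

if __name__ == "__main__":
    for name, p in gate_scenarios().items():
        print(f"{name:36s} {p * 1e4:8.2f} per 10,000")
```

With the assumed shared node, the unavailability of the parallel arrangement is dominated by that single node rather than by the two redundant gates.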
4.2. Economic analysis
Risk is defined as the product of the probability of a harmful event - the hazard - by associated damages.
From a logical point of view, in any rational approach to the problem of safety, projects are classified according to decreasing risk levels, in order to deal with the most urgent problems first. It should be noted that two categories may be identified: casualties, and material losses.
Each country fixes its own objectives on this matter. For casualties, if a probability of $10^{-3}$ is acceptable for one person, it is therefore logical to suppose that the acceptable risk is of $10^{-4}$ for ten persons, $10^{-5}$ for one hundred persons, and so on, inasmuch as the product of the probability multiplied by the predictable damages must remain constant. One will thus obtain a "constant risk" curve.
The idea was developed recently of varying the level of safety according to the risk, in countries such as Canada, Australia and Norway. In this way one seeks to adapt the level of risk to the predictable consequences downstream.
However, it is quite obvious that in densely populated areas such an approach raises serious difficulties.
However, it remains useful for ranking the work needing to be undertaken in a priority table, in order to identify such priorities.
4.3. Risk management
Several action families may be identified:
1. At the level of the dam, preventative actions regarding the structure imply monitoring, auscultation and inspections destined to detect at the earliest possible moment any nefarious development and so trigger the necessary maintenance work; this is the "conditional" maintenance that is well-known in industry.
2. Supplementary actions, that aim to reduce the consequences of a rupture (telephone, warning systems, evacuation plans).
3. Preventive actions downstream: high risk zones are identified so as to ban any building developments whose loss would be very serious in case of an accident.
Who is to be held responsible for public safety and accountable in case of an accident? In many countries such responsibility is placed upon the public authorities.
Indeed, they have the possibility of imposing standards and of demanding checks destined to ensure the safety of the general public. The owners and dam operators are obliged to conform to these standards. Each country also establishes procedures for validating such projects. (In France, the regulatory environment is based on control procedures for structures of more than 20 m, these being developed and implemented under the directives of the Comité Technique Permanent des Barrages (Permanent Technical Committee for Dams).)
Standards aside, when a "disaster" happens one might consider that the authorities have failed in their duty to ensure public safety. It is generally civil society that assumes responsibility.
One may however consider more generally that the dam operator (or his insurance company) holds - or should hold - sufficient information to be able to avoid accidents, and that such an entity should therefore be held responsible for the consequences of an accident.
For certain risks (fire, ...), it is the insurers who cover the risks and in return participate in the development of the project in order to ensure that the construction meets their safety standards.
CONCLUSIONS: There have been good results from the implementation of cindynic methods over the last decades, however society's expectations remain high.
Undeniably, the pooling of experience has had an impact on results: an analysis of the evolution over time of the accident rate shows that the latter has been dropping continually for the last forty years (hazard has been divided by five). This improvement is undoubtedly the result of the introduction and improvement of site investigations, but also of the dissemination of knowledge about hazards.
This fact alone justifies the existence of the CIGB/ICOLD and leads us to hope that all countries in the world will join it.
What is the current rupture rate? One may take a value well below 1% for the life-span of a dam. If one takes a uniform distribution of risks, the annual risk for any given dam is of the order of $10^{-5}$ on average.
It is however worth asking what is the real meaning of such statistics, which are all too often calculated from a base of a low population of ruptures.
One should also individually examine each dam in order to assess its real safety level, for quite obviously there is no reason to suppose that it will reach the theoretical average, calculated from the whole population. Some dams are however, by their very nature, more dangerous than others: this is for example the case for low height earthfill dams.
The chief leverage for this progress has come from the promotion of safe techniques. It is a fact that the best way of improving safety is to publish compendia such as those mentioned above and to seek the most constructive measures. This is the role of the CIGB/ICOLD Technical Committees. The experience gained around the whole world is communicated during the triennial Congresses, where safety has always been among the key issues discussed.
Historically, dam safety has always been considered as the essential function of the engineers' task; it is they who have to give account in case of accidents.
In this regard, the demands of society have recently gone well beyond the logic of "cindynics" in matters relating to safety, with the emergence of the so-called precautionary principle.
Jacques LECORNU
Secrétaire Général de la Commission Internationale des Grands Barrages (CIGB)
General Secretary of the International Commission on Large Dams (ICOLD)
Paris - France
Translation by Andrew WILES
SERRE PONÇON, TIGNES, SAINTE CROIX, GRAND MAISON, VOUGLANS, MONTEYNARD, BORT LES ORGUES, ROSELEND, LE MONT CENIS, LE CHAMBON
© Institut Européen de Cindyniques - Cindynics Letter No. 29 - January 2000