FERC Risk-Informed Decision Making Guidelines PDF


FERC
Risk-Informed Decision Making Guidelines
Chapter 2: Risk Analysis
Version 4.1, March 2016


TABLE OF CONTENTS

List of Figures
List of
2.1.2 Definition
2.1.3 General Description
2.1.4 Considerations
Types of Risk and Risk Measures
2.2.1 Types of Risk
2.2.1.1 Incremental Risk
2.2.1.2 Non-Breach Risk
2.2.1.3 Residual Risk
2.2.2 Risk Measures
2.2.3 Life Safety Risk
2.2.3.1 Individual Incremental Life Safety
2.2.3.2 Societal Incremental Life Safety
2. Distribution of Potential Incremental Life Loss
2. Annual Life Loss (AALL) Life Safety
2.2.4 Annual Probability of Failure (APF)
2.2.5 Economic Considerations
2.2.6 Environmental and Other Non-Monetary Consequences
Levels of Risk Analyses
2.3.1 General
2.3.2 Level 1 – Screening Level Risk Analyses
2.3.3 Level 2 – Periodic Risk Analyses
2.3.4 Level 3 - Semi-Quantitative Risk Analyses
2.3.5 Level 4 - Quantitative Risk Analyses
Risk Team
2.4.1 Composition
2.4.2 Roles and Responsibilities
2.4.2.1 Facilitators
2.4.2.2 Subject Matter Experts
2.4.2.3 Note Taker
2.4.2.4 Software
ilitators
Matter Experts
Note Taker
Software Operator
Execution
2.5.1 Preparing for a Risk ication
2.5.2 Risk Analysis Meeting
2.5.2.1 Meeting Preparation
2.5.2.2 Meeting Agenda
2.5.2.3 Conducting the Risk Analysis
2.5.2.4 Heuristics and
.4.2 Quantitative Risk Estimates
2.5.4.3 Uncertainty
6 Combining Risks
2.5.5 As-Low-As-Reasonably-Practicable (ALARP)
Effectiveness
2.5.5.3 Level of Risk
2.5.5.4 Disproportion
2.5.5.5 Good Practice
2.5.5.6 Societal Concerns
2.5.5.7 Other Factors
2.5.6 Documentation during the Risk
Building the Case
2.6.4 Portraying Risks
2.6.5 Presentation of Results
Reviews
2.7.1 General
2.7.2 Level 2 – Periodic Risk Analysis Products
2.7.3 Level 3 – Semi-Quantitative Risk Analysis Products
2.7.4 Level 4 – Quantitative Risk Analysis Products
2.4.4.1 Risk Review Board (RRB) Members
2.7.4.2 Risk Product Review Process

2.8 References

Appendices
2A Example Risk Analysis Meeting Agenda
2B Calculation of the Adjusted Cost to Save a Statistical Life (aCSSL)
2C Risk Analysis Meeting Template and Example
2D Risk Analysis Report Template
2E F-N and f-N Templates
2F Example Risk Review Board (RRB) Meeting Agendas
2G Risk Review Board (RRB) Charge Questions

LIST OF FIGURES

Figure 2-1 Relationship between Risk Analysis, Risk Assessment, and Risk Management
Figure 2-2 The Four Inundation Scenarios
Figure 2-3 Residual Risk
Figure 2-4 Level of Risk Framework
Figure 2-5 Relationship of the Levels of Risk Analysis within the Risk Analysis Process
Figure 2-6 Example of SLPRA Risk Index
Figure 2-7 SLPRA Risk Index Scoring Matrix
Figure 2-8 Example Portrayal of Level 3 Risk Analysis Results
Figure 2-9 Graphic Illustration of ALARP
Figure 2-10 Example of Contributions to Annualized Probability of Failure by Reservoir Elevation
Figure 2-11 Example of Contributions to Average Annual Life Loss by Reservoir Elevation
Figure 2-12 Example System Response Probability by Reservoir Elevation
Figure 2-13 Example System Response Probability with Uncertainty by Reservoir Elevation
Figure 2-14 Example f-N Chart Portraying Uncertainty
Figure 2-15 Example f-N Chart Portraying Specific Nodal Uncertainty for an Individual Potential Failure Mode

LIST OF TABLES

Table 2-1 Summary of Risk Analysis Levels
Table 2-2 Guidelines for Minimum Qualifications of Key Risk Analysis Personnel
Table 2-3 Example Summary of Annual Probability of Failure and Average Annual Life Loss for each Potential Failure Mode
Table 2-4 Example of Summarizing Nodal Probabilities
Table 2-5 Example of System Response Summaries by Reservoir Level
Table 2-6 Estimated Number of Risk Review Board (RRB) Members
Table 2-7 Estimated Risk Review Board (RRB) Minimum Review Time

ACRONYMS

AEP  annual exceedance
R  U.S. Department of the Interior, Bureau of Reclamation
CSSL  cost to save a statistical life
D2SI  Division of Dam Safety and Inspections (FERC)
FEMA  Federal Emergency Management Agency
FERC  Federal Energy Regulatory Commission
PAR  population at risk
PDF  probability density function
PFM  potential failure mode
PFMA  potential failure mode analysis
QRA  quantitative risk analysis
RIDM  risk-informed decision making
RRB  risk review board
SLPRA  screening level portfolio risk analysis
SME  subject matter expert
SQRA  semi-quantitative risk analysis
SSHAC  senior seismic hazard analysis committee
USACE  U.S. Army Corps of Engineers
VSL  value of statistical life
WTP  willingness to pay to prevent a statistical fatality


CHAPTER 2
RISK ANALYSIS

2.1 INTRODUCTION

2.1.1 General

The Federal Energy Regulatory Commission (FERC) Division of Dam Safety and Inspections (D2SI) is responsible for the development, dissemination, and interpretation of methodology guidance for use in conducting dam safety risk analyses. This document does not try to describe in detail how to analyze risks. It only describes the general practices used by those who analyze risks. The current state-of-the-practice for analyzing dam safety risks is presented in the Best Practices in Dam and Levee Safety Risk Analysis, a document developed by the Bureau of Reclamation (BOR) and the U.S. Army Corps of Engineers (USACE) for the purpose of summarizing the overall philosophy, methods, and approach to risk analysis for dam safety (BOR/USACE, 2015).

2.1.2 Definition

As defined by the International Commission on Large Dams (ICOLD), risk analysis is “the use of available information to estimate the risk to individuals or populations, property or the environment, from hazards. Risk analyses generally contain the following steps: scope definition, hazard identification, and risk estimation.” (ICOLD, 2005).

The risk analysis process involves the scientific characterization of what is known and what is uncertain about the present and future performance of the dam system under examination (ICOLD, 2005). It is a structured process aimed at estimating both the probability of failure of the dam or dam components and the consequences of failure (often, though not always, restricted to those consequences resulting from uncontrolled release of the reservoir).

Risk analysis is the first component of risk management, as shown on Figure 2-1 (FEMA, 2015). It is the portion of the process in which the site-specific potential failure modes, structural performance, and adverse consequences are identified. It is also the process during which a quantitative or qualitative estimate of the likelihood of occurrence and magnitude of consequence of these potential events is made. A critical first step in a risk analysis is identifying the site-specific potential failure modes at a given dam. The frequency of occurrence of the loadings (e.g., reservoir load levels, floods, earthquakes, ice loading, etc.) that could initiate potential failure and then cause adverse consequences is estimated and considered as part of a risk analysis.

Figure 2-1. Relationship between Risk Analysis, Risk Assessment, and Risk Management (revised from FEMA, 2015)

2.1.3 General Description

Risk analyses can provide valuable input to decisions made at various stages of a project and serve other important purposes. Risk analysis is a tool that can assist and provide important insights to the decision making process for a single dam or within an inventory of dams. Thus, several types of risk analyses can be used as described in Section 2.3.

Risk analysis can be quantitative (i.e., the outputs and inputs are numeric) or qualitative. The first step common to all types of risk analyses is the identification of site-specific potential failure modes. (See Chapter 14 of the FERC Engineering Guidelines for the Evaluation of Hydropower Projects for a description of the Potential Failure Mode Analysis (PFMA) process). For a given dam or project, all of the relevant types of loadings that may be experienced should be considered when identifying potential failure modes. Risk analyses should consider the interactions between individual potential failure modes in order to properly understand the overall risk and how that risk can be reduced. The decision framework for a particular structure considers the rolled up risk across all potential failure modes, which may not be a simple sum of the risk for each potential failure mode considered individually.

2.1.4 Considerations

The event of interest in a dam safety risk analysis is dam failure which is defined as a set of events leading to sudden, rapid, and uncontrolled release of the reservoir impoundment (USACE, 2014). Further, it is recognized that there are lesser degrees of failure and that any malfunction or abnormality outside the design assumptions and parameters that adversely affect a dam’s primary function of impounding water could be considered a failure (FEMA, 2015). The probability of exceeding an analytical limit state (i.e. factor of safety less than one) is not the same as probability of failure. Limit state exceedance is only one factor to consider and may not necessarily initiate failure of a potential failure mode. Similarly, the probability of a serious incident is not the same as probability of failure.

Individual dams are often part of larger infrastructure systems. Within these watershed systems, risk is attributed to the specific infrastructure that is the source of the risk. This includes due consideration for cascading impacts in the ‘downstream’ direction. If failure or non-failure of the dam being assessed would result in overtopping and subsequent breach of downstream dams and/or levees, then the risk associated with these cascading failures would be attributed back as a consequence to the dam being assessed. Risks generated by failures of ‘upstream’ infrastructure are usually not considered at the downstream dam being assessed. If failure of an upstream dam would result in overtopping and breach of the dam being assessed, then increases in the magnitude and frequency of loading caused by failure of the upstream dam would not be included in the risk estimate.

To support inventory prioritization decisions or to communicate the flood risk from multiple flooding sources, there may be a benefit in estimating the risk from a systems perspective in certain situations. These analyses can support improved prioritization decisions within the larger watershed to obtain more efficient and effective risk reduction across the inventory. In these special cases, it may be appropriate to evaluate the cascading impacts of failure in both the ‘upstream’ and ‘downstream’ directions.

The risk analysis results will be reviewed, scrutinized, and debated. The risk analyst or team must be prepared to explain and defend the logic behind the risk estimate. This process leads to better decisions in an environment of imperfect information. A group of experts will rarely agree on all of the details of a risk analysis but can usually obtain agreement on the key decisions and the path forward. This agreement is achieved by working for consistency between the risk estimate, recommended actions, and understanding of the situation (i.e. does it make sense?).

2.2 TYPES OF RISK AND RISK MEASURES

2.2.1 Types of Risk

In the dam safety context there are several different types of risk that can be identified and estimated. One way to think of these ‘types of risk’ is to first understand under what conditions water being held by the dam might flow downstream and inundate the downstream area. These conditions are called inundation scenarios (USACE, 2014). The risk associated with a dam can be thought of in terms of four inundation scenarios shown in Figure 2-2. These include:

- breach prior to overtopping
- overtopping with breach
- inundation resulting from partial or complete release of the reservoir due to the malfunction of dam components or misoperation
- spillway flow without breach of the dam or overtopping without breach (non-breach)

For the fourth inundation scenario, “spillway flow” means the controlled release of water through the outlet works or spillway up to and including full outlet works or spillway discharge.

Figure 2-2. The Four Inundation Scenarios (from USACE, 2014). Panels: Breach Prior to Overtopping; Overtopping with Breach; Component Malfunction or Misoperation; Spillway Flow Without Breach of the Dam or Overtopping Without Breach.

From these four different inundation scenarios, three different types of risk can be estimated. These types of risk include incremental risk, non-breach risk, and residual risk. Each of these types of risk focuses on a different aspect of risk and is described in the following sections.

2.2.1.1 Incremental Risk

The ‘incremental risk’ is the risk (likelihood and consequences) to the reservoir area and downstream floodplain occupants that can be attributed to the presence of the dam should the dam breach prior or subsequent to overtopping, or undergo component malfunction or misoperation, where the consequences considered are over and above those that would occur without dam breach (USACE, 2014). Commonly incremental risk is the term most often considered when one uses the generic term, ‘risk’. The consequences typically are due to downstream inundation, but loss of the reservoir can result in significant consequences upstream of the dam as well.

The incremental consequences are a component of incremental risk and are defined as follows:

Incremental consequences =
    (Consequences associated with the estimated performance of the project with breach, component malfunction, or misoperation)
  - (Consequences associated with the estimated performance of the project without breach, component malfunction, or misoperation)

This definition, when applied to flood-induced breach, is such that incremental consequences for a particular inflow flood magnitude is the difference between the consequences of a dam breach and the consequences of a non-breach at the inflow flood magnitude.

An important principle of reservoir operations is that a dam is not to be operated at any time in such a way that the downstream flood severity is greater than it would have been had the dam not been constructed. This principle will be reflected when assessing and evaluating the risk associated with the non-breach inundation scenario.

2.2.1.2 Non-Breach Risk

Even if the dam functions as intended and the dam does not fail, the reservoir area and the downstream affected floodplains may be in a state of high risk. This risk in the reservoir area and affected downstream floodplains is due to ‘normal’ operation of the dam (e.g. large spillway flows within the design capacity that exceed channel capacity) or ‘overtopping of dams without breach’ scenarios. This is referred to as the ‘non-breach’ risk (USACE, 2014). The non-breach risk is essentially the risk that exists even if the infrastructure performs its intended function without failing.

Most of the information needed
