
Chapter 2

This document provides guidance on conducting risk analyses for dams. It defines risk analysis and describes its role in risk management. Risk analysis involves characterizing the performance of dam systems and estimating the probability and consequences of potential failures. It identifies potential failure modes and estimates the likelihood and impacts of failure-initiating events. The document outlines different types and levels of risk analyses, from screening to quantitative, and provides guidance on risk analysis teams, execution, documentation, and reviews.

FERC

Risk-Informed Decision Making Guidelines

Chapter 2

Risk Analysis

Version 4.1
March 2016

TABLE OF CONTENTS

List of Figures
List of Tables
Acronyms

2.1 Introduction
2.1.1 General
2.1.2 Definition
2.1.3 General Description
2.1.4 Considerations
2.2 Types of Risk and Risk Measures
2.2.1 Types of Risk
    Incremental Risk
    Non-Breach Risk
    Residual Risk
2.2.2 Risk Measures
2.2.3 Life Safety Risk
    Individual Incremental Life Safety
    Societal Incremental Life Safety
        Probability Distribution of Potential Incremental Life Loss
        Average Annual Life Loss (AALL)
    Non-Breach Life Safety
2.2.4 Annual Probability of Failure (APF)
2.2.5 Economic Considerations
2.2.6 Environmental and Other Non-Monetary Consequences
2.3 Levels of Risk Analyses
2.3.1 General
2.3.2 Level 1 – Screening Level Risk Analyses
2.3.3 Level 2 – Periodic Risk Analyses
2.3.4 Level 3 - Semi-Quantitative Risk Analyses
2.3.5 Level 4 - Quantitative Risk Analyses
2.4 Risk Team
2.4.1 Composition
2.4.2 Roles and Responsibilities
    Facilitators
    Subject Matter Experts
    Note Taker
    Software Operator
    Others
2.4.3 Qualifications
    Facilitators
    Subject Matter Experts
    Note Taker
    Software Operator
2.5 Execution
2.5.1 Preparing for a Risk Analysis
    Plan
    Preparation
    Communication
2.5.2 Risk Analysis Meeting
    Meeting Preparation
    Meeting Agenda
    Conducting the Risk Analysis
    Heuristics and Bias
2.5.3 Software
2.5.4 Methodology
    General
    Quantitative Risk Estimates
    Uncertainty Framework
    Confidence
    Sensitivity
    Combining Risks
2.5.5 As-Low-As-Reasonably-Practicable (ALARP)
    General
    Cost Effectiveness
    Level of Risk
    Disproportion
    Good Practice
    Societal Concerns
    Other Factors
2.5.6 Documentation during the Risk Analysis
2.6 Documentation
2.6.1 General
2.6.2 Content
2.6.3 Building the Case
2.6.4 Portraying Risks
2.6.5 Presentation of Results
2.7 Reviews
2.7.1 General
2.7.2 Level 2 – Periodic Risk Analysis Products
2.7.3 Level 3 – Semi-Quantitative Risk Analysis Products
2.7.4 Level 4 – Quantitative Risk Analysis Products
    Risk Review Board (RRB) Members
    Risk Product Review Process
2.8 References

Appendices

2A Example Risk Analysis Meeting Agenda
2B Calculation of the Adjusted Cost to Save a Statistical Life (aCSSL)
2C Risk Analysis Meeting Template and Example
2D Risk Analysis Report Template
2E F-N and f-N Templates
2F Example Risk Review Board (RRB) Meeting Agendas
2G Risk Review Board (RRB) Charge Questions
 
LIST OF FIGURES

Figure 2-1 Relationship between Risk Analysis, Risk Assessment, and Risk
Management
Figure 2-2 The Four Inundation Scenarios
Figure 2-3 Residual Risk
Figure 2-4 Level of Risk Framework
Figure 2-5 Relationship of the Levels of Risk Analysis within the Risk Analysis
Process
Figure 2-6 Example of SLPRA Risk Index
Figure 2-7 SLPRA Risk Index Scoring Matrix
Figure 2-8 Example Portrayal of Level 3 Risk Analysis Results
Figure 2-9 Graphic Illustration of ALARP
Figure 2-10 Example of Contributions to Annualized Probability of Failure by
Reservoir Elevation
Figure 2-11 Example of Contributions to Average Annual Life Loss by Reservoir
Elevation
Figure 2-12 Example System Response Probability by Reservoir Elevation
Figure 2-13 Example System Response Probability with Uncertainty by Reservoir
Elevation
Figure 2-14 Example f-N Chart Portraying Uncertainty
Figure 2-15 Example f-N Chart Portraying Specific Nodal Uncertainty for an Individual
Potential Failure Mode

LIST OF TABLES

Table 2-1 Summary of Risk Analysis Levels


Table 2-2 Guidelines for Minimum Qualifications of Key Risk Analysis Personnel
Table 2-3 Example Summary of Annual Probability of Failure and Average Annual
Life Loss for each Potential Failure Mode
Table 2-4 Example of Summarizing Nodal Probabilities
Table 2-5 Example of System Response Summaries by Reservoir Level
Table 2-6 Estimated Number of Risk Review Board (RRB) Members
Table 2-7 Estimated Risk Review Board (RRB) Minimum Review Time

ACRONYMS

AEP annual exceedance probability

ALARP as-low-as-reasonably-practicable

BOR U.S. Department of the Interior, Bureau of Reclamation

CSSL cost to save a statistical life

D2SI Division of Dam Safety and Inspections (FERC)

FEMA Federal Emergency Management Agency

FERC Federal Energy Regulatory Commission

PAR population at risk

PDF probability density function

PFM potential failure mode

PFMA potential failure mode analysis

QRA quantitative risk analysis

RIDM risk-informed decision making

RRB risk review board

SLPRA screening level portfolio risk analysis

SME subject matter expert

SQRA semi-quantitative risk analysis

SSHAC senior seismic hazard analysis committee

USACE U.S. Army Corps of Engineers

VSL value of statistical life

WTP willingness to pay to prevent a statistical fatality

CHAPTER 2
RISK ANALYSIS

2.1 INTRODUCTION

2.1.1 General

The Federal Energy Regulatory Commission (FERC) Division of Dam Safety and
Inspections (D2SI) is responsible for the development, dissemination, and interpretation
of methodology guidance for use in conducting dam safety risk analyses. This document
does not try to describe in detail how to analyze risks. It only describes the general
practices used by those who analyze risks. The current state-of-the-practice for analyzing
dam safety risks is presented in the Best Practices in Dam and Levee Safety Risk
Analysis, a document developed by the Bureau of Reclamation (BOR) and the U.S. Army
Corps of Engineers (USACE) for the purpose of summarizing the overall philosophy,
methods, and approach to risk analysis for dam safety (BOR/USACE, 2015).

2.1.2 Definition

As defined by the International Commission on Large Dams (ICOLD), risk analysis is
“the use of available information to estimate the risk to individuals or populations,
property or the environment, from hazards. Risk analyses generally contain the following
steps: scope definition, hazard identification, and risk estimation.” (ICOLD, 2005).

The risk analysis process involves the scientific characterization of what is known and
what is uncertain about the present and future performance of the dam system under
examination (ICOLD, 2005). It is a structured process aimed at estimating both the
probability of failure of the dam or dam components and the consequences of failure
(often, though not always, restricted to those consequences resulting from uncontrolled
release of the reservoir).

Risk analysis is the first component of risk management, as shown on Figure 2-1 (FEMA,
2015). It is the portion of the process in which the site-specific potential failure modes,
structural performance, and adverse consequences are identified. It is also the process
during which a quantitative or qualitative estimate of the likelihood of occurrence and
magnitude of consequence of these potential events is made. A critical first step in a risk
analysis is identifying the site-specific potential failure modes at a given dam. The
frequency of occurrence of the loadings (e.g., reservoir load levels, floods, earthquakes,
ice loading, etc.) that could initiate potential failure and then cause adverse consequences
is estimated and considered as part of a risk analysis.

Figure 2-1. Relationship between Risk Analysis, Risk Assessment,
and Risk Management (revised from FEMA, 2015)

2.1.3 General Description

Risk analyses can provide valuable input to decisions made at various stages of a project
and serve other important purposes. Risk analysis is a tool that can assist and provide
important insights to the decision making process for a single dam or within an inventory
of dams. Thus, several types of risk analyses can be used as described in Section 2.3.
Risk analysis can be quantitative (i.e., the outputs and inputs are numeric) or qualitative.

The first step common to all types of risk analyses is the identification of site-specific
potential failure modes. (See Chapter 14 of the FERC Engineering Guidelines for the
Evaluation of Hydropower Projects for a description of the Potential Failure Mode
Analysis (PFMA) process). For a given dam or project, all of the relevant types of
loadings that may be experienced should be considered when identifying potential failure
modes. Risk analyses should consider the interactions between individual potential
failure modes in order to properly understand the overall risk and how that risk can be
reduced. The decision framework for a particular structure considers the rolled up risk
across all potential failure modes, which may not be a simple sum of the risk for each
potential failure mode considered individually.

2.1.4 Considerations

The event of interest in a dam safety risk analysis is dam failure, which is defined as a set
of events leading to sudden, rapid, and uncontrolled release of the reservoir impoundment
(USACE, 2014). Further, it is recognized that there are lesser degrees of failure and that
any malfunction or abnormality outside the design assumptions and parameters that
adversely affects a dam’s primary function of impounding water could be considered a
failure (FEMA, 2015). The probability of exceeding an analytical limit state (i.e., factor
of safety less than one) is not the same as the probability of failure. Limit state exceedance is
only one factor to consider and may not necessarily initiate failure of a potential failure
mode. Similarly, the probability of a serious incident is not the same as probability of
failure.

Individual dams are often part of larger infrastructure systems. Within these watershed
systems, risk is attributed to the specific infrastructure that is the source of the risk. This
includes due consideration for cascading impacts in the ‘downstream’ direction. If
failure or non-failure of the dam being assessed would result in overtopping and
subsequent breach of downstream dams and/or levees, then the risk associated with these
cascading failures would be attributed back as a consequence to the dam being assessed.
Risks generated by failures of ‘upstream’ infrastructure are usually not considered at the
downstream dam being assessed. If failure of an upstream dam would result in
overtopping and breach of the dam being assessed, then increases in the magnitude and
frequency of loading caused by failure of the upstream dam would not be included in the
risk estimate.

To support inventory prioritization decisions or to communicate the flood risk from
multiple flooding sources, there may be a benefit in estimating the risk from a systems
perspective in certain situations. These analyses can support improved prioritization
decisions within the larger watershed to obtain more efficient and effective risk reduction
across the inventory. In these special cases, it may be appropriate to evaluate the
cascading impacts of failure in both the ‘upstream’ and ‘downstream’ directions.

The risk analysis results will be reviewed, scrutinized, and debated. The risk analyst or
team must be prepared to explain and defend the logic behind the risk estimate. This
process leads to better decisions in an environment of imperfect information. A group of
experts will rarely agree on all of the details of a risk analysis but can usually obtain
agreement on the key decisions and the path forward. This agreement is achieved by
working for consistency between the risk estimate, recommended actions, and
understanding of the situation (i.e. does it make sense?).

2.2 TYPES OF RISK AND RISK MEASURES

2.2.1 Types of Risk

In the dam safety context there are several different types of risk that can be identified
and estimated. One way to think of these ‘types of risk’ is to first understand under what
conditions water being held by the dam might flow downstream and inundate the
downstream area. These conditions are called inundation scenarios (USACE, 2014). The
risk associated with a dam can be thought of in terms of four inundation scenarios shown
in Figure 2-2. These include:

• breach prior to overtopping
• overtopping with breach
• inundation resulting from partial or complete release of the reservoir due to the
  malfunction of dam components or misoperation
• spillway flow without breach of the dam or overtopping without breach (non-breach)

For the fourth inundation scenario, “spillway flow” means the controlled release of water
through the outlet works or spillway up to and including full outlet works or spillway
discharge.

[Figure 2-2: four panels titled Breach Prior to Overtopping; Overtopping with Breach; Component Malfunction or Misoperation; Spillway Flow Without Breach of the Dam or Overtopping Without Breach]

Figure 2-2. The Four Inundation Scenarios (from USACE, 2014)

From these four different inundation scenarios, three different types of risk can be
estimated. These types of risk include incremental risk, non-breach risk, and residual
risk. Each of these types of risk focuses on a different aspect of risk and is described in
the following sections.

Incremental Risk

The ‘incremental risk’ is the risk (likelihood and consequences) to the reservoir area and
downstream floodplain occupants that can be attributed to the presence of the dam should
the dam breach prior or subsequent to overtopping, or undergo component malfunction or
misoperation, where the consequences considered are over and above those that would
occur without dam breach (USACE, 2014). Incremental risk is what is most often meant
when the generic term ‘risk’ is used. The consequences typically are
due to downstream inundation, but loss of the reservoir can result in significant
consequences upstream of the dam as well.

The incremental consequences are a component of incremental risk and are defined as
follows:

Incremental consequences =
    (consequences associated with the estimated performance of the project with
     breach, component malfunction, or misoperation)
  − (consequences associated with the estimated performance of the project without
     breach, component malfunction, or misoperation)

When this definition is applied to flood-induced breach, the incremental
consequences for a particular inflow flood magnitude are the difference between the
consequences of a dam breach and the consequences of a non-breach at that inflow flood
magnitude.

An important principle of reservoir operations is that a dam is not to be operated at any
time in such a way that the downstream flood severity is greater than it would have been
had the dam not been constructed. This principle will be reflected when assessing and
evaluating the risk associated with the non-breach inundation scenario.

Non-Breach Risk

Even if the dam functions as intended and the dam does not fail, the reservoir area and
the downstream affected floodplains may be in a state of high risk. This risk in the
reservoir area and affected downstream floodplains is due to ‘normal’ operation of the
dam (e.g., large spillway flows within the design capacity that exceed channel capacity) or
‘overtopping of dams without breach’ scenarios. This is referred to as the ‘non-breach’
risk (USACE, 2014). The non-breach risk is essentially the risk that exists even if the
infrastructure performs its intended function without failing.

Most of the information needed to estimate the risk for non-breach scenarios is readily
available from the information gathered to perform a risk analysis to estimate the
incremental risk.

Residual Risk

The risk in the reservoir area and downstream of the dam at any point in time (i.e., prior
to, during, or after implementation of risk reduction measures) is referred to as ‘residual
risk’, i.e. the risk that remains (USACE, 2014). The residual risk associated with a dam
consists of two components as shown in Figure 2-3. It should be noted that the value of
residual risk is the same as the incremental risk for scenarios where there are no non-
breach risks (e.g. normal operation potential failure modes with spillway or outlet works
flows that do not exceed safe channel capacity.) Understanding the two components that
comprise residual risk is important.

[Figure 2-3: Incremental Risk (Breach Prior to Overtopping; Overtopping with Breach; Component Malfunction or Misoperation) AND Non-Breach Risk (Spillway Flow Without Breach of the Dam or Overtopping Without Breach) together make up Residual Risk. Figure notes: Assess, consider, and communicate both the incremental and non-breach risks associated with the dam. The incremental risk informs the DSAC.]

Figure 2-3. Residual Risk (from USACE, 2014)

2.2.2 Risk Measures

Four types of risk measures are to be estimated and provided [1]:

1. Life safety risk – which includes incremental and non-breach risk.

2. Annual probability of failure (APF).

3. Economic considerations – which includes incremental and non-breach consequences.

4. Environment and other non-monetary consequences – which includes incremental and
non-breach consequences.

[1] See Section 2.3 for listing of risk measures to be provided for each level of risk analysis.

Each of these risk measures is discussed in the sections below.

2.2.3 Life Safety

Three types of incremental life safety risk are to be evaluated:

1. Individual incremental life safety risk using probability of life loss for the
identifiable person or group by location that is most at risk of loss of life due to
dam breach.

2. Societal incremental life safety risk expressed in two different ways:

a. Probability distribution of potential life loss.

b. Average annual life loss (AALL).

It is important that the contributions from all individual potential failure modes, loading
types, loading ranges, exposure conditions, subpopulations at risk, etc., are analyzed and
accounted for. This analysis and evaluation of each individual potential failure mode can
lead to an improved understanding of the potential failure modes and the exposure
conditions that most affect the incremental life safety risk. It can also provide insights
that can lead to the identification of both structural and non-structural risk reduction
measures, including interim risk reduction measures.

Non-breach life safety risks will also be considered.

[Link] Individual Incremental Life Safety

The individual incremental life safety risk is represented by the probability of life loss for
the identifiable person or group by location that is most at risk of loss of life due to dam
breach. This is computed from all exposure conditions and all potential failure modes
associated with all loading or initiating events, with due regard for non-mutually
exclusive potential failure modes.

Individual incremental life safety risk should be checked below the main and each
auxiliary structure (e.g., dike, saddle dam, etc.) to verify that the person or group that
is most at risk has been properly identified.

Societal Incremental Life Safety

Probability Distribution of Potential Incremental Life Loss. This societal
incremental life safety risk is represented by a probability distribution of the estimated
annual probability of potential life loss from dam failure or breach, for all loading types
and conditions and all potential failure modes and all population exposure scenarios.
This is displayed as an F-N chart, which is a plot of the cumulative frequency [2] of
incremental life loss of N or more lives (F) vs. incremental loss of life (N) associated
with the incremental flood risk, as shown on Figure 3-3 in Chapter 3.

Average Annual Life Loss (AALL). The value of this metric for a dam should
be estimated from all potential failure modes associated with all loading or initiating
event types and considering all exposure conditions associated with life loss. AALL is
displayed in an f-N chart as shown on Figure 3-4 in Chapter 3. The estimated life loss
plotted on the horizontal scale is the weighted average incremental life loss (N). This
value is averaged over all flood and earthquake loading magnitudes, all potential failure
modes and all exposure conditions (e.g. day and night) that are considered in the risk
analysis. The average value tends to be closer to the life loss estimated for those
potential failure modes that are most likely to occur. Simply put, N is the weighted
average life loss per failure and can be computed as AALL/APF.
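
The F-N exceedance points (probability of N or more lives lost), AALL, APF and the weighted average life loss AALL/APF described above can be computed from per-scenario estimates as follows. This is an added Python illustration, not part of the FERC guidance: the scenario values are constructed, and the scenarios are assumed mutually exclusive so that their annual probabilities can simply be added.

```python
"""F-N points, APF, AALL and weighted average life loss from scenario estimates.

Added illustration. The scenario values are constructed, and the scenarios are
assumed mutually exclusive so that their annual probabilities can be added.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    label: str
    annual_probability: float  # annual probability of this failure scenario
    life_loss: float           # estimated incremental life loss N for it

    def __post_init__(self):
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.label}: probability outside [0, 1]")
        if self.life_loss < 0:
            raise ValueError(f"{self.label}: negative life loss")


# Constructed sample: failure mode / exposure condition combinations.
SCENARIOS = [
    Scenario("PFM A, day exposure", 1e-4, 10),
    Scenario("PFM A, night exposure", 1e-4, 25),
    Scenario("PFM B", 2e-5, 100),
    Scenario("PFM C (no life loss expected)", 5e-4, 0),
]


def annual_probability_of_failure(scenarios):
    """APF: sum of scenario probabilities (valid only if mutually exclusive)."""
    return sum(s.annual_probability for s in scenarios)


def average_annual_life_loss(scenarios):
    """AALL: probability-weighted sum of incremental life loss."""
    return sum(s.annual_probability * s.life_loss for s in scenarios)


def weighted_average_life_loss(scenarios):
    """Weighted average life loss per failure, AALL / APF (f-N chart x-value)."""
    apf = annual_probability_of_failure(scenarios)
    if apf == 0:
        raise ValueError("APF is zero; average life loss per failure is undefined")
    return average_annual_life_loss(scenarios) / apf


def exceedance(scenarios, n, inclusive=True):
    """Annual probability of life loss >= n (F-N chart) or > n (CCDF)."""
    if inclusive:
        return sum(s.annual_probability for s in scenarios if s.life_loss >= n)
    return sum(s.annual_probability for s in scenarios if s.life_loss > n)


def fn_curve(scenarios):
    """(N, F) points of the F-N chart, one per distinct life-loss value."""
    levels = sorted({s.life_loss for s in scenarios})
    return [(n, exceedance(scenarios, n)) for n in levels]


if __name__ == "__main__":
    print(f"APF   = {annual_probability_of_failure(SCENARIOS):.2e} per year")
    print(f"AALL  = {average_annual_life_loss(SCENARIOS):.2e} lives per year")
    print(f"AALL/APF = {weighted_average_life_loss(SCENARIOS):.2f} lives per failure")
    for n, f in fn_curve(SCENARIOS):
        strict = exceedance(SCENARIOS, n, inclusive=False)
        print(f"N = {n:>3}: F(N or more) = {f:.2e}   P(more than N) = {strict:.2e}")
```

At N = 25 the two conventions differ by the probability of the scenario that sits exactly at 25 lives, and the zero-life-loss scenario pulls AALL/APF well below the life loss of any single fatal scenario.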

Non-Breach Life Safety

The life safety risk associated with the non-breach inundation scenario is to be assessed,
communicated, and considered in guiding actions. The non-breach life safety risk is to be
plotted on the cumulative frequency distribution of potential life loss (F-N) chart with the
x-axis showing Life Loss, N, from non-breach flood, as shown on Figure 3-5 in Chapter
3.

2.2.4 Annual Probability of Failure (APF)

Annual probability of failure (APF) will be estimated for those potential failure modes
associated with the incremental risk. Annual probability of failure will be estimated from
all potential failure modes associated with all loading or initiating event types. Although
only the combined annual probability of failure of all potential failure modes is to be
evaluated against this guideline, it is important that the contributions to the APF from the
individual potential failure modes, loading types, loading ranges, exposure scenarios, etc.,
are analyzed. The analysis and evaluation of the individual potential failure modes can
lead to an improved understanding of the potential failure modes that affect the combined
annual probability of failure of the dam. It can also provide insights that can lead to the
identification of both structural and non-structural risk reduction measures, including
interim measures.

[2] In probability textbooks a cumulative (probability) distribution function (CDF) is defined to have probability “less
than or equal to” on the vertical axis and a complementary cumulative (probability) distribution function (CCDF) is
defined to have probability “greater than” on the vertical axis. Although similar to a CCDF, an F-N chart is subtly,
but in some cases importantly, different because it has probability “greater than or equal to” on the vertical axis
rather than “greater than” as in the CCDF.

2.2.5 Economic Considerations

Economic considerations include both the direct losses of the failure of a dam and other
economic impacts on the regional or national economy (USACE, 2014).

Direct losses include the damage to property located downstream from the dam due to
dam failure. These include damage to private and public buildings, contents of buildings,
vehicles, public infrastructure such as roads and bridges, public utility infrastructure,
agricultural crops, agricultural capital, and erosion losses to land. The sudden loss of the
reservoir due to a dam failure could result in losses to property and infrastructure within
the reservoir area (upstream of the dam). Direct losses also include the value from the
loss in services provided by the dam such as hydropower (incremental cost to replace lost
power), water supply (municipal, industrial, irrigation), flood damage reduction,
navigation (incremental cost for alternate transportation, if available), and recreation.

Another category of direct losses is the costs associated with the emergency response
for evacuation and rescue and the additional travel costs associated with closures of roads
and bridges. These losses are commonly included in computing direct economic loss due
to dam failure.

Another potential direct loss is the cost of repairing the damage to the dam. This is a
complicated issue and to some degree depends on the extent of damage to the dam. If the
dam can be repaired, these repair costs may or may not be counted as a direct economic
cost (loss). In the case of catastrophic failure, these rebuilding costs are typically not
included in the direct costs, as the decision to rebuild the dam depends on the post-failure
benefits (which the dam owner would have to evaluate separately) (USACE, 2014).

Indirect economic impacts are those associated with the destruction of property and the
displacement of people due to the failure. The destruction due to the failure flood can
have significant impacts on the local and regional economy as businesses at least
temporarily close resulting in loss of employment and income. Similarly, economic
activity linked to the services provided by the dam will also have consequences. These
would include economic impacts on businesses that provide goods and services for the
recreation activities associated with the reservoir. All these indirect losses then have
ripple or multiplier effects in the rest of the regional and national economy due to the
resulting reduction in spending on goods and services in the region. In this way, a dam
failure can have widespread economic losses throughout the region. These losses are the
increment to losses above those that would have occurred had the dam not failed. These
are often difficult to estimate or substantiate.

In addition to these economic considerations, the dam owner should consider the
financial losses (dam owners’ corporate business losses) and impacts from a dam failure.
These financial losses might include both direct and indirect impacts.

It is strongly recommended that the analysis of economic considerations be performed by
qualified economists.

2.2.6 Environmental and Other Non-Monetary Consequences

A dam failure has both direct and indirect consequences that cannot be measured in
monetary terms (USACE, 2014). These stem from the impacts of the failure flood and
loss of reservoir on environmental, cultural, and historic resources. In most cases, the
assessment of the impacts of dam failure will be the reporting of area and type of habitat
impacted, habitat of threatened and endangered species impacted, number and type of
historic sites impacted, and the number and type of culturally significant areas impacted.

An additional indirect non-monetary consequence could be the exposure of people and
the ecosystem to hazardous and toxic material released from landfills, warehouses, and
other facilities. An estimate of the locations and quantities should be compiled
identifying where significant quantities are concentrated. A potential additional source of
hazardous and toxic material is the sediment accumulated behind the dam. Identifying
and enumerating these indirect hazards could be important enough to require additional
consequence studies including estimating additional fatalities due to exposure to these
hazards. Although these non-monetary consequences may not provide the sole basis for
risk reduction, they can provide additional information for decision making. They can
also be used to identify risks to be managed separately from dam modifications.

Intangible consequences are those that have no directly observable physical dimensions
but exist in the minds, individually and collectively, of those affected. Such
consequences are real and can support decisions. Intangible consequences can include
such things as (ANCOLD, 2003):

• The grief and loss suffered by relatives and friends of those who die;

• The impact of multiple deaths on the psyche of the community in which they
  lived;

• The stress involved in arranging alternative accommodations and income;

• The sense of loss by those who enjoyed the natural landscape destroyed; and

• The fear of lost status and reputation of the dam owning/regulating organization(s)
  and their technical staff.

The effect of these intangible consequences can be observed more noticeably in terms of
increased mental health expenditures and increased suicides.

2.3 LEVELS OF RISK ANALYSES

2.3.1 General

Risk analyses can be performed for a number of different purposes using a variety of
information. The level of detail (and rigor) included in a risk analysis should depend on
the confidence that is required to support the purpose of the risk analysis and the decision
to be made. To that end, the information and the uncertainty reflected in the risk
estimates will also vary. Generally, more detailed risk analyses require more detailed
engineering analyses and studies to try to better understand and reduce the uncertainty,
when and where possible, and increase the confidence in the risk estimates.

In general, dam safety risk analyses can be divided into four broad categories or levels:

Level 1 - Screening Level Risk Analyses
Level 2 - Periodic Risk Analyses
Level 3 - Semi-Quantitative Risk Analyses (SQRA)
Level 4 - Quantitative Risk Analyses (QRA)

Each level provides a different set of tools and methods that are proportionate in terms of
level of effort required, details considered, and confidence in their outcomes. These
levels of risk analyses provide a suite of scalable approaches that provide information to
promote critical thinking and guide a risk analyst’s judgment. The risk analysis methods
applied to each level are scalable and can be applied with varying degrees of effort (time,
resources, and cost) to provide the appropriate level of accuracy, rigor, and confidence
required to make credible risk informed decisions. It is important to understand that
every decision does not necessarily require a high level of rigor, detail, and precision in
the risk estimate in order to support a credible decision. These risk analysis levels vary in
purpose and therefore in the data required, detail, and robustness of analysis, and in
uncertainty and confidence in the results. However, in all cases the level of detail should
only be what is needed to support the decision(s) that will be informed by the risk
analysis. The analysis should be as simple as it can be, but not simpler. Figure 2-4
shows a general framework for each level of risk analysis.

These levels of risk analysis range from qualitative to quantitative approaches. In either
approach a comprehensive identification, written description, discussion, and evaluation
of factors that make events more or less likely to occur for each credible potential failure
mode are documented. The magnitude of consequences related to a potential failure is
also characterized, discussed, and documented.

Qualitative or semi-quantitative risk analyses can be desirable in some cases where it is
desired to apply risk analysis principles to the decision making without the time, cost, and
data/assessment requirements associated with a quantitative risk assessment; for
screening level analyses of an inventory of dams where it is desired to get a quick
evaluation of the risks so that risk reduction studies and actions can be prioritized; and for
sensitive cases that involve external interested parties that are more likely to understand
and accept qualitative assessments rather than detailed numerical analyses (FEMA,
2015).

Figure 2-4. Level of Risk Framework

A brief overview of the characteristics of each level of risk analysis is shown in
Table 2-1. Figure 2-5 illustrates the overall flow of the risk analysis process.

Additional information regarding each of the four levels of risk analysis is included in the
following sections.

Table 2-1. Summary of Risk Analysis Levels

Level 1 - Screening
  Purpose/Outcome: Initial prioritization of inventory. Identify dams that are potentially
    very high risk that require immediate attention. Not appropriate for decisions.
  Type of Risk: Incremental life safety; Economic (in very general terms)
  Typical Level of Effort: Minimal effort. Led by a single individual or small team.
  Loadings: Rapid assessment using simple, readily available tools
  Consequences: Simplified methods
  System Response: Common potential failure modes (PFMs) using simplified tools
  Uncertainty: Qualitative to None

Level 2 - Periodic
  Purpose/Outcome: Identification of all PFMs. Prioritization of additional studies.
    Lowest level of risk analysis for decisions. Prioritization of inventory. Tolerable
    risk evaluation for existing conditions.
  Type of Risk: Incremental life safety; Economic; Other
  Typical Level of Effort: Low to moderate effort. Led by a single individual
    (Independent Consultant) or a small team.
  Loadings: Basic tools/methods to estimate annual exceedance probability (AEP)
  Consequences: Simplified methods
  System Response: Common PFMs using simplified approach
  Uncertainty: Qualitative

Level 3 - SQRA
  Purpose/Outcome: Project-wide assessment of risks. Identification of PFMs needing
    further study.
  Type of Risk: Incremental life safety; Economic; Other
  Typical Level of Effort: Effort can vary greatly depending on PFMs and issues.
    Team-based, facilitated.
  Loadings: Basic tools/methods to estimate AEP
  Consequences: Simple to intermediate methods
  System Response: Comprehensive evaluation of PFMs using semi-quant. approach
  Uncertainty: Qualitative

Level 4A - QRA
  Purpose/Outcome: Lowest level of issue-specific risk analyses to determine if risks
    are tolerable or unacceptable.
  Type of Risk: Individual life safety; Incremental life safety; Non-breach life safety;
    Annual Prob. Failure; Economic; Other
  Typical Level of Effort: Relatively simple/routine models. Team-based, facilitated.
  Loadings: Simple loadings with no challenging technical issues
  Consequences: Relatively simple to estimate. Straightforward.
  System Response: Simple, common PFMs
  Uncertainty: Simple approach to quantify

Level 4B - QRA
  Purpose/Outcome: Intermediate level of issue-specific risk analysis.
  Type of Risk: Individual life safety; Incremental life safety; Non-breach life safety;
    Annual Prob. Failure; Economic; Other
  Typical Level of Effort: Moderate to high level of effort. Team-based, facilitated.
  Loadings: Intermediate difficulty. Use of additional experts may be required.
  Consequences: Intermediate difficulty. Use of additional experts may be required.
  System Response: Intermediate difficulty
  Uncertainty: Moderate approach to quantify

Level 4C - QRA
  Purpose/Outcome: Highest level of issue-specific risk analyses to determine if risks
    are tolerable or unacceptable.
  Type of Risk: Individual life safety; Incremental life safety; Non-breach life safety;
    Annual Prob. Failure; Economic; Other
  Typical Level of Effort: Intense level of effort. Sophisticated/detailed models.
    Team-based, facilitated.
  Loadings: Complex, difficult loadings. Use of additional experts likely to be required.
  Consequences: Challenging and difficult. Use of additional experts likely to be required.
  System Response: Complex, multiple PFMs with multi-disciplinary teams
  Uncertainty: Detailed approach to quantify

Figure 2-5. Relationship of the Levels of Risk Analysis within the Risk Analysis Process
2.3.2 Level 1 - Screening Level Risk Analyses

A screening level risk analysis is a relatively low effort, simplistic method to quickly
assess risks (FEMA, 2015). The method uses simple tools and approaches in a
systematic manner to evaluate each dam within an inventory. The goal is to develop
relative risk estimates for each dam in a way that enables the relative risk among the
dams to be evaluated and priorities for further study or remediation to be established.

In this process, each dam is screened expeditiously to identify the dams requiring urgent
and compelling action with a low chance of missing any such dams. Also, a screening
level risk analysis provides information for preliminary classification/prioritization of the
dams in the inventory. Screening level risk analyses do not provide sufficient
information to confirm that a dam requires no additional risk evaluation. Typically a
screening level risk analysis is performed only once for every dam in an inventory.

Information on loadings, consequences, and analyses that relate to potential failure modes
and serve as inputs to the analysis are very basic and limited, typically consisting of data
already available or prepared just in advance of the screening effort. A screening level
risk analysis can be a valuable tool for identifying uncertainties related to potential failure
modes and significant dam safety issues. It can be used to prioritize additional actions
and more in-depth studies. Screening level risk analyses can either be made
quantitatively or qualitatively (FEMA, 2015).

Typically, screening level risk analyses can be performed by an individual or a small
team of individuals over the course of less than a day to a few days.

Since the results of a screening level risk analysis do not provide absolute values of risk,
the results of screening level risk analyses are not suitable for making a decision whether
the risks of certain potential failure modes are tolerable or unacceptable.

The U.S. Army Corps of Engineers and Bureau of Reclamation developed and
implemented screening-level risk tools early in their risk programs to provide an initial
prioritization of their inventories of hundreds of dams; however, these tools are no longer
being used or supported by these agencies as both have advanced to use higher-level risk
analyses in their risk management processes.

In 2010 FERC developed a screening level risk analysis tool referred to as
screening-level portfolio risk analysis (SLPRA). This risk tool uses a qualitative approach to
estimate failure likelihoods and consequence categories of identified potential failure
modes where the potential failure modes are subdivided into four categories – static,
flood, seismic, and operational. The results for each dam (in the form of potential failure
modes) are plotted in a risk matrix similar to Figure 2-6.

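[Figure 2-6: risk matrix. Vertical axis: Failure Likelihood Category (Remote, Very Low,
Low, High, Very High, Extremely High). Horizontal axis: Consequence Category (0-6, 7, 8,
9, 10, 11). Example potential failure modes plotted: Static - IE emb; Flood - spillway
gates; Seismic - deformation; Flood - IE; Flood - overtopping; Seismic - found liq.]
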
Figure 2-6. Example of SLPRA Risk Index

In order to provide a rough comparison of dams within an inventory, each block in the
matrix can be assigned a numerical value, as shown in Figure 2-7. The highest rated
potential failure mode from each of the static, flood, seismic, and operational categories
can be assigned a score based on where they plot in the matrix, and summed to arrive at
an inventory risk score. It should be noted that if the individual scores for all potential
failure modes were used, the inventory risk score would become unduly influenced by the
number of potential failure modes. It is important to understand that this score would add
no value to the screening level risk analysis results for a given dam and would only be
useful if used in the context of inventory-wide risk-based comparisons.

The inventory risk scores for each dam can be used to list the dams in order from high to
low to provide a relative ranking. However, other factors may affect the priority ranking
for the dams in a given inventory, depending on the needs. Therefore, the results from
Level 1 risk analyses should be used very carefully and consistently, and with a full
understanding of their intended use and limitations.

It should be noted that although FERC has developed a methodology to perform a Level
1 risk analysis, FERC does not require dam owners to perform this level of risk analysis.

Dam owners with multiple dams that may want to prioritize their dam safety activities
may elect to use a screening level methodology such as SLPRA or some other screening
level methodology as an aid to evaluate the relative risks of dams within their inventories.

Failure Likelihood      Consequence Category
Category                 0-6      7      8      9     10     11
Extremely High          1000   3000   5000  10000  30000  50000
Very High                500   1000   3000   5000  10000  30000
High                     300    500   1000   3000   5000  10000
Low                      100    300    500   1000   3000   5000
Very Low                  30    100    300    500   1000   3000
Remote                    10     30    100    300    500   1000

Figure 2-7. SLPRA Risk Index Scoring Matrix
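
The inventory risk score described above can be worked through as follows. This is an added example, not part of the FERC guidelines or the SLPRA tool: the block values are transcribed from Figure 2-7, while the two dams, their potential failure modes, and all function names are constructed for illustration. It also shows why summing every potential failure mode, rather than the highest one per category, lets the number of potential failure modes drive the ranking.

```python
"""Inventory risk score from the SLPRA scoring matrix (Figure 2-7).

Added illustration: the dams and PFM placements below are constructed.
"""

CATEGORIES = ("static", "flood", "seismic", "operational")

# Block values transcribed from Figure 2-7. Columns follow the consequence
# categories 0-6, 7, 8, 9, 10, 11 from left to right.
SCORES = {
    "Extremely High": [1000, 3000, 5000, 10000, 30000, 50000],
    "Very High":      [500, 1000, 3000, 5000, 10000, 30000],
    "High":           [300, 500, 1000, 3000, 5000, 10000],
    "Low":            [100, 300, 500, 1000, 3000, 5000],
    "Very Low":       [30, 100, 300, 500, 1000, 3000],
    "Remote":         [10, 30, 100, 300, 500, 1000],
}


def consequence_column(consequence):
    """Return the matrix column for a consequence category (0..11 or "0-6")."""
    if consequence == "0-6":
        return 0
    value = int(consequence)
    if 0 <= value <= 6:
        return 0
    if 7 <= value <= 11:
        return value - 6
    raise ValueError(f"consequence category out of range: {consequence!r}")


def block_score(likelihood, consequence):
    """Look up the numerical value of one block of the matrix."""
    if likelihood not in SCORES:
        raise ValueError(f"unknown failure likelihood category: {likelihood!r}")
    return SCORES[likelihood][consequence_column(consequence)]


def inventory_risk_score(pfms):
    """Sum the highest-rated PFM from each of the four PFM categories.

    pfms is a list of (category, name, likelihood, consequence) tuples.
    Returns (score, {category: (block score, PFM name)}).
    """
    best = {}
    for category, name, likelihood, consequence in pfms:
        if category not in CATEGORIES:
            raise ValueError(f"unknown PFM category: {category!r}")
        score = block_score(likelihood, consequence)
        if category not in best or score > best[category][0]:
            best[category] = (score, name)
    return sum(score for score, _ in best.values()), best


def sum_of_all_pfms(pfms):
    """The alternative the text warns against: add up every PFM's score."""
    return sum(block_score(lik, cons) for _, _, lik, cons in pfms)


def rank_inventory(inventory):
    """List (inventory risk score, dam) from high to low."""
    scored = [(inventory_risk_score(pfms)[0], dam) for dam, pfms in inventory.items()]
    return sorted(scored, key=lambda item: (-item[0], item[1]))


# Constructed inventory: Dam A has a few PFMs, one of them rated very high;
# Dam B has many PFMs, all of them rated low.
INVENTORY = {
    "Dam A": [
        ("static", "internal erosion, embankment", "Extremely High", 7),
        ("flood", "spillway gate failure", "High", 9),
        ("flood", "overtopping", "Very Low", 8),
        ("seismic", "deformation", "Low", 8),
    ],
    "Dam B": [
        ("static", "internal erosion, embankment", "Low", 9),
        ("static", "internal erosion, foundation", "Low", 9),
        ("static", "conduit leak", "Low", 8),
        ("flood", "overtopping", "Low", 10),
        ("flood", "spillway erosion", "Low", 9),
        ("flood", "gate failure", "Very Low", 10),
        ("seismic", "deformation", "Very Low", 10),
        ("seismic", "foundation liquefaction", "Remote", 11),
        ("operational", "gate misoperation", "Low", 8),
        ("operational", "loss of power", "Very Low", 9),
    ],
}

if __name__ == "__main__":
    for score, dam in rank_inventory(INVENTORY):
        total = sum_of_all_pfms(INVENTORY[dam])
        print(f"{dam}: inventory risk score {score}, sum of all PFMs {total}")
```

With this constructed inventory, Dam A ranks first on the inventory risk score, while summing all potential failure modes would put Dam B first only because it has more of them.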

2.3.3 Level 2 – Periodic Risk Analyses

Periodic risk analyses are more detailed and robust than Level 1 risk analyses. Periodic
risk analyses have evolved from:

1. The need for a more detailed risk characterization than a screening level risk
analysis, because the results of a screening level risk analysis are relatively crude.
The results from a Level 1 risk analysis can provide a relative ranking and
comparison of dams, but the results lack a level of detail and robustness that a
more sophisticated and comprehensive risk analysis provides.

2. The opportunity and ability to leverage an already significant investment in time
and effort to review documents and project information needed to perform a
periodic inspection and evaluation of the project. The Federal Guidelines for
Dam Safety require that all dams undergo a periodic inspection and review that
documents the condition of a dam at a point in time (FEMA, 1979). Significant
effort is required to prepare for these periodic inspections and reviews. This effort
includes reviewing project information, studies, analyses, performance and
monitoring information, and other key project data. Through the course of these
efforts, much project knowledge is amassed and evaluated. The incremental
addition of a periodic risk analysis to this process enhances the value of the effort
since additional engineering analyses and studies are typically not performed
specifically for a periodic risk analysis because the analysis generally relies on
existing information.

A number of Federal agencies have incorporated periodic risk analyses into their periodic
inspection and review programs. Examples include:

1. The risk analysis methodology developed and used by BOR in support of their
Comprehensive Review (CR) process.

2. The risk analysis methodology developed and used by the USACE in support of
their Periodic Assessment (PA) process.

The primary purposes of a Level 2 risk analysis are:

• Evaluate the project potential failure modes and associated risks;

• Identify the need for additional studies and determine the priority for those studies;

• Identify and prioritize any data collection, analyses, and study needs;

• Identify operations and maintenance, monitoring, emergency action plan, training
and other recurrent needs;

• Provide a better understanding of potential failure modes and a basis for future
dam safety inspections and activities; and

• Provide support to inform dam safety decisions for taking action (or not) to better
define risks through higher level studies, or reduce risks.

Level 2 risk analyses use semi-quantitative approaches, although quantitative risk
analysis approaches can be used in some cases. The risk analysis for a periodic dam
safety review can be performed by an individual or by small teams. A periodic risk
analysis focuses on all potential failure modes in order to determine which ones are
considered credible and significant at the dam.

Typically, the only life safety risk estimated from a Level 2 risk analysis is incremental
risk. These risks are portrayed on a risk index or risk matrix chart, on an f-N or F-N plot,
or by some other method. Individual risk and non-breach risk are typically not included
in a Level 2 risk analysis. For those projects where economic consequences and other
consequences (environmental, cultural, etc.) may be significant or large, as a minimum, a
qualitative assessment of those consequences should be provided.

When possible, simple, qualitative assessments of as-low-as-reasonably-practicable
(ALARP; see footnote 3) considerations should be included.

FERC is in the process of developing methodology to perform Level 2 (Periodic) risk
analyses.

2.3.4 Level 3 – Semi-Quantitative Risk Analyses

A Level 3 risk analysis is typically the first step of risk analysis after a credible and
significant PFM(s) has been identified from a Level 1 or Level 2 risk analysis or has
been identified by some other dam safety activity (dam safety inspection concern, dam
safety analysis result, performance monitoring concern, etc.). Level 3 risk analyses are
performed prior to initiating a Level 4 risk analysis on a specific potential failure
mode(s). Level 3 risk analyses typically employ a semi-quantitative risk analysis
method.

The main purpose of a Level 3 risk analysis is to determine which potential failure modes
require additional study and evaluation (Level 4 quantitative risk analysis) and which
potential failure modes do not need additional study or risk analyses.

Level 3 risk analyses are typically the highest level and most robust risk analysis method
that considers the full range of identified potential failure modes. Higher-order risk
analysis methods (Level 4) typically only consider specific potential failure modes.
Level 3 risk analyses are more robust than Level 2 risk analyses and are typically
performed by a small team that is led by a trained risk facilitator. Generally, the results
of these risk analyses are not of sufficient detail or confidence to make decisions about
specific actions to take to implement permanent risk reduction measures; however, the
results should have sufficient confidence to make decisions about specific actions or
additional information needed to better define the risks.

Footnote 3: As-low-as-reasonably-practicable (ALARP) considerations are presented and
discussed in Section 2.5.5.

In general, Level 3 risk analyses:

• Take less time and effort to perform and are therefore less costly compared to
jumping straight into a Level 4 risk analysis.

• Provide valuable information as to what studies would be needed to support a
Level 4 risk analysis as well as the level of robustness those studies will likely
need. This also serves to inform what sublevel of a Level 4 risk analysis is needed
– A, B, or C, as discussed in Section 2.3.5.

Level 3 risk analyses can also be desirable in the following cases:

• A more detailed inventory screening assessment where it is desired to get a more
detailed evaluation of the risks (than a Level 1 or Level 2 risk analysis) so that risk
reduction studies and actions can be further prioritized.

• Non-dam structures, such as canal embankments or tunnels, etc. where it is desired
to apply risk analysis principles to the decision making without the time, cost, and
data/analysis requirements associated with a full-blown quantitative risk analysis.

• Sensitive cases that involve the public to a high degree whereby those involved
(including reviewers) are more likely to understand general descriptors than
full-blown numerical analyses.

The majority of the steps taken to perform a typical Level 3 risk analysis are very similar
to those of a potential failure modes analysis (PFMA) workshop, and include:

• Review basic statistics and key features of the dam (e.g., type of dam, height of
dam, reservoir volume, etc.).

• Review available design reports/design memos, construction photographs, and
engineering studies/reports, site investigations, etc.

• Review historical operating condition loadings (reservoir levels and freeboard).

• Review performance monitoring information from visual observations and
instrumentation.

• Review breach inundation studies (both “sunny day” and flood scenarios)
including probable impacts to downstream dams, roads and bridges, recreation
areas, permanent structures, and other property.

Additional information typically needed beyond that of a PFMA workshop includes:

• Development of flood-frequency hazard curves and flood routings. Of particular
note are the frequency of the flood of record, the frequency of the flood at the
spillway capacity, the projected frequency of the probable maximum flood (PMF),
and the flood frequency at the dam crest. Development of the flood frequency
hazard curves is discussed in the Best Practices for Dam and Levee Safety Risk
Analysis document (BOR/USACE, 2015).

• Development of probabilistic seismic hazard curves. Of particular note are the
ground motions associated with the approximate return period of the maximum
credible earthquake (MCE) and the ground motions used in any previously
performed seismic analyses along with their approximate return period.
Development of the probabilistic seismic hazard curves is discussed in the Best
Practices for Dam and Levee Safety Risk Analysis document (BOR/USACE,
2015).

• Development of consequence estimates. Consequence estimates, generally loss of
human life, for the most critical potential failure mode scenarios and locations are
needed. Interpolation/extrapolation of this information can be used to develop
similar estimates for other potential failure modes and for other potential failure
mode locations. Development of consequence estimates is discussed in the Best
Practices for Dam and Levee Safety Risk Analysis document (BOR/USACE,
2015).

• Other information that would help better define how the structure or feature would
perform given the projected loads (flood, seismic, etc.).

The methodology for performing Level 3 risk analysis is included in the Best Practices
for Dam and Levee Safety Risk Analysis (Semi-Quantitative Risk Analysis chapter)
(BOR/USACE, 2015).

The following steps are taken for each identified potential failure mode:

• Develop/Update/Review the potential failure mode and its full description (See
Chapter 14 of the FERC Engineering Guidelines). It is important to develop the
potential failure mode from initiation, through step-by-step development, to
breach of the dam so that all participants have a common understanding of
what is being estimated. Sketches/figures depicting the PFM location and
pathway can be very valuable. It is also important to understand what the breach
(or uncontrolled release of the reservoir) entails, as this has a direct bearing on the
consequences.

• Develop/Update/Review the factors making the potential failure mode more likely
and less likely to occur, including analysis results and associated load probabilities
where applicable, and identify the key factors.

• Ask each team member to make their individual estimate of the failure likelihood
category prior to further discussion, considering whether the evidence is weighted
more toward likely or unlikely, and then discuss.

• Elicit likelihood categories from each team member, along with the reasoning
behind their estimate. This typically prompts discussion among team members.
After the discussion has died down, the facilitator summarizes what has been said,
proposing a “consensus” likelihood category and the reasoning why it makes
sense, and then asking if there are any objections. If objections are raised,
additional discussion ensues, and the process is repeated. If a consensus cannot be
reached, the range of categories is captured along with the reasons for each.

• A designated recorder captures the information, including the likelihood category
and the rationale for its assignment. The confidence in the rating is also captured,
along with the rationale for its assignment and what additional information could
be gathered to improve the confidence rating, if applicable.

• A similar elicitation process is repeated to arrive at a consequence category for
each potential failure mode. It is especially important during this process to note
differences between the likely breach flows associated with a potential failure
mode, and what has been assumed in the breach inundation studies. In many
cases, the breach outflow associated with a potential failure mode would be
considerably less than assumed in some older inundation studies that were
developed for the purpose of EAPs and not necessarily for estimating life loss
consequences.

Typically the only life safety risk estimated from a Level 3 risk analysis is incremental
risk. These risks are commonly portrayed on a risk index or risk matrix chart, by
potential failure mode, an example of which is provided in Figure 2-8. Individual risk
and non-breach risk are typically not included in a Level 3 risk analysis. A qualitative
assessment of economic risk and other significant risks should also be included.

Simple, qualitative assessments of as-low-as-reasonably-practicable (ALARP)
considerations should be included.

[Figure 2-8: risk matrix. Vertical axis: Likelihood of Failure (Remote, Low, Moderate,
High, Very High). Horizontal axis: Consequence Category (Level 1, Level 2, Level 3,
Level 4, Level 5). Plotted points: SD-1, BD-2, BD-4, BD-16.]

Risk-Driver PFMs:
PFM BD-2: Backward Erosion Piping through the Main Embankment Foundation Material.
PFM BD-4: Concentrated Leak Erosion (Scour) along the Main Embankment Outlet Conduit.
PFM BD-16: Seismically Induced Cracks through the Main Embankment.
PFM SD-1: Concentrated Leak Erosion (Scour) along the Saddle Dike Conduits.

Figure 2-8. Example Portrayal of Level 3 Risk Analysis Results

2.3.5 Level 4 – Quantitative Risk Analyses

Level 4 risk analyses are typically focused on those potential failure modes that have
been identified as credible and significant from the results of the Level 3 risk analysis.
These potential failure modes may require additional engineering analyses, studies, or
investigations to support a quantitative risk analysis. These supporting activities are
completed to aid in quantifying and reducing uncertainty, if possible, and increasing
confidence in the resulting risk estimates. Field explorations, material testing programs,
detailed studies and analyses, or a combination of these may be performed to provide
additional information for the risk analysis. Analyses and studies may focus on loadings,
structural response, consequences, or a combination of these. The results of the Level 3
risk analyses should be used to help focus the scope of the Level 4 risk analysis studies.

Typically the scope of the Level 4 risk analysis is more rigorous than the level of detail
executed in the Level 3 risk analysis and is intended to achieve a defensible, risk-
informed basis for initiating permanent risk reduction studies or modifications or to
decide that the risks are tolerable. Generally, estimates of the risk for potential failure
modes that have some physical or visual manifestation can be established using existing
data and performance history. Such may not be the case for potential failure modes that
do not or have not had some visible or physical manifestation. In those instances the
collection of additional data may be required if the missing data required to assess
performance is not available or cannot be linked to a specific potential failure mode or
observation.

Level 4 risk analyses are conducted primarily to inform the decision for making or not
making dam safety investments. The risk analysis results should confirm that the dam
safety risks are tolerable or not (with due consideration of uncertainty) and inform if risk
reduction activities are warranted. Thus the scope of the Level 4 risk analyses is to
estimate the risk (life safety, economic, and other risks) from all credible and significant
potential failure modes and to estimate the non-breach risk of the dam. Secondary
purposes of Level 4 risk analyses are:

• Verify/revise the prioritization of the project based on the findings;

• Verify if previously developed interim or permanent risk reduction measures are
appropriate or need to be revised or if additional interim or permanent risk
reduction measures are required; and

• Provide information to support prioritization and urgency of permanent risk
reduction studies or modifications.

Level 4 risk analyses are scalable to fit:

• The purpose of the risk analysis;
• The complexity of the issues being studied - both in terms of technical
difficulty/uniqueness of one or more engineering analysis methods and the
potential failure modes or in the sheer number of challenging engineering issues or
potential failure modes;
• The magnitude of the decision – including such things as high consequences,
political or societal considerations, high financial investment being considered,
and other factors;
• Uncertainty and confidence in the risk estimates;
• Ease or difficulty in estimating ALARP considerations; and
• Other factors.

Level 4 risk analyses can be simple and straightforward or can be highly complex and
require sophisticated engineering analyses. To capture this range, Level 4 risk analyses
are subdivided into three sublevels – Sublevel A, B, and C – with increasing robustness
and effort from Sublevel 4A to Sublevel 4C. Typical characteristics of each sublevel are
provided in Table 2-1.

In general, Sublevel 4A risk analyses are the most simplistic and basic quantitative risk
analyses. Typically the loading, consequences, and system response probabilities are
straightforward and do not include technical or analysis challenges; uncertainties are not
large and are not expected to strongly influence the outcome; and ALARP considerations
are relatively easy to determine. At the other extreme, Sublevel 4C risk analyses are
typically very complicated and have technical and/or policy challenges that must be
addressed through state-of-the-art evaluations or analyses. Very often Sublevel 4C risk
analyses have multiple challenging issues in a variety of different subjects. Because of
the complexity of the issues, additional input is needed from highly experienced subject
matter experts. This also translates into increased scrutiny and need for reviews by
similarly experienced individuals. Probabilistic seismic and hydrologic loadings, where
they strongly influence the risk analysis results, will typically require senior seismic
hazard analysis committee (SSHAC)-type approaches as described in Budnitz et al.
(1997) and Kammerer and Ake (2012). In addition, consequence (loss of life and/or
economic) and ALARP considerations can be complicated and require more detailed
evaluations to inform the decision.

Sublevel 4B risk analyses are intermediate quantitative risk analyses and are typically the
most common sublevel risk analysis. Sublevel 4B risk analyses typically include
characteristics of both Sublevel 4A and 4C. Where certain aspects of the risk analysis
(loadings, system response for certain potential failure modes, consequences, ALARP,
etc.) strongly influence the results, additional analysis, robustness, and review may be
needed for those issues and may resemble a Sublevel 4C risk analysis for those issues.
Where aspects of the risk analysis are more straightforward and the final decision is not
sensitive to the results, then those issues more closely resemble a Sublevel 4A risk
analysis.

Through the course of performing a Level 4 risk analysis, the risk analysis might start out
at Sublevel 4A and as the results of preliminary evaluations and analyses become
available, the risk analysis may elevate to Sublevel 4B or 4C. The reverse is also
possible.

Regardless of the sublevel of Level 4 risk analysis, the general steps of a Level 4 risk
analysis include (adapted from USACE, 2014):

• Review/Revise/Update the potential failure mode analysis performed at the Level
3 risk analysis;

• Confirm/Identify which potential failure modes will be carried forward into the
analysis;

• Develop event trees and fault trees (as applicable) for each potential failure mode;

• Develop loading functions (hazard curves) for loading events to be carried forward
in the risk analysis;

• Determine the conditional probability of failure for each potential failure mode
carried forward in the risk analysis;

• Estimate dam breach or other releases that may occur and the inundation
downstream;

• Estimate the consequences associated with each potential failure mode carried
forward in the risk analysis;

• Calculate risk estimates for incremental risk, ‘non-breach’ risk, and other risks;

• Build the case for why the risk estimates make sense and are consistent with the
current conditions of the project;

• Compare the incremental risk to the FERC-D2SI tolerable risk guidelines for life
safety (see Chapter 3); and

• Develop risk reduction alternatives, as appropriate, and evaluate whether risks are
considered ALARP for the alternatives. Build the case for why the recommended
actions are consistent with the risk estimates and conditions of the project.

The FERC-D2SI will provide guidance on the selection of the most appropriate risk
estimating process and methodologies to be employed in a Level 4 risk analysis. USACE
and Reclamation have developed risk analysis methodology guidance. Except as
otherwise noted by FERC-D2SI, risk analyses should use the latest version of the Best
Practices in Dam and Levee Safety Risk Analysis as a guide to the risk analysis process
(BOR/USACE, 2015).

Typically the entire suite of risks is estimated for a Level 4 risk analysis. These include
incremental life safety risk, non-breach risk, individual risk, economic risk, and other
significant risks.

Level 4 risk analyses are also performed in support of permanent risk reduction
modification studies. The risk analysis supporting these studies leads to definitive
decisions and documentation to support dam safety actions to achieve reduction in
life-safety risk, economic risk, and environmental risks. Additional data is typically gathered,
as appropriate, to support the decision to be made. The primary purposes of the Level 4
risk analysis for these studies are the determination or update of the risk estimate for the
incremental and non-breach risk; identification, evaluation, documentation support for,
and recommendation of, long-term risk management measures; and the estimation of the
incremental risk, the ‘non-breach’ risk, and residual risk of the remediated project.

The risk analysis developed in support of risk reduction studies must be reviewed and
updated at the 90-percent final design and again after implementation of the risk
reduction measures (i.e., after construction) to determine if the risk management
objectives were achieved. Generally this is not a large effort unless details emerge from
the design or construction that impact the risk estimates. The scope of this work will
vary depending on the potential failure mode being addressed, the design and
construction details, and how well the risk reduction alternative was originally defined.

2.4 RISK TEAM

The composition of risk teams for risk analyses depends on the level of the risk analysis,
the complexity and diversity of the potential failure modes being evaluated, and other
factors. In a very general sense,

• Level 1 risk analyses are typically performed by an individual that may or may not
have input or assistance from other subject-specific experts.

• Level 2 risk analyses are typically led by an individual with input provided from
one or more subject-specific individuals.

• Level 3 risk analyses are typically performed by a small team of individuals that
cover a broad range of expertise and led by an experienced risk facilitator.

• Level 4 risk analyses are typically performed by a multi-disciplinary team of
individuals that cover a broad range of expertise and led by an experienced risk
facilitator.

2.4.1 Composition

Risk teams typically vary in composition depending on the purpose, scope, level of risk
analysis, complexity, technical issues, and other factors being evaluated in the risk
analysis. In general, all risk teams for Level 3 and Level 4 risk analyses include:

1. One or more facilitators (or co-facilitators)
2. Subject matter experts
3. One or more note-takers

Other key individuals participating on the risk team include:

1. Project manager – An overall project manager should be assigned to establish,
monitor, track, and revise the project scope, schedule, and budget, as appropriate,
and to coordinate the many individuals and entities that may be involved in the
risk analysis.

2. Support personnel – Those individuals responsible for performing engineering
analyses and evaluations and gathering information in support of the risk analyses.

3. Owner personnel – These include engineering managers, dam safety personnel,
operations and maintenance personnel, and other dam owner personnel who have
knowledge of the project.

4. FERC staff – Dam safety engineers from headquarters and regional offices.

5. Review personnel – Internal or external reviewers, depending on project
requirements.

6. Software operator – For Level 4 risk analyses, one or more software operators are
required.

7. Other personnel – These may include personnel from emergency management
agencies, current and former Part 12D independent consultants, engineering
consultants with prior experience with the project, other regulators, and others.

Some of the personnel listed above may serve as the facilitator, subject-matter experts, or
note-taker, provided they meet the qualifications described in Section 2.4.3.

In addition, other interested parties and observers may be in attendance during all or parts
of a risk analysis meeting.

2.4.2 Roles and Responsibilities

The composition of a risk analysis team is similar to that of the PFMA core team
described in Chapter 14 of the FERC Engineering Guidelines, with the exception of the
addition of a software operator to the risk analysis team. However, the roles and
responsibilities of these team members are typically much more defined in a risk analysis,
as described in the sections below.

[Link] Facilitators

Facilitation is a critical part of the process to develop credible risk estimates during the
risk analysis meeting (BOR/USACE, 2015). In general, the facilitator:

• Meets with the team prior to a risk analysis to ensure engineering analyses are
completed to support the team risk analysis and ensure the team composition is
appropriate to develop credible risk estimates.

• Facilitates the team risk analysis, helping the team develop potential failure
modes, event trees, strategies for estimating risks, and developing ranges of
likelihood and consequence estimates.

• Reviews the final report ensuring that:

1. there is enough description that someone picking up the report in the future
can understand what the team was thinking and why;
2. the team’s estimates, factors, and justifications have been captured in the
report;
3. all work has been performed correctly and in accordance with sound risk
analysis principles; and
4. the results are adequately portrayed, and the case has been made as to why
they make sense. (The facilitator is not typically the author of the report,
but can be.)

Facilitators shoulder a heavy load as they are primarily tasked to ensure (BOR/USACE,
2015):

• Risk analysis methodologies are followed to develop risk estimates
• The methods used during the analysis are consistent with current practice
• Alternative viewpoints are elicited, discussed, and recorded
• The team contains the appropriate staff to arrive at a credible risk estimate
• The final report contains potential failure modes that are adequately described
with sufficient documentation to support the team’s risk estimates
• The case built reflects the information developed during the risk assessment
• The case built follows the general principles described in Section 2.6.3

The facilitator leads the risk analysis meeting to ensure the meeting stays on track and
that the team focuses on the issues to be addressed. The facilitator may have kick-off
discussions on the objectives of the risk analysis (owner’s needs, regulatory
requirements, etc.); team makeup; constraints of time, manpower, lack of knowledge;
bias; or work already accomplished (including previous risk analyses).

The facilitator monitors the flow of the meeting and initiates adjustments during the
meeting to help maintain focus. The facilitator may use the verbal descriptors provided
in the section on Subjective Probability and Expert Elicitation in the Best Practices in
Dam and Levee Safety Risk Analysis document (BOR/USACE, 2015) during the meeting
to help the team in formulating their probability estimates.

The facilitator is responsible for ensuring the risk estimates are solicited and provided by
only those members of the risk team that have the requisite qualifications to provide the
risk estimate for each node or estimate being provided. Individuals providing risk
estimates should meet the qualifications of a subject matter expert for the appropriate
level of risk analysis as discussed in Section [Link]. The facilitator does NOT provide
risk estimates during the course of the risk analysis meeting, but should point out
inconsistencies or other information that the facilitator feels the team has not adequately
considered.

Flip charts are useful in that they provide a permanent record of the team discussions, and
allow the facilitator to capture important points of the discussion without having to direct
a note taker (BOR/USACE, 2015). The facilitator also works with the note taker and
software operator throughout the meeting to ensure the proper information is being
collected for future documentation.

It has proven to be advantageous to have two facilitators present for the risk analysis
meeting. This permits both facilitators to remain focused throughout the process by
switching off and supporting the facilitation process. It also provides senior level
knowledge to help facilitate difficult areas of the risk analysis that are specific to a given
engineering practice, and provides an opportunity for less experienced facilitators to learn
from more senior facilitators. This practice of using two facilitators, and the associated
cost, has proven to be extremely valuable. For some risk analyses, the co-facilitators may
not be needed.

[Link] Subject Matter Experts

Subject matter experts (SME’s) are those select members of the risk analysis team that
provide qualitative or quantitative risk estimates based on their knowledge, experience,
and judgment within their area(s) of expertise/technical discipline. Other members of the
risk team may provide comments, discussion, and even presentation of information,
results of engineering analyses/evaluations, or summary of some other type of
information; however, typically only subject matter experts provide risk estimates.

Other tasks and roles that SME’s fulfill:

• Review project data and engineering analyses
• Critically challenge analysis assumptions and findings and determine adequacy of
analyses/information available
• Understand limitations of data/applicability of analyses/etc.
• Provide expert judgment when additional analyses are needed

SME’s only provide risk estimates for those issues for which they have the requisite
knowledge and expertise. SME’s must know the limits of their technical expertise.

[Link] Note Taker

The note taker is perhaps the second most important person in a risk analysis (other than
the facilitator). It is the responsibility of the note taker to capture, in writing, the key
discussions and concepts during the risk analysis. A good note taker can capture a group
discussion in a few sentences and does not attempt to simply record each statement made.
Comprehensive notes are of utmost importance as they form much of the content of the
risk analysis report and record the key inputs, assumptions, and thoughts of the subject
matter experts in building the case for the results of the risk analysis.

The note taker should make sure all notes are clear and capture the discussions of the
group, including the intermediate decisions that are made prior to moving on to the next
subject. It can be helpful if the note taker uses a computer projector to display the notes
in real-time during the risk analysis meeting. This helps so that the participants can see
what is being captured and to make sure the notes adequately capture the information,
intent, and decisions. (A word of caution - the risk team members cannot get caught up
in wordsmithing each and every word of the notes. Otherwise, the risk meeting will get
bogged down and progress will come to a halt. Wordsmithing should be reserved for
reviewing the final report.)

Other tips:

• Taking notes during a risk analysis meeting is distinctly different than
administrative note taking. It is extremely helpful if the note taker is an engineer
with knowledge of the project in general. This is important because the note taker
must be familiar with engineering terms and concepts so that they can be
captured appropriately and in a timely manner during the discussions.

• It can be more efficient if the note taker is the primary author of the risk analysis
report. This provides an added motivation for the note taker to record good notes
and can improve the quality of the final product.

• It is also important to identify a backup or secondary note taker to supplement or
provide a backup set of notes in case the primary note taker becomes distracted or
cannot be present.

[Link] Software Operator

A software operator is required for Level 4 risk analyses. The software operator is
responsible for inputting risk analysis estimates into the computational risk software.
The software operator should be trained in the software being used and should have a
clear understanding of probability theory associated with risk analyses. When possible,
risk estimates should be input into the software as close to real time as possible so that
results can be vetted and missing or incorrect information can be corrected or adjusted.
Many times it will not be possible to input the risk estimates in real time because of the
complexity of the event tree construction and other factors. Generally the risk analysis
should not be delayed in waiting for the software operator to complete their tasks.
Instead, the risk analysis should proceed so long as adequate notes have been captured by
the note taker.

[Link] Others

Other personnel in attendance at the risk analysis meeting may include supporting
personnel (operations/maintenance personnel, engineering support staff, emergency
management personnel, and management staff) and interested parties/observers. These
individuals typically participate in the discussions during the risk analysis meeting, but
generally do not provide risk estimates unless they have the qualifications of a subject
matter expert.

Owner’s staff – The owner’s staff/personnel may serve various roles on the risk team
provided they meet the qualifications. The owner’s personnel may serve as SME’s for
various aspects and topics of the risk analysis. For example, operations personnel may
serve as SME’s for operational aspects of the risk analyses. Engineering staff and
managers may serve as SME’s for those issues for which they possess the technical
abilities and experience, provided they meet the qualifications of an SME.

FERC staff – FERC personnel may serve as an SME for those issues for which they possess
the technical abilities and experience, provided they meet the qualifications of an SME.
It should be
noted that the presence of FERC personnel at the risk analysis meeting does not
constitute an endorsement or agreement of the FERC with the final results of the risk
analysis.

Independent Consultant – The independent consultant may serve as an SME for those
issues for which they possess the technical abilities and experience, provided they meet
the qualifications of an SME. An independent consultant cannot serve as a risk analysis
facilitator for those
projects in which they also served as the independent consultant within the last ten years.

Some additional guidance:

1. Diversity in the members of the risk team is an important factor in a successful risk
analysis. Participation from only the owner or only from members of a single
company or organization can lead to a strong bias in the results and outcome and
may invalidate the risk analysis results. This may not be avoidable, but should be
recognized.

2. Not everyone present at the risk analysis meeting provides a risk estimate. It is the
responsibility of the facilitator, working with the individuals in the room, to
determine who provides estimates for each node of each potential failure mode.
Inclusivity is not an objective of a risk analysis. Individuals must have the
requisite knowledge, experience, and qualifications to provide risk estimates.

2.4.3 Qualifications

The following sections present a brief summary and general guidance regarding the
background, experience, training, and other qualifications of key risk analysis team
personnel.

It is recognized by the FERC that the qualifications presented in this section are lofty and
may be difficult to attain in the initial stages of risk analysis in support of RIDM. In
special circumstances, FERC may elect to reduce the minimum qualifications of certain
key risk personnel described in this section when, in the opinion of the FERC, the
qualifications of those individuals will not adversely impact the execution or results of
the risk analysis study.

[Link] Facilitators

The minimum qualifications of a risk analysis facilitator depend on the level of risk
analysis; guidelines are listed in Table 2-2.

A co-facilitator or secondary facilitator does not have to meet the qualifications of a
facilitator provided that the lead facilitator is present and monitoring the work of the
co-facilitator and intervening, if needed.

[Link] Subject Matter Experts

The determination of the minimum qualifications/experience of an SME is difficult and,
like those for a facilitator, depends on the level of the risk analysis. Table 2-2 provides
guidelines for minimum qualifications for an SME. It is recognized that not all SME’s are
equal.

Ideally each risk team will have four to six qualified SME’s as risk estimators
for each risk estimate. Not all SME’s will be qualified to provide risk estimates for each
and every node or risk estimate. The facilitator will make the determination as to which
SME’s will serve as risk estimators for each node or risk estimate beforehand. Too many
risk estimators can lengthen the time and effort of the risk analysis while too few risk
estimators will not result in enough input from individuals with different experience or
understanding to have a valid estimate.

Experience has shown that it will likely be difficult to find four to six SME’s for risk
estimates that are related to loading (seismic and hydrologic) as well as consequences. In
these cases it may be acceptable to reduce the number of SME’s to two to three for these
particular estimates, as well as for other relatively straightforward estimates as
determined by the facilitator.

[Link] Note Taker

The minimum qualifications of the note taker are listed in Table 2-2. The note taker
should be an engineer with at least five years of dam safety experience.

The note taker should have verbal and written command of the English language and be
able to type or write quickly enough to capture and document key information and
discussions.
The note taker should have the ability to understand engineering terminology and
technical discussions and to discern what points and discussions are important to capture.

[Link] Software Operator

The minimum qualifications of the software operator are listed in Table 2-2. The software
operator should be an engineer with at least five years of dam safety experience and
should have training and experience in using the risk analysis software being used for
the risk analysis. It is also important that the software operator have excellent
spreadsheet and software skills. Like the note taker, the software operator should have
the ability to understand engineering terminology and technical discussions and to
discern what points and discussions are important to capture.

Table 2-2. Guidelines for Minimum Qualifications of Key Risk Analysis Personnel
Columns: Facilitator (Level 2 Periodic, Level 3 SQRA, Level 4A QRA, Level 4B QRA, Level 4C QRA), Subject Matter Expert, Software Operator, Note Taker/Recorder

Dam Safety Experience
Years of dam safety experience (investigations, studies, designs, construction, etc.): 10 10 15 20 20 10 5 5
Primary author on dam analysis, design, or construction (number of technical papers or significant reports authored): 5 5 7 10 5
Lead reviewer or member on expert panel/board for dam studies, design, or construction (number of projects): 4
Lead technical role for one or more technical disciplines for dam analyses (number of projects): 2 2 4 4 5
Author, presenter, or participant in dam failure or incident case history (number of case histories): 2 3 4 5 1

Risk Analysis Experience (number of projects)
Participant as a subject matter expert (SME) for a risk analysis: 2 2 4 6
Primary author of Level 3 risk analysis reports: 2
Primary author of Level 4 risk analysis reports: 2 2
3rd party reviewer/independent review of Level 3 risk analysis reports: 2
3rd party reviewer/independent review of Level 4 risk analysis reports: 2 5
Facilitated level 3 risk analyses: 2
Facilitated level 4A risk analyses: 2
Facilitated level 4B risk analyses: 2
Primary author of a technical publication on dam safety risk analysis: 2

Training*
Base Courses
Overview of Risk Analyses: R R R R R R R R
Best Practices in Dam Safety Risk Analyses: R R R R R S S
Level 2 Risk Analyses: R
Level 3 Risk Analyses: R R R R R
Facilitation: R R R S
Loadings and Consequences
Hydrologic Loading: S S S R R
Seismic Loading: S S S S R
Consequences: S S S R R
Failure Modes and Risks
Internal Erosion Mechanics: S R
Internal Erosion Risks: S R
Overtopping/Overwash/Erosion of Soil and Rock: S R
Seismic Analysis of Concrete Structures and Gates: S R
Seismic Analysis of Embankments: S R
Operational Risks: S S R R
Risk Analysis
Failure Modes and Event Tree Construction: S R R R
Risk Analysis Software Tools: S R R R
Portrayal of Risks to Support Decisions: S R R

Other
Professional License Requirements: PE PE PE PE PE PE/PG
Regularly participates in professional society meetings/conferences/workshops/publications (USSD, ASDSO, or similar): Yes; Yes, typically a member; Yes, typically a technical committee member; Yes, typically a technical committee member; Yes, typically a member

R – Strongly Recommended
S – Suggested
*Training courses listed in this table are currently being developed by FERC. A training course schedule will be published and updated by FERC.

2.5 EXECUTION

2.5.1 Preparing for a Risk Analysis

Good planning, preparation, and communication are essential elements to a successful
risk analysis. Ignoring or not fully integrating any one of these factors into the risk
analysis process will likely result in an inadequate risk analysis that could jeopardize the
results of the analysis and nullify the decision.

[Link] Plan

A detailed risk analysis project plan must be developed prior to initiating Level 3 and
Level 4 risk analysis work. At a minimum, the risk analysis project plan must include:

1. The objective(s)/purpose of the risk analysis.
2. Project description.
3. Summary of prior work, including a list and category for each potential failure
mode from the most recent Part 12D inspection report.
4. The scope of work for the level (and sublevel as appropriate) of risk analysis,
including any additional engineering analyses needed to support the risk analysis.
5. The proposed project team, including qualifications of individuals, roles and
responsibilities, communication protocols, etc.
6. Any special considerations, such as proposed deviations from risk methodologies
described in Section 2.5.4 or special considerations in the evaluation of ALARP
described in Section 2.5.5.
7. The project schedule, including key milestones, meetings, and product delivery
dates.
8. List of deliverables.

The scope of work must contain a detailed description of data preparation and site
characterization efforts and must identify any hydrologic, seismic, consequence analyses,
or instrumentation evaluations, etc. needed to adequately understand, evaluate, portray,
and communicate the risk at the project and project purpose accomplishments. In some
cases additional site geologic information or testing may be required.

Five copies of the risk analysis project plan must be submitted to the FERC Regional
Engineer for review and acceptance. The risk analysis project plan should be submitted
to the FERC a minimum of six months prior to initiating any investigation, analyses, or
other efforts in preparation of the risk analysis work. FERC will review the plan and
provide comments to the dam owner within 60 days of receiving the plan.

It is highly advised that a scoping meeting(s) be conducted with FERC staff prior to
developing the risk analysis project plan. FERC staff can provide guidance on
expectations, potential pitfalls, and discuss potential scope and needs for engineering
analyses in support of the risk analysis. It is recommended that the scoping meeting(s)
take place prior to submitting the risk analysis project plan and a follow up meeting(s)
take place a minimum of three months prior to any facilitated risk analysis meetings to
make sure all the preparation tasks are on schedule and the required information will be
available in sufficient time for the facilitated risk analysis meeting. These coordination
meetings may be face-to-face or web-based/conference calls.

[Link] Preparation

All information relevant to the level of risk analysis to be conducted should be compiled
prior to the risk analysis. Preparing for a risk analysis takes substantial effort. Lack of
preparation is also the leading cause of schedule delays in conducting a facilitated risk
analysis meeting/elicitation and of the need to conduct subsequent risk analysis meetings,
which lead to project schedule and budget growth. Preparation activities for Level 3 and
4 risk analyses include:

1. Compile all available project information/files.

2. Identify additional information/analyses/etc. needed to perform the risk analysis.
These include analyses to support:

a. Loadings
b. Engineering evaluations and analyses to support system response estimates
c. Consequences

3. Meeting preparation and logistics.

Compile Background Information – All background information on the project must be
identified, gathered, collected, and assimilated for review by the risk team. This
information should be provided to the risk team prior to the facilitated risk analysis
meeting and would also need to be available during the risk analysis meeting. The
general rule is: collect all information on the project. If there is a question about the need
to bring/collect certain material, the facilitator and owner should discuss this in advance.

The types of material that should be collected and reviewed (if available) are identical to
that required for a PFMA session (See Chapter 14, FERC Engineering Guidelines) and
include but are not limited to:

• Original and subsequent design investigations and planning study reports and
exploration data (boring logs, laboratory testing reports, etc.).
• Original and subsequent design memos, analyses, design drawings and original
construction reports/photographs/inspection reports/as-built drawings/etc.
• Any FERC or state agency construction inspection reports (these have been found
to be extremely useful, particularly if the original construction predates the Federal
Power Act).
• The most recent surveys for each of the project structures (i.e. horizontal and
vertical survey data). A detailed survey of the crest of all structures including
principal and emergency spillway crest elevations to confirm the freeboard
assumed in the discussions. Elevations of natural grounds that could result in
overflows around the structures should be considered. Also, the datum of the
project relative to surrounding grounds should be stated (i.e., conversion of project
records to NGVD).
• Recent and historic meteorological and pertinent river records from project or
nearby dam or gage records ([Link]
• Current hydrologic studies and the associated flood routings and any hazard /
consequence analyses.
• Operation records (particularly historic) of primary and secondary (e.g. fuse plugs)
spillway discharge rating curves, mechanism and response times for opening (i.e.,
stanchion gates, bulkheads, flashboards, gates) and problems (i.e., ice, debris).
• The most recent seismic loading parameters that have been prepared for the site
and print records of recent seismic activity ([Link]
• The current Emergency Action Plan.
• The most up-to-date aerial photographs of the downstream areas that could
potentially be impacted by failure of the project structures.
• Current or most recent dam safety engineering analyses, including stability and
stress analyses.
• The most recent monitoring and instrumentation data along with the historic
records of monitoring data (Dam Safety Surveillance and Monitoring Plan and
Reports). Large scale, easily readable, plots of monitoring data over the life of the
dam have proven extremely valuable and should be available at the PFMA
session. The licensee or consultant should also provide verification that the
instrumentation is properly functioning.
• The most recent underwater inspection report(s).
• Any incident reports.

The owner should establish a means to retain/archive all the information collected for the
risk analysis meeting. Appropriate information discovered, collected, or generated from
the risk analysis work should be included in an update of the Supporting Technical
Information Document (STID).

Assessment of Additional Work/Analyses - Once all the available information and
background data has been compiled and reviewed, the risk team must assess what
additional information, analysis, or work is needed, if any, for the risk analysis. The level
of detail and scope of the information and analyses needed for the risk analysis will be
based on the level and complexity of the risk analysis. Sensitivity, uncertainty, and
confidence needs will also influence this.

Loading information/analyses

Examples of information/analyses that might be needed to provide input to additional
engineering analyses and the risk analysis include:

• Daily reservoir and tailwater data to develop reservoir elevation stage-frequency
curves.
• Stream gage data to support development of hydrologic loading frequency curves.
• Need for more detailed hydrologic studies (paleoflood, site-specific precipitation,
stochastic modeling, etc.) to support hydrologic loading frequency curves.
• Need for more detailed seismic studies to support the development of probabilistic
seismic hazard curves and other seismic hazard inputs (time history curves, spectral
acceleration, etc.).

Based on the results of the loading analyses, the team will have to determine if the results
of the existing engineering analyses can be used or if supplemental engineering analyses
are needed due to changes in seismic or hydrologic loading.

System response information/analysis

Additional information and analyses may be needed in support of system response
estimates. Examples may include:

• Developing geotechnical/geological cross sections at key locations to be able to
assess the continuity of various units/deposits.
• Plotting piezometric water surface(s) on geologic cross sections to be able to
understand the movement of groundwater and estimate hydraulic gradients
through subsurface materials.
• Preparing detailed drawings that synthesize all pertinent data including boring
logs, instrumentation, geologic features, laboratory data, etc.
• Plotting gradation tests of various embankment or foundation materials.
• Plotting laboratory test results to estimate the mean and range of material property
values.
• Performing filter compatibility analysis of various subsurface materials.
• Performing engineering evaluations (stability, seepage, deformation, stress,
erodibility, etc.), including sensitivity analysis and probabilistic analysis, where
appropriate.

Additional information and guidance is provided in the Best Practices for Dam and Levee
Risk Analysis (BOR/USACE, 2015).

Consequence information/analysis

Consequence estimates should be based on reservoir levels corresponding to potential
failure modes, dam break studies, and associated flood routing/inundation studies. The
team should evaluate if the current inundation mapping scenarios are appropriate and can
be used for consequence estimates or if additional supplemental analyses are required.
Additional dam breach and inundation mapping may be required if the current analyses
do not adequately model the breach characteristics (location, timing, width, etc.) of the
potential failure mode(s) being modeled and reasonable extrapolations or interpolations
cannot be made with confidence. Additional information in support of the risk analyses
may include:

• Population estimates within the inundation area
• Dam failure flood flow characteristics such as depth, velocity, and travel time
• Estimates of warning times and mobilization rates/effectiveness
• Evacuation routes
• Economic estimates
• Other factors

Meeting Preparation and Logistics – Some advice related to meeting logistics:

• Meetings should be scheduled far in advance. Risk facilitators and many subject
matter experts have full work schedules and coordinating such ‘in-demand’
individuals can be difficult. Rescheduling meetings can add significant delays to
the project schedule.

• Background information and reports should be readily available on-site at the risk
analysis meeting. Not all information has to be in hard copy form. Key pieces of
information should be captured for inclusion in the report.

• Flip charts and white boards should be available so figures and sketches can be
displayed to the participants. Large size non-distorted scale drawings posted on
the walls allow for sketching potential failure modes with proper appreciation for
differential heads, gradients, etc. Cameras should be available to capture these
images.

• A projector(s) should be used to capture and review written notes being taken
during the risk analysis and to display drawings, photographs, and other data that
may be available.

• The meeting room size and environmental considerations (noise, temperature,
lighting, etc.) should be appropriate for the number of participants expected to
attend the meeting. It may be more challenging to find appropriate meeting
rooms/locations for larger size groups.

[Link] Communication

Communication is a critical element to the success of a risk analysis. Depending on the
level of risk analysis and complexity of the technical issues, risk analysis teams can be
small in size or can be large and include participants from numerous agencies,
organizations, and departments. In every case, communication of information to all
parties is critical. Some good communication practices for risk analyses include:

• Schedule an initial kickoff meeting with all parties. Communicate the overall plan
to conduct the risk analysis, including scope of work and schedule. Identify
critical milestones and information needed by whom and by when.

• Communicate changes to the scope of work and schedule changes with all parties
in a timely fashion.

• Record written meeting minutes and provide copies of the minutes to all parties.
Highlight/summarize key decisions, issues, and actions in the minutes, identifying
responsible parties and schedule commitments.

• Identify and resolve issues in a timely fashion.

2.5.2 Risk Analysis Meeting

If the risk team has been chosen properly, people will enter the risk analysis meeting with
the appropriate expertise, an open mind, and a willingness to achieve the best possible
results (BOR/USACE, 2015). When this occurs, appropriate interactions take place, and
additional ideas expand from those being discussed. This type of approach reaches a
better conclusion than any of the individual members could have on their own. However,
sometimes the team may stumble along one or more of the following lines. The risk
analysis facilitator must recognize when this is occurring, and try to direct the group
toward a more positive direction (BOR/USACE, 2015).

 A dominant individual may drive the way the team goes by “bullying” everyone
into thinking the way they do. It takes a fairly strong facilitator to deal with this,
and usually requires emphasizing and bringing out the opposing point of view as
well as drawing others into the conversation.

 People may not say what they really feel for fear of appearing unknowledgeable,
and will tend to go along with the rest of the group even though they have
important input. This requires the facilitator to draw out their opinions by
directing questions specifically at these individuals.

 A contrary individual may have valuable information even though their approach
to communication may be difficult or challenging to the rest of the group. This
information and these opinions should not be quickly dismissed without due
consideration.

 The group gets tired due to the rigors of the meeting, and people agree just to get it
done. The facilitator is not immune to this trap. If it is obvious that proper
attention is not being paid to something, it is important to stop, take a break, and
discuss ways to invest proper time for the evaluation.

[Link] Meeting Preparation

Preparation for a risk analysis meeting is discussed in Section 2.5.1 above. Strong
consideration should be given to delaying the risk analysis elicitation meeting if:

 Important information is missing or unavailable.
 The results of any engineering analyses performed to support the risk analysis are
not yet available.
 Key personnel (facilitator, key subject matter experts, etc.) are not able to attend
the meeting.

Conducting the meeting without this information or key personnel has the potential to
jeopardize the results of the risk analysis and may cause the need for a follow-on meeting
to be scheduled.

[Link] Meeting Agenda

An example risk analysis meeting agenda is included in Appendix 2A. The agenda for
each risk analysis meeting will vary depending on the project-specific issues.

[Link] Conducting the Risk Analysis

A critical first step in a risk analysis is an evaluation of the design, construction, analysis,
and performance of a dam and an identification of the specific potential failure modes
that apply to that dam. If critical potential failure modes are overlooked, the risk analysis
results will be incomplete and misleading.

It should be recognized that each dam is unique in terms of purpose, geologic setting,
design, structure, operations, and consequences. While certain dams may be similar to
other dams in type, design, and size, there are unique factors that need to be considered
when identifying potential failure modes and estimating risk.

Facilitators help the team through a PFMA and the risk analysis process. The facilitator
contributes to the process by bringing experience with risk analysis, consistency in
approach, and knowledge of latest technology in risk analysis, and by serving as a resource to the
risk team for technical input and questions (BOR/USACE, 2015). The facilitator must be
experienced and generally familiar with most aspects of dam design, construction, and
behavior. In addition, skills are needed to guide a team through the process. Facilitation
is a critical part of the process to develop credible risk estimates.

The facilitators are primarily tasked to ensure appropriate risk methodologies are
followed to develop risk estimates; the methods used during the risk analysis meeting are
consistent with current practice; alternative viewpoints are elicited, discussed, and
recorded; the team contains the appropriate staff to arrive at a credible risk estimate; the
final risk analysis report contains potential failure modes that are adequately described;
the recommendations reflect the information developed during the risk analysis; and the risk
analysis report adheres to the principles and guidance provided in these risk guidelines
(BOR/USACE, 2015).

[Link] Heuristics and Bias

Heuristics and bias are important concepts to be aware of in conducting a risk analysis.
Bias is a particular tendency, trend, inclination, feeling, or opinion, especially one that is
preconceived or unreasoned. Biases can be systematic errors that one makes in specified
circumstances. A heuristic is a simple procedure that helps find adequate, though often
imperfect, answers to difficult questions - a kind of mental and often unconscious
shortcut. Both heuristics and bias can have a dramatic and negative influence in the
elicitation of risk estimates. These must be recognized, and to the extent possible, the
risk analysis facilitator must strive to minimize their impacts to the estimates. Vick
(2002) describes many of these in detail. Some common heuristics and biases include
(adapted from Kahneman, 2011):

• Affect Heuristic – Judgments and decisions made by consulting one’s emotions
without consideration of the applicable information. (How do I feel about it?)
• Anchoring Effect – Occurs when one considers a particular value for an unknown
quantity before developing an estimate for that quantity. Estimates then stay close
to the initial number one considered. Any number that you are asked to consider
as a possible solution prior to an estimate will induce an anchoring effect.
Adjustment is a deliberate attempt to find reasons to move away from the anchor.
Adjustments almost always end prematurely.
• Availability Heuristic – The process of judging frequency by the ease with which
instances come to mind.
• Certainty Effect – Outcomes that are almost certain are given less weight than
their probability justifies.
• Confirmation Bias – People seek data that are likely to be compatible with the
beliefs they currently hold. They favor uncritical acceptance of suggestions and
exaggeration of the likelihood of extreme and improbable events.
• Conjunctive Fallacy – Occurs when one judges a conjunction of two events more
probable than one of the events by itself.
• Halo Effect - A common bias that plays a large role in shaping our view of people
and situations. The tendency to like (or dislike) everything about a person or
situation – including things you have not observed. Increases the weight of first
impressions (people, situations, information) sometimes to the point that
subsequent information is wasted or ignored.
• Hindsight Bias – The inability to reconstruct past beliefs will cause one to
underestimate the extent to which one was surprised by past events.
• Intuitive Predictions – These predictions are generally biased and tend to be
overconfident and overly extreme. Individuals have not learned to identify the
situations in which their intuition will betray them. The unrecognized limits of
professional skill help explain why experts are often overconfident. Whether
professionals have a chance to develop intuitive experience depends essentially on
the quality and speed of feedback, as well as on sufficient experience to practice.
• Narrative Fallacy - Flawed stories of the past shape our views of the world and
our expectations (predictions) for the future. We constantly fool ourselves by
constructing flimsy accounts of the past and believing they are true.
• Optimistic Bias – Everything is always good. One sees only the favorable side of the
argument.
• Outcome Bias – People are influenced by the planned result or past results.
• Planning Fallacy – Overly optimistic forecasts of the outcome of projects.
Unrealistically close to the best-case scenario (planning and cost estimating).
• Plausibility vs Probability - They are not equal, but some folks treat them as
though they are.
• Possibility Effect – Causes highly unlikely outcomes to be weighted
disproportionately more than they deserve.

• Probability Neglect – The amount of concern is not adequately sensitive to the
probability of harm. You are imagining the numerator and ignoring the
denominator. An example – your teenager is late getting home.
• Probability of the Rare Event - People overestimate the probability of rare
events and overweight unlikely events.
• Subjective Confidence - Unrecognized limits of professional skill can lead to
overconfidence in experts. The main obstacle is that subjective confidence is
determined by the coherence of the story one has constructed, not by the quality
and amount of information that supports it. “A compelling narrative fosters an
illusion of inevitability.” “Organizations that take the word of overconfident
experts can expect costly consequences.”
• The ‘Law of Small Numbers’ – A general bias that favors certainty over doubt.
People are not adequately sensitive to sample size.

2.5.3 Software

Event tree analysis is a well-established method for risk analysis in the nuclear, chemical,
and aerospace industries (Srivastav, 2008). It has also become a common approach for
dam safety risk analysis. For more information on event tree construction, see Best
Practices for Dam and Levee Risk Analyses (BOR/USACE, 2015).

To facilitate event tree analysis, several risk software tools have been developed. In the
United States, two primary risk software tools have been used: DAMRAE and Palisade’s
Decision Tools Suite (that includes Precision Tree and @Risk). Each of these tools has
advantages as well as limitations. Internationally, other risk software tools have also
been used.

No single risk software tool is required by the FERC to perform the computational
functions of a risk analysis. Risk software tools need to be able to perform the required
calculations properly and inputs and outputs need to be clearly identified and
documented. It is highly recommended that the risk software being proposed for the risk
analysis be discussed with the FERC prior to initiating any risk analysis work.

2.5.4 Methodology

[Link] General

FERC is responsible for the development, dissemination, and interpretation of
methodology guidance for use in conducting dam safety risk analyses. As the state of the
practice for risk analysis continuously evolves and improves, the FERC should be
contacted for the most current risk analysis guidance. The Best Practices for Dam and
Levee Risk Analyses has been developed jointly between the USACE and the BOR for the
purpose of summarizing the overall philosophy, methods, and approach to risk analysis
for dam safety (BOR/USACE, 2015). The BOR/USACE ‘Best Practices’ manual is
generally maintained and updated on an as needed basis. The current version of the ‘Best
Practices’ manual may be obtained from BOR (refer to web link in references) or from
the USACE. Unless otherwise directed by FERC, the risk teams should use the ‘Best
Practices’ manual to guide their efforts in determining the loads, the conditional
probability of failure associated with each failure mode, and the consequences associated
with each potential failure mode.

The methodology contained in the ‘Best Practices’ manual provides a suite of scalable
analysis approaches that provide information to promote critical thinking and guide a risk
analyst’s (facilitator or subject matter expert) judgment. These methods are scalable and
can be applied with varying degrees of effort (time and cost) to provide the appropriate
level of accuracy and rigor required to make credible risk estimates. It is important to
understand that every decision does not require a high level of rigor, detail, and accuracy
in the risk estimate in order to support a credible decision.

Risk teams and those that are responsible for conducting risk analyses are accountable for
understanding the methodology, making and documenting credible and transparent
decisions on key input parameters, explaining why the results either do or do not make
sense, and adjusting the risk estimate accordingly (USACE, 2014). This will require
some judgment and team elicitation to translate the results obtained from the risk
methodologies and other likelihood factors to a logical risk estimate. The risk analysis
team must apply an understanding of the potential failure modes, key factors,
uncertainties, and sensitivities to obtain a risk estimate that they are willing and able to
defend with a set of logical arguments.

All risk estimates must include due consideration for intervention. Intervention includes
those actions that can lead to preventing a breach from occurring or mitigating the
consequences of a breach (USACE, 2014). Successful intervention requires taking
actions to detect a developing potential failure mode and then taking actions to arrest
further development of the potential failure mode. Risk estimates should include with
and without intervention scenarios, as appropriate. It is important to understand the
potential benefits of intervention while at the same time not masking the potential
seriousness of a dam safety issue by using intervention to reduce the estimated risk.

[Link] Quantitative Risk Estimates

Risk estimates for significant potential failure modes (those potential failure modes that
contribute to the total risk, including those potential failure modes that have the ability to
result in intolerable risks) are to be portrayed in the form of the mean estimate of risk
(expected value), whether it is individual potential failure mode estimates or total risk,
and the range (distribution) about the mean that includes due consideration of the
uncertainty of the estimate.

[Link] Uncertainty Framework

Uncertainty is the result of imperfect knowledge about the present or future state of a
system, event, situation, or population under consideration (FEMA, 2015). Uncertainty is
used to portray variability or a range of values for loads, consequences, conditional
response estimates, and risk estimates, rather than a single point estimate for those values.

At the simplest of levels, two main groups of uncertainty exist; these are aleatory (or
stochastic) and epistemic (or knowledge-based) uncertainty. The most important
distinction between these two types of uncertainty, at a practical level, is that the
knowledge-based uncertainty may be reduced by further study, should a reduction in the
overall uncertainty in the results from an analysis prove necessary. The aleatory
uncertainty, on the other hand, is by definition irreducible.

All risk estimates must give due consideration of uncertainty. This can be accomplished
either qualitatively or quantitatively depending on the needs of the risk assessment.

The quantification of risk estimates is dependent on available data and analyses regarding
the design, construction, performance and current condition of a dam. It also depends on
the identified loads that the dam could be subjected to over its operating life and
knowledge about how the downstream population would be affected by a flood resulting
from a dam breach. It is acknowledged that the quantification of risk estimates includes a
degree of subjectivity regardless of how the estimates are made, and is a function of
group dynamics, the experience and associated judgment of group members, models used
in the analyses, and the available information for a dam. Thus, uncertainty in the risk
estimates is expected. This uncertainty is typically captured by assigning ranges to
probability and consequences estimates.

Key areas of uncertainty are to be identified and their potential effect on the risk estimate
and resulting decisions presented.

[Link] Confidence

An assessment of the confidence the risk team has for each risk estimate should be
documented for each nodal probability or risk estimate made by the team. Confidence is
a qualitative measure of belief that the information, engineering analysis results, and risk
estimate are reasonable (BOR, 2011). Confidence is used to describe how sure the risk
analyst/team is about the risk estimate.

Factors that influence confidence include:

 Quantity and quality of the information available
 Representativeness of the information
 Information/analysis results accurately capture the expected performance

When assigning confidence descriptors, the reasoning behind the descriptor, and the
information that could be gathered to improve the rating should also be captured in the
documentation. Examples of confidence statements include:

 “Given a known diverse and heterogeneous foundation material that is
characterized by limited borings of questionable quality, the risk team had a low
confidence in the probability of a foundation flaw estimate.”

 “The plethora of high quality test data indicated a wide range in unconfined
compressive strengths of the concrete. Although the range is large, there is high
confidence in the data and the resulting risk estimates.”

Care must be taken so as not to confuse confidence with uncertainty. One can be highly
confident that there is a small range of uncertainty.

[Link] Sensitivity

Sensitivity is a measure of how much risk estimates change when key input assumptions
(i.e. nodal risk estimates) are varied (BOR, 2011). This is characterized by performing
sensitivity analyses, varying the probability of variables that most affect the outcome of
the risk analysis, and examining the resulting effects on the risk estimates.

Sensitivity studies should be used to assist in defining ranges of uncertainty of risk
estimates. In addition, results from sensitivity studies should be used to judge the relative
“confidence” in risk estimates and/or resulting conclusions. For example, if parametric
studies indicate a relatively minor difference in estimated risks, there would be
confidence in the risk estimates. Conversely, if varying the parameter over a reasonable
range results in a significant change in potential risks or conclusions, there would be less
confidence.

Risk analysis results that include sensitivity studies should provide information on what
would happen if more information was gathered, and whether the information is
important (USACE, 2014). Plausible and reasonable upper and lower bound values for
variables in question should be chosen and processed. When this test causes the
perceived risk to change significantly and confidence in the expected value is not high,
action or additional studies may be warranted to obtain additional information. A change
is significant if it changes the risk tolerability or decision. Additional reasoning to show
why the upper or lower bound values are plausible and reasonable is necessary to support
a recommendation for acquiring additional information and why the additional
information being requested is likely to reduce the uncertainty.
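
The sensitivity test described above can be worked through on a single event tree branch. The following Python sketch is an added example and is not part of the FERC guidelines; the node names, the low/best/high values, and the tolerability threshold are all constructed for illustration.

```python
from math import prod

# Constructed elicitation results for one hypothetical potential failure mode:
# node name -> (reasonable lower bound, best estimate, reasonable upper bound).
NODES = {
    "annual_load_probability": (1e-3, 2e-3, 5e-3),
    "flaw_exists":             (0.01, 0.05, 0.60),
    "erosion_initiates":       (0.20, 0.50, 0.90),
    "progression_continues":   (0.10, 0.40, 0.80),
    "intervention_fails":      (0.20, 0.50, 1.00),
}

# Assumed threshold, for illustration only. The guidelines define the
# tolerable risk reference line in Chapter 3, not in this section.
ASSUMED_LIMIT = 1e-4


def annual_failure_probability(values):
    """Multiply the load probability and the conditional node
    probabilities along one event tree branch."""
    for name, p in values.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name}: {p} is not a probability")
    return prod(values.values())


def best_estimates(nodes):
    """Extract the best-estimate value of every node."""
    return {name: best for name, (_, best, _) in nodes.items()}


def tolerable(afp, limit=ASSUMED_LIMIT):
    """True when the estimate falls below the assumed threshold."""
    return afp < limit


def one_at_a_time(nodes, limit=ASSUMED_LIMIT):
    """Vary each node over its bounds while the others stay at their best
    estimate, and record whether the tolerability call changes."""
    base_values = best_estimates(nodes)
    base = annual_failure_probability(base_values)
    rows = []
    for name, (low, _, high) in nodes.items():
        lo = annual_failure_probability({**base_values, name: low})
        hi = annual_failure_probability({**base_values, name: high})
        flips = (tolerable(lo, limit) != tolerable(base, limit)
                 or tolerable(hi, limit) != tolerable(base, limit))
        rows.append({
            "node": name,
            "low": lo,
            "high": hi,
            "swing": hi / lo if lo > 0 else float("inf"),
            "changes_decision": flips,
        })
    # Largest swing first: these nodes drive the estimate the most.
    rows.sort(key=lambda r: r["swing"], reverse=True)
    return base, rows


def significant_nodes(nodes, limit=ASSUMED_LIMIT):
    """Nodes whose plausible range changes the tolerability call, which is
    the text's test for a significant change."""
    _, rows = one_at_a_time(nodes, limit)
    return [r["node"] for r in rows if r["changes_decision"]]


def without_intervention(nodes, node="intervention_fails"):
    """Best-estimate result for the no-intervention scenario."""
    values = best_estimates(nodes)
    values[node] = 1.0
    return annual_failure_probability(values)


if __name__ == "__main__":
    base, rows = one_at_a_time(NODES)
    print(f"best estimate {base:.2e}, tolerable: {tolerable(base)}")
    for r in rows:
        print(f"{r['node']:<26} {r['low']:.2e} .. {r['high']:.2e} "
              f"swing x{r['swing']:.1f} changes decision: {r['changes_decision']}")
    print(f"without intervention {without_intervention(NODES):.2e}")
```

With these constructed inputs only the foundation flaw node moves the estimate across the assumed threshold, so it is the node for which additional information would be worth requesting.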

[Link] Combining Risks

After all potential failure modes have been identified, described, and evaluated relative to
the risk they pose, the results need to be combined so that the technical reviewers and
decision makers can understand and act upon them (FEMA, 2015). This requires some
attention to detail, which if not undertaken properly, can result in an improper portrayal
of the risk. During Level 4 risk analyses, estimates of risk are generated for individual
potential failure modes. These estimates include probability or risk values for different
loading conditions, loading ranges, potential failure modes, spatial segments, or other
situations. Not only do the individual estimates result from an aggregation of their own
constituents, but they themselves are often combined in some way to express their
collective effect. Independence is an important concept when evaluating and combining
risks. In practice, the most common problems encountered during risk analyses are
related to systems, correlations, common-cause loading, and combining risks. Although
the methods to evaluate these issues can be complex, some simplifications can be applied
to situations commonly seen when evaluating risks for dams. The ‘Best Practices’
manual provides the details on how to properly combine risks (BOR/USACE, 2015).

2.5.5 As-Low-As-Reasonably-Practicable (ALARP)

[Link] General

ALARP is a principle that states that risks, lower than the tolerable risk reference line, are
tolerable only if risk reduction is impracticable or if the next increment of risk reduction
is not cost effective compared to the improvement gained (USACE, 2014, revised from
ICOLD, 2005). The answers to the questions: “When are risks low enough?” “What
actions are reasonable?” and “What actions are practicable?” are key ALARP risk
considerations that require subjective judgment (USACE, 2014). These considerations
provide a way to address efficiency in reducing risks.

The general ALARP concept is that risk reduction beyond a certain level may not be
justified if further risk reduction is impracticable or if the cost is grossly disproportionate
to the benefits obtained by the risk reduction. This is graphically illustrated in Figure 2-7.
ALARP only has meaning in evaluating risk reduction measures – it cannot be applied
to an existing risk without considering the options to reduce that risk. Consideration of
ALARP is a matter of judgment.

Judgments are required to make an assessment regarding tolerable risk. Tolerable risk, as
defined by ICOLD (2005) and adapted from HSE (2001a) is, “a risk within a range that
society can live with (1) so as to secure certain net benefits. It is (2) a range of risk that
we do not regard as negligible or as something we might ignore, but rather as something
we need to (3) keep under review and (4) reduce it still further if and as we can.” Each of
these conditions has implications for dam safety (Bowles, 2007).

Figure 2-9. Graphic Illustration of ALARP. (Talbot, 2015)

The ALARP principle is represented as condition (4) in the paragraph above.

ALARP requires a range of options for risk reduction to be considered. For a risk to be
ALARP it must be possible to demonstrate that the cost involved in reducing the risk
further would be grossly disproportionate to the benefit gained (Victoria DSE, 2012).

Unfortunately there is no mathematical formula or ‘seven-step process’ available to
determine ALARP. Instead, there are a number of factors that must be evaluated and
considered to judge ALARP. To make a judgment on whether risks are ALARP, the
following factors must be considered (adapted from NSW, 2010):

 The cost-effectiveness of the risk reduction measures;
 The level of risk in relation to the tolerable risk guidelines;
 The disproportion between the sacrifice (money, time, trouble and effort) in
implementing the risk reduction measures and the subsequent risk reduction
achieved;
 Any relevant recognized good practice; and
 Societal concerns as revealed by consultation with the community and other
stakeholders.

Each of these factors is discussed in the following sections.

ALARP is a requirement of Level 4 risk analyses. ALARP, in a qualitative sense, can be
evaluated in Level 2 or 3 risk analyses when trying to build the case for why risk results
are ‘tolerable’. See Chapter 3 for more discussion on what constitutes ‘tolerable’ risk.

Additional background and guidance on ALARP can be found in HSE 2001a, HSE
2001b, HSE 2003, HSE 2006, HSE 2008a, HSE 2008b, and HSE 2008c.

[Link] Cost Effectiveness

The cost to save a statistical life (CSSL) is a measure of cost effectiveness in achieving
an increment of life safety risk reduction. CSSL is not a value placed on a human life.
Adjusted CSSL, or aCSSL, is a function of:

1. Cost of the alternative risk reduction plan ($/yr)
2. Economic consequences ($/yr)
3. O&M costs ($/yr)
4. Life loss (lives/yr)

The last three items in the list above are the difference between with and without
implementing the alternative risk reduction plan. The aCSSL formula is shown in
Appendix 2B.

A negative value of aCSSL is taken as zero.

aCSSL should be estimated for each risk reduction alternative that could reduce the risk
below the tolerable risk reference line, starting at or below the tolerable risk reference
line.

Assessment of aCSSL is included in Chapter 3, Risk Assessment.

[Link] Level of Risk

For individual risk and societal risks that fall below the tolerable risk reference line, the
higher the risk (closer to the tolerable risk reference line shown on Figures 3-3 and 3-4 in
Chapter 3), the less weight that is given to the cost of achieving risk reduction. In this
context, the level of risk does not refer to the four levels of risk analysis described in
these risk guidelines. Instead, the level of risk in this context refers to the value, either
qualitatively or quantitatively, of the risk estimate and how high or low that value is
relative to the tolerable risk reference line.

Assessment of level of risk is included in Chapter 3, Risk Assessment.

[Link] Disproportion

Disproportion is a concept used to test whether an investment in risk reduction is grossly
disproportionate to the benefits that result from an avoided fatality.

Disproportionality is used as a justification to reduce the risk below the tolerable risk
reference line. The disproportion between the sacrifice (money, time, trouble and effort)
in implementing the risk reduction measure and the subsequent risk reduction achieved is
to be evaluated using the disproportionality between the sacrifice and the risk reduction
achieved. This entails the concept of "willingness-to-pay-to-prevent-a-statistical-fatality"
(WTP), commonly referred to by the Office of Management and Budget (OMB, 2003) and
other federal agencies as the "value-of-statistical-life" (VSL) (USACE, 2014). VSL is
used by OMB, the United States Department of Transportation (USDOT) (USDOT,
2014), and other federal agencies to evaluate the case for regulating risk or investing in
life-saving risk reduction measures.

The risk measure for disproportionality is the ratio of the CSSL divided by WTP.

Disproportionality ratio = CSSL/WTP

The value to use for VSL is the current value used by US Department of Transportation
(USDOT) (USDOT, 2014). That information is available in the US DOT report titled,
“Guidance on Treatment of the Economic Value of a Statistical Life in U.S. Department
of Transportation Analyses” (USDOT, 2014). As of June 2014 USDOT uses a value for
VSL of US$9.2M. The USDOT provides annual updates of VSL.

Assessment of disproportionality is included in Chapter 3, Risk Assessment.

[Link] Good Practice

Relevant good practice is taken to be an industry consensus of what is ALARP (HSE,
2001a). Good practice is considered an upper bound to tolerable risk (HSE, 2003).

Examples of good practice (modified from Victoria, DSE, 2012) are:

 a comprehensive and robust dam safety surveillance and monitoring plan
(DSSMP), including instrumentation alarm and threshold levels and notification
protocols;
 a well-developed and exercised dam safety emergency action plan (EAP);
 a well-developed owner’s dam safety plan (ODSP) that includes:
   o practices relating to building organizational dam safety management
     capability and capacity through training of personnel and cross functional
     resource sharing and benchmarking practices;
   o routine and non-routine maintenance reviews and activities;
   o leadership development and organizational resilience practices;
   o adopting a “defense in depth” approach to critical operating systems;
   o application of enterprise risk management, sound organizational
     governance and associated quality assurance; and
   o routine dam safety inspections.
 up-to-date, easily accessible documentation, including key drawings and other
figures/tables, on the dam and other critical structures; most recent Part 12D report
and other engineering documentation in the Supporting Technical Information
Document (STID);
 up-to-date engineering analyses and evaluations that provide documentation that
the dam and facility meet all current FERC Engineering Guidelines.

Assessment of good practice is included in Chapter 3, Risk Assessment.

[Link] Societal Concerns

Societal concerns are defined (HSE, 2001a) as:

“...risks or threats from hazards which impact on society and which, if realised, could
have adverse repercussions for the institutions responsible for putting in place the
provisions and arrangements for protecting people, e.g. Parliament or the Government of
the day. This type of concern is often associated with hazards that give rise to risks
which, were they to materialise, could provoke a socio-political response, e.g. risk of
events causing widespread or large scale detriment or the occurrence of multiple
fatalities in a single event”.

HSE (2001a) further notes that hazards giving rise to societal concerns generally share a
number of common features:

 They give rise to risks which could cause multiple fatalities;
 It is difficult for people to estimate intuitively the actual threat; and
 Exposure involves vulnerable groups, e.g. children, where the risks and benefits
tend to be unevenly distributed.

Assessment of societal factors is included in Chapter 3, Risk Assessment.

[Link] Other Factors

There are several other factors that can assist in the assessment of ALARP. These
include (from Victoria DSE, 2012):

 Duration that the risk applies – a greater focus on risk reduction may be prudent
for potential failure modes associated with enduring risks compared to shorter
term risks, although ANCOLD stresses that this is not necessarily the case. Short
duration of risk here is not to be confused with rare events or low failure
probability. In principle though, risk is expressed as an intensity (that is, as
likelihood of consequences per annum) and intensity is not affected by duration.

 Availability of risk reduction options – in some situations, for some potential
failure modes, it may not be possible to identify additional viable risk reduction
options, thus justifying an ALARP determination. Owners will need to be mindful
of technological and other developments and review this assessment periodically.

 Creation of new risks – risk reduction can itself be risky. In some cases reducing
dam safety risks cannot be done without creating new and poorly understood risks.
In such a situation, evaluation of ALARP may conclude that it is better to leave
things as they are.

 Adequacy of the potential failure modes analysis – the determination of ALARP
should be based on no less than a contemporary, thorough and expert assessment
of potential failure modes. Owners will need to remain informed of any changes
to the body of knowledge regarding potential failure modes, which may result in
new potential failure modes being considered or modifications to event trees
associated with existing potential failure modes.

 Consideration of standards based approaches – satisfaction of contemporary


engineering standards may assist with justifying an ALARP determination.
Having met standards, there may be additional simple, low-cost risk reduction
measures that could also be considered by dam owners and managers to further
reduce risk.

 Benchmarking – Very little information is available in the U.S. on benchmarking


dam safety risks among dam owners. However, where benchmarking information
may be available, in the form of precedents set forth by other dam owners in the
literature, this information could provide helpful information about investment and
rate of risk reduction, particularly as risk diminishes over time with increasing
investment, and this feedback information could help inform owner investment
decisions.

At a minimum, the above ALARP factors must be evaluated and clearly presented in the
risk analysis report. Each ALARP factor must be considered and an overall assessment
of the ALARP factors for each potential failure mode must be presented. See Section
2.6.3 for more discussion on ‘Building the Case’.

2.5.6 Documentation during the Risk Analysis

Documentation during the course of performing the risk analysis is essential. Important
information, results of engineering analyses, and key factors are weighed and discussed
during the course of the meeting. It is important to capture that information and those
discussions, and to document which key pieces of information influenced the subject matter
experts in their risk estimates. Far too often this information is not adequately captured,
and weeks or months later, when the risk report is being prepared, it is long
forgotten or imperfectly remembered. This contributes to weak justifications for
the risk estimates and for the subsequent decisions that need to be made from the risk
analysis.

In an effort to improve capturing this information during the risk analysis meeting and to
facilitate the transfer of this information into the risk analysis report, a template has been
developed that can be used by the note taker. This template and examples of its use are
included in Appendix 2C.

2.6 DOCUMENTATION

2.6.1 General

The objective of the risk analysis report is to present clear, thorough, logical, and rational
documentation of the analysis and results that accurately portray the risk analysis and
recommended course of action in a manner and style that is to be read and understood by
both the dam owner and FERC. The three basic risk components, (i.e. load probability,
response probability, and consequences) should portray the dam's existing condition and
ability to withstand future loading, the risk estimates, and provide the basis for the
recommended actions. Since uncertainty is inherent in data, analysis, and conclusions/
interpretations, the documentation should also address whether confidence is high enough
for the recommendations to stand on the basis of existing evidence. The basis for the
recommended actions should be documented in an objective, transparent manner,
portraying the data, analysis, findings and any associated uncertainties in data or analysis
on a factual basis.

A general risk analysis report outline is provided in Appendix 2D. The report outline
should be revised to reflect the level of risk analysis, project-specific components, and
analyses performed for the risk analysis work.

2.6.2 Content

The risk analysis report should present information regarding two main issues. Firstly,
data, analysis, and conclusions should support the portrayal of risk, and secondly, the risk
analysis report must substantiate the uncertainty and confidence in the risk estimates, and
whether additional exploration, investigation, or analysis has a reasonable likelihood of
changing the perceived risk.

It is the factual information and associated interpretation presented in the risk analysis
report that determines whether the risk numbers generated and the actions recommended
make sense or 'feel right' in light of an understanding of the condition of the facility and
its recent history of structural behavior (USACE, 2014). For many dams, the volume of
available information can be substantial. The process of sorting through this information,
pulling out the most applicable data (instrument, geological, geotechnical, construction
and current condition photographs, drawings, etc.) and then assimilating it into a useful
and concise format is extremely important for understanding the dam and foundation
characteristics and how they relate to potential failure modes.

A risk analysis report built upon sensitivity studies should investigate what would happen
if more information was gathered, and whether the information is important (BOR,
2011). Plausible and reasonable upper and lower bound values for variables in question
can be chosen and processed through whatever assessment is being considered. When
this test causes the perceived risk to move significantly, action may be warranted to
obtain additional information. A move is significant if it changes the risk tolerability.
Additional reasoning to show why the upper or lower bound values are plausible and
reasonable is necessary to support a recommendation for acquiring additional information
and why the additional information being requested is likely to reduce the uncertainty.

The risk report appendices are not to be a data dump. Only the pertinent information that
supports the risk estimates should be included in the appendices. Including hundreds or
thousands of pages of information that were not used in the risk analysis is not useful to
anyone.

2.6.3 Building the Case

The dam safety case is built from a number of arguments successively demonstrated to be
valid (BOR/USACE, 2015). A simple argument consists of a single claim, evidence to
support that claim, and reasoning to suggest how and why the evidence justifies the
claim. The dam safety case should be clearly and thoughtfully developed so that all
descriptions and terms are easy to understand by the prime audience, all arguments are
cogent and coherently developed, all references are easily accessible, and all conclusions
are fully supported and follow logically from the arguments.

Numerical risk estimates are based on judgments, are typically subjective, and include
varying degrees of uncertainty. Numerical risk estimates by themselves provide an
incomplete basis for dam safety decision making (FEMA, 2015). Understanding the
basis of the risk estimates is as important as or more important than the risk numbers
themselves. There are a number of factors that should also be considered, including the
uncertainty and confidence in the risk estimates. The dam safety case is a logical and
objective set of arguments that provides supporting justification for the numerical risk
estimates and is used to advocate a position that either additional safety-related action is
justified or that no additional safety-related action is justified (FEMA, 2015). A well-
constructed dam safety case should cite the most compelling information that supports
the risk estimates and the overall findings and also discuss the uncertainties that were
identified in the risk analysis.

The arguments combine together key evidence regarding the three basic risk components
(load probability, response likelihood, and consequences) in order to support decisions
related to a dam's existing condition or ability to withstand future loading (FEMA, 2015).
The risk analysis team is in the best position to provide the supporting arguments for the
risk analysis estimates. The risk analysis team should also identify a suite of options for
additional actions to better define or reduce risk, if there is justification for taking actions.

Further guidance on ‘Building the Case’ is included in the ‘Best Practices’ manual
(BOR/USACE, 2015).

2.6.4 Portraying Risks

Risk analysis results can be presented in a number of forms, including tables, charts, and
figures. One common method includes the use of f-N or F-N charts. The usual format of
these charts features a frequency of dam failure, f (also known as annual probability of
failure) versus weighted average life loss, N̄ (f-N plot) or a cumulative frequency of N or
more incremental life loss, F versus incremental life loss, N (F-N). Both axes are
expressed using a log scale.

On the f-N plot, potential failure modes are usually deaggregated to provide a separate
f-N pair coordinate point for each potential failure mode. Results can be aggregated in
other ways to obtain estimates of the total risk, risk by load ranges, or for any other
combination that is needed by the decision maker(s). The “f” values are obtained by
summing the probabilities for the end branches of relevant event tree pathways. The “N”
values are obtained by first summing the product of the probability and incremental
consequences for the end branches of relevant event tree pathways. The resulting f*N
value is then divided by the corresponding f value to obtain the weighted average value
for N̄.

On the F-N plot, the end branch probabilities are accumulated by consequence level
irrespective of potential failure mode. A cumulative curve is developed and plotted
showing the frequency of N or more lives lost.
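
The f-N and F-N bookkeeping described above, as an added Python example that is not part of the FERC guidelines. The end-branch values are constructed sample data and the function names are hypothetical; it assumes the end branches are mutually exclusive, so their annual probabilities can be summed.

```python
"""f-N points and F-N curve from event tree end branches (added illustration)."""
from collections import defaultdict

# Constructed sample data (not from any real dam). One tuple per event tree
# end branch: (potential failure mode, annual probability, incremental life loss).
END_BRANCHES = [
    ("PFM 1", 2.0e-5, 10.0),
    ("PFM 1", 5.0e-6, 100.0),
    ("PFM 2", 1.0e-4, 2.0),
    ("PFM 2", 1.0e-5, 40.0),
    ("PFM 3", 1.0e-6, 100.0),
]


def _check(branches):
    """Reject empty input, probabilities outside [0, 1] and negative life loss."""
    if not branches:
        raise ValueError("no end branches supplied")
    for pfm, p, n in branches:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{pfm}: probability {p} outside [0, 1]")
        if n < 0.0:
            raise ValueError(f"{pfm}: negative life loss {n}")


def fn_points(branches):
    """Deaggregated f-N pairs, one per potential failure mode.

    Returns {pfm: (f, N_bar, f*N)} where f is the sum of end-branch
    probabilities, f*N is the sum of probability x life loss, and
    N_bar = (f*N) / f is the weighted average life loss.
    """
    _check(branches)
    f_sum = defaultdict(float)
    fn_sum = defaultdict(float)
    for pfm, p, n in branches:
        f_sum[pfm] += p
        fn_sum[pfm] += p * n
    points = {}
    for pfm, f in f_sum.items():
        n_bar = fn_sum[pfm] / f if f > 0.0 else 0.0
        points[pfm] = (f, n_bar, fn_sum[pfm])
    return points


def total_fn_point(branches):
    """Aggregate all failure modes into a single (f, N_bar, f*N) point."""
    relabelled = [("TOTAL", p, n) for _, p, n in branches]
    return fn_points(relabelled)["TOTAL"]


def f_n_cumulative(branches):
    """F-N curve as [(N, F)] in ascending N.

    End-branch probabilities are accumulated by consequence level,
    irrespective of potential failure mode; F is the annual frequency
    of N or more lives lost.
    """
    _check(branches)
    by_level = defaultdict(float)
    for _, p, n in branches:
        if n > 0.0:  # zero life loss cannot be placed on a log-scale N axis
            by_level[n] += p
    curve = []
    running = 0.0
    for n in sorted(by_level, reverse=True):  # accumulate from the worst outcome down
        running += by_level[n]
        curve.append((n, running))
    curve.reverse()
    return curve


if __name__ == "__main__":
    for pfm, (f, n_bar, aall) in sorted(fn_points(END_BRANCHES).items()):
        print(f"{pfm}: f={f:.2e}/yr  N_bar={n_bar:.1f}  f*N={aall:.2e} lives/yr")
    f, n_bar, aall = total_fn_point(END_BRANCHES)
    print(f"Total: f={f:.2e}/yr  N_bar={n_bar:.1f}  f*N={aall:.2e} lives/yr")
    for n, cum in f_n_cumulative(END_BRANCHES):
        print(f"F(N >= {n:g}) = {cum:.2e}/yr")
```

Each f-N pair plots at (N̄, f) and each F-N pair at (N, F), both on log axes.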

Additional information is included in ‘Risk Guidelines’ and ‘Combining and Portraying
Risks’ in the ‘Best Practices’ manual (BOR/USACE, 2015).

Example F-N and f-N templates are provided in Appendix 2E.

2.6.5 Presentation of Results

Risk analysis results can be difficult to summarize and portray. Risk analysis result
information can be presented in tables and on graphs depending on the type of
information needing to be portrayed. Many other tables and charts can be generated
depending on the type of information desired. Examples of some ways risk results and
supplemental information have been presented include:

• Tables that show the contribution to risk from each potential failure mode, as
shown in Table 2-3.
• Charts that show the contribution to risk from each load range.
• Charts that show the contribution to risk from reservoir elevation, as shown on
Figures 2-10 and 2-11.
• Charts that show the contribution from different fault assumptions or flood
assumptions (showing the value of additional hazard studies).
• Tables that summarize the nodal estimates for each potential failure mode, as
shown in Tables 2-4 and 2-5.
• Charts that present the system response probabilities by reservoir elevation,
including uncertainty, as shown on Figures 2-12 and 2-13.
• Charts that show the portrayal of uncertainty, as shown on Figures 2-14 and 2-15.

It is this type of information that is essential to document and present in the risk analysis
report so that reviewers and decision makers can understand the results of the risk
analysis. However, it is just as important to justify the results by building an adequate
case.

Table 2-3. Example Summary of Annual Probability of Failure and Average Annual Life Loss for each Potential Failure Mode

Figure 2-10. Example of Contributions to Annualized Probability of Failure by Reservoir Elevation

Figure 2-11. Example of Contributions to Average Annual Life Loss by Reservoir Elevation

Table 2-4. Example of Summarizing Nodal Probabilities

Table 2-5. Example of System Response Summaries by Reservoir Level

Figure 2-12. Example System Response Probability by Reservoir Elevation

Figure 2-13. Example System Response Probability with Uncertainty by Reservoir Elevation

Figure 2-14. Example f-N Chart Portraying Uncertainty

Figure 2-15. Example f-N Chart Portraying Specific Nodal Uncertainty for an Individual Potential Failure Mode

2.7 REVIEWS

2.7.1 General

Review requirements are commensurate with the complexity, outcomes, and decisions of
the risk analysis. Five copies of the risk analysis reports and products shall be submitted
to the FERC Regional Engineer for review and acceptance.

FERC encourages the use of peer review throughout the duration of the risk analysis
work, including the development of the initial scope of work.

2.7.2 Level 2 – Periodic Risk Analysis Products

Review of Level 2 risk analysis products will be performed by FERC-D2SI staff. It is
anticipated that this review will be performed in conjunction with the review of the
associated Part 12D report. Review comments, if necessary, will be provided to the
Licensee for resolution and resubmittal, as appropriate. FERC acceptance of the Level 2
risk analysis products will be provided after resolution of all FERC comments.

2.7.3 Level 3 – Semi-Quantitative Risk Analysis Products

Review of Level 3 risk analysis products will be performed by FERC-D2SI staff.
Review comments, if necessary, will be provided to the Licensee for resolution and
resubmittal, as appropriate. FERC acceptance of the Level 3 risk analysis products will
be provided after resolution of all FERC comments.

2.7.4 Level 4 – Quantitative Risk Analysis Products

Review of Level 4 risk analysis products will be performed by FERC-D2SI staff and will
be supplemented with a Risk Review Board (RRB). A RRB will be comprised of select,
highly-qualified individuals in various dam safety specialties that also have significant
knowledge and expertise in risk analyses for dam safety projects and risk-informed
decision making.

[Link] Risk Review Board (RRB) Members

RRB members will be charged with reviewing the draft risk report, providing draft
review comments, attending a RRB meeting, and providing final review comments.

The FERC will develop and maintain a list of approved RRB members that licensees can
select from. In general, RRB panel members must meet the minimum qualifications of a
sublevel 4C risk facilitator shown in Table 2-2.

Technical disciplines generally used to serve as RRB members may include, but not be
limited to, the following:

• Geotechnical engineer
• Structural engineer
• Hydrologist
• Seismologist
• Hydraulic engineer
• Civil engineer
• Engineering geologist
• Rock mechanics specialist
• Consequence specialist
• Economist
• Cost estimator/Constructability specialist
• Emergency management specialist
• Risk analysis specialist

RRB members are considered specialists in their particular fields of expertise. Many of
the technical disciplines listed above cover a broad range of subjects and associated
potential failure modes. For example, a geotechnical engineer may specialize (with
regards to dam safety) in internal erosion, seismic deformation/liquefaction, rock
mechanics, or other areas. Therefore, an approved RRB member who is a geotechnical
engineer that specializes in internal erosion may not have the requisite qualifications to
serve as a RRB member for risk analyses dominated by seismic or liquefaction potential
failure modes.

The estimated number of RRB members for each risk analysis report is included in Table
2-6. The actual number of RRB members and the associated technical disciplines will be
determined by the FERC and will be based on the complexity of the project and the
technical issues being evaluated by the risk analysis.

Table 2-6. Estimated Number of Risk Review Board (RRB) Members

| Level of Risk Analysis | Type of Risk Analysis: Existing Conditions Risk Analysis | Type of Risk Analysis: Risk Reduction Risk Analysis |
|---|---|---|
| Sublevel 4A | 2 to 3 | 3 to 4 |
| Sublevel 4B | 2 to 4 | 3 to 5 |
| Sublevel 4C | 2 to 4 | 3 to 5 |

The FERC will require the licensee to coordinate and contract for the RRB members.

It is the stated expectation that RRB members will have sufficient time to review the draft
risk analysis report and the appropriate supplemental project documents. In an effort to
better define those expectations, general minimum review time guidance for each RRB
member is provided in Table 2-7.

Table 2-7 – Estimated Risk Review Board (RRB) Minimum Review Time

| Level of Risk Analysis | Estimated Minimum Review Time for Each Risk Review Board (RRB) Member |
|---|---|
| Sublevel 4A | 24 hours |
| Sublevel 4B | 30 hours |
| Sublevel 4C | 36 hours |

The estimated minimum review times included in Table 2-7 are for the review of the
draft risk analysis report and the supporting documentation. It is expected that the
estimated review times will vary depending on the complexity of the risk analysis,
number of potential failure modes carried forward in the risk analysis, and other factors.
The estimated review times in Table 2-7 do not include additional RRB efforts for other
project activities that include preparation of written draft and final review comments,
travel and attendance at the RRB meeting, contracting activities, etc.

[Link] Risk Product Review Process

The following is a general sequence of the Level 4 risk product review process:

• The Licensee submits the draft risk analysis report to the FERC and RRB
members a minimum of 60 days prior to the RRB meeting.

• The RRB members review the Licensee-submitted draft report and accompanying
project documents and submit written draft review comments directly to the FERC
and the Licensee a minimum of 30 days prior to the RRB meeting.

• The Licensee submits the draft RRB meeting presentation and proposed meeting
agenda to the FERC a minimum of 14 days prior to the RRB meeting. The FERC
reviews the draft risk presentation and proposed meeting agenda and provides
written comments to the Licensee no later than 5 days prior to the RRB meeting.
An example meeting agenda is included in Appendix 2F.

• RRB Meeting and Risk Presentation. The RRB Meeting and Risk Presentation is
held at the FERC Regional Office, FERC Headquarters Office, or mutually agreed
upon office location. The meeting is attended by the Licensee, the risk analysis
facilitator, and other significant risk team members as needed, the FERC
representatives, and the RRB members. A representative from the FERC, or their
designated alternate, will facilitate the RRB meeting.

• Final comments from the RRB members are submitted directly to the FERC and
the Licensee within 14 days from the date of the RRB meeting.

• The FERC will compile internal and RRB final review comments into a letter and
transmit the overall review comment letter to the Licensee.

• The Licensee will review the FERC’s review comment letter and address the
review comments in a revised report. The revised report shall include an appendix
that lists each comment included in the FERC review letter and how and where in
the report the Licensee (or consultant) addressed each comment.

• The Licensee submits the revised report to the FERC for further review.

• The FERC reviews the final report and transmits an acceptance letter to the
Licensee.

The charge questions for the RRB for both existing conditions risk analyses (issue
evaluation studies) and risk reduction risk analyses (dam safety modification studies) are
included in Appendix 2G. The RRB members are required to submit their individual
draft and final report review comments directly to the FERC and the Licensee. The
Licensee’s contract(s) with the RRB members should explicitly include this provision.
The RRB members may or may not choose to collaborate during their review of the risk
products prior to the RRB meeting. As the RRB members generally serve in different
technical disciplines and each has unique experience, the RRB members do not have to
reach consensus. As such, the RRB members’ draft and final comments are considered
advisory (non-binding) to the FERC and the Licensee.

For projects that are highly complex, use innovative approaches, are technically
challenging, or are politically sensitive, the FERC may require a separate RRB for the
loadings (seismic and hydrologic) and consequences, particularly if these factors have a
more significant influence on the overall results of the risk analysis and the potential
decision from the risk assessment. Review of the loadings is strongly encouraged to take
place well in advance of the risk analysis.

2.8 REFERENCES

ANCOLD (2003). Australian National Committee on Large Dams, “Guidelines on Risk
Assessment,” Sydney, New South Wales, Australia, October 2003.

BOR (2011). Bureau of Reclamation, “Dam Safety Public Protection Guidelines”, Dam
Safety Office, Denver, Colorado, August 2011. Available at:
[Link]

BOR/USACE (2015). Bureau of Reclamation and U.S. Army Corps of Engineers, “Best
Practices in Dam and Levee Safety Risk Analysis”, Denver, Colorado, July 2015.
Available at: [Link]

Bowles (2007). Bowles, D.S., “Tolerable Risk for Dams: How Safe is Safe Enough?”
US Society on Dams Annual Conference, Philadelphia, Pennsylvania, March 2007.

Budnitz et al. (1997). Budnitz, R.J., G. Apostolakis, D.M. Boore, L.S. Cluff, K.J.
Coppersmith, C.A. Cornell and P.A. Morris, “Recommendations for probabilistic seismic
hazard analysis: guidance on uncertainty and the use of experts”, NUREG/CR-6372, two
volumes, US Nuclear Regulatory Commission, Washington, D.C., 1997. Available at:
[Link]

FEMA (1979). Federal Emergency Management Agency, “Federal Guidelines for Dam
Safety”, prepared by the ad hoc Interagency Committee on Dam Safety, Federal
Coordinating Council for Science Engineering and Technology, Washington, DC, June
25, 1979. Available at: [Link]

FEMA (2015). Federal Emergency Management Agency, “Federal Guidelines for Dam
Safety Risk Management”, FEMA P-1025, Washington, DC, January 2015. Available at:
[Link]
58dfcecc8d8d18b7e9b2a79ce1e83c96/[Link]

HSE (2001a). Health and Safety Executive, “Reducing Risks, Protecting People,” Her
Majesty’s Stationery Office, London, UK, 2001. Available at:
[Link]/risk/theory/[Link]

HSE (2001b). Health and Safety Executive, “Principles and Guidelines to Assist HSE in
its Judgements that Duty-Holders Have Reduced Risk As Low As Reasonably
Practicable,” Interim Guide, December 2001. Available at:
[Link]/risk/theory/[Link]

HSE (2003). Health and Safety Executive, “Assessing Compliance with the Law in
Individual Cases and the Use of Good Practice,” Interim Guide, May 2003. Available at:
[Link]/risk/theory/[Link]

HSE (2006). Health and Safety Executive, “Technical Assessment Guide:
Demonstration of ALARP”, T/AST/005, prepared by Nuclear Safety Directorate-
Business Management System, December 2006. Available at:
[Link]/foi/internalops/nsd/tech_asst_guides/[Link]

HSE (2008a). Health and Safety Executive, “ALARP at a glance”, April 2008.
Available at: [Link]/risk/theory/[Link]

HSE (2008b). Health and Safety Executive, “HSE Principles for Cost Benefit Analysis
(CBA) in Support of ALARP Decisions”, April 2008. Available at:
[Link]/risk/theory/[Link]

HSE (2008c). Health and Safety Executive, “Cost Benefit Analysis (CBA) Checklist”,
April 2008. Available at: [Link]/risk/theory/[Link]

ICOLD (2005). International Commission on Large Dams, “Risk Assessment in Dam
Safety Management. A Reconnaissance of Benefits, Methods and Current Applications,”
Bulletin 130, 2005.

Kahneman (2011). Kahneman, D., Thinking, Fast and Slow, Farrar, Straus and Giroux
Publishers, New York, NY, 499 pp., 2011.

Kammerer and Ake (2012). Kammerer, A.M, and J.P. Ake, Practical Implementation
Guidelines for SSHAC Level 3 and 4 Hazard Studies, NUREG-2117, US Nuclear
Regulatory Commission, Washington, D.C., April 2012. Available at:
[Link]

NSW (2010). New South Wales Dam Safety Committee, “Demonstration of Safety of
Dams,” DSC2D, June 2010.

OMB (2003). Office of Management and Budget, Regulatory Analysis, Circular A-4,
September 17, 2003. Available at:
[Link]

Srivastav (2008). Srivastav, Anurag, “Generalized Event Tree Algorithm and Software
for Dam Safety Risk Analysis”, ProQuest, 2008.

Talbot (2015). Talbot, Julian, “ALARP (As Low As Reasonably Practicable)”, Jakeman
Business Solutions, Knowledge Bank Publications.
[Link]

USACE (2014). U.S. Army Corps of Engineers, “Safety of Dams – Policy and
Procedures”, ER 1110-2-1156, Washington, DC, March 2014. Available at:
[Link]
_1110-[Link]

USDOT (2014). US Department of Transportation, “Guidance on Treatment of the
Economic Value of a Statistical Life (VSL) in US Department of Transportation
Analyses – 2014 Adjustment”, Washington, DC, June 13, 2014. Available at:
[Link]

Vick (2002). Vick, S.G., Degrees of Belief, ASCE Press, Reston, Virginia, 455 pp.,
2002.

Victoria (2012). Victoria Department of Sustainability and Environment, “Guidance
Note on Dam Safety Decision Principles,” Melbourne, Australia, May 2012.

Other References

O’Hagan, A. and C.E. Buck, Uncertain Judgments: Eliciting Experts’ Probabilities,
2006.

Meyer, M.A. and Booker, J.M., Eliciting and Analyzing Expert Judgment: A Practical
Guide, 2001.

Vose, D., Risk Analysis – A Quantitative Guide, John Wiley & Sons, West Sussex,
England, 735 pp., September 2009.

Hartford, D.N.D., and G. Baecher, Risk and Uncertainty in Dam Safety, Thomas Telford
Publishing, London, England, 391 pp., 2004.

APPENDICES

APPENDIX 2A

EXAMPLE RISK ANALYSIS MEETING AGENDA

Typical Risk Analysis Meeting Agenda

1. Introduction of team members and their responsibilities
2. Quick reviews of:
a. Dam
b. Geology
c. Appurtenant structures
d. Instrumentation data
e. Operations of the reservoir and dam
f. Flood routings
g. Seismicity
h. What’s downstream
i. Existing known dam safety deficiencies
3. Discuss and identify potential failure modes
4. Develop event trees for credible potential failure modes, as appropriate
a. Develop load ranges, where applicable
b. Develop probability estimate distributions for each node
c. Review team’s estimates
5. Develop or review loss of life estimates
a. Population at risk
b. Warning time estimates
c. Loss of life
6. Review risk analysis calculations and results
7. Discuss presentation of the results, the conclusions reached, and the recommended
actions, as available. As part of this discussion consider the following questions:
a. What potential failure modes create the highest risk?
b. What load range increments are associated with the highest estimates?
c. What are the uncertainties for the highest risk?
d. What data or analysis would reduce the uncertainty?
e. What is the anticipated range of results from gathering more
data/performing more analysis?
f. How would these outcomes impact risk?
g. Where do we go? What will it cost?
8. Discuss ‘building the case’ for the risk estimates and the path forward
9. Set future schedules
a. Draft report sections written
b. Review
c. Next meeting to discuss final results
d. Draft report
e. Report review
f. Final report

APPENDIX 2B

CALCULATION OF THE ADJUSTED COST TO SAVE A STATISTICAL LIFE (aCSSL)

The aCSSL is calculated as follows:

$$\text{aCSSL} = \frac{AC - (EC_{w/o} - EC_{w}) - OM_{w/o} - OM_{w}}{AALL_{w/o} - AALL_{w}}$$

Where,

aCSSL = cost to save a statistical life ($/life), where a negative value is taken as zero

AC = average annual cost of the alternative risk management plan ($/yr)

ECw/o = average annual economic consequences ($/yr) without alternative risk
management plan.

ECw = average annual economic consequences ($/yr) with alternative risk management
plan.

OMw/o = average annual O&M cost ($/yr) without alternative risk management plan.

OMw = average annual O&M cost ($/yr) with alternative risk management plan.

AALLw/o = average annual life loss (lives/yr) without alternative risk management plan.

AALLw = average annual life loss (lives/yr) with alternative risk management plan.

Notes:

1. Evaluations of alternative risk management plans should be based on values (lives
lost, costs, benefits, etc.) that are representative of the time frame that is taken as the
economic life of the project or feature under study.

APPENDIX 2C

RISK ANALYSIS MEETING TEMPLATE AND EXAMPLE

Project Information
Project Name:
Project Number:
Date:
Facilitator:
Event Information
Loading Condition:
Potential Failure Mode:
Location:
Event:
Event Tree Node:
Estimates and Distribution
Elevation Low Most Likely High Distribution

Key Statement
Confidence
Influence Factors
Likely Unlikely

Notes

EXAMPLES

APPENDIX 2D

RISK ANALYSIS REPORT TEMPLATE

GENERIC TABLE OF CONTENTS

Executive Summary
General
Purpose of Report
Risk Driving Potential Failure Modes
Summary of Results
Incremental Risk
Individual Risk
Non-Breach Risk
Other Consequences
ALARP Considerations
Justification of Risk Results
Major Findings and Understandings from the Risk Analysis
Recommendations

Chapter 1: Introduction
Purpose
Project Location
Project Description
Pertinent Project Data

Chapter 2: Background Information
Summary of Dam Features and Components
Regional and Site Geology
Summary of Design and Construction
Summary of Engineering Studies
Post Construction Remediation
Performance History
Dam Operations

Chapter 3: Previous Engineering Evaluations

Chapter 4: Hydrologic Loading and Hydraulic Analyses
Overview
Basin Description
Summary of Significant Floods
Reservoir Operations Considerations
Previous Hydrologic/Hydraulic Analyses
Inflow Design Flood (IDF)
Hydrologic Analyses
Inputs
Assumptions
Stage-Frequency Curve
Considerations/Limitations
Hydraulic Modeling/Analyses
Structure Rating Curves
Tailwater Rating Curve
Dam Break Analysis
Breach Location(s) and Breach Parameters
Hydraulic Modeling
Sensitivity Analyses
Results
Limitations/Considerations

Chapter 5: Seismic Loading
Background
Previous Studies
Current Maximum Credible Earthquake
Current Seismic Hazard Assessment
Seismic Source Characterization
Ground Motion Estimates
Seismic Hazard Curve
Deaggregation
Additional Seismic Hazard Information
Uniform Hazard Response Spectra
Time Histories
Vertical Accelerations

Chapter 6: Potential Failure Modes
Summary of Previous Potential Failure Modes Analysis
Current Potential Failure Modes Analysis
Approach
Team
Potential Failure Modes
Summary
Excluded Potential Failure Modes

Chapter 7: Consequences
Study Area
Approach
Inundation Scenarios
Structure Inventory
Life Loss
Population at Risk
Warning Assumptions
Mobilization Assumptions
Life Loss Estimates
Sensitivity Analyses
Economic Consequences
Other Consequences

Chapter 8: Risk Analysis
Summary of Risk Driving Potential Failure Modes
Methodology/Approach
Team
Risk Estimates with Justification (the case)
Uncertainty
Sensitivity
ALARP
Tolerable Risk Guidelines
Summary of Results
Individual Risk
Societal Risk
Non-Breach Risk
Economic Considerations
Other Considerations

Chapter 9: Conclusions and Recommendations
Major Findings and Understandings
Dam Safety Case
Interim Risk Reduction Opportunities
Recommendations
Risk Communication Actions

List of Appendices

Appendix A: Pertinent Project Drawings
Appendix B: Site Characterization
Appendix C: Construction and Project Photographs
Appendix D: Previous Engineering Analysis Results
Appendix E: Hydraulics and Hydrology
Appendix F: PSHA Report
Appendix G: PFMA Notes and Excluded Potential Failure Modes
Appendix H: Consequences
Appendix I: Risk Team Elicitation Notes
Appendix J: Risk Software Inputs
Appendix K: ALARP Considerations/Calculations
Appendix L: Review Documentation

APPENDIX 2E

F-N AND f-N TEMPLATES

Figure 2E-1. Example F-N Plot
[Figure: log-log chart. Vertical axis: F, Cumulative Frequency of N or More Incremental Life Loss (/yr), 1.0E-08 to 1.0E-01. Horizontal axis: N, Incremental Life Loss, 1 to 10000. Labelled features: “Tolerable Risk Reference Line”; “Risks are unacceptable, except in extraordinary circumstances”; “Risks are intolerable unless ALARP conditions are satisfied”; “Risks are generally tolerable, however ALARP considerations should be employed”; “Special Considerations: Low Probability/High Consequences”.]

[Figure: f-N plot. Vertical axis: f, Frequency of Dam Failure (/yr), 1.0E-01 to 1.0E-08. Horizontal axis: N, Weighted Average Life Loss, 1 to 10000. Labels on the plot: "Risks are unacceptable, except in extraordinary circumstances"; "Tolerable Risk Reference Line"; "Risks are intolerable unless ALARP conditions are satisfied"; "Risks are generally tolerable, however ALARP considerations should be employed"; "Special Considerations: Low Probability/High Consequences".]

Figure 2E-2. Example f-N Plot

APPENDIX 2F

EXAMPLE RISK REVIEW BOARD (RRB) MEETING AGENDAS

Example Risk Review Board (RRB) Meeting Agenda – Existing Conditions Risk Analysis (Approximately 6 Hours)

Introduction and Project Background – 15 minutes
• General description of the facility
• Design and construction history
Regional and Project Geology – 20 minutes
Loading – 20 to 30 minutes
• Seismology
• Hydrology
• Project Operations
Potential Failure Modes – 15 minutes
• Critical (very detailed)
• Significant (detailed)
• Excluded from risk analysis (list)
Break – 15 minutes
Consequences – 15 minutes
Analysis of Risk – 60 to 75 minutes
• Critical potential failure modes
• Significant potential failure modes
• ALARP considerations
Preliminary Path Forward – 15 minutes
Discussion – 15 minutes
RRB members sequestered for internal discussions – 60 minutes
Follow up Discussions – 30 minutes
Recommended Path Forward – 10 minutes
Concluding Comments/Remarks – 10 minutes

Suggestions:
• Limit presentation to no more than 100 slides
• Bring full-size (D- or E-size) drawings
• For critical potential failure modes, provide cross-sections including:
  o Embankment zoning
  o Geology
  o Instrumentation readings with corresponding water surface
• Present inundation maps and consequences both for normal pool and extreme flood loading

Example Risk Review Board (RRB) Meeting Agenda – Risk Reduction Risk Analysis (Approximately 8 Hours)

Introduction and Project Background – 15 minutes
• General description of the facility
• Design and construction history
Regional and Project Geology – 20 minutes
Loading – 20 to 30 minutes
• Seismology
• Hydrology
• Project Operations
Potential Failure Modes – 15 minutes
• Critical (very detailed)
• Significant (detailed)
• Excluded from risk analysis (list)
Break – 15 minutes
Consequences – 15 minutes
Analysis of Risk – 60 to 75 minutes
• Critical potential failure modes
• Significant potential failure modes
• ALARP considerations (if needed)
Identification and Analysis of Risk Reduction Alternatives – 30 minutes
Evaluation of Alternatives and Selection of Preferred Alternative – 30 minutes
Preliminary Path Forward and Schedule – 20 minutes
Discussion – 30 minutes
RRB members sequestered for internal discussions – 60 minutes
Follow up Discussions – 30 minutes
Recommended Path Forward – 10 minutes
Concluding Comments/Remarks – 10 minutes

Suggestions:
• Limit presentation to no more than 125 slides
• Bring full-size (D- or E-size) drawings
• For critical potential failure modes, provide cross-sections including:
  o Embankment zoning
  o Geology
  o Instrumentation readings with corresponding water surface
• Present inundation maps and consequences both for normal pool and extreme flood loading

APPENDIX 2G

RISK REVIEW BOARD (RRB) CHARGE QUESTIONS

Risk Review Board (RRB) Charge Questions for Level 4 Existing Condition Risk
Analyses (Issue Evaluation Studies):

1. Are the background, design, construction, and performance adequately explained?


2. Are the hydrologic and seismic loads adequately characterized? Was the
uncertainty appropriately considered and portrayed?
3. Are potential failure modes adequately described and evaluated? Are there other
potential failure modes that should be considered? Are there any potential failure
modes that were excluded that should not have been? Has enough information
been included for potential failure modes that were excluded from the report?
4. Are consequence estimates well supported and reasonable? Was the uncertainty
appropriately considered and portrayed?
5. Are interim risk reduction measures (IRRM) reasonable? Do you suggest
consideration of other IRRMs?
6. Do the portrayal and level of risks agree with your understanding of the facility’s
current condition and its ability to withstand potential loads, based on your review
of information provided? Are risk analyses well supported and reasonable? Was
the uncertainty appropriately considered and portrayed? Are there branches in risk
event trees that require further evaluation, reassessment or investigation before
being judged as a reasonable representation of the risk?
7. Has the team identified aspects of the load, potential failure modes, or
consequences that influence the results and have they identified which items they
are least confident in?
8. Have ALARP considerations been adequately evaluated? Do you suggest any
other risk reduction measures be considered to evaluate ALARP? Are the
estimated costs associated with the ALARP risk reduction measures appropriate
and generally within current industry estimates?
9. Has the case been built for the risk estimates and recommendations? Are the risk
estimates and recommendations coherent?
10. Do the recommended actions agree with the risks as they are portrayed in the
documents provided for your review? If not, what actions would you recommend?
11. Do you have any other comments?

Risk Review Board (RRB) Charge Questions for Level 4 Risk Reduction Risk
Analyses (Dam Safety Modification Studies):
1. Are the background, design, construction, and performance adequately explained?
2. Are the hydrologic and seismic loads adequately characterized? Was the
uncertainty appropriately considered and portrayed?
3. Are potential failure modes adequately described and evaluated? Are there other
potential failure modes that should be considered? Are there any potential failure
modes that were excluded that should not have been? Has enough information
been included for potential failure modes that were excluded from the report?
4. Are consequence estimates well supported and reasonable? Was the uncertainty
appropriately considered and portrayed?
5. Are interim risk reduction measures (IRRM) reasonable? Do you suggest
consideration of other IRRMs?
6. Do the portrayal and level of risks agree with your understanding of the facility’s
current condition and its ability to withstand potential loads, based on your review
of information provided? Are risk analyses well supported and reasonable? Was
the uncertainty appropriately considered and portrayed? Are there branches in risk
event trees that require further evaluation, reassessment or investigation before
being judged as a reasonable representation of the risk?
7. Has the team identified aspects of the load, potential failure modes, or
consequences that influence the results and have they identified which items they
are least confident of?
8. Has the case been built for the risk estimates and recommendations? Are the risk
estimates and recommendations coherent?
9. Have reasonable alternatives to reduce the identified risks been identified and
evaluated? Do you suggest consideration of other alternatives?
10. Is the selected alternative appropriate to reduce risks to tolerable levels?
11. Do you have any other comments?
