SAFETY OF DAMS AND DOWNSTREAM COMMUNITIES T E C H N I C A L N OT E 5 POTENTIAL FAILURE MODE ANALYSIS GOOD PRACTICE NOTE ON DAM SAFETY About the Water Global Practice Launched in 2014, the World Bank Group’s Water Global Practice brings together financing, knowledge, and implementation in one platform. By combining the Bank’s global knowledge with country investments, this model generates more firepower for transformational solutions to help countries grow sustainably. Please visit us at www.worldbank.org/water or follow us on Twitter at @WorldBankWater. About GWSP This publication received the support of the Global Water Security & Sanitation Partnership (GWSP). GWSP is a multidonor trust fund administered by the World Bank’s Water Global Practice and supported by Austria’s Federal Ministry of Finance, the Bill & Melinda Gates Foundation, Denmark’s Ministry of Foreign Affairs, the Netherlands’ Ministry of Foreign Affairs, the Swedish International Development Cooperation Agency, Switzerland’s State Secretariat for Economic Affairs, the Swiss Agency for Development and Cooperation, and the U.S. Agency for International Development. Please visit us at www.worldbank.org/gwsp or follow us on Twitter #gwsp. GOOD PRACTICE NOTE ON DAM SAFETY T E C H N I C A L N OT E 5 POTENTIAL FAILURE MODE ANALYSIS © 2021 International Bank for Reconstruction and Development / The World Bank 1818 H Street NW, Washington, DC 20433 Telephone: 202-473-1000; Internet: www.worldbank.org This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Rights and Permissions The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. This Technical Note on Potential Failure Mode Analysis is a supplementary document to the Good Practice Note on Dam Safety. Please cite the work as follows: World Bank. 2021. “Good Practice Note on Dam Safety – Technical Note 5: Potential Failure Mode Analysis.” World Bank, Washington, DC. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights​ @­worldbank.org. Cover photo: Victoria multipurpose dam (Sri Lanka) © Satoru Ueda/World Bank. Cover design: Bill Pragluski, Critical Stages LLC. Technical Note 5: Potential Failure Mode Analysis Contents Definitions and Origin of the PFMA 1 Objectives and Applications of the PFMA 2 Critical Assessment of the PFMA after the Oroville Incident 3 Annex A: Contributing Factors to PFM Development 15 Annex B: An Example of PFMA (Qualitative Analyses)–Individual Dam 16 Annex C: An Example of PFMA (Semi-Quantitative Analyses)–Individual Dam 18 References 20 Additional Sources 20 Definitions and Origin of the PFMA Potential failure modes analysis (PFMA) is a process to systematically identify, describe, and evaluate the ways in which a dam and its appurtenant structures could fail under postulated loading conditions. Since 2002, PFMA has been introduced as part of five-year inspections under the U.S. Federal Energy Regulatory Commission (FERC) regulations1 for nonfederal hydropower dams in the United States. Chapter 14 of the FERC Guidelines2 provides a detailed description of the PFMA process, including key goals and typical outcomes; background information review; site inspection; and facilitated workshops involving “brainstorming” sessions to identify and evaluate potential failure modes, consequences, and mitigation measures. The PFMA requires dam owners to perform a qualitative risk assessment to identify potential failure modes (PFMs) and assess required remedial works, monitoring instrumentation systems, and others for risk mitigation and safety improvement. The PFMA has established a basis for dam safety performance assessment and provides an opportunity for targeted dam safety enhancements that might be over- looked by traditional standards-based approaches. Monitoring instruments can be installed and dam safety inspections targeted to specifically address failure modes. PFMA can be carried out at several levels. Several useful guidelines (see References) have been ­ prepared, including the PFMA and other similar type of risk assessment techniques.3 As an adjunct to the standards-based engineering design, a screening or preliminary level, qualitative, or semiquantita- tive PFMA is a valuable risk-informed dam safety tool. 1 PFMA is defined under Part 12: Safety of Water Power Projects and Project Works—Subpart D: Inspection by Independent Consultant under the Code of Federal Regulations—Title 18: Conservation of Power and Water Resources—Chapter I: Federal Energy Regulatory Commission, Department of Energy—Subchapter B: Regulations Under the Federal Power Act. 2 See https://www.ferc.gov/industries/hydropower/safety/guidelines/eng-guide/chap14.pdf. 3 Other similar and equally useful qualitative and semiquantitative risk analyses techniques include failure modes and effect analysis and failure modes, effect, and criticality analyses. Technical Note 5: Potential Failure Mode Analysis 1 Objectives and Applications of the PFMA The PFMA is intended to provide an understanding of how and why dams fail by looking at how dams behave normally, learning to identify early signs that something is wrong, understanding the hazards and risks imposed by the dam, and being prepared for the unexpected behavior that leads to failure. PFMA can be used during both design and operation of dams to: •• Identify applicable PFMs •• Identify where additional defensive measures could reduce the likelihood of failure •• Identify key parameters and provide instrumentation to monitor them •• Prepare operating, surveillance, maintenance, and emergency preparedness plans that take account of PFMs During the implementation of large water infrastructure projects, such as dams and hydropower schemes, the transition between construction and operation is often a challenging phase. In many ­ cases, the entity that takes over the operation of a project is different from the one that supervised ­ construction activities. The handing-over process entails the transfer of a significant amount of infor- mation, including elements pertaining to risk management, as emerged during construction and first reservoir filling. A PFMA workshop is particularly useful in the transition between the construction and operation phase of a dam project. the ­ The World Bank has assisted some countries in applying the PFMA for safety review of major existing remedial dams4 and found that the tool is useful in prioritizing additional investigations needs and ­ works in coordination with key stakeholders, including owners, operators, and designers. This Technical Note contains guidance for preparing PFMA terms of reference for: (a) the FERC-based standard approach to PFMA and (b) a simplified PFMA approach. The latter may be appropriate to optimize time and resources or when there is limited knowledge of the dam, which is a frequent problem at smaller and older dams. Depending on results, the simplified approach may or may not be followed by a full-fledged PFMA. Guidance on application of the simplified PFMA to an individual dam and a portfolio of dams is also presented. Figure 1 provides an example of how a PFM for overtopping of an embankment dam would be develo- ped. A severe flood, inadequate spillway capacity, or inability to open the gates of the spillways causes the water level to rise over the crest of the dam. Flow over the crest washes out the downstream slope materials of the embankment and causes massive erosion that progresses, leading to slope instability, breach, and dam failure. 4 Legadadi and Dire Dams in Ethiopia; Tuyamuyun Dam in Uzbekistan and Turkmenistan; Valdesia, Jiguey, Aguacate, and Las Barias in the Dominican Republic; Nurek Dam in Tajikistan; Jatiluhur Dam in Indonesia; Swa Chaung Dam in Myanmar; and Poechos in Peru. PFMA trainings were also provided under the Nile Basin Initiative/Eastern Nile Technical Regional Office dam safety program for the then four riparian countries. 2 Technical Note 5: Potential Failure Mode Analysis FIGURE 1. Failure Mode–Overtopping of an Embankment Dam 2. Washing out of the slope materials 1. Water level over the crest of the embankment 3. Massive erosion 4. Breach and dam failure Source: CWC (2019). FIGURE 2. Failure Mode—Sliding of a Concrete Gravity Dam on Foundation Joint {W} {W} {G} {G} {Fs} {Fs} {Fu} {Fu} Source: Wittke (2014) Note: Fs = Sliding Force; Fu = Uplift Force; G = Gravity Force; W = Water Pressure. Figure 2 provides another example of a PFM for sliding of a concrete gravity dam along unfavorably oriented joints in the foundations. Gravity dams are particularly sensitive to uplift pressures, and the presence of structural features in the foundation must be checked carefully. Small deformations may be enough to trigger failure if foundation discontinuities are unfavorably oriented. Foundation weathering and undetected uplift pressure buildup are concomitant issues to be carefully considered. Critical Assessment of the PFMA after the Oroville Incident After the Oroville Dam spillway incident in February 2017, FERC required the California Department of Water Resources to engage an Independent Forensic Team (IFT) to develop findings and opinions on the causes of the incident. The IFT concluded that: … although PFMA is a very useful tool, which is likely quite adequate for a majority of dams, the current PFMA process can have difficulties in properly characterizing risks for large or complex sys- tems, including accounting for human and operational aspects in failures. By defining failure modes as a linear chain of events, there can be a tendency to oversimplify complex failure modes involving Technical Note 5: Potential Failure Mode Analysis 3 multiple interactions of system components. Knowledge of the full range of dam safety risks resulting from all operational aspects is required for an organization’s managers to decide on appropriate actions to manage those risks. In addition, the current PFMA process does not explicitly consider how broader organizational fac- tors, such as culture and decision-making authority and practices, can contribute to failure. For such situations, it may be necessary to supplement the typical PFMA process with other approaches as used in other industries, which can possibly better address these complexities and operational aspects. The PFMA process described in this Technical Note is based on the process as defined by FERC, but it is also supplemented by recommendations put forward by the IFT aimed at elimination or moderation of shortcomings of the original PFMA. Standard Potential Failure Mode Analysis Scope of work The PFMA exercise aims to identify PFMs relating to dam(s), spillway, foundations, abutments, and so  on and to assess those failure modes of enough significance to warrant continued awareness and  attention to visual observation, monitoring, and remediation as appropriate. This process will provide opportunities for risk reduction, possible investigations or analyses, means for monitoring and inspecting for the development of PFMs. The specific purpose of the exercise is to: •• Enhance the dam safety inspection process by helping to focus on the most critical areas of concern unique to the dam under consideration •• Identify operational related PFMs such as failure of discharge equipment to operate •• Consider hazards that might indirectly affect the dam, such as landslides into the reservoir •• Identify structural related PFMs (for example, piping) not addressed by the commonly used (standards-based) analytic methods (for example, slope stability or seismic analysis) •• Enhance and focus the visual surveillance and instrumented monitoring program •• Identify shortcomings or oversights in data, presentation of data, information, or analyses necessary to evaluate dam safety and each PFM •• Help identify the most effective risk reduction measures, including emergency preparedness The requirements of the PFMA exercise are to: Collect all data, studies, and information on the investigation, design, construction, previous dam safety assessments and analyses, performance, and operation of the project, history of repairs, and their perfor- mance. All studies and investigation reports that relate to the ongoing safety of the dam must be 4 Technical Note 5: Potential Failure Mode Analysis included, reviewed, and evaluated. A listing should be made of the data and information available for review and considered in the PFMA and included in the subsequent PFMA report. It is extremely bene- ficial if all documents are made available before the workshop and adequate lead time to review docu- mentation is available. That approach allows the participants to request additional information if documentation is incomplete, and it also shortens the duration of the workshop. Have technical experts visit the project site with an eye out for PFMs, structural, and geologic conditions; identify instrumentation; review operations; and interview owners and operators for their input on PFMs. Review all the background information for general understanding and with these specific questions in mind: •• How could this dam fail? (site-specific consideration of geology, loadings, structure condition, and project past and anticipated operations) •• What would happen if the dam fails? What would be the consequences of failure, considering the number of people at risk, environmental damage, and economic impacts? •• How could a large unplanned discharge occur even if the dam does not fail (for example, uncontrolled gate opening or overtopping wave from a landslide into the reservoir)? •• Are any other reservoirs present in the upstream river basin that could pose a risk to the subject dam? •• Are the identified PFMs recognized and appropriately monitored by visual surveillance or instrumen- tal monitoring? •• What actions (immediate or in the long term) can be taken to reduce dam failure likelihood or unplanned discharge or to mitigate failure consequences? These actions could include data collection, analyses or investigations, operational changes, communication enhancement, monito- ring enhancement, or structural remediation measures. A core team of four, five, ore more people (table 1) is recommended to conduct the PFMA exercise for a high-risk or hazard/consequence dam. In addition to the technical experts, attendance of the PFMA workshop should also include: •• Dam operators (main actors) •• Operators of other dams that can affect the operation of the dam undergoing PFMA •• Representatives of stakeholder institutions Methodology of the PFMA Workshop •• The site visit is intended to provide: (a) a general orientation on the dam and related facilities, and (b) an understanding of the conditions of the dam. Digital photos should be taken for use in the workshop. Technical Note 5: Potential Failure Mode Analysis 5 TABLE 1. Composition of PFMA Team PFMA core team member Main tasks Facilitator—international expert familiar with the PFMA process Site inspection, facilitation of the PFMA session Independent dam safety specialist—international expert in dam Site inspection; delivery of expert input to PFMA safety evaluation who is familiar with dam failure mechanisms Engineer geologist/geotechnical engineer—national expert Site inspection, providing site-specific knowledge during PFMA Hydrologist/hydraulic engineer—national expert Site inspection, providing site-specific knowledge during PFMA Hydro mechanical engineer—national expert Site inspection, testing, and expert review of discharge gates and valves, their controls, and backup systems Source: Original table for this publication Note: PFMA = potential failure mode analysis. •• The data review sessions should involve the definition by the facilitator of key data required. •• The PFMA team should be diverse and adequately cover all relevant technical disciplines involved in the analysis and with sufficient specialized expertise. •• The PFMA workshop sessions should involve the systematic identification of PFMs for normal, flood, and earthquake conditions. The dam site(s) are considered as several discrete components and analyzed one at a time. For complex dam systems, the PFMA team should be divided into specialized groups for different components of the system, but the coordination among the groups should be established to ensure that the interactions among components are adequately addressed. •• PFMs and failure scenarios are brainstormed within a team of people most familiar with design, analysis, performance, and operation of the dam. Records will include the identified PFMs, the rea- sons each PFM is likely to occur, and any possible actions related to each mode of failure that could help reduce risk (monitoring enhancement, investigation, analysis, and remediation). •• If a voting process is used, qualifications should be included that are needed to be able to cast a vote for particular PFMs, and silent voting could be used so that participants are not influenced by the votes of others. Alternatively, PFMs can be assigned to categories based on consensus, with outlying opinions recorded appropriately if a full consensus is not achieved. •• It is important to specifically identify possible performance monitoring enhancements for each PFM for consideration of the owner and periodic inspectors. •• The PFM should be expressed as a sentence easily interpreted by others (for example, “excessive sett- lement resulting in transverse cracking across the dam and, with no compatible filters, leading to internal erosion developing into piping failure through the dam core”). •• It is important to document the analysis by recording the major findings and understandings from the brainstorming session. An interim report is prepared, containing results as collected directly from the workshops and addressing these items. 6 Technical Note 5: Potential Failure Mode Analysis The core team prepares summary tables as the discussions progresses. These tables include key para- meters pertaining to the following elements: •• PFM •• Scenario/initiating events/sequence/consequences •• Negative factors affecting the likelihood of the PFM •• Positive factors that could reduce the likelihood of the PFM •• Monitoring/risk reduction opportunities/data and analysis •• Gaps/emergency plans •• Action items •• Categorization of the PFM PFM categorization is carried out according to the FERC system (table 2). The resulting tables are attached as Appendixes to the PFMA report. On completion of the tables, a round table review is held with all participants identifying key findings and understandings that were recorded. Findings are then prioritized by the group. The final report should include a recommended action plan on the identified remedial measures, along with specific inputs for the preparation and upgrading of dam safety plans, including instrumentation plans and Emergency Preparedness Plans (EPPs). The EPP should include updating or preparing the Response Level Matrix (see Sample terms of reference for EPPs in the Good Practice Note [GPN], Appendix 4). TABLE 2. Potential Failure Mode Categorization According to the U.S. Federal Energy Regulatory Commission Category Characterization Description I Highlighted PFM Considers potential for occurrence, magnitude of consequence, and likelihood of adverse response (physically possible, fundamental flaw or weakness identified, conditions reasonable and credible) II Potential PFM considered, Of lesser significance and likelihood than category I not highlighted III More information or analyses Lacked information for confident judgment and because action may be required, needed to classify these may be highlighted IV PFM ruled out May be that physical possibility does not exist, information eliminated concern, or so remote a possibility as to be noncredible or not reasonable Source: FERC (2005) Note: In many cases, it is a single person, or maybe two, who makes such a judgment, but the responsibility is hidden behind the PFMA team. In such cases, the report should state who exactly ruled out the failure mode and on what basis. PFM = potential failure mode; PFMA = PFM analysis. Technical Note 5: Potential Failure Mode Analysis 7 Follow-up actions after PFMA The intent of PFMA is to provide guidance for the future operation and maintenance (O&M) plan, inclu- ding surveillance and monitoring of the dam, and help the owners and operators make informed deci- sion on required remedial measures in structural and nonstructural items. The following provides some general guidance on the required follow-up actions. Additional investigations and enhanced monitoring Category III PFMs may require more information based on additional survey, investigations, and analy- ses to assess the potential risks and potential required measures. The owner may also need to enhance regular surveillance and introduce some additional monitoring instruments for some targeted areas that have exhibited some potential safety issues. Maintenance and repairs priorities Category II PFMs may require the owner to consider undertaking prioritized maintenance and repair works and enhanced inspection and monitoring instrumentation of the dam. This requirement could also involve changes in the O&M plan of the dam, including possible drawdown of the maximum water supply level of the reservoirs. Guidance for rehabilitation decisions Category I PFMs may require the owner to assess the urgency of remedial works and prioritize rehabili- tation decisions to use limited funds for most critical remedial works. The owner may need to commu- nicate with an emergency office and other stakeholders to ensure the EPP, in particular the Response Level Matrix (see a sample in GPN Appendix 4) in place and update it as needed including training/dis- semination works, and so on. Also, a more detailed risk assessment may be needed to allow the decision makers to make an informed decision. Table 3 also provides a general matrix of risk categories and potentially required actions. Although the four categories of urgency of action do not directly correspond to categories I through IV, the table would give some general idea of required actions to address identified risks according to their urgencies. Duration and deliverables The following are approximate indicators of time required for each activity; however, these are specific to the project under consideration: •• Data collection and study: one week •• Site visit: one day •• PFMA workshop: two days (highly complex cases may require longer time) •• Summary findings: one day 8 Technical Note 5: Potential Failure Mode Analysis TABLE 3. Risk Categories and Potentially Required Actions Urgency of action Characteristics Potentially required measures Very high urgency Critically near failure under normal operating Undertake immediate risk reduction measures to conditions within a few years or under floods less avoid failure, communicate risk to affected people, than 10 years return period enhance monitoring, ensure EPP is in place, and so on High priority High risk (failure could occur under normal Undertake interim risk reduction measures, expedite operations or initiated by an unusual event (for investigation enhance monitoring, ensure EPP is in example, earthquake or flood) less than design place, and so on standard, and so on) Priority Moderate risk (significant and unacceptable dam Prioritize detailed investigations, risk assessment, safety issues) and proposed phased remedial measures, and so on Normal No significant dam safety issues identified Ensure regular surveillance, monitoring, and periodic safety inspection program in place, and so on Source: Original table for this publication Note: EPP = Emergency Preparedness Plan. •• Draft report: three days to one week (or longer depending on the volume of information relevant to the PFMs that should be assembled) •• Final report: two days Deliverables include: •• Technical archive, preliminary version stating contents and identified gaps •• PFMA workshop draft report documenting the analysis and the major findings and understandings from the brainstorming session •• Final report, including an action plan, input to dam safety plans (Response Level Matrix in the EPP in particular), and recommendations on training needs for dam operators and other relevant stakeholders Annex B contains an example of PFMA for an individual dam, including a list of identified PFMs and category I PFMs that required more-detailed analyses, investigations, and remedial works. Simplified PFMA In several cases, it is necessary or appropriate to undertake a quick assessment of PFMs in a way that follows the general principles of FERC’s PFMA process, but optimizes time and resources. This assess- ment leads to simplified processes, which may find their legitimacy in the quantity and quality of infor- mation available. A simplified PFMA may be used in combination with a risk index system to assess risk and prioritize action for a portfolio of dams. Two simplified PFMA procedures5 are described in the following for application to: •• Individual dam 5 The methodology described here is based on Dam Rapid Assessment and Prioritization Tool (DRAPT) User Guide – Issue 2, a report prepared by Damwatch Engineering Ltd (2018). Technical Note 5: Potential Failure Mode Analysis 9 •• Portfolio of dams Individual dam A simplified application of PFMA entails three essential steps: •• Site visit and scoping meeting with dam operators and designers to identify PFMs and the condition of the dam relevant to them •• Consideration of the most likely failure modes for the type of dam and applications of scores for each PFM. These findings can be used as a component of a risk index system. •• Presentation of assumptions and results to the dam operator or designer to critically review and revise results as necessary For an embankment dam made of earthfill, clay core/rockfill, or upstream-faced rockfill dams, the com- mon failure modes (based on historical dam failures) are: •• Overtopping of dam crest eroding slope of dam (resulting from insufficient spillway capacity) •• Internal erosion or foundation piping •• Slope instability or cracking of the dam face •• Operational issues that can lead to failure (for example, poor maintenance or low capability of dam operators) •• Geological hazards (earthquake shaking and landslide instability) This information is overall in line with the analysis of 232 embankment dam failure cases (figure 3). For a concrete dam, the common failure modes are: •• Flood overtopping eroding toe of dam •• Sliding on a plane of weakness in the foundation or at the dam/foundation interface •• Structural failure of the dam body •• Operational issues that can lead to failure (for example, poor maintenance or low capability of dam operators) •• Geological issues (abutment slope failure, earthquake shaking, and landslide instability) This information is also overall in line with the statistical analyses result of 59 concrete and masonry dam failure cases (figure 4). Also, the assessment team needs to realize that a specific dam may have an important but unusual failure mode and the process should be able to accommodate such a variation. It should be noted that ­ 10 Technical Note 5: Potential Failure Mode Analysis FIGURE 3. Failure Causes of Embankment Dams 2% 20% 34% 44% Internal erosion Overtopping/external erosion Structural failure Unknown Source: ICOLD (2019). FIGURE 4. Failure Causes of Concrete/Masonry Dams 7% 17% 27% 25% 24% Foundation failure Internal erosion (in foundation) Overtopping Structural failure Unknown Source: ICOLD (2019). flood overtopping requires some understanding of catchment characteristics and dam spillway dimen- sions to route the flood through the dam reservoir and understand its effects on the structure. Furthermore, it is important to identify and assess “hidden” failure modes beyond just the extreme flood event. For example, failure of electrical-mechanical system, gate jamming, and so on under flood Technical Note 5: Potential Failure Mode Analysis 11 flows significantly less than the design flow can cause far greater risk than flood flows exceeding the design flood. As discussed for Question 97 - Spillway6 (ICOLD 2015), BC Hydro undertook an assessment of their discharge facilities and identified a number of deficiencies that could lead to single-point failu- res including: i) aging and obsolete equipment which increases the risk of failure, ii) lack of consistent maintenance in the past, iii) limited scope and frequency of testing and inadequate testing procedures, and iv) limited staff operating familiarity and knowledge of standby arrangements. It also raised a con- cern over the safety issue of jammed gates. The report further introduced the root cause analyses of gate failure cases as shown in Table 4. Had these operational deficiencies occurred during even a moderate flood event, there could have been a risk of overtopping. However, many of these operational deficien- cies and causes of gate failures are difficult to be identified by traditional standard-based approach, and the likelihood of such situations may be more prevalent in the borrowing countries of World Bank– funded projects. PFMs can be rated with a scoring system such as the one shown in table 5. Higher scores indicate priori- ties for undertaking remedial actions. For those who are interested in more details of PFMs and contri- buting factors, refer to Annex A: Contributing Factors to PFM Development based on the most common five failure modes for embankment dams. With engineering judgment being necessary to make these assessments, the process requires a highly experienced dam expert, preferably supported by one or more experts in the disciplines required (struc- tural engineering, hydrology, hydraulics, geotechnical engineering, and electrical-mechanical enginee- ring). The process can be completed in two to three days. Using event or fault tree techniques to estimate probability of failure As mentioned, the objectives of a PFMA are to: (a) identify the site-specific credible PFMs, and (b) pro- vide a complete description of the PFMs and the progression of steps leading to an uncontrolled release of the reservoir. The risk assessment achieves the latter objective using an event tree analysis to deter- mine the probability of failure. The perspective of local office personnel, including dam operators and inspectors, is of fundamental importance in conducting the exercise. TABLE 4. Root Cause of Gate Failures Number of reviewed Share (percentage) Root cause of gate failures failure cases of failure cause Debris 10 27 Hoist failure 10 27 Failure to operate on demand (typically power failure) 9 24 Structural failure 5 14 Jammed gate 3 8 Total 37 100 Source: Lewin et al 2003 6 ICOLD 25th Congress in Stavanger, Norway 2015 12 Technical Note 5: Potential Failure Mode Analysis TABLE 5. Contributing Factor Score Contributing factor score Description 10 Contributing factor means that the potential failure mode has been initiated, is in progress, or is 9 expected to progress under normal operating or design loading conditions. 8 7 Contributing factor indicates that the potential failure mode is likely to develop or progress under 6 normal operating or design loading conditions. 5 4 Contributing factor indicates that the potential failure mode is unlikely to develop or progress 3 under normal operating or design loading conditions. 2 Contributing factor indicates that the potential failure mode is very unlikely to develop or progress 1 under normal operating or design loading conditions. 0 Contributing factor is not relevant to potential failure mode development Source: Damwatch Engineering Ltd. (2018) Annex C contains an example of a simplified PFMA for an individual dam that uses the event (of fault) tree technique to estimate probabilities of failure. Portfolio of dams PFMs for a portfolio of dams can also be assessed with a rapid method as described earlier for individual dams. This assessment provides the opportunity to identify common problems across the portfolio and therefore prioritize the most urgent remediation and avoid unnecessary interventions. Costs to reme- diate can potentially be more efficient. If possible, the same team of experts is recommended to carry out the portfolio assessment to achieve consistency and reduce the potential for bias. There is also an opportunity to build local capacity by utilizing the experts in mentoring and training roles over multiple dams. As mentioned, this portfolio approach (under simplified PFMA) focuses on the most common failure modes. The assessment is carried out by a team of experts, in consultation with dam operators and designers. The process involves assigning scoring contributing factors to each PFM on a scale of 1 to 10. The score for each contributing factor is assigned based on the dam site inspection and the user’s experience and judgment. This system is most useful as a contribution to a risk index method of prioritization, in which the results of a portfolio of dams can be shown (table 6). The figure can also be used in a manner that each dam can be represented by more than one dot corresponding to various failure modes. The magni- tude of downstream consequences should be adjusted to local context using population at risk or poten- tial loss of life and possibly considering other economic, environmental, and social factors. The eventual results may be categorized as in four groups from red (highest risk) to green (lowest risk) as an example. Technical Note 5: Potential Failure Mode Analysis 13 TABLE 6. Risk Classification Matrix Magnitude of downstream consequences Population at risk Substantial High None Low Moderate Extreme Potential failure modes Dams with PFM(s) initiated greatest risk: High priority Dam A Dam B to upgrade PFM(s) very likely to develop or Dam E Increasing likelihood of dam failure progress PFM(s) very likely Dam F to develop or progress k g ris Dam C sin PFM(s) unlikely to rea develop or progress Inc Dam D PFM(s) Very unlikely to develop or progress Dams with lowest risk: lower priority to upgrade Source: Damwatch Engineering Ltd. (2018) Note: PFM = potential failure mode. Accuracy of probability estimates is less critical than for an individual dam because relative values are used for portfolio risk assessment and management. Key components of the PFMA scope of work are: •• Organize the “dam archive” containing as built design documents, quality control tests during cons- truction, instrumentation and monitoring records, independent safety reviews, and so on •• Define PFMs and complete the required follow-up actions (see the previous section for Follow-Up Actions after PFMA) including the review and update of the Response Level Matrix (RLM) (see a sam- ple EPP framework and RLM in GPN Appendix 4). •• Provide guidance on how to update the dam safety plans including instrumentation, O&M, and EPPs. •• Identify the date for conducting the next PFMA workshop, which will depend on the importance of the project and the associated hazard level; it may be about five years, but sometimes 10 years. 14 Technical Note 5: Potential Failure Mode Analysis Annex A: Contributing Factors to PFM Development TABLE A .1. An Example List of Contributing Factors to Potential Failure Mode Development PFM Contributing factor to PFM development in embankment dams Maximum contributing factor score Flood Insufficient spillway capacity 10 Overtopping Dam freeboard reduced due to excessive settlement or modification of the 10 embankment Spillway blockage 8 Spillway condition 8 Spillway gate reliability (if applicable) 8 Internal Seepage carrying fines 10 Erosion Uncontrolled seepage 10 Sinkholes and depressions 10 Surface cracking on crest or upstream face 10 Sand boils in channel downstream of embankment 5 Animal burrows 5 Decaying tree roots 5 Slope Vertical displacement (settlement) leading to zero freeboard 10 Stability Horizontal displacement (lateral deformation) 5 Slope movement upstream face (slips, cracking) 8 Slope movement downstream face (slips, cracking) 8 Erosion or failure of upstream slope protection 6 Operational Poor ability to inspect dam 6 Poor access to dam for machinery 6 Physical modifications to dam that could reduce dam safety or stability 8 Frequency of visual dam inspections 4 Operation and maintenance systems (including 4 Emergency Preparedness Plan) Geological Strong seismic ground motions lead to dam instability 5 Fault rupture through the dam 4 Fault rupture through the reservoir 3 Landslides that enter reservoir followed by seiche wave with potential for 8 dam overtopping Landslides and slope failures in dam or spillway vicinity with potential to 6 disrupt structure or lead to failure Geological feature In dam foundations, presence of which could lead to 6 dam failure Landslides or slope failures that could prevent access to dam 4 Source: Damwatch Engineering Ltd. (2018) Notes: PFM = potential failure mode. Technical Note 5: Potential Failure Mode Analysis 15 Annex B: An Example of PFMA (Qualitative Analyses)–Individual Dam In this example, a team of experts, a professional facilitator, dam’s owner and operator, and so on parti- cipated conducted a joint site visit and a PFMA workshop. They have identified and classified PFMs, first in a long list as in table B.1 and then a short list as in table B.2 considering the following: Identification and Classification of PFMs: •• Normal conditions and operation events (normal water level, structural instability, and so on) •• Aging or deterioration of initiated events (concrete alkali-aggregate reactions, corrosion, internal erosion, and so on) TABLE B.1. A Long List of PFMs Based on Brainstorming Events/categories I II III IV Total Normal conditions 1 1 6 1 9 Aging initiations — 1 7 — 8 Flood conditions 3 — 2 — 5 Earthquake initiation 2 1 4 — 7 Other conditions 2 — 2 Total 6 3 21 1 31 Note: — = not available. TABLE B.2. A Short List of Identified Category IPFMs Events Structure Potential failure mode Potential Consequences Normal Bottom Abutment landslide shearing the Tailwater level rises, machine hall floods, and condition spillway bottom spillway tunnel and filling the hydropower generation stops tailrace under normal conditions Significant reduction in spillway discharge capacity Overtopping of the dam during normal inflow Flood Surface Inability to open one or more spillway Overtopping of the dam leading to dam failure condition spillway gates during flood discharge conditions less than inflow design flood resulting from electrical or mechanical failure Flood Surface Overtopping with all gates available Cannot pass the probable maximum flood condition spillway for flood exceeding the design flood Earthquake Tailrace Earthquake-triggered landslide Tailwater level rises, machine hall floods, and initiated channel blocking the tailrace channel hydropower generation stops Inability to discharge water because of a total loss of spillway capacity and overtopping of the dam Earthquake Surface and Loss of operation of the spillway gates Spillway not available for a long time during which initiated bottom because of a loss of hydropower supply the core can be overtopped and eroded by floods spillways or damage to the gate equipment less than design flood, possibly leading to dam failure 16 Technical Note 5: Potential Failure Mode Analysis •• Flood conditions events (high water levels, spillway discharge, overtopping, and so on) •• Earthquake-initiated events (during and after an earthquake event) •• Other significant conditions (for example, debris accumulation, siltation, human factors, and so on) Categories of Identified PFMs: •• Category I–Highlighted as of greatest significance and which are reasonable and credible •• Category II–Credible PFMs considered but not highlighted •• Category III–More information and analyses are required to classify these PFMs •• Category IV – PFM ruled out if it is not physically possible or so remote a possibility as to not be credible Technical Note 5: Potential Failure Mode Analysis 17 Annex C: An Example of PFMA (Semi-Quantitative Analyses)–Individual Dam In this example, a team of experts, a professional facilitator, and dam owner and operator, and so on conducted a joint site visit and a PFMA workshop. Each PFM was subject to an event tree analysis to assess relative probabilities and, based on those, to define priorities and actions. The following conven- tions were used to associate descriptive risk categories to probability values (table C.1). The following event tree analyzes the failure mode of highest probability (figure C.1). Results for the other failure modes are summarized in table C.2. Comparison of failure modes clearly indicates that PFM1 (piping through spillway-core contact) entails the highest risk level. PFM1 is followed by PFM3, PFM4, and, to a lesser extent, PFM2. PFM5 and PFM6 have negligible risk levels compared with the others. In dam safety terms, the findings in table C.2 have the following implications: •• Immediate actions should be directed at reducing the risk associated with PFM1. •• Measures to mitigate risks associated with PFM3 and PFM4 should be urgently implemented. •• Further studies are necessary to define preventive and remedial actions pertaining to PFM2, 5, and 6. TABLE C .1. Risk Categories and Probability Values Category Probability range (per year) Negligible Indistinguishable from 0 Very low < 10–4, except 0 Low 10–3 to 10–4 Medium 10–2 to 10–3 High 10–1 to 10–2 Very high > 10–1, not 1 Certain 1 18 Technical Note 5: Potential Failure Mode Analysis FIGURE C .1. Event tree analysis for piping through spillway-core contact Descriptor Associated probability Virtually certain 0.999 Very likely 0.99 Likely 0.9 Neutral 0.5 Unlikely 0.1 Very unlikely 0.01 Virtually impossible 0.001 Failure mechanisms piping enlarges through the core, causing The leakage is subsidence and chimney The exit area The upstream not detected. caving in the upstream Seepage initiates through has no filter filter is not Reservoir level is shell, water gushes in the crack at the core- protection effective in not reduced timely. and dam is breached. spillway contact when filling the crack reservoir level exceeds Probability the elevation of the Breach of failure contact zone with cracks Intervention fails Progression Yes 0,9 4E-03 Continuation Yes 0,1 Yes 0,1 No 0,1 Initiation Continuing 0,99 No 0,9 erosion Yes 0,5 No 0,9 No erosion 0,01 No 0,5 TABLE C .2. Event Tree for Highest PFM Potential failure modes Probability of failure Risk level PFM1 Piping through spillway-core contact 4E-03 Medium-high PFM2 Progressive erosion of core or foundations 9E-06 Very low PFM3 Impulse wave caused by right bank mass movement 2E-04 Low PFM4 Foundation erosion in the chemically grouted fault IE-04 Low area PFM5 Right bank mass movement obstructs outlet works 5E-07 Negligible PFM6 Large rockfall obstructs spillway chute 5E-07 Negligible Note: The inverse of failure probability may be convenient in some cases when non-experts participate in the exercise. Technical Note 5: Potential Failure Mode Analysis 19 References Central Water Commission (CWC), Ministry of Water Resources, Government of India. 2019. Guidelines for Assessing and Managing Risks Associated with Dams. GOI Central Water Commission (February). Damwatch Engineering Ltd. 2018. Dam Rapid Assessment and Prioritisation Tool (draft) User Guide–Issue 2. Wellington: Damwatch Engineering Ltd. FERC (U.S. Federal Energy Regulatory Commission). 2005. “Chapter 14: Dam Safety Performance Monitoring Program,” Engineering Guidelines for the Evaluation of Hydropower Projects. Washington, DC: FERC. ICOLD (International Commission on Large Dams). 2019. Bulletin 188 (Preprint). Incident Database—Bulletin 99 Update: Statistical Analysis of Dam Failures (Final Draft, December). Paris: ICOLD. ICOLD 25th Congress Proceeding. Stavanger. 2015. Question 97 – Spillways. Donnelly, R., General Reporter. Paris: ICOLD. Lewin, J., G. Ballard, D. Bowles. Spillway Gate Reliability in the Context of Overall Dam Failure Risk, USSD Annual Guest Lecture, Charleston, South Carolina, 2003. USBR-USACE (U.S. Bureau of Reclamation; U.S. Army Corps of Engineers). 2018. 2018 Best Practices in Dam and Levee Safety Risk Analysis. Washington, DC: USBR-USACE. Wittke, W., Rock mechanics based on an anisotropic jointed rock model. Berlin: Ernst & Sohn; 2014. Additional Sources ANCOLD (Australian National Committee on Large Dams). 2003. Guidelines on Risk Assessment 2003. Hobart, Australia: ANCOLD. FEMA (U.S. Federal Emergency Management Agency). 2015. Federal Guidelines for Dam Safety Risk Management. Washington, DC: FEMA. ICOLD (International Commission on Large Dams). 2015. Bulletin 130: Risk Assessment in Dam Safety Management. Paris: ICOLD. Montana Department of Natural Resources and Conservation. 2011. Dam Safety Program Technical Note 7: Guidelines for Conducting a Simplified Failure Mode Analysis for Montana Dams. Prepared by Hydrometrics, Inc. for Montana Department of Natural Resources and Conservation SPANCOLD (Spanish National Committee on Large Dams). 2012. Risk Analysis as Applied to Management of Dam Safety. Technical Guide on Operation of Dams and Reservoirs. Vol. 1. Madrid: Professional Association of Civil Engineers. SPANCOLD. 20 Technical Note 5: Potential Failure Mode Analysis SKU W20085