All content in this area was uploaded by David S Bowles on Apr 21, 2017
Tolerable risk guidelines for dams: principles and applications
D.S. Bowles
RAC Engineers & Economists, Providence, Utah, U.S.A. and Utah State University, Logan, Utah, U.S.A.
ABSTRACT: Tolerable risk guidelines are used to guide the process of examining and judging the significance of estimated risks. Some principles for risk evaluation are summarized, including the topics of risk perception, individual and societal concerns, equity and efficiency, and pure and applied criteria. The U.K. Health and Safety Executive’s general Tolerability of Risk (TOR) framework is presented and interpreted for project-specific application. Some important ways in which differences in the legal system affect the implementation of tolerable or acceptable risk guidelines are discussed. The US Army Corps of Engineers' tolerable risk guidelines are summarized as an example of the application of TOR to dam safety. Some variations in tolerable or acceptable risk guidelines in use for dams in other countries and some practical considerations that affect their implementation are discussed.
1 INTRODUCTION
1.1 Risk evaluation
Tolerable risk guidelines are used to guide the process of examining and judging the significance of estimated risks. The outcomes of risk evaluation should be considered to be inputs to the decision process along with other considerations. ICOLD (2005) provides the following insight on risk evaluation for dam safety:
The topic of risk evaluation is not an easy one, especially for a technically-minded person who may be looking for straightforward and purely quantitative approaches. … To grapple with this topic requires that we cross the boundary from the technical world of dam safety engineering into the far more subjective world of values and value judgments. Yet this is the reality. All technological systems, dams included, exist within that broader world and today, in many countries, society expects that it will dictate to the technological community the safety and other goals that should be met by technological systems, rather than the opposite, as has often been the case in the past.
As explained in Section 3.1, the terms tolerable risk and acceptable risk are not interchangeable and have distinctly different meanings.
1.2 Definition of risk
Risk can be defined as the probability of undesirable consequences. ICOLD (2005) defines risk as a “Measure of the probability and severity of an adverse effect to life, health, property, or the environment.” The primary form of the results obtained from a dam safety risk analysis is a set of probability-consequences or (f,N) pairs. They are commonly estimated as the end branches of an event tree, which should cover the entire range of the loading-failure mode-consequences exposure scenarios for a particular dam. In dam safety risk analysis, f is an estimate of the probability that N fatalities would occur for a particular loading-failure mode-consequences exposure scenario or combination. Similarly, the probability of the economic consequences, E, associated with each scenario can be estimated resulting in a set of (f,E) pairs. The focus of this paper is on life-loss consequences. The symbol “f” often corresponds to “frequency” in probability and statistics textbooks. In the context of dam safety risk analysis, f is not limited to an observed frequency, since it typically incorporates “subjective” or “degree of belief” probability.
An empirical probability distribution can be developed from the (f,N) pairs and hence various statistics of N can be calculated, such as the mean (average), standard deviation or variance of the number of fatalities. The mean value of N is the average annual life loss, and is also referred to as the annualized life loss (ALL). The mathematical term for the mean of N is the “expected value” of N. It is estimated as the sum of the products of f and N for all (f,N) pairs. As such, the expected value is a mathematical construct, which will never actually occur. Instead, the actual magnitude of N is either zero for the case that a dam failure does not occur, or it is a magnitude of N for a particular failure scenario. As such, the mean number of fatalities, or ALL, should be used with caution since it typically masks an understanding of the gravity of potential dam failure life loss. For example, ALL has equal values of 0.01 lives/year for the cases of a 1 in 10,000/year probability of 100 fatalities and a 1 in 100/year probability of one fatality, but the scale of life loss and the urgency that would be given to addressing these different cases would likely be quite different.
2 PRINCIPLES FOR RISK EVALUATION
2.1 Risk perception
Decisions about the adequacy of dam safety are fundamentally judgments about public safety. Such decisions are intrinsically value judgments rather than technical decisions, but they should be informed by sound technical information. The way that people perceive risks and apply value judgments is complex but is an important basis for decision-making about risks and for establishing risk-evaluation criteria. The characteristics of risks affect the perception of risk. There are many important risk characteristics, such as the following from Lowrance (1976):
• effect immediate – effect delayed
• no alternatives available – many alternatives available
• risk known with certainty – risk not known
• exposure is an essential – exposure is a luxury
• encountered occupationally – encountered non-occupationally
• common hazard – “dread” hazard
• affects average people – affects especially sensitive people
• will be used as intended – likely to be misused
• consequences reversible – consequences irreversible
2.2 Individual and societal concerns
From studies on perceived risk, people’s concerns have been grouped into two broad categories by HSE (2001), as summarized in ICOLD (2005):
1) Individual concerns – “how individuals see the risk from a particular hazard affecting them and things they value personally …they may be willing to live with a risk that they do not regard as negligible, if it secures them or society certain benefits” provided that such risks are “kept low and clearly controlled” (HSE 2001).
2) Societal concerns – “the risks or threats from hazards which impact on society and which, if realized, could have adverse repercussions for the institutions responsible for putting in place the provisions and arrangements for protecting people … .” Societal concerns include multiple fatalities, exposure of especially sensitive groups, and the uneven distribution of risks and benefits. The occurrence of multiple fatalities in a single event is referred to as “societal risk”, which is “therefore a subset of societal concerns.” (HSE 2001).
For dams in remote locations with small populations at risk, or for cases in which there is adequate opportunity to evacuate to a safe setting, individual risk generally controls the tolerable risk evaluation and therefore the safety decision. In contrast, for dams where there is a potential for more than a few fatalities, societal risk guidelines generally control the safety decision.
2.3 Equity and efficiency
Two fundamental principles, from which tolerability of risk guidelines are derived, are described as follows in ICOLD (2005):
• Equity – the right of individuals and society to be protected, and the right that the interests of all are treated with fairness; and
• Efficiency – the need for society to distribute and use available resources so as to achieve the greatest benefit.
There can be conflict in achieving equity and efficiency. Achieving equity justifies the establishment of tolerable risk limits for individual and societal risk. Efficiency is defined by the risk level where marginal benefits equal or exceed the marginal cost. Equity requires that a tolerable risk limit should be met regardless of the lack of economic justification or the magnitude of the cost.
2.4 Pure and applied criteria
Morgan and Henrion (1990) have classified risk-evaluation criteria into three groups, as follows: 1) rights-based or equity-based criteria; 2) utility-based or efficiency-based criteria; and 3) technology-based criteria. The HSE (2001) adopted these categories, referring to them as “pure” criteria. As will be seen in Section 5, applied risk evaluation criteria or guidelines typically are a hybrid of the pure criteria groups.
In this paper, the term “risk informed” refers to decision making based on many types of inputs and considerations, including traditional engineering analysis, standards and good practice in addition to the outcomes of a risk assessment. In contrast, the term “risk based” refers to decision making based solely on the outcomes of a risk assessment.
Vrijling (2001) provides an example of an approach to translating the findings of sociological research on risk acceptance by the community into criteria on risk to the individual in developed countries. An individual risk criterion, expressed as a probability of loss of life for the most exposed individual, is based on the degree of voluntariness with which an activity is undertaken and the perceived direct benefits of the activity. It varies over several orders of magnitude about a base value for situations in which there is complete freedom of choice to participate in the activity, such as mountaineering, to the case of an imposed risk without any direct benefit. A base value of 1 in 10,000/year is selected, which is about the lowest value of average annual background risk of death for any gender/age group in developed countries.
Applying Vrijling’s approach to dams, it might be argued that the degree of voluntariness
with which people are exposed to dam failure risks, and the direct benefits of dams, vary with
the purpose for which a dam is used. A flood control dam protects a community from frequent
flooding and therefore provides a direct benefit to the same community that is at risk from the
dam failing. In contrast, a private hydropower dam, which provides power to a distant region
and only a few jobs in the community that is situated below it, may not provide any significant
direct benefits to that community. On this basis it might be argued that a lower level of risk is
justified in the case of the hydropower dam than for the flood control dam.
3 TOLERABILITY OF RISK FRAMEWORK
3.1 General Framework
The U.K. Health and Safety Executive (HSE) regulates the safety of all workplace activities in the UK but it only regulates small dams since other regulations cover most UK dams. The general Tolerability of Risk (TOR) framework developed by the HSE (2001) is intended to capitalize on the advantages of each of the types of “pure criteria” listed in Section 2.4, while avoiding their disadvantages. It is also designed to resemble the decision process that people use in everyday life. Figure 1 is adapted from HSE (2001) by Munger et al (2009) to illustrate general and project-specific aspects of TOR on the left and right sides, respectively. The width of the triangle in Figure 1 represents the magnitude of risk for a type of hazard (e.g. dams) measured by individual risk and societal concerns.
Figure 1. General and project-specific tolerability of risk framework (Adapted from HSE 2001 by Munger et al 2009)
Under the general TOR framework, risks are assigned to one of three categories of risk shown as regions on the left side of Figure 1:
a) At the bottom is the “broadly acceptable” region in which risks compare with those that people live with every day, and that they regard as insignificant and not worth worrying about (e.g., mobile phones).
b) At the top is the “unacceptable” region in which risks are generally believed by individuals and society to be not worth taking regardless of the benefits (e.g., locating residential areas on toxic landfills); unless they can be reduced to fall in a lower region or “there are exceptional reasons for the activity or practice to be retained”.
c) The middle region is the “range of tolerability” in which individuals and society are willing to live with (i.e. tolerate) the risks so as to secure certain benefits, provided that they are confident that they are being properly managed, kept under review, and reduced still further if and as reasonably practicable (e.g., vehicular and airline travel).
The important distinction between the concepts of acceptable and tolerable risk is clearly described above. The concept of “exceptional reasons” for tolerating risks that fall in the unacceptable risk region is elaborated on in Section 5.6 and the concept of reducing risks “as practicable” is further discussed in Section 3.2.
In applying the general TOR on the left side of Figure 1 to the regulation and management of risks, two types of limits have been used. A “tolerable risk limit” is defined between the unacceptable and range of tolerability of risk regions. This limit is typically considered to be determined by equity considerations as defined in Section 2.3. An “objective limit” or “broadly acceptable risk level” is sometimes defined between the range of tolerability and broadly acceptable regions. In Section 4 the writer argues that the tolerable risk limit has applicability in common law countries, whereas the objective limit has applicability in countries with a civil code legal system, unless legal provisions are made to support the use of an objective limit.
3.2 Project-specific application and ALARP
On the right side of Figure 1 the dashed line illustrates the level of residual risk for a specific dam below which the risk is tolerable. This level can fall anywhere within the general range of tolerability region provided that all conditions for a risk to be considered tolerable are met, as summarized in c) in Section 3.1, including a demonstration that the residual risk is as-low-as-reasonably-practicable (ALARP).
The ALARP principle is founded on the legal obligation of duty holders (dam owners) to reduce risks to the point that additional risk reduction would cost disproportionately more than the risk-reduction benefit achieved, which is the inverse of economic efficiency. A key UK legal finding is Edwards v. The National Coal Board (1949 1 All ER 743):
“… established that a computation must be made in which the quantum of risk is placed on one scale and the sacrifice, whether in money, time or trouble, involved in the measures necessary to avert the risk is placed in the other; and that, if it be shown that there is a gross disproportion between them, the risk being significant in relation to the sacrifice, the person upon whom the duty (of care) is laid discharges the burden by proving that compliance was not reasonably practicable.”
The use of tolerable risk guidelines (TRG) will sometimes expose a poor justification for reducing risk to fully meet traditional engineering standards, but in other cases they will show justification for more stringent risk-reduction measures than would normally be considered using the traditional approach. This incongruence between established dam-safety practice and TRG is one of the justifications for the additional effort involved in using risk assessment (Bowles and Anderson 2003). However, this incongruence also presents a challenge to the reliance on “good established practice” to demonstrate that ALARP has been satisfied, as is done by HSE in some cases (see discussion on Approved Codes of Practice in Section 4). Furthermore, a general relationship between good established practice and satisfying ALARP may be elusive because of the uniqueness of dams and the factors that determine failure consequences, unlike many process industries.
The requirements for a risk to be tolerable under c) in Section 3.1, including ALARP, should be clearly recognized to include on-going management. As such, there is an on-going obligation of the hazard (dam) owner to assess, review and reduce risks as reasonably practicable. Such obligations include the routine dam safety activities of monitoring and surveillance, and inspections and design reviews, in addition to taking measures to “prevent” dam failure through satisfying good engineering design and construction practice. They should also include maintaining on-site emergency procedures, with the goal of bringing initiated failure sequences under “control”, and off-site emergency preparedness and response planning, to “mitigate” the magnitude of life loss in the event of dam failure.
3.3 Proposed UK regulatory implementation of TOR for reservoirs
In the UK, following the passage of the Flood and Water Management Act 2010 to replace the prescriptive 1975 Reservoirs Act, the Department for Environment Food and Rural Affairs (Defra 2010) commissioned a project to outline a new risk-informed approach to reservoir regulation. A key principle was that there will be differential requirements for reservoir safety, where the regulatory effort and the extent of risk-reduction measures by the undertaker (owner) will be proportional to the risk. Based on TOR, two categories of reservoirs were defined in the broadly acceptable risk region to determine the need for registration, as follows:
• Low hazard - The physical characteristics of the dam, the reservoir it retains, and the potential flooded area are such that any breach wave would not pose a significant hazard to people or property regardless of the present or future downstream land use. These reservoirs would be excluded from regulation, and thus there would be no need to register with the Enforcement Authority because they should always remain in the broadly acceptable risk region.
• Low consequence - The absence of people and property etc in the potential flooded area implies that no-one is likely to be harmed in the event of failure. Thus any reservoir (including a large reservoir capable of producing a large breach wave) could be classed as a low consequence reservoir, if no vulnerable receptors are in the potential floodplain. Low consequence reservoirs must be registered with the Enforcement Authority because future downstream development may move them out of the broadly acceptable risk region.
4 SOME LEGAL SYSTEM CONSIDERATIONS
It is important to recognize the significance that the type of legal system has for establishing a framework for risk evaluation in a particular country. The TOR framework is developed for the common law legal system that originated in the UK and underlies the legal systems in the US and Australia. However, many other countries, including The Netherlands, operate under a Napoleonic civil code system. Ale (2005) makes the following important comparison:
The risk criteria adopted in the United Kingdom and the Netherlands look very similar. Both countries have upper limits for ‘allowable’ individual risk and both countries use criteria lines in FN curves. Even their numerical values do not differ a great deal. However, the interpretation differs greatly. Whereas the criteria in The Netherlands are the end of the discussion, in the United Kingdom they are the starting point.
Thus, if in The Netherlands the owner of a hazard reduces its risk to barely meet an objective limit and convinces the appropriate regulator that he has done so, he can have confidence that he has met his legal obligations to reduce and appropriately manage the risk. In contrast, the tolerable risk limit is a necessary but not a sufficient condition that the owner of the hazard must meet in a Common Law country because the owner must reduce the risk to be ALARP, and that level of risk is at least equal to the tolerability risk limit but generally lower. Furthermore, this requirement can only be defined with confidence retroactively as the result of a court judgment that considers whether or not the owner acted reasonably in all respects in a particular situation, and typically after a failure has occurred. Thus, under a common law legal system, a “sign off” by the regulator that provides the hazard owner with the confidence that he has met his legal obligations to reduce and adequately manage the risk, typically does not exist. In contrast, such an assurance is understood to exist under a civil code legal system.
Hence, in civil code countries the concept of tolerable risk is not strictly applicable and in common law countries the broadly acceptable risk and objective limit concepts provide no assurance that legal obligations to reduce and manage the risk have been met. Thus, tolerable risk, rather than acceptable risk, is becoming generally recognized as a goal for risk management in countries with a common law legal system, including a requirement for reducing risk to be ALARP as part of the definition of tolerable risk.
Under a common law legal system, there is an incentive for the private owner of a hazard to
reduce their risk to a lower level than the tolerable risk limit because it would be expected to
provide a higher level of legal defensibility (Marsden et al 2007). This incentive may not be as
strong for government dam owners, although the particular legal situation should be considered.
An important and not always well recognized aspect of the regulation of workplace risks in the UK is that the Health and Safety Commission (HSC) is constituted in such a way that once it approves a safety case under the Control of Major Accident Hazards (COMAH) Regulations the courts have so far chosen not to challenge that decision (Le Guen 2010). This appears to provide a high level of protection against legal liability for the hazard owner. In fact, in this situation there is considered to be a co-responsibility between the owner of the hazard and the HSC as the regulator that has approved the safety case. Clearly this is a desirable situation for the hazard owner. However, this is a situation that does not exist under the present arrangements for regulating dam safety in the UK. This important aspect of regulation under the HSC should be considered by others when emulating aspects of the HSE TOR framework.
Another feature of regulation by the HSC, which has particular legal significance for satisfying ALARP, is the HSC’s Approved Codes of Practice (ACOPs). According to Le Guen (2010) these ACOPs clarify particular aspects of the general duties and regulations, and are HSC’s way of spelling out their implications. ACOPs have a special guidance status. If employers are prosecuted for a breach of health and safety law, and it is proved that they have not followed the relevant provisions of the Approved Code of Practice, a court can find them at fault unless they can show that they have complied with the law in some other way. Accordingly, the HSE agreed in 1996, following consultation, that it would limit the use of guidance having the status of an ACOP to cases where five [four] conditions were met. These are when:
• there is clear evidence of a significant or widespread problem;
• the overall approach being taken to an area of risk is by amplifying general duties in the HSW Act or preparing goal-setting regulations … ;
• there is a strong presumption in favour of a particular method or particular methods that can be amplified in an ACOP in support of the general duties or goal setting regulations to give authoritative practical guidance;
• the alternative is likely to be more prescriptive regulation;
• guidance, which is not law but gives advice on measures available and what is good practice.
HSE (2001) also states that risk in the broadly acceptable region “would not usually require further action to reduce risks unless reasonably practicable measures are available.” The writer interprets this statement, and a broader understanding of the legal requirement for ALARP, to mean that the ALARP principle still applies in the broadly acceptable region of the TOR (Bowles 2004). Therefore the writer considers that a regulatory objective limit cannot be relied on to provide assurance of having satisfied legal obligations to reduce and manage the risk. On this basis an objective limit is not incorporated in ANCOLD (2003) and USACE (2010) TRG.
5 EXAMPLES OF TOLERABLE RISK GUIDELINES
5.1 Overview
The US Army Corps of Engineers (USACE) interim TRG (Munger et al 2009 and USACE 2010) are summarized in Section 5.2. These are being applied to the evaluation of over 600 reservoirs and 1,000 separate structures throughout the US. These projects are primarily flood control and navigation dams, but include significant hydropower generation, water supply and recreation benefits. In subsequent subsections reference is made to other examples of TRG, including the following:
• Australian National Committee on Large Dams (ANCOLD 2003) guidelines are widely used in Australia as a supplement to traditional standards. ANCOLD is a professional body, which has taken a lead role in developing dam safety risk assessment.
• New South Wales Dam Safety Committee’s (NSW DSC 2006) guidelines are an adaptation of the ANCOLD (2003) guidelines. The DSC is the regulator for dam safety in the Australian state of New South Wales. It obtained cabinet approval for its TRG, which included harmonization with existing land-use planning guidelines.
• Bureau of Reclamation’s Public Protection Guidelines (Reclamation 2003), which are routinely used in decision-making on the priority and degree of risk reduction for approximately 350 reservoir projects throughout the western US. Reclamation has developed and used risk assessment as a supplement to engineering standards since 1995.
5.2 US Army Corps of Engineers
The USACE (2010) TRG are based on TOR and Reclamation (2003), ANCOLD (2003) and NSW DSC (2006) guidelines. They comprise a two-part evaluation process. In the first part total estimated risk is compared against the following “limit values” for existing dams:
1) An annual probability of failure (APF) limit value of 1 in 10,000/year as a measure of the dam performance.
2) An individual risk limit value of 1 in 10,000/year as a measure of life-safety risk expressed as the probability of life loss for the identifiable person(s) most at risk (see the point labeled on Figure 2a).
3) A societal risk expressed as a tolerable risk limit on a cumulative probability distribution (F-N chart) for exceeding various magnitudes of life loss (N) as a measure of life-safety risk to non-identifiable or random persons (see the sloping and vertical limit lines on Figure 2b).
4) An annualized life loss (ALL) of 0.001 lives/year as the average magnitude of life loss from the probability distribution of life loss in 3) as a measure of societal life-safety risk.
Consistent with the tolerable risk definition in Section 3.1c, USACE defines a dam to be “adequately safe” when the residual risk is considered tolerable, the dam meets all essential USACE guidelines, and there are no unconfirmed dam safety issues.
In the second part of the tolerable risk evaluation a determination is made of whether risks have been reduced to be ALARP. This evaluation applies only to alternative risk management plans. USACE (2010) guidance specifically describes the following factors that USACE is to take into account in making a judgment on whether risks are ALARP: the level of risk in relation to the tolerable risk limit; the disproportion between the sacrifice (money, time, trouble and effort) in implementing the risk-reduction measures and the subsequent risk reduction achieved; the cost-effectiveness of the risk-reduction measures; compliance with essential USACE guidelines; and societal concerns as revealed by consultation with the community and other stakeholders. Thus, the ALARP evaluation is both qualitative and quantitative in nature. Consideration of the cost effectiveness of achieving life-safety risk reduction relative to life-safety benefit achieved is a quantitative aspect; but it introduces the consideration of cost only to justify further risk reduction below tolerable risk limits, and not to justify achieving those limits in the first place.
Figure 2. a) USACE individual risk guideline for existing dams and b) USACE societal risk guideline for existing dams (USACE 2010)
5.3 Individual risk
HSE (2001), ANCOLD (2003), NSW DSC (2006) and USACE (2010) all have the same individual tolerable risk limit of 1 in 10,000/year. The USACE depicts individual risk graphically as shown in Figure 2a. Reclamation (2003) does not have an individual risk guideline but does have a “maximum combined (i.e. totaled over all loading types and failure modes) annual probability of failure” (APF) guideline. Reclamation justified this guideline based on their desire to limit the probability of one or more failures of a dam in their portfolio over a time horizon.
In dam safety, individual risk is typically estimated as the probability of life loss as a result of dam failure for the most exposed individual. Approaches to estimating individual risk vary in the way that they consider the probability that a person would be exposed (i.e. is present in a particular location), that they would successfully evacuate either laterally or vertically to safety or a safer zone, and their vulnerability (i.e. the chance that they would lose their life if they were exposed and did not successfully evacuate). The probability of dam failure should be calculated by considering all modes of failure. Individual risk should be evaluated below the main dam and any auxiliary dams or at multiple locations in the case of a long dam or a levee.
[Figure 2 chart text. Panel a): axis “Probability of Life Loss for the Individual Most At Risk (Per Year)”, 1.E-08 to 1.E-03, with the Individual Tolerable Risk Limit marked. Panel b): horizontal axis “N, number of potential fatalities due to dam failure”, 1 to 10000; vertical axis “F, probability per year of potential loss of life ≥ N”, 1.E-08 to 1.E-03, with the Societal Tolerable Risk Limit marked. Region labels in both panels: “Risks are unacceptable, except in exceptional circumstances.” and “Risks are tolerable only if they satisfy the ALARP requirements.”]
5.4 Societal risk
Societal risk is displayed as an F-N chart, which is a plot of F, the annual probability of exceed-
ance (greater than or equal to) of potential life loss versus N, the estimated incremental life loss
due to failure. Thus, the F-N chart displays the entire estimated probability distribution of life
loss for a reservoir encompassing all failure modes over the entire range of loading and all pop-
ulation exposure scenarios. In probability textbooks a cumulative (probability) distribution
function (CDF) is defined to have probability “less than or equal to” on the vertical axis and a
complementary cumulative (probability) distribution function (CCDF) is defined to have prob-
ability “greater than” on the vertical axis. Although similar to a CCDF, an F-N chart is subtly,
but in some cases importantly, different because it has probability “greater than or equal to” on
the vertical axis rather than “greater than” as in the CCDF.
Societal risk guidelines in an F-N chart can vary in several ways, as summarized below:
• Anchor point – the value of F at which the societal risk guideline intersects the F-axis (i.e. at N = 1 fatality). A value of 1 in 1,000/year is commonly used based on the background mortality rate for people in the prime years of their life. This is an order of magnitude above the value commonly used for an individual risk limit.
• Slope – the steeper the slope of the sloping line on an F-N chart, such as in Figure 2b, the greater the societal risk aversion to large scale accidents. ANCOLD (2003), NSW DSC (2006) and USACE (2010) all use a slope of 1:1 on a log scale. The Netherlands uses a slope of 2:1.
• Horizontal limit on F – ANCOLD (2003) and NSW DSC (2006) truncate the sloping societal risk limit guideline at F = 1 in 100,000/year with a justification that current risk estimation procedures cannot support lower defensible estimates of failure probabilities.
• Vertical limit on N – NSW DSC (2006) and USACE (2010) include a vertical cutoff at N = 1,000 fatalities.
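As an added illustration (not from the paper), the code below builds F-N points from a constructed set of (f,N) pairs using "greater than or equal to", contrasts them with the textbook CCDF, and checks them against a guideline parameterised by anchor point, slope, horizontal limit on F and vertical limit on N. The pairs, the function names and the way points beyond the N cutoff are reported are assumptions made for the example.

```python
# Added example (not from the paper): F-N curve and societal risk guideline check.
# Constructed (f, N) pairs, assumed to be mutually exclusive event-tree end branches:
# f = annual probability of the scenario, N = estimated incremental life loss.
PAIRS = [(3e-4, 1), (1e-4, 8), (4e-6, 40), (1e-6, 40), (5e-6, 300)]


def fn_curve(pairs):
    """F-N points: F(N) = annual probability of life loss greater than OR EQUAL to N."""
    levels = sorted({n for _, n in pairs})
    return [(n, sum(f for f, m in pairs if m >= n)) for n in levels]


def ccdf(pairs, n):
    """Textbook CCDF: annual probability of life loss strictly greater than n."""
    return sum(f for f, m in pairs if m > n)


def limit(n, anchor=1e-3, slope=1.0, f_floor=None):
    """Guideline F at life loss n: anchored at N = 1, straight line on log-log axes.

    slope=1.0 is the 1:1 line, slope=2.0 the 2:1 line; f_floor truncates the
    sloping line at a horizontal limit on F (e.g. 1e-5 per year).
    """
    f = anchor * n ** (-slope)
    return f if f_floor is None else max(f, f_floor)


def evaluate(pairs, n_cutoff=None, **guideline):
    """Classify each F-N point against the guideline.

    Assumption: points at or beyond the vertical cutoff are reported separately
    rather than compared with the sloping line.
    """
    out = {}
    for n, f in fn_curve(pairs):
        if n_cutoff is not None and n >= n_cutoff:
            out[n] = "beyond N cutoff"
        else:
            out[n] = "exceeds" if f > limit(n, **guideline) else "within"
    return out


if __name__ == "__main__":
    for name, kw in [("1:1", {}), ("1:1 + F floor", {"f_floor": 1e-5}), ("2:1", {"slope": 2.0})]:
        print(name, evaluate(PAIRS, **kw))
    print("F(40) =", dict(fn_curve(PAIRS))[40], " CCDF(40) =", ccdf(PAIRS, 40))
```

With these constructed pairs the two N = 40 branches count toward F(40) but not toward the CCDF at 40, and the N = 300 point moves from exceeding the 1:1 line to lying within it once the horizontal limit on F is applied.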
5.5 ALARP and disproportionality
The HSE, ANCOLD, NSW DSC and USACE guidelines specifically require that risks must be further reduced below tolerable risk limits to meet ALARP considerations. However, the Reclamation guidelines do not specifically refer to ALARP. Instead, for a dam with an estimated APF exceeding 1 in 10,000/year, there is said to be an “increasing justification” for reducing the probability of failure; and for a dam with a probability of failure less than 1 in 10,000/year, there is said to be a “diminishing justification” for reducing the probability of failure.
NSW DSC (2006) states that if individual and societal risk are two orders of magnitude below their tolerable risk limits, the risk is considered negligible, and there is no need to pursue further risk reduction. This invokes the concept of an objective limit. However, this concept is not included in the ANCOLD guidelines and it is USACE policy to consider ALARP for even low risks, even though it is unlikely to justify further risk reduction except in unusual cases. This is consistent with the writer’s conclusion that ALARP considerations continue to apply even at a very low level of risk and that there is likely no legal justification in a common law country for waiving the evaluation of ALARP below an objective limit.
5.6 Exceptional circumstances
The qualifier “except in exceptional circumstances” refers to a situation in which government, acting on behalf of society, determines that risks exceeding tolerable risk limits may be tolerated based on special benefits that “the dam brings to society at large” (ANCOLD 2003). This exception might be made where the residual potential life loss and economic consequences are large, but where the probability of failure is very low and state-of-the-practice risk-reduction measures have been implemented, or perhaps for a short time while long-term risk-reduction measures are being implemented and no other options exist for reducing the risk.
McDonald (2006) states that examples of such exceptions include an expansion of the Sydney Airport in Australia and the siting of the new Schiphol airport outside Amsterdam in The Netherlands. In both cases locations close to major populations could not be demonstrated to meet tolerable or acceptable risk guidelines, but the benefits of proximity to the population that these airports serve were deemed by government to outweigh lower risk but more distant locations. A similar conflict can exist for major flood control projects located above large communities that they are designed to protect from frequent flooding, but on which they pose a rare but very high-consequences residual risk of dam failure.
5.7 New reservoirs or major augmentations
In some cases more stringent TRG are placed on new dams than for existing ones. Examples
include ANCOLD (2003), NSW DSC (2006) and USACE (2010) where individual and societal
risk guidelines are one order of magnitude stricter for new dams or major augmentations.
6 CONCLUDING THOUGHTS
Tolerable risk guidelines provide a means of evaluating dam failure risks that provides for comparisons with other types of technological risks. By specifically evaluating life-safety risk associated with dam failure, the options for mitigating the severity of life loss as well as for reducing the likelihood of dam failure can be identified and evaluated. While challenges exist in estimating both the probability of dam failure and the magnitude of life loss, the improved understanding that is gained about dam safety risk assessment is proving to be a valuable supplement to the traditional approach that relies on engineering analysis and standards.
REFERENCES
Ale, B.J.M. 2005. Tolerable or acceptable: A Comparison of Risk Regulation in the United Kingdom and in the Netherlands. Risk Analysis, Vol. 25, No. 2.
ANCOLD (Australian National Committee on Large Dams). 2003. Guidelines on Risk Assessment. October. http://www.ancold.org.au/publications.asp
Bowles, D.S. and L.R. Anderson. 2003. Risk-informed Dam Safety Decision-making. ANCOLD Bulletin 123:91-103. April.
Bowles, D.S. 2004. ALARP evaluation: Using cost effectiveness and disproportionality to justify risk reduction. ANCOLD Bulletin 127:89-106. August.
Defra. 2010. Scoping the Process for Determining Acceptable Levels of Risk in Reservoir Design. R&D Technical Report FD2641/TR. October. www.defra.gov.uk/environ/fcd/research
HSE (Health and Safety Executive). 2001. Reducing risks, protecting people: HSE’s decision-making process. Risk Assessment Policy Unit. HSE Books, London, England.
ICOLD (International Commission on Large Dams). 2005. Risk Assessment in Dam Safety Management: A Reconnaissance of Benefits, Methods and Current Applications. ICOLD Bulletin 130.
Le Guen, J. 2010. Legislation applying to reservoirs and their enforcement. Unpublished Document.
Lowrance, W.W. 1976. Of Acceptable Risk: Science and the Determination of Safety. William Kaufmann, Inc., Los Altos, California.
Marsden, J., L. McDonald, D.S. Bowles, R. Davidson and R. Nathan. 2007. Dam safety, economic regulation and society’s need to prioritise health and safety expenditures. Proceedings of the NZSOLD/ANCOLD Workshop on Dams, Queenstown, New Zealand. November.
McDonald, L. 2006. Personal communication, November.
Morgan, M. Granger and M. Henrion. 1990. Uncertainty: A Guide to Dealing with Risk and Uncertainty in Quantitative Risk and Policy Analysis. Cambridge University Press.
Munger, D.F., D.S. Bowles, D.D. Boyer, D.W. Davis, D.A. Margo, D.A. Moser, P.J. Regan, and N. Snorteland. 2009. Interim Tolerable Risk Guidelines for US Army Corps of Engineers Dams. Proceedings of US Society on Dams 2009 Annual Lecture, Nashville, Tennessee. April.
NSW DSC (New South Wales Government, Dam Safety Committee). 2006. Risk Management Policy Framework for Dam Safety. 22 August.
Planning NSW. 2002. Risk Criteria for Land Use Safety Planning. Hazardous Industry Planning Advisory Paper No. 4, Reprint of Second Edition. March.
Reclamation (Bureau of Reclamation). 2003. Guidelines for Achieving Public Protection in Dam Safety Decisionmaking. Dam Safety Office, Department of the Interior, Denver, Colorado. 15 June.
USACE (U.S. Army Corps of Engineers). 2010. Dam safety regulation. Draft, EC 1110-2-1156.
Vrijling, J.K. 2001. Probabilistic Design of Water Defense Systems in the Netherlands. Reliability Engineering and System Safety, 74, pp. 337-344.