designing dam safety using failure modes analysis

7/31/2019 Designing Dam Safety Using Failure Modes Analysis

1/19

DESIGNING DAM SAFETY MONITORING AND EARLY WARNINGSYSTEMS USING FAILURE MODES ANALYSIS

Barry K. Myers, P.E. 1

Abstract

The key to a successful dam safety monitoring or early warning system isthe advanced detection of a developing condition of concern. Early detection ofa developing condition allows time to properly evaluate the on-going safety of thedam and to take corrective action, if necessary. To accomplish this objective, themonitoring system must be focused on detecting the events that are precursorsto a developing failure condition. A failure modes analysis is a good tool fordeveloping an understanding of the events that could lead to failure of the dam.

Two case studies are presented to illustrate the use of failure modesanalyses in designing dam safety monitoring and early warning systems. Thefirst case study involves the design of improvements to an existing dam safetymonitoring program for 17 earth dike structures with a total crest length of almost3 miles. The results of the failure modes analysis were a better understanding ofhow the individual dikes would likely fail. A relative risk assessment was thenperformed to identify system improvements that will be implemented to focus themonitoring efforts on the higher risk structures. The second case study involvesthe design of an early warning system for a zoned earth embankment dam where

the flood wave from a dam breach would cause loss of life and significantproperty damage within 15 minutes. Because of the short warning time, failuremodes analysis was used to identify the developing conditions that could lead tofailure. The detection of these developing conditions was then used to identifywhen a critical condition is reached, allowing enough time for evacuation beforethe dam fails. The results were used to design the detection portion of the earlywarning system and to develop a response plan for making decisions during adeveloping condition, including when to activate the notification system forevacuation.

1Principal Engineer, Squier Associates Inc., 4260 Galewood Street, LakeOswego, Oregon 97035


2/19

Introduction

A successful dam safety monitoring system consists of the following fourcomponents: 1) instrumentation, 2) data collection, 3) data evaluation andmanagement, and 4) a response plan. The instrumentation component includes

the measurement of key parameters that can be used to monitor the ongoingperformance of the dam. These parameters could be seepage flow, groundwater levels, deformations, or other physical measurements on the dam. Theinstrumentation also includes loading conditions and background informationsuch as reservoir level, seismic shaking, and weather conditions (i.e. rainfall,temperature, and barometric pressure). A thorough understanding of theimportant parameters to be measured, the likely range of values, and thepurpose for measurement establish the design criteria that are used to implementa successful instrumentation system.

How the data is collected from the instrumentation defines the second

component of the monitoring system. Data collection can vary from manuallyread instruments to fully automated data acquisition systems (ADAS).Intermediate systems include the used of handheld computers andpreprogrammed dataloggers. The most appropriate data collection systemdepends upon the dam safety monitoring objectives. For example, if themonitoring objectives include the detection of a rapidly (less than 24 hours)developing condition then an ADAS may be the only practical method ofmonitoring. With an ADAS, the instrumentation can be monitored on a near realtime basis by comparing measured values with predetermined alarm thresholdsto warn of a potential developing condition.

The third critical component is often overlooked. The ongoing dataevaluation, data management, and presentation of the results require forethoughtand planning. If the data cannot be readily reduced and evaluated, then its usein monitoring the on going performance of the dam is limited. In addition, theusefulness of the data in evaluating the monitoring objective is based on theability to compare the results with other instruments monitoring similarparameters and with historical data so that trends can be identified. Without agood procedure for data management, this is difficult to accomplish. Datapresentation is key to interpretation of the results. The significance of themeasured data must be conveyed to allow meaningful interpretation by theintended audience. To accomplish this, it requires designing and implementing a

data management and presentation system that is focused on providing theaudience with a readily interpreted result.

The most critical component of a dam safety monitoring system is acomprehensive plan for responding to the monitoring results. A detailed decisionprocess should be prepared for evaluating what the monitoring results mean andif a condition of concern is developing. Specific action items should also beidentified for the most likely outcomes from the monitoring. For early warning


3/19

systems, this component is especially critical to assure that the appropriateactions and notification are initiated in a timely manner.

Based on the definition of a successful dam safety monitoring system asdefined herein, it is apparent that the first step in designing and implementing a

successful system is developing an understanding of the events that could leadto a safety condition of concern in the future. With this understanding themonitoring objectives can then be clearly defined and design criteria can bedetermined to guide the development of the four system components asdiscussed above. Failure Modes Analysis (FMA) can be a powerful tool foridentifying the potential performance problems that should be anticipated for aparticular dam.

Using FMA in Designing Monitoring Systems

Failure Modes Analysis has been used extensively in performing risk

assessments. For a risk assessment the probability of failure and theconsequences of failure are used to calculate the risk of loss of life or propertydamage for a particular dam or project. In order to evaluate the probability offailure for a dam, the failure modes must first be identified. Identifying the failuremodes is typically performed by a team of experts who brain storm on differentways that the dam could fail. This brain storming includes identifying the eventsthat would occur leading to failure. The results are usually presented as eventtrees. The event tree is an organization of the different possible chain of events,or scenarios, that could occur leading to the mode of failure. Probabilities(likelihood) of occurrence are then assigned to the different responses in theevent trees and the probability of the scenario is calculated as the product of the

responses. The probability of failure for each tree is then calculated as the sumof the different scenarios. In addition to a calculated probability of occurrence,the analysis approach provides significant insight into the different ways that thedam could fail and the events that would likely lead to the development of failure.

It is this second product of the FMA that is particularly useful in designingmonitoring systems. The process of developing the failure mode event trees andthe resulting event trees allow for a comprehensive evaluation of the dam. Withthis more comprehensive understanding, design of the instrumentation and datacollection systems can be focused on detecting the events that would indicatethe development of these potential failure modes. The data evaluation and

response planning can also be more comprehensive with the knowledge of thefailure scenarios and how they will likely develop.

Case Studies

The following case studies are presented to illustrate the use of FMA indesigning dam safety monitoring and early warning systems. The first projectinvolves the use of FMA and a relative risk assessment to design improvements


4/19

to an existing dam safety monitoring program. The second project involves thedesign of an early warning system. For this project, FMA was used to design adetection system and response plan for evacuating the downstream communityin the event of an imminent failure condition at the dam.

White River Dam Safety Monitoring

The White River Project is owned and operated by Puget Sound Energy(PSE) primarily for hydropower production. However, the project has alsobecome a significant recreational amenity for the residential community thatsurrounds the lake. The project diverts water from the White River near Buckley,Washington into a canal that conveys the water from the diversion dam to LakeTapps. Water from Lake Tapps is then diverted for hydropower productionthrough a penstock and powerhouse that discharges the water back to the WhiteRiver near Sumner, Washington. Sumner is located approximately 40 milessouth of Seattle, Washington. Lake Tapps is approximately 2,700 acres in size

and has a storage capacity of 46,700 acre-feet. It is formed by a series of 15earth dikes that were used to combine four pre-existing lakes by raising the waterlevel by 35 feet. Two additional dikes, Dikes 14 and 15, form the final sedimentbasin for the flowline canal, Printz Basin. This basin is connected to the lake byan excavated section of canal. The general project layout is shown on Figure 1.

KING COUNTY

PIERCE COUNTY

SCALE IN MILES

0 1 2

Wh

iteR

iver

Printz

Basin

H

a

w

k

s

N

.

Bonney

Lake

Sumner-BuckleyHwy.(Hwy.410)

Old Sumner-Buckley

Hw

y.

162

Sumner

Buckley

E

.

Highw

ay410

Enumclaw

164

DIKES 2A-2B

DIKE 1DIKE 3DIKE 4DIKE 4A

DIKE 5DIKE 6

DIKE 7DIKE 9

DIKE 13

DIKE 14

DIKE 15

DIKE 12

DIKE 11

DIKE 8

DIKE 10

WHITE RIVER

POWER HOUSE

PENSTOCK

TUNNEL

DISCHARGE CANAL

FLOWLINE

DIVERSION DAM

LAKE

TAPPS

Figure 1 White River Project Layout

The dikes were constructed in 1910 and 1911 using fill from nearbyexcavations transported to the site by rail dump cars on wooden trestles. Largescrapers and donkey engines were used for fill placement and the wooden


5/19

trestles were left in place and filled around. Horse-drawn slip scrapers andwheelers were used to finish the dikes. As shown on Figure 1, the individualdikes vary in crest length and have a combined length of almost 3 miles. Thedikes also vary significantly in crest width and hydraulic height from 20 feet to 60feet wide and 8 feet to 45 feet in height, respectively. The downstream hazards

range from high with loss of life potential to low with minimal property damageexpected. Because of these differences in geometry and downstream hazard,the risk (probability of failure times consequences of failure) associated with eachdike varies significantly.

Monitoring Objectives

Monitoring the safety of nearly 3 miles of earth embankment structures isa formidable task for PSE. The existing dam safety monitoring program for thedikes consists of weekly visual inspections and manual readings of piezometersand weirs when the reservoir is near full pool level. The frequency of the

inspections and instrument readings are reduced to monthly when the reservoiris at low pool level. Piezometers have been installed in 8 of the 17 dikes andweirs are being used to measure seepage from the downstream toe areas for 10dikes. The dikes that have instrumentation are generally the more significantearth structures with hydraulic heights greater than 20 feet. Because the projectincludes hydropower it is under the regulatory jurisdiction of the Federal EnergyRegulatory Commission (FERC). Therefore, the FERC staff also performsannual safety inspections, and an Independent Consultant conducts acomprehensive review of the project safety every 5 years as part of the FERCPart 12D inspections.

PSEs objective for the dam safety monitoring program was to improvetheir ability to detect and respond to conditions that could lead to potentiallyunsafe performance of the dikes in the future. The desire was to reduce the riskby focusing the dam safety monitoring efforts and not by increasing the laboreffort required to perform the ongoing monitoring.

Failure Modes Analysis

A FMA was performed for the dikes to develop a better understanding ofthe potential modes of failure, and more importantly the events that lead to thefailure. The objective of the FMA was to focus the efforts and attention of PSEs

dam safety monitoring personnel on the important items that will provide the firstindication of a developing condition of concern. The resulting event trees wereused to illustrate the potential failure modes and identify the precursor eventsthat the dam safety monitoring personnel should be looking for.

Failure Mode Event Trees

A number of different modes were considered that could lead to a breachfailure of the dikes. Of these modes, the two that appeared to be the most likelyand worthy of further evaluation included: 1) the static loading/seepage failure


6/19

condition, and 2) failure during or immediately following an earthquake event.Overtopping of the dikes as a result of the probable maximum flood (PMF) wasnot considered likely based on the results of the hydrologic evaluations that havebeen performed on the project. The results of these evaluations indicate that thePMF is not likely to produce a rise in the reservoir level that would exceed the

available freeboard. This is primarily due to the small natural drainage area thatsupplies Lake Tapps, and the ability to shut off the flow line, which is the mainsupply of water to the lake.

The mode that was conceived for a potential breach failure under staticloading conditions includes: 1) the hydraulic gradient due to steady stateseepage increases in the downstream toe area; then 2) an unstable conditiondevelops on the downstream face; then 3) the unstable condition leads to abreach failure. An example showing one branch of the resulting event trees forthe static loading/seepage condition is presented as Figure 2.

Figure 2 Example Branch of the Event Tree for Static Loading Failure Mode

The first response on the event tree is the location of the seepage face onthe downstream slope. The three categories that were used include: 1) theseepage face is limited to the toe area; 2) the seepage face incorporates up toone-third of the downstream slope; and 3) the seepage face is exceptionallylarge and incorporates greater than one-third of the downstream slope. The treethen branches into possible scenarios for the development of an unstablecondition on the downstream slope. These include slope instability, piping (i.e.,migration of soil particles due to seepage) initiating, or no unstable condition


7/19

develops. If slope instability develops, then the instability can either progress inan upstream direction until a breach failure develops or remain localized withenough embankment left unharmed to prevent a breach failure. If piping initiates,then the pipe (cavity) can either progressively develop to the upstream facecausing an erosion failure, or only progress a portion of the way through the

embankment. If the pipe does not develop through the embankment, anincrease in seepage to the downstream portion of the embankment as a result ofthe pipe could lead to slope instability and progressive slumping of thedownstream slope. This slumping could also lead to overtopping and a breachfailure of the dike.

For the seismic loading condition, the failure mode that was developedincludes: 1) the design earthquake ground motions occur at the site and result inpermanent deformations of the embankment; 2) the crest deformations exceedthe available freeboard (i.e., the distance between the top of the embankmentand the reservoir level); and then 3) the dikes are overtopped which leads to a

breach failure. Figure 3 presents an example of one branch of the resultingevent trees for the seismic loading failure mode.

Figure 3 Example Branch of the Event Tree for Seismic Loading Failure Mode

The first response on the event tree is that either the design groundmotions for a Maximum Credible Earthquake (MCE) event occur at the site orthat ground motions with half the magnitude of the MCE ground motions occur atthe site. Since the purpose of this study was to evaluate the risk of failurerelative to each dike, it was considered acceptable to only use the two generalearthquake load responses.


8/19

If the ground motions mentioned above occur at the site, the dike fill willeither liquefy or experience limited or no liquefaction. If the dike fill liquefies, theneither a flow slide could occur on the downstream slope, or only minor slopedeformations. Progressive slumping of the remaining portion of the dike crest

following a flow slide event could then lead to a breach failure. The remainingportion of the crest could also remain intact and a breach failure could occur as aresult of piping and internal erosion through cracks in the embankment.

If a flow slide does not occur, then the settlement that results from a voidratio change due to liquefaction could allow overtopping if settlements are greaterthan the available freeboard, or failure due to piping through the formation ofsettlement cracks in the embankment.

For the scenario where the dike fill does not liquefy, a slide mass coulddevelop on the downstream slope that experiences deformation during shaking

which exceeds the available freeboard. Progressive slumping of the remainingintact portion of the dike could then lead to a breach failure. The deformationscould also produce cracking in the embankment that allows for piping andinternal erosion leading to a breach failure of the remaining intact portion.

Relative Risk Assessment

The results of the FMA were also used to perform a relative risk of failureassessment between the 17 dikes that are monitored. The purpose of therelative risk assessment was to appropriately allocate the level of effort for thedam safety monitoring to the dikes based on their relative risk of failure.

The relative risk assessment was performed by assigning probabilities tothe responses in the FMA event trees. The response probabilities were assignedbased on engineering judgement regarding how likely or unlikely it is that theevent will occur. Because the purpose of the assessment was to evaluate therelative risk between the dikes rather than the absolute risk of failure, theapproach to assigning response probabilities was considered reasonable andadequate.

Information that was used to judge the likelihood of occurrence for thestatic loading failure mode included the: 1) location of the existing seepage faceon the downstream slope, 2) the location of the existing phreatic surface withinthe embankment, 3) the width and hydraulic height properties of the dike, 4) thepiping resistance of the fill and foundation materials based on grain-sizedistribution, plasticity, and level of compaction, 5) the length of seepage andcritical water head based on the line of creep theory, and 6) calculated factorsof safety from slope stability analyses.

For the seismic loading failure mode the estimated response probabilitieswere based the results of: 1) seismic hazard evaluations, 2) liquefactionanalyses, and 3) slope stability and deformation analyses. The relative


9/19

probabilities of occurrence for the different failure scenarios within the event treeswere then calculated as the product of the response probabilities. The relativeprobability of failure for the event tree was calculated as the sum of the differentfailure scenario probabilities. The results were an estimated probability ofoccurrence for the static and seismic loading failure modes for each of the dikes.

The calculated probability of failure values were presented as a relativeprobability of failure index to emphasize that they are intended solely as a meansto evaluate the relative risk of failure between the project dikes. A hazard indexwas also created to represent the varying downstream hazard classifications thathave been assigned to each dike by the FERC. The FERC hazard classificationsystem (FERC Engineering Guidelines, 1991) is based on three categories.High hazard for structures where a breach failure could result in loss of life,significant hazard where there is no loss of life potential but significant propertyand environmental damages, and low hazard for no loss of life and minorproperty damage.

Based on the range of consequences associated with each of the hazardclassifications, a logarithmic scale was selected to assign the following indexvalues to the categories.

High Hazard = 100

Significant Hazard = 10

Low Hazard = 1

A relative risk index was then calculated for each of the failure modes asthe product of the probability of failure index times the hazard index. The resultsare shown on Table 1 for the static loading failure mode. A similar evaluationwas performed for the seismic loading failure mode as shown on Table 2.

The relative risk index values were used to group the dikes into fourrelative risk categories for the static loading conditions, and three relative riskcategories for the seismic loading conditions. Recommendations for futuremonitoring and response planning were based on these relative risk categories.


10/19

Table 1 Relative Risk Evaluation - Static Loading Failure ModeRelative Risk

Category

Dike

No.

Relative Probability

of Failure Index

FERC Hazard

Classification

Hazard

Index

Relative

Risk Index

1 4 0.270 High 100 27

1 11 0.160 High 100 16

1 4A 0.130 High 100 13

1 5 0.110 High 100 11

1 6 0.110 High 100 11

1 15 0.110 High 100 11

2 14 0.440 Significant 10 4.4

3 3 0.098 Significant 10 1

3 2B 0.094 Significant 10 0.9

3 9 0.080 Significant 10 0.8

3 2A 0.057 Significant 10 0.6

3 8 0.063 Significant 10 0.6

3 10 0.063 Significant 10 0.6

4 12 0.012 Significant 10 0.1

4 1 0.0018 Low 1 0

4 7 0.0007 Low 1 0

4 13 0.011 Low 1 0

Table 2 Relative Risk Evaluation - Seismic Loading Failure Mode

Relative Risk

Category

Dike

No.

Relative Probability

of Failure Index

FERC Hazard

Classification

Hazard

Index

Relative

Risk Index

1 15 0.150 High 100 151 14 0.530 Significant 10 5.3

1 4A 0.052 High 100 5.2

1 5 0.052 High 100 5.2

1 6 0.052 High 100 5.2

1 11 0.052 High 100 5.2

1 4 0.043 High 100 4.3

2 3 0.073 Significant 10 .7

2 10 0.037 Significant 10 .4

2 2A 0.031 Significant 10 .3

2 2B 0.031 Significant 10 .3



2 12 0.024 Significant 10 2

3 1 0.015 Low 1 0

3 7 .003 Low 1 0

3 13 0.019 Low 1 0


11/19

Recommended Monitoring System Improvements

The recommendations for the dam safety monitoring program based onthe relative risk categories were subdivided into three general groups:

1) monitoring of instrumentation;

2) performing visual inspections; and

3) responding to emergency conditions or developing conditions ofconcern.

The results are presented on Tables 3 and 4 for the static and seismicloading conditions, respectively.

Table 3 Recommended Monitoring for Static Loading Conditions

RelativeRisk

Category

Recommended SeepageMonitoring

Recommended VisualInspection

RecommendedEmergency Response

Plan

1 and 2Piezometers monitoredmonthly to determine thelocation of the phreaticsurface. Piezometers installedat multiple cross sectionlocations along the crestlength.

Flow from seepage collection

trenches along the toe of thedike monitored weekly todetect changes in seepageand leakage.

Also monitor reservoir leveland rainfall for comparisonwith the piezometer and flowdata.

Perform weekly visualinspections of the crest,downstream slope,downstream toe area,and exposed portion ofthe upstream slope.Observe deformations,sinkholes, soft spots,slumps, sags, seepage,

and leakage.

Maintain localstockpiles of filterblanket material neareach dike for use inremediating areas thatexhibit signs of pipingor significant leakage.

Maintain control

measures for loweringthe reservoir andclosing the flowlinecanal, if needed.

3Same as Categories 1 and 2,except piezometers areinstalled only at the location ofthe maximum cross section.

Same as Categories 1and 2

Same as Categories 1and 2

4No seepage monitoringrecommended

Perform periodic visualinspections asdescribed above,weekly for Dike 12, andmonthly for Dikes 1, 7,and 13.

Maintain a localstockpile of filter blanketmaterial for Dike 12.


12/19

Table 4 Recommended Monitoring for Seismic Loading Conditions

RelativeRisk

Category

RecommendedMonitoring

Recommended VisualInspection

RecommendedEmergency Response

Plan

1

Strong motion

accelerographs should beinstalled on Dikes 4A and15 to measure the level ofshaking that occurs duringan earthquake event.

Monitoring of thepiezometers and seepageflows should be increasedto daily for three weeksfollowing the earthquakeevent to evaluate ifseepage conditions have

changed.

Perform a visual

inspection of the crest,downstream slope,downstream toe area, andexposed portion of theupstream slopeimmediately following theearthquake event. Makeobservations daily forthree weeks regardingdeformations, sinkholes,soft spots, sags, slumps,seepage, and leakage.

Maintain local

stockpiles of dike fillmaterial near each dikefor use in remediatinglocalized areas on thedike crest that havesettled or deformed dueto ground shaking.

Maintain controlmeasures for loweringthe reservoir andclosing the flowlinecanal, if needed.

2Monitoring should beincreased to daily for theseepage flows and weeklyfor the piezometers forthree weeks following theearthquake event.

Same as Category 1,except that the visualinspection immediatelyfollowing the earthquakeevent should occur as-soon-as-possible after theCategory 1 dikes havebeen inspected.

Same as Category 1

3No monitoringrecommended

Perform a visualinspection after all of theCategory 1 and 2 dikeshave been inspected. Forthree weeks following theearthquake event, performperiodic visual inspectionson a weekly basis.

Implementation of the recommendations presented in Tables 3 and 4 willinvolve the installation of 20 new piezometers (2 piezometers per cross sectionlocation); seepage collection trenches along the toe of all Risk Category 1, 2 and3 dikes; and strong motion accelerographs on Dikes 4A and 15. For the 10 dikesthat already have seepage measurement instrumentation, improvements will bemade to provide for seepage collection and a corridor for regular visualinspections along the entire toe of the embankment. This work will primarily

consist of vegetation clearing and minor grading improvements. Collectiontrenches were also recommended for the dikes where seepage is not currentlyobserved. The purpose of maintaining a corridor along the toe of these dikes isto allow for detection of seepage by visual inspection if it occurs in the future. Ifseepage is observed in the future, then weirs will be added to measure the flowrates. The purpose of the strong motion accelerographs is to measure the levelof shaking that occurs at the site during an earthquake event. The results will beused in evaluating ground performance during the event and predictingperformance of the dikes under future events. Dike 4A was selected because it


13/19

is the tallest dike and Dike 15 is founded on mudflow material that is expected toliquefy during a design earthquake.

Silver Creek Dam Warning System

The Silver Creek Dam is located roughly two miles upstream fromdowntown Silverton, Oregon. Silverton is located approximately 55 milessoutheast of Portland, Oregon. The dam and reservoir are owned and operatedby the City of Silverton and were constructed in the late 1970s to provide rawwater storage and recreational uses for the City. The crest length of the dam is680 feet, and it has a maximum height of 65 feet. A 120-foot wide rectangularreinforced concrete chute spillway is located on the right abutment. Theregulating outlet is a 42-inch inside diameter cast-in-place concrete pipe which islocated on rock near the maximum embankment cross section. The dam isconstructed as a zoned earth embankment dam with a 3H:1V upstream slope, a2H:1V downstream slope and a central core.

Soon after the first filling, horizontal drains were installed from thedownstream toe area and a buttress was added to the lower portion of the slopeto remediate higher than expected seepage on the downstream face. A total of10 piezometers were added to monitor the long-term seepage performance ofthe dam. The existing dam safety monitoring also consists of manual flowmeasurements from the drains using a timed bucket approach, survey ofsettlement monuments on the crest of the dam, and visual inspections. Theresults of the monitoring performed to date, have not indicated any degradingtrends in the seepage performance of the dam.

Monitoring Objectives

The results of Dam Break Analyses performed in 2000 indicated that aflood wave in excess of 10 feet would travel down the Silver Creek channel andinundate downtown Silverton within 15 minutes following a breach failure of thedam. Based on these results, the City of Silverton decided to implement an earlywarning system for the dam. The purpose of the early warning system is toprovide advanced notice so that the inhabitants can be safely evacuated from theflood inundation area.

Because of the short warning time of 15 minutes, providing warning that

the dam has failed would not allow enough time to safely evacuate thedownstream inhabitants. The only feasible approach was to detect a developingcondition and initiate the notification to evacuate based on a failure is imminentcondition. Therefore, the performance criteria and design of the early warningsystem was focused on detecting an imminent failure condition.


14/19

Failure Modes Analysis

In order to provide early warning of an imminent failure condition, thepotential modes of failure, and more importantly the events that lead to the

failure, had to be understood. Therefore, FMA was used to identify the eventsthat could be detected by the early warning system to provide notification of adeveloping condition, and to develop a plan for responding to these events.

A number of different failure modes were considered that could lead to anuncontrolled release of the reservoir. Of these modes, the three that appeared tobe most likely and worthy of further evaluation included: 1) a seepage failureunder normal operating conditions, 2) failure following an earthquake event, and3) failure under a high reservoir level condition that results from largeinflows/flooding. The following is a discussion of the three failure modes.

Normal Operating ConditionsThe mode that was conceived for a potential seepage failure of the dam

under normal operating conditions includes: 1) an increase in seepage throughthe embankment core; then 2) this increase results in an unstable conditiondeveloping within the embankment or on the downstream face; then 3) theunstable condition leads to a breach failure of the dam. To further understandthis failure mode an event tree was developed.

The first response on the event tree is that seepage increases through theembankment. The three categories that were used to describe where theseepage increases could occur include: 1) increased seepage along the

abutment contacts; 2) increased seepage through a flaw in the embankmentcore; and 3) increased seepage along the foundation contact. The tree thenbranches into possible scenarios for the development of an unstable conditiongiven that an increase in seepage occurs at the different locations. The possibleunstable conditions include downstream slope instability, and piping of the corematerial. If slope instability develops, then the instability can either progress inan upstream direction until a breach failure develops or remain localized withenough embankment left unharmed to prevent a breach failure. If piping of thecore material occurs, then the loss of material could lead to the development of asinkhole on the upstream face or further instability on the downstream slope dueto the increasing rate of seepage. The size and location of the sinkhole would

determine if the dam is in danger of being breached. The sinkhole could alsogrow in size as the piping progresses. The affect of the increasing seepage rateon the downstream slope stability would also depend on how the pipingprogresses. Both scenarios could lead to a breach failure or could remainlocalized with enough of the embankment left unharmed to prevent a breachfailure.


15/19

Earthquake Loading

For the seismic loading condition, the failure mode that was developedincludes: 1) an earthquake occurs producing ground motions at the site that arelarge enough to cause permanent deformations; then 2) an unstable condition inthe embankment develops as a result of the deformations; then 3) the unstable

condition progresses leading to a breach failure of the dam.

The first response on the event tree is that an earthquake occurs thatresults in permanent deformations of either the embankment upstream slope orthe downstream slope, or the spillway structure on the right abutment. On theupstream slope, the result of these deformations could include: 1) cracking of thecore; 2) increased seepage along the outlet conduit; or 3) a slide massdeveloping on the upstream slope. If these unstable conditions progress, theycould lead to a developing seepage failure or a progressive slumping failure ofthe upstream face. For the scenario where a slide mass develops on theupstream slope, a freeboard of less than 4.5 feet is significant because the upper

4.5 feet of the dam does not include the core zone. Therefore, the upper 4.5 feetdoes not have a seepage control zone. The possible failure scenario resultingfrom deformations on the downstream slope is progressive slumping that leads toovertopping and a breach failure. The third possible developing condition ofconcern would be permanent deformation of the spillway structure. If a structuralfailure occurs, then uncontrolled seepage around or through the structure couldlead to progressive erosion and slumping of the downstream slope andeventually a breach failure. The second scenario is that the concrete structuredoes not fail but the permanent deformation creates a preferential path foruncontrolled seepage. The uncontrolled seepage could then lead to a seepagefailure.

Flooding Conditions

The third failure mode that was evaluated includes: 1) large inflows occurfrom rain fall and snow melt that cause a rise in the reservoir level; then 2) thehigher than normal reservoir levels result in the development of an unstablecondition; then 3) the unstable condition leads to a breach failure. The initialresponse in the event tree is the level of inflow and the corresponding amount offreeboard that would remain assuming that the reservoir was at a full poolelevation of 424 feet before the flooding event occurred. However, the keyparameter for the developing failure mode is the reservoir level and not theinflow. Three flooding scenarios were considered that resulted in reservoir

elevations with freeboard amounts of greater than 6 feet, between 6 and 3 feet,and less than 3 feet. If the reservoir level continued to rise to within 2 feet of thedam crest, then overtopping would be considered likely. Erosion caused by theovertopping could then lead to a progressive breach failure. An unstableseepage condition could also develop through the upper 4.5 feet of theembankment that does not include the core zone for seepage control. Aseepage failure condition through the embankment as described under theNormal Operating Condition is also a possibility under these significantly higherthan normal reservoir levels. For the inflow events that result in a freeboard of


16/19

greater than 6 feet, the possibility of overtopping still exists if the spillwaybecomes blocked by debris. The debris could reduce the capacity of the spillwayresulting in a rising reservoir level.

Alarm Response Plan

The results of the FMA were used to develop a response plan that dividesthe developing failure modes into three alarm categories and provides specificactions that should be performed to respond to the alarm levels. The AlarmResponse Plan is presented as Table 5. The purpose of the plan is to provide aframework that can be used by City operations personnel to make decisionsregarding the condition of the dam and the appropriate level of response during adeveloping failure mode.

Table 5 Alarm Response Plan

Alarm Level Safety Condition Response

Alert

Developing Condition of Concern

Piezometer level exceeds highthreshold values

Weir flow exceeds high thresholdvalues

Reservoir level within 8 feet of crest

Earthquake occurs

Network communication error

Operator on duty notifiedimmediately by cell phone anduses the Monitoring Station PC toevaluate the alarm condition

Operator conducts a site visit toobserve the conditions thatcaused the alarm

If the alarm is not the result of anequipment malfunction, then the

operator remains on site tomonitor for a developing unstablecondition

Developing

Unstable Condition Develops

Instability develops on thedownstream or downstream slope

Sinkhole develops on the upstreamslope

Uncontrolled seepage exiting at thedownstream toe or abutmentcontacts

Structural failure allows un-controlled seepage around spillway

High reservoir level results inseepage through the upper 4.5 feetof the embankment

Debris in the spillway reducescapacity and causes a sudden risein reservoir level

Operator initiates the emergencycall out list to issue a warning ofan unstable condition

Operator continues to monitor thesituation from the On-SiteMonitoring Station

Engineering evaluation is

immediately conducted Warning condition is removed

when the alarm conditions returnto a normal level, or actions havebeen taken to successfullystabilize the situation


17/19

Table 5 Alarm Response Plan (continued)

Critical

Imminent Failure Condition

Instability incorporates half of thedownstream slope

Instability or sinkhole on theupstream slope reduces thefreeboard to less than 4.5 feet

Whirlpool develops in the reservoir

Turbid flow is exiting thedownstream toe or abutment areasat an increasing rate

Reservoir level rises to within 2 feetof the crest

Erosion/slumping occurs in theupper 4.5 feet of the embankmentunder high reservoir levels

Operator activates the notificationsystem from the On-Site

Monitoring Station Silver CreekDam Emergency. Evacuate theArea Immediately

Evacuation Plan is initiated

All clear notification It is Safe toReturn. Silver Creek Dam isSecure is activated when thecondition has been stabilized orthe flood wave has passed

The three alarm levels shown on the Alarm Response Plan are directlyrelated to the failure mode event trees. The first alarm level Alert correspondsto a developing condition of concern, or the initiation of one of the failure modesin the event trees. As the failure mode progresses in the event trees, anunstable condition would develop. This unstable condition corresponds to theDeveloping alarm level. Between the initiation of an unstable condition andfailure of the dam is a condition where failure would be considered to be verylikely or imminent. A determination that failure is imminent is made based onan observation of one of the safety conditions listed in Table 5 under the Criticalalarm level. If any of these conditions are observed, then the failure mode has

developed to a situation where failure would be considered likely and theevacuation plan for the early warning system would be initiated.

Early Warning System Design

The results of the FMA were also used to design the detection portion ofthe early warning system. The warning system consists of both a detectionsystem that is used to identify a developing safety condition, and a sirennotification system that is used to notify the downstream community of the needto evacuate.

Both systems are integrated with the decision process that is outlined inthe Alarm Response Plan and used to make the decision regarding when animminent failure condition exists and the need to evacuate. A data flow diagramillustrating the connectivity of the systems is presented as Figure 4.


18/19

ENGINEERING/OPERATIONS

(City Hall)

SILVER CREEK DAM

Dam Crest(south)

P10

P4

P6

ReservoirLevel

Weir 1

Weir 2 Weir 3

Weir 4

RF Radio

On-Site MonitoringStation

RF Radio

LaptopPC

DirectRS232

Connection

MCU1

P1AP1B

Dam Crest(north)

MCU2

P2AP2B

P3

P5

P9

SirenNotification

Network

SirenControlStation

NOTIFICATION SYSTEM

SirenActivation

Panel

ManualNotificationProcedures

RadioTransmission

Notification of developing condition via cellphone and/or telephone to on-call personnelto inspect dam.

Photo Records

VisualInspections Paper File

ArchivePlots

Damsmart Output

Engineering/Operations PC

MCU3

RF Radio

Autodialer

TelephoneModem Connection

RadioTransmission

Manual activation of Siren Network andInitiation of the Emergency Action Plan

based on a condition of imminent failure ofthe Dam.

Radio

Transmission

RadioTransmissions

RadioTransmission

VisualReservoir

Level Gauge(for visual monitoringof reservoir level)

Figure 4 Silver Creek Dam Early Warning System Data Flow Diagram

The recommended detection system consists of improving the monitoringcapability for both existing and new instruments installed at various locations onthe dam. The improvements will include:

Installing a reservoir level monitoring instrument that includes the use of a

vibrating wire pressure transducer to monitor the reservoir water level, anddetect a high or rapidly rising reservoir level condition. Outfitting the existing piezometers with vibrating wire pressure transducers

to detect changes in the seepage performance of the dam and abutments. Installing new weir box instruments to collect and measure seepage at the

toe of the dam, the contact with the left abutment, and from the horizontaldrains. Vibrating wire sensors will be installed in the weir boxes to monitorchanges in the seepage performance of the dam.

Installing an On Site Monitoring Station to provide a base station at thedam for on-site monitoring during a Developing alarm condition.

Installing a new Reservoir Level Site Gauge to provide a back-up point of

reference for visual monitoring during a flooding condition.

All of the electronic sensors will be connected to Measurement ControlUnits (MCUs). The MCUs are microprocessor controlled data acquisition unitsthat will be programmed to collect the data from the sensors and compare thereadings to predetermined threshold values every 15 minutes. If a thresholdvalue is exceeded, then the MCU network will initiate a phone call to theassigned city personnel to alert of a developing condition of concern. City


19/19

personnel will then respond according to the Alert alarm level as described inTable 4.

The MCU network will also be programmed to collect and store readingson a daily basis for use in long term performance and trending evaluations. As

part of the on going dam safety monitoring activities, the City personnel will beusing a database tool to reduce and evaluate the instrument data. The City willalso be performing regularly scheduled visual inspections of the dam.

Conclusions

Two case studies have been presented to illustrate the use of FMA indesigning monitoring systems. The White River Project is a good example of amonitoring program that requires significant labor effort due to the nearly 3 milesof earth embankment structure. By gaining a better understanding of the eventsthat could lead to failure of the dikes and the relative risk between the dikes, a

more refined dam safety monitoring program was developed. The refinementsare intended to improve the owners ability to detect and respond to conditionsthat could lead to potentially unsafe performance of the dikes in the future. Theimprovements are directed at reducing the risk by focusing the dam safetymonitoring efforts and not by increasing the labor effort required to perform theongoing monitoring.

For the second case study, the use of FMA was essential in identifying theevents that could indicate a developing failure mode, and in developing adecision process for evacuating the downstream community. Because of theshort warning time of 15 minutes, evacuation of the community needs to be

initiated before the dam fails. An imminent failure condition was defined usingFMA and used as the condition under which the notification for evacuation will beissued. The design of the automated detection system to notify the City of adeveloping safety condition at the dam, and the plan for responding todeveloping failure modes were both based on the results of the FMA.

As demonstrated by these two case studies, FMA is an effective tool foruse in designing safety monitoring and early warning systems for dams. Theauthor is also currently using this tool to design performance monitoring andwarning systems for other critical civil structures such as bridges, buildings, andlandslides. Failure modes analysis provides an approach to identify and

understand the critical parameters that are needed to effectively monitor theperformance of a structure.

designing dam safety using failure modes analysis

Documents