You are on page 1of 75

IRFAN A.

ALVI, PE ASDSO WEBINAR


Alvi Associates, Inc. NOVEMBER 2015
BACKGROUND

Joined ASDSO Dam Failures & Incidents Committee (DFIC) in 2010

Early DFIC discussions about role of human factors in dam failures and
incidents

Broad research into role of human factors in failure and safety, drawing on
diverse fields
Aviation, health care, nuclear power, motorsports
Management, social sciences, philosophy
Work by others in the dam safety community

Development of an evolving human factors framework for dams, aiming to


keep it practical

Papers and presentations starting in 2013, leading to this 2015 webinar

Future webinars possible

Human Factors in Dam Failure and Safety 2


ACKNOWLEDGEMENTS

Mark Baker Edwin Matsuda Neil Schwanz


Dusty Myers Andrew Mattox Paul Schweiger
Denis Binder Lee Mauney Nate Snorteland
Colin Brown Sarah McCubbin- Susan Sorrell
Cain
Bob Clay Bruce Tschantz
Mark Ogden
Kim de Rubertis Hal van Aller
Jim Pawlowski
Alon Dominitz Karl Weick
Michael Quinn
Keith Ferguson Jon Wilkman
Jeffrey Racicot
Robert Godbey Lee Wooten
Greg Richards
Wayne King Many colleagues at
Tom Roberts Alvi Associates
Nancy Leveson

Human Factors in Dam Failure and Safety 3


GENERAL OUTLINE

General Failure Patterns

Why Human Factors?

Failure vs. Safety

Contributors to Failure

Contributors to Safety

Links to PFMA and Risk Analysis

Implications for Failure Investigation

Case Studies Big Bay, Ka Loko, and Prettyboy Dams

Conclusions

Human Factors in Dam Failure and Safety 4


GENERAL FAILURE PATTERNS

Physical and human factors continuously interact as dynamic systems

We can choose to identify discrete steps (often small) leading to failure

These steps form timelines which may precede failure by years or even decades

Eventually, enough factors accumulate and line up to become jointly sufficient to


produce failure

Linear sequential narrative timelines are easier, but interactions between factors
may be complex
Nonlinear relationships
Feedback loops
Causes having multiple effects
Effects having multiple causes
Root causes or dominant contributing factors may not be readily identifiable

Human Factors in Dam Failure and Safety 5


WHY HUMAN FACTORS?

Engineering is about people intentionally changing the world, so we


always have interacting physical and human factors

Natural tendency is increasing disorder (entropy) and drift into failure

So human effort is needed to create/maintain order and achieve safety

Physical systems follow deterministic physical laws nature cant make


errors

So failure, in terms of unmet expectations, is fundamentally due to


human factors

Human effort is normally good enough, but sometimes falls short

So humans are both the problem (error) and solution (success), two
sides of the same coin

Human Factors in Dam Failure and Safety 6


FAILURE VS. SAFETY

CONTRIBUTORS TO FAILURE CONTRIBUTORS TO SAFETY


(DEMAND) (CAPACITY)

Primary drivers Safety culture


Pressures from non-safety goals
Best practices
Human fallibility and limitations
General design features
Complexity
Organizational and
professional practices
Human errors

Compromised risk management

Demand > Capacity Capacity > Demand


Failure Safety

Human Factors in Dam Failure and Safety 7


CONTRIBUTORS TO FAILURE

PRESSURE FROM NON-SAFETY GOALS

Functional goals
Water supply, irrigation, flood control, hydropower, recreation
Safety is more a constraint than a goal

Cost and profit pressure inherent tradeoff of cost versus risk

Schedule pressure

Personal agendas

Social pressures (eg, from relationships)

Political pressure

Competition

Human Factors in Dam Failure and Safety 8


CONTRIBUTORS TO FAILURE

HUMAN FALLIBILITY AND LIMITATIONS

Category Examples
Bounded rationality Finite cognitive processing capacity satisficing
Misperception Not seeing soil particles in seepage, misclassification of soil or rock
IGNORANCE/UNCERTAINTY Inadequate subsurface investigation
incomplete or inaccurate
information & knowledge Immature engineering state-of-the-art, insufficient relevant experience

Misapplied heuristics Use of an engineering rule of thumb outside its traditional context
Unreliable intuition Atypical, unprecedented, or complex design situation
Inaccurate memory Misremembering or forgetting to document an inspection observation
Fatigue effects Long work shifts, compressed schedules
Emotional effects Apathy, indifference, frustration, pride
INACCURATE MODELS Significant 3D behavior missed by using a 2D model
Dunning-Kruger effect: very unskilled individuals greatly overestimate their ability,
COGNITIVE BIASES
highly skilled individuals somewhat underestimate their ability

Human Factors in Dam Failure and Safety 9


CONTRIBUTORS TO FAILURE
IGNORANCE/UNCERTAINTY

Category Description

Known knowns Known, and were aware that we know it

Unknown knowns Known, but were not aware that we know it (eg, intuition and tacit knowledge)

Denied knowns Known to some degree, but we repress it because of psychological or social reasons

Errors Believed to be known, but actually incorrect

Taboo unknowns Potentially knowable, but not explored because of psychological or social reasons

Known unknowns Partly unknown, but the uncertainty can be modeled (eg, probability distributions)

Unknown unknowns Unknown and entirely missing from our models (eg, unknown dam defect)

Vagueness Fuzziness in defining something (eg, significant seepage)

Human Factors in Dam Failure and Safety 10


CONTRIBUTORS TO FAILURE

INACCURATE MODELS
Difficulty in Validating Models
Necessity of Models
Computational models have a black box aspect,
Our interactions with the world are always which inhibits intuition and checking
mediated by models
Safety factors can prevent models from truly being
Models may be subconscious, conceptual, tested
mathematical, computational, or physical
Subjectivity and Biases in Modeling
Uncertainty of Models
Models are developed by people, for various goals,
All models are incomplete and inaccurate, to and thus have a subjective aspect
varying and usually unknown degrees
Modeling is subject to various cognitive biases
Model inaccuracy may be both qualitative and
quantitative

Model uncertainties include known unknowns


(can be estimated), unknown unknowns
(missing from the model), and other types

Making models more complex doesnt always


make them more accurate

Human Factors in Dam Failure and Safety 11


CONTRIBUTORS TO FAILURE
COGNITIVE BIASES
Studied extensively over the past several decades, with dozens of biases identified

Biases result from subconscious cognitive processes which systematically distort thinking
relative to reality

Biases often have detrimental effects on decision-making, but may be beneficial in some
contexts

Bias Description Modeling Example

Confirmation Favoring confirming over Unreasonably continuing with a model for


disconfirming evidence reasons unrelated to accuracy (eg, sunk-cost bias)

Recency Giving greater weight to recent Using a model because it was used recently,
events over prior events, without despite overall experience suggesting a different
justification model

Outcome Focus on outcomes without Using a computational model as a black box


consideration of process because it has worked so far

Human Factors in Dam Failure and Safety 12


CONTRIBUTORS TO FAILURE
COMPLEXITY

System Features Implications Examples

Components Sensitivity (large effects from small 3D unsteady seepage


causes)
Multiple Seepage/piping feedback,
Thresholds (tipping points) causing irreversible nonlinear
Physical & growth in internal erosion
human Irreversibility & path dependence
Complex rock formations
Interactions
Difficult to model
Multiple 3D time-dependent differential
Difficult to predict settlement and cracking
Nonlinear
Difficult to control, with potential for Complex ownership
Feedback loops unanticipated adverse interactions arrangements

Dynamic In general, complexity exacerbates Hydropower systems with


human fallibility and limitations many components and
significant human/physical
interactions

Human Factors in Dam Failure and Safety 13


CONTRIBUTORS TO FAILURE COMPLEXITY

Source: Dams as Systems A Holistic Approach to Dam Safety by Pat Regan (2010)

Human Factors in Dam Failure and Safety 14


CONTRIBUTORS TO FAILURE

Human Factors in Dam Failure and Safety 15


CONTRIBUTORS TO FAILURE

HUMAN ERROR
Humans must adaptively cope with diverse, complex, and uncertain
situations with conflicting goals and time pressure
Error is usually judged based on outcomes, after the fact
The same action may have a good or bad outcome, depending on circumstances
beyond someones control
Good actions may have bad outcomes, and bad actions may have good outcomes

We arguably have a degree of free will but it can never be entirely free, due
to external and subconscious influences beyond our control and possibly
beyond our awareness
So its tricky to (a) determine what behavior is reasonable versus negligent,
and (b) assign blame and liability pragmatically focus on desired outcomes
Fundamental attribution bias bad outcome of others is due to them, whereas your
bad outcome is due to the situation

Various error classification systems are available

Human Factors in Dam Failure and Safety 16


CONTRIBUTORS TO FAILURE

TYPES OF HUMAN ERROR

Category Error Type Comments

Inadvertent error Slip (commission) May be due to diverted attention


due to action not as
planned Lapse (omission) May be due to short-term memory lapse

Action as planned, Rule-based mistake Misapplied good rule, or applied bad rule
but inadvertent
error in thinking Knowledge-based mistake Inaccurate knowledge or judgment

Deliberate non- Routine violation Rule or procedure viewed as inapplicable


compliance with
rules, procedures, Non-compliance viewed as appropriate
etc. Situational violation
or necessary for the specific situation

Human Factors in Dam Failure and Safety 17


CONTRIBUTORS TO FAILURE

COMPROMISED RISK MANAGEMENT

Vulnerability Description Contributing Factors

Ignorance Insufficiently aware of risks Human fallibility and limitations


Complexity
Denial bias

Complacency Aware of risks, Fatigue, emotions, indifference


but overly risk tolerant Pressure from non-safety goals
Optimism bias (it wont happen to me)

Overconfidence Aware of risks, Human fallibility and limitations


but overestimate ability to Complexity
manage them Overconfidence bias

Caution Successful track records may foster ignorance, complacency, and overconfidence!

Human Factors in Dam Failure and Safety 18


FAILURE VS. SAFETY (RECAP & QUESTIONS)

CONTRIBUTORS TO FAILURE CONTRIBUTORS TO SAFETY


(DEMAND) (CAPACITY)

Primary drivers Safety culture


Pressures from non-safety goals Best practices
Human fallibility and limitations General design features
Complexity Organizational and
professional practices
Human errors

Compromised risk management

Demand > Capacity Capacity > Demand


Failure Safety

Human Factors in Dam Failure and Safety 19


CONTRIBUTORS TO SAFETY

SAFETY CULTURE

To a large extent, contributors to failure (demands) are


givens, so our efforts should emphasize the safety (capacity)
side

Good safety culture means that everyone in the organization,


at all levels including top management, sincerely and visibly
places high value on safety

A central trait is an attitude of being concerned with avoiding


failure and achieving safety how concerned?

Aware Alert Vigilant Worried Paranoid Panicking

Humility (awareness of fallibility and limitations) is also an


essential trait of safety culture

Human Factors in Dam Failure and Safety 20


CONTRIBUTORS TO SAFETY

SAFETY CULTURE BEST PRACTICES

Safety culture typically leads to implementing best practices, and is typical in dam
engineering

Best practices safety (Grossly) neglect best practices failure

Maxims

Failure results from not doing whats necessary to succeed,


not from doing special things to fail
Trying to succeed is at least as important as trying not to fail
Focus on what to do, instead of what not to do

Human Factors in Dam Failure and Safety 21


CONTRIBUTORS TO SAFETY BEST PRACTICES
General Design Features Organizational & Professional Practices

Conservative safety margins Sufficient resources

Customization to project sites, Open and effective information sharing, including allowing dissent and documenting
thoroughly, to connect the dots among dispersed and fragmentary information
including scenario planning
during design and SAFETY-ORIENTED PERSONNEL SELECTION
testing/adaptation during
construction (observational DIVERSE TEAMS, but with leadership, continuity, and avoiding diffusion of
method) responsibility

Generally-accepted current Recognizing knowledge limitations and deferring to expertise


best practices for design
features and construction Peer review and cross-checking
methods USE OF CHECKLISTS
ROBUSTNESS, REDUNDANCY, AND Appropriate system models (possibly explicitly including human factors for actively-
RESILIENCE operated dams) and careful software use

Progressive and controllable Appropriate failure modes, including operational failure modes and failure modes in
failure modes which produce the proximity of dam sites
warning signs
Professional, ethical, and legal/regulatory standards
Accurate hazard classification Learning from failures and incidents (www.damfailures.org, Decade Dam Failures)
and good emergency action
planning WARNING SIGNS VIGILANT MONITORING, THOROUGH INVESTIGATION, AND EFFECTIVE RESPONSE

Human Factors in Dam Failure and Safety 22


CONTRIBUTORS TO SAFETY
ROBUSTNESS, REDUNDANCY, AND RESILIENCE (3R)

Type Description Examples

Robustness Ability of the system to Combined arch-gravity


maintain function despite design, emergency
diverse and heavy demands, spillways
possibly not fully anticipated
during design
Redundancy Backup provided by having Multiple measures to
more than one component or control seepage,
system to perform the same piping, and uplift
function

Resilience Ability of the system to adapt Fuse plugs,


and/or recover in order to fuse gates
maintain function

Caution Redundancy can increase system complexity, so use with care.

Human Factors in Dam Failure and Safety 23


CONTRIBUTORS TO SAFETY

SAFETY-ORIENTED PERSONNEL SELECTION


Emphasis should be on shaping culture, practices, and work situations at
group and organizational levels, thus shaping behavior of individuals

But everyone is not the same on an individual level


Experience matters, and is essential for judgment
Also look at personality and character attributes
Vigilant and cautious
Humble, inquiring, and skeptical
Disciplined and meticulous
Effective communicator and interpersonally assertive

Human Factors in Dam Failure and Safety 24


CONTRIBUTORS TO SAFETY

DIVERSE TEAMS
Desired type of diversity is cognitive diversity, which brings in diversity of
perspectives, education, training, experience, information, knowledge, models,
skills, problem-solving methods, heuristics, biases, etc.

Diversity trumps ability for difficult problems, a team of diverse people with
relevant abilities will often outperform a homogenous team of the best people,
since a diverse team covers more bases (additivity), provides checks and balances,
and may also have synergy (superadditivity)

Diversity prediction theorem the averaged predictions from a diverse group of


models will usually be more accurate than the predictions of a single good model,
due to cancellation of errors when averaging multiple models

To benefit from diversity and prevent groupthink


Encourage open sharing of information
Bring in outsiders
Accept dissent and some dissonance, but groups should be aligned (not diverse) in their
fundamental goals

Human Factors in Dam Failure and Safety 25


CONTRIBUTORS TO SAFETY
CHECKLISTS
Used extensively and proven highly effective in aviation, health care, etc.

Most effective for preventing slips, lapses, and violations

Less effective for preventing mistakes

Checklists are not fun to use, but they foster discipline and vigilance

Traits of good checklists


Customized for the situation
Clear and unambiguous
Focused on items which are important but prone to being missed
Shorter checklist is usually better for situations involving acute time pressure, but
in dam safety we usually dont have that level of time pressure (except
emergencies)
Should be regularly updated based on experience

Human Factors in Dam Failure and Safety 26


CONTRIBUTORS TO SAFETY

EFFECTIVELY ADDRESSING WARNING SIGNS


Failures are typically preceded by detectable warning signs
Warning signs may be subtle try simulated hindsight by imagining that failure has already
occurred and then judge whether ignoring a particular potential warning sign can be justified
False alarm warning signs are possible
Sensitivity > selectivity (better safe than sorry)

Best practices for warning signs


Be vigilant and continuously monitor for
warning signs, including after atypical events
and during quiet periods dont let your
guard down
Investigate potential warning signs
thoroughly
Be prompt with communications and
remedial actions
Document thoroughly, so that emerging
patterns can be discerned

Human Factors in Dam Failure and Safety 27


LINKS TO PFMA AND RISK ANALYSIS
Potential Failure Mode Analysis (PFMA) uses a diverse team to qualitatively
but thoroughly evaluate the ways in which a dam may fail, accounting for factors
which make failure more or less likely for each potential failure mode

Risk analysis adds some quantification by developing subjective estimates


of probability of failure and probable consequences

PFMA and risk analysis focus on what may happen in the future, whereas
failure investigation focuses on what likely happened in the past

Aside from the time dimension, they have much in common: gathering and
weighing information, performing mechanistic analysis, formulating hypotheses
for failure scenarios, evaluating the hypotheses, and dealing with uncertainty by
subjectively estimating the likelihood of the hypotheses
PFMA/risk analysis can be applied as a best practice during dam design to help
ensure that all failure modes have been adequately addressed less unknown
unknowns
Specialists in PFMA/risk analysis and failure investigation may consider working in
both fields
Challenge: How do we explicitly incorporate human factors into PFMA/risk analysis?

Human Factors in Dam Failure and Safety 28


FAILURE VS. SAFETY (RECAP & QUESTIONS)

CONTRIBUTORS TO FAILURE CONTRIBUTORS TO SAFETY


(DEMAND) (CAPACITY)

Primary drivers Safety culture


Pressures from non-safety goals Best practices
Human fallibility and limitations General design features
Complexity Organizational and
professional practices
Human errors

Compromised risk management

Demand > Capacity Capacity > Demand


Failure Safety

Human Factors in Dam Failure and Safety 29


IMPLICATIONS FOR DAM FAILURE INVESTIGATION

Like historians, failure investigators create narrative stories

Evidence is always incomplete and sometimes contradictory or unreliable, so different


investigators may tell different stories have diverse teams and consider multiple teams

Failure investigations have traditionally focused on physical factors, but human factors
are often an important part of the story of failure

Extent of human factors to be considered is indefinite and subjective who is the


audience and what are the goals?

Searching for one or a few root causes may be oversimplified may need to tell a
complex story

Hindsight bias and fundamental attribution bias distort our understanding of why people
did what they did put yourself in their shoes, and try the substitution test

Its just as important to ask what people didnt do (neglecting best practices) as what they
did do (errors)

Definitive conclusions may not be reached, so the case may remain open

Human Factors in Dam Failure and Safety 30


CASE STUDIES

Human Factors in Dam Failure and Safety 31


CASE STUDY

BIG BAY DAM FAILURE


(2004)

Human Factors in Dam Failure and Safety 32


BIG BAY DAM FAILURE EMBANKMENT SECTION

Over 50 high, 42 normal pool Drains at downstream face and toe

360 wide, 3:1 slopes with berms No chimney or blanket filter/drain

Core/cutoff wall silty sand mixed with No filter or anti-seep collars for conduit
bentonite clay

Human Factors in Dam Failure and Safety 33


BIG BAY DAM FAILURE PLAN VIEW

East-west axis, 2000 long, downstream is to south


Outlet: concrete riser, 8 x 8 box culvert conduit, concrete apron, riprap basin
Normal pool of 900 acres, over 11,000 acre-feet
Located in Mississippi, privately owned

Human Factors in Dam Failure and Safety 34


BIG BAY DAM FAILURE BREACH

Breach was centered on outlet

2 hours to empty reservoir

Core wall not visible

Consequences
Over 100 structures impacted
No fatalities (EAP activated)
$1.1 million legal settlement

Human Factors in Dam Failure and Safety 35


BIG BAY DAM FAILURE PHYSICAL FACTORS

6. Highly erodible silty sands used for embankment

7. Lack of chimney, blanket, or conduit filters/drains

8. Core/cutoff comprised mostly of clayey sands with


heterogeneous and excessive permeabilities, and core wall
not visible in photos

9. Cutoff not extended down to older impervious cohesive


stratum, resulting in permeable window and downstream
mounding of phreatic surface

10. Silt observed in outlet basin


Courtesy of Keith Ferguson, HDR

Human Factors in Dam Failure and Safety 36


BIG BAY DAM FAILURE PHYSICAL FACTORS TIMELINE

Mid to late 1980s Design with lack of filters/drains and inadequate depth of
cutoff

1990 and 1991 Construction using erodible soils for embankment, and
permeable soils for core and cutoff

1993 Normal pool reached, wet spots on downstream face, and responded
with remedial installation of drains at downstream face and toe

1993 onward Leakage into conduit at multiple and changing locations

1999 Seepage around conduit outlet and silt in outlet basin; responded with
remedial excavation/backfilling around outlet, but no flow in drains after 2
months (likely due to clogging of filter fabric)

Pre-2002 Sinkhole(s) in downstream face backfilled

2004 Piping failure 13 years after construction, sinkhole found in upstream face

Human Factors in Dam Failure and Safety 37


BIG BAY DAM FAILURE EXPANDED TIMELINE (1)

Mid to late 1980s Design was apparently led by a young Engineer with little
or no prior dam design experience, apparently with little or no peer review
Geotechnical modeling was apparently not performed for seepage and piping
The design had unconservative and non-redundant seepage/piping controls,
including lack of filters, drains, and sufficient cutoff depth, and lacked monitoring
systems to detect piping as found in similar dams
The plans were of poor quality and had no PE seal, thus not meeting professional
standards

1990 and 1991 Construction using erodible and permeable soils (test results
did indicate excessive permeability, but this warning sign was missed)
Apparently the first major project of the contractor, raising questions about
expertise
Construction inspection was inadequate, as evidenced by missed warning signs
such as conduit defects

1993 Normal pool reached, wet spots on downstream face


1993 onward Leakage into conduit at multiple and changing locations

Human Factors in Dam Failure and Safety 38


BIG BAY DAM FAILURE EXPANDED TIMELINE (2)
1993 Remedial installation of drains at downstream face performed promptly
(apparently designed by same Engineer, without peer review), but he missed
leakage into conduit as a warning sign of piping

1993 to 1999 Some inspections were performed by Mississippi Dam Safety


Division, but they faced cost pressure and schedule pressure due to being
underfunded and understaffed, they missed the warning signs of piping, and
there was not much information sharing with the Owner and Engineer

1999 Seepage around conduit outlet, silt in outlet basin

1999 Remedial excavation/backfilling around conduit outlet to address seepage


performed promptly but apparently without a permit
Designed by same Engineer, apparently without peer review
Missed seepage and piping warning signs, including leakage into the conduit,
sediment in the basin, and discontinuation of flow in the drains (indicating clogging of
filter fabric and inadvertently redirecting seepage, due to not understanding the
complex seepage/piping behavior)

Human Factors in Dam Failure and Safety 39


BIG BAY DAM FAILURE EXPANDED TIMELINE (3)

Pre-2002 Sinkhole(s) in downstream face backfilled, but significance as a


piping warning sign missed

2002 Same Engineer was authorized by owner to inspect annually and study
seepage, and the Maintenance Person was directed to inspect weekly
Seepage analysis apparently was not performed
Maintenance Person lacked expertise

2004 Piping failure 13 years after construction


Failure was investigated by the same Engineer
Sinkhole found in upstream face which could have been detected by underwater
inspection, but was a missed warning sign of piping

Human Factors in Dam Failure and Safety 40


BIG BAY DAM FAILURE HUMAN FACTORS SUMMARY (A)

Interaction of human and physical factors was fairly intense from design until
failure, and the Engineer is a lead character in the story

Nearly all best practices were neglected

Reliance on a single relatively inexperienced Engineer, possibly due to favoring


local relationships in that part of the rural US, resulted in:
Lack of expertise, lack of a diverse team, lack of peer review, and poor quality of plans
Lack of appropriate dam modeling, an unconservative and flawed dam design, and
remedial actions which may have made the situation worse overall

Inspections by Engineer and others showed warning signs of piping, but they
werent interpreted as warning signs denial due to confirmation bias?

Human Factors in Dam Failure and Safety 41


HUMAN FACTORS FRAMEWORK

Human Factors in Dam Failure and Safety 42


BIG BAY DAM FAILURE HUMAN FACTORS SUMMARY (B)

For human factors, safety demand was high, and safety capacity was low
Primary drivers of failure were substantial
Pressures from non-safety goals included social pressure related to relationship
between owner and engineer, and possibly also personal agenda of the engineer
Human fallibility and limitations were evident with respect to misperception,
ignorance, unreliable intuition, inaccuracy of models, and cognitive biases
There was substantial physical complexity related to seepage and piping processes

There were many human errors, particularly mistakes


Risk management was compromised primarily due to ignorance, and possibly
also due to overconfidence
Owner showed concern for safety, but Mississippi Dam Safety Division lacked
funding for safety culture
Nearly all best practices were neglected, including safety margins, design
redundancy, information sharing, diverse teams, deference to expertise, peer
review, appropriate modeling, professional/legal standards, and addressing
warning signs

Human Factors in Dam Failure and Safety 43


QUESTIONS?

Human Factors in Dam Failure and Safety 44


CASE STUDY
KA LOKO DAM FAILURE
(2006)

Human Factors in Dam Failure and Safety 45


KA LOKO DAM FAILURE DAM DESCRIPTION

Over 1200 acre-feet, part of water supply


system for sugarcane industry in Hawaii

Embankment dam, relatively homogenous,


mostly clayey silt, partly or entirely hydraulic
fill

Originally 30 high in 1890, raised to 42 in


1912

770 crest length

Primary outlet: multi-pipe riser, 18 pipe


conduit in tunnel with valve at mid-length

Spillway: 1.5 x 15 channel

Human Factors in Dam Failure and Safety 46


KA LOKO DAM FAILURE BREACH IN 2006

Human Factors in Dam Failure and Safety 47


KA LOKO DAM FAILURE PHYSICAL FACTORS TIMELINE

1890 and 1912 Dam built and raised

1940 to 1953 Reservoir reached spillway at least 20 times, for periods up to


1 month, but no evidence of dam distress

1950s Spillway lined with concrete

1997 Grading performed, including filling spillway

February/March 2006 42 days of heavy rain, which was the 2nd or 3rd wettest
such period over the past 50 years

March 14, 2006, 5:00 am 24 days into the period of heavy rain, the dam
breached, apparently due to about 2 maximum overtopping near the former
spillway (no spillway was found after breach), with flood depth of 10 to 30

Human Factors in Dam Failure and Safety 48


KA LOKO DAM FAILURE EXPANDED TIMELINE (1)

1890 and 1912 Dam built and raised


1940 to 1953 Reservoir reached spillway at least 20 times, for periods up to
1 month, but no evidence of dam distress
1950s Spillway lined with concrete
1971 Sugarcane operations ceased, and facilities maintenance was reduced
1973 Portion of reservoir deeded to Mary Lucas Trust, with James Pflueger
as beneficiary and trustee
1978 to 1981 Corps inspected high-hazard dams, but Ka Loko was classified
as low-hazard
1987 Pflueger (Owner) bought remaining portion of reservoir, taking overall
control of reservoir and dam
1987 Dept. of Land & Natural Resources (DLNR) became lead state agency
for dam safety

Human Factors in Dam Failure and Safety 49


KA LOKO DAM FAILURE EXPANDED TIMELINE (2)

1993 to 1998 Consultants assisted DLNR with high-hazard dam inspections,


but Ka Loko was still classified as low-hazard

1997 Grading at reservoir was performed without a permit, and County


ordered stop work, but Mayor had County back off

1997 Further grading, including filling spillway; Owner was cautioned by a


subcontractor that the spillway is a safety feature which needs to be restored,
but Owner apparently took no remedial action

1998 Owner was cautioned by a local real estate agent (by fax) that the
spillway had been filled, which will result in overtopping, and recommended
restoring the spillway, but there was apparently no response from Owner and
no remedial action

Human Factors in Dam Failure and Safety 50


KA LOKO DAM FAILURE EXPANDED TIMELINE (3)

1999 to 2001 DLNR sent three letters to Owner to schedule dam inspection,
and a letter recommending review or development of EAP; there were no
responses from Owner, no inspections, and no EAP developed (Ka Loko still
had low-hazard classification, but regulations required inspection every 5
years)

1999 to 2006 DLNR lost funding in 1999 for consultant inspections, lost
more funding in coming years, and supervisor retired in 2005 (leaving 1.5 FTE
for dam safety versus about 6.5 FTE desirable), so no inspections were
performed in 2005 nor early 2006

2002 to 2006 2002 inspection of grading violations was performed by


federal and state agencies, lack of spillway was not noted, and felony counts
and large fines were imposed on Owner in 2006 for environmental damages
(days before the failure)

Human Factors in Dam Failure and Safety 51


KA LOKO DAM FAILURE EXPANDED TIMELINE (4)

February/March 2006 42 days of heavy rain, which was the 2nd or 3rd wettest
such period over the past 50 years

Late February 2006 Small bridge was destroyed by flooding near the
reservoir, so several people (none from DLNR) inspected the dam but the lack
of a spillway was not noted

March 14, 2006, 5:00 am 24 days into the period of heavy rain, the dam
breached, apparently due to about 2 maximum overtopping near the former
spillway (no spillway was found after the breach)
Flood depth of 10 to 30
7 fatalities (including a pregnant woman) about 16 minutes after breach
Prison time for Owner due to reckless endangerment, and a civil settlement of
many millions of dollars

Human Factors in Dam Failure and Safety 52


KA LOKO DAM FAILURE LINKS TO HUMAN FACTORS (1)

Many parties were involved in reservoir and dam ownership, operation,


maintenance, water use, and regulation, leading to unclear
roles/responsibilities and many conflicts (complexity)

Owner had grading done, despite lacking dam expertise and permits (possible
overconfidence bias, and lack of deference to expertise, peer review,
diverse team, information documentation and sharing, and
professional/ethical/legal standards)

Grading was reportedly done to increase property value and create a scenic
location for a home for the Owner (profit pressure and personal agenda)

Mayor blocked Countys effort to stop grading (political pressure and


possible personal agenda)

Human Factors in Dam Failure and Safety 53


KA LOKO DAM FAILURE LINKS TO HUMAN FACTORS (2)

Owner and many others appeared to not understand the need for a spillway (lack
of expertise and unreliable intuition), which greatly reduced the design safety
margin and redundancy, and contributed to rapid failure (compromised general
design)

The two people who did understand the risk of filling the spillway expressed their
concern only to Owner (personal relationship), but Owner didnt act on their
warnings (missed warning sign and possible denial bias)

DLNR had funding cuts and was very understaffed, hence no inspection of Ka Loko
Dam despite the required 5-year interval (cost and schedule pressure and falling
short of legal standard), and such inspection would very likely have identified the
lack of spillway (missed warning sign)

Government agencies (other than DLNR) inspected grading violations, but focused
on environmental damage rather than dam safety (missed warning sign)

DLNR and Owner were apparently unaware of downstream development


warranting high-hazard classification (lack of information sharing and
complexity)

Human Factors in Dam Failure and Safety 54


KA LOKO DAM FAILURE HUMAN FACTORS SUMMARY (A)

Human factors and physical factors interacted, but human factors dominate
the story, and the Owner is the lead character in the story

Nearly all best practices were neglected

Involvement of many parties resulted in complexity, poor coordination, and


lack of information sharing, which further resulted in incorrectly classifying
the dam as low-hazard

DLNR likely would have inspected the dam and addressed the lack of spillway
even with low-hazard classification if funding cuts hadnt created major
cost and schedule pressures

Owner made grading decisions despite lacking expertise related to dams,


didnt secure permits, and didnt heed warnings that lack of a spillway would
result in overtopping (probably due to multiple contributing factors)

Those warnings may not have been conveyed to DLNR because of social
pressures, and political pressure also contributed to missing warning signs

Human Factors in Dam Failure and Safety 55


HUMAN FACTORS FRAMEWORK

Human Factors in Dam Failure and Safety 56


KA LOKO DAM FAILURE HUMAN FACTORS SUMMARY (B)
For human factors, safety demand was high, and safety capacity was low

Primary drivers of failure were substantial


Pressures from non-safety goals were heavy: cost, profit, schedule, personal agenda, social, and
political
Human fallibility and limitations were very evident with respect to ignorance, unreliable
intuition, inaccuracy of models, and cognitive biases
There was substantial human complexity, due to involvement of many parties in dam and
reservoir ownership, operation, maintenance, water use, and regulation

There were many human errors, particularly mistakes and violations

Risk management was compromised in all three ways: ignorance, complacency, and
overconfidence

Owners approach didnt reflect safety culture, and DLNR lacked funding for safety
culture

Nearly all best practices were neglected, including safety margins, accurate hazard
classification, information sharing, diverse teams, deference to expertise, peer review,
professional/legal standards, and addressing warning signs

Human Factors in Dam Failure and Safety 57


QUESTIONS?

Human Factors in Dam Failure and Safety 58


CASE STUDY
PRETTYBOY DAM
REHABILITATION
(2010)

Human Factors in Dam Failure and Safety 59


PRETTYBOY DAM DESCRIPTION

Example of a successful project despite high risks best practices enable success
even in highly difficult circumstances

2010 ASDSO National Rehabilitation Project of the Year

Rehabilitation of the extensively cracked gatehouse of a concrete gravity dam


Built in 1930s
Owned by City of Baltimore
150 feet high, 700 feet long
58,000 acre-feet, part of water supply for 2.7 million people
Monolithic unreinforced concrete gatehouse at upstream face (38 feet wide)

Scope for Alvi Associates included inspection, forensic investigation, design, and
construction management (15-year project)

Human Factors in Dam Failure and Safety 60


PRETTYBOY DAM GATEHOUSE

Human Factors in Dam Failure and Safety 61


PRETTYBOY DAM DOWNSTREAM FACE

Human Factors in Dam Failure and Safety 62


PRETTYBOY DAM CROSS-SECTION AT GATEHOUSE

Human Factors in Dam Failure and Safety 63


PRETTYBOY DAM GATEHOUSE CRACKING

Human Factors in Dam Failure and Safety 64


PRETTYBOY DAM CAUSE/EFFECT MATRIX

Human Factors in Dam Failure and Safety 65


PRETTYBOY DAM REHABILITATION DESIGN

Stability analysis was performed for gatehouse, with parametric sensitivity study
to address uncertainties, and revealed many scenarios with factor of safety < 1.0

Due to failure consequences on the order of $100 million, risk was judged high
enough to warrant spending $6 million on rehabilitation
38 post-tensioned steel threadbar anchors
Anchor lengths from 48 to 70 feet
Anchor slopes of 6 and 15
Core-drilling for anchors
Underwater construction at water depths reaching over 100 feet
Many features to avoid

Human Factors in Dam Failure and Safety 66


PRETTYBOY DAM GATEHOUSE ANCHORAGE

Human Factors in Dam Failure and Safety 67


PRETTYBOY DAM GATEHOUSE ANCHORAGE

Human Factors in Dam Failure and Safety 68


HUMAN FACTORS FRAMEWORK

Human Factors in Dam Failure and Safety 69


PRETTYBOY DAM REHABILITATION

HUMAN FACTORS WITH POTENTIAL TO CONTRIBUTE TO FAILURE (DEMANDS)

Pressure from non-safety goals


No specific construction budget, though we strived to keep cost down
No significant schedule pressure
No major social or political pressures, other than the need to preserve relationships
while still being assertive with the owner and contractor when necessary

Human fallibility/limitations + complexity


Information regarding dam existing condition was incomplete
Modeling 3D behavior of the dam, accounting for cracking and anchor forces, was very
challenging during both forensic analysis and rehabilitation design
Installation of post-tensioned anchors of these lengths in deep water was
unprecedented, resulting in substantial uncertainties related to construction
All of the above created a high level of complexity for both design and construction

Human Factors in Dam Failure and Safety 70


BEST PRACTICES

Human Factors in Dam Failure and Safety 71


PRETTYBOY DAM REHABILITATION
HUMAN FACTORS CONTRIBUTING TO SAFETY (CAPACITY)
Safety culture
Recognizing the high potential for things to go wrong, the team was very vigilant about
avoiding failure and achieving success, and humble about the limitations of our information
and knowledge

Best practices related to general design features


Conservative safety margins The design capacity of the anchor system was maximized, given
the physical constraints related to anchor installation, to provide as large a safety margin as
feasible
Design customization The anchor system configuration (anchor lengths, slopes, lateral
location, etc.) was completely customized for this dam, accounting for the physical
constraints
Testing and adaptation during construction Four pre-production test anchors were used,
and post-tensioning of production anchors provided a further means to test and verify
capacity of each anchor
Current best practices for design and construction Anchor drilling and grouting methods
were researched extensively, and the selected methods were identified as best practices at
the time
Robustness, redundancy and resilience Use of 38 anchors and 6 cross-beams provided
robustness, redundancy, and resilience (due to alternate load paths)

Human Factors in Dam Failure and Safety 72


PRETTYBOY DAM REHABILITATION
HUMAN FACTORS CONTRIBUTING TO SAFETY (CAPACITY)

Best practices related to organizational and professional practices


Diversity and deference to expertise Consulted with numerous engineers and contractors
around the world during the design phase, in order to bring in diverse perspectives and
outside expertise
Diversity and information sharing Closely partnered with the contractor and owner to have
a diverse team and effectively share information; this included development of a single
coordinated shop drawing submittal before mobilization in order to connect the dots and
prevent construction issues
Safety-oriented personnel selection Contractors were rigorously prequalified before bidding
Continuity of leadership Lead Engineer was involved continuously for the 15 years of the
project
Peer review and checklists Extensive peer review and cross-checking within the design
team, with numerous checklists developed and used during design and construction
Appropriate system models, failure modes, and software use Wide range of failure
modes/scenarios was considered, and modeled using custom spreadsheets
Detecting and addressing warning signs Construction inspection was continuous, including
in-depth underwater inspections at several milestones, to detect and enable prompt
response to any warning signs or problems

Human Factors in Dam Failure and Safety 73


CONCLUSIONS
Dam failures are fundamentally due to human factors, which interact with
physical factors over time, often in complex ways
Contributors to failure place demands on the system, and include pressures
from non-safety goals, human fallibility and limitations, and complexity
Demands on the system are largely a given, so our focus should be on
fostering system capacity for safety
The foundation of safety is safety culture, in which everyone has a humble
and vigilant attitude towards avoiding failure and achieving safety
Safety culture typically leads to implementation of best practices related to
(a) general design features of dams and (b) organizational and professional
practices
Fortunately, implementation of best practices is the norm for dams
Failures are typically preceded by gross neglect of best practices
Effective regulation, supported by sufficient funding, is needed to ensure
implementation of best practices

Human Factors in Dam Failure and Safety 74


FOLLOW-UP QUESTIONS & COMMENTS?

Irfan A. Alvi, PE

Alvi Associates, Inc.

ialvi@alviassociates.com

Human Factors in Dam Failure and Safety 75