Vick - Deviance To Diligence


Geo-Risk 2017 GSP 282 19

Dam Safety Risk—From Deviance to Diligence

Steven G. Vick¹

¹ Consulting Geotechnical Engineer, 42 Holmes Gulch Way, Bailey, CO 80421.

Abstract

The purpose of risk assessment for dam safety is to improve it. Three case histories of failure or
near-failure of dams and mine tailings dams that employed various risk-based procedures are
examined to evaluate the influence of these procedures on the outcome. In all three cases, the
operative failure mode was recognized but disregarded. Effective risk management was defeated
by an organizational process known as normalization of deviance whereby departures from
desirable conditions become expected and accepted, imparting a false sense of security and
complacency. Normalization of deviance can be controlled by embedding risk-based thinking
and processes in organizational culture and values.

INTRODUCTION

Risk-informed procedures have become a fundamental, if not mandatory, component of
dam safety programs for both water dams and mine tailings dams (FERC 2016; EU 2009; MAC
2011; BC 2016). The underlying premise is that risk-based methods improve dam safety, either
by enhancing diagnostic capabilities, allocating resources more effectively, or both (Vick 2002;
Bowles et al. 1998). This premise, however, has seldom been tested and its presumed validity
rests more on the attributes of the techniques themselves than on case-history demonstration.
This paper examines the role of risk-based procedures in several dam failures and near-failures to
determine whether and how they influenced the outcome.
The extent to which risk-based procedures actually improve dam safety depends on their
implementation, which necessarily involves organizational factors. In evaluating 600 major
failures and accidents, Bea (1996) isolated the elements of engineered systems where
breakdowns occurred. Organizational reliability was found to be at least as important for
geotechnical systems as the reliability of their physical components, with organizational
malfunctions operative in initiating or propagating the failure sequence in 80% of the cases
examined. Another observation was the importance of “near misses” in providing warning signs
of system degradation and the dangers in allowing this degradation to go uncorrected through the
organizational phenomenon known as normalization of deviance.

© ASCE

NORMALIZATION OF DEVIANCE AND SPACE SHUTTLE CHALLENGER

Vaughan (1996) introduced the term normalization of deviance in her groundbreaking
analysis of the Space Shuttle Challenger disaster, the signature technological failure of its era.
Within NASA, normalization of deviance was the repeated acceptance of risks from known
failure modes until they became expected and routine. More generally, a potential failure
initiator happens enough times without adverse effect until a false sense of security develops and
a former anomaly becomes the new norm. Rather than being seen as moving closer to the edge,
these serial anomalies are taken to validate the view that they are inconsequential. With this, the
unexpected becomes the expected, which in turn becomes the accepted (Pinto 2014).
Challenger was propelled into orbit by the two solid-fuel rocket boosters (SRBs) shown
in Figure 1a, each fabricated in cylindrical segments. Connecting these segments required that
the joints be sealed to prevent escape of the hot gasses generated by fuel combustion. This was
accomplished with two 12m diameter rubber O-rings, a primary and a secondary for redundancy,
plus a sealing compound of zinc chromate putty. Later during the post-failure investigation,
physicist Richard Feynman would famously demonstrate how O-rings lost their resiliency by
dipping one in a glass of ice water.
NASA had in place at the time a systematic design process using qualitative Failure
Modes and Effects Analysis (FMEA) and Hazard Analysis (HA) for identifying critical
components. Risk-based procedures continued during operations through a formal process. If a
performance anomaly was encountered in a critical item, it had to be corrected, or otherwise the
risk reduced to as low as reasonably possible (ALARP) with a documented engineering rationale
for retention. Only then would the item be designated an accepted risk and the shuttle be
approved to fly (Vaughan 1996; Vick 2002). The primary SRB O-rings had been designated a
critical component, but with the redundancy of the secondary O-rings as the rationale for
retention, they were designated an accepted risk.

Figure 1. Space Shuttle Challenger, flight STS 51-L. (a) orbiter with external fuel tank and SRBs
on either side; (b) flame from O-ring burn-through on right SRB (arrow); (c) external tank
explosion


As flight experience was gained, there began to be anomalies in the condition of
recovered O-rings. Heat damage was observed on some early shuttle flights, indicating that hot
gasses had reached primary O-rings. This was attributed to unavoidable imperfections in the
sealing putty. With this rationalization, O-ring damage became a predictable, hence normal,
aspect of joint performance and a risk to be routinely accepted on future shuttle missions.
Subsequent flights revealed still more deviations. Soot found behind some primary
O-rings indicated that sealing had been delayed. Moreover, some incidents involved not only the
primary but the secondary O-ring as well, and one flight experienced not just damage but
complete burn-through of a primary O-ring and damage to the secondary. Although risk was
clearly escalating, the accepted risk designation continued to be retained.
The following flight was by any measure a near miss. Sealing of both a primary and
companion secondary O-ring was delayed, exactly the circumstance that their redundancy was
intended to prevent. Nevertheless, accepted risk continued to be rationalized by this redundancy.
But the question of temperature effects was raised for the first time. The launch had been
preceded by three nights of record-low Florida temperatures. Shuttle components for the most
part had been designed for extreme heat, not cold, and this was something that had never been
fully considered.
Now the accepted risk designation of the SRB joints became the subject of serious
debate. Although the effects of temperature on O-ring resiliency and sealing were intuitively
evident, it was considered extremely unlikely that such cold temperatures would recur. But they
did. And on January 28, 1986, Challenger went down in history. It had never been recognized
that cold temperature was a common-cause failure initiator that would equally affect both the
primary and secondary O-rings. Cold had made redundancy an illusion.
As the prototype for normalization of deviance, the Challenger case-history defines it.
The identified failure mode for O-ring sealing occurred repeatedly but was rationalized and thus
became normal and expected. And when failure finally resulted, it was under conditions that the
reduced performance expectations had not anticipated. Against this backdrop, normalization of
deviance can be seen to contain the following elements:
1. Intended performance is established from design or operating criteria, field experience, or
standard practices.
2. Repeated or sustained deviations from intended performance arise from anomalies,
unexpected events, or adopted modifications. These deviations cause reduced
performance and elevated risk.
3. Over time, reduced performance and increased risk become rationalized, expected, and
accepted as normal, often despite warning signs or near-misses.
4. Reduced performance allows unrecognized events or conditions to trigger failure mode
occurrence, making foreseeable failures unforeseen.
As the following case histories illustrate, normalization of deviance affects geotechnical, as well
as astronautical, failures and the responses to risk that accompanied them.


MOUNT POLLEY TAILINGS DAM FAILURE

The Mount Polley tailings dam in central British Columbia failed on August 4, 2014 in a
portion designated the Perimeter Embankment, resulting in the loss of 24.4 Mm³ of tailings and
free water. The failure was determined to be the result of undrained shearing in a localized
deposit of foundation clay that became normally consolidated when the stresses imposed by the
embankment exceeded its preconsolidation pressure (Panel 2015).
As is customary, the Mount Polley tailings dam was constructed in stages to keep pace
with the rising elevation of the tailings behind it. As shown on Figure 2, there were nine such
stages, each incorporating predominantly rockfill-sized mine waste in the downstream shell.
Beginning with the Main Dam followed by its Perimeter and South embankment extensions, the
dam progressed incrementally up the gently-sloping abutments as its height increased to
eventually extend over a total length of 5 km.

Figure 2. Mount Polley raised dam alignment; inset (a): raised dam stages

The Main Dam foundation consisted of glacial till interlayered with a varved silt and clay
unit of glaciolacustrine origin designated GLU. In a crucial interpretation, the GLU was assumed
to be everywhere stiff and overconsolidated such that no load or shear-induced pore pressures
would develop. Corresponding effective-stress analysis (ESA) with a minimum factor of safety
(FS) of 1.3 resulted in downstream dam slopes of 2.0H:1.0V. With this, the design and its
intended performance were predicated on the absence of any softer GLU susceptible to
undrained shearing.


By the time Stage 4 was constructed, the first warning sign appeared in a groundwater
well designated GW96-1 on Figure 2, where softer GLU was encountered. Nevertheless, this
material was dismissed as discontinuous and too far from the dam to affect its stability. In
keeping with this interpretation, a Potential Failure Mode (PFM) assessment identified slope
failure due to weak foundation materials as a failure mode, but the risk was dismissed as
inconsequential.
The Stage 5 raise incorporated two key changes. First, the downstream dam slope was
steepened to 1.4H:1.0V, an exceptionally steep inclination ordinarily reserved for rockfill dams
on sound rock foundations that was rationalized as only temporary. Second, an undrained
strength analysis (USA) for normally-consolidated GLU showed that such materials, if present,
would reduce FS to 1.1. Even so, such a marginal value was accepted despite the reduced
standard of performance and elevated risk it embodied.
This was because, by now, the absence of any softer GLU had become expected and normal, so
much so that the Perimeter Embankment was raised during the next four stages without any deep
borings within its footprint over its 2 km length. The elevated risk had become accepted and
normal as well, allowing the oversteepened slope to become a permanent, not temporary, fixture.
In the early hours of August 4, 2014 as Raise 9 was being completed, the Perimeter
Embankment failed, releasing tailings and water through the breach shown on Figure 3.
Subsequent investigations showed that a discontinuous deposit of softer GLU with OCR of about
4 had been present beneath the dam as indicated on Figure 2. The stresses imposed on the GLU
as the dam was raised had exceeded the clay’s preconsolidation pressure, and the GLU had
become normally consolidated with OCR=1.0 beneath much of the downstream slope. With this,
its permeability decreased and it became subject to undrained shearing.

Figure 3. Mount Polley tailings dam breach at location of arrow in Figure 2.


FUNDÃO TAILINGS DAM FAILURE

The Fundão tailings dam in Minas Gerais, Brazil failed by static liquefaction on
November 5, 2015 with the loss of 32 Mm³ of tailings, 19 lives, and damages, reparations, and
contingent liabilities in excess of $60 billion (BHP 2016).
The Fundão tailings consisted of two separate materials: relatively free-draining silty
sands, and soft, clay-like slimes. The dam was originally conceived as a drained buttress of sand
to retain the slimes behind it, with the two materials physically separated. The central element
was a high-capacity drain at the base of the buttress to eliminate saturation of the loose,
contractive sands. This would eliminate the risk of static liquefaction, the central aspect of the
dam’s intended performance (Pimenta de Ávila 2011). The sand would be hydraulically
deposited behind an initial starter dam, then raised by the upstream method.
No sooner had the starter dam been placed into operation than internal erosion resulting
from construction defects in the base drain produced damage so severe that the original concept
could not be implemented. Instead, upstream raising would continue without the base drain,
resulting in saturation that deviated from the original design premise. As raising progressed,
increasing saturation of the sands, manifested by repeated breakout of seepage on the dam face,
introduced the potential for sand liquefaction (Morgenstern, et al. 2016). But by then, saturation
and the associated liquefaction risk had become an accepted, hence normal, aspect of dam
operation, notwithstanding the adoption of FMEA on a continuing basis (Samarco 2012, 2013,
2014).
Another deviation from intended performance occurred during operation. Instead of
being separated, the sands and slimes were repeatedly allowed to intermingle during deposition,
with the slimes encroaching on the dam crest where exclusively sands were intended.
Yet a third deviation supplied the means by which the first two interacted. A construction
defect in a concrete spillway conduit buried within the dam’s left abutment limited its structural
capacity. As a temporary solution, the dam alignment was set back from the crest until the
conduit could be filled with concrete and removed from service. Instead, this setback, as shown
on Figure 4, was maintained throughout subsequent raising, thus becoming an expected and
normal condition despite a near-miss involving the abrupt appearance of extensive cracking on
the slope.


Figure 4. Fundão dam, left abutment setback


The effect of the setback was to put the embankment slope over the slimes layers, as
shown by the cross section on Figure 5. It was determined that deformation of the softer slimes
induced stresses in the loose, contractive, and saturated sands that triggered static liquefaction
(Morgenstern, et al. 2016). But because the contributing conditions had come to be accepted as
normal, the failure was completely unanticipated.

Figure 5. Cross section at left abutment setback

THE HERBERT HOOVER DIKE

South Florida’s Lake Okeechobee sits at the crossroads of hurricane tracks from both the
Atlantic and Gulf Coasts. Originally a natural lake, in the 1930s Congress authorized the U.S.
Army Corps of Engineers (USACE) to construct the Herbert Hoover Dike (HHD) around its
entire 140-mile perimeter following storm surges that had caused some 2500 fatalities. Figure 6
shows the dike itself along with satellite imagery of its location with Hurricane Wilma passing
over it.


Figure 6. Herbert Hoover Dike (center). Lake Okeechobee (upper left), eye of Hurricane
Wilma over Lake Okeechobee (upper right).

Constructed with hydraulic fill on a porous limestone foundation, the HHD was never
designed to permanently retain water, so it was not considered a dam. Nevertheless, with
Florida’s rapid growth it was pressed into service in the 1980s as the region’s only major water
reservoir, with some 40,000 people in areas that might be inundated in the event of breach. In
addition to the increased water level from reservoir operation were hurricane storm surges as
high as 25 ft. that produced reservoir oscillations with dangerous reversal of foundation seepage
gradients.
Indications of internal erosion first became evident as early as 1983. In 1986, internal
erosion was recognized as a potential failure mode and highlighted again in 1993. These
assessments were confirmed in 1995 when internal erosion manifested as excessive and cloudy
seepage, sand boils, and sinkholes that nearly caused failure in nine separate areas. These
near-misses were followed in 1998 by similar incidents at both former and new locations, along with
signs of cumulative damage (USACE 1999). By this time, 24 distinct internal erosion
mechanisms had been identified, with a board of geotechnical consultants characterizing the risk
of catastrophic failure as “very serious.” Nevertheless, internal erosion had come to be a normal
and expected effect of hurricanes.
A reliability analysis by USACE the following year yielded an alarmingly high annual
probability of system failure by internal erosion on the order of 0.16 (USACE 1999, Bromwell et
al., 2006). But it was rationalized that the HHD’s original authorization as a navigation project
made no allowance for loss of life, and that economic cost-benefit analysis alone could not
justify major structural modifications. The risk would continue to be accepted, mitigated only by
sending out crews in hurricane conditions over the dike’s 140-mile perimeter to monitor and
sandbag 94 separate problem sites, measures of questionable efficacy (USACE 2005, Bromwell
et al., 2006).
In 2004 and 2005, Florida was struck by five separate hurricanes, one of which was
Hurricane Katrina en route to New Orleans. Following the destruction there, Florida’s governor
authorized a safety review of the HHD that made public the findings of the 1999 reliability
analysis and highlighted the need for structural modifications (Bromwell et al., 2006). At the
same time, USACE responded to Katrina by implementing 12 actions for organizational change,
including cornerstone risk-based practices and communication (USACE 2006). Since then, the
HHD has been reclassified as a dam, and risk-based methods using new USACE tolerable risk
guidelines have been applied (Bowles, et al. 2012). As a result, 21.4 miles of cutoff wall have
been constructed to date with another 6.6 miles to be completed in critical areas (USACE, 2016).
The Herbert Hoover Dike is unique among the preceding case histories in that failure did
not occur, which is attributable at least in some measure to incorporation of risk-informed
processes in USACE organizational values. But this did not occur on the first attempt. The initial
1999 reliability analysis failed to overcome longstanding normalization of deviance. It took an
exceptionally salient external event—Hurricane Katrina and its effects on New Orleans—to turn
deviance in risk acceptance into diligence in risk reduction.

DISCUSSION

The three cases examined here represent but a minuscule sample of dams to which risk-based
methods have been applied, and they do not reflect the undoubtedly much larger
population where these methods did have their intended effect. With these caveats, some
pertinent observations are as follows:

1. Risk-based methods successfully identified the operative failure mode in all three cases:
foundation failure for Mount Polley, static liquefaction for Fundão, and internal erosion
for the Herbert Hoover Dike.
2. The methods spanned a full range of sophistication and quantification, from rudimentary
PFMA for Mount Polley, to qualitative FMEA for Fundão, to quantitative reliability
analysis for the Herbert Hoover Dike. There is no indication that the type of method
employed affected the respective outcomes.
3. The identified risks were not acted upon, allowing failure to occur in two of the three
cases. For Mount Polley, there was insufficient foundation exploration to identify
conditions that led to undrained failure. For Fundão, saturation and the presence of slimes
allowed static liquefaction to occur. For the Herbert Hoover Dike, internal erosion was
eventually mitigated, but only after an external event intervened.


Hence, these outcomes were attributable not to the methods themselves, but to failure to
implement their findings. In all three cases, the operative failure modes were recognized but not
acted upon in ways to sufficiently mitigate their risks. In this sense, they represent less failures of
risk assessment than of risk management. The inherent safety objectives of risk-based methods
were defeated by normalization of deviance in the following ways:

1. Repeated deviations from intended performance became accepted as normal. The Mount
Polley dam was raised repeatedly without confirming the intended absence of soft
foundation clay, while accepting the risk associated with an operative FS only slightly
greater than unity. The Fundão dam continued to be raised despite increasing saturation
never anticipated in the original concept for mitigating liquefaction risk. And internal
erosion damage to the Herbert Hoover Dike with each successive hurricane became
routine.
2. Deviations were rationalized. Slope oversteepening for Mount Polley and the alignment
setback for Fundão were rationalized as temporary despite becoming permanent in both
cases. Operation of the Herbert Hoover Dike as a reservoir despite its intended use as a
storm surge barrier was rationalized administratively.
3. Warning signs and near-misses were ignored, including the discovery of nearby soft clay
at Mount Polley, slope cracking at Fundão, and near-failures of the Herbert Hoover Dike.
4. Accepted deviations allowed failure triggers to go unrecognized. At Mount Polley,
absence of soft foundation clay became normal, so the reduction in OCR with increasing
dam height was unforeseen. At Fundão, the alignment setback became normal, so the
effect of slimes beneath the slope was not recognized.

From a cognitive standpoint, normalization of deviance can be seen as the organizational
equivalent of insensitivity to sample size in individuals, the strong bias toward believing that
small samples closely resemble the population from which they are drawn (Kahneman 2011).
The occurrence of a limited number of performance anomalies without causing failure is taken to
indicate that these anomalies can continue indefinitely with the same result.
By presenting these examples here, the intent is to allow normalization of deviance to be
recognized and prevented from obstructing implementation of risk-based methods. But a final
and perhaps most important lesson for implementation can be gained from the Herbert Hoover
Dike. In the end, risk-reduction measures were not adopted in isolation, but as part of a larger
organizational commitment to risk-based measures and communication. This conforms to
observations by Sandman and Covello (2001) that the success of these measures for improving
dam safety can require fundamental change in organizational values and culture.


CONCLUSIONS

Although the fundamental justification for risk-based methods in dam safety is to make
dams safer, they may not always achieve this objective. For the case histories examined here, the
problem was not with the methods but with their implementation. And the problem with
implementation was attributable to normalization of deviance. Normalization of deviance within
organizations inhibits risk management by allowing departures from desirable performance to
become expected, hence accepted, thereby imparting a false sense of security and complacency.
Normalization of deviance can be overcome, and diligence in risk management can be achieved,
if its operation and characteristics are recognized and if risk-based processes are embedded in
organizational culture.

REFERENCES

BC (2016). Guidance Document, Health, Safety and Reclamation Code for Mines in British
Columbia, Province of British Columbia, Victoria.
Bea, R. (2006). “Reliability and Human Factors in Geotechnical Engineering.” J. Geotech. Eng.
132(5).
BHP (2016). BHP Billiton Annual Report 2016.
Bowles, D., Anderson, L., Glover, T., and Chauhan, S. (1998). “Portfolio Risk Assessment: A
Tool for Dam Safety Risk Management.” Proc. 1998 USCOLD Annual Lecture, Buffalo,
New York, U.S. Society on Dams.
Bowles, D., Chauhan, S., Anderson, L., and Grove, R., (2012). “Baseline Risk Assessment for
Herbert Hoover Dike.” ANCOLD Conference on Dams, Perth, Australian Committee on
Large Dams.
Bromwell, L., Dean, R., and Vick, S. (2006). Report of Expert Review Panel, Technical
Evaluation of Herbert Hoover Dike, Lake Okeechobee, Florida, South Florida Water
Management District, South Palm Beach,
https://my.sfwmd.gov/portal/page/portal/common/newsr/hhd_report.pdf
EU (2009). Reference Document on Best Available Technologies for Management of Tailings
and Waste-Rock in Mining Activities, European Commission, Brussels.
FERC (2016). Risk Informed Decision Making (RIDM) Guidelines for Dam Safety, U.S. Federal
Energy Regulatory Commission, Washington DC.
Kahneman, D. (2011). Thinking, Fast and Slow, Farrar, Straus and Giroux, New York.
MAC (2011). A Guide to the Management of Tailings Facilities, Mining Assn. of Canada, Ottawa.
Morgenstern, N., Vick, S., Viotti, C., and Watts, B. (2016). Report on the Immediate Causes of
the Failure of the Fundão Dam, Fundão Tailings Dam Review Panel,
http://fundaoinvestigation.com/the-report/


Panel (2015). Report on Mount Polley Tailings Storage Facility Breach, Independent Expert
Investigation and Review Panel, Province of British Columbia, Victoria,
https://www.mountpolleyreviewpanel.ca/final-report
Pinto, J. (2014). “Project Management, Governance, and the Normalization of Deviance.” Int. J.
Project Mgmt., 32(3).
Pimenta de Ávila (2011). “The Drained Stacking of Granular Tailings: A Tailings Disposal
Method for a Low Degree of Saturation of the Tailings Mass.” Tailings and Mine Waste
2011, Proceedings of the 15th International Conference on Tailings and Mine Waste
Vancouver BC, Univ. of British Columbia, Vancouver.
Sandman, P. and Covello, V. (2001). “Risk Communication: Evolution and Revolution.” Solutions to
an Environment in Peril, A. Wolbarst (ed.), Johns Hopkins University Press, Baltimore.
Samarco (2012). Annual Sustainability Report 2012.
Samarco (2013). Annual Sustainability Report 2013.
Samarco (2014). Annual Sustainability Report 2014.
USACE (1999). Herbert Hoover Dike Major Rehabilitation Evaluation Report. March.
USACE (2005). Emergency Action Plan, Herbert Hoover Dike Lake Okeechobee Structures,
July.
USACE (2006). 12 Actions for Change, News Release No. PA-06-11, August 24.
http://www.pnwa.net/new/Articles/12%20Actions%20for%20Change.pdf
USACE (2016). Herbert Hoover Dike Rehabilitation Project.
http://evergladesrestoration.gov/content/recover/2016_science_meeting/10-2016-03-02_HHD Update_RECOVER.pd
Vaughan, D. (1996). The Challenger Launch Decision: Risky Technology, Culture, and Deviance
at NASA. University of Chicago Press, Chicago.
Vick, S. (2002). Degrees of Belief: Subjective Probability and Engineering Judgment. ASCE
Press, Reston, Va.
