system engineering & risk-informed management of civil...

System Engineering & Risk-Informed Management of Civil Infrastructure. Martin W. McCann, Jr., Jack R. Benjamin & Associates, Inc. & Stanford University


Post on 17-Oct-2020


Page 1: System Engineering & Risk-Informed Management of Civil ...npdp.stanford.edu/./sites/default/files/... · Interesting Times The concept of risk-informed management for systems has

System Engineering & Risk-Informed Management of Civil Infrastructure

Martin W. McCann, Jr.

Jack R. Benjamin & Associates, Inc. & Stanford University

Interesting Times

The concept of risk-informed management for systems has been around for some time.

In some fields within civil engineering, it is practiced more than others.

What is new is the present day context:
- Events of the last 5-7 years (let alone the last 20-40 years) have dictated a change, and
- There is a sense of urgency (costs, public pressure (a reaction to disaster), regulatory oversight, etc.)

Previously (Currently…)

For the most part, design and safety evaluation of civil infrastructure systems was carried out using a standards-based approach (still in use today)

The mindset was “we design it to meet the standard; therefore it will perform adequately”.

Post-construction some systems were largely forgotten (i.e., dam gate systems for instance)

Now…

There is a broader scope (need) to understanding how a system will perform, deciding what is reasonable, appropriate (tolerable).

There is an important business case to be addressed regarding the reliable and safe performance of infrastructure systems.

At present, there are gaps to be addressed:
- Toolbox (intellectual, methods, software, etc.),
- Research needs, and
- Steps needed to make it a standard of practice

My Starting Point - Working Hypothesis

The importance of civil infrastructure systems (CI) to our daily lives (quality of life) is more and more important (CI houses the internet, homes, businesses, schools, provides transportation, etc.)

Another way to say this is: failure of CI has greater impact, even, of course, catastrophic impact

To varying degrees and at multiple levels, these are all ‘systems’

Managing CI requires an understanding of risks through their life cycle.

By implication, there are a broad range of needs within the profession and within the overall policy making infrastructure to make this happen.

Events Tend to Shape & Re-shape

Fukushima NPP (2011)

Fort Peck Dam (2011)
The USACE has revealed that planned repairs to the Fort Peck Dam in Montana are expected to cost more than $225M, more than four times the amount it has available to spend on the project.
Spillway Capacity = 275,000 cfs
Max. Release 2011 = 65,000 cfs

PG&E – San Bruno gas line explosion and fire (Sept. 2010)

Hurricane Katrina – Lower Ninth Ward (2005)

Taum Sauk Dam Failure (2005)

Folsom Gate Failure (1995)

Teton Dam (1976)

Buffalo Creek (1972)
Location of Three Impoundments

Post-Disaster: Findings, Insights, Reflections

Teton Dam
“Design branches in Reclamation in the 60’s and 70’s did not have good communication and did not share information to learn corporate lessons. … Conflicts existed Reclamation-wide between construction offices, geologists and designers. It was a dual failure on the part of the organization. …” (Snortland, 2009)

Hurricane Katrina
“The System did not perform as a system: the hurricane protection in New Orleans and Southeast Louisiana was a system in name only. …” (USACE, General Strock)

PG&E Gas Explosion
“Quality (risk) analysis could both facilitate two-way communication between top management and individuals with substantial knowledge about each of the relevant aspects of utility operations and provide a clear understanding of all the information available to make a key risk management decision.”
“There is no evidence top management has taken the steps necessary to be well-informed about the key aspects of decisions selected to manage major risks that concern PG&E.” (Independent Review Panel, San Bruno Gas Explosion)

Other Lessons & Motivators

A Business and Liability Case for Corporations:

“. . . it is the job of the CEO and senior management to assess and manage the company’s exposure to risk.”

“The audit committee should discuss the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures.”

NYSE Listing Standards Part 7d


Common Contributors to Failure – Issues Related to CI Management

Focus on Financial Performance

Focus on Not System Safety

Fixing Symptoms not Problems

Complacency, Arrogance, Ignorance

Changes in Process or Procedures

Poor Communications

Focus on Regulatory Requirements (standards)

Lack of Corporate Safety Culture

Courtesy: Pat Regan (2012) FERC

Civil Infrastructure Systems

In light of some of the findings of these past events - what do we mean?

There are other “systems” within which the civil infrastructure system is designed, constructed, operated, appropriated, etc.

Intellectual Infrastructure

The brain trust of professionals that deems a concept, approach, standard of practice acceptable or adequate.

This infrastructure “fails” when the “informed technical community” is aware and capable of providing insight and guidance that would offer an alternative to the status quo – and it goes unnoticed; ignored, etc.

A failure to act on the part of management; policy makers (Congress, parliament, etc.)

Consider the Following

Consider the following relative to the 9/11 Terrorist Attacks:

“FAA Needs Pre-board Passenger Screening Performance Standards”

“Development of New Security Technology Has Not Met Expectations”

“Aviation Security: Urgent Issues Need to Be Addressed”

“Vulnerabilities Still Exist in the Aviation Security System”

Source: Titles of GAO reports written from 1987 to 2000, prior to 9/11/2001.

Reference: Bazerman, M. and M. Watkins, “Predictable Surprises”, 2004.

A Hierarchical System for Managing Critical Infrastructure Risks

[Diagram: three levels (Government / Elected Officials; Engineering Bureaucracy; Informed Technical Community) with the labels "Ceilings", "Action / Change" and "HPS New Orleans", and three X marks]

Take Away Thoughts

Major system failures are not particularly rare.

There is a gap that exists in the profession’s understanding and management of risks and the management of CI.

The broader “System” (engineering, management, and policy) requires re-thinking.

Seismic Safety Evaluation of Dams

Background
- PFMAs performed for projects according to the ‘standard’ practice (FERC, USBR)
- FERC is moving to risk-informed approach to regulation
- Tolerable risk criterion for public safety

Issue
- How to conduct seismic evaluations of dams
  - Systems approach (multiple system level failure modes)
  - Considerations of uncertainty (aleatory and epistemic)
  - Pragmatic (cost and time efficient)

Straightforward Solution

All utilities conduct risk analyses for all FERC licensed projects!
- Doable (in time); not very pragmatic
- Resource issues
- Cost (licensee cost)
- Not very realistic in many cases (e.g., Low Hazard dams)

Find a pragmatic alternative; require a risk analysis in special cases

Seismic Risk & Tolerability

SR = H * SF

Seismic Risk (Known) = Hazard (Known) * Seismic Fragility (Unknown)

We have one equation and one unknown; we can do the math.

In this case, the SR is really a tolerable risk level (an upper-bound), in which case the SF corresponds to a minimum seismic capacity that has to be demonstrated.

Seismic Hazard For a Site / Tolerable Risk Criterion

[Figure: seismic hazard curves for Site 3. Exceedance frequency (1.E-05 to 1.E-01) versus PGA (g) (0.01 to 10); curves shown for the mean and the 5th, 16th, 50th, 84th and 95th percentiles]

Seismic Risk & Tolerability

[Diagram: Seismic Risk for a Facility. Seismic Hazard (Known) * Seismic Fragility; Tolerable Risk (Known); labelled "Seismic Safety"]

Key Features of the Process

Evaluating the dam system as a “system” – considering system; structure, component interactions, etc.

Uncertainty; aleatory and epistemic

Assessing the Impact to the Public - Potential Loss of Life

Defining, for now, a tolerable risk criterion for the public

Risk-Informed Seismic Evaluation of Hydro Projects

Viewing the Dam System as a System

Given an earthquake (ground shaking at the dam site), URR occurs if E1 or E2 or E3 or O1 or O2 occurs.

[Fault tree: URR = Embankment Fails or Overflow Section Fails; Embankment Fails = Failure Mode E1 or E2 or E3; Overflow Section Fails = Failure Mode O1 or O2. Other labels: Hydrologic, Seismic, Operational, Intrinsic]

Seismic Fragility

A seismic fragility curve defines the chance of failure as a function of ground motion.

[Figure: fragility curve. Conditional probability of failure, P(f|a) (0 to 1.0), versus ground motion, a, with a = 0.3g marked on the ground-motion axis; annotations: No Chance of Failure, 50/50 Chance of Failure, Failure is Certain]

Seismic Fragility (cont.)

For each structure failure mode we can determine a seismic fragility curve.
Note, some failure modes are weaker/stronger than others.

[Figure: fragility curves for failure modes E1, E2, E3, O1 and O2. Conditional probability of failure, P(f|a) (0 to 1.0), versus ground motion, a]

Seismic Fragility (cont.)

Given an earthquake (ground shaking at the dam site), URR occurs if E1, or E2 or E3 or O1 or O2 occurs.
The fragility curve tells us for a given structure failure mode what the chance of URR is – simply read it off the curve

[Figure: fragility curve for failure mode E2. Conditional probability of failure, P(f|a) (0 to 1.0), versus ground motion, a; reading at a = 0.3g: P(E2|a) = 0.20]

Seismic Fragility (cont.)

We can repeat this for each failure mode.
Now we need to estimate the chance the URR occurs due to any failure mode

[Figure: fragility curves for failure modes E1, E2, E3, O1 and O2. Conditional probability of failure, P(f|a) (0 to 1.0), versus ground motion, a; readings at a = 0.3g: P(E1|a) = 0.20, P(E2|a) = 0.20, P(E3|a) = 0.60]

Seismic System Level Fragility

We consider all failure modes and repeat this exercise for all ground motion levels

[Figure: fragility curves for failure modes E1, E2, E3, O1 and O2 together with the URR Fragility Curve. Conditional probability of failure, P(f|a) (0 to 1.0), versus ground motion, a; annotations: a = 0.3g, P(E1|a) = 0.20, P(E2|a) = 0.20, P(E3|a) = 0.60, P(URR|a) ~ 1.0]
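The two calculations on these slides (SR = H * SF solved for the minimum capacity, and the OR-gate combination of failure-mode fragilities into a URR fragility), worked as an added example that is not part of the presentation. The lognormal curve shape, the power-law hazard curve, all medians and log-standard deviations, the tolerable risk value and the independence assumption used for the upper bound are constructed here; only the 0.20 / 0.20 / 0.60 readings at a = 0.3g come from the slides.

```python
import math

# Constructed inputs (not from the slides): lognormal failure-mode fragilities as
# (median capacity in g, log-standard deviation). E1-E3 are tuned so that the
# curves read about 0.20, 0.20 and 0.60 at a = 0.3g, the values on the slides.
MODES = {
    "E1": (0.42, 0.40), "E2": (0.42, 0.40), "E3": (0.271, 0.40),
    "O1": (0.80, 0.50), "O2": (0.60, 0.50),
}
TOLERABLE = 1.0e-4  # constructed tolerable annual frequency of URR


def lognormal_fragility(a, median, beta):
    """P(f|a) for one failure mode, assuming a lognormal capacity distribution."""
    if a <= 0.0:
        return 0.0
    return 0.5 * (1.0 + math.erf(math.log(a / median) / (beta * math.sqrt(2.0))))


def system_fragility_bounds(mode_probs):
    """P(URR|a) for an OR gate over failure modes, as (lower, upper).

    Lower bound: fully dependent modes (the weakest mode governs).
    Upper bound: statistically independent modes.
    """
    survive = 1.0
    for p in mode_probs:
        survive *= 1.0 - p
    return max(mode_probs), 1.0 - survive


def hazard(a, k0=1.0e-4, k=2.5, a_ref=0.3):
    """Constructed hazard curve H(a): annual frequency of exceeding PGA a (g)."""
    return k0 * (a / a_ref) ** (-k)


def annual_risk(modes, a_min=0.01, a_max=10.0, n=2000):
    """SR = H * SF as a sum over log-spaced PGA bins, using the independent-mode
    (upper bound) system fragility."""
    step = math.log(a_max / a_min) / n
    risk = hazard(a_max)  # shaking beyond a_max is treated as certain failure
    for i in range(n):
        lo = a_min * math.exp(i * step)
        hi = a_min * math.exp((i + 1) * step)
        mid = math.sqrt(lo * hi)
        probs = [lognormal_fragility(mid, m, b) for m, b in modes.values()]
        risk += (hazard(lo) - hazard(hi)) * system_fragility_bounds(probs)[1]
    return risk


def scale_modes(modes, factor):
    """Multiply every median capacity by factor (a uniform strengthening)."""
    return {name: (m * factor, b) for name, (m, b) in modes.items()}


def required_capacity_scale(modes, tolerable, lo=1.0, hi=50.0, tol=1.0e-4):
    """Solve the 'one equation, one unknown' problem by bisection: the smallest
    uniform capacity factor for which annual risk <= tolerable."""
    if annual_risk(modes) <= tolerable:
        return 1.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if annual_risk(scale_modes(modes, mid)) <= tolerable:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    at_03g = [lognormal_fragility(0.3, m, b) for m, b in MODES.values()]
    print("P(mode | a=0.3g):", [round(p, 2) for p in at_03g])
    print("P(URR | a=0.3g) bounds:", system_fragility_bounds(at_03g))
    print("annual risk:", annual_risk(MODES))
    print("capacity factor to meet criterion:", required_capacity_scale(MODES, TOLERABLE))
```

With the three slide readings alone, the OR gate gives P(URR|a = 0.3g) between 0.60 (fully dependent modes) and 0.744 (independent modes); the gap between the two bounds is the part of the epistemic uncertainty that comes from not knowing how the failure modes are correlated.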

Seismic Evaluation Process Figure

Seismic Evaluation Process

[Flowchart boxes: High Level System Model; Estimates of Uncertainty; Seismic Methodology; Tolerable Risk Criterion; Site-Specific PSHA; Public Safety Impact; Performance Criteria & Best/Non-Conservative Analysis; Seismic Evaluation GM; Seismic Calculations; decision "OK?" (Yes: DONE; No: More Detailed Analysis); Options?; Seismic Risk Analysis]

Key Elements of the Seismic Evaluation

Seismic-Systems PFMA Workshop
- Despite the pre-existence of a PFMA (per FERC current practice), a focused seismic & systems-based evaluation was required
- Results – multiple, new failure modes identified.

Emphasis that best/non-conservative evaluations be conducted
- Dam-break and inundation estimates
- Loss-of-life estimates
- Seismic engineering estimates

Develop a high level systems model
- Identify system level failure modes

Direct consideration of the uncertainty in the seismic hazard and seismic fragility of structures and components

ASCE Guidelines for Critical Infrastructure (2009)

Hurricane Katrina, the levee failures, and the findings of the USACE’s own investigation had a profound impact on the agency and the profession.

The consequences of the levee failures in New Orleans focused the nation’s and the civil engineering profession’s attention on the root causes of what is considered one of the worst infrastructure disasters in our nation’s history.

ASCE Guidelines

They established four guiding principles:
- Quantify, communicate, and manage risk.
- Employ an integrated systems approach.
- Exercise sound leadership, management, and stewardship in decision-making processes.
- Adapt critical infrastructure in response to dynamic conditions and practice.

Nothing that ASCE concluded/recommended was technically infeasible before Katrina!

Risk-Informed Elements for the Present

A profession, ownership (all levels of management), and as applicable regulators, and policy makers who understand infrastructure risks
- Risks - business and public safety risks
- Risk-informed business decisions support a business’s viability and public safety

Understanding of risks that is systems-based

Risk-Informed Elements for the Present

All levels of CI management should be guided by an understanding of risks; system performance and consequences
- Design
- Inspection
- Maintenance and operation
- Replacement

CI owners/operators and regulators (as the case might be) should support and contribute to community resilience
- Engaged, contributing participants

Establish sound, clear means to communicate risks and risk management program status to upper management (e.g., OPG maturity matrix approach).

Bow-Tie Life-Cycle View of Risk Management

[Bow-tie diagram labels: Hazards/Threats; Sequences of Events; Undesirable Events; Consequences]

Life-Cycle View of Infrastructure Management

Sequences Leading to Undesirable Events/Consequences

Courtesy: Des Hartford

Engineering Design

Courtesy: Des Hartford

Full Risk Management Program

Courtesy: Des Hartford

Something We Don’t Want!

Thank You