TRANSCRIPT
System Engineering & Risk-Informed Management of Civil Infrastructure
Martin W. McCann, Jr.
Jack R. Benjamin & Associates, Inc. & Stanford University
Interesting Times
The concept of risk-informed management for systems has been around for some time.
In some fields within civil engineering, it is practiced more than others.
What is new is the present-day context: events of the last 5-7 years (let alone the last 20-40 years) have dictated a change, and there is a sense of urgency (costs, public pressure (a reaction to disaster), regulatory oversight, etc.).
Previously (Currently…)
For the most part, design and safety evaluation of civil infrastructure systems was carried out using a standards-based approach (still in use today).
The mindset was "we design it to meet the standard; therefore it will perform adequately".
Post-construction, some systems were largely forgotten (dam gate systems, for instance).
Now…
There is a broader scope (need) to understand how a system will perform, and to decide what is reasonable and appropriate (tolerable).
There is an important business case to be addressed regarding the reliable and safe performance of infrastructure systems.
At present, there are gaps to be addressed: the toolbox (intellectual, methods, software, etc.), research needs, and the steps needed to make it a standard of practice.
My Starting Point - Working Hypothesis
The importance of civil infrastructure systems (CI) to our daily lives (quality of life) is more and more important (CI houses the internet, homes, businesses, schools, provides transportation, etc.).
Another way to put this: failure of CI has greater impact, even of course catastrophic impact.
To varying degrees and at multiple levels, these are all 'systems'.
Managing CI requires an understanding of risks through their life cycle.
By implication, there is a broad range of needs within the profession and within the overall policy-making infrastructure to make this happen.
Events Tend to Shape & Re-shape
Fukushima NPP (2011)
Fort Peck Dam (2011): The USACE has revealed that planned repairs to the Fort Peck Dam in Montana are expected to cost more than $225M, more than four times the amount it has available to spend on the project. Spillway capacity = 275,000 cfs; max. release 2011 = 65,000 cfs.
PG&E - San Bruno gas line explosion and fire (Sept. 2010)
Hurricane Katrina - Lower Ninth Ward (2005)
Taum Sauk Dam Failure (2005)
Folsom Gate Failure (1995)
Teton Dam (1976)
Buffalo Creek (1972) (figure: location of three impoundments)
Post-Disaster: Findings, Insights, Reflections
Teton Dam: "Design branches in Reclamation in the 60's and 70's did not have good communication and did not share information to learn corporate lessons. … Conflicts existed Reclamation-wide between construction offices, geologists and designers. It was a dual failure on the part of the organization. …" (Snortland, 2009)
Hurricane Katrina: "The System did not perform as a system: the hurricane protection in New Orleans and Southeast Louisiana was a system in name only. …" (USACE, General Strock)
PG&E Gas Explosion: "Quality (risk) analysis could both facilitate two-way communication between top management and individuals with substantial knowledge about each of the relevant aspects of utility operations and provide a clear understanding of all the information available to make a key risk management decision." "There is no evidence top management has taken the steps necessary to be well-informed about the key aspects of decisions selected to manage major risks that concern PG&E." (Independent Review Panel, San Bruno Gas Explosion)
Other Lessons & Motivators
A Business and Liability Case for Corporations: ". . . it is the job of the CEO and senior management to assess and manage the company's exposure to risk."
"The audit committee should discuss the company's major financial risk exposures and the steps management has taken to monitor and control such exposures."
NYSE Listing Standards Part 7d
Common Contributors to Failure – Issues Related to CI Management
Focus on Financial Performance
Focus Not on System Safety
Fixing Symptoms not Problems
Complacency, Arrogance, Ignorance
Changes in Process or Procedures
Poor Communications
Focus on Regulatory Requirements (standards)
Lack of Corporate Safety Culture
Courtesy: Pat Regan (2012), FERC
Civil Infrastructure Systems
In light of some of the findings of these past events - what do we mean?
There are other "systems" within which the civil infrastructure system is designed, constructed, operated, appropriated, etc.
Intellectual Infrastructure
The brain trust of professionals that deems a concept, approach, or standard of practice acceptable or adequate.
This infrastructure "fails" when the "informed technical community" is aware and capable of providing insight and guidance that would offer an alternative to the status quo - and it goes unnoticed, ignored, etc.
A failure to act on the part of management and policy makers (Congress, parliament, etc.)
Consider the Following
Consider the following relative to the 9/11 Terrorist Attacks:
"FAA Needs Pre-board Passenger Screening Performance Standards"
"Development of New Security Technology Has Not Met Expectations"
"Aviation Security: Urgent Issues Need to Be Addressed"
"Vulnerabilities Still Exist in the Aviation Security System"
Source: titles of GAO reports written prior to 9/11/2001 (from 1987 to 2000). Reference: Bazerman, M. and M. Watkins, "Predictable Surprises", 2004.
A Hierarchical System for Managing Critical Infrastructure Risks
(Figure: a three-level hierarchy - Government / Elected Officials, Engineering Bureaucracy, Informed Technical Community - with columns labelled "Ceilings", "Action / Change" and "HPS New Orleans"; the X marks of the original figure are not recoverable from the text.)
Take Away Thoughts
Major system failures are not particularly rare.
There is a gap in the profession's understanding and management of risks and the management of CI.
The broader "System" (engineering, management, and policy) requires re-thinking.
Seismic Safety Evaluation of Dams
Background: PFMAs performed for projects according to the 'standard' practice (FERC, USBR). FERC is moving to a risk-informed approach to regulation. Tolerable risk criterion for public safety.
Issue: how to conduct seismic evaluations of dams.
Systems approach (multiple system-level failure modes); consideration of uncertainty (aleatory and epistemic); pragmatic (cost and time efficient).
Straightforward Solution
All utilities conduct risk analyses for all FERC-licensed projects!
Doable (in time); not very pragmatic: resource issues; cost (licensee cost); not very realistic in many cases (e.g., low-hazard dams).
Find a pragmatic alternative; require a risk analysis in special cases.
Seismic Risk & Tolerability
SR = H * SF
Seismic Risk (known) = Hazard (known) * Seismic Fragility (unknown)
We have one equation and one unknown; we can do the math.
In this case, SR is really a tolerable risk level (an upper bound), in which case SF corresponds to a minimum seismic capacity that has to be demonstrated.
(Figure, "Site 3": seismic hazard curve for a site - annual exceedance frequency from 1E-05 to 1E-01 versus PGA in g from 0.01 to 10 - showing the mean and the 5th, 16th, 50th, 84th and 95th percentile curves, with the tolerable risk criterion drawn across it.)
Seismic Risk & Tolerability
(Figure: Seismic Risk for a Facility = Seismic Hazard * Seismic Fragility; the seismic hazard and the tolerable risk are marked "Known", and the tolerable risk sets the seismic safety (fragility) that must be demonstrated.)
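The "one equation, one unknown" step above, and the facility-level picture of risk as hazard times fragility, can be carried through numerically. The following is an added example, not code from the presentation or from Jack R. Benjamin & Associates; it assumes a power-law hazard curve (a straight line on the log-log hazard plot) and a lognormal fragility curve with a 50/50 failure point at the median capacity, and the hazard constants, the beta value and the tolerable risk of 1e-4 per year are constructed for illustration. It computes the annual failure frequency by integrating the hazard against the fragility, checks the integral against the closed form that exists for this pair of shapes, and then inverts the relation to find the smallest median capacity that meets a tolerable risk.

```python
import math


def normal_cdf(z):
    """Standard normal CDF via the error function (stdlib only)."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def fragility(a, a_median, beta):
    """Lognormal seismic fragility P(f|a): chance of failure given PGA a (g).
    a_median is the capacity at which failure is a 50/50 proposition."""
    if a <= 0.0:
        return 0.0
    return normal_cdf(math.log(a / a_median) / beta)


def hazard(a, k0, k):
    """Annual frequency of exceeding PGA a, modelled as H(a) = k0 * a**-k
    (assumed shape for the example, not a site-specific PSHA curve)."""
    return k0 * a ** (-k)


def seismic_risk(a_median, beta, k0, k, a_lo=1e-3, a_hi=100.0, n=20000):
    """SR = H * SF as the risk integral over all ground-motion levels:
    annual failure frequency = integral of |dH/da| * P(f|a) da.
    Integrated in u = ln(a) with the trapezoid rule, where
    |dH/da| * da = k0 * k * a**-k du."""
    u_lo, u_hi = math.log(a_lo), math.log(a_hi)
    du = (u_hi - u_lo) / n
    total = 0.0
    for i in range(n + 1):
        a = math.exp(u_lo + i * du)
        weight = 0.5 if i in (0, n) else 1.0
        total += weight * k0 * k * a ** (-k) * fragility(a, a_median, beta)
    return total * du


def seismic_risk_closed_form(a_median, beta, k0, k):
    """For power-law hazard and lognormal fragility the integral has a closed
    form: SR = H(a_median) * exp(k**2 * beta**2 / 2). Used to check the integral."""
    return hazard(a_median, k0, k) * math.exp(0.5 * (k * beta) ** 2)


def minimum_capacity(tolerable_risk, beta, k0, k):
    """The 'one equation, one unknown' step: given a tolerable SR (upper bound)
    and the known hazard, solve for the smallest median capacity whose SR
    still meets the criterion."""
    h_at_capacity = tolerable_risk * math.exp(-0.5 * (k * beta) ** 2)
    return (k0 / h_at_capacity) ** (1.0 / k)


if __name__ == "__main__":
    # Constructed hazard: 1e-2/yr at 0.1 g and 1e-4/yr at 1 g -> k = 2, k0 = 1e-4.
    K0, K = 1e-4, 2.0
    # Constructed fragility: median capacity 0.3 g (50/50 chance), beta 0.4.
    sr = seismic_risk(0.3, 0.4, K0, K)
    print(f"annual failure frequency, 0.3 g median capacity: {sr:.3e}")
    print(f"closed-form check: {seismic_risk_closed_form(0.3, 0.4, K0, K):.3e}")
    # Tolerable risk of 1e-4/yr (constructed): what capacity must be demonstrated?
    a_min = minimum_capacity(1e-4, 0.4, K0, K)
    print(f"minimum median capacity for SR <= 1e-4/yr: {a_min:.3f} g")
```

The closed form is only a check for these two assumed curve shapes; with a real site-specific hazard curve (tabulated, with its percentile curves) the integral is the general route, and the epistemic uncertainty shown by the 5th to 95th percentile hazard curves would be carried by repeating it for each percentile.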
Key Features of the Process
Evaluating the dam system as a "system" - considering system, structure and component interactions, etc.
Uncertainty: aleatory and epistemic.
Assessing the impact to the public - potential loss of life.
Defining, for now, a tolerable risk criterion for the public.
Risk-Informed Seismic Evaluation of Hydro Projects
Viewing the Dam System as a System
(Figure: fault tree with URR as the top event; failure modes E1, E2, E3 sit under "Embankment Fails" and O1, O2 under "Overflow Section Fails", joined by OR gates, with initiators grouped as hydrologic, seismic, operational and intrinsic.)
Given an earthquake (ground shaking at the dam site), URR occurs if E1 or E2 or E3 or O1 or O2 occurs.
Seismic Fragility
A seismic fragility curve defines the chance of failure as a function of ground motion.
(Figure: conditional probability of failure P(f|a) versus ground motion a; P(f|a) = 0 means no chance of failure, P(f|a) = 0.5 at a = 0.3g is a 50/50 chance of failure, and P(f|a) = 1.0 means failure is certain.)
Seismic Fragility (cont.)
(Figure: fragility curves P(f|a) versus ground motion a for each failure mode E1, E2, E3, O1 and O2 on the same axes.)
For each structure failure mode we can determine a seismic fragility curve. Note, some failure modes are weaker/stronger than others.
Seismic Fragility (cont.)
Given an earthquake (ground shaking at the dam site), URR occurs if E1, or E2 or E3 or O1 or O2 occurs. The fragility curve tells us, for a given structure failure mode, what the chance of URR is - simply read it off the curve.
(Figure: fragility curve for E2; at a = 0.3g, P(E2|a) = 0.20.)
Seismic Fragility (cont.)
We can repeat this for each failure mode. Now we need to estimate the chance that URR occurs due to any failure mode.
(Figure: fragility curves for E1, E2, E3, O1 and O2; at a = 0.3g, P(E1|a) = 0.20, P(E2|a) = 0.20 and P(E3|a) = 0.60.)
Seismic System Level Fragility
We consider all failure modes and repeat this exercise for all ground motion levels.
(Figure: the same per-mode curves, with P(E1|a) = 0.20, P(E2|a) = 0.20 and P(E3|a) = 0.60 at a = 0.3g, plus the resulting URR fragility curve, for which P(URR|a) ~ 1.0 at a = 0.3g.)
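The fault-tree statement that URR occurs if E1 or E2 or E3 or O1 or O2 occurs, and the repetition of the per-mode read-off over all ground-motion levels to obtain the system-level curve, are the two pieces combined below. This is an added example, not code from the presentation: it takes the per-mode values the slide gives at a = 0.3g (P(E1|a) = 0.20, P(E2|a) = 0.20, P(E3|a) = 0.60), uses assumed values for O1 and O2, which are not legible on the page, and combines them as an OR of modes under the assumption that the modes fail independently given the ground motion. Because that independence assumption is the step a reviewer would question (modes sharing the same shaking and the same foundation are often correlated), it also reports the bounds that hold without it. The per-mode median capacities and beta values used to draw the full URR curve are constructed.

```python
import math


def normal_cdf(z):
    """Standard normal CDF via the error function (stdlib only)."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def mode_fragility(a, a_median, beta):
    """Lognormal fragility curve for one failure mode: P(Ei|a)."""
    if a <= 0.0:
        return 0.0
    return normal_cdf(math.log(a / a_median) / beta)


def system_fragility(mode_probs):
    """P(URR|a) = P(E1 or E2 or E3 or O1 or O2 | a), assuming the modes fail
    independently given the ground motion: 1 - product of (1 - P(Ei|a))."""
    p_no_failure = 1.0
    for p in mode_probs.values():
        p_no_failure *= 1.0 - p
    return 1.0 - p_no_failure


def system_fragility_bounds(mode_probs):
    """Without independence the OR of the modes is only bounded:
    max P(Ei|a) <= P(URR|a) <= min(1, sum P(Ei|a))  (unimodal and Boole bounds)."""
    ps = list(mode_probs.values())
    return max(ps), min(1.0, sum(ps))


def urr_fragility_curve(mode_params, ground_motions):
    """Repeat the OR at every ground-motion level to build the system-level curve."""
    curve = []
    for a in ground_motions:
        probs = {name: mode_fragility(a, med, beta)
                 for name, (med, beta) in mode_params.items()}
        curve.append((a, system_fragility(probs)))
    return curve


# E1, E2, E3 as read off the slide at a = 0.3 g; O1 and O2 are ASSUMED values.
AT_0_3G = {"E1": 0.20, "E2": 0.20, "E3": 0.60, "O1": 0.90, "O2": 0.80}

# Constructed (median capacity in g, beta) per mode for drawing full curves.
MODE_PARAMS = {
    "E1": (0.50, 0.5),
    "E2": (0.50, 0.5),
    "E3": (0.27, 0.4),
    "O1": (0.15, 0.5),
    "O2": (0.20, 0.5),
}

if __name__ == "__main__":
    print(f"P(URR|0.3g), independent modes: {system_fragility(AT_0_3G):.3f}")
    lo, hi = system_fragility_bounds(AT_0_3G)
    print(f"bounds without independence:    {lo:.2f} .. {hi:.2f}")
    for a, p in urr_fragility_curve(MODE_PARAMS, [0.05, 0.1, 0.2, 0.3, 0.5, 1.0]):
        print(f"a = {a:.2f} g   P(URR|a) = {p:.3f}")
```

With the three values from the slide alone, the independent-mode result is 0.744; adding the two assumed overflow-section values pushes it to about 0.995, which is the "~ 1.0" the slide reports. The lower bound (the weakest mode alone) is the figure to quote when the correlation between modes is unknown.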
Seismic Evaluation Process
(Flowchart: inputs - high-level system model, estimates of uncertainty, tolerable risk criterion, site-specific PSHA, performance criteria & best/non-conservative analysis, public safety impact - feed the seismic methodology, which sets the seismic evaluation ground motion (GM). Seismic calculations OK? Yes: DONE. No: more detailed analysis, then seismic risk analysis, then options?)
Key Elements of the Seismic Evaluation
Seismic-Systems PFMA Workshop: despite the pre-existence of a PFMA (per FERC current practice), a focused seismic & systems-based evaluation was required. Results - multiple, new failure modes identified.
Emphasis that best/non-conservative evaluations be conducted: dam-break and inundation estimates; loss-of-life estimates; seismic engineering estimates.
Develop a high-level systems model; identify system-level failure modes.
Direct consideration of the uncertainty in the seismic hazard and seismic fragility of structures and components.
ASCE Guidelines for Critical Infrastructure (2009)
Hurricane Katrina, the levee failures, and the findings of the USACE's own investigation had a profound impact on the agency and the profession.
The consequences of the levee failures in New Orleans focused the nation's and the civil engineering profession's attention on the root causes of what is considered one of the worst infrastructure disasters in our nation's history.
They established four guiding principles:
Quantify, communicate, and manage risk.
Employ an integrated systems approach.
Exercise sound leadership, management, and stewardship in decision-making processes.
Adapt critical infrastructure in response to dynamic conditions and practice.
Nothing that ASCE concluded/recommended was technically infeasible before Katrina!
ASCE Guidelines
Risk-Informed Elements for the Present
A profession, ownership (all levels of management), and as applicable regulators and policy makers who understand infrastructure risks.
Risks - business and public safety risks: risk-informed business decisions support a business's viability and public safety.
Understanding of risks that is systems-based.
Risk-Informed Elements for the Present
All levels of CI management should be guided by an understanding of risks: system performance and consequences.
Design; inspection; maintenance and operation; replacement.
CI owners/operators and regulators (as the case might be) should support and contribute to community resilience.
Engaged, contributing participants.
Establish sound, clear means to communicate risks and risk management program status to upper management (e.g., OPG maturity matrix approach).
Bow-Tie Life-Cycle View of Risk Management
(Figure: bow-tie diagram - hazards/threats on the left, sequences of events leading to the undesirable events at the centre, consequences on the right.)
Life-Cycle View of Infrastructure Management
Sequences Leading to Undesirable Events/Consequences
Courtesy: Des Hartford
Engineering Design
Courtesy: Des Hartford
Full Risk Management Program
Courtesy: Des Hartford
Something We Don't Want!
Thank You