Ross River Dam Spillway Gate Reliability and the Impact on the Design
ROSS RIVER DAM SPILLWAY GATE RELIABILITY AND THE IMPACT
ON THE DESIGN
Malcolm Barker 1, Barry Vivian2 and David S. Bowles3
ABSTRACT
Ross River Dam is located approximately 15 km upstream of the Townsville and provides a dual role of
water supply and flood mitigation. The dam comprises a 39.6m long concrete overflow spillway flanked by a
central core rockfill embankment of 300 m in length with a 7,620 m long left bank earth fill embankment,
which has inadequate internal filter zones for piping protection. Since completion, design rainfall
predictions for the area have doubled, technical data has changed and so, too, have dam safety standards.
Dam safety evaluations during 2000-2002 showed that the dam required upgrading in order to bring it up to
international standards. As an interim measure, the spillway was cut down by 3.6m.
Upgrade design works were then completed using risk-based design criteria to validate the design, and
construction is in progress. The upgrade works comprise spillway anchoring, installation of three radial
gates on the spillway, stilling basin modifications, embankment filter protection, and dam crest raising.
This paper presents the options considered, the method of reliability analysis, and how the results influenced
the spillway system design and overall risk evaluation for the upgrade design.
1
INTRODUCTION
Ross River Dam, which is located approximately
15 km upstream of Townsville in Queensland,
Australia, was constructed in the early 1970s for
water supply and flood mitigation. The dam
comprises the following:
needed to be brought into line with current
international standards. As the first step in the
upgrade works, the spillway was lowered. This
was completed at the end of 2003 by saw cutting
the spillway down by 3.6m to the Stage 1A level
of EL 34.656m AHD.
– A 39.6 m long gravity concrete spillway, with
concrete training walls;
– Outlet works on the left side of the spillway
with seven draw off levels;
– Approximately 300 m of central core rockfill
embankment up to 34 m high;
– 7.7 km of earth embankment up to 11 m high.
The spillway crest level was raised on two
separate occasions from the Stage 1 construction
level of EL 34.052m AHD to Stage 1A of EL
34.656 m AHD and the Stage 2A level of
EL 38.206m AHD.
Since the dam was completed, design rainfall
predictions for the area have doubled, technical
data has changed and so too have dam safety
standards. A dam safety review, risk assessment,
and upgrade option study completed between
2000 and 2003, therefore, showed that the dam
Photo 1 Ross River Dam Cut Down Spillway
and Upgrade Works in Progress
The aim of subsequent stages of the Ross River
Dam Upgrade Project was to ensure that the dam
has a standard of safety that satisfies the
requirements of the Owner, the relevant statutory
authorities and the community. Furthermore the
1
Principal Engineer, Dams, GHD, Brisbane
Principal Engineer, Mechanical & Electrical GHD, Brisbane
3
Professor and Director, Institute for Dam Safety Risk Assessment, Utah State University and Principal, RAC
Engineers & Economists
2
ANCOLD 2006 Conference
Page 1
Ross River Dam Spillway Gate Reliability and the Impact on the Design
Owner required that all aspects of the upgrade
project be cost-effective, rigorously undertaken
and highly defensible.
following spillway lowering design criteria were
established for the spillway temporary lowering
and for the decision on the timing of the
commencement of operation of the spillway gates
relative to completion of various stages of safety
upgrade works on the embankment:
– Any further lowering of the crest level below
the 1 in 100 AEP level would lead to an
unacceptably high decrease in downstream
flood control benefits;
Figure 1 Ross River Dam Artists Impression of
Gated Spillway
The standard of safety was evaluated using a riskbased design validation model with the application
of the “As Low As Reasonably Practicable”
(ALARP) principle (Bowles 2004) throughout the
design phase to provide a level of risk
substantially lower than the limit of tolerability for
existing dams, as described in ANCOLD
Guidelines for Risk Assessment, (ANCOLD
2003).
This paper describes the spillway lowering, some
of the background to the adopted option for the
spillway gate system, the options considered, the
method of reliability analysis, and how the results
influenced the spillway system design and overall
risk evaluation for the upgrade design.
– It was desirable to have comparable flood
discharge capacity for the existing lowered
broad crested weir and the future gated weir.
This would likely necessitate the use of an
ogee section for the future installation of the
gates;
– A significant increase in the risk of dam failure
due to the failure of the spillway gate system to
operate on demand with the lowered spillway
is unacceptable.
Based on the above, the following crest reduction
levels were considered for the flood routing
analysis to determine the AEP of various outflow
floods and the risk of piping and overtopping dam
failure for each option:
»
Ogee and Broad Crested Weir lowering by
2.0 m, 2.8 m, 3.55 m, 3.66 m, and 4 m with and
without gates.
»
Ogee and Broad Crested Weir lowering by 5 m
and 6 m with gates.
SPILLWAY LOWERING
The Stage 2 spillway was capable of passing about
355m3/s at the historical flood level of 41.5 m
AHD. Consultation with the relevant authorities
established that, on an interim basis while design
work proceeded on spillway and other safety
upgrades, they were willing to accept a spillway
capacity associated with a 1 in 100 Annual
Exceedance Probability (AEP) discharge flood
event for which the discharge is 653m3/s. The
spillway and retaining wall stability for the
lowered broad crested weir was found to be
adequate.
The rating curves were determined for each
option, as shown on Figure 2.
48
47
46
45
44
43
Water Level (m AHD)
2
– The lowered crest level was to provide about
an order of magnitude reduction in the
likelihood of dam failure.
42
Existing Crest
41
2.0m
40
2.8m
39
While reducing the risk of dam failure, the
temporary spillway lowering also reduced the full
supply level and therefore the available water
supply. The owner desired to restore the capacity
to store water by installing and commencing to
operate the spillway gates as soon as it was
sufficiently safe to do so.
Therefore, the
ANCOLD 2006 Conference
2.8m Ogee
3.55m
38
3.66m
37
4.0m
36
35
34
0
500
1000
1500
2000
2500
3000
3500
4000
4500
5000
3
Discharge (m /s)
Figure 2 Spillway Ratings for Lowered Crest
Page 2
5500
Ross River Dam Spillway Gate Reliability and the Impact on the Design
The overall dam safety risk model was then used
to estimate the annual probability of dam failure
for piping and overtopping, which showed that:
(a) the total probability of failure was reduced by
nearly an order of magnitude for the broad crested
weir lowering of 3.55 m; and (b) remedial works
to the embankment would be required prior to
installation of the gates.
The construction was completed for lowering of
the spillway by 3.55 m to 34.656 m AHD in
December 2003.
3
3.3
The final gate selection was completed with
consideration of three or four gates for each of the
short-listed gate types and focused primarily on
the following factors:
»
Reliability (and failure rate) of operation
estimated using a fault tree analysis (see
Section 5);
»
Worldwide experience in use;
»
Upstream and downstream effects of gate
operation;
»
Discharge capability;
»
Overall cost.
SPILLWAY GATE OPTIONS
The spillway gate options study was carried out in
a number of stages as follows.
3.1
Gate Facility Inspections
Various gate facilities were inspected by the
owner and design team to evaluate gate types and
operational requirements.
3.2
Preliminary Evaluation of Viable
Gate Options
A short-list of viable gate solutions to reinstate the
FSL to RL 38.2 m AHD was developed including
the following:
»
Radial gate;
»
Vertical lift gate;
»
Hinged crest gate (steel gate with three
different locations for hydraulic cylinders);
»
Hinged crest gate (proprietary Obermeyer type
operated by inflatable rubber bladder);
»
Automatic flow gate (proprietary gate
manufactured by Flow Gates Projects);
»
Hydroplus fuse gate.
A matrix covering 24 parameters covering flood
control,
design,
operation,
maintenance,
environmental, financial, safety and life
expectancy was used in assessing the
appropriateness of each gate type after which the
following gate types were short-listed for further
analysis.
»
Radial gate
»
Hinged crest gate (steel gate) with overhead
cylinders
»
Obermeyer gate
ANCOLD 2006 Conference
Final Gate Selection
A review of these factors indicated that:
– All three gate types possess good operational
reliability;
– There was little difference in the upstream and
downstream affects of their operation;
– Operational experience favours radial gates
over the two other gate types;
– Radial and Obermeyer gates have higher
discharge capacities than the hinged crest
gates;
– The estimated overall cost for Obermeyer gates
was less than those estimated for the radial and
hinged crest gates.
Based on these outcomes it was not possible to
make a clear choice amongst the three short-listed
gate options. Therefore, a workshop was held at
which the gate designers, spillway civil designer,
fault tree and risk analysts and the Expert Review
Panel member with expertise in spillway gate
design evaluated the options. The reliability
analyses indicated that the radial gates provided
the most reliable system and the final decision was
made to adopt the option of radial gates due to
their reliability and three gates rather than four
due to reduced cost.
4
SPILLWAY SYSTEM
DESCRIPTION
The final spillway system was as follows.
Page 3
Ross River Dam Spillway Gate Reliability and the Impact on the Design
4.1
Gate Features
The three painted structural steel radial gates, each
12.192m wide with 1.524m wide piers.
The trunnion anchorages will be post-tensioned
using cables and the trunnions will have stainless
steel pins with self lubricating bearings.
The exposed surfaces of embedded parts, against
which the gate will seal and guide rollers will
make contact, will be of stainless steel. Due to
difficulty of replacement, both the bottom and side
seals will be mounted on the gate structure.
4.3
For designing the new intermediate piers, it was
assumed that one gate on one side of the pier is
fully open while the gate on the other side is fully
closed. Cross-valley and upstream-downstream
seismic loads were also considered.
A bridge deck will be necessary for installation
and maintenance of the gates. The 8 m wide deck
will extend upstream to allow for a mobile crane
to be located on the bridge during gate installation
and for subsequent maintenance.
4.4
4.2
Operating Equipment Features
Civil Works Features
Maintenance Requirements
The gates will be hydraulically operated, with two
hydraulic cylinders per gate. The two cylinders
will be hydraulically synchronized by being
connected to common hydraulic fluid supply and
return lines.
There will, however, be no
interconnection between the individual gate
systems.
The gates and their hydraulic operators will be
generally maintenance free (no lubrication will be
needed because of the use of self-lubricating
bearings), except for the periodic replacement of
filters in the hydraulic system and replacement (or
cleaning) of the hydraulic fluid. The frequency of
this replacement will depend on the frequency of
gate operation.
Each gate will have its own hydraulic power unit
(HPU). Each HPU will include two pumps,
including one standby powered by a diesel engine.
In the event of all power systems failing, a trailermounted hydraulic unit can be used for operation
of each gate.
The filters will be equipped with indicators to
signify the need for replacement. The hydraulic
fluid will need to be checked once every six
months and may need cleaning every three to five
years. The level of the hydraulic fluid will need to
be checked once a week.
Thy hydraulic system for each gate will include
directional control valves, flow control valves,
relief valves, filters, pressure gauges, pressure
transmitters, and a counterbalance valve for
controlled operation of the gate. Dual solenoid
valves will be provided for gate closure. A
separate line with a manual shut-off valve and a
flow control valve will be provided to enable
manual lowering of the gate in case of loss of
power.
A detailed annual inspection of the gates and
hydraulic equipment will be required. It is
expected that there may be a need for repair or
replacement of the gate seals and gate painting
every 15 years.
All hydraulic piping on the HPUs and between the
HPUs and the cylinders will be made of stainless
steel and all flexible hoses will be braided with
stainless steel wire.
The AC power system will be connected to the
local grid. Two standby generators, each rated to
meet the entire demand of the gate system, will be
provided. The DC power for the control system
will be provided with dual DC chargers and
batteries rated for three-days of operation.
ANCOLD 2006 Conference
4.5
Control Philosophy
The gates will be remotely monitored and
controlled from a central control room that is to be
manned continuously.
The four-tier control
philosophy is as follows:
»
Tier 1: Normal operation is automatic control
operating in the background
»
Tier 2: Manual override through the automatic
system:
– through remote links from the 24-hour manned
control room or local operator dial up. This
overrides the automatic system but relies on
the Programmable Logic Control (PLC)
network for communications
Page 4
Ross River Dam Spillway Gate Reliability and the Impact on the Design
– through local Human Machine Interface
(HMI). This overrides the automatic system
and remote manual control. This overrides the
automatic system but relies on the PLC
network for communications
»
Tier 3: Manual operation through push buttons
at gate control panels adjacent to the HPU.
This overrides the automatic system, remote
and local manual control through the HMI
»
Tier 4: A trailer-mounted hydraulic system,
which can be connected to each gate.
4.6
System Architecture
The control system architecture, shown in
Figure 3, is based on a distributed intelligence
design, with each gate being provided with a
process controller and associated inputs and
outputs (IO) to the respective gate control
facilities.
The main features of the control system are as
follows:
– The operators will be able to dial into the gates
at any time over the telephone lines;
– All inputs and outputs are duplicated;
– All processors are duplicated;
– All communication modules are duplicated;
– Each gate has a dedicated manual control
panel. This overrides the automatic system and
provides remote manual control through a
dedicated PLC, which contains all the
intelligence required to operate the gate
independently of any other inputs;
– All PLCs can communicate over a dual
ethernet link with each other and with the
water level sensors. The water level sensors
are field devices and communicate with each
of the PLCs directly;
– If the communication links are operating, the
individual gates will be able to compensate
immediately for the outage of another gate
automatically.
Communications
for remote data
Remote Dial In
Access
Internet Access
(Satellite)
Possible
HMI 1
Mobile PC
with radio link
HMI 2
Services
Duplicate Optical Ethernet
Gate 1
Gate Controllers, with duplicate
controller; IO modules and
communications
Gate 2
Lake Level Instruments
‘Remote IO” with redundant
communications
Gate 3
Gate Controllers, with duplicate
controller; IO modules and
communications
Figure 3 Control System Architecture (Ross River Dam Upgrade Stages 2 to 5 Spillway Gate Options)
4.7
Power Supply
The proposed power system arrangement for the
following equipment related to the gate control is
shown in Figure 4:
– The gate HPU main pump (the backup pump is
diesel powered).
– The DC systems (main and backup) for the
control, communications and monitoring
systems.
– General lighting and power.
ANCOLD 2006 Conference
Page 5
Ross River Dam Spillway Gate Reliability and the Impact on the Design
The DC systems will be provided with batteries to
allow extended operation in the event of a power
failure.
generators (main and standby) will be provided for
powering the facility. Each generator will be
sized to power the entire gate structure.
As the external AC system may be inoperative
during an extreme flood event two diesel
Main Switchboard
Mains
G1
G2
Change Over
(C/O) Panel
D
D
D
H Panel
#1
H Panel
#2
H Panel
#3
E
E
E
C/O
Panel
C/O
Panel
C/O
Panel
Supply B
Supply A
Figure 4 Power Supply Arrangement
4.8
Operational Alarms
The following control system alarms will be
provided:
– Lake level
– Instrument failure detection
– Equipment failure detection
– Communications failure detection
– I/O wiring failure detection
– Abnormal gate operation detection
These alarms will be displayed on the local
terminals and the remote monitoring facilities. If
required, a telepaging system will be used to alert
the Owner that a problem exists.
5
FAULT TREE ANALYSIS
(FTA)
The Fault Tree Analysis of system reliability for
mechanical and electrical systems is widely
applied in the nuclear and aerospace industry and
has been used on a number of spillway gate
installations in Australia and elsewhere.
ANCOLD 2006 Conference
Fault trees were developed for the various
spillway gate operating scenarios and analysed
using the ‘Fault Tree +’module of the Reliability
Workbench software supplied by Isograph.
5.1
Analysis Tools and Data
5.1 (a) Data
The basic input event probabilities were derived
from diverse sources, principally based on
interpretation of the USEPA technical report EPA600/2-82-044, and US Nuclear Regulatory
Commission Fault Tree Handbook NUREG-0492
(Fault Tree Handbook). Electrical and electronic
component reliability data was sourced from
typical supplier’s data for the generic type of
equipment proposed.
The basic event frequency was pre-processed
before use in the Fault Tree. Generally, the data
available is quoted for a continuously operating
component and modifications were made for the
data to be pertinent to operation in the spillway
gate system. Adjustments were made for the
following:
Page 6
Ross River Dam Spillway Gate Reliability and the Impact on the Design
– dormancy (where appropriate);
– testing frequency;
– mission time (flood duration);
– recovery from a failure with a repair cycle.
The repair cycle included the probability of
correct diagnosis, the availability of spares, and
the estimated time required for the repair
compared to the expected mission time. The
following probabilities were calculated for basic
events as appropriate to the components included
in the fault tree.
– Dormant failure of a component
– Failure of a continuous running component
– Running failure of a dormant component,
given a successful start
– Repair
As an example, the dormant failure of a
component was calculated using the following
formula.
P1 =
DF  TI
RT 
TD
+

+
1000  730 8760  24 * TI
in which:
DF = Dormant failure rate (failures per 1,000
years)
TI = Test interval (days)
RT = Restoration time (hours)
TD = Test duration (hours)
5.1 (b) Power Supply Reliability
The outage history of the 11 kV feeder to the dam
was provided by the local power authority, Ergon,
and showed an average of 4 unplanned outages
per year, which was considerably better than the
State averages. Of particular note was the “mean
time to repair”(MTTR), which was exceptionally
low at 1.2 hours. The outage rate was used in a
Chi-squared analysis with a 5% uncertainty limit,
and together with the MTTR and a 24-hour
mission time, yielded a repair unavailability of
0.000445 per demand. This value is much lower
than is customarily used for grid failure. Statewide averages using the same methodology yield
Repaired Unavailability of 0.080 per demand
because MTTR is considerably higher. Even this
figure was considered too optimistic for use
during a storm event. A dismal performance
would be a failure every 3 days with a 2 day
ANCOLD 2006 Conference
MTTR, which represents an estimate of Repaired
unavailability of 0.445 per demand. Sensitivity to
grid unavailability was, therefore, tested for the
design case redundancy by analysing cases for
grid unavailability of 0.080 and 0.445 per demand.
5.1 (c) Human Error Probability (HEP)
The HEP was adapted from the US Nuclear
Regulatory Commission Fault Tree Handbook
NUREG-0492 taking into account the expected
staffing numbers and levels of competence
together with the complexity of the tasks. The
analysis of HEP was based on the following
assumptions:
– Two people are required to operate the
spillway gate system, primarily for
occupational safety reasons.
– The ‘reserve’operator will check the actions of
the ‘principal’operator, and that this regime
will reduce the frequency of errors.
– Staffing of one fully trained operator, one
assistant operator familiar with the spillway
gate system but not necessarily fully trained,
and four back-up personnel who can assist
either the operator or the assistant operator in
an emergency.
– The operation of the spillway gate system for
an extended period will be on the basis of two
shifts. Operators who could not attend the first
shift will be available for call on the second
shift.
– The dam operating rules are clear and
unambiguous with no calculations required,
and no decision-making required.
– There is adequate time to carry out the required
operations.
– The operators act in a non-hostile environment.
– There is a SCADA-based callout system to
notify the operators of faults and of an
unexpected rise in water levels.
– A suitable and reliable four-wheel drive
vehicle is available to transport the operators to
the dam, with a 5% chance that the roads are
impassable for the first shift and a 30% chance
for the second shift, which starts 12 hours later
than the first shift. The operators are assumed
to live within 15 minutes drive from the dam.
Page 7
Ross River Dam Spillway Gate Reliability and the Impact on the Design
– The likelihood of any one operator getting to
the dam took into account the operator being
sick, on leave, out of town, or being under
pressure from family to alter priorities away
from operating the spillway gate system in an
emergency.
– There is a clear unequivocal mandate to
operate the spillway gate system in accordance
with the operating rules, without referral to
superiors, and there is no approval sequence
required or imposed.
Based on the above, the HEP was calculated using
the operator combinations shown in Table 1.
The overall HEP of 0.139 per demand is quite
high and was made up of a common HEP
component of 0.078 per demand attributable to not
getting to the dam, and an operator average HEP
of 0.066 per demand, which reflects the
combination of operator and assistant skills. The
two HEPs were treated separately in the fault tree,
with the common component as a common cause
failure, and the operation HEP as independent
events for each operator input. Faulty operation
due to maintenance defects, (e.g. switches left in
the wrong position) was estimated as a HEP of
0.01 per demand reflecting high levels of skill
attributable to maintenance operations and the
expectation that the equipment will be test run to
reveal defects after maintenance. The sensitivity
of the overall gate reliability to HEP was explored
as discussed in the following subsection.
Operators
Sensitivity Analyses
5.2 (a) Sensitivity to Grid Reliability
A summary of the FTA results using the overall
HEP of 0.139 per demand and the two grid
unavailabilities is shown on Table 2.
Description
Basic Mechanical &
Electrical (M&E)
1 gate fails
2 gates fail
3 gates fail
All gates OK
Grid
0.080
(per
demand)
0.0037
Grid
0.445
(per
demand)
0.0056
0.0104
0.0007
0.0006
0.9883
0.0128
0.0025
0.0024
0.9768
Table 2 Estimated Spillway Gate Failure Rate
Sensitivity to Grid Failure (per
demand)
In all cases, the most important event was
Operator Common HEP and the most important
Cut Set included, Operator Common HEP, Grid,
and Operator Auto-Manual Switch.
A cut set is a set of basic events whose occurrence
causes the top event to occur. A minimal cut set is
a cut set that would not remain a cut set if any of
its basic events were removed.
It is of interest to note that the second most
important cut set changed with the gate fail cases
as shown below:
– 1 gate fails: Valve 4, Operator average HEP,
and Mobile Hydraulic Pack.
First
Shift
Second
Shift
1
0
– 2 gates fail: Main switchboard, Operator
Common HEP, and Software.
0
1
– 3 gates fail: Main switchboard, Standby Diesel
mechanical, Grid, Operator Common HEP, and
Software.
2
2
5.2 (b) Sensitivity to No Operator
Number of principal operators,
fully trained, fully familiar, and
responsible for routine exercises.
Number of reserve operators, not
as fully trained, but familiar with
the spillway gate system
Number of back-up personnel,
not routinely involved in
spillway gate system operations.
Overall HEP (per demand)
Operator common HEP (per demand)
Operator average HEP (per demand)
0.139
0.078
0.066
Table 1 Estimated Spillway Gate Unavailability
HEP (per demand)
ANCOLD 2006 Conference
5.2
To test the contribution of the operators to the
overall spillway gate system reliability, a limiting
case of no operator present at the dam (i.e. no
manual control of any of the aspects of spillway
gate system operation) was considered with the
results shown on Table 3.
Page 8
Ross River Dam Spillway Gate Reliability and the Impact on the Design
Description
HEP 0.139 per
demand (Base)
No
Operator
Basic M+E
1 gate fails
0.0043
0.0104
0.0163
0.0464
Table 3 Estimated Spillway Gate Unavailability
Sensitivity to No Operator (per demand)
The no operator case resulted in a four-fold
reduction in gate availability and confirmed the
essential role of the operators.
5.2 (c) Sensitivity to Staffing Numbers and Skill
Level
The sensitivity to the number and skill levels of
the available operating staff was tested as shown
on Table 4, with the Fussell-Vesely4 event
importance. As expected, the results confirmed
that a larger number of operators at the site
improved the reliability as did the skill level of the
operators.
The recommendation was made to the Dam
Owner to provide the staffing in accordance with
the Case 3 with one Principal Operator, one
Reserve Operator and four Back-up Operators.
5.2 (d) Sensitivity of PLC to Component
Redundancy
Several sensitivity trial runs were undertaken for
less redundancy in the PLC system, as shown on
Table 5.
5.2 (e) Sensitivity of Reduced Redundancy for
Standby Diesel, Diesel Hydraulic and Mobile
Hydraulic
The redundancy of each of the standby diesel
generators, the diesel hydraulic pump in the
hydraulic power packs, and the trailer mounted
mobile hydraulic pack were evaluated as shown
on Table 6. Comparison with the base case
showed a small but useful improvement for the
stand-by diesel generator, a small improvement
for the diesel hydraulic units, and a very
significant three-fold improvement for the mobile
hydraulic unit. This result showed that the mobile
unit was very beneficial, but that the diesel
hydraulic units were less important to the spillway
gate reliability.
5.3
Fault Tree Analysis Conclusions
The Fault Tree Analysis was valuable in
supporting decisions on recommended staffing,
choice of power back-up and selecting levels of
redundancy for the spillway gate system. The
system proposed was generally in accordance with
good modern practice for radial gates, although it
is rare that reliability analysis is conducted in
support of the design of such gate systems. To
place the spillway gate reliability in the context of
its role in contributing to the risk of dam failure,
the reliability estimates were used in an overall
dam safety risk assessment, which is summarised
in Section 6.
The principal objective was to have a system
reliability with a Safety Integrity Level (SIL) of at
least SIL 2, which approximates to a failure rate of
less than 10-2 per demand. As can be seen from
Table 5, the trials that appear to achieve SIL 2 are
those with essentially full duplication of PLC
subcomponents, except the CPU. This result
shows that the PLC system should be fully
redundant.
4
This measure of event importance is the ratio of the
probability of the union of all minimal cut sets
containing the basic event A, divided by the probability
of the union of all minimal cut sets. In practice, the
sum of the probabilities of all minimal cut sets
containing the basic event being considered, and the
denominator is the probability of the top event.
ANCOLD 2006 Conference
Page 9
Ross River Dam Spillway Gate Reliability and the Impact on the Design
Staffing
Case 1
Day
Night
Principal Operator
Reserve Operator
Back-up Operator
1
0
1
Overall HEP
Operator Common
HEP Component
Operator average HEP
Component
One of three gates fail
Event Importance
Case 2
Day
Night
0
1
1
1
0
2
0
1
1
Case 3 (Base)
Day
Night
1
0
2
Case 4
Day
Night
0
1
2
1
0
2
1
0
2
0.216
0.182
0.147
0.119
0.139
0.078
0.120
0.078
0.041
0.031
0.066
0.045
0.0170
Operator 0.772
Common
HEP
Grid
0.112
Operator 0.081
HEP
0.0120
Operator 0.709
Common
HEP
Grid
0.102
Operator 0.085
HEP
0.0096
Operator 0.582
Common
HEP
Grid
0.088
Engine
Mech.
Engine
Mech.
0.0104
Operator 0.539
Common
HEP
Grid
0.087
Operator 0.221
HEP
Valve 4
0.032
0.035
0.032
Operator
HEP
0.158
Valve 4
0.029
Table 4 Estimated Spillway Gate Unavailability Sensitivity Analysis for Operator Staffing and
Skills (per demand)
PLC Sensitivity
Duplicate (indicated by shading)
Power
Supply
CPU
Digital
Input
Digital
Output
Analogue
Input
Analogue
Output
Potentially SIL 2
Potentially SIL 2
Commu
nications
Hardware
Failure
Rate (per
demand)
Failures
Per 1,000
demands
0.0028
3
0.0127
13
0.0301
30
0.0445
45
0.0612
61
0.0706
71
0.0755
76
0.1140
114
0.0442
44
0.0080
8
0.0127
13
0.0127
13
0.0303
30
0.0203
20
0.0128
13
Table 5 Estimated Spillway Gate Unavailability Sensitivity Analysis of PLC to Component
Redundancy (per demand)
ANCOLD 2006 Conference
Page 10
Ross River Dam Spillway Gate Reliability and the Impact on the Design
HEP 0.180 per demand and Grid 0.445 per demand
Standby
Diesel
Generator
Diesel
Hydraulic
Units
Mobile
Hydraulic
Unit
1 Gate
Unavailability
(per demand)
1 of 3 Gates
Unavailability
(per demand)
Most
Important
Event
Event
Importance
Yes
Yes
Yes
0.0062
0.0138
Operator
Common HEP
0.51
2
No
Yes
0.0045
0.0128
Operator
Average HEP
0.41
Yes
No
Yes
0.0079
0.0162
Operator
Common HEP
0.43
2
Yes
No
0.0131
0.0378
Operator
Common HEP
0.06
Yes
Yes
No
0.0165
0.040
Grid
0.12
2
No
No
0.0174
0.0499
Valve 4
0.04
Yes
No
No
0.0280
0.060
Grid
0.16
No
Yes
Yes
0.0462
0.0673
Grid
0.83
Table 6 Estimated Spillway Gate Failure Rate Sensitivity Analysis for Reduced Redundancy of
Standby Diesel, Diesel Hydraulic and Mobile Hydraulic (per demand)
6
6.1
DESIGN VALIDATION
AND GATE RELIABILITY
CONTRIBUTION TO
OVERALL DAM FAILURE
RISK
Section
Selection
The data mining required for all aspects of the
input for estimation of the system response
probability curves was extensive and the
subsequent development of the failure mode
characterisations and the representative
embankment cross sections for use in the risk
model was carried out during a two-week
“lockdown” workshop which involved the
design manager, risk analyst, geologist,
embankment designer and hydrogeologist.
ANCOLD 2006 Conference
Probability
Estimates
System Response Curves
Common Cause
Adjustment
Model Development
The development and application of the risk
model was ongoing as information was
obtained from data mining, geotechnical
investigations, and embankment and spillway
design analyses. The basic process for the risk
integration used in the model is shown on
Figure 5.
Data
Analysis
Gate
Failure
Analysis
Failure
Adjustments
Flood
Frequency
Data
Combined Gate and
Embankment Failure Frequency
Consequence
Data
Risk
Figure 5 Ross River Dam Design Validation
Model Risk Integration
The resulting design validation model included
38 failure mode combinations and their length
effects for the following dam sections with
representative cross section chainages shown
in parentheses:
Page 11
Ross River Dam Spillway Gate Reliability and the Impact on the Design
•
•
•
•
•
6.2
Spillway
Central Core Rockfill Embankment
Chg 200 –580 m (Chg 300 m and 500 m)
Transition Chg 580–689 m (Chg 625 m)
Embankment Chg 689 – 781m
(Chg 700 m)
Embankment Chg 781 m – 2,927 m
(Chg 800 m and Chg 2,550 m)
Embankment Chg 2,927 m – 6,343 m
(Chg 4,300 m, 4,600 m, 4,900 m and
5,800 m)
Embankment Chg 6,343 m – 8,200 m
(Chg. 7,000 m)
System Response Curves and
Common Cause Adjustment
A system response probability (SRP) curve
was developed for each failure mode to
represent the estimated conditional failure
probability as a function of an independent
variable; e.g. piping failure likelihood versus
the flood and normal hazard water level. The
SRPs for different failure modes associated
with the flood and normal loading are common
cause failure modes, which are not mutually
exclusive and therefore were adjusted using the
unimodal bounds theorem (Ang and Tang
1984). The calculated upper bound was then
used to adjust the branch failure probabilities
for each failure mode using the methodology
of Bowles et al (2001) and Hill et al (2004).
6.3
Flood Hydrology
The hydrological analyses for the study were
carried out using a joint probability approach
for the following scenarios:
•
•
•
Existing condition with lowered spillway
crest
Spillway with piers and ogee but no gates
Spillway with 0, 1, 2 and 3 gates
operational
The resulting flood frequency relationships are
shown on Figure 6.
ANCOLD 2006 Conference
52.0
3 Gates Operating
50.0
3 Gates Operating
2 Gates Operating
48.0
1 Gate Operating
No Gates Operating
Ogee No Gates
46.0
WL [m AHD]
•
•
Existing Broadcrested Weir
44.0
42.0
40.0
38.0
36.0
34.0
1
10
100
1,000
10,000
100,000
1,000,000
10,000,000
100,000,000
AEP (1 in Y) [years]
Figure 6 Flood Frequency Relationships
6.4
Combined Gate and Flood
Failure Frequency Analysis
The hydrological hazard frequency curves was
divided into 50 loading intervals and the
system response probability curves for each
failure mode were interpolated to derive
estimates of the failure likelihoods at each
interval for each spillway gate failure scenario.
The use of the unimodal bounds theorem and
the failure mode adjustments referred to above
allowed direct combination of the gate failure
probabilities with the conditional failure
probabilities in each loading interval. The
combined gate and flood failure probabilities in
each loading or peak reservoir level interval for
each failure mode were then used to develop
the F-N (i.e. Frequency of life loss vs.
estimated Number of lives lost) Societal Risk
curve for evaluation against the ANCOLD
societal risk guideline.
6.5
Risk Analysis
The following data was derived for each risk
analysis run to evaluate (a) the upgrade
requirements prior to commencement of
operation of the spillway gates and (b) the
requirements for the upgrade works to satisfy
the Dam Safety Regulator based on the
ANCOLD limit guidelines and the Client’s
requirements:
•
•
•
•
•
•
•
•
Piping through the Embankment
Piping through the Foundation
Overtopping
Spillway Failure
Societal Risk Total
Individual Risk
Financial Risk Cost
F-N Curve
Page 12
Ross River Dam Spillway Gate Reliability and the Impact on the Design
6.6
Results
Figure 7 shows some results from the design
validation model for the various stages of the
upgrade works together with the full upgrade
for dam crest levels ranging from 47.2 m to
48.5 m AHD. These results were used to
evaluate the dam crest level options against the
design criteria and the ANCOLD tolerable risk
guidelines.
1.0E-02
Piping
Embankmen
t
Annual probability of Failure - All Modes
1
Piping
Foundation
2
1.0E-03
3
Overtopping
1.0E-04
4
Spillway
1.0E-05
1.0E-06
1.0E-07
Spillway 38.2m
Lowered
Spillway
Broadcrest Weir
34.66m
Full Upgrade Dam
Crest Level 47.2m
Full Upgrade Dam
Crest Level 47.5m
Full Upgrade Dam
Crest Level 48.0m
Full Upgrade Dam
Full Upgrade Dam
Crest Level 48.0m & Crest Level 48.5m
Trench 3m deep Chg
6000m to 8400m
Figure 7 Estimated Total Probability of
Dam Failure for various Upgrade
Options and Dam Crest Levels
The ALARP evaluation indicated a “strong
justification”for raising the embankment only
to RL 48.0 m AHD during the present stage of
the works, with deferment of the final
construction stage to the PMF level of
RL 48.5m AHD.
The percentage contributions of the spillway
gate system reliability states to the probability
of dam failure were estimated to be as follows:
– All Gates Operational
94.6%
– 1 gate fails to operate
2.3%
– 2 gate fails to operate
0.9%
– 3 gate fails to operate
2.2%
Thus spillway gate failure to operate on
demand was estimated to contribute a total of
5.4% of the total probability of dam failure.
7
during flood events. The Fault Tree provided
useful information regarding redundancies and
system design requirements.
As a result of the iterative reliability analysis,
the overall dam safety risk assessment
procedure which was followed during the
design of the gate system and the other dam
safety upgrades an overall gate system failure
rate in the order of 1x10-2 per demand for a
single gate failure was found to be an
appropriate goal to meet the desired risk profile
and to be reasonably consistent with current
good practice for similar new spillway gate
systems. This was effectively achieved and is
reflected in the relatively small contribution of
the spillway gate failure to the overall risk of
dam failure. It should be noted that at a
different project with different reservoir
operating rules the relationship between
spillway gate failure rate and overall dam
failure probability might be very different as
demonstrated by Lewin et al (2003).
Design Validation resulted in a cost-effective,
rigorous and defensible design, which satisfied
all of the upgrade objectives and lowered the
existing risk to meet current ANCOLD
tolerable risk guidelines for existing dams.
8
REFERENCES
ANCOLD.
2003.
Guidelines on Risk
Assessment. Australian National Committee
on Large Dams, Brisbane, Queensland,
Australia.
Bowles, D.S., L.R. Anderson, and S.S.
Chauhan. 2001. Approaches to the Common
Cause Adjustment in Event Trees Used in Dam
Safety Risk Analysis.
An IDSRM-USU
Working Paper, May.
Bowles, D.S., 2004. ALARP Evaluation:
Using
Cost
Effectiveness
and
Disproportionality to Justify Risk Reduction.
ANCOLD Bulletin 127:89-106. August.
CONCLUSIONS
The spillway gate reliability analysis was
found to be a useful tool for development of
understanding and evaluation of various design
options for the spillway gate system for the
Ross River dam safety upgrade project and to
demonstrate that the desired risk profile should
be met by the final design. The analyses were
used to justify the required operator attendance
ANCOLD 2006 Conference
Fell R, C F Wan and M Foster, 2004, Methods
for estimating the probability of failure of
embankment dams by internal erosion and
piping – Piping through the embankment,
UNICIV Report No. R-428 May 2004, the
University of New South Wales, Sydney, ISBN
85841 395 7.
Page 13
Ross River Dam Spillway Gate Reliability and the Impact on the Design
Fell R and C F Wan, 2005, Methods for
estimating the probability of failure of
embankment dams by internal erosion and
piping in the foundation and from embankment
to foundation, UNICIV Report No. R-436,
January 2005, the University of New South
Wales, Sydney, ISBN 85841 403 1.
Graham, 1999, USBR, Dam Safety Office
Publication DSO-99-06 “A Procedure for
Estimating Loss of Life caused by Dam
failure”September 1999
Hill, P.I., D.S. Bowles, P. Jordan, and R.J.
Nathan, 2004. Estimating Overall Risk of
Dam Failure: Practical Considerations in
Combining Failure Probabilities. ANCOLD
Bulletin 127:63-72. August.
Lewin, J., G. Ballard and D.S. Bowles. 2003.
Spillway Gate Reliability in the Context of
Overall Dam Failure Risk. Presented at the
2003 USSD Annual Lecture, Charleston, South
Carolina.
http://www.engineering.usu.edu/
uwrl/www/faculty/bowles.html.
9
ACKNOWLEDGEMENTS
The authors acknowledge all of the parties
involved in the design of Ross River Dam
Upgrade including NQWater, and the Expert
Review Panel. The design was undertaken as
an integrated team involving GHD and MWH
personnel and other specialists including SKM.
The authors also wish to thank the US Society
of Dams for permission to adapt this paper,
which has in part been presented at the 2006
USSD Annual Conference.
ANCOLD 2006 Conference
Page 14