SCHOOL OF CIVIL, ENVIRONMENTAL, AND GEOLOGICAL ENGINEERING

WATER RESOURCES AND ENVIRONMENT CLUSTER

NAME

VALERIO, STEVEN C.
STUDENT NO. COURSE & YEAR SUBJECT & SECTION

2016141805 CE / 3 CE175P-5W / B2
MODULE ASSESSMENT SIGNATURE

MODULE 3 CW7

• Part 1 Dam Systems and Modelling

o Chapter 02 Management, Control, and Operation
 System operation is the modus operandi of the organisation that owns and operates
the system.
 It is recognised that the ‘owner–operator model’ is not the only feasible
organisational arrangement, but the term is used as a convenient means of
conveying the notion that both ownership and operator decisions together constitute
the operation of the system.
 System Operation
• The issue of what we mean by system operation can be addressed in the
following two questions:
 Given the overall objectives of the system, how much water must be
released through each waterway at any time?
 Given the decision on how much water must be released, what needs
to be done and how, and when should the decision be implemented?
• The term waterway is used here to include each piece of flow-control or
discharge equipment, or path by which water can flow.
• In practice, treatment of part (i) of question 1 involves the development of
detailed inflow–outflow management rules.
• Question 2 presents the problem of conditioning the system such that it can
successfully respond to various and conflicting demands.
• Organisational Practices
 The matters of ‘how’ and ‘extent to which’ are complex matters that
reflect a wide range of organisational views over considerable
periods of time.
 Furthermore, political considerations concerning public perceptions
and expectations when they influence operational decisions may
provide the short-term objectives while concealing longer term
latent safety hazards (e.g., holding water behind a dam to alleviate
downstream flooding may put the system in an operational state that
renders it incapable of withstanding the effects of the as yet not
appreciated but imminent larger inflow).

1
  Similarly, maintenance and operational decisions long in the past,
and often forgotten, influence present-day assumptions and actions
concerning the operation of equipment in ways that can have
unexpected outcomes now and in the future.
 The complexity of the ‘whole-system’ operational process is
determined by operational arrangements within the dam-owning
organisation, and by the people who are responsible for
implementing the operational arrangements within the various parts
of the organisation.
• Management Practices
 The dam safety management practices that have emerged in recent
years (ICOLD, 2011) focus on physical and operational barriers
intended to prevent hazardous conditions from progressing to failed
states (Figure 2.1).
 The upper part of Figure 2.1 – according to the paradigm of Reason
– represents the barriers required to prevent hazardous conditions
from emerging within the physical system. These are the
components of the active failure.
 The lower part of the figure represents activities put in place by the
organisation to ensure the adequacy of the barriers. These are the
components of the latent conditions.

2
 Reason extended this thinking, as illustrated in Figure 2.2, to follow the
causal path that an organisational failure typically follows, and the
corresponding stages of the subsequent investigation into that failure.
 Reason makes two organisational factor distinctions between active
failures and latent conditions:
o Active failures usually have immediate and short-lived effects at
the point that they occur, while latent conditions may remain
dormant for a long time without discernible effects until they
interact with local circumstances in a way that results in a
failure. Active failures tend to be unique to a specific event.
o Active failures usually occur at the human–system interface,
whereas latent conditions develop at the upper levels of the
organisation and within the related design, production,
contracting, regulatory and governmental organisations. Latent
conditions can contribute to a number of different accidents if
they remain undiscovered and uncorrected.
 The contributions to latent conditions are many in the organisation, but
can be broadly outlined as including the following:
o licensing arrangements
o societal expectations (including political expectations in the past
and present)
o the organisation’s social responsibility (including corporate
values and principles)
o risk appetite (strategic and operational risk)
o the organisation’s strategies and policies
o organisational culture
o organisational arrangements
o management and procedural arrangements (including asset
management arrangements, and the maintenance and
replacement regime)
o human resourcing and competence (including compensation and
rewards)
o budgeting, financing and investment arrangements

3
 o system reliability and availability targets and measures
o human factors
o design of the operations regime
o implementation of the operations regime (including forecasting)
o operator error in real-time operations
o failures in the safety assurance process.
 Underlying every technology is at least one basic science, although the
technology may be well developed long before the science emerges
(e.g., glassmaking). Overlying every technical or civil system is a social
system that provides purpose, goals and decision criteria.
 As Leveson points out:
o Effectively preventing accidents in complex systems requires
using accident models that include that social system as well as
the technology and its underlying science. Without
understanding the purpose, goals and decision criteria used to
construct and operate systems, it is not possible to completely
understand and prevent accidents.
 In recognition of the social dimensions of systems safety, the matters of
o licensing arrangements
o societal expectations (including political expectations in the past
and present)
o the organisation’s social responsibility (including corporate
values and principles)
 Some elements of the system controls are more critical than others under
normal operational conditions.
 However, less critical elements can become critical to hydraulic control
if the system transitions to a state that renders them so.
 Thus, a decision to defer maintenance of a redundant feature may be the
final causal factor in loss of control if it is called into service.
• Legal regime and licensing
 The legal regime and licensing of the jurisdiction in which the dam is
located govern the modus operandi of the owner-operator.
 Legal regimes for the storage and release of water have existed since
ancient times (the Code of Hammurabi, c. 1780 BCE), although the
punishments for violations have changed.
 The legal regime varies from country to country, with two general
concepts being common: a prescriptive concept and an objectives-based
concept.
 The prescriptive concept sets out what is to be done and may include
precise instructions of how implementation is to occur, whereas the
objectives-based concepts set out what outcome should at least be
achieved, without specifying if this will be sufficient and without
defining how the objective should be achieved.

4
  These two concepts are formalised in the two generally known legal
systems:
o the Roman system, with its origins on the European mainland,
and
o the common law system, with its origins in England.
 There are a number of important differences between these regimes that
lead to different ways of determining what is ‘safe enough’.
 Of particular relevance is the difference between the Roman system,
where everything that is not explicitly forbidden is allowed, and the
common law system, where what is not explicitly allowed is forbidden,
unless it can be justified, where necessary in court (Ale, 2005).
 This leads to totally different interpretations between the two systems
as to the meaning of the terms ‘as low as reasonably achievable’
(ALARA) and ‘as low as reasonably practicable’ (ALARP).
 Within these regimes, licensing arrangements generally define
responsibilities and boundaries for the operation of dams and reservoirs.
 These licensing arrangements generally guide the focus of those
responsible for directing the dam-owning organisation.
 However, a factor such as social responsibility could determine that,
although perhaps not required, outflow modification of floods during a
flood event is appropriate.
• Societal expectations and owner’s social responsibility
 The societal expectations with respect to the development, ownership
and operation of dams have changed dramatically over the last 30 years.
 The most significant changes have occurred with respect to the design
of new dams.
 The outputs of this process provide the essence of the reservoir–river
objectives for the system and the requirements of the operational
regime.

5
  Essentially, this is that stage at which the different, and often competing,
engineering, economic, environmental and social parameters are
brought together to create the overall system objectives and constraints.
 Ideally, the objectives for the system are best cast in terms of a single
statement of user need if possible, and the system operational
requirements characterised in some type of hierarchical format with
what might be termed ‘key capability requirements’ (must-have
attributes) at the highest level, with capability requirements (should-
have attributes), elective attributes (should have if reasonably
achievable) and discretionary attributes (nice to have if reasonably
achievable) beneath.
 The operational challenge at this point is to transform these broadly
stated objectives, requirements and attributes, which can be considered
in light of three water management actions (‘store’, ‘pass’ and ‘divert’),
into dynamic hydraulic operations control functions.
 These dynamic hydraulic operations control functions are achieved
through management actions that themselves draw on various other
capabilities, such as engineering, environmental sciences,
manufacturing and production processes, etc., all of which are
integrated with a management system of some type.
 Operational Objectives
• The essence of operating objectives as embodied in a water-use plan is:
 How much water needs to be released?
 How is the water released?
 When is the water released?
• Dams and reservoirs are very significant assets built for a purpose. They are
best managed in terms of an asset management system with associated asset
management processes

6
• Rarely is there a single purpose of a reservoir, although there are numerous
examples of dams built with the only objective being to control and mitigate
the floods.
• Such flood-control reservoirs often remain empty for prolonged periods of time
and fill only during flood periods, attenuating flood waters.
• There are also reservoirs built strictly for irrigation, and in many countries, there
are thousands of small dams built and operated by famers to provide water for
crops.
• Some dams are built for recreation, with the only objective being to capture
water during freshet and maintain a water level during the rest of the year for
boating, swimming or fishing.
• Some dams are built strictly for hydroelectric generation, and their only purpose
is to maximise power output.
• What happens most often, however, is that a single-purpose dam changes in the
way it is operated over time because other goals are added due to growing
demands.
• In many cases the construction of the dam invites further development
downstream, and the expectations of riparian communities change.
• Where once there was no demand for flood control, now communities have
been built in the downstream floodplain which require protection.
• The dam could have been built with the only goal to generate power but now
the communities demand that the dam should also provide recreation.
• Reservoir storage
 In a typical reservoir the entire available storage might be divided in
three zones as illustrated in the figure.

 The exclusive-capacity zone is established for a single purpose. Most

often this space is dedicated to flood control, although one can find
many examples of reservoirs that have the exclusive-capacity zone
dedicated to navigation or hydroelectric generation.
 The multi-purpose capacity zone may serve a wide variety of other
purposes, as listed in Figure 2.7.

7
  For a single-purpose reservoir the two upper zones can be collapsed into
one to serve the single dedicated purpose.
 The purpose of the inactive zone (sometimes also called the ‘dead zone’)
is to maintain a minimum pool level and provide storage for
accumulating sediment.
• Water Use Plan
 The water use plan is a statement of the role of the dam and reservoir in
the regional water resource system. This plan states the objectives of the
facility and the constraints under which it operates.
 These constraints will include, for example, the necessary power it is
scheduled to generate, the qualities and quantities of downstream water
releases for other purposes (e.g., ecological, water supply or
recreational), and flood routing requirements.
 The water use plan typically summarises the hydrology and discharges
of the river system and reservoir, and categorises the schematic flow
configuration and waterways

• Operating concepts
 The operation of a single-purpose reservoir is much simpler than that of
a multi-purpose one. Consider a reservoir dedicated strictly to flood
control.

8
  The most effective operation of the reservoir is to keep it empty at all
times except for times of heavy inflows, which if released would cause
adverse impacts downstream.
 If inflow exceeds a threshold, excess inflow can be stored, and only the
amount up to the threshold would be released.
 However, even such a simple case gets more complicated in practice.
Every reservoir has a finite storage, and the inflows are uncertain.
 Therefore, following the simple rule explained above, inflows can lead
to damages that would be avoidable if the operating rule was constructed
in such a way that the purpose of the operation was to capture only the
highest inflows.
 Operational Strategies
• Dams and reservoirs are typically constructed to achieve one or more primary
objectives.
• The primary objective(s) may have secondary, tertiary or even lower order sub-
objectives, which together form the overall objectives for the reservoir–river
system.
• Alternatively, it may be that once the primary objective(s) have been defined
and the means of achieving them determined, other potential functions are
identified and incorporated as additional objectives.
• Once defined, the objectives, their interrelationships and interdependencies
together define the operational regime of the system.
• Reason for the system and its operational regime
 Water management systems differ from many other productive systems
in that they constitute human-altered natural systems that utilize a
naturally occurring resource without fundamentally altering the
physical properties of that resource (i.e., the water), although
characteristics of it, such as its potential energy, temperature, soluble
and suspended contents, and the like may be changed.
 In the modern context, the reservoir–river and the operational regime
for a water management system are determined in part by the owning
organisation and in part with the consent of society.
 The boundary between societal controls and the owner’s responsibilities
is broadly defined in licensing and regulatory arrangements.
 However, there is not a distinct separation between the influence of
external societal factors and the owner’s internal operational system.
 Rather, there are interdependencies and feedback paths between the
external influences and the internal controls.
 The conceptual flows and feedbacks in the reservoir–river system are
suggested in Figure 2.11.

9
  The main horizontal paths are the flows from upstream to downstream.
Some of these are through production waterways, some through
spillways, some through the dam, and so forth.
 Influencing these flows are a large number of considerations, shown as
bubbles and boxes with arrows suggesting lines of influence.
• Whole life-cycle water asset management
 The management of physical assets such as dams, hydraulic production
systems and supporting infrastructure has a long history, arguably
dating back to Egyptian and Mesopotamian times when water system
assets were managed by means of robust design.
 More formal methods of asset management emerged in the 1970s, and
systematic approaches to physical asset management have emerged over
the past 20 years or so.
 The activities within the dotted boundary represent in-service asset
operations, which from the perspective of a management system
hierarchy, is commonly considered.
 The culture and traditions of the organisation, together with the
prevailing engineering practices, operational arrangements and the
societal expectations of a dam–reservoir system, provide the
overarching framework for the functional performance and reliability of
the system.
 The ‘directing mind’ of the owning/operating organisation will typically
have some flexibility concerning operational choices within legally
binding parameters.
 Excursions outside the legally binding parameters are always possible
due to some breakdown of the physical or organisational control
process, which may have legal consequences depending on the outcome
and the legal enforcement regime.
 These latent conditions are an inevitable part of any organisation, and
they are not necessarily the result of bad decisions.

10
  Resources are rarely equitably distributed across organisational
activities, and the distribution of resources may be based on sound
commercial arguments.
 However, these inequities create quality, reliability or safety problems
for someone somewhere in the organisation at some later point in time.
 The ‘directing mind’ of an organisation can, and usually does, influence
the design, construction, operation and maintenance of the system over
the whole life cycle, as this is where the control of financial resources
and expectations of the organisation are determined.
 As judgements are made at all levels of the organisation, how
individuals at various levels interpret the organisational risk appetite
may also be an influencing factor.
 Individuals may introduce personal values into decision-making.
 Other factors are inappropriate reward and compensation structures, a
culture with characteristics that lead to unfavourable management
 and work practices (e.g. ‘blame and train’ safety management, poor
appreciation by non-technical executives of their role in ensuring the
integrity of the technological and built systems), etc.
 Qualitative modelling of dam safety management activities
• In the modern context, safe management of operational activities built on the
concept of control processes (feedback loops) is built into the human,
technology, organisational and, more recently, information systems to ensure
continued safe operation of the system as a whole.
• Barrier-based methods of safety management provide a useful means of
addressing the problem of loss of flow control in dam and reservoir systems.
• In a general sense, barriers can be characterised in different ways (Svenson,
1991), although the idea of barriers in the management of risk has earlier
origins.
• Barriers can be defined simply in terms of equipment, built entities or rules that
can stop the development of an accident.
• Alternatively, a distinction between three types of barriers – passive, active and
procedural barriers – may be made.
• One way is with regard to their temporal relation to an actual or hypothetical
accident. Typically, barriers may be considered to be preventive or protective.
• Barriers that are designed to work before a specific accident
• event takes place serve as preventive measures. Such barriers are supposed to
ensure that the accident does not happen, or at least to slow down the
development of conditions that may result in an accident.
• Barriers that are intended to work after a specific initiating event has taken place
serve as means of protection.
• These barriers are intended to shield the environment and the people in it, as
well as the system itself, from the adverse effects of the accident.
• Barriers may be either active or passive and are not necessarily physical in
nature.
11
  If a barrier is active, it involves one or more functions, the results of
which achieve the purpose of the barrier.
 If a barrier is passive or inactive, it means that it serves its purpose by
its presence rather than by actively doing something.
• Overall, for the purposes of this book, the process of engineering the system to
safely retain water and pass flows through and around the dam in a controlled
way benefits from the use of qualitative barrier analysis and the various other
related methods, of which two of several are briefly outlined below.
• In general, the full suite of barrier types and uses can be applied in various ways
and in various places to any flow-control system.
• The human–technology–organisation (MTO) process, which focuses on the
interaction between humans, technologies and organisations (Lundberg et al.,
2009), is one development related to the barrier concept.
• It was developed for accident and incident analysis, and further developed for
improving accident investigation, safety, quality and efficiency within
companies and organisations.
• MTO is associated with at least three different (but related) domains:
 MTO as a set of analytical techniques. In this domain the MTO concept
focuses on the methods that analyse the relationships between humans,
their activities and the organisational and technological context in which
these activities take place.
 MTO as a human factors specialist domain. In this domain the MTO
concept is foremostly perceived as a specialist domain, supported by
knowledge of human factors, psychology and other human-related
sciences.
 MTO as a metaphor for system thinking about safety. In this perspective
the MTO concept is viewed neither as a set of specialist domains nor as
a set of specific methods, but as a general attempt to develop a safety-
culture thinking that focuses on the entire socio-technical system
(including technology, human factors and organisational issues).
• Hollnagel’s FRAM (Hollnagel, 2012), which can be related to MTO, is used
here to illustrate the way in which the systemic approach can be applied in a
qualitative way to both physical assets and operational activities, as would be
set out in a management system.
• Qualitative modelling of spillway gate maintenance and testing activity
 Inspection, testing and maintenance of spillway gates is an essential
element of the operational management of dams and reservoirs, as it is
the means of assurance of the relevance and accuracy of spillway gate
reliability parameters used in a spillway system reliability analysis.
 The broader application is in the reliability of the totality of the
discharge function, and the example outlined below is just as applicable
to the maintenance, inspection and testing of the hydraulic production
systems.

12
 It is also applicable to any other function that relies on maintenance,
inspection and testing, including human competence.
 The four principal steps in a FRAM analysis (Figure 2.14) are:
o Identify essential system functions and characterise each
function by means of six basic parameters (based on the
structured analysis and design technique).
o Identifying essential system functions and characterising
each function by six basic parameters. The functions are
described through six aspects, in terms of their input (I,
that which the function uses or transforms), output (O,
that which the function produces), preconditions (P,
conditions that must be fulfilled to perform a function),
resources (R, that which the function needs or
consumes), time (T, that which affects time availability)
and control (C, that which supervises or adjusts the
function), and may be described in a table and
subsequently visualised in a hexagonal representation.
o The main result of this step is a FRAM ‘model’ with all
basic functions identified.
o Characterise the (context dependent) potential variability (using
a checklist).
o Characterisation of the (context dependent) potential
variability through common performance conditions.
Eleven common performance conditions (CPCs) are
identified in the FRAM method, and these are used to
elicit the potential variability:
 availability of personnel and equipment
 training, preparation and competence
 communication quality
 human–machine interaction and operational
support
 availability of procedures
 work conditions
 goals – number and conflicts
 available time
 circadian rhythm and stress
 team collaboration
 organisational quality
o These CPCs address the combined human, technological
and organisational aspects of each function.
o Define functional resonance based on possible dependencies
(couplings) between functions.
o The output of the functional description of step 1 is a list
of functions, each with its six aspects.
13
 o Step 3 identifies instantiations, which are sets of
couplings between functions for specified time intervals.
o The instantiations illustrate how different functions are
active in a defined context. The description of the aspects
defines the potential links between the functions.
o Identify barriers for variability (damping factors) and specify
required performance monitoring.
o Barriers are hindrances that may either prevent an
unwanted event taking place or protect against the
consequences of an unwanted event.
o Besides recommendations for barriers, FRAM is aimed
at specifying recommendations for the monitoring of
performance and variability, to be able to detect
undesired variability.

• Model of maintenance, inspection and testing

 In the modern context, all aspects of dam safety management in the
operational phase can be systematised in terms of an organisation’s
management system, which at the detailed level of maintenance,
inspection and testing could be of the form illustrated in Figure 2.15.

 Stable and unstable system states

14
• Normal operational conditions can be considered to be the stable system state
where the system transforms inflows into productive outflows in a controlled
manner in accordance with the design intent.
• Ideally, the stable system state is the state that the physical system, the public,
the environment, the organisation and its operational staff become attuned to.
• Hydraulic deviations from this stable system state should result in some form
of adjustment within the modus operandi of the various entities involved with
the system.
• Control over the reservoir volume and outflow must also be maintained for all
normal stable, deviant stable, abnormal and unstable system states.
• A (trial) distinction is made here in an effort to unravel some of the
considerations that a system may exist in and/or pass through during various
operating conditions that might occur during the life cycle of the system, which
can be described broadly as follows:
 Normal stable. The system and its subsystems, functions, processes,
products and services are functioning entirely as envisaged by the
design, the owner–operator and all stakeholders (including the
environmental elements that have achieved a new state of equilibrium
through adaptation).
 Deviant stable. The system overall, in terms of its functions, processes,
products and services, is functioning in a stable manner, but one or more
of the subsystems, subfunctions and/or processes are not in the ‘normal
state’. Such conditions have been broadly divided into ‘internal deviant
stable’ and ‘external deviant stable’
o Internal deviant stable system states include planned outages
due to maintenance activities or forced outages of the type for
which the system is fault tolerant.
o External deviant stable system states include high-flow
situations where the inflows and outflows are above the annual
average and even larger than recent memory, but within the
operational parameters as defined in terms of the licensing
arrangements.
 Abnormal. The system exhibits behaviour that requires a change in the
operational mode of the system. It may or may not involve an immediate
change in the outputs of the system but could result in a change in the
outputs over time.
 Unstable. The unstable system state is that where the owner–operator
has either partial control or has lost control of the performance and
functions of the system.
• Different parts of the system and the system as a whole can exist in different
states at the same time.
• For example, part of the system, such as the production facility, may transition
from stable to an abnormal state, as could occur under production fault
conditions, while the overall system state transitions to an internal deviant state.
15
• In some cases, an operator of a reservoir might be faced with having to deal
with the simultaneous occurrence of a production facility fault, a high inflow,
an external disturbance and a new performance expectation.
• Such conditions can arise during large floods, when the production facility
might be forced to shut down, the inflows bring an associated large quantity of
debris, and there is a need to condition the outflows to avoid exacerbating an
emergency condition downstream (e.g., a landslide that blocks the river channel
downstream causing flooding in the community between the dam and the
landslide).

16