Lesson 3 Overview

In the previous lesson you learned about the potential risks associated with the Dams Sector. Crisis management consists of planning for and responding to any emergency incidents that might occur.

Objectives: Describe the purpose and elements of:

  • Emergency action plans.
  • Recovery plans.
  • Continuity plans.
    • Pandemic preparedness.
    • Computer incident response.

This lesson should take approximately 45 minutes to complete. You must complete this lesson in its entirety to receive credit.

Lesson 3 Audio Transcript

[Narrator]
Recent failures of the I-35 bridge in Minneapolis and the Taum Sauk Reservoir in Missouri are reminders that aging infrastructure is always at risk for unexpected failures. Incidents affecting the Dams Sector in particular have the potential for serious consequences, including loss of life.

[Alfred J. Hancock]
People don’t understand the power of water. You’re not going to stop it.

[Narrator]
When the upper reservoir at Taum Sauk failed in 2005, it took only 12 minutes for a billion gallons of water to rush down the Black River, creating a crest approximately 20 feet high. Though no one died in the incident, a family, including three children, was swept away in the flood and required treatment for injuries and exposure.

Despite sound design, proper operation, and excellent emergency planning, a full or partial facility failure remains a real possibility. Therefore, it’s critical that facility owners and operators develop, maintain, and exercise plans for responding to a crisis.

[Alfred J. Hancock]
Any organization or hydro project needs to have the plan available in case there is either a natural disaster or a terrorist act that would destroy a portion of the facility and put it out of commission.

[Narrator]
In a broad sense, crisis management consists of planning for and responding to any emergency incidents that might occur. Security plans, emergency action plans, and dam safety programs are intended to reduce the chances of damage and to limit the immediate consequences if failure does occur.

[Frank Calcagno]
Most people think that it’s much more complicated than it needs to be. What you have to do is just think out what you have to do, write it down, make sure that all the people that are in your organization know what to do, and simply get the job done. So it’s all common sense really.

[Narrator]
Dam safety programs have long relied on emergency action plans to mobilize a response, prevent uncontrolled release of water from the dam, and maintain public safety.

[Richard Myers]
In order to have an appropriate response to any type of an emergency or crisis, you have to have some sort of organized response to an unorganized event.

[Narrator]
In addition to the immediate safety issues addressed in the emergency action plan, damage to or failure of a facility can have long-term economic impacts for the wider community. Recovery plans help minimize such impacts, by addressing both short- and long-term repairs.

[Yazmin Seda-Sanabria]
We have to find a way to prioritize our limited resources and make smart investments with those limited resources. Risk-informed decisions help us prioritize those resources and focus them on those facilities that are critical.

[Narrator]
In some types of incidents, such as pandemic influenza, it might be necessary to continue dam operations during the absence of several key personnel. Continuity planning can be used to identify personnel with necessary skill sets and to define shifts of roles and responsibilities to respond to the major absence of personnel.

[Frank Calcagno]
Be prepared is the number one message I would like to say. Think about what could occur. Think about what you could do to stop anything, any potential event. Education is the best thing you can come up with. Know what you are facing—a lot of times you are not going to know what the threat is. But just being aware of what could be done will help you plan for the eventuality.

Effective Preparedness and Planning

Preparedness is essential for effective incident response and recovery. The preparedness cycle begins with planning. Planning:

  • Can influence events before they occur.
  • May shorten the time required to gain control of an incident.
  • Provides a methodical way to think through the entire lifecycle of a potential crisis.
  • Facilitates the rapid exchange of information about a situation.
  • Helps stakeholders learn and practice their roles.

As the preparedness cycle indicates, plans must be exercised and continually evaluated and improved.

Forming a Planning Team

Experience and lessons learned indicate that planning is best performed by a team. Using a team or group approach helps organizations define their perception of the role they will play during an operation.

One goal of using a planning team is to build and expand relationships that help bring creativity and innovation to planning during an event. This approach helps establish a planning routine, so that processes followed before an event occurs are the same as those used during an event.

Protection of Sensitive Information

Plans often receive wide distribution, and it might be necessary to exclude sensitive information from some copies.

Necessary but sensitive information could be included in planning documents as a supplement or as another appendix. For example, development of a recovery plan might require use of sensitive information such as specific vulnerabilities and potential consequences.

Distribution of this portion could be limited to those individuals or agencies with a specific need to know.

Security Provisions

Since the terrorist attacks on September 11, 2001, infrastructure security has received much greater attention. The Department of Homeland Security (DHS) has issued a National Infrastructure Protection Plan and a Dams Sector-Specific Plan.

Most larger dams now have some type of security plan in place, and these plans should be coordinated with the plans developed as part of your Crisis Management Program. Because of the areas of potential overlap between the security plans and crisis management plans, an appropriate security representative should be involved in developing and exercising the crisis management plans.

Additional information about security plans is presented in the Dams Sector Protective Measures Handbook and overview course.

Evaluation and Improvement of Plans

Following an incident or emergency, all participants should participate in a review of relevant plans that identifies:

  • Events occurring before, during, and following the incident and emergency.
  • Significant actions taken by each participant, and possible improvements for the future.
  • Strengths and deficiencies found in procedures, materials, equipment, staffing levels, and leadership.

For more information on evaluation methods, refer to the Homeland Security Exercise and Evaluation Program (HSEEP) Web site.

Planning-Related Processes: Plan Maintenance

Without periodic maintenance, plans become outdated and lose their effectiveness. Regular exercises and periodic reviews help assess workability and efficiency, identify weak areas, and recommend revisions.

Plan revisions should reflect any changes in:

  • Personnel of various organizations.
  • Communications systems.
  • Contact information.
  • Notification flowcharts.
  • The facility and/or floodplain.
  • Site, facility, and inundation maps.
  • Responsibilities.
  • Facility operations.

Types of Plans

There are three types of plans included in a comprehensive crisis management program. The next section of the lesson presents an overview of emergency action plans.

[Figure: Crisis Management Program - Emergency Action Plan (highlighted), Recovery Plan, Continuity Plan]

Emergency Action Plans

Safety programs rely on emergency action plans to:

  • Guide response in critical situations.
  • Mobilize a pre-planned response to prevent uncontrolled release of water.
  • Initiate community actions to maintain public safety in case of such a release.
  • Guide owners and operators in the prevention, response, and mitigation of impending serious incidents and minimize the ensuing life safety consequences and property damage.

Developing Emergency Action Plans

The owner is responsible for the development of the emergency action plan. During the planning process, owners:

  • Must coordinate with those agencies having emergency management responsibilities at the State, tribal, and local levels.
  • Ensure that the emergency action plan conforms to any applicable State or Federal requirements. Emergency management agencies use the information in an owner’s emergency action plan to facilitate the implementation of their responsibilities.

Dam Safety Guidelines

The Interagency Committee on Dam Safety has established Federal Guidelines for Dam Safety. One component of these guidelines is Emergency Action Planning for Dam Owners (FEMA 64), published by the Federal Emergency Management Agency (FEMA).

Much of the content and plan template presented in this section of the lesson parallels the FEMA 64 guidelines.

Voices of Experience: Emergency Action Plans

Dick Robert

The people you serve, the people in your community, the people who are affected by your facility—they just inherently believe that you have some process in place, if you have a catastrophic failure you’re going to protect them, you’re going to warn them, you’re going to save them. And the emergency action plan, maintained at a current level, gives you all those tools.

Yazmin Seda-Sanabria

An emergency action plan helps you set the stage for the preparedness portion, to know how to be better prepared prior to the event happening, and then immediately respond after the event happens. It allows us to have a one-stop source of information on how to be better prepared to face a crisis. It has key elements such as an alert notification chart, know who needs to be called first on our calling tree, when the emergency arises and how to reach out to all the potential elements that can be adversely affected, so we can move forward faster. One of the key benefits of emergency action plans is that it assists first responders to get people fast out of harm’s way, during a catastrophic event or an emergency.

Herbert Nakasone

The value is in being able to react in an orderly and rapid manner. If one didn’t have a plan, you wouldn’t know whether you’re doing the best thing possible or the right thing and you wouldn’t have made the contacts of the various organizations you need to contact in a crisis. One organization can’t do it alone. It doesn’t matter whether it’s a levee crisis or a dam crisis, any kind of crisis really amounts to doing the same kind of thing: Informing people, letting them know whether they’re in harm’s way and then what to do.

Alfred J. Hancock

The emergency action plan is a notification of the people downstream and the businesses downstream to let them know that there is an imminent danger or that it has occurred and get the evacuations going. It’s notification of the emergency management folks, to get their plans and put them into place and start evacuating people. It’s basically saving lives, saving injuries, but also on the other side you have the economic impact, you’ve got to make sure the businesses get notified, and if possible, remove as much stuff as they can. It comes down to trying to get the people out of the danger zone.

Emergency Action Plan Elements

Emergency action plans must be site-specific because conditions are unique at each facility and watershed, but they typically include the following elements:

The next screens present a brief review of each element.

Notification Flowcharts

A Notification Flowchart identifies who is to be notified of a dam safety incident, by whom, and in what order. The information on the flowchart is critical for the timely notification of those responsible for taking emergency actions.

For example, within the dam owner’s organization, the notification list should include at least representatives from project operations, engineering, and management. In addition to the internal list, the notification flowchart should include external agencies such as the State dam safety official, the local emergency management agency, and local law enforcement.

EAP Response Process

There are generally four steps that should be followed when an unusual or emergency incident is detected at a dam. These steps constitute the EAP response process. These steps are:

  • Step 1: Incident detection, evaluation, and emergency level determination
  • Step 2: Notification and communication
  • Step 3: Emergency actions
  • Step 4: Termination and follow-up

Early detection and evaluation of condition(s) or triggering event(s) that initiate or require an emergency response action are crucial. It is important to develop procedures for reliable and timely determination of an emergency level to ensure that the appropriate response actions are taken based on the urgency of the situation.

Emergency Detection and Evaluation: Events and Steps

In your emergency action plan you should include emergency detection and evaluation procedures. Listed below are some of the events that can lead to the failure of the facility and a brief outline of steps to take to address the situation:

  • Flooding
  • Erosion, Slumping/Sloughing, or Cracking of the Dam or Abutment
  • New Springs, Seeps, Bogs, Sandboils, Increased Leakage, or Sinkholes
  • Abnormal Instrumentation Readings
  • Malicious Human Actions (Sabotage, Vandalism, or Terrorism)

Additional information about the actions to be considered for various situations is included in the Preparedness Section.

Flooding

The _________ Dam is designed to safely convey the expected runoff from a _________ (____inches in ____ hours).

However, if during a major flood event, the reservoir level rises to within 1 foot of the top of the dam (elevation _______), conduct periodic (at least daily) inspections of the dam to check for and record the following:

  • Reservoir elevation;
  • Rate the reservoir is rising;
  • Weather conditions—past, present, predicted;
  • Discharge conditions of creeks and rivers downstream;
  • Downstream toe and abutments for any new seepage or abnormal (muddy flow) toe drain leakage;
  • Increased seepage rate as reservoir level rises; and
  • Cracks, slumping, sloughing, sliding, or other distress signals near the dam abutment or crest.

If any of the above conditions occurs, implement the Notification Flowchart for Potential or Imminent Failure.

Erosion, Slumping/Sloughing, or Cracking of the Dam or Abutment

Determine the location, size of the affected area(s) (height, width, and depth), severity, estimated seepage discharge, clear or cloudy seepage, and the reservoir and tail water elevations. If the integrity of the dam appears to be threatened, immediately implement the Notification Flowchart for Potential or Imminent Failure.

New Springs, Seeps, Bogs, Sandboils, Increased Leakage, or Sinkholes

If there is a rapid increase in previously existing seep areas, an increase in toe drain flow, or if new springs, seeps, or bogs appear, determine the location, size of the affected area, estimated discharge, nature of the discharge (clear or cloudy), and reservoir and tail water elevations (a map of the area may be helpful to illustrate where the problem is located). If the integrity of the dam appears to be threatened, immediately implement the Notification Flowchart for Potential or Imminent Failure.

Abnormal Instrumentation Readings

After taking instrumentation readings, compare the current readings to previous readings at the same reservoir level. If the readings appear abnormal, determine reservoir and tail water elevations, and contact the State Dam Safety Officer.

Malicious Human Actions (Sabotage, Vandalism, or Terrorism)

If malicious activity on or around the dam has been identified, immediately make an assessment of the existing conditions and determine the potential for dam failure. If the integrity of the dam appears to be threatened, immediately implement the Notification Flowchart for Potential or Imminent Failure.

Emergency Level Categories

After an unusual condition or incident is detected and confirmed, the dam owner will categorize the condition or incident into one of the established emergency levels based on the severity of the initiating condition or triggering events:

  • High Flow,
  • Nonfailure Concern,
  • Potential Failure, or
  • Imminent Failure.

The EAP should describe how each emergency level applies to the particular dam. Information to assist the dam owner in determining the appropriate emergency level should be developed and included in the EAP. The four dam safety emergency level categories are recommended. However, dam owners, in coordination with emergency management authorities, should determine the number of emergency levels required for each dam on a case-by-case basis.

Emergency Classification Levels

High Flow. The High Flow emergency level indicates that flooding is occurring on the river system, but there is no apparent threat to the integrity of the dam. The High Flow emergency level is used by the dam owner to convey to outside agencies that downstream areas may be affected by the dam's release.

Non-Failure. The Non-Failure emergency level is appropriate for an event at a dam that will not, by itself, lead to a failure, but requires investigation and notification of internal and/or external personnel. Examples are (1) new seepage or leakage on the downstream side of the dam, (2) presence of unauthorized personnel at the dam, and (3) malfunction of a gate.

Potential Failure. The Potential Failure emergency level indicates that conditions are developing at the dam that could lead to a dam failure. Examples are (1) rising reservoir levels that are approaching the top of the non-overflow section of the dam, (2) transverse cracking of an embankment, and (3) verified bomb threat. Potential Failure should convey that time is available for analyses, decisions, and actions before the dam could fail. A failure may occur, but predetermined response actions may moderate or alleviate failure.

Imminent Failure. The Imminent Failure emergency level indicates that time has run out, and the dam has failed, is failing, or is about to fail. Imminent Failure typically involves a continuing and progressive loss of material from the dam. It is not usually possible to determine how long a complete breach of a dam will take. Therefore, once a decision is made that there is not time to prevent failure, the Imminent Failure warning must be issued. For purposes of evacuation, emergency management authorities may assume the worst-case condition that failure has already occurred.

Notification and Communication

When developing notification and communication procedures, dam owners should coordinate closely with emergency management authorities. All parties must understand that the formal declaration of public emergency by emergency management authorities can be a very difficult decision. During this step, the dam owner should provide any information that will assist in that decision. An early decision and declaration are critical to maximizing available response time.

After initial notification, the dam owner should make periodic status reports to the affected emergency authorities and other stakeholders in accordance with the Notification Flowcharts and associated procedures.

Termination

Generally, the dam owner, or the dam owner's dam safety expert, is responsible for notifying the authorities that the condition of the dam has been stabilized. Government officials are responsible for declaring an end to the public emergency response.

Declaring an Emergency and Immediate Actions

Below are sample sections from the emergency action plan template:

  • Emergency Level 1: Nonemergency, Unusual Event; Slowly Developing
  • Emergency Level 2: Potential Dam Failure Situation; Rapidly Developing
  • Emergency Level 3: Urgent; Dam Failure Is in Progress or Appears To Be Imminent
  • End of Emergency Situation and Followup Actions
  • Malicious Human Actions (Sabotage, Vandalism, or Terrorism)

Emergency Level 1: Nonemergency, Unusual Event; Slowly Developing

Contact the State Dam Safety Officer. Describe the situation and discuss the next steps that should be taken.

Emergency Level 2: Potential Dam Failure Situation; Rapidly Developing

The following message may be used to help describe the emergency situation to local law enforcement and emergency management personnel:

“This is ___[your name and position]___. We have an emergency condition at ___[dam name and location]___. We have activated the emergency action plan and are currently under emergency level 2. We are responding to a rapidly developing situation that could result in dam failure. Please prepare to evacuate low-lying areas along ___[name of stream]___, per the evacuation map in your copy of the emergency action plan. I can be contacted at ___[phone number]___. If you cannot reach me, please call ___[name of alternate contact and phone number]___.”

End of Emergency Situation and Followup Actions

Once conditions indicate that there is no longer an emergency at the dam site, __________ will contact the county emergency management agency, which will then terminate the emergency situation.

Malicious Human Actions (Sabotage, Vandalism, or Terrorism)

If malicious activity on or around the dam has been identified, immediately make an assessment of the existing conditions and determine the potential for dam failure. If the integrity of the dam appears to be threatened, immediately implement the Notification Flowchart for Potential or Imminent Failure.

General Responsibilities

A determination of responsibility for EAP-related tasks must be made during the development of the plan. Dam owners are responsible for developing and maintaining the EAP. Dam owners in coordination with emergency management authorities are responsible for implementing the EAP. Emergency management authorities with statutory obligations are responsible for warning and evacuation within affected areas. All entities involved with EAP implementation should document incident-related events.

The EAP must clearly specify the responsibilities of all involved entities to ensure that effective and timely action is taken if an emergency at the dam occurs. The EAP must be site-specific because conditions at the dam and upstream and downstream of the dam are unique to every dam.

Preparedness

Preparedness, as it relates to an EAP for a dam, typically consists of activities and actions taken before the development of an incident.

Preparedness activities attempt to facilitate response to an incident as well as prevent, moderate, or alleviate the effects of the incident.

This section of the EAP should describe preparedness actions already completed, as well as established preplanned actions that can be taken after development of emergency conditions.

Preparedness Actions

The following actions describe some of the steps that could be taken at the dam to prevent or delay failure after an emergency is first discovered:

  • Overtopping by Floodwaters
  • A Slide on the Upstream or Downstream Slope of the Embankment
  • Erosional Seepage or Leakage (Piping) through the Embankment, Foundation, or Abutments
  • Failure of an Appurtenant Structure Such as an Inlet/Outlet or Spillway
  • Mass Movement of the Dam on its Foundation (Spreading or Mass Sliding Failure)
  • Spillway Erosion Threatening Reservoir Evacuation
  • Excessive Settlement of the Embankment
  • Malicious Human Activity (Sabotage, Vandalism, or Terrorism)

These actions should only be performed under the direction of the dam safety office or other qualified professional engineers.

Overtopping by Floodwaters

  • Provide erosion-resistant protection to the downstream slope by placing plastic sheets or other materials over eroding areas.
  • Divert floodwaters around the reservoir basin, if possible.

A Slide on the Upstream or Downstream Slope of the Embankment

  • Lower the water level in the reservoir at a rate, and to an elevation, that is considered safe given the slide condition. If the outlet is damaged or blocked, pumping, siphoning, or a controlled breach may be required.
  • Stabilize slides on the downstream slope by weighting the toe area below the slide with additional soil, rock, or gravel.

Erosional Seepage or Leakage (Piping) Through the Embankment, Foundation, or Abutments

  • Plug the flow with whatever material is available (hay bales, bentonite, or plastic sheeting, if the entrance to the leak is in the reservoir).
  • Lower the water level in the reservoir until the flow decreases to a nonerosive velocity or until it stops.
  • Place an inverted filter (a protective sand and gravel filter) over the exit area to hold materials in place.
  • Continue lowering the water level until a safe elevation is reached; continue operating at a reduced level until repairs are made.

Failure of an Appurtenant Structure Such as an Inlet/Outlet or Spillway

  • Implement temporary measures to protect the damaged structure, such as closing the inlet or providing temporary protection for a damaged spillway.
  • Employ experienced, professional divers, if necessary, to assess the problem and possibly implement repair.
  • Lower the water level in the reservoir to a safe elevation. If the inlet is inoperable, pumping, siphoning, or a controlled breach may be required.

Mass Movement of the Dam on its Foundation (Spreading or Mass Sliding Failure)

  • Immediately lower the water level until excessive movement stops.
  • Continue lowering the water level until a safe level is reached; continue operation at a reduced level until repairs are made.

Spillway Erosion Threatening Reservoir Evacuation

  • Provide temporary protection at the point of erosion by placing sandbags, riprap materials, or plastic sheets weighted with sandbags. Consider pumps and siphons to help reduce the water level in the reservoir.
  • When inflow subsides, lower the water level in the reservoir to a safe level; continue operating at a lower water level in order to minimize spillway flow.

Excessive Settlement of the Embankment

  • Lower the water level by releasing it through the outlet or by pumping or siphoning.
  • If necessary, restore freeboard, preferably by placing sandbags.
  • Lower water level in the reservoir to a safe level; continue operating at a reduced level until repairs can be made.

Malicious Human Activity (Sabotage, Vandalism, or Terrorism)

  • If malicious human activity that could endanger public safety is suspected, contact law enforcement to help evaluate the situation.
  • If the principal spillway has been damaged or plugged, implement temporary measures to protect the damaged structure. Employ experienced, professional divers, if necessary, to assess the problem and possibly implement repair.
  • If the embankment or spillway has been damaged or partially removed, provide temporary protection in the damaged area by placing sandbags, riprap materials, or plastic sheets weighted with sandbags. Use pumps and siphons to help reduce the water level in the reservoir.
  • If the water supply has been contaminated, immediately close all inlets to the water supply system and notify appropriate authorities.

Preparedness Actions: Materials, Equipment, and Personnel

When applicable, the following should be documented:

  • Materials needed for emergency repair, including source; materials should be as close as possible to the dam site
  • Equipment needed for emergency response or repair, its location, and who will operate it
  • Local contractors, vendors, and suppliers for dam-related equipment and supplies, including contact information and maps or directions to their locations
  • Justification of decision not to stockpile materials and equipment if stocking is not warranted

Inundation Maps

The primary purpose of an inundation map is to show the areas that would be flooded and travel times for wave front and flood peaks at critical locations if a dam failure occurs or there are operational releases during flooding conditions. Inundation maps are a necessary component of the EAP and are used both by the dam owner and emergency management authorities to facilitate timely notification and evacuation of areas potentially affected by a dam failure or flood condition.

Appendixes

Appendixes follow the main body of the EAP and contain information that supports and supplements the material used in the development and maintenance of the EAP.

Some of the topics that should, at a minimum, be contained in the appendixes are:

  • Investigation and analyses of dambreak floods
  • Plans for updating and distributing the EAP
  • Plans for posting the Notification Flowcharts
  • Forms and Log Sheets
  • Site-specific concerns
  • Sources of equipment or materials
  • Names and contact information for technical support personnel
  • Copies of contingency agreements with other organizations or service providers
Special Considerations
In developing an emergency action plan, you should consider the following:
  • Security Concerns
  • Communications Procedures
  • Evacuation Planning and Implementation
  • Post-Emergency Evaluation
  • Maintaining the Plan
  • Coordinating and Exercising the Plan

Security Concerns

One area of interest in both the security plan and the emergency action plan is that a security incident could result in damage to a facility, possibly even facility failure. In such a case, the law enforcement agencies would have the added responsibility of investigating the incident to identify and apprehend the perpetrators. This could complicate the incident command authorities among local responders and potentially interfere with emergency actions planned by the facility owner.

One possibility of attack is on the cyber systems that are used to operate many dam projects. An aggressor could attempt to disable such systems or even hijack them to intentionally operate the facility improperly, in order to cause damage. Facility safety incidents caused by cyber attack should be considered during development of the emergency action plan.

Remember . . . Because emergency action plans often receive wide distribution, it might be necessary to exclude sensitive information from some copies. Necessary but sensitive information could be included in the emergency action plan as a supplement or as another appendix. Distribution of this portion could be limited to those individuals or agencies with a specific need to know.

Communications Procedures

Reliable communications are essential during emergency situations to quickly exchange critical information among key individuals and organizations. The possibility of unreliable primary communications systems in times of emergency should be addressed during development of the emergency action plan. Previous catastrophes have demonstrated that normal communications systems are unreliable during such events. It might be necessary to provide backup communications systems for use during emergencies. Such systems should be developed and regularly tested prior to an emergency.

Evacuation Planning and Implementation

Evacuation planning and implementation is typically the responsibility of State or local emergency management authorities. Although an EAP does not need to include an evacuation plan, it should indicate who is responsible for evacuation and whose plan will be followed. There may be situations where recreational facilities, campgrounds, or residences are located below a dam and the dam owner could provide a more timely warning.

Inundation maps developed by the dam owner must be shared with emergency management authorities and included in the EAP. These maps may help in the development of warning and evacuation plans. It is important for dam owners to coordinate with the appropriate emergency management authorities and provide information from dam inundation studies that can assist with evacuation planning.

Dam owners should also include procedures in the EAP for ensuring that emergency management authorities are provided with timely and accurate information on dam conditions during an incident.
This information will help agencies make the appropriate decisions on evacuations.

Post-Emergency Evaluation

Following an emergency, all participants should participate in a review that identifies:

  • Events occurring before, during, and following the emergency;
  • Significant actions taken by each participant, and possible improvements for future emergencies; and
  • Strengths and deficiencies found in procedures, materials, equipment, staffing levels, and leadership.

Maintaining an Emergency Action Plan

After the EAP has been developed, approved, and distributed, continual reviews and updates must be performed. Without periodic maintenance, the EAP will become outdated and ineffective.
The EAP should be updated promptly to address changes in personnel and contact information, significant changes to the facility, or emergency procedures. The EAP should be reviewed at least annually for adequacy and updated as needed. Even if no revisions are necessary, the review should be documented.

The review should include an evaluation of any changes in flood inundation areas, downstream developments, or in the reservoir and a determination of whether any revisions, including updates to inundation maps, are necessary.

The EAP should be updated promptly with the outcome of any exercises, including periodic reviews and verifications of personnel and contact information from Notification Flowcharts and contact lists. Any changes to the dam and/or inundation zone should be reviewed because the changes may affect the inundation maps. Maps should be changed as soon as practicable and noted in the EAP.

Once the EAP has been revised, the updated version (or only the affected pages in minor updates) should be promptly distributed to those on the distribution list.

Coordinating and Exercising the Plan

Effective exercises are an essential element of the preparedness cycle. FEMA publication 64, Federal Guidelines for Dam Safety: Emergency Action Planning for Dams, emphasizes that facility owners should exercise their emergency action plans. The Federal Energy Regulatory Commission (FERC) recommends an annual face-to-face meeting between the facility owner and primary emergency management agency, and an annual drill, as well as periodic higher level exercises. In the next lesson, you’ll learn more about the different types of exercises.

Emergency Action Plan: Self-Assessment Checklist

Instructions: Complete the following self-assessment on a separate note or paper to assess your organization’s emergency action plan.

 

Does your organization’s emergency action plan include . . . (Yes/No)

  • A notification flowchart showing who is to be notified, by whom, and in what priority?
  • Guidelines on classifying the emergency as nonfailure concern, potential failure, or imminent failure?
  • Identification of individual responsibilities to ensure effective, timely action?
  • A set of pre-planned actions to facilitate response to various types of emergency situations?
  • Identification of available materials, equipment, and personnel needed for an emergency response?
  • Inundation maps to facilitate timely notification and evacuation of areas affected by a facility failure?
  • Appendixes to provide any additional information that would be useful during an emergency situation, such as sources of equipment or materials, names and contact information for technical support personnel, and copies of contingency agreements with other organizations or service providers?

 

Recovery Plans

In addition to the immediate safety issues addressed in the emergency action plan, damage to or failure of a facility can have long-term economic impacts, not only for the owner, but also for the community, other industries, and even regional or national economies.

Recovery plans serve to:

  • Minimize the extent of damage progression.
  • Restore project function, beginning just after initial response.
  • Minimize economic losses through quick restoration of functions.
  • Address all types of potential hazards (natural, accidental, intentional).

 

Recovery Phase

The recovery phase includes both an “initial” period following the incident (within one week) and “longer term” activities.

Recovery from a dam incident, for example, could continue for months or years, depending upon the magnitude of impact on facility operations, including dams, powerhouses, and water conveyance. Recovery from a levee incident could also take a considerable length of time depending on availability of materials and equipment.

The goal of the recovery is to restore the facility and its operations. During the recovery phase, it is important to identify lessons learned, complete postincident reporting, and develop initiatives to mitigate the effects of future incidents.

Recovery Plan Guidelines

Recovery plans should provide information to deal with mitigation and emergency repair of affected projects for any emergency arising at the site, whether from natural or manmade causes.

The recovery phase:

  • Should begin as soon as possible after the catastrophic event (dam failure, loss or damage to powerhouse, loss of main transmission line, levee breach, etc.).
  • May overlap with the “response phase” of the event. During the “response phase” plans and actions should take into account strategies for getting the facility returned to service.
Voices of Experience: Recovery Plans

Richard Myers

The recovery plan is the types of things that you are going to do after the fact to put your business back in business or back on line in the case of an electricity producer like we are. So it is all the events that are going to happen after the initial emergency is taken care of and you are back to restoring your business.

Yazmin Seda-Sanabria

A recovery plan assists the owner and operator get those key pieces in place to set back the operations of the facility, drive the attention to what elements need to be restored and be the main focus of attention right after the event occurs, so the critical functions can be restored in the facility.

Dick Robert

The recovery plan is after the event has happened how quickly do you come back online, how quickly do you return whatever you’ve potentially damaged back to the state that it was in beforehand. You look at the worst-case scenario, and you say, “How are we going to come back and make everybody whole again?”

Frank Calcagno

The recovery plan is how to get the plant back in operation, whatever that dam provides, whatever services it provides, to get those services back as quickly as you can. So the emergency action plan responds to the emergency and helps save lives; the recovery plan brings the services back as quickly as they can.

Developing Recovery Plans

When developing a recovery plan, you should:

  • Make extensive references to specific content of the project emergency action and security plans. Referencing these related plans will minimize redundancy of information, make the plan simpler, and eliminate contradictory information.
  • Address each critical component of the facility or project. The team developing the plan should identify the likely hazards and predict the type and magnitude of damage from those hazards.
Various organizations use the term “recovery plan” or similar terminology (e.g., rapid recovery plan) to refer to the same type of document. Some organizations include the equivalent of a recovery plan as a section of another document such as an emergency action plan. This course uses the term recovery plan as a generic, encompassing term to refer to any of these documents.
Recovery Plan: Consequences and Options

The planning team should:

  • Consider the probable damage and estimate the magnitude of the direct and indirect consequences.
  • Develop a list of options to minimize consequences by either reducing:
    • The initial damage and limiting the progression of the damage, or
    • The time needed to recover from the damage.

The process of making recommendations can be fairly simple; it does not necessarily require lengthy evaluations.

Recovery Plan: Elements

Recovery plans may include the following types of information:

 


Preparedness Activities: The recovery plan should specify preparedness activities, including procurement, stockpiling, on-the-shelf designs, or general preparedness actions such as identifying local equipment repair contractors, suppliers of key materials or equipment, providers of rental equipment or heavy transport, etc.

Organizational Structure, Communications, and Logistics: Physical repair/replacement/reconstruction actions require a clear chain of command, effective communications, and logistics support. The recovery plan should describe the roles and organizational structures to ensure effective communications and logistics support.

Authorities and Coordination: Recovery and reconstruction might require coordination with local authorities and regulatory agencies. To facilitate a quick response, it might be necessary to streamline internal authorities for procurement or contracting. Having these agreements established in advance will facilitate the recovery process.

Automated Systems: Many projects are becoming more highly automated, relying on automatic computerized control systems, or on remote operation and monitoring via communications links. The recovery plan should address possible loss of project function caused by interruption of communications links or by cyber attacks that render the automated control system inoperable.

Information Access: Recovery will also likely require rapid access to key information such as maps, drawings and specifications, and original design documents; this information or references to where it can be found should be included in the recovery plan.

Training and Exercises: Just as for other types of plans, such as emergency action plans, the recovery plan should address training of appropriate personnel, and periodic exercises simulating the plan implementation.

Plan Maintenance: The recovery plan should specify the requirement for periodic updating.

Recovery Plan Contents

The Federal Energy Regulatory Commission (FERC) and the U.S. Army Corps of Engineers have developed guidelines for the content of recovery plans.

Remember, plans must conform to any applicable State or Federal requirements.

 

Two sample recovery plan tables of contents follow.

U.S. Army Corps of Engineers Sample Recovery Plan: Table of Contents

  • Purpose
  • Recovery Organization
  • Description of Projects
  • Coordination Responsibilities
  • Response and Recovery Operations
    • Incident Command and Management
    • Procurement Procedures          
    • Resource Coordination
    • Mutual Aid
    • Public Information Dissemination
  • Response and Recovery Actions
    • Site Security
    • Continuity of Operations
    • Restoration of Critical Infrastructure
  • Training and Exercises
    • Training
    • Exercises
    • Evaluation and Corrective Action
  • Plan Maintenance
Federal Energy Regulatory Commission Sample Recovery Plan: Table of Contents
  1. Purpose of Internal Plan
  2. Applicable Emergency Scenarios
    1. Overtopping (including excessive inflow or reservoir displacement)
    2. Earthquake Damage
    3. Loss of Dam Crest Length
    4. Slide on Upstream or Downstream Slope of Embankment
    5. Slide on Underlying Potential Failure Plane
    6. Excessive Settlement
    7. Sinkhole Activity
    8. Loss of Foundation or Abutment Material (such as landslide/rockfall)
    9. Excessive Seepage/Piping Through Embankment, Foundation, or Abutments
    10. Failure of Appurtenant Structure Such as a Spillway Gate
    11. Excessive Cracking in Concrete Section
    12. Penstock Rupture/Failure
    13. Turbine or Other Equipment Failure
    14. Vandalism/Bomb Threat/Terrorism
    15. Other
  3. Incident Command System (ICS) & Company Internal Assignments/Responsibilities
    1. Incident Command System (ICS)
    2. ICS Chart: Company Personnel Assignments
    3. Incident Command Post and Alternate Command Post
    4. Personnel at Onsite Incident Command Post
    5. Main Headquarters Emergency Personnel
    6. Media Contact (Public Information Officer)
  4. Coordination With Local Authorities
    1. Multiple-Jurisdiction Incident (Unified Command)
    2. Safety/Clearance Issues & Authorization
  5. Communications, Maps, and Drawings
    1. Communications Center
    2. Alternate Communications Methods (cell phone, radios)
    3. Drawings, Maps, Photographs
  6. Vehicles, Equipment, Materials (e.g., sandbags, concrete, rip rap) & Contractors
    1. Plant Onsite Inventory
    2. Other Available Company Vehicles, Equipment, Materials & Supplies
    3. Noncompany Supplies/Materials (including helicopters if necessary)
    4. Outside Contractors and Consultants
  7. Response Times & Geographical Limitations
    1. Callout Procedure
    2. Estimated Response Times
    3. Primary & Secondary Access Roads & Alternatives
    4. Staging Areas for Personnel & Equipment
  8. Meals & Lodging
    1. Company Living Facilities
    2. Local Restaurants & Motels
  9. Internal Maintenance of Plan

Appendixes

  1. List of Company Response Personnel (internal callout list of phone numbers)
  2. List of Contractors/Consultants (addresses and phone numbers)
  3. List of Equipment Suppliers (addresses and phone numbers)
  4. Local Restaurants & Motels (addresses and phone numbers)
  5. Other Utilities/Mutual Aid (phone numbers of key contacts)
  6. Federal/Governmental Assistance (phone numbers of key contacts)
  7. Engineering Key Drawing List (drawings are located in two secure, noninundated areas near the facility)
  8. Highway Maps and Photos of Dam
  9. Emergency Helicopter Rescue Numbers
  10. Bomb Threat Procedures
  11. Emergency Action Plan Flowcharts A and B (identical to those in the regular emergency action plan)
Response and Recovery Coordination

In the event of any major damage to a dam or to other infrastructure, multiple agencies could have significant roles in the initial response to the incident. This involvement might extend into the recovery phase for restoring project function.

When developing your recovery plan, make sure to:

  • Include all organizations that would be affected by an incident.
  • Clarify responsibilities among various responders.
  • Resolve conflicting priorities among agencies (e.g., when law enforcement needs to preserve a site for forensic investigation while environmental and health safety agencies need to clean up hazardous materials) in advance of an incident.

For more information on effective coordination between various entities, jurisdictions, and agencies, refer to the National Incident Management System (NIMS) website.

Identification of Financial Information

Major recovery activities are dependent on available funding.

For the common types of project components, the recovery plan should include tables that list:

  • The types of damage that might be expected.
  • Various repair/replacement options to restore full or partial function.
  • Probable time and cost for those options.
These tables can provide a quick reference to assist decisionmakers during the tense postincident period when important decisions must be made quickly.
Recovery Plan: Self-Assessment Checklist

Instructions: Complete the following self-assessment on a separate note or paper to assess your organization’s recovery plan.

Does your recovery plan . . . (Yes/No)

  • Address each critical component of the facility?
  • Identify likely hazards and predict the type and magnitude of damage from those hazards?
  • Include an estimate of direct and indirect consequences?
  • List options to minimize consequences?
  • List recommended actions, such as procurement, stockpiling, on-the-shelf designs, or general preparedness actions such as identifying available resources?
  • Address issues such as communications and basic response logistics?
  • Refer to key information such as maps, drawings and specifications, and original design documents?
  • Address possible loss of function caused by interruption of communications or by cyber attacks?
  • Address training of appropriate personnel, and periodic exercises simulating recovery plan implementation?
  • Specify how and when the plan is to be maintained and updated?
Multiple-Project Recovery Plans
Since effective Recovery Plans are fairly general, it might be possible to develop a single plan applicable to a group of facilities with similar components. The same approach might be possible for owners and operators of multiple projects on the same river system. When multiple-project Recovery Plans are used, any issues unique to an individual facility could be included in a separate appendix.
Continuity Plans

Continuity planning helps facilitate the performance of an organization’s essential functions during any situation that may disrupt normal operations, such as:

  • A natural disaster or manmade incident.
  • Civil unrest.
  • Pandemic outbreaks.
  • Labor unrest.
  • Physical security or cybersecurity breaches.
Continuity of operations (COOP) is a term in wide use. Often COOP refers to an entire continuity program, covering all the interrelated aspects of continuity including business continuity in the absence of key personnel. This course uses the simpler term "continuity plan."
Continuity Plan Benefits

When it is necessary to continue facility operations during the absence of several key personnel, a continuity plan can help by:

  • Identifying personnel with necessary skill sets.
  • Defining shifts of roles and responsibilities to respond to the major absence of personnel.
  • Addressing a wide range of topics, such as leadership devolution, physical relocation of worksites, data preservation, and virulent disease.
Note that emergency action plans and recovery plans can be considered part of continuity plans.
Voices of Experience: Continuity Plans

Herbert Nakasone

It’s important to determine what is impacted by a particular emergency and how you are going to continue your operation after a serious event.

Dick Robert

Continuity of operations brings in every element of your business from the economic side to the operations side to the administrative side. It defines what people will do in a catastrophic event. If your basic service is generation of electricity like ours, how do we continue to keep that electric power going into the grid or into the community? If it means we failed completely and we can’t bill our clients, how do we fund ourselves? How do you pay salaries? How do you know what crews to maintain on alert or on duty or what people to stay home and work from their house? The continuity of operations is again a smart best business practice.

Richard Myers

It’s pretty straightforward that if you don’t have a plan and process in place, you put your whole business at risk. You’re responsible to everybody and everything that’s outside of your perimeter, and the only way to take care of that is to take care of what’s inside your own perimeter first.

Continuity Plan Contents

The scale of operations will dictate if one continuity plan will be sufficient or if multiple, discrete plans constitute an organization’s continuity program. Whether they are broken into separate plans or part of an overall continuity program, the following elements should be included:

  • Identification of essential functions
  • Interoperable communications
  • Delegations of authority
  • Alternate facilities
  • Vital records
  • Human capital
  • Computer disruptions


Identification of essential functions

Essential functions and the essential personnel to carry out the functions are primarily those related to the safe storage or release of water. These functions and personnel might include:

  • Controls and systems that open or close gates and valves;
  • Personnel who manipulate those systems and controls;
  • Personnel who decide when and how much to adjust release of water;
  • Dam safety engineers authorized to make decisions on the safety of the dam;
  • Collection of data that forms the basis of such decisions; and
  • Communication between those operating the controls and those deciding on releases.

Interoperable communications

Continuity of communications could become an issue during a crisis for a number of reasons. Phone systems (land line and cell) have occasionally experienced various degrees of disruption, and disruptions have been even more prevalent during certain emergency situations. The crisis-related relocation of certain functions to alternate facilities can contribute to disruptions in communications systems and computer networks at a time when reliable communication is most needed. Continuity plans should focus on maintaining critical communications capabilities and what to do when that is not possible.

Delegations of authority

Certain types of emergency situations might result in the temporary or permanent loss or incapacitation of key personnel. This could also result in loss of communications between key personnel and others in the organization. Continuity plans should clarify what decisionmaking authority will be transferred in various circumstances. For example, if communications with the chief hydrologist are disrupted, will an onsite supervisor be expected to open gates after a heavy rain? It is also necessary to clarify, prior to an actual event, who has authority to commit resources or to sign emergency contracts.

Alternate facilities

Some continuity plans address relocation of essential functions if the primary location has been disrupted. In the Dams Sector, there is no possibility of relocation of the actual dam infrastructure, but relocation might apply to some of the functions that support onsite operations.

Vital records

At a minimum, vital records might consist of reservoir levels, stream-flow data upstream and downstream of a dam, expected near-term inflows, and release rates for various gate positions. All of this information is critical to maintaining safe water levels in the reservoir and downstream. There are a number of ways such data might become unavailable: computer network malfunctions, loss of communications, sensor failures, and disruption in National Weather Service systems. Continuity plans should focus on methods to maintain access to such information and alternatives when information is not available.

Human capital

Any organization is dependent upon its staff for successful operation. Continuity plans should describe how to maintain essential functions in case of serious disruption to staff. Planning should identify the staff needed to support essential functions, including the number of people and the skills required. These requirements should be matched against potential availability of others within the organization who might be able to fill in during emergency situations. It might even be necessary to develop plans for use of temporary staff from outside the organization, such as mutual aid agreements or contracts for line crews after extensive electrical power outages due to severe storms.

Computer disruptions

In the modern automated workplace, disruption of an organization’s information technology (IT) system could bring operations to a standstill or lead to a dangerous lack of control over sensitive records or over physical processes (e.g., operational control over dam releases or power generation). Considering the potential serious consequences of an IT disruption, it is important that this topic be specifically addressed during continuity planning. While plans for disruption of an organization’s IT systems might be considered to belong in discussions on interoperable communications, alternate facilities, or vital records, it might also be appropriate to include an additional, separate category.

Continuity Plan Guidelines

Continuity plans should identify:

  • The objectives of the plan.
  • Functional roles and responsibilities of internal and external agencies and organizations.
  • Lines of authorities for those agencies and organizations.
  • Logistics support.
  • Resource requirements.
  • Process for managing an incident.
  • Systems for managing communication and information flow.


Sample Continuity Plan Table of Contents
  1. Introduction
  2. Purpose
  3. Applicability and Scope
  4. Essential Functions
  5. Concept of Operations
    1. Activation and Relocation
      1. Decision Process
      2. Essential Personnel Alert and Notification Process
      3. Leadership and Designation of Authority
    2. Alternate Facility Operations
      1. Mission Critical Systems
      2. Vital Files, Records, and Databases
    3. Reconstitution
  6. Logistics
    1. Alternate Location
    2. Interoperable Communications
  7. Training and Exercises
  8. Plan Maintenance
  9. Authorities and References
Pandemic Preparedness

A pandemic influenza incident has the potential to cause serious disruption to operations in the Dams Sector. It is estimated that up to:

  • 20 percent of the workforce could become ill.
  • 40 percent might be absent from work due to illness or fear of infection.

Because such absentee rates would cause great difficulty in performing normal functions, continuity plans should account for this possibility by detailing how an organization will provide for staffing needs during a potential outbreak.


Pandemic Preparedness Guidelines

Pandemic preparedness planning has been a focus area for many governments and organizations. The following table identifies generic types of planning actions that might be taken by a typical organization for the inter-pandemic, pandemic alert, and pandemic periods. The actions are keyed to pandemic phases defined by the U.S. Government. The generic actions in the table should be expanded into more detailed lists of specific actions applicable to a specific organization. An expanded version of the table is available on the HSIN Dams Portal.

U.S. Government Stages and Response Actions

INTER-PANDEMIC PERIOD

Stage 0: New Domestic Animal Outbreak in At-Risk Country

  • Develop and refresh business continuity plans based on pandemic threat impact issues.
  • Prioritize business processes and associated personnel, equipment, or supplies.
  • Promote organizational preparedness and planning.
  • Conduct validation exercises.

PANDEMIC ALERT PERIOD

Stage 1: Suspected human outbreak overseas

  • Initiate company monitoring of disease.
  • Provide appropriate awareness communications.

Stage 2: Confirmed human outbreak overseas

  • Heighten company monitoring of disease.
  • Supplement awareness communications, as appropriate.
  • Monitor travel situation and initiate advisories as needed.
  • Evaluate potential need for stockpiling of materials or supplies.
  • Review and refresh organizational preparedness plans.

PANDEMIC PERIOD

Stage 3: Widespread human outbreaks in multiple locations overseas

  • Consider limited activation of crisis management teams.
  • Evaluate need to implement supplemental staffing strategies.
  • Review or update response and business continuity processes associated with next level escalation.
  • Advise employees on personal protection strategies.
  • Implement travel restrictions as appropriate.
  • Ramp up communications and preparedness education.
  • Resolve stockpiling concerns and order materials as appropriate.

Stage 4: First human cases in North America

  • Activate crisis/emergency management teams.
  • Evaluate communications needs and adjust as required.
  • Consider monitoring/surveillance practices.
  • Encourage individual protection strategies.
  • Implement general worker protection strategies.
  • Implement mitigation processes involving critical and essential business processes and personnel.

Stage 5: Spread throughout United States

  • Address transportation issues.
  • Enhance communications.
  • Enhance employee social/psychological support processes.
  • Anticipate economic/social disruptions and mitigate as appropriate.

Stage 6: Recovery and preparation for subsequent waves

  • Overcome impacts of skilled worker and critical supplies shortages.
  • Evaluate and adjust response actions.
  • Prepare for next pandemic wave.
Pandemic Preparedness: Planning Guidelines
Review DHS pandemic preparedness guidelines for owners and operators of critical infrastructure.

To prepare for a pandemic outbreak, you should:

  • Identify and assess essential services, functions, and processes.
  • Review equipment and assets critical to support each essential function.
  • Prepare to sustain essential assets for a wave lasting up to 12 weeks.
  • Identify materials and supplies to sustain essential functions and assets for up to 12 weeks.
  • Determine the most effective ways to ensure an adequate supply of essential materials.
  • Identify the types and numbers of workers critical to sustain essential functions.
  • Identify policies and procedures to protect and sustain workers during an influenza pandemic.
  • Identify human resource and protective actions to sustain essential workforce.
  • Identify interdependent relationships and take actions to sustain those essential supports.
  • Identify Federal, State, and local regulatory requirements that may affect facility operations.
  • Identify effects from mitigation strategies; take actions to reduce negative impacts.
Computer Incident Response

In the modern automated workplace, disruption of the Information Technology (IT) system could bring any organization to a standstill or lead to a dangerous lack of control over sensitive records or over physical processes (e.g., operational control over dam releases or power generation).

Attacks may be:

  • Automated, including software attacks such as viruses, worms, and Trojan horses.
  • External, such as an outside individual attempting to gain unauthorized access.
  • Internal, such as employees or contractors attempting unauthorized access to information or Internet sites.

Computer Incident Response Plans

A continuity and response plan for a Computer Incident Response Team (CIRT) should address:

Types of Threats: Threat categories include:

  • Automated, including software attacks such as viruses, worms, and Trojan horses.
  • External, such as an outside individual attempting to gain unauthorized access.
  • Internal, such as employees or contractors attempting unauthorized access to information or Internet sites.

Alert Categories: Identify organization alert levels. These might be correlated with the five-level, color-coded Homeland Security cyber alert levels:

  • Cyber - Green (Low)
  • Cyber - Blue (Guarded)
  • Cyber - Yellow (Elevated)
  • Cyber - Orange (High)
  • Cyber - Red (Severe)

Escalation Criteria: Provide guidelines for identifying the current organization alert level and for activating the response team. Identify who has the authority to make these decisions.

Response Guidelines: Provide lists of expected actions by various teams/members for various types of incidents. This will not be an all-inclusive list and some measures might not be applicable against a specific threat; however, the lists will provide a convenient checklist to help guide response actions. Implementation of these measures will be at the discretion of the teams. The list should include useful information such as command post locations, and instructions for obtaining information updates during the response.

Status Reports: The response team should provide periodic status reports during response to an incident. These reports should be forwarded to management and to affected portions of the organization. This section should identify intervals for meetings and status reports, and suggested distribution lists for the reports.

Plan Maintenance: The plan should be reviewed/updated at least annually.

Exercises: The response process should be tested twice annually and include tests of the notification lists and a simulation of some type of incident. This simulation might be considered a tabletop exercise. The objective should be to identify any hardware, system software, or applications that may need to be changed to better ensure computer security.

Response Process Overview: This section should outline the response process. The principal objective of an incident response plan is to ensure business continuity and to support recovery efforts. The initial response should include a rapid assessment of the situation and the execution of a number of “immediate action” steps designed to contain the problem and limit further damage.

Call Lists: Provide contact information for key personnel. This list should include incident response team members, management, IT organizations, and persons in potentially affected operational areas.

Technical Impact Assessment: This section should provide guidelines for a thorough assessment of the potential impact of a specific threat. It should address items such as:

  • Type of threat.
  • Source of the threat.
  • Actions that can be taken to mitigate the threat.
  • The prevalence of the target of the threat.

Business Impact Assessment: This section should identify the types of information needed to determine the impact on critical business systems. This might include:

  • What type of technology is affected by the incident?
  • Is the incident limitable by location? Can it be contained?
  • Who is the person on call for the application? Have they been contacted? How quick can the response be?
  • Will company revenues be impacted?
  • Is the external customer impacted?

Communications Process: This section should identify:

  • Key communications contacts, roles, and responsibilities.
  • Target audiences and the most effective means to reach these audiences.
  • Steps in the communications process.
  • Sample messages.

Postincident Evaluation: Include guidelines for:

  • Collecting information.
  • Determining the cause of the incident.
  • Determining the effects of the incident.
  • Making recommendations for improvements to the systems.
  • Making recommendations for improvements to the incident response.
Continuity Plan: Self-Assessment Checklist

Instructions: Complete the following self-assessment on a separate note or paper to assess your organization’s continuity plan. When you are done,

Does your organization’s continuity plan . . . (Yes/No)

  • Identify essential functions and the essential personnel to carry out the functions, which are primarily those related to the safe storage or release of water?
  • Focus on maintaining critical communications capabilities and what to do when that is not possible?
  • Clarify what decisionmaking authority will be transferred in various circumstances?
  • Address relocation of essential functions that support onsite operations if the primary location has been disrupted?
  • Focus on methods to maintain access to vital records (e.g., reservoir levels, stream-flow data upstream and downstream of a dam, expected near-term inflows, and release rates for various gate positions) and alternatives when information is not available?
  • Describe how to maintain essential functions in case of serious disruption to staff (including pandemic influenza incident)?
  • Address the potential for disruption of the information technology (IT) system and its effects (e.g., operational control over dam releases or power generation)?

Lesson 3 Summary
Crisis management consists of planning for and responding to any emergency incidents that might occur. This lesson presented guidelines for developing the following:
  • Emergency action plans
  • Recovery plans
  • Continuity plans

The next lesson focuses on Dams Sector exercises.
