Principles of Risk-Based Rock Engineering Design

In comparison with other types of construction, the development of rock engineering design codes has been slow. Codes must, however, be developed with relevant discipline-specific characteristics in mind. This paper, therefore, presents a generic design framework for rock engineering. The framework is based on the presumption that rock engineering design must be viewed as decision-making under uncertainty, which makes the design process subject to general risk management principles, as risk is defined as “effect of uncertainties on objectives” (ISO 31000). Thus, rock engineering design codes ultimately need to facilitate design processes that target the risk, to enable design of structures that not only are sufficiently safe and durable and cost-effectively constructed, but also imply safe and healthy work conditions during construction and an acceptably low environmental impact. The presented framework satisfies this fundamental requirement and the authors find codification of its principles to be rather straightforward, as long as the level of detail in the code is governed by a strict application of ISO’s general risk management principles. Further details on methods and practical recommendations can instead be supplemented in separate handbooks and application guidelines.


Challenges of Rock Engineering Design: Code Development and Practice
As with all structural systems, rock engineering structures need a satisfactory engineering design to withstand loads and deterioration processes caused by use and the surrounding environment. In general terms, the designing engineer's objective is to maximise the expected utility of the facility; though, given the large scale and complexity of many rock engineering structures, this objective can certainly be a challenge. Moreover, there are constraints that the designing engineer needs to consider, of which compliance with public safety requirements is possibly the most important, while others include, for example, aesthetic considerations and availability of construction material, machinery, and labour. In many countries, structural design codes have been established to provide the foundation of good engineering practice, based on past experience inherited from centuries of construction. A rather recent fundamental code improvement was the shift from allowable stress design to the limit state design concept, on which most modern structural design codes are built. Examples include the Eurocodes (CEN 2002), the American ACI 318 Building Code Requirements for Structural Concrete (American Concrete Institute 2014), and the Canadian Highway Bridge Design Code (Canadian Standards Association 2014; Fenton et al. 2015). The code development in rock engineering design has, however, been lagging behind. The introduction of the Eurocodes provides a striking example: although the EN-1997Eurocode 7 (CEN 2004 claims to include rock engineering structures in its scope, its practical applicability to rock engineering has been questioned (e.g., Ferrero et al. 2014;Harrison et al. 2014;Lamas et al. 2014;Spross et al. 2018b). In fact, even such a fundamental concept to the Eurocodes as limit state design has been found unsuitable or difficult to apply to some design issues in rock engineering, mainly because of the difficulty in defining analytical limit state functions and characterise the variability of involved variables. As a consequence, corresponding target failure probabilities for the analysed design problems are currently lacking (Bjureland et al. 2017a, b;Harrison 2017). Although some deficiencies in Eurocode 7 may be corrected in upcoming revisions, developing a functional design code for engineered rock structures has clearly proven a substantial challenge.
As it turns out, constructing rock engineering structures poses some specific challenges on the design that is not present for other types of structures. A fundamental difference is the origin of the construction material itself: while manufactured construction materials can be ordered with rather specific properties, rock is a natural material with considerably larger property variability. Moreover, the geological conditions not only vary in space physically, but also are more or less uncertain in terms of both magnitude and variability-this lack of knowledge is known as epistemic uncertainty (Der Kiureghian and Ditlevsen 2009). A key aspect of rock engineering design is, therefore, to increase the knowledge about the rock mass through geotechnical investigations or other observations, thereby reducing the epistemic uncertainty. Consequently, the rock engineer will often start the design process with rather limited information, possibly coming from a synoptic study of available geological maps and a few boreholes drilled at a considerable distance from each other. Thus, the rock engineer needs to be aware of that there may be unknown geological features with fundamentally different geotechnical properties in between the boreholes. This epistemic uncertainty will prevail until the rock mass is excavated; only then can the geotechnical properties be investigated in detail.
The other engineering challenge is caused by the excavation process required in underground construction projects. In contrast to excavations in soil, where the execution goes from safe conditions at the beginning towards less safe conditions as the excavation depth increases, the highest probability of structural collapse of an underground facility can be attributed to the temporary design situation right after the excavation, before the support prescribed by the design has been installed ( Fig. 1). Thus, a successful rock engineering design needs to consider not only the permanent design situation when the facility has been completed, but also the temporary design situation right after the rock excavation sequence. Note here the significant difference in available knowledge for the respective designs of the temporary and permanent situations: the design of the permanent structure can in principle take into account any information gained Fig. 1 Escalator shaft at the Odenplan commuter train station in Stockholm, Sweden. Temporary design situation during construction of the shaft (left) and permanent design situation when the station is in use (right) during the excavation, while that information was unavailable to the designer of the temporary structure.

Purpose and Structure of Paper
Given the expected increased use of the underground space, we find it crucial that future design codes for rock engineering are developed with its discipline-specific characteristics in mind. The purpose of this paper is, therefore, to present a generic design framework for rock engineering and, in light of this, discuss how a modern design code needs to be structured to be applicable in current rock engineering practice.
Unlike previous generic descriptions of the rock engineering design process (Bieniawski 1993;Feng and Hudson 2004;Hudson and Feng 2015), our framework is based on the presumption that a risk-based approach is fundamentalnot contributional-to the rock engineering design process. The need for this presumption was established and discussed in depth in our previous papers (Spross et al. 2018b;Stille andPalmström 2018, andStille 2017). Note that risk-based design principles naturally are applicable also to other engineering disciplines than rock engineering; however, the implementation of such principles may be different depending on the characteristics of the respective disciplines.

Risk: a Fundamental Concept in Rock Engineering Design
In general terms, engineering design is an iterative decisionmaking process of devising a system to meet desired needs, by optimal conversion of resources through the application of basic sciences, mathematics, and engineering sciences (ABET 2013). This definition highlights the key aspects of the design process: • It is iterative, • It is driven by needs, • It strives toward optimisation of the product, and • It requires decision-making regarding the adequacy of the design.
As rock engineering is inherently associated with significant epistemic uncertainty, the rock engineering design process can essentially be interpreted as decision-making under uncertainty. Consequently, the design process must also be recognised as a part of the project's risk management, seeing that risk is defined as the effect of uncertainties on objectives in ISO 31000 (ISO 2009). In a rock engineering context, objectives can be exemplified with the completion of an underground facility that corresponds to the client's needs and wishes, as well as to any societal requirements on, for example, structural safety and environmental impact; in other words, to leave the client with a product that provides sufficient quality during both excavation and operation. The word effect indicates that the prevailing uncertainties in any external factors may be linked to consequences, which makes ISO's definition well aligned with the possibly more well-known definition of risk as a measure of the combination of the probability of an event and the severity of its consequences (Spross et al. 2018b).
The standard ISO 31000 defines a general procedure for risk management that has been found applicable to geotechnical engineering projects (van Staveren 2006(van Staveren , 2009(van Staveren , 2013SGF 2017;Spross et al. 2018a). In a risk management context, key components of the design process are to identify risks associated with different design alternatives, and subsequently to analyse the probability of occurrence of their potential consequences (Fig. 2). Furthermore, risk management is an essential continuous process that is needed in all phases of the construction project, from the preliminary study until completion of the structure (Fig. 3). To clarify: design does not need assistance from risk management, but design is risk management! This is, therefore, discussed in depth in Sect. 4.6.3.
We note that in practice, strictly risk-based structural design is rarely performed in the sense of allowing tailored trade-offs between different types of consequences for individual structures (see Sect. 4.1). Instead, design codes often require facilities to satisfy some absolute requirements, such as allowable failure probabilities when it comes to hazards

Objectives External factors
Monitoring and review Risk assessment Fig. 2 The cyclic process of risk management in geotechnical engineering projects modified after ISO 31000 for the general public. This means that the decision to accept a developed design in the risk evaluation ( Fig. 2) also needs to take such absolute code requirements into consideration. While this may seem suboptimal at first glance, the purpose is clearly to ensure that the interests of the general public are protected. Risk management in rock engineering is by no means limited to ensuring satisfactory performance of the facility. Risk can also, for example, be the probability of having selected an unsuitable excavation method because of limited understanding of the geological conditions, combined with the associated cost increases and delays as the corresponding consequences-or with ISO terminology: how much can the present uncertainty regarding geological conditions affect our objective to not exceed the budget, given a certain choice of excavation method? In this paper, however, we only consider the design work.

Rock Engineering Design Issues
A satisfactory design of a rock engineering structure needs to consider many aspects. We denote these aspects design issues. Based on the client's needs in terms of design requirements such as size, shape, and restrictions regarding location, the design needs to address five fundamental categories of design issues: • Satisfactory structural safety with respect to societal requirements, • Satisfactory durability in relation to the client's requirements on life length and maintenance frequency, • Satisfactory serviceability with respect to the client's performance requirements, • Acceptable environmental impact with respect to societal requirements (and sometimes also client's stricter policy), and • Acceptable work environment with respect to societal requirements (and sometimes also client's stricter policy) on workers' safety and health.
Durability can be considered subordinate to the issues structural safety, serviceability and environmental impact. However, design issues related to durability are so important to account for in the design that a separate category is warranted.
For all five categories of design issues, geology (including any associated epistemic uncertainty and natural variability) has a major impact, as geology generally is the main source of uncertainty in the design work, and therefore contributes with significant hazard to rock engineering projects. This geological uncertainty can be attributed to several factors, where the most important is the difficulty to predict the large-scale behaviour of a jointed rock mass, based on limited pre-investigations, small-scale laboratory tests on intact rock, investigations during excavation, and empirical assessments. Predicting the right type of geological scenario, i.e., rock-mechanical behaviour, has, therefore, become a key task in the design work; three main categories are • Gravity-driven behaviour, • Stress-induced behaviour, and • Water-influenced behaviour.
Underlying factors include the rock mass composition, tectonic stress conditions, groundwater conditions, and influence from excavation features such as size, shape, and

Objectives External factors
Monitoring and review

Risk assessment
Excavation and work support rock-support interaction (Palmström and Stille 2007;Stille and Palmström 2018). In addition to geological factors, there are also others that may affect the risk related to the critical design issues of a project. Table 1 shows examples of design issues connected to such underlying factors in the five categories. Notably, identified design issues often need to be considered both for the permanent design situation of the completed structure and for the temporary design situation occurring during excavation.

Sources of Uncertainty and Types of Consequences
As established in the previous sections, the rock engineering design process needs to take into account several types of underlying uncertainty and variability. The larger the magnitude of the uncertainty, the larger is the probability of having negative consequences-i.e., the larger is the risk.
In addition to the previously discussed uncertainty in expected geological scenario and limited knowledge about the geotechnical properties, there are also uncertainties related to imperfect material models and imperfect calculation models. Model uncertainties reflect the engineer's inability to describe a complex phenomenon in adequate technical terms. Thus, model uncertainties can in fact also be characterised as epistemic, because they are caused by a lack of detail in the description of the material properties or the mechanical behaviour. In practical design work, there may also be uncertainty in whether the used model is applicable to the case at hand-and sometimes there is even erroneous use of inapplicable models because of a lack of competence in the design team. Moreover, there is sometimes also a temporal component to the uncertainty, for example, in terms of an uncertain rate of degradation of a structural component.
Consequences can generally be categorised based on the nature of the unwanted event: economic consequences imply a loss in monetary value and affect the project, the society, or both; social consequences imply a loss of human life (fatality) or a negative impact on health and well-being; and environmental consequences imply a negative environmental impact. Note the correspondence to the three dimensions of sustainable development: economic, social, and environmental sustainability.
The severity of economic loss can be expressed in both absolute terms and relative terms with respect to the project cost. The choice of view is always dependent on the circumstances, for example, in terms of whom the consequence affects: a certain cost could be perceived as a large consequence, if it were imposed on a third party; while the same cost could be perceived as a smaller consequence, if it were carried only by the client or the contractor and the potential gain or profit from the project were much larger than the cost. Time is another complicating factor. For example, how should the effect of potential future durability problems that may require repair and unplanned maintenance be assessed in terms of severity?
The severities of societal and environmental consequences are generally more difficult to assess.

Classification of Uncertainty Magnitude and Consequence Severity
The uncertainty magnitude and consequence severity can be grouped into classes to increase transparency regarding the made design decisions. Consequence classes can, for example, be used to adjust the required safety margin in structural design codes; an example from the Eurocodes is presented in Table 2. In essence, structures associated with large consequences at failure require higher safety against failure. Notably, the Eurocodes, for example, allow different consequence classes to be assigned to different structural components (clause B3.1(3) in EN-1990(CEN 2002). However, in rock engineering, one structural component can be subjected to different types of consequences, if it provides capacity for more than one design issue (see Table 1). Stille (2017), therefore, identifies a need to separate consequence severities with respect to design issues, so that the classification of consequence severity not necessarily is the same for all design issues of a structure or structural component. An example is provided in Table 3. The implications of separation with respect design issues are discussed in Sect. 4.6.1. Other types of consequence classification schemes are discussed in Eskesen et al. (2004). Similar to the classification of consequence severity, the uncertainties accounted for in a design can be of different magnitude. As discussed in Sect. 3, the largest sources of uncertainty are typically related to the expected type of geological scenario and the engineer's limited knowledge about the corresponding geotechnical parameters. The magnitude of the uncertainty may differ from case to case, depending typically on the level of difficulty to acquire information about the ground conditions. The largest uncertainty is normally encountered in the design of underground excavations, in particular in the temporary design situation, as much information about the geological scenario and geotechnical properties will be revealed upon excavation and therefore known for the design of the permanent structure. For surface structures such as rock slopes and rock foundations, geological uncertainties are generally smaller, but may still have a considerable impact on the design.
Model uncertainties are normally smaller in magnitude and can be interpreted as the ability to fine-tune the design calculations, once the correct geological scenario has been identified. Uncertainties related to the execution of the design are also normally small in comparison. The difference in magnitude of the respective uncertainty sources is important to recognise, so that uncertainty-reducing measures are directed to where they are most beneficial.
To facilitate the accounting of the present level of uncertainty in practical design work, we believe like Stille and Palmström (2018) that defining Uncertainty Classes, UC, can be convenient, similar to the already established concept of consequence classes. Noting the need to consider both the temporary and permanent situation in the design, two sets of uncertainty classes are required for design of  (Table 4). This effectively highlights that the epistemic uncertainty regarding the ground conditions constitutes the main challenge before excavation, while the difficulty to handle the revealed ground conditions constitutes the main challenge after excavation. In a general sense, both sets of classes address the present level of uncertainty and reflect the current level of understanding of the situation at hand. Similar concepts for uncertainty classification have been discussed in the currently ongoing revision work for Eurocode 7. Note that to manage the risk related to each design issue stringently, each design issue needs to be assigned an uncertainty class.

Design is Decision-Making Under Uncertainty
To successfully manage risks in a design process, it is fundamental to attain comprehensive understanding of the geotechnical and geological setting and its interaction with the potential technical solutions that are considered. In essence, this is achieved by systematic analyses of the identified design issues, with respect to how any associated uncertainties and potential consequences are affected by different design measures in the established setting. To facilitate well-justified decisions regarding the suitability of the analysed design options, clear criteria for risk acceptance are required, as the prevailing risks potentially are substantial (cf. risk evaluation in Fig. 2). If the prevailing risks with a certain design solution are found too high, measures are needed to reduce the risks, for example, through design changes or further geotechnical investigations-otherwise, the solution must be discarded. A key consideration is how to manage the project risk of not meeting the budget requirements in the project; as an effect, this generally facilitates cost-effectiveness in the proposed design alternatives. When the optimal design solution has been found, the construction phase may be initiated.
In this systematic management of design risks, the designing engineer has to consider how the following aspects affect the risk level associated with the planned structure: • Selected design solution • Design (limit state) verification method to ensure satisfactory performance, • Extent of geotechnical investigations, and • Extent of control and inspection during design and construction.
In the following subsections, we elaborate on the effect on the risk of these four aspects. In Sect. 4.5, we propose a generic risk-based framework for how to carry out this selection process in the design of rock engineering structures.

Effect of Adjustments to the Technical Design Solution
Adjustments to the technical design solution can affect the risk level in two ways. The design is either adjusted so that it becomes more or less conservative, which affects the calculated probability of unsatisfactory performance, or fundamentally changed so that the structure can be reclassified in terms of consequence severity. The latter include, for example, damage-limiting measures on existing nearby structures, relocation of the planned facility itself, as well as restrictions of access to and use of the facility and the surrounding area.
In the selection of a technical design solution, the robustness and resilience of the technical system are key aspects. Table 4 Separation of uncertainty classes into two sets: Ground uncertainty classes for the temporary situation and ground quality classes for the permanent situation Reprinted from Stille and Palmström (2018)

with permission from Elsevier
Classes of geological and ground uncertainty (before excavation) Low Clear and simple geology and ground conditions. Ground parameters can be easily found. Experience from construction in similar ground conditions Medium Clear geology and ground conditions. Methods exist both to assess ground conditions and for dimensioning. Experience from construction in similar ground conditions can be documented High Unclear geology and/or ground conditions with potential for problematic tunnel excavation. There are limited possibilities to assess the ground conditions before excavation starts Classes of ground quality (after the ground has been encountered in the tunnel, shaft or cavern) Good Good or very good ground conditions and stability as documented from tunnel mapping using, e.g., classification systems (RMR, Q, RMi, etc.) Fair Fair ground conditions and stability as found from tunnel mapping and, if found necessary, supported by investigations Poor Poor or very poor ground conditions and stability as found from tunnel mapping and description supported by investigations and tests Robustness implies that the structure does not suffer from disproportionately large failure in case of accidental loading-progressive structural failure through tunnel collapse into tunnel parts far from a fire-devastated area is, for example, not acceptable. Resilience, on the other hand, implies that the structure is able to absorb or avoid damage so that complete structural failure is avoided. Reinforced shotcrete can be regarded as more resilient than unreinforced, as the reinforcement can redistribute loads even if the shotcrete has cracked for some reason.

Effect of Choice of Design Verification Method
The performance of the design needs to be verified, to ensure satisfactory structural safety, durability, serviceability, work environment, and that the environmental impact is acceptable. Defining unsatisfactory performance as violation of a limit state, which is common in modern structural design codes, the design is verified with a limit state verification method. In selecting verification method, the designing engineer needs to consider that each method introduces different amount of model uncertainty and parameter uncertainty to the design. The most common methods in rock engineering include design by Note that all design issues may not be possible to describe with a quantifiable limit state function. This is typically the case for complex processes (Palmström and Stille 2007); examples of such design issues are degradation of cement grout or formation of icicles in Table 3.
As the different design verification methods allow the design issue to be modelled in different ways and account for different types of available knowledge, the selection of design verification method can be used to adjust the prevailing uncertainty in the design. Prescriptive measures, for example, are empirical rules of thumb that generally generate simple but conservative design solutions for some specific application. Conversely, the observational method allows the designing engineer to take into account not only knowledge gained from pre-investigations, but also observations of the structural behaviour during construction. The observational method is, therefore, often suggested for cases when the structural behaviour is difficult to predict. Uncertainty and errors can, however, also be introduced, for example, through inappropriately designed monitoring plans.

Effect of Extent of Geotechnical Investigations
By performing geotechnical investigations, knowledge is gained about the geotechnical conditions, which implies that the epistemic uncertainty is reduced, and so is also the present risk, as the prevailing geotechnical conditions are indicated with more certainty. Complete uncertainty elimination is, however, not possible; there is always a remaining possibility of encountering worse conditions than expected. Finding the optimal extent of geotechnical investigations is a decision-theoretical problem, which implies that such decisions in principle can be based solely from an economic standpoint, considering whether the potential gain of information is worth the cost (Einstein 1996;Zetterlund et al. 2011Zetterlund et al. , 2015. Note that the level of epistemic uncertainty is related to the knowledge of the project team. The involvement of an experienced engineering geologist is in many cases crucial. Generally, however, all projects need sufficient knowledge about the site conditions to identify which design issues that need to be considered in the design. From a risk management perspective, this is part of establishing the context (see Fig. 2).

Effect of Control and Inspection
Control and inspection during construction have multiple purposes: • To check that the design assumptions are valid and that the design requirements are fulfilled, • To detect construction errors, • To reduce the probability of human errors in design and construction.
Thereby, the probability of achieving sufficient quality in the product increases. As discussed by Stille et al. (1998) and Stille (2017), rock engineering requires a dualistic quality system: in addition to ensure that things are done right, the large epistemic uncertainties emphasise the need of the quality system to ensure also that the right things are done. The latter can entail, for example, external reviews of the design to check the validity of design assumptions and applied mechanical models. Extensive control of the design work is more relevant for complex or uncommon design issues, where erroneous assumptions are believed to be more likely to occur, and for structures associated with severe consequences at failure. Grouting is an example where the work should be controlled in both ways. The mixing and pumping procedure should be checked to be done right, but it should also be checked that the grouting is carried out where it is needed-and only there-i.e., that the right thing is done. Control and inspection during construction are performed to ensure that the structure is constructed in accordance with the design specifications (i.e., that things are done right). Important tools for active control during construction are the use of milestones and tollgates, which reduce the risk caused by malfunctioning communication between design team and production (Stille 2017).

Risk-Based Geotechnical Categorisation as a Tool
A straightforward method to manage in practice the complex interaction of the aforementioned four aspects (discussed in Sects. 4.3.2-4.3.5) is to assign a Geotechnical Category (GC). They are based on assessments of consequence severity and uncertainty magnitude. The purpose is to facilitate efficient and consistent decision-making with respect to all four aspects. Stille and Palmström (2018) argue that while the current Eurocode 7 (CEN 2004) introduces three Geotechnical Categories, they are not only vaguely formulated in terms of risk, but also unsatisfactorily defined, as most underground excavations in rock will fall within the highest category GC3. Stille and Palmström (2018) therefore propose that Geotechnical Categories for rock engineering should be strictly based on a combination of consequence severity and either the prevailing ground uncertainty (before excavation) or the established ground quality (after excavation). The outcome is illustrated in Table 5.
The Geotechnical Category can then be connected to recommendations and requirements regarding • Extent of documentation of the ground conditions, • Selection of design verification method, • Extent of geotechnical investigations • Extent of control and supervision of the design, and • Extent of control and inspection during construction.
Note that for selection of design verification method and extent of geotechnical investigations, the Geotechnical Category normally only provides guidelines; decisions regarding these aspects need to consider much more, such as access to the investigated rock mass, limitations in applicability of the verification method, and competence and organisation of the project.

Conceptualisation of the Rock Engineering Design Process
Managing risks by assigning Geotechnical Categories (Table 5) based on separately analysed consequences (Table 3) and uncertainties (Table 4) makes it possible to generalise and conceptualise the general rock engineering design process into a generic risk-based design framework. The framework highlights the need to have a stringent hierarchy between the concepts uncertainty, consequence, and risk. This allows the designing engineer to let all design decisions target the current level of risk, making this the cornerstone of the rock engineering design process. The generic design framework can be described by the following iterative algorithm and its key features are discussed in the next section. An overview is provided in Fig. 4. Note that the framework can be applied to the respective analyses of both the temporary and the permanent design situations. The analyses are then performed in two separate processes, as these design situations in practice are analysed at different times in the project execution. The reason for this separation in time is that information gained in the execution of the temporary structure can provide valuable input to the design of the permanent structure.
1. Establish the general context: -Clarify the objectives of the project and the external factors that can pose threats against the fulfilment of the objectives. -Interpret roughly the geotechnical conditions in light of the objectives and external factors, based on information gained from e.g., preliminary and feasibility studies. -Identify relevant design issues and design situations to address in the design work (see Sect. 3). Determine at what point in time that steps 2-9 are to be followed for each design situation.
Follow steps 2-9 for the design situation at hand. 2. For every design issue that is relevant to consider in the analysed design situation: -Determine the current Uncertainty Class based on the available knowledge (if there is a severe lack of knowledge about the ground conditions, assign UC3 to all design issues). -Determine the expected Consequence Class.
3. Based on the current Uncertainty Classes and Consequence Classes, establish the current Geotechnical Category (Table 5)  to possibly reduce its current uncertainty level (i.e., the UC); carry out these measures if so was decided. 6. Work on the design for the analysed design situation, but consider the following: (a) Add a new (or disregard a non-relevant) design issue, if the available knowledge indicates that this is necessary. For new design issues, start over from 2.
(b) Revise the current UC or CC, if the available knowledge indicates that this is necessary with respect to some design issue, and start over from 3. (c) Select another design verification method, if it is believed to be more suitable than current one, and start over from 5. (d) If it is found that the current uncertainty level is too high to facilitate efficient design work, start over from 5.
7. Perform a final risk evaluation by deciding that any remaining risks are acceptable in the current design solution. This implies showing that the safety margin of each considered design issue is satisfactory using a suitable design verification method (see Sect. 4.3.3), and also that any budget and time plan constraints are sufficiently likely to be met. Then document the following:  Stille and Palmström's (2018) term for Uncertainty Classes before excavation (see Table 4) b Stille and Palmström's (2018) term for Uncertainty Classes after excavation (see Table 4) -Required level of quality assurance during construction, as defined by the current Geotechnical Category, -Applied design verification method in the used design solution, -Plans for how to validate the made design assumptions, and -Monitoring and contingency action plans (if the observational method is applied).
8. Validate the design solution during construction and follow all prepared plans regarding monitoring and quality assurance, as well as predetermined tollgates.
-If alarm thresholds are violated, put prepared contingency actions into operation, as prescribed by the observational method. -If the design assumptions turn out not being valid, re-design based on revealed conditions. -If the performed control and inspection reveal insufficient quality, re-design or re-construct the defective component.
9. Complete the design process formally by confirming that the control has shown that all design issues have been accounted for satisfactorily, to ensure that the client is provided with a facility of high quality. Produce and archive as-built drawings to document any changes that were made in comparison to the planned design solution in step 7.

Design Issues in Focus-not Structural Members
Using the design issue as the feature of interest in the design framework allows the designing engineer to attend to each design issue in relation to what its accompanying risk warrants. This is facilitated by the fact that each design issue may be assigned a separate Geotechnical Category. This arrangement contrasts to, for example, the Eurocodes, which instead revolve around "structural members" as the feature of interest [see clause B3.  Fig. 4 Flowchart describing the risk-based rock engineering design process. The process is valid for both the temporary and the permanent design situation. UC = uncertainty class, CC = consequence class, GC = geotechnical category (UC3) regarding potential long-term deterioration effect on the lining, because of aggressive chemical compounds in the groundwater. Unless these design issues are treated separately, both design issues could be recommended to be subjected to external review during the design, even though such measures would only be relevant to manage the latter issue.

Design Verification Method Affects the Uncertainty-Reducing Efforts
Pre-investigations and other uncertainty-reducing measures play a key role in the rock engineering design. In our opinion, however, the amount of uncertainty-reducing effort that is made in a rock engineering project should be completely free for the designing engineers to decide themselves. As shown by Spross and Johansson (2017), this is a decision-theoretical problem that the engineer solves from an economic standpoint: what information can potentially be gained by performing further investigations and is it worth the cost, or is it more favourable to go with a more conservative design to account for the lack of knowledge? The optimal amount of uncertainty-reducing measures depends in fact largely on project-specific features, as well as on the selected design verification method. Consequently, design guidelines and codes must not put specific requirements on minimum amount of uncertainty-reducing measures based on the prevailing risk. In our opinion, such code regulations would at best be pointless recommendations without substance and at worst strict requirements that potentially increase project costs, owing to uncertainty-reducing measures that are not needed from a risk perspective. For example, if the observational method is selected as preliminary design verification method, the observations made during construction can be expected to provide a lot of information. Less uncertainty-reducing measures (pre-investigations) are then likely to be required during the design phase, than if the design was to be verified by calculation based only on what was known in the design phase. Though, the amount of investigations needed to identify the relevant design issues would depend on the geological conditions at the site as well as the scale of the project.
The favourability of reducing the prevailing uncertainties is reflected in the proposed design process by letting all design work start in the highest Uncertainty Class when there is a severe lack of knowledge, which drives up the Geotechnical Category. Performing uncertainty-reducing measures will, therefore, likely reduce the Uncertainty Class-and in the remaining cases highlight complexities that indeed warrant a high Uncertainty Class.
As the designing engineer can manage the prevailing risk with several different tools, we find it important that the designing engineer is allowed to choose freely between them. Thus, the proposed design framework is carefully defined to treat all design verification methods equally, without favouring or discriminating against any method. If it is not allowed to select design verification method and uncertainty-reducing effort independently, the designing engineer loses the opportunity to optimise the design with respect to the prevailing risk and expected project cost.

Risk Management with the Proposed Design Process
A key feature of the proposed risk-based rock engineering design process (Fig. 4) is that it is fully compatible with ISO's (2009) general risk management framework. This highlights how the design work is an integrated part of the project's risk management. Comparing the risk management framework in Fig. 2 with the steps in Fig. 4, the context is established by interpreting the geotechnical conditions in light of the project objectives and affecting external factors (step 1). The identification of relevant design issues and design situations (step 1) corresponds to the risk identification. The assessment of Uncertainty Classes and Consequence Classes (step 2), the establishment of Geotechnical Categories (step 3), the selection of a preliminary design verification method (step 4), the analysis of performed uncertainty-reducing measures (step 5), and the consideration of different technical solutions (step 6) all correspond to the risk analysis. The potential revisions that are listed in step 6a-d imply that the risk at some point has been found unacceptably large in a risk evaluation and that risk treatment is needed through any of the listed options. As noted in Sect. 4.3.1, a key risk to assess is the potential exceedance of the budget, which will drive the decisions toward cost-effective treatment options. The feedback loops highlight the cyclic nature of the risk management process. Note also the final risk evaluation in step 7, where it is decided that all remaining risks are acceptable and that no further risk treatment is needed with respect to the design.

Can the Rock Engineering Design Process be Codified?
To be of any practical use, the proposed design process must be allowable by the applicable design code. Consequently, the design process ought to conform to the common code formats used for rock engineering design. Noting the current ongoing revision of the Eurocodes, we discuss in this section specifically how the proposed design process can be codified in terms of the format used in Eurocode 7.
Regarding the definition of Uncertainty Classes, Consequence Classes, and Geotechnical Categories (steps 2 and 3 in the framework), we believe that implementation should be rather straightforward. Regarding the selection of preliminary design verification method (step 4) and uncertaintyreducing effort (step 5), the key issue lies in allowing these decisions to be made solely by the designing engineer. From a code-writing perspective, this should in fact ease the work, as there is no need to specify requirements or recommendations regarding, for example, minimum amount of preinvestigations for different design verification methods and geotechnical categories. The principle is clear: The role of the code is not to educate engineers, but civil engineers who use the code need to have the capacity to determine themselves what effort of pre-investigations is needed to ensure high quality in their designed structure. Note that accepting a design based on extremely little information regarding the geotechnical conditions, in our opinion, should be treated as serious negligence-a gross human error made by the decision maker-unless, of course, very large safety margins that correspond to all conceivable conditions have been applied. The absence of requirements and recommendations on these matters in the code does not, however, prevent the code writers from issuing separate handbooks and application guidelines, as, e.g., Frank et al. (2004), if they find relevant to do so.
Seeing that the main purpose of a structural design code is to protect health, safety and general welfare of the general public that occupy the constructed facilities after their completion, the main challenge in implementing risk-based design lies in how to make the code to facilitate-and not to obstruct-the required iterative process (step 6) through its set of clauses, as codes generally only regulate final design requirements and not the design process. In addition, code writers must not forget to regulate also the temporary situations that inevitably occur during construction, as they in rock engineering often are more critical than the permanent situations. One solution is once again to provide suggested design procedures and corresponding executions in handbooks and application guidelines. A key concept is the application of the observational method, as most underground work relies heavily on the possibility to gain information about geological conditions and structural behaviour during construction (Schubert 2008;Palmström and Stille 2015).
Lastly, we note that limit state design may be difficult to enforce to all rock engineering design issues. This needs to be recognised by the design code and alternative design approaches should be allowable in such cases.

Concluding Remarks
In conclusion, we find that design codes ultimately need to facilitate design processes that target the risk, to enable design of structures that not only are sufficiently safe and durable and cost-effectively constructed, but also imply safe and healthy work conditions during construction and an acceptably low environmental impact. The presented generic design process for rock engineering structures satisfies this fundamental requirement and agrees well with ISO's (2009) established risk management procedure. We believe that having a risk-based design code improves transparency of the decision-making in the design process and highlights that design and construction are interconnected in rock engineering. Moreover, by integrating the design work into the project's risk management, a common language is created, which we believe will reduce the risk for human errors. We find codification of the proposed generic process to be rather straightforward, as long as the level of detail in the code is governed by a strict application of ISO's general risk management principles. This allows the designing engineers fully to treat the design work as decision-making under uncertainty. Details on methods and practical recommendations should, in our opinion, instead be provided in separate handbooks and application guidelines.
Lastly, we hope that this article will inspire to other contributions on rock engineering design principles, in particular in light of the ongoing revision of Eurocode 7comments or replies to this article are most welcome.