Certain Uncertainty - Demonstrating Safety in Fire Engineering Design & the Need for Safety Targets

By Danny Hopkin, Ruben Van Coile, and David Lange


In his 2008 IAFSS plenary, Andy Buchannan1 provided a timely reminder that fire safety designs are ultimately limited by the crudest idealization made in the process of arriving at solutions. He was referring to structural design for fire safety, where often highly sophisticated tools and methods were deployed to investigate structural response when subject to comparably primitive idealizations of fire conditions. However, the need for a “consistency of crudeness” isn’t limited to the interface between the structural and fire engineering disciplines.

In developing fire safety designs, engineers endeavor to propose solutions that are aware of project goals and delivered within often-competing constraints.2 The most fundamental of these goals is ensuring that an adequate level of safety is achieved. Defining what is adequate under differing circumstances is not straightforward. The ability to articulate and quantify this most fundamental goal is often the crudest facet of the fire safety design process.3

Convention in Performance-Based Fire Safety Design

By tradition, performance-based fire safety design is deterministic. The adequacy of a proposed design is demonstrated through an evaluation of performance under one or more assumed scenarios and through benchmarking against pre-determined safety objectives. The likelihood of the scenarios is not explicitly considered. Where uncertainty exists about the development of a scenario, assumptions are made (e.g., where the fire is, its severity, its evolution with time, the rates at which species are produced, etc.). When the design passes all performance criteria for a given objective, the achievement of “adequate safety” is assumed and the design is accepted. This assumption is often valid and is premised on fundamental “safety foundations.”

Safety Foundations

The safety foundations are the justifications upon which the safety of the design relies. For traditional deterministic fire safety design, the following two safety foundations are:

  1. Collective Experience of the Profession

    Common and longstanding application in designs, where there are no observations of unacceptable performance in multiple fire events, indicates meeting the fire safety goals.
  2. Large Level of Conservativeness

    The assumptions associated with the investigated scenarios are conservative; acceptable performance with respect to these scenarios is sufficient to demonstrate overall adequate performance.

The first safety foundation recognizes that continued trial and error, combined with public outcry at unacceptable failures, has resulted in the adequacy of design assumptions being accepted by precedent.4 The second safety foundation requires that the large level of conservativeness is obvious and thus requires that the physics of the fire and the basis of the performance criteria are well understood. In the end, the second safety foundation is, again, based on the common experience of the profession. The above is visualized conceptually in the left-hand side of Figure 1 below, introducing the “safe-design triangle” in analogy to the well-known “fire triangle.” Only when the safe-design triangle is based on a solid safety foundation of “collective experience of the profession” can safe design be assumed.

Reliance on the collective experience of the profession can, however, only hold when there are ample examples to learn from (i.e., a sufficient number of fire events) that guide the profession toward adequate safety levels. Consequently, the justification of adequate safety through experience by definition does not hold for exceptional structures, (very) low probability events, or innovative building designs and/or materials.5 This implies that the safety foundation of the safe design triangle is weak, or missing entirely, and thus adequate safety cannot be assumed. To provide a basis for the safe design triangle, an alternative safety foundation must be found. This is an “explicit evaluation of the safety level,” resulting in the right-hand side of Figure 1, indicating a need to explicitly demonstrate adequate safety.

Figure 1. Assumed basis of safe design (left); demonstrated basis of safe design where experience is not an adequate basis (right)

Explicitly Demonstrating Safety

Demonstrating safety requires taking into account the uncertainties associated with the design problem. For example, if a sprinkler system is installed, then the reliability of that system must be taken into account to correctly identify the range of possible consequences (see the probability tree in Figure 2). Evaluating the safety level and demonstrating safety requires that the designer take into account the probabilities of different scenarios and the uncertainty associated with input variables. Consequently, the safety verification should be based on a Probabilistic Risk Analysis (PRA)—a departure from the currently widely adopted deterministic approach to performance-based design.

This makes PRA not a methodology for “future fire safety engineering”6, but rather the methodology that the fire safety community has “neglected for too long,” since it is a necessary methodology to provide a safety foundation for uncommon fire safety designs.

Figure 2. Concept probability tree—the consequence of fire occurrence depend on sprinkler operation. Assuming operation/no operation misses important aspects of the range of consequences

In the UK, guidance on the application of PRA is in PD7974-7:2003,7 which is currently under revision. In its most standard form, PRA considers the entire range of possible consequences C and the associated probabilities P. This combination defines the risk of the design. Acceptability of the design is then determined through absolute or comparative acceptance criteria, or by application of the “As Low As Reasonably Practicable” (ALARP) principle (Figure 3).

Figure 3. Illustrative fN curve—societal acceptance criterion for a disaster: relationship between consequence severity (event severity) and the frequency of event (event likelihood)

Most designs will have to demonstrate that they meet the ALARP criterion. Defining ALARP is, however, difficult, since it requires balancing whole-life investments with uncertain safety benefits. This balancing of costs and benefits can be done explicitly by applying cost-benefit analysis (CBA, or Lifetime Cost Optimization), but the valuation of uncertain future costs and benefits quickly becomes particularly challenging. In structural engineering this challenge is regularly avoided by directly introducing safety targets8.

These safety targets specify the maximum probability of failure considered acceptable for a structural element and have been calibrated through CBA, based on generalized cost assumptions (and on the premise of meeting the tolerance threshold). Thus, the target safety levels applied in structural engineering (i.e., those found in the Joint Council on Structural Safety (JCSS) (probabilistic model code)9 ensure that an adequate safety level is obtained, while implicitly taking into account the costs and benefits of safety investments.

The lack of clearly defined and accepted safety targets in fire safety engineering means that currently a full CBA is required to demonstrate that a design meets ALARP. This, however, can be seen as onerous by fire safety engineers, particularly given that the PRA process is not convention, and perpetuates the sometimes-unjustified reliance on traditional “experience-based” safety foundations.

Conclusion and Call to Action

At a minimum, the role of the engineer is to achieve a design that delivers adequate safety levels. The regulatory environment in which many fire engineers work perpetuates the reliance on either the collective experience of the profession, or a large level of conservatism, to be able to conclude that a design is safe. However, without sufficient probing of the safety level, there is a risk of failing to meet safety obligations, particularly when extrapolating a precedent-premised safety foundation to include exceptional structures.

Fire engineers have the tools—and frequently exercise them—to analyze solutions based on various design values and an almost-endless variety of scenarios. The capability exists to determine additional performance criteria assigned to any project through dialogue with all involved stakeholders: developers, regulators, and end-users. However, to date as a community, there has been little explicit consideration of the safety level as required to demonstrate a safe design. This means that the foundation of the safe design remains assumed as opposed to evaluated.

The fire safety profession has often relied in the past on so-called magic numbers and golden rules10 entrenched in standards and against which the adequacy of alternative solutions are often gauged. The field has progressed now to the point that the tools and techniques available can be applied to explicitly determine the safety levels achieved.

The next step is to address the foundation of safe design and explicitly probe the safety level that is appropriate for a given case. A concerted effort by the fire safety community to address uncertainties and to determine target safety levels as is done in, for example, structural engineering has the potential to significantly improve the process of demonstrating adequate safety for exceptional designs and new applications. In the absence of this, the foundation on which a performance-based solution is accepted is just another crude golden rule, based on precedent.

Danny Hopkin with Olsson Fire & Risk
Ruben Van Coile with University of Edinburgh
David Lange with Research Institutes of Sweden


[1] Buchanan, A. (2008). The Challenges of Predicting Structural Performance in Fires. Fire Safety Science 9: 79-90. doi:10.3801/IAFSS.FSS.9-79.

[2] A. Law, J. Stern-Gottfried, N. Butterworth. (2015). A risk based framework for time equivalence and fire resistance. Fire Technol, 51 (4), pp. 771-784, 10.1007/s10694-014-0410-9

[3] Hopkin, D., Ballantyne, A., O’Loughlin, E., McColl, B., 2016. Design goals – fire resistance demands for tall residential buildings. Proceedings of Interflam 2016.

[4] Spinardi, G., Bisby, L., Torero, J. (2017). A Review of Sociological Issues in Fire Safety Regulation. Fire Technology, 53, 1011-1037

[5] Croce, P.A., Grosshandler, W.L., Bukowski, R.W., Gritzo, L.A. (2008). The International FORUM of Fire Research Directors. A position paper on performance-based design for fire code applications. Fire Safety Journal, 43, 234-236.

[6] Hadjisophocleous, G.V., Benichou, N. (1999). Performance criteria used in fire safety design. Automation in Construction, 8, 489-501.

[7] BSI. (2003). PD 7974-7:2003, Application of fire safety engineering principles to the design of buildings – Part 7: Probabilistic risk assessment. British Standard

[8] ISO 2394:2015, General principles on reliability of structures. International Standard.

[9] JCSS.  (2001). Probabilistic Model Code, Joint Committee of Structural Safety, JCSS-OSTL/DIA/VROU -10-11-2000.

[10] Law, M., Beever, P. (1994). Magic Numbers and Golden Rules. International Association for Fire Safety Science - Proceedings Of The Fourth International Symposium, pp. 79-84.