1 Introduction

Modern fire safety engineering is closely linked with the concepts of probability and risk, as decisions on fire safety investments require a balance between the improbability of a severe fire and the consequences this fire may induce if it does occur [14, 21, 53]. Until recently, fire safety guidance was largely prescriptive in nature and was updated and evolved in large part in response to fire disasters [57], i.e. these were reactive as opposed to proactive. Recent advances in engineering models, computational power and material technology, however, continually introduce new concepts and construction products into the built environment [13]. Prescriptive regulations are by definition unable to keep up with these new developments (in their basic aim to provide an adequate safety level without wasting resources), resulting in a push towards a more performance based system of regulation [57], which in turn has increased the application of Performance Based Design (PBD).

Probabilistic risk assessment (PRA) is commonly accepted as one tool for PBD, as acknowledged by the fact that the UK guidance document PD 7974-7 is devoted to PRA for fire safety [5], by its inclusion in the SFPE Handbook of Fire Protection Engineering [47], by the many associated research projects in different fields of fire safety engineering (e.g. [3, 24, 29, 66]), and by its identification as a research priority by the FORUM of Fire Research Directors [13].

When carrying out a PRA, various performance criteria can be applied. For example, a limiting probability of smoke entering a protected staircase, or a requirement that the obtained safety level exceeds the safety level associated with a prescriptively acceptable design. The different performance criteria can be collated into groups, applying the same underlying concept for defining acceptance criteria, e.g. comparative, absolute, ALARP [5, 22]; these are hereafter denoted as ‘acceptance concepts’. It may seem to the fire safety engineer that free choice exists between these acceptance concepts, i.e. that the most convenient approach can be used without repercussion, since current guidance documents [5] do not typically provide a clear direction on the use of these acceptance concepts. More generally, in everyday discussions with fire safety engineers and researchers, there is no apparent agreement on the acceptance concepts for application of PRA in fire safety design. It is not clear if (in specific situations) PRA is a requirement for demonstrating safety, or whether it is no more than a tool to be applied only when a client or regulatory authority (directly or indirectly) requests it. It is also unclear whether PRA is, in essence, simply a tool for bringing added value through reductions in safety investments compared to traditional (prescriptive/deterministic) solutions. With these points in mind, there is a need to better understand the relationships between different acceptance concepts available for PRA in the context of fire safety engineering.

This paper outlines a relationship between different acceptance concepts for PRA in fire safety engineering, and discusses the professional responsibility of the engineer undertaking design work. This is achieved via presentation of a series of topics, the relationships between which are illustrated in Fig. 1. Goals and constraints in fire safety engineering, and how these are reflected in common design approaches, are first discussed. Definitions of adequate safety (as goals for the fire safety engineering process) are then proposed from a societal perspective. This definition leads to a discussion of the foundations upon which safety ought to be determined—either through experience or conservatism in the case of common situations; or through explicit demonstration of safety in the case of uncommon ones. This definition of adequate safety, as well as the need to explicitly demonstrate it, necessitates a second discussion focusing on the definition of risk, risk curves and scalar measurements of risk, and on the public’s relationship to risk. These concepts are then linked by focusing on the position of PRA in fire safety design (see Fig. 1).

Figure 1

Flowchart describing the paper’s structure as a series of discussions

Referring to existing guidelines for performance based fire engineering, a distinction is drawn between probabilistic performance criteria and deterministic performance criteria. This helps to position PRA in the fire safety design process before introducing the prerequisite of tolerability and the different acceptance concepts which could be used to demonstrate that adequate safety can be achieved from a societal perspective. Turning to the problem of optimisation of solutions, the As-Low-As-Reasonably-Practical (ALARP) requirement is reviewed in detail.

Finally, different acceptance criteria arising from the different acceptance concepts for PRA are presented. These acceptance criteria are set within a hierarchy according to the relative obligation of, and onus on, the engineer who is implementing them.

Most of the concepts reviewed are not novel in their own right, however the goal of the current paper is to clarify, rather than redraw, the lines of PRA in fire safety engineering and to highlight important questions. The aim is to contribute to ongoing discussions on PRA and fire safety engineering by tackling difficult issues and presenting tentative solutions that could lead to significant progress. The discussion ends with a call to action to address some of the challenges which may limit the use of PRA in fire safety engineering, perhaps most importantly the need for consensus in defining objective safety targets for fire safety which are applicable to uncommon buildings.

2 Fire Engineering Design and Its Safety Foundation

Successful fire engineering designs seek to find solutions that fulfil project objectives within a set of competing constraints [44]. According to Hopkin et al. [30], defining the fire safety objectives, their translation into quantitative performance criteria, and the foundations upon which the adequacy of a design is accepted (i.e. acceptance concepts) are considered to be the crudest, i.e. least developed or well defined, aspects of the traditional fire safety design processes. Successful fire engineering, however, necessitates that there is consistency of crudeness in the methods used [44], as was originally highlighted in reference to structural fire safety, and the relative incompatibility of primitive fire models with complex structural response simulations [6]. That is, when combining methods with different levels of detail/sophistication, the crudest approach will govern the overall level of fidelity of the design, diminishing the value of applying detailed models in specific areas. Considering the central position of fire safety objectives in the design process, the need for a consistency of crudeness must be extended beyond the models used for design to include the fire safety objectives, the quantitative performance criteria against which the design will be judged, and the basis upon which the design is accepted (or otherwise) [31].

2.1 Fire Safety Engineering Design Objectives

Fire safety designs obviously aim to satisfy a range of fire safety objective(s). When starting from first principles, specific fire safety objectives are derived from a direct elicitation of stakeholders’ qualitative fire safety ambitions for a project. In practice, fire safety objectives listed in legislative or guidance documents are often considered sufficient, drastically simplifying the design process by avoiding any explicit stakeholder consultation. For example, statutory (although aspirational and somewhat nebulous in practice) fire safety objectives for common building projects in England and Wales are listed in Schedule 1, Part B, of the 2010 Building Regulations (as amended) [59]. However, the fire safety objectives listed in legislative or guidance documents do not necessarily take into account considerations by all stakeholders. In many countries, statutory fire safety objectives are considered to relate mainly to the objective of societal life safety, see e.g. the focus on health and safety of persons mentioned in the EU Construction Products Regulation [18], and the sociological review of regulatory fire safety developments by Spinardi et al. [57].

Looking beyond simple legislative compliance, some more typical fire safety objectives are listed in the SFPE Handbook on Performance Based Design [55], i.e. life safety, property protection, continuity of operations, environmental protection, and historic preservation. This list of fire safety objectives makes no obvious distinction between public (societal) and private fire safety objectives, thus presuming that society is an (indirect) stakeholder. Thus, it is assumed that society must be satisfied with the performance of a building should a fire occur. Pros and cons exist regarding alternative definitions whereby fire safety objectives are differentiated as being either private or societal, however this differentiation is not discussed in the current paper.

For consistency of terminology, all fire safety objectives are considered to fall under the broader definition of safety. Critically, these objectives are qualitative, i.e. no quantifiable level of safety can (currently) be directly assigned to each objective without significant standardisation efforts to reach consensus on the relationship between general objectives and quantitative performance metrics. In other words, there is presently no unambiguous single benchmark or even metric with which to quantifiably assess the safety level directly in terms of the fire safety objectives. Later in this paper, the quantification is introduced through defining performance objectives and criteria.

2.2 Traditional Fire Safety Design Approaches

A significant majority of projects relate to (in the fire safety design sense) straightforward (or common) buildings. As such, the minimum and conventionally adopted fire safety objectives for those common buildings concern those in e.g. the Building Regulations for England and Wales [59]. However, with increasing complexity of a project there may be a need to adopt more sophisticated tools to demonstrate the fulfilment of fire safety objectives. This increasing complexity, combined with a more comprehensive definition of the fire safety objectives, leads to a possible hierarchy of traditional design approaches, comprising on one level: (1) the adoption of prescriptive rules in guidance documents; (2) alternative fire engineering solutions at an intermediate level, or (3) full performance based design (PBD) at the highest level (see Fig. 2). All of these design approaches aim to deliver an ‘adequate’ level of safety, however the way in which each design approach achieves, or demonstrates, this differs. As discussed further, characteristic to all three of the above traditional design approaches is the absence of a quantitative safety target. That is, the probability of not meeting the fire safety objective is not assessed in current (commonly applied) fire safety design approaches.

Figure 2

Possible hierarchy of traditional design approaches with increasing complexity of the design process

The first category (1) in Fig. 2 refers to the application of prescriptive guidelines. When adopting a prescriptive design solution, an adequate level of safety is typically presumed to arise from the application or adoption of the prescriptive rules and guidance [31, 57]. Naturally, this assumption can only apply to buildings falling within the relevant field of application of the prescriptive guidance. Fundamental to the success of such a regime is either: (a) the ability of the guidance to keep pace with innovations, or (b) in the absence of (a), the user’s ability to appreciate that prescriptive guidance has a limited scope of application (either explicitly or implicitly), and adopt alternative approaches where necessary. Prescriptive guidance has historically been developed in a reactive manner, with changes often instigated only after an event has demonstrated inadequate performance in fire [57].

Alternative fire engineering solutions are applied in instances where, for common buildings, deviations from the prescriptive guidance are required because of project specific constraints. For example, a desire to express some structural elements or a need for increased egress travel distances. From the perspective of safety, alternative solutions under this scenario aim to achieve the same implicit ‘adequate’ safety level as solutions which follow the prescriptive guidance. An alternative solution may (qualitatively) assess the increased fire risk resulting from the derogations and seek to offset this increased risk by implementing one or more alternative fire safety features (e.g. sprinklers); or the improved performance in an existing fire safety feature (e.g. the increased fire resistance of protected escape routes). The intention would be to demonstrate that departures from prescriptive guidance maintain at least the apparent level of safety achieved when measured relative to common buildings where the prescriptive guidance is fully applied. That is, the fire safety objectives are deemed to be satisfied on the basis of a qualitative comparative judgement. While the comparison can be based on numerical evaluations of, for example, the evacuation time, the final assessment of (equivalent) fire risk is qualitative, as the obtained safety level is not explicitly determined at any point.

In case of ‘full’ PBD the attainment of adequate safety is no longer directly linked to the adequacy of the prescriptive guidance. Importantly, in a PBD, the fire safety objectives are developed bespoke to the project, as part of a stakeholder elicitation [55]. Thus, a PBD results in a stand-alone evaluation of the adequacy of the design, possibly using prescriptive guidance as a performance benchmark for specific fire safety objectives, but never as a blind justification. In its traditional format, PBD applies deterministic methods, characterizing expected performance for cases deemed to be credible/plausible, and develops solutions accordingly. The adequacy of a design solution is assessed against performance under one or more assumed scenarios and through benchmarking of pre-determined performance objectives (calculable indicators derived from general safety objectives) against corresponding (designer-led) performance criteria. The likelihood of the scenarios is not explicitly considered in traditional PBD. Where uncertainty exists regarding the development of a scenario, there is a need to make assumptions (e.g. fire location, severity, evolution with time, rates of toxic species production, etc. [37]). When the design passes all performance criteria for a given performance objective, the design is accepted. When multiple options are being considered (for example different smoke control systems), and all options pass the performance criteria for a set of scenarios (for example: sufficiently limited smoke in the staircase), no safety preference is deemed to exist between the design options. Any preference between the designs is then fully determined by external (private) criteria (costs, ease of maintenance, aesthetics, etc.). Consequently, as for the above discussion on Alternative Solutions, the treatment of fire risk in the traditional PBD approach is qualitative in nature because no explicit consideration is made of likelihood and the acceptability of the (residual) fire risk inherent in the design.

Characteristic to all three of the above (traditional) design approaches is the absence of a quantitative safety target (i.e. a stated acceptable probability of failure Pf). Thus, the probability that the design does not meet the fire safety objective(s) is not explicitly evaluated. This characteristic of the traditional design solution development process distinguishes any design method as being deterministic as opposed to probabilistic. Increasingly, probabilistic methods are applied in fire safety engineering as a modification of more traditional design approaches. Probabilistic methods can more thoroughly assess the design and explicitly demonstrate the attainment of an adequate safety level (thus, requiring the definition of a safety target). Considering the above distinction between probabilistic and deterministic approaches, assessments in accordance with guidance documents where a quantitative safety target has informed the design rules and design values would, for the discussions herein, be considered probabilistic in nature. This approach of applying specific rules and safety factors in design underlies the Eurocode design formats [9] in structural engineering, ensuring an appropriately low probability of failure while limiting the complexity of the analysis. This approach is commonly referred to as being “semi-probabilistic” [36] and provides a trade-off between simplicity and accuracy. For fire safety engineering applications, however, no generally accepted safety targets and semi-probabilistic design methodologies currently exist, as elaborated further in Sect. 6.

2.3 Defining Adequate Safety

Fire safety engineering aims to limit fire risk to an appropriate level. Safety infinitum, i.e. indiscriminately implementing safety features towards zero fire risk, is impossible as it requires an investment that conflicts with fundamental and (often) immovable constraints such as budget. Even if fire safety budgetary constraints were redefined, the redirection of finances towards proportionally smaller causations of adverse consequences would lead to an inefficient (and unethical) use of societal resources [58].

Considering the impossibility of safety infinitum, a final design implicitly and necessarily includes a residual risk, i.e. a residual probability of an adverse outcome [22]. The acceptable residual risk may differ between stakeholders, may change over time (e.g. in the wake of a disaster), is inherently subjective at an individual level, and is possibly ill-defined on a societal level, see e.g. [23, 58], and [69] for an application to fire safety engineering. This makes the definition of ‘acceptable’ safety particularly challenging in practice. Furthermore, even if an objective, acceptable safety level could be derived, unknown failure modes and modelling limitations may limit an engineer’s ability to identify possible deficiencies. Consequently, the requirement that a design have an acceptable residual risk can only be assessed in relation to the state of knowledge within the fire safety community at the particular moment in time (i.e. from a Bayesian position). This implies that designs which are acceptable today may need to be revisited in the future when an improved understanding of fire science and observed failure events reveal previously unknown or neglected failure modes. This would potentially conflict with current fire regulatory positions, wherein a valid route for compliance would be a non-worsening of a legacy condition/design.

The above discussion suggests that defining acceptably safe designs involves uncertainty and subjectivity. This is unworkable, both from the perspective of the engineer developing the design, and from the perspective of stakeholders or governmental bodies wishing to assess the design, either proactively or reactively. A proxy of an ‘adequately’ safe design is therefore proposed as a benchmark: a fire safety design may be considered adequate if:

An objective, diligent and competent fire safety professional would consider the spectrum of possible consequences (and their associated probabilities) associated with the design to be acceptable to normal societal stakeholders

This adequacy proxy for acceptable safety considers a more objective measure of (societal) expectations against which a design can be compared, and assesses a design’s safety performance in relation to the current state-of-the-art. In essence, this links the expected safety performance of a generic fire safety design to the duty of care of the fire safety professional. The proxy of adequate safety is suggested as a building block for (direct or indirect) self-regulation in the fire safety profession [57].

2.4 The Safety Foundation of Deterministic (Traditional) Fire Safety Designs

The majority of buildings may be considered common in the context of fire safety engineering design norms. As such, via the definitions introduced previously, the design basis is deterministic (i.e. absent explicit safety targets). The attainment of adequate safety is assumed to arise from the application of the method, either through compliance with specific rules, or through the satisfaction of performance criteria adopted by the designer. Necessarily, the assumption of attainment of adequate safety for deterministic designs can only be based on one or both of two fundamental ‘safety foundations’:

1. The collective experience of the profession—i.e., continuous application of longstanding design approaches has not resulted in observations of unacceptable performance in multiple fire events. In this case, the absence of experiences of not-fulfilling fire safety objectives is adopted as a proxy for meeting fire safety objectives. Adequate safety is achieved through precedent, and is assumed to emerge from ‘corrective measures’ after observed failures of performance; and/or

2. A large level of conservatism—i.e. conservatisms are introduced into one or more of the inputs, scenarios and/or performance criteria, and performance under such inputs/conditions is considered to result in an adequate design. This safety foundation requires that the physics of the fire and the basis of the performance criteria are well understood. Due to the highly nonlinear behaviour and complexity of many fire phenomena this will not always be the case. Consequently, a design based on a ‘large level of conservativeness’ is considered as a special case of a design based on the ‘collective experience of the profession’ (i.e. relying upon engineering judgement, either at an individual or collective level).

The concepts and safety foundations of traditional fire engineering designs as discussed above can be conceptually visualized through the ‘safe-design’ triangle of Fig. 3. The safe design triangle is comprised of the scenarios for which a design will be tested (e.g. fire scenarios and egress scenarios); the design values for the model input parameters (e.g. walking speed) under these scenarios; and the performance criteria against which the adequacy of the response will be measured. Design solutions are subsequently trialled until the response fulfils the performance criteria.

Figure 3

Safe-design triangle for prescriptive and traditional fire engineering (deterministic) designs

For this triangle to be well conceptualised, the three sides ideally have a consistent level of crudeness. As similarly stated by Buchanan [6] (with reference to Elms [17]), efforts spent at detailed assessments with respect to one of the triangle’s sides are offset/undermined by the crudeness of the other components. The overall crudeness of the design will therefore be governed by the part of the analysis of least fidelity. In traditional fire-engineering design the entire triangle is founded upon a safety foundation of the ‘collective experience of the profession’, implying that the safe design can be assumed to be attained based upon a designer’s (appropriate) judgements of each of three fundamental components (design values, scenarios, and performance criteria).

2.5 Safety Foundation in the Absence of Experience/Precedent

It is clear that reliance on experience as a safety foundation only works when ample example cases exist to learn from. Technically, this requires sufficient sampling of the failure space (i.e. sufficient fire events). As a consequence, justifying adequate safety through experience cannot, by definition, hold for exceptional structures, for (very) low probability events, or for innovative building designs and materials for which there is no track-record (i.e. no collective experience). For exceptional cases, this necessitates that there is an explicit demonstration of adequate safety in delivering a performance based design, and requires that all consequences are considered with their associated probabilities of occurrence. A probabilistic risk analysis (PRA) must therefore be undertaken, leading to a safety foundation premised on an explicit evaluation of the safety level (Fig. 4). This contrasts with the typical existing position, whereby PRA is typically adopted to: (1) rank design options, (2) realise economies in design, and/or (3) inform investments to achieve private fire safety objectives.

Figure 4

Safe-design triangle for innovative designs/new engineering applications (based on PRA)

3 Risk, Risk Perception, and Risk Aversion

The above discussion suggests that a PRA is necessary to demonstrate adequate safety in specific situations. In other situations, where a PRA is not strictly necessary, it can still provide valuable information within the design process. In the following section, the application of PRA to fire safety engineering is further investigated. First, the concept of risk is defined along with aspects such as risk aversion since these fundamentally influence societal safety expectations.

3.1 The Concept of Risk

No common definition of risk exists [15], but for engineering applications risk can be defined as ‘a function of the probabilities and consequences of a set of undesired events’ [40].

In an extensive PRA, the full spectrum of possible consequences $C$ and their associated probabilities of occurrence $P_c$ is assessed. The curve describing the occurrence probability as a function of the consequence severity is denoted as a ‘risk curve’ [42].

Risk curves can be visualized in different ways. Figure 7 shows a common visualization (log–log scale), where the horizontal axis denotes the consequence severity while the vertical axis gives the probability of exceedance (i.e. the (annual) probability $F_c$ that the observed consequences are equal to or larger than $c$). The probability of exceedance can be calculated through Eq. (1) for discrete consequences, and through Eq. (2) for continuous consequences. Here, $f_c$ is the probability density function for the consequences and $c_{\max}$ is the maximum possible consequence.

$$ F_c = \sum_{c_i \ge c} P_{c_i} $$
(1)
$$ F_c = \int_{c}^{c_{\max}} f_c(c)\,dc $$
(2)

A risk curve gives the stakeholders an understanding of the (modelled) fire safety performance of the design and highlights trade-offs between high probability low-consequence events and low-probability high-consequence events. For example, consider the probability of consequences exceeding 100 units in Fig. 5. The probability of c ≥ 100 is highest for risk curve RC3 and negligibly small for RC1, while the probability of exceedance for low consequences is high for RC1. In other words, the probability of observing any damage is highest for RC1, but its associated probability of observed damage exceeding 20 units is negligible, while RC3 has a lower probability of damage occurrence, but a possibility of much more severe consequences when damage does occur.

Figure 5

Illustrative risk curves and corresponding scalar risk indicator RI. The scalar risk indicator is defined here as the expected value

Often, however, only the integral of the product $C \cdot P_c$ over the spectrum of all consequences $C$ is considered. This results in a scalar risk indicator, mathematically equal to the expected value of the consequences in the considered time-frame of the probability evaluation. In Fig. 5, the expected values for the different risk curves are indicated, illustrating how very different risk curves (curves RC1 and RC3) can correspond to very similar scalar risk indicators. Translating the spectrum of consequences and associated probabilities into scalar risk values thus results in significant loss of information [42]. Specifically, two designs with completely different probability density functions (PDFs) of the consequences may result in the same scalar risk value.
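The following is an added worked example, not code from the paper or its authors. It implements Eq. (1) for a discrete consequence spectrum, a numerical version of Eq. (2) for a continuous density, and the scalar risk indicator (expected consequence) of the paragraph above. The two profiles RC1 and RC3 are constructed to mimic the qualitative description of Fig. 5 (RC1 suffers frequent small losses and never exceeds 20 units; RC3 rarely suffers any loss but can lose 500 units) and are not the paper’s data; the exponential density is likewise an assumed illustration. With these numbers both profiles collapse to the same expected consequence of 1.4 units per year, which is exactly the loss of information the text describes.

```python
"""Risk curves for a discrete consequence spectrum: exceedance probability
(Eq. 1), a midpoint-rule version of Eq. 2 for a continuous consequence density,
and the scalar risk indicator (expected consequence).

Added illustration; the profiles below are constructed, not the paper's data.
"""
import math
from typing import Callable, Dict, List, Tuple

# A discrete risk profile maps a consequence magnitude (units) to the annual
# probability of an event of exactly that magnitude.  Mass not listed is the
# no-event outcome, so the probabilities sum to less than one.
RiskProfile = Dict[float, float]

# Constructed profiles: RC1 = frequent small losses, never above 20 units;
# RC3 = rare losses that can reach 500 units.  Both have expected value 1.4.
RC1: RiskProfile = {1.0: 0.20, 5.0: 0.10, 10.0: 0.05, 20.0: 0.01}
RC3: RiskProfile = {10.0: 0.01, 100.0: 0.008, 500.0: 0.001}


def exceedance_probability(profile: RiskProfile, c: float) -> float:
    """Eq. (1): F_c = sum of P_{c_i} over all discrete consequences c_i >= c."""
    return sum(p for ci, p in profile.items() if ci >= c)


def risk_curve(profile: RiskProfile) -> List[Tuple[float, float]]:
    """The exceedance curve as (c, F_c) pairs ordered by consequence size;
    plotted on log-log axes this is the visualisation the paper describes."""
    return [(c, exceedance_probability(profile, c)) for c in sorted(profile)]


def exceedance_continuous(pdf: Callable[[float], float], c: float,
                          c_max: float, n: int = 20000) -> float:
    """Eq. (2): F_c = integral of f_c from c to c_max, by the midpoint rule."""
    if c >= c_max:
        return 0.0
    h = (c_max - c) / n
    return h * sum(pdf(c + (i + 0.5) * h) for i in range(n))


def scalar_risk_indicator(profile: RiskProfile) -> float:
    """Expected consequence per year: the sum of C * P_C over the spectrum."""
    return sum(c * p for c, p in profile.items())


def same_scalar_risk(a: RiskProfile, b: RiskProfile, rel_tol: float = 1e-9) -> bool:
    """True when two (possibly very different) profiles collapse to the same
    scalar indicator, i.e. when the indicator alone cannot tell them apart."""
    return math.isclose(scalar_risk_indicator(a), scalar_risk_indicator(b),
                        rel_tol=rel_tol)


def exponential_pdf(rate: float) -> Callable[[float], float]:
    """Constructed continuous consequence density f_c(c) = rate * exp(-rate * c)."""
    return lambda c: rate * math.exp(-rate * c)


if __name__ == "__main__":
    for name, profile in (("RC1", RC1), ("RC3", RC3)):
        print(name, "risk curve:", risk_curve(profile))
        print(name, "P(c >= 1):", round(exceedance_probability(profile, 1.0), 6),
              "P(c >= 100):", round(exceedance_probability(profile, 100.0), 6),
              "expected consequence:", round(scalar_risk_indicator(profile), 6))
    print("same scalar risk indicator:", same_scalar_risk(RC1, RC3))
    # For an exponential density with c_max far into the tail, F_c ~ exp(-rate*c).
    print("F_20 (continuous):", round(exceedance_continuous(exponential_pdf(0.05), 20.0, 1000.0), 6))
```

Running the script shows that RC1 has by far the higher probability of observing any damage (0.36 against 0.019), that RC3 alone carries a non-zero probability of consequences at or above 100 units, and that the two nevertheless share one scalar risk indicator; a decision made on the indicator alone could not distinguish them.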

3.2 Public Risk Perception

In the wake of an adverse event, and especially in case of disastrous and mediatized high consequences [7, 58], an increased perceived risk is often associated with the hazard [45]. On the contrary, in the absence of personal experience or (recent) historical precedents, risks may be underestimated [58]. These tendencies of heightened and reduced perceived risk are related to the availability effect [41]. Examples of other factors influencing decisions on risk are probability neglect [68], causing people to neglect order of magnitude changes in low probability risks [58], and psychophysical numbing [20], where considerable changes in ‘numbers of lives saved’ are disregarded when both the initial and final values are high. This implies that individuals may exhibit excessive reactions to risks that are cognitively available and insufficient reactions to risks that are not [58].

Spinardi et al. [57] have observed that fire safety regulations tend to shift in the wake of fire disasters, and Camerer and Kunreuther state that the public may interpret accidents as signals that technology is not as safe as experts say [7]; this is due to the availability effect and results in a form of hindsight bias.

With multiple risk perception phenomena at work, low probability—high consequence (multi-fatality) events are often less tolerated by society than more frequent (i.e. higher probability) events with lower consequences (i.e. a lower number of fatalities), even when the expected value given by the product of the associated frequency and consequence is the same [5]. Choosing between the risk curves RC1 and RC3 in Fig. 5, most humans can be expected to prefer RC1, neglecting the difference in probability for low consequence events and shying away from high consequences. This differentiation in societal tolerance makes it particularly difficult for regulators and the engineering profession to introduce, strengthen, and commit to rational, measured allocation of engineering resources and safety investments. In Sect. 2.3 the objective proxy of the normal societal stakeholder was proposed to overcome the issue of subjective risk preferences by individuals. The overall societal risk perception can thus not be neglected in a PRA, since for the proxy of the normal societal stakeholder the differentiation between low consequence and high consequence events can be considered to apply. This unequal valuation of events that correspond with the same expected scalar risk indicator is referred to as risk aversion. The question then arises as to how this should be taken into consideration in a PRA.

3.3 Risk Aversion

Some authors have argued that apparent risk aversion in societal risk preferences is due to an incomplete assessment of indirect costs [46], and that the true societal preferences correspond with a risk-neutral evaluation (where events with the same risk indicator are similarly valued). This is important because in principle only a risk-neutral position can be justified for a societal decision-maker [49]. Since societal resources are limited, safety investments are necessarily limited as well, and a balance between different safety investments is required. Sunstein [58] suggests that real risk aversion does not exist, since some of the money spent on the overvalued low-probability—high-consequence events could be put to better use elsewhere, thus saving more lives.

Some level of risk aversion may be a pragmatic way of treating the inherent increased uncertainty regarding many high consequence events. That is, the occurrence rate and consequence distribution of low-probability—high-consequence events are, by their very nature, much less understood than those of frequently observed low-consequence events. As the low-probability events are not well understood, some level of restraint may be appropriate, as indirectly identified by Maes and Faber [46], and incorporated in EU and UK Health and Safety Executive (HSE) legislation via the precautionary principle [11, 26]. Furthermore, a trial-and-error approach with respect to these events (which would permit an improvement in understanding in the long run) would not be appropriate [48]. Consequently, a reserve with respect to less well understood (or even unknown) high-consequence events may justify a risk averse position of the societal decision maker, when evaluating risk based on current best available data and models. Possible applications include fire safety for high-rise buildings or nuclear power plants. See also the discussions by Taleb [61] on unforeseen events and decision-making. The above interpretation corresponds with the anti-catastrophe principle proposed by Sunstein as a rational interpretation of the precautionary principle [58].

For a risk neutral decision-maker (or stakeholder) no preference exists between events with the same expected value. Thus, for this risk-neutral decision-maker, a single scalar risk indicator is sufficient. When the decision-maker, however, makes a qualitative distinction between events as a function of the consequence-size or occurrence frequency, a scalar risk indicator is incapable of transferring the necessary information. Some authors have sought to avoid this issue by unequally weighting consequences when calculating the risk indicator, i.e. by introducing (risk aversion) correction factors [50]. However, this distorts the relationship between the risk indicator and the consequence PDF without recovering the lost information, and it frustrates the interpretability and comparability of risk indicators.

It is therefore concluded that, in principle, only the risk curve can transfer the necessary information to the decision maker who does not have a fully risk neutral position. Acknowledging both the advantage of scalar risk indicators in risk communication [67], and the moral preference for a risk neutral evaluation, a compromise is sought to allow the use of a risk neutral scalar risk-indicator, while ensuring that the information incorporated in the risk curve on the entire spectrum of consequences, and the societal aversion to high consequence events, is taken into account.

Accounting for existing risk engineering practice [8], a limiting risk curve can be defined, denoting the societal limit above which designs cannot be justified irrespective of the associated benefits, due to the occurrence rate of events with high consequences. This limiting risk curve is denoted as the tolerability limit. Designs below this tolerability limit are, in principle, acceptable to society if the corresponding benefits are sufficient—commonly this is further specified with a requirement to reduce the residual risk to As Low As Reasonably Practicable (ALARP), see Sect. 5.3. As designs below the tolerability limit are, in principle, acceptable to society, further safety investments below the tolerability limit can (and should) be based on a risk neutral scalar indicator.

4 Demonstrating Adequate Safety in Design

Taking note of the specific aspects of risk discussed above, the position of PRA as part of the fire safety design process is discussed in this section, and the hierarchy of acceptance concepts is investigated in the next. The intention is to clarify how adequate safety can be demonstrated, along with the implications of the different possible acceptance concepts (comparative, absolute, ALARP) on the level of responsibility adopted by the designer.

Considering the safety-foundation of fire engineering design introduced in Figs. 3 and 4, a flowchart is proposed in Fig. 6 describing the design process for demonstrating adequate safety for a generic building design. This is based on the design methodology given in the SFPE Engineering Guide to Performance-Based Fire Protection [55].

Figure 6: Potential flowchart for demonstrating adequate fire safety of a design

As indicated in the flowchart, deterministic and PRA approaches can be combined for a single design, i.e. both approaches can be used to demonstrate adequate safety for different fire safety objectives. The primary criterion governing the choice between the deterministic approach and the PRA is whether adequate safety can be demonstrated through deterministic methods, as indicated by the central decision diamond in Fig. 6. Since there may be other reasons for applying PRA outside the situations of necessity for demonstrating adequate safety, it is of course acceptable to demonstrate adequate safety through PRA even when a deterministic analysis would suffice.

In Fig. 6, the term ‘performance criteria’ is used to denote the pre-determined performance metrics used to assess the design, as discussed in Sect. 2. Contrary to the PRA, the deterministic analysis ignores target failure probabilities or probability assessment, and thus meeting the performance criteria is a binary evaluation (i.e. yes/no, pass/fail). On the other hand, the performance criteria of the PRA are probabilistic in nature and directly relate to a (maximum accepted) target failure probability.

Considering Fig. 6, the definition of performance criteria for PRA (Step 4B) requires special attention. For the more general steps identified in the flowchart (i.e. defining project scope, etc.) the SFPE Engineering Guide to Performance-Based Fire Protection [55] and BS 7974:2001 [4] are cited.

5 Definition of Performance Criteria in PRA

5.1 Concepts for Design Acceptance

The PRA performance criteria are such that the residual risk is appropriately low and an adequate safety level is obtained. The performance criteria will vary depending on the fire safety objectives of the study and should, in principle, be defined through consultation with the stakeholders. Often a distinction is made between absolute and comparative performance criteria, supplemented with ALARP and cost-optimization considerations [5, 22]. FN-curves are regularly used to differentiate as a function of frequency and consequence of an event [40, 67]. All these concepts fall under the definition of ‘acceptance concepts’, which has already been introduced. As mentioned, the relationship between and/or hierarchy of the acceptance concepts is not clear, even in existing guidance documents such as PD 7974-7:2003 [5]; and as a consequence there is some concern that designers are effectively free to choose the acceptance concept which best fits their purposes. It is argued herein that freedom of the designer only applies once the tolerability of the design has been established and, furthermore, that the responsibility level of the designer differs as a function of the applied acceptance concept.

5.2 The Consequence-Frequency Diagram: Tolerability as a Prerequisite for All Designs

Concluding that a trial design meets the requirement of adequate safety for a given design objective necessarily implies that the design is tolerable (with respect to the investigated design objective). A design that is not tolerable cannot be justified irrespective of the associated benefits. The tolerability of a design is a function of the severity of possible consequences and their associated occurrence probabilities, and ensures that societal differentiation between high consequence and low consequence events is taken into account. The tolerability evaluation should be followed by a risk neutral assessment once tolerability has been confirmed, as proposed in Sect. 3.3 as a pragmatic and practical reconciliation of risk neutrality requirements with alleged societal risk aversion.

For example, with respect to the risk of (multiple) fatalities, tolerability limits as a function of the number of fatalities are often specified through the concept of FN-curves [67]. The FN-curve is a specific application of the more general concept of risk curves, discussed in Sect. 3.1, and has its origins in the nuclear industry [19]. The FN-curve displays the (annual) frequency F_N of specified adverse events (e.g. fire) resulting in N or more fatalities [40]. Only designs with a risk curve below a tolerability threshold curve can possibly be justified.

Often a second FN-curve is specified, denoting a threshold below which the design is considered adequately safe without requiring any further justification. In the UK HSE terminology, designs below this lower threshold are denoted as ‘broadly acceptable’ [26]. Ale refers to this limit as the ‘negligibility limit’ [1]. Herein this lower limit is denoted as the ‘de minimis limit’, based on the legal adagium de minimis non curat lex, specifying that there is no requirement to investigate further risk reduction measures below this threshold. This, however, does not negate the designer’s obligation to implement safety measures that are known to be cost-effective [26]. The area between the tolerability and de minimis curves is denoted as the ALARP region. In this region, the risks must be reduced to achieve a risk level which is As Low As Reasonably Practicable. Illustrative examples of FN-curves from the field of land use planning are given in Fig. 7, taken from [8].

Figure 7: Illustrative FN-curves applied for land-use planning, given in [8]. Left: Hong Kong (China) 1993. Right: New South Wales (Australia) 2007

Generalizing the concept of the FN-curve to generic design objectives, a tolerability limit is defined by a limiting risk curve, or frequency-consequence-curve. A conceptual visualization is given in Fig. 8 (FC-diagram). The less conventional shape of the tolerability and de minimis limits compared to the examples in Fig. 7 relates to a number of conceptual issues: (1) The tolerability of low-consequence events is considered to relate mostly to a maximum acceptable value for the probability of occurrence (e.g. a maximum annual probability of a loss of containment scenario). Therefore, the gradient of the tolerability limit is shallow for low consequences; (2) The tolerability of high-consequence events is considered to relate to the severity of the consequences, as observed for example in the Hong Kong land use planning tolerability limit in Fig. 7. Thus, the gradient of the tolerability limit is steep for high consequences which is an explicit acknowledgement of risk aversion (i.e. total non-acceptance of consequences above a certain threshold); (3) The de minimis limit for low consequence events has a steep gradient, indicating a very limited willingness to readily accept higher consequence events without justification (e.g. events with multiple fatalities). Similarly, low consequences may be considered negligible (e.g. emission below a lower threshold value), resulting in a high de minimis threshold for low consequence events; (4) The de minimis limit for high consequences is considered to relate mostly to the probability of occurrence, i.e. an occurrence probability below which no reasonable assessments can be made, since probabilities are negligibly low. Similarly, the very low corresponding probabilities may make an increase in consequence negligible from the perspective of societal risk perception. Therefore the de minimis limit has a shallower gradient at large consequences and flattens out at negligible probabilities.

Figure 8: Generalized frequency-consequence (FC) diagram

The shape of the tolerability and de minimis limits in Fig. 8 results in a wider ALARP region, increasing the range of design solutions requiring explicit cost–benefit assessment, as discussed later in Sect. 5.3. This is a desirable feature since it results in a wider region where safety investments are based on an explicit assessment, thus maximizing societal welfare. The shape of the generalized FC-diagram can intuitively be accepted for fire safety objectives such as environmental protection, property protection, or business continuity.
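As an added illustration of two points made above (example code, not code from the paper), the following Python block computes the risk-neutral scalar indicator and the risk (exceedance) curve for constructed designs with identical expected value, the RC1/RC3 situation of Sect. 3.3, and then positions each design in the FC-diagram of Fig. 8 by testing its curve against constructed tolerability and de minimis limits whose shapes follow the four points discussed for Fig. 8. The scenario sets, the limit curves and the names RC1, RC3 and RC_LOW are assumptions of this example and do not reproduce any jurisdiction's limits.

```python
"""Risk curve vs. scalar risk indicator (Sect. 3.3) and FN-curve screening in
the FC-diagram of Sect. 5.2.

Constructed example: the scenario sets and the tolerability / de minimis
limits are invented for illustration. The limit points mimic the shapes
described for Fig. 8 (shallow-then-steep tolerability limit, steep-then-flat
de minimis limit); they are not any jurisdiction's values.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    frequency: float    # annual occurrence frequency of the scenario
    consequence: float  # consequence per occurrence (here: fatalities N)


def expected_consequence(scenarios):
    """Risk-neutral scalar risk indicator: sum of frequency * consequence."""
    return sum(s.frequency * s.consequence for s in scenarios)


def weighted_indicator(scenarios, aversion_exponent):
    """Scalar indicator with a risk-aversion correction (consequence ** k, k > 1),
    the kind of weighting Sect. 3.3 argues distorts interpretability."""
    return sum(s.frequency * s.consequence ** aversion_exponent for s in scenarios)


def exceedance_curve(scenarios):
    """Risk curve F(c): annual frequency of events with consequence >= c, listed at
    every distinct consequence level (an FN-curve when c counts fatalities)."""
    levels = sorted({s.consequence for s in scenarios})
    return [(c, sum(s.frequency for s in scenarios if s.consequence >= c)) for c in levels]


def loglog_limit(points):
    """Limit curve F_lim(N) through (N, F) points, linear in log-log space and flat
    outside the first/last point, like the straight segments of Fig. 7."""
    pts = sorted(points)

    def limit(n):
        if n <= pts[0][0]:
            return pts[0][1]
        if n >= pts[-1][0]:
            return pts[-1][1]
        for (n0, f0), (n1, f1) in zip(pts, pts[1:]):
            if n0 <= n <= n1:
                t = math.log(n / n0) / math.log(n1 / n0)
                return f0 * (f1 / f0) ** t
        raise AssertionError("unreachable: n lies inside the point range")

    return limit


# Constructed limits (shapes as discussed for Fig. 8, values invented)
TOLERABILITY = loglog_limit([(1, 5e-3), (10, 1e-3), (100, 1e-5), (1000, 1e-8)])
DE_MINIMIS = loglog_limit([(1, 1e-4), (10, 1e-6), (100, 1e-7), (1000, 1e-7)])


def classify(scenarios, tolerability=TOLERABILITY, de_minimis=DE_MINIMIS):
    """Position of a design in the FC-diagram: 'intolerable' if the risk curve exceeds
    the tolerability limit anywhere, 'de minimis' if it lies below the de minimis
    limit everywhere, otherwise 'ALARP region' (cost-benefit assessment required)."""
    curve = exceedance_curve(scenarios)
    if any(f > tolerability(c) for c, f in curve):
        return "intolerable"
    if all(f <= de_minimis(c) for c, f in curve):
        return "de minimis"
    return "ALARP region"


# Constructed designs; RC1 and RC3 share the same expected value (2e-3 fatalities/year)
RC1 = (Scenario(1e-3, 1), Scenario(2e-4, 5))   # frequent, low-consequence events
RC3 = (Scenario(2e-5, 100),)                    # rare, high-consequence event
RC_LOW = (Scenario(5e-6, 2),)                   # manifestly low risk

if __name__ == "__main__":
    for name, design in [("RC1", RC1), ("RC3", RC3), ("RC_LOW", RC_LOW)]:
        print(name, expected_consequence(design), exceedance_curve(design), classify(design))
```

The risk-neutral indicator is identical for RC1 and RC3, yet only RC3 breaches the steep high-consequence part of the tolerability limit, and only RC_LOW falls entirely below the de minimis limit. That difference is exactly the information a scalar indicator cannot convey, which is why a tolerability screen on the full curve is proposed before the risk-neutral ALARP assessment.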

Returning to the application to life safety considerations, FN-curves are often augmented with an individual risk limit which seeks to assure that a specific individual is not subject to a specific level of harm with inappropriate frequency. The HSE define individual risk as “the likelihood that a particular person in some fixed relation to a hazard (e.g. at a particular location, level of vulnerability, protection and escape) might sustain a specified level of harm” [54]. Other authors, e.g. Jonkman [40], place less emphasis on individuals and more on the permanent nature of the hazard. Importantly, the level of individual risk is independent of the size of the population affected due to the realisation of a particular hazard, and concerns an identifiable person or a specific group, e.g. a named individual, a hypothetical (idealized) person, or a community residing in a particular geographical location.

Hazards that lead to individual risks also give rise to societal concerns, and the latter often have a more significant role in deciding whether a risk associated with a particular hazard is unacceptable [27]. The FN-curves discussed above relate to these societal concerns. Contrary to individual risk, the size of the population subject to a specific level of harm due to the realisation of a particular hazard influences whether a risk is tolerable when considering the FN-curves. The population in this case is neither made up of identifiable persons nor members of a specific group. Rather, they are unidentifiable members of a potentially exposed population that could vary in size, but would typically be significant.

Depending upon the size of population and the extent to which identifiable persons are consistently in proximity to a hazard, it is apparent that individual risk tolerability thresholds may govern designs. For the Hong Kong land use planning an individual risk limit of 10^-5 per year is considered. New South Wales guidance limits are in the range of 0.5 × 10^-6 to 5 × 10^-5 per year, and apply as functions of the occupancy type of the exposed land use (i.e. residential, industrial, etc.).

5.3 The ALARP Requirement

5.3.1 Introduction and Interpretation

Figure 8 suggests that designs that fulfil the tolerability prerequisite must subsequently demonstrate compliance with the ALARP requirement to be acceptable. The origin of ALARP is often attributed to the 1949 UK case Edwards versus National Coal Board [51], where Lord Asquith in the Court of Appeal stated that mitigation measures can be waived [only] if there is a gross disproportion between the risk and the costs required to mitigate it [39]: “if it be shown that there is a gross disproportion between them – the risk being insignificant in relation to the sacrifice – the defendants discharge the onus on them” [16]. In 1974, the ALARP principle became an explicit regulatory requirement for health and safety at work in the UK, through the Health and Safety at Work Act [39]. In subsequent decades, the ALARP principle has found application in different ways internationally, e.g. [8] and [50].

The ALARP principle recognizes that beyond a certain point, risk reduction measures may be too costly to implement [39]. Thus, the ALARP principle can symbolically be represented by Eq. (3), where ΔC is the cost of the investigated safety feature, ΔRI is the associated change (< 0) in a scalar risk indicator RI, and a is the disproportionality constant. This symbolic representation specifies a criterion for implementing safety features, i.e. the safety feature should be implemented when the cost–benefit ratio is below the threshold a.

$$ \frac{\Delta C}{ - \Delta RI} \le a $$
(3)

Considering Eq. (3), it is not the risk level which is directly deemed acceptable, but the efficiency of the safety measure. Consequently, the safety measures required as part of the ALARP assessment will depend on the specifics of the building, and the resulting fire safety/risk level will generally differ between buildings. However, the risk level for all buildings must be tolerable as a minimum requirement.

It is therefore proposed that the ALARP criterion of Eq. (3) entails a ‘societal, risk-neutral and scalar cost–benefit analysis’. Different aspects of this definition are discussed below, along with some limitations of the approach and its relationship to private cost optimisation.

5.3.2 Societal Risk Neutral and Scalar Risk Indicator

The ALARP requirement relates to a demonstration of adequate safety. Consequently, the ALARP criterion is evaluated from a societal perspective. Private considerations reside under ‘other reasons for PRA’ as already mentioned. These alternative motivations are not directly concerned with the FC-diagram of Fig. 8 or with demonstrating adequate safety.

As discussed in Sect. 5.2, only risk neutrality can (in principle) be justified for a societal decision-maker. A certain risk aversion can be accepted with respect to the tolerability and de minimis limits as a pragmatic way of tackling uncertainty in terms of rare events and taking account of societal risk preferences (Sect. 3.3); however, the subsequent ALARP assessment should necessarily be fully risk neutral (in accordance with traditional considerations of social welfare [49]). Any other position would result in an unnecessary loss of lives as a result of under-investment elsewhere, see e.g. [58]. The tolerability assessment ensures that all consequences in the ALARP assessment are bearable. The risk neutrality also implies that the ALARP assessment is done based on a scalar risk indicator, since no qualitative distinction is made between low and high consequence events.

Applied to the fire safety objective of life safety, this results in a maximization of lives saved for the project at hand (when considering all possible safety measure combinations as part of the cost–benefit analysis, see Sect. 5.3.4). It is, therefore, not the individual risk, nor the societal risk that is reduced to a minimum. Rather, application of the proposed ALARP interpretation to life safety in the context of fire safety ensures that finite financial resources are applied where they are most effective at saving lives. It is emphasized that individual risk tolerability is a boundary condition in the ALARP assessment, resulting in a prohibition on imposing risks on identifiable persons, as discussed in Sect. 5.3.5.

The concept of preceding the ALARP evaluation with a tolerability assessment thus conceptually corresponds to decision-making where a cost–benefit analysis is preceded by a minimax regret assessment [2].

5.3.3 Gross Disproportion

The scalar risk-neutrality presented above has the important consequence that the concept of gross disproportion, mentioned by Lord Asquith [51], is not explicitly retained in the current paper’s interpretation of ALARP, and that the disproportionality constant, a, in Eq. (3) is rather a proportionality constant. This is justified by considering the requirement of gross disproportion as an aspect of risk aversion that is incorporated within the tolerability assessment, resulting in an ALARP interpretation which is closer to the precise Dutch interpretation as a true cost–benefit assessment [1]. Thus, through the benchmark of the objective, diligent, and competent fire safety professional, and the proxy of the normal societal stakeholder, the ‘reasonably practical’ nature of a proposed design is, in the current paper’s interpretation of ALARP, (in principle) an objective question. If a design is scrutinised (e.g. after a fire event), the question is not what the value of a should be, but whether the proportionality constant has been set considering the combined fire safety professional benchmark and societal stakeholder proxy. This avoids the criticisms raised by Melchers [48] with respect to subjective ALARP criteria, where e.g. (1) different regulatory authorities have their own interpretation of what constitutes an ALARP design, (2) societal risk aversion is (implicitly) part of the ALARP evaluation, (3) lobby groups try to influence the assessment, and/or (4) the ALARP evaluation ends up being a political decision. Arguably, in the absence of an extensive set of accepted reference cases or guidance documents by professional bodies, Melchers’ criticism can still influence specification of the threshold value of a in practice. This will, however, alleviate as reference cases and guidance documents become available.

Furthermore, it is hypothesized that the gross disproportion in the HSE ALARP assessment can partially be related to a wariness with respect to a private valuation of societal costs (or in extremis, an attempt to apply ALARP directly to a private valuation—which cannot be supported since the private choice of valuation is necessarily free, with societal considerations as boundary requirements [36]). Similarly, a wariness with respect to a private valuation of societal costs and benefits has induced Fischer [22] to neglect material societal benefits when defining minimum fire safety investment levels in life safety. This, however, undercuts the intention of the approach in situations with considerable material societal benefits resulting from an expensive life safety investment.

Other justifications for applying gross disproportion in ALARP evaluations have been presented [39], but these implicitly relate to the considerations above on the uncertainty (and risk aversion) with respect to high consequence events, the incomplete assessment of costs indicated in [46], and a wariness with respect to the designer’s valuation of societal costs and benefits, as well as on the issue of identifiable persons being at risk. Wilful shortcomings in the societal valuation by the designer ought to be addressed through the legal system (as is the case for other types of liability), and not through knowingly increasing the safety requirement to disproportionate levels (e.g. Jones-Lee and Aven report a disproportion factor of 3–10 applied by the UK Rail Inspectorate, HMRI, in cases of high individual risk [39]). Application of (large) disproportion factors would lead to an unjustifiable overinvestment in safety, as acknowledged in discussions in the UK House of Lords [35], reported in [39]. On the other hand, it is acknowledged that a design which applies a gross disproportion factor in the ALARP assessment will more clearly demonstrate its fulfilment of the ALARP requirement, limiting the possibility of questioning the design. Especially in the absence of a set of reference cases or guidance documents, this approach allows for practical decision-making. This application of a gross disproportion factor should, however, be considered as a pragmatic choice made by the designer who aims to limit the possibility of scrutiny, or who wants to simplify the assessment to a limited evaluation (as an assessment with gross disproportion multiplication does not need to be as detailed [1]).

5.3.4 Societal Cost–Benefit Analysis, and the Relationship with Private Decision-Making

The formulation of Eq. (3) requires the definition of a threshold a. However, rewriting Eq. (3) results in Eq. (4), where –ΔRI is necessarily a positive quantity for a reasonable risk reduction measure (where a high RI corresponds with a high risk level and a low RI with a reduced risk level). Equation (4) suggests that the safety feature should be implemented if the (monetary) costs are smaller than the product of a factor, a, and the change in scalar risk indicator. Since for comparability the right-hand side of the inequality necessarily also has monetary units, the factor a is simply a valuation constant for the risk indicator RI, translating the change in the scalar risk indicator into an equivalent monetary value. The larger the valuation constant a, the more safety measures will need to be implemented for the design to be considered ALARP (always under the prerequisite of tolerability). If the value of a is sufficiently large, this may push specific designs into the de minimis region as part of the ALARP requirement.

$$ \Delta C \le a \cdot \left( { - \Delta RI} \right) $$
(4)

The above transforms the ALARP criterion of Eq. (3) into a traditional (monetary) cost–benefit analysis (CBA). A safety feature is then implemented if the benefit outweighs the cost, as applied in [34, 65]. As ALARP is always assessed from a societal perspective, the valuation in the cost–benefit analysis is necessarily also made from a societal perspective. As touched upon in the previous section, this introduces a number of practical difficulties:

A first difficulty relates to the designer’s trustworthiness when evaluating the societal costs and benefits sometimes being (indirectly) questioned, e.g. [22, 39]. Jones-Lee and Aven consider this a reason for applying a disproportionality factor to the assessment, but note that this puts undue strain on designs which have been properly assessed [39]. Fischer proposes not to consider monetary benefits due to cost or damage reductions when investing in life safety [22], although this distorts the assessment in favour of not requiring the safety feature [63]. As discussed above, however, and as indicated in Fig. 9, this wariness with respect to the designer’s evaluation of costs and benefits seems unnecessary; it is the designer’s obligation to evaluate these costs as a ‘reasonably diligent and competent professional’ and they would incur liability in failing to do so.

Figure 9: Flowchart to determine the applicable PRA acceptance criteria for demonstrating adequate safety

A second difficulty relates to the valuation of societal costs and benefits being (at times) difficult by itself, as it is (generally) a private investor who bears the costs of the safety measure. However, in the absence of further specification, it is reasonable to assume that the private investor will account for the safety investment costs when charging other companies or the general public for services. Consequently, in most cases it is reasonable to equate the societal cost of a safety feature with the investment cost for the private investor. With respect to the valuation of further indirect societal benefits it is considered that non-negligible costs (e.g. risk of fire spread to other buildings) can be identified and assessed using simplified models.

Fully-private fire safety objectives can of course be assessed using similar methods, i.e. a traditional cost–benefit evaluation with free choice of valuation by the private decision-maker. For example, the private decision-maker is allowed to apply free (private) valuation and cost–benefit assessments to determine the optimum investment level with respect to life safety considering his own private preferences. In those situations, the societal ALARP investment level functions as a lower bound to the private cost-optimisation as conceptually proposed by Fischer [22] and incorporated in the recent ISO standard on structural safety ISO 2394:2015 [36].
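The ALARP criterion of Eqs. (3) and (4), its reading as a societal cost-benefit test, the gross-disproportion practice of Sect. 5.3.3, and the remark in Sect. 5.3.2 that all measure combinations should be considered, are illustrated by the following added Python example (not code from the paper). The event-tree model, the three measures with their costs and effects, and the valuation constant A are constructed assumptions; RI is taken as expected fatalities per year, so A is a hypothetical monetary valuation per unit of RI and A · (−ΔRI) has the units of ΔC.

```python
"""ALARP as a societal, risk-neutral, scalar cost-benefit screening
(Eqs. (3) and (4), Sect. 5.3).

Constructed example: the event-tree model, the measures, their costs and
effects, and the valuation constant A are invented for illustration and are
not values from the paper.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float                   # ΔC: cost of the measure, monetary units
    spread_factor: float = 1.0    # multiplies P(fire spread | ignition)
    fatality_factor: float = 1.0  # multiplies expected fatalities given spread


# Baseline event tree (constructed values)
IGNITION_FREQ = 0.02            # fires per year
P_SPREAD = 0.3                  # probability a fire spreads beyond the room of origin
FATALITIES_GIVEN_SPREAD = 0.5   # expected fatalities per spreading fire

MEASURES = (
    Measure("Sprinklers", cost=200_000, spread_factor=0.2),
    Measure("Compartmentation", cost=80_000, spread_factor=0.5),
    Measure("Additional stair", cost=300_000, fatality_factor=0.6),
)
A = 1e8   # hypothetical valuation constant a of Eq. (4): monetary units per unit RI


def risk_indicator(measure_set):
    """Risk-neutral scalar RI (expected fatalities/year) with the given measures
    installed. Factors multiply, so a measure's effect depends on what else is
    installed: reductions are not additive across measures."""
    p_spread = P_SPREAD
    fatalities = FATALITIES_GIVEN_SPREAD
    for m in measure_set:
        p_spread *= m.spread_factor
        fatalities *= m.fatality_factor
    return IGNITION_FREQ * p_spread * fatalities


def delta_ri(measure_set, baseline=()):
    """ΔRI of adding measure_set to a baseline configuration (< 0 for a reduction)."""
    return risk_indicator(tuple(baseline) + tuple(measure_set)) - risk_indicator(baseline)


def cost_benefit_ratio(measure_set, baseline=()):
    """Left-hand side of Eq. (3): ΔC / (-ΔRI)."""
    reduction = -delta_ri(measure_set, baseline)
    if reduction <= 0:
        raise ValueError("not a risk-reducing measure set")
    return sum(m.cost for m in measure_set) / reduction


def required_by_alarp(measure_set, a=A, disproportion=1.0, baseline=()):
    """Eq. (4): implement if ΔC <= a * (-ΔRI).
    disproportion > 1 inflates the benefit side to mimic the gross-disproportion
    practice discussed in Sect. 5.3.3; the paper's own reading corresponds to 1.0."""
    cost = sum(m.cost for m in measure_set)
    return cost <= disproportion * a * (-delta_ri(measure_set, baseline))


def screen_individually(measures=MEASURES, a=A, disproportion=1.0):
    """Apply Eq. (4) to each measure on its own against the bare baseline."""
    return [m.name for m in measures if required_by_alarp((m,), a, disproportion)]


def best_combination(measures=MEASURES, a=A):
    """Enumerate all measure combinations and return the one maximising the
    societal net benefit a * (-ΔRI) - ΔC, together with that net benefit
    (the empty set, net 0, if nothing pays off)."""
    best_names, best_net = (), 0.0
    for k in range(1, len(measures) + 1):
        for combo in combinations(measures, k):
            net = a * (-delta_ri(combo)) - sum(m.cost for m in combo)
            if net > best_net:
                best_names, best_net = tuple(m.name for m in combo), net
    return best_names, best_net


if __name__ == "__main__":
    print("baseline RI:", risk_indicator(()))
    print("required individually:", screen_individually())
    print("required individually, disproportion 3:", screen_individually(disproportion=3))
    print("best combination:", best_combination())
```

Screening each measure in isolation passes sprinklers and compartmentation, and a disproportion factor of 3 additionally forces the costly stair. Enumerating combinations shows that compartmentation alone yields the highest net societal benefit: once it is installed, the marginal reduction from sprinklers no longer covers their cost, so evaluating measures only one at a time against the bare baseline overstates what ALARP requires.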

5.3.5 Limitation: No Direct Application to Identifiable Persons

Special emphasis is placed on the statement that a monetary value is placed on a reduction of risk to human life and that this should not be interpreted as putting a direct value on any specific human life. In no circumstances can the ALARP principle be used to balance the lives of identifiable persons against a monetary benefit. Activities where identifiable persons are exposed to a high level of fire-related risk and where only costly risk-reduction measures are available, will generally be intolerable. In principle those activities can, therefore, not be accepted.

It is not unthinkable that the specific activity at hand nevertheless must be performed, for example because it is essential for providing safety to many more people. One could think of a team of engineers providing maintenance in a high-risk area in an industrial plant, where failure to perform the necessary maintenance may result in a societal catastrophe. Those specific situations fall outside the scope of traditional PRA. In those situations, a direct agreement between the stakeholders is recommended. This may result in the implementation of fire safety measures beyond those considered cost-effective in a CBA. Also, alternative compensation measures (e.g. remuneration) can be considered. These aspects are not further discussed here.

5.3.6 Flowchart Indicating the Hierarchy of Acceptance Criteria

Section 4 introduced a means of evaluating situations when adequate safety can be demonstrated through deterministic appraisal, or alternatively, where PRA is central and the level of safety must be explicitly evaluated. Upon arriving at a need for PRA, Sect. 5.1 introduced acceptance concepts, identifying ambiguity regarding their interaction and hierarchy. Herein, a proposed hierarchy of acceptance concepts is introduced, with Fig. 9 offering a conceptual visualization of this hierarchy.

Figure 9 is conceived as a flowchart determining which acceptance concept can be applied to demonstrate adequate safety (via PRA) and what this implies for the designers’ (and stakeholders’) responsibilities. This focus on the designers’ responsibility relates to the statement by Spinardi et al. [57] that performance based design approaches “appear to shift responsibility towards forms of self-regulation that depend on the professionalism and technical competence of fire safety engineers”.

The first decision node in Fig. 9 indicates whether or not tolerability is explicitly assessed. The option to omit the tolerability evaluation relates to the aim to provide a place for current engineering practice. However, in those situations only a comparative safety evaluation is open to the designer (AC1 in Fig. 9), with the designer taking responsibility for the relevance and tolerability of the reference design. The suggestion to limit acceptance concepts to a comparative safety evaluation in absence of an explicit tolerability assessment is based on the consideration that a PRA premised on an absolute or ALARP evaluation would at least implicitly entail an assessment of the possible consequences and associated probabilities needed for an explicit tolerability assessment.

The second decision node relates to the application of the de minimis limit, i.e. for designs which manifestly impose only very limited risk (with respect to one or more safety objectives), there is no need for further detailed evaluations, resulting in application of AC2 in Fig. 9.

In all other situations, the design is situated in the ALARP region of Fig. 8 (ALARP sensu lato). A detailed cost–benefit analysis (ALARP sensu stricto) as discussed above can, however, be omitted by approximating the ALARP criterion by absolute safety targets (AC3) or through a comparative safety evaluation (AC5). The use of absolute safety targets as a proxy for an ALARP assessment is, for example, standard practice in structural engineering design, through the safety framework of the structural Eurocodes [9].

Comparative safety evaluations are indicated twice in the flow-chart of Fig. 9, but the corresponding level of the designer responsibility differs. This is elaborated in the following sections, with Sect. 5.4 providing a more detailed comparison between the different ACs of Fig. 9, and Sect. 5.5 discussing pitfalls specific to comparative safety assessments.

5.4 Acceptance Criteria for PRA and Implications on the Designers’ Responsibilities

A detailed overview of the different acceptance criteria identified in Fig. 9 is given in Table 1. Special emphasis is put on the consequence of the chosen acceptance criterion for the designer’s responsibility. The comparative safety criteria of AC1 and AC5 are, however, prone to a number of pitfalls. These are discussed in more detail as special cases in Sect. 5.5.

Table 1 Detailed Overview of Acceptance Criteria Identified in Fig. 9

Table 1 further contains a conceptual application for each of the safety criteria (AC1-AC5), where its application is described for determining the structural fire resistance for a 200 m tall high-rise residential building considering the objective of life safety for the occupants. For this example, it is assumed that the available prescriptive guidance for residential high-rise buildings in the country of origin is (explicitly or implicitly) limited to lower heights (i.e. the building is uncommon). The building is sprinkler protected and has permanent on-site presence. For clarity in the discussion, tolerability limits are described by a single probability measure (denoting an overall probability of structural failure of a critical component given fire exposure). As indicated in Fig. 8, the tolerability limit can be defined by a full consequence-frequency diagram. For structural fire resistance applications, the link between consequences and occurrence probabilities may relate fire-induced structural failure to the time of failure (i.e. taking into account the building occupancy as a function of time during the evacuation process, as in [33]). In the presented text, it is assumed that the tolerability (and de minimis) assessments have been specified in simpler terms in discussion with the stakeholders. Note that the procedures described are illustrative only, i.e. the examples should not be considered to exhaustively describe options for the different ACs (for example, methods to define the tolerability limit are generally applicable, independent of the AC).

5.5 Pitfalls of Comparative Safety Evaluations

Comparative safety assessments are often considered to allow the level of detail of the PRA to be limited, as some model aspects in the evaluated design and the reference design are assumed to cancel each other out (e.g. fire ignition frequency) [5].

As an approximation of the ALARP criterion, the comparative safety assessment allows ALARP to be demonstrated without a detailed evaluation of costs and benefits, provided the costs and benefits of the reference design are similar to those of the assessed trial design. As a tool for an indirect tolerability assessment (as applied in AC1), the spectrum of possible consequences and associated probabilities must be comparable.

However, comparative safety evaluations are prone to a number of pitfalls; these cannot be ignored when demonstrating equivalence. The following list is based on discussions in [22] and [28]:

(a) Accepted prescriptive design solutions are not necessarily tolerable, and (consequently) are not necessarily ALARP. While prescriptive requirements can be assumed to converge upon tolerable designs and subsequently ALARP if allowed to evolve, this requires sufficient time and a sufficiently high number of observed failures. Thus, in case of longstanding design approaches, the assumption of tolerability and ALARP can generally be considered to hold. However, this is not the case when new design approaches or materials are introduced in prescriptive guidance. This relates to the absence of ‘collective experience of the profession’ as a safety foundation for exceptional designs and new applications (see Sect. 2.5).

(b) Similarly, not all prescriptive guidance relates to common buildings, see e.g. [60]. Such prescriptively accepted design solutions thus lack testing and cannot serve as a benchmark founded on the collective experience of the profession.

(c) Safety levels incorporated in prescriptive guidance differ between building types. Consequently, there is room for influencing the comparison through the choice of prescriptive design solution used as a benchmark for the comparison, e.g. two otherwise identical UK offices, but with a top qualifying storey height of 30 m (without sprinklers) versus 30.1 m (requiring sprinklers as per [12]).

(d) The application of prescriptive guidance to structures that are outside the scope of the guidance document cannot result in a benchmark for adequate safety. Consequently, the scope of the building must necessarily remain inside the (extended) scope of the prescriptive standard when demonstrating equivalency.

(e) Modelling assumptions and simplifications applied in the safety evaluation do not necessarily have the same effect on both the prescriptive design solution and the alternative design (i.e. the ‘asymmetry effect’). Modelling assumptions which are at first sight ‘conservative’ can unduly penalize the reference design.

6 Discussion and Outlook

6.1 Difficulty in Application

The discussions above identified PRA as a necessary tool for demonstrating adequate safety for exceptional designs and new applications. The generalized FC-diagram of Fig. 8 and the hierarchy of acceptance criteria presented in Fig. 9 imply that most designs will need to demonstrate that they meet the ALARP criterion sensu lato (i.e. via application of AC3, AC4 or AC5). The detailed cost–benefit assessment in the ALARP evaluation sensu stricto (i.e. AC4) requires a balancing of whole-life investments with uncertain safety benefits. This balancing of costs and benefits can be done explicitly by applying cost–benefit analysis (CBA, or Lifetime Cost Optimisation). Details on the methodology are given in [22, 52] and [62], but the valuation of uncertain future costs and benefits is challenging.
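The cost–benefit balancing of the ALARP evaluation sensu stricto (AC4) can be made concrete as a lifetime cost optimisation: each design option is charged its up-front investment plus the present value of the expected losses it leaves in place over the design life, and the option with the lowest expected whole-life cost is the ALARP point. The following is an added example written for this page, not a method or data set from the paper or its references [22, 52, 62]; the option names, investment figures, annual failure probabilities, the 50-year design life, the 3 % discount rate and the monetised failure consequence are all constructed assumptions.

```python
"""Lifetime cost optimisation as an ALARP (sensu stricto) check (added illustration).

All investment figures, failure probabilities, the design life, the discount
rate and the monetised failure consequence are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Measure:
    """A candidate fire safety design option for one element."""
    name: str
    investment: float           # up-front cost of the safety investment (constructed)
    annual_failure_prob: float  # annual probability of the adverse event with this option (constructed)


def present_value_factor(years: int, rate: float) -> float:
    """Sum of discount factors for a constant annual amount over the design life."""
    if rate == 0:
        return float(years)
    return (1 - (1 + rate) ** -years) / rate


def lifetime_costs(measures: Iterable[Measure], failure_cost: float,
                   years: int, rate: float) -> Dict[str, float]:
    """Expected whole-life cost per option = investment + present value of expected annual losses.

    failure_cost is the scalar, risk-neutral monetisation of the consequences of one
    adverse event (property loss plus the societal valuation of the lives at risk).
    """
    pv = present_value_factor(years, rate)
    return {m.name: m.investment + m.annual_failure_prob * failure_cost * pv for m in measures}


def optimal_measure(measures: Iterable[Measure], failure_cost: float,
                    years: int = 50, rate: float = 0.03) -> str:
    """Option minimising expected whole-life cost, i.e. the ALARP point of this CBA.

    Any further investment beyond this option costs more than the risk reduction it buys,
    so additional measures are not 'reasonably practicable' under the chosen valuation.
    """
    costs = lifetime_costs(measures, failure_cost, years, rate)
    return min(costs, key=costs.get)


# Constructed design options for a single element, ordered by increasing investment.
OPTIONS = [
    Measure("baseline", 0.0, 2e-4),
    Measure("upgrade A", 200_000.0, 5e-5),
    Measure("upgrade B", 600_000.0, 1e-5),
]

if __name__ == "__main__":
    # Sweep the consequence valuation to show how strongly it steers the optimum.
    for failure_cost in (5e7, 2e8, 1e9):
        print(f"failure cost {failure_cost:.0e}: optimum = {optimal_measure(OPTIONS, failure_cost)}")
```

Running the sweep shows the point the paragraph makes about valuation: with the constructed figures the baseline is optimal at a failure cost of 5e7, upgrade A at 2e8 and upgrade B at 1e9, so the outcome of an AC4 assessment turns on the monetisation of uncertain future consequences rather than on the arithmetic.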

In accordance with Fig. 9, the explicit cost–benefit evaluation can be avoided by approximating the ALARP assessment either through a comparative safety evaluation (AC5) or by using absolute criteria (AC3). The pitfalls of comparative safety assessment (Sect. 5.5), the workload associated with developing and evaluating an often project-specific reference design, and the need to justify its applicability, however, make AC5 less attractive. Absolute (conservative) safety criteria, on the other hand, would provide a valuable tool to simplify PRA-based fire safety design, similar to their adoption in structural engineering.

6.2 Absolute Safety Targets in Structural Engineering

In structural engineering the need for an explicit ALARP assessment through CBA is commonly avoided via explicit safety targets [9, 36] and [38]. These safety targets specify the maximum probability of failure considered acceptable for a structural element, and have been calibrated through CBA based on generalized cost assumptions (and on the premise of meeting the tolerability threshold) [64]. Thus, the target safety levels applied in structural engineering ensure that an adequate safety level is obtained, while implicitly accounting for the costs and benefits of safety investments [36]. In the Eurocode design philosophy, these safety targets are the basis for defining safety factors used in everyday structural design practice [25], slightly obscuring the safety foundation, but ensuring that adequate safety is obtained [9].

No similar clearly defined and accepted safety targets, however, exist in fire safety engineering. The applicability of the structural engineering targets to structural fire safety design has been discussed by both Hopkin et al. [32] and Lange et al. [43], and as part of the Natural Fire Safety Concept (NFSC) [56], where the normal design target failure probabilities were scaled with the fire occurrence rate to determine target failure probabilities for structural fire design. While the NFSC has found application in the current version of the Eurocodes [10], recent assessments have questioned the underlying assumptions and recommend further evaluations [64]. In particular, a differentiation in target safety levels as a function of time from ignition, i.e. separate ‘evacuation phase’ targets and ‘burn-out’ targets, has been proposed [32] and is under investigation [33].

Importantly, the target safety levels from structural engineering cannot be readily transposed to general fire safety design. The costs and benefits of different safety measures related to, for example, smoke control or external fire spread are (likely) fundamentally different from the costs and benefits obtained in structural engineering. Consequently, for non-structural aspects of fire safety design, no target safety levels are currently available, implying that absolute criteria (AC3) can only be applied on a case-by-case basis. In most situations, a full CBA (AC4) will be required to demonstrate ALARP. This severely hampers the increased use of PRA for fire safety design and may perpetuate the (sometimes) unjustified reliance on traditional ‘experience based’ safety foundations.

6.3 Call for Action

In order to support the fire safety industry’s move towards a clear safety foundation for all fire engineering designs, a concerted effort by the fire safety community to address uncertainties and to determine target safety levels is required. This has the potential to significantly improve the process of demonstrating adequate safety for exceptional designs and new applications.

Specifically, the fire safety community could look towards the Joint Committee on Structural Safety and its Probabilistic Model Code [38] and ISO 2394:2015 [36] for inspiration on the development of risk- and reliability-based fire safety methods. Although codification cannot take away the duty of care of the fire safety designer, a ‘Probabilistic Model Code’ with information for PRA in fire safety design can significantly improve the safety foundation and the comparability between designs within the fire engineering profession.

7 Conclusions

Starting from an investigation of traditional fire safety design approaches, the safety foundation of fire safety designs has been discussed, resulting in a proposal for two ‘safety-triangles’. For prescriptive designs and traditional deterministic fire-engineering designs, the basis of the safety triangle is given by the collective experience of the profession. However, for innovative designs, reliance on the collective experience is impossible and in those situations adequate safety must be explicitly demonstrated. This leads to a suggestion to apply probabilistic risk assessment (PRA) in fire safety design and highlights the potential for shortcomings in current deterministic fire design approaches for uncommon buildings.

Every fire safety design necessarily includes a residual risk. The level of residual risk which is considered acceptable may differ between stakeholders, may change over time and is largely subjective. To define a workable safety benchmark against which to assess designs, the concept of ‘adequate safety’ is proposed as an objective proxy for the subjective assessment of acceptable safety (i.e. acceptable residual risk). This benchmark of adequate safety is intended to drive the fire safety professional towards both technical excellence and reflexiveness. A professional who is less familiar with specific aspects of fire safety science cannot be expected to deliver an adequately safe design and will thus fail to fulfil their duty as a designer. In these situations, the concept of adequate safety should push the designer to acknowledge the limits of their competence and therefore to consult other more competent professionals. The proxy of adequate safety helps to avoid many of the pitfalls and criticisms for risk acceptance in fire safety highlighted in literature.

Little discussion is found in current literature and guidance documents on the relationship between different acceptance concepts (comparative, absolute, ALARP). To alleviate this, the hierarchy of different acceptance concepts (often denoted as ‘acceptance criteria’) has been clarified with a focus on fire safety design, placing special emphasis on the prerequisite of tolerability and the evaluation of ALARP. The prerequisite of tolerability assures that societal risk considerations are accounted for in the design process. Because risk aversion is considered to be a pragmatic way of handling uncertainty regarding rare events with severe consequences, the tolerability assessment through FN-curves is recommended. These FN-curves can explicitly take into account a differentiation in tolerability as a function of the consequence size through an appropriate shape of the curve. Considering obligations for societal decision makers to value all risk to human life equally, the subsequent ALARP assessment necessarily entails a societal, risk-neutral, and scalar cost–benefit analysis, choosing between safety features so as to maximize societal welfare (i.e. maximize the number of lives saved within the scope of the project, when considering the objective of life safety).
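The FN-curve tolerability check recommended above, and the placing of a design in the de minimis, ALARP or intolerable region of the FC-diagram of Fig. 8 described for the decision nodes of Sect. 5.3, can be carried out mechanically once a scenario set and the two limit curves are fixed. The following is an added example written for this page and not code or data from the paper: the limit curves are taken as straight lines F_lim(N) = c / N^a on the log-log FN-diagram, where the exponent a > 1 expresses the risk aversion towards rare severe events that the text refers to as the ‘shape of the curve’; the constants c, the exponent, the scenario names and their frequencies are all constructed assumptions.

```python
"""FN-curve tolerability check for a fire safety design (added illustration).

The curve constants, risk-aversion exponent and scenario frequencies below
are constructed for the example; they are not values from the paper.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Scenario:
    """One fire scenario: its annual frequency and its consequence size N."""
    name: str
    frequency: float  # occurrences per year (constructed)
    fatalities: int   # consequence N plotted on the FN-diagram


def fn_curve(scenarios: Iterable[Scenario], n_values: Iterable[int]) -> List[float]:
    """Exceedance frequency F(N): summed frequency of all scenarios with at least N fatalities."""
    scenarios = list(scenarios)
    return [sum(s.frequency for s in scenarios if s.fatalities >= n) for n in n_values]


def limit_curve(c: float, a: float) -> Callable[[int], float]:
    """Straight line on the log-log FN-diagram: F_lim(N) = c / N**a.

    a = 1 is risk-neutral (a fatality counts the same whatever the event size);
    a > 1 makes the line steeper, i.e. risk-averse towards rare severe events.
    """
    return lambda n: c / (n ** a)


def classify(scenarios: List[Scenario], tolerability: Callable[[int], float],
             de_minimis: Callable[[int], float]) -> str:
    """Place a design in one of the three regions of a Fig. 8-style FC-diagram.

    F(N) is a step function that only changes at the consequence sizes present
    in the scenario set, so checking those N values against the limits suffices.
    """
    n_values = sorted({s.fatalities for s in scenarios})
    f_of_n = fn_curve(scenarios, n_values)
    if any(f > tolerability(n) for f, n in zip(f_of_n, n_values)):
        return "intolerable"  # above the tolerability limit: no ALARP trade-off applies
    if all(f <= de_minimis(n) for f, n in zip(f_of_n, n_values)):
        return "de minimis"   # below the lower limit: no further detailed evaluation (AC2)
    return "ALARP"            # in between: ALARP must be demonstrated (AC3, AC4 or AC5)


# Constructed limits: tolerability anchored at F(1) = 1e-3 per year, de minimis two
# decades lower, both with risk-aversion exponent a = 2.
TOLERABILITY = limit_curve(1e-3, 2.0)
DE_MINIMIS = limit_curve(1e-5, 2.0)

# Constructed scenario set for a trial design.
TRIAL_DESIGN = [
    Scenario("contained room fire", 5e-4, 1),
    Scenario("compartment fire with partial evacuation failure", 2e-6, 10),
    Scenario("fire-induced structural failure", 5e-8, 100),
]

# Same design, but with a four times higher structural failure frequency.
WEAK_STRUCTURE = TRIAL_DESIGN[:2] + [Scenario("fire-induced structural failure", 2e-7, 100)]

if __name__ == "__main__":
    print("trial design:          ", classify(TRIAL_DESIGN, TOLERABILITY, DE_MINIMIS))
    print("weak structure, a = 2: ", classify(WEAK_STRUCTURE, TOLERABILITY, DE_MINIMIS))
    # With a risk-neutral limit (a = 1) the same rare, high-consequence scenario passes.
    print("weak structure, a = 1: ", classify(WEAK_STRUCTURE, limit_curve(1e-3, 1.0),
                                                limit_curve(1e-5, 1.0)))
```

The last two lines of the demonstration make the shape argument explicit: the design with the weaker structure exceeds the risk-averse (a = 2) tolerability line at N = 100 and is intolerable, yet passes a risk-neutral (a = 1) line anchored at the same point, so the exponent chosen for the FN-curve decides whether rare severe events are screened out before any ALARP evaluation begins.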

Many criticisms found in literature with respect to PRA-based designs seem to relate to a wariness with respect to e.g. the valuation of societal costs and benefits by the designer. These criticisms are effectively overcome by highlighting the duty of care of the fire safety professional and acknowledging that wilful shortcomings by the fire safety engineer ought to be addressed by the legal system and not through engineering ‘safety factors’. Throughout the paper the responsibilities of the designer have been highlighted, noting that the designer must evaluate societal costs in the ALARP assessment as a ‘diligent professional’. It is suggested that increased emphasis on designer responsibility would be beneficial for a dynamic and specialized fire safety profession, and would strengthen a self-regulating environment for Performance Based Design.

To further the application of risk and reliability methods in fire safety design, a concerted effort of the fire safety profession is required to address uncertainties and determine target safety levels. The development of a ‘probabilistic model code’ for fire safety engineering, or further development in the direction of the JCSS Probabilistic Model Code, would provide a boost to the further development of PRA applications and could improve the explicit safety foundation of fire safety designs.