The two most spectacular collapses of 2001 were the World Trade Center and Enron. Both involved people subverting the safety systems built into modern social systems to further the ambitions of the perpetrators.

Although the guilt of those perpetrators shouldn't be minimized, both events also show flaws in the regulatory structure that could be exploited to cause spectacular failures. These flaws represent regulatory system failures. I believe that some aspects of performance-based design can demonstrate the same systemic failure characteristics and that close comparison to these and similar disasters will allow us to improve the process of performance-based design and regulation.

First, it should be clear that the World Trade Center collapse represents a failure of traditional regulation. The cause of the collapse is not yet known with certainty, but it's obvious that the building could withstand the initial impact, but not the subsequent fire and related developments. It would seem that the scenario used in the design process didn't include both an impact and a subsequent fire.

An analogy might be drawn to the sinking of the Titanic. The Titanic didn't sink because of the initial impact — the opening was actually quite small — but because the only collision scenario it was designed to resist was “head-on impact.” The glancing blow, the brittle steel and the lack of horizontal compartmentation combined to create a scenario that the designers hadn't anticipated.

The safety systems also were inadequate. For example, the lifeboat system had been designed only for what fire engineers would call phased evacuation. There wasn't room for everyone in the exit system at once, so some were expected to wait while others exited. The World Trade Center failure shows a similar attention to limited scenarios. No one seems to have anticipated that impact and fire could occur sequentially, and that fireproofing might need to be impact resistant.

Should the towers have been designed to resist that scenario? That's a policy question, but what's clear is that the question may never have been asked. If that's the case, then the World Trade Center represents a regulatory system failure. Wasn't it someone's job to anticipate the risk of an impact followed by fire?

Regulators and engineers will quickly point fingers at one another. Engineers chant the Titanic defense: “We complied with all government regulations.” Regulators say the engineers never explained to them what risks were involved in the building. The critical issue for safety regulation is to differentiate between the technical ability to analyze a failure mode and the political decision to take a given risk. If that issue isn't resolved, the two parties can end up like two outfielders letting a ball drop between them, both saying “Yours!”

Dealing with this debate is critical to the discussion of performance-based codes. In traditional prescriptive codes, the legislature does not set a “level of safety” or other social goal. It lays down a set of requirements that are subject to mandatory compliance. Engineers also may have ethical or liability requirements to anticipate other hazards, but the code's requirement is simple.

Performance-based design at first offered the claim that if the legislature would set down a social safety goal, the engineers would design to meet that goal. But at the present it's difficult or impossible to link the fire risks involved in the operation of buildings to any clearly defined social goals. This is true whether we're discussing performance codes or traditional codes.

However, it isn't clear that current approaches to performance-based design would have properly responded to the World Trade Center hazard either. The key problem with performance-based design is that it has become totally focused on the limited fire scenario approach rather than an overall safety approach. The Life Safety Code is explicit:

“5.2.1 A design shall meet the objectives specified in Section 4.2 if for each design fire scenario, assumption, and design specification, the performance criteria in 5.2.2 is met.”

That's it. No overall statement that the building meets a social goal or is safe. So what happens if the actual fire doesn't match one of the scenarios? Whose job is it to ensure that buildings are built safely? This is where the Enron scandal becomes relevant. Enron had owners (the company itself), professionals (accountants) and regulators (Security and Exchange Commission). The regulators set the rules for the professionals, who are supposed to be watching the owners in the public interest. The professionals have university degrees and put initials denoting professional certification after their names.

So what went wrong? First, there's a longstanding conflict of interest in the accounting profession between auditing and consulting. In my last column, I highlighted the conflict of interest in fire engineering when the same people perform both hazard analysis and system design. Accountants have the same conflict by doing both auditing, which is equivalent to hazard analysis, and consulting, which can be compared to system design.

Accountants fended off any separation of these two functions despite the conflict of interest by explaining that they were professionals who could be trusted to protect the public interest. Since the collapse of Enron, every single one of the Big Five accounting firms has announced that it will divide these two functions into separate companies. I predict that the first disaster involving a performance-based design will lead to the same effect in fire engineering.

The second problem with Enron was the elevation of an obscure rule of thumb to a bright-line accounting standard. In the early '90s, accountants started using a 3% test for outside investment to determine when a partnership was independent. Enron seized on this test and used it in ways that had never been anticipated, turning a rule of thumb into a physical constant. The fire engineering treatment of carboxyhemoglobin has many similarities. Engineers elevate a rule of thumb to a bright-line rule, and then they develop systems that have nothing to do with the original rule of thumb.

Another similarity was the use of operational controls instead of built-in protections. Enron tried to manage its internal conflicts with a series of operational controls that were supposed to manage the daily risk. However, the control system was abandoned because it was in the hands of the very people who would profit by ignoring the controls.

In performance-based design, operational controls are proposed routinely by people who can't even get others to stop putting wooden wedges under fire doors. Who would expect a building operator to be willing or able to keep the fire load of a convention center within the 5 or 10 megawatts of the scenario fire anticipated by engineers.

Finally Enron, the World Trade Center and the Titanic shared a common legal/economic strategy known as externalizing the loss. When things are going well, the insiders get the profits; when things go bad, the public takes the loss.

The existing liability system creates no financial incentive to protect the public against injury. Engineers and owners alike have aggressively lobbied legislatures to limit their liability. Enron and its accountants can be the beneficiaries of just such legislation that passed Congress a few years ago. Alternatively, owners and operators can use corporate organizations, mortgage terms and bankruptcy legislation to externalize the risk to the public.

Modern fire engineering has enormous potential to improve fire safety in modern buildings, but it requires more than just proving that a building plan meets a specific scenario. Buildings should be certified to their overall safety. The sec requires accountants to affirm not merely the compliance with scenarios but the overall accuracy of the audit.

For example, “In our opinion, based on our audits and the reports of the other auditors, the financial statements referred to above present fairly, in all material respects, the financial position of XYZ Corp. and subsidiaries… in conformity with generally accepted accounting principles.”

Similarly, regulators might ask fire engineers to certify that “Our engineering analysis presents fairly, in all material respects, the fire safety of the XYZ Building … in conformity with generally accepted engineering principles. We certify that the building will meet the Life Safety Code Goal 4.1.1 of ‘Protection of all persons not intimate with ignition.’”

If fire engineers won't sign, perhaps regulators should ask why. Is there a problem with system failure? If engineers claim that they can't protect against every hazard, which is true, then they should be asked what hazards represent the limit of the building's capability. Regulators could then decide on a policy basis whether that risk is acceptable. If the engineer knows the building meets the criteria at a 5mw fire but fails at a 6mw fire, the regulator certainly should know that also.

The bottom line with performance-based designs is that society can make decisions on a political basis that would be unacceptable if made by engineers for society on an inadequate technical basis. The regulatory system requires both parties to do their job. It is an engineering decision to determine what risks are presented by a building and a policy decision to determine on an overall basis whether those risks are acceptable. Otherwise, the ball will get dropped between them.

---

Vincent M. Brannigan is an attorney and a member of the Maryland and District of Columbia bars. A professor in the Department of Fire Protection Engineering at the University of Maryland, he is also a lecturer at the National Fire Academy. His father, Francis Brannigan, is the author of Building Construction for the Fire Service.