A Sociotechnical Systems Framework for Performance-Based Design for Fire Safety

The fundamental construct for performance-based design for fire safety in use today has not significantly changed since the early 1990s. While the current construct has seen some success, performance-based design for fire safety is not as broadly accepted as performance-based design approaches in other building-related engineering disciplines. To advance performance-based design for fire safety, it is proposed to move towards a sociotechnical systems approach. This means changing the starting point from a focus on fire safety objectives as a unique property of buildings, infrastructure, or operations, and considering fire safety as one of several sociotechnical objectives. It also means focusing fire safety analysis and design on system attributes which can be controlled through design, and less on variables for which control is unlikely or not possible. As part of this, consideration of fire safety systems performance should be considered in terms of a ‘fail-safe’ perspective, in which there is less focus on all possible events that could occur, and more on preventing those which could result in unacceptable performance. Evaluation of building fire safety as a sociotechnical systems problem would also need to consider the interactions of all components that contribute to safety over the lifetime of the system, including in-use safety system management and system performance over time.


Terminology and Definitions
In this paper, the terms 'performance-based design for fire safety' (PBD for fire safety) and 'fire safety engineering (FSE) are largely interchangeably. The terms are used to describe the application of engineering and risk principles to the analysis and design of fire safety for the built environment to agreed goals, objectives and criteria.
There are two fundamental levels or types of fire safety systems discussed in this paper. Fire safety systems (and features) refers to individual active and passive fire safety systems typically incorporated into building design. The performance of these systems is largely considered on an individual system basis. Together, these *Correspondence should be addressed to: Brian J. Meacham, E-mail: brian@meachamassociates. com Fire Technology, 58,2022 Ó 2022 The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature Manufactured in The United States https://doi.org/10.1007/s10694-022-01219-0 systems form the 'building fire safety system,' which is a term used to reflect the complex interactions needed to deliver the target fire safety in a building.
Discussion of 'systems thinking', 'sociotechnical systems' and 'safety systems thinking' reflect a broader conceptualization of how the 'building fire safety system' interacts and works together with other building systems, users and institutions, to meet societal objectives for the use of buildings. These terms are expanded upon in the sections below.

Current Structure/Process of PBD for Fire Safety
It is suggested in the literature that PBD for fire safety emerged in the 1990s, concurrent with the introduction of functional-and performance-based building regulations in several countries and building on the foundations that emerged from the development fire safety science, risk analysis, reliability-based design, systems constructs and computation modeling from the 1950s through the 1980s [e.g., [1][2][3][4][5][6][7][8][9][10][11][12][13][14].

Challenges with Current PBD for Fire Safety Structure and Approach
Even with advancements in understanding and thinking about PBD for fire safety, the fundamental approach has not changed significantly over the past 30 years. This would not necessarily a bad thing-if the current approach is robust, one might argue few changes are needed. However, there are indications that this is not the case and that some challenges exist, even after some three decades of experience. At present, the acceptance of PBD for fire safety remains mixed in many countries [e.g., [71][72][73][74][75], there has been what some have suggested as 'backward' movement with the development of 'prescribed performance' based approaches [e.g., 71,76], and inadequate consideration of technological performance for facilitating consistent building or infrastructure fire performance throughout the artefact's life [e.g., 57,58,60,63,68].
It is suggested that there are several potential reasons why such challenges persist.

1138
Fire Technology 2022 1. Fire safety engineering, and PBD for fire safety in particular, are in the adolescent stage of development [7]. The development and internal coordination of the areas are still largely incomplete: some topics are virtually untouched, limits of effectiveness of the parts or the whole are not well understood, some applications are rather naively formulated, and some practical applications have begun to address a larger framework but not yet with the confidence or the wisdom of experience. 2. Much of performance-based design for fire safety currently focuses of safety to life of people, and control of human behavior is extremely challenging to assure a. building occupants are highly variable and dynamically contribute to the fire hazards and risk, both in the probability of fire occurrence and in the magnitude of fire consequences, and it is not clear that assurance of life safety is feasible, and b. consideration of 'acceptable' levels of risk to life is a difficult construct for many actors in the building regulatory system, but 'risk-free' environments are not possible.
3. Following on (1), even though fire is stochastic in nature, and therefore risk-informed and risk-based approaches to PBD for fire safety should be recognized Step 1: Identify site or project information Step 2: Identify fire safety goals & objectives Step 3: Identify performance criteria Step 4: Identify and select fire scenarios and design fires Step 7: Develop final design documentation Step 5: Develop candidate fire protection design options Step 6: Evaluate candidate design options and select final design A B Figure 1. Fundamental steps in the PBD for fire safety process [5].
as appropriate approaches, it can be difficult to gain acceptance of risk-informed and risk-based approaches to PBD for fire safety because a. it can be difficult to gain agreement on, and acceptance of, the fundamental premise that there is impossible to remove all risk (i.e., there is no absolute safety or 'zero risk' condition), and 4. Performance-based design for fire safety has not adequately recognized and embodied sociotechnical system (STS) constructs a. Buildings, infrastructure and many hazardous operations are complex sociotechnical systems (STS), with many complex interactions, not all of which are generally considered-or used-in fire safety analysis and mitigation, especially once the building, infrastructure or operations are in use, b. Fire is a rare event, and there are few 'immediate' indicators of poor fire performance, so fire performance is rarely tested, and feedback on performance into the system is limited and often incomplete, and c. In some parts of the world there is a lack of adequately educated and suitably qualified professionals across the spectrum, from analysis and design to approval and enforcement of designs, inadequate communication and information flows, and lack of feedback into the system on actual performance, which can all contribute to a lack of confidence in analysis and design, the proper implementation of designs, and of actual performance in use (i.e., inadequate considerations of institutions and actors in STS context).
These are all difficult challenges. The latter three are sociotechnical system challenges-none can be solved solely through technology (e.g., computational modeling tools, building fire safety systems), institutions (e.g., regulations, certification), or actors (stakeholders)-but only with an integrated sociotechnical systems approach that recognizes and accounts for challenges and opportunities associated with each component. Furthermore, it means that perhaps a different focus is needed, with a different approach to describing the fire safety objective(s), how they might be attained, and how performance might be assessed.

Sociotechnical Systems (STS) Concept
Sociotechnical systems (STS) theory and concepts emerged from the study of the roles of social and technological components within organizations and the realization that they are integrally linked [77,78]. STS have been characterized as having three levels of focus: (1) primary work systems within an organization, (2) whole of organization systems, and (3) macrosocial systems, which include systems in communities and industrial sectors, and institutions operating at the overall level of society [79]. Macrosocial systems are characterized by the interactions of technology, actors and institutions, and often require complex decision-making related to defining performance, achieving 'safe' operation and managing risk [e.g., [80][81][82][83][84][85][86][87][88][89][90][91][92][93][94]. A simple framing of STS is provided in Fig. 3.
Consider the framing of engineering systems as presented by Ottens et al. [87, pp.134-135], in which three types of engineering systems are suggested: ''(1) engineering systems that perform their function without either actors or social institutions performing a sub-function within the system [e.g. the landing gear of an airplane], (2) engineering systems in which actors perform sub-functions but social institutions play no role [e.g. an airplane] and (3) engineering systems that need both actors and some social/institutional infrastructure to be in place in order to perform their function [e.g. an airport]''. In considering the necessary relationship between technologies, actors and institutions that is needed to manage the safe transport of people via aircraft, which has at its core the complex operations of an airport, they conclude that airports and similar 'type 3' engineering systems are STS. This reflects well the macrosocial STS domain as defined by Trist [79].
These 'type 3' engineering or macrosocial systems, which rely on numerous actors and social/institutional infrastructure, have the added complexity of numerous actor involvement in decision-making and safe operation. Kroes et al. [88, p. 813] note that for example: ''At the sociotechnical level many stakeholders are involved that all have their own goals and visions, and normally none of these actors can impose their decisions on the other actors. For this reason, STSs cannot be designed, made and controlled from some central point of view, as for instance a car. Instead, the STS is continuously being redesigned by many actors from within the system''. This continuous redesign as a function of multiple actor involvement is another significant attribute of STS.
It has been argued that buildings, the building construction process, and the building regulatory processes that govern them, are all STS, as the 'system' in each case is characterized by complex interactions of technology, actors and institutions, continuous redesign facilitated by many actors from within at various stages, and for which safety and risk management concerns requires application of systems thinking [85,90,95,96]. As such, design of any building 'subsystem', including a buildings' fire safety system (the aggregate of all fire safety features), should be considered a STS design challenge. If considered as a STS design challenge, the design focus then becomes control of fire hazards and safe operation of

1142
Fire Technology 2022 the STS-which is the building, system or infrastructure-throughout its intended life. This presents a paradigm shift in thinking about PBD for fire safety.
5. Buildings, Building Regulatory Systems, and Performance-Based Design for Fire Safety as STS Buildings (complex buildings in particular) are macrosocial, or type 3 'systems of systems' that need both actors and some social/institutional infrastructure to be in place, and working integrally with technology, in order to deliver their intended performance [85,95,96]. Buildings have multiple types and levels of technology which need to work together for the building to operate, such as heating, ventilation and air-conditioning systems, fac¸ade/envelop design and construction, and sensor and control networks, or passive and active systems, sensors and controls for fire safety and occupant evacuation. These technology systems are designed to work for the users-and rely on users to maintain them. The performance of these systems is regulated by and controlled via complex regulatory and private sector institutions, from building regulation to insurance. Ultimately, all components-actors, institutions and technology-must work together holistically for the building (as a complex system-of-systems) to meet its societal and private sector objectives.
Building regulatory systems are STS since they must consider the roles that institutions, stakeholders and technology play in design, construction and operation of buildings [85,90,[95][96][97]. This includes (a) the need to establish clear societal objectives for buildings, (b) how the technologies must work at each phase, and in total, in meeting the societal objectives, and (c) how to balance the myriad stakeholder input from those involved in the building design, construction and operation phases of a building's lifespan. Failure to adequately consider any of these aspects, and their multiple components, can result in building regulatory system failure: the failure of the building regulatory system to meet societal expectations.
One example of building regulatory system failure was the 'leaky building' situation in New Zealand in the early 2000s [71,119,120], in which moisture penetrated into buildings, sometimes around window openings which had inadequate flashing, leading to mold, mildew and rot, causing damage in tens of thousands of buildings. Contributing factors included new building technologies, inexperience with the performance-based building regulatory system, lack of qualifications of practitioners, and lack of oversight in approvals. This widespread regulatory system failure resulted in billions of NZ dollars in economic impact. More recent examples include fire performance of cladding systems problems in England [e.g., 97, 99-101] and Australia [e.g., 75,117], in which shortcomings were found with testing of systems, engineering design, and regulatory oversight, and which in each case led to recommendations for significant regulatory system change.
As a more holistic means to consider buildings and infrastructure as STS, Bjelland [57,59] introduces systems thinking concepts for fire safety design in the context of tunnels and novel buildings.. Gehandler [68] takes a similar approach for the fire safety design of tunnels. Similar thinking underpins the sociotechnical building regulatory system assessment model (STBRSAM) framework [96,97], which is based on Rasmussen's Abstraction Hierarchy as applied to safety control [81][82][83][84] and Leveson's System-Theoretic Accident Model and Processes (STAMP) construct for safety control [86,93,94]. The STAMP approach is useful for failure investigation and for safety system design for complex engineering systems.
The premise behind the STBRSAM can be summarized as follows [96,97]. Building on Rasmusson's Abstraction Hierarchy and its application to risk management for complex systems [81][82][83][84], Leveson [86] argues that a safety management system has two basic hierarchical control structures-one for system development and one for system operation-with interactions between them flowing through a 'system controller'. Like the characterization by Ottens et al. [87], Leveson presents the example that an aircraft manufacturer might only have aircraft system development under its immediate control, but aircraft system safety involves both development and operational use of the aircraft, and neither can be accomplished successfully in isolation: safety must be designed into the system, and safety during operation depends partly on the original design and partly on effective control over operations (the system control, presented by interactions of regulation, air traffic control and the like).
The STAMP model applies system theory to identify where in the 'system' failures can occur, since ''accidents occur when external disturbances, component failures, or dysfunctional interactions among system components are not adequately handled by the control system, that is, they result from inadequate control or enforcement of safety-related constraints on the development, design, and operation of the system'' [86]. In this paradigm, safety can be viewed as a control problem, and safety is managed by a control structure embedded in an adaptive sociotechnical system, the goal of which is to enforce constraints on system development (including both the development process itself and the resulting system design) and on system operation that result in safe behavior. In this conception, understanding why an accident occurred requires determining why the control structure was ineffective, and preventing future accidents requires designing a control structure that will enforce the necessary constraints.
The STBRSAM applies thee concepts to the 'building regulatory system,' outlining the regulatory, management, control structures and feedback loops necessary for an effective building regulatory system [96,97]. The 'control system' component is reflected in Fig. 4.
In Fig. 4, the 'system development institutions' and 'system operation institutions' reflect the legislation, regulations, standards and such which govern building design and operation; the technological components of the STS are the building and its fire safety systems; and the building fire safety system is controlled via the interactions of actors and systems within the 'system control' framing. Proper communication and feedback are essential to proper operation of the system.
A main outcome of STS for building regulatory systems is that well-performing buildings depend on far more than just building regulations, which direct many of the design requirements (system development institutions), and the fire and occupational health and safety regulations that address building safety in use (system

1144
Fire Technology 2022 operation institutions). There is a strong dependency on extra-regulatory (system control) interactions between: the design, including required functionality of critical systems and the documents which define these requirements; requirements around safety in use, including evacuation and related operational requirements, inspection, test and maintenance (ITM) testing, and related assurances of critical systems performance; and the actors in the systems (e.g., designers, engineers, technicians, building owner/manager, tenants). The system also learns from system failures by having loss experience introduced into decision-making, policies and procedures for buildings and the building regulatory system. In this way, one can say that tolerable safety (risk) performance expectations for buildings derive from experience of buildings in use, over time, as subjected to different stressors, such as fire or other hazard events. The building regulatory system thus reflects the need to focus on STS interactions between institutions, actors and technologies to define (describe, reflect) acceptable/tolerable building performance, and acceptable/tolerable building fire safety performance.
Likewise, the PBD for fire safety process requires the interactions of actors, institutions and technologies to develop and deliver well-performing buildings. How fire safety engineers undertake designs, following which institutional norms (standards, regulations), using what technologies for analysis (e.g., computational modeling), specifying which technologies as safety barriers (e.g., compartmenta-  tion, sprinklers, smoke and heat venting), and with what expectations (i.e., use, operation and maintenance of building to continually achieve safety performance expectations), should be reflective of a STS design process. Fire safety engineers need to recognize that buildings can be regarded as complex systems of systems, which must work integrally and holistically to meet societal expectations for building fire performance, but not just during design and construction, but throughout the buildings' lifetime as well. Gaps in any area of the STS can lead to failures in achieving performance expectations.
6. Evaluating Performance-Based Design for Fire Safety Through a STS Lens

Sociotechnical Systems Principles
From the premise that PDB for fire safety should reflect a STS design process, one can look to core concepts of STS design to understand perhaps why further advancement or acceptance of PBD for fire safety has not been realized, and how one might facilitate change. Starting with representative STS design principles from Cherns [77] (in italics), and applying them to PBD for fire safety, some key issues emerge.
The process of design must be compatible with its objectives. Performance-based design for fire safety is an objective-driven activity, the aim of which is to design buildings that perform well during fire events, taking into account people and technology interactions. The PBD for fire safety process should therefore be structured around the ability to demonstrate achievement of objectives considering STS interactions. In principle, this is the current process, but in practice, it seems to fall well short in many applications [e.g., 57-59, 63, 71, 72]. One aspect that seems to warrant reconsideration is the extent to which people directly are considered as a target of PBD for fire safety, as compared with the target being the building, including the design of systems to limit fire (which in turn impact life safety), as the focus. That is, if building fire performance is the societal objective, this means that fire safety design objectives and criteria should be expressed in terms of building performance in case of fire. It also means that analysis of the fire performance of building should be focused on achieving the building performance expectations (with impacts on life safety being an attribute of building performance). No more should be specified than is absolutely essential, but the essential must be specified. This is an aim of performance-based design in general-focus on functional requirements, performance objectives and performance criteria, and not on specifications-but it also reflects one of the major challenges with performance-based design for fire safety-how to assess tolerable (acceptable) performance under continually changing conditions. It is not apparent that we have yet clearly identified what is absolutely essential and how to reflect this in a way that can be analyzed, designed and suitably assessed. Also, establishing objectives is not for the FSE alone-in must be undertaken in a STS interactions

1146
Fire Technology 2022 environment. As noted above, this might manifest as a refocus on building system performance. Furthermore, focusing on the 'absolutely essential' may mean a shift in thinking about fire scenarios from a focus on 'subsystem' verification to overall systems performance. For groups to be flexible and able to respond to change, they need a variety of skills. These will be more than their day-to-day activities require. This is a critical area that remains far from the level that is necessary for a well-functioning PBD for fire safety system approach. This applies to all actors in all sectors of the building fire performance arena: fire safety engineers, technicians, building officials, fire officials, insurers, and more who are directly working with fire performance aspects, but also those working within the broader sociotechnical building regulatory system. Even if a particular job function does not utilize education and training associated with performance analysis or design every day, a robust understanding of the concepts, and of how the performance system works, is required for actors to work effectively in a performance system. Appropriate education and training have been identified as a need for some 30 years [e.g., 5,9,30], and yet remains unfulfilled [e.g., [71][72][73][74][75]98]. Information must go, in the first instance, to the place where it is needed for action. In hazardous process industries, Rasmusson and Svendung [84] and Leveson [86,93,94] provide several examples where lack of good information flow and feedback were significant contributors to major losses. Inadequate information flow has been a challenge throughout the history of PBD for fire safety as well. Challenges exist within the design team, in particular when fire safety engineers are engaged at the end of the process, and without full information. This translates into a lack of consideration of key issues, and subsequent communication of limitations to the end user. Following from these information gaps, there are concerns that the ultimate building owner, managers and tenants do not get the PBD documentation and critical information aimed at assuring the target performance in maintained. This 'golden thread' of information, or lack thereof, was identified as a major concern coming out of early Grenfell Tower reviews [e.g., [99][100][101]. Proper and adequate information flow is essential. Ignoring this, or not addressing it comprehensively, can leave significant gaps in understanding needed for the PBD to work as intended.
Boundaries should facilitate the sharing of knowledge and experience. They should occur where there is a natural discontinuity-time, technology change, etc.-in the work process. Boundaries occur where work activities pass from one group to another, and a new set of activities or skills is required. All groups should learn from each other despite the existence of the boundary. This principle is closely tied to the above two. Boundaries exist each time information relevant to a PBD for fire safety is transmitted through the system, e.g., standards to regulation, client to architect, architect to engineer, engineer to technicians and manufacturers, manufacturers to contractors, contractors to owners/managers, owners/managers to clients. These boundaries are attributes of the system. However, these boundaries should be opportunities for teaching and sharing knowledge and experience-so as to help broadening and deepening of skills needed to work effectively in a PBD system-and to facilitate proper and appropriate flow of information.
Systems of social support must be designed to reinforce the desired social behavior. In the PBD for fire safety realm, this relates to (1) assumptions engineers make about human behavior and actions, and (2) to social behavior in terms of professionals. Poor assumptions about social behavior of occupants during normal and emergency use of buildings can have a negative impact on fire safety systems design. Systems must be designed to influence the desired behaviors. Likewise, market behavior influences the comprehensiveness of analysis and design. Social constructs in which market behavior forces a 'race to the bottom' works against PBD for fire safety-and confidence in resulting designs. There is a critical need for high levels of competency, ethics and professionalism to responsibly and comprehensively undertake performance-based design for fire safety. Underpinning this is the need for appropriate education across all actors in the systems-not just FSEs-but building and fire officials, manufacturers, and others involved in the process. The recognition that design is an iterative process. Design never stops. New demands and conditions in the work environment mean that continual rethinking of structures and objectives is required. This is a significant opportunity and challenge for PBD for fire safety. First, it can be argued that the structure of PBD for fire has not changes, and in doing so, has ignored consideration of changing societal expectations, institutional constraints, and technological evolution. Second, while building design often iterates during the design phase, input from the user perspective can get omitted from last-minute iterations, thus missing important STS considerations and interactions. Furthermore, even though iteration is built into the current PBD for fire safety approach, there are concerns that some practitioners are shortcutting the iterative process, whether that is scenario development and analysis, trial design development and evaluation, or expected use of the building once occupied.
Bjelland [57,59] and Gehandler [13,68] have identified many of the issues outlined above and have suggested that PBD for fire safety be viewed as an iterative problem-solving process between the designers and the stakeholders, the overall aim of which starts with an objective of an inherently safer (cannot fail) and fail safe (forgiving to errors) design of the building fire safety system. The framing should be that of a STS, where solutions consider technology as well as users, operators and institutional elements, with the aim to keep the system within safe limits, given the variability in human behavior. Deliberation should Include any objectives the stakeholders value, be they technical, social, ethical, political or societal, with decisions made through the application of appropriate decision theory to structure and decompose the decision into manageable parts.

Safety Systems Thinking
Furthering the application of systems thinking for PBD for fire safety, many insights can be gained from the system safety perspective, especially those of Leve-

1148
Fire Technology 2022 son, who outlines a systems approach to engineering safety [93,94], and lays out definitions and principles of what she refers to as Safety-III, the third phase of evolution of systems safety, [94,  Each of these areas where Leveson suggests that additional focus is needed are applicable to the evolution of PBD for fire safety as well, especially in consideration of PBD of buildings and other systems as STS.
Another perspective on systems thinking, that is also pertinent for PBD for fire safety, is that of Checkland, in particular the soft systems methodology (SSM) [91,92]. SMM was developed as a result of perceived shortcomings in early systems thinking, which focused on systems as individual representations of a particular worldview, and arguably had shortcomings in being able to address complexity associated with different worldviews and changing conditions over time. The introduction of the notion of 'worldview,' which was considered essential in dealing with human social complexity, resulted in a change in thinking of systems models not as descriptions of something in the real world, but simply as devices (based on worldview) to organize a debate about 'change to bring about improvement' [91, p. 196]. A critical component of SSM is the acceptance that complexity requires adaptation, and adaptation comes often from emergent properties of the system, which may be unknown at the outset of system planning or design. Acceptance of the concepts of complexity, adaptation and emergent properties are important to the STS formulation of buildings and infrastructure as STS, and of how PBD for fire safety needs to operate in such systems, especially in decision-making about system objectives.
In PBD for fire safety, it is already a part of the approach that the measure of successful performance should be a result of stakeholder deliberation and agreement. However, that still does not occur to the extent it should, and key stake-holders (actors and institutions) can be left out of the decision-making process. It is also that case that fire safe operation of buildings focuses on reducing hazards and should learn from audits of how 'the system' is performing, but the latter seems to be missing in many instances. As is argued here, to develop robust PBD for fire safety, the entirety of building as a STS must be considered, and design for fire integrated into the overall building performance objectives. While it is possible to design building fire safety to allow for human flexibility in managing fire events, that is often not feasible, given the lack of focus on education and training, in particular responses to emerging situations (as compared with predetermined scenarios). Finally, while building fire safety design could be focused more on a 'fail-safe' approach, that is often not the case. Rather, emphasis is often placed on engineering out robustness and redundancy (so called 'value engineering'), which if in place could be helpful if primary system components or subsystems fail. All of these factors should be reconsidered in the PBD for fire safety construct.
In the system safety construct, one could argue that the analysis and design is less about the scenarios that could occur, and more about the ones that could lead to system failure, and then to design 'fail-safe' systems. This would deviate from current PBD for fire safety practice in considering all possible fire scenarios, and reducing them to likely scenarios through probabilistic analysis, and instead focusing on scenarios or conditions that could lead to failure of the fire safety system, regardless of probability, and designing for prevention of failure, taking into account other stakeholder objectives (such as cost, operability, and so forth). In the broader STS context, the 'system' for which fail-safe status is sought is the building as a STS, not specific fire safety subsystems (e.g., suppression systems), which need to deliver on their performance objectives as part of the whole.
A change to include more of a systems safety approach would not mean the quantitative or probabilistic risk analysis for fire would go away; rather, its use would be more for informing decisions, which have other considerations as well (in the sociotechnical system), as compared with producing a risk estimate that would be the sole determinant in a decision. This is the foundation for the U.S. Nuclear Regulatory Commission's (USNRC) 'risk-informed performance-based' regulatory and design approach [102], which was brought into some design standards for fire safety [e.g., 103], and has been suggested as being more widely applicable for fire safety regulation and design for some time.
To bring everything together, one can again look to Checkland [92], who outlines four concepts that help to define, minimally, the concept system (pp. 446-447): 1. A system will, in principle, be part of a 'layered structure' making a hierarchy of systems. 2. To achieve adaptation to change, there will have to be 'processes of communication'. 3. If action to adapt is to be taken, the system will have to have available a number of possible control processes (responses to the shocks from the environment 1150 Fire Technology 2022 and internal failure), which can be appropriately activated to bring about change. 4. There will be definable 'emergent properties' that characterize the particular system or systems of interest, this being the pre-eminent systems idea.
The first three concepts are completely consistent with Leveson, including subsystems, controller and communication feedback loop, and arguably the emergent properties are built into Leveson's control system, albeit not defined as such. For PBD for fire safety, consideration of the emergent aspects of the design process is important as system objectives are developed during the iterative design process.

Impacts of Rapid Technological Change and Market Lag
Lastly, another attribute of STS that is important to consider is the rate at which technology advancements are understood and applied, and knowledge is gained and applied, within different elements of STS systems. Rasmussen and Svedung [84] observe that if the pace of change of technology is much faster than the pace of change within legislation, regulation and management structure, that the potential for system failure exists. In many respects, performance-based building regulation, and PBD for fire safety, is a response to the challenge of the time lag associated with updating building regulations and standards during periods of rapid changes.
In the 1980s and 1990s, technology and innovation was outpacing the ability for approval and adoption for use into prescriptive building regulation, and performance-based design was seen as a mechanism to demonstrate that the new technology and innovation could be used without negatively impacting building fire safety [6]. Emerging tools and methods used by FSEs, such as computational modeling, was not familiar to enforcement officials. Many lacked the education or training to understand well how they worked (as that was not needed before), the process that FSEs were following (i.e., PBD and FSE frameworks) were largely 'high-level' processes and lacked details (such as specific scenarios, design fires, or performance criteria to consider), and their ability to confidently verify compliance (or performance) was limited. This created a disparity between engineers excited about new technologies and opportunities and enforcement officials concerned with the ability to assure designs would perform as stated. Perhaps more than any other sociotechnical issue, this mismatched set of expectations, amongst integrally linked actors and institutions in the system, as related to the technology being used, resulted in a lack of confidence by authorities of the new PBD approach.
Such challenges with the rapid introduction of technology resulted in the formulation of the so-called 'hype cycle' [104,105], illustrated in Fig. 5 [105], which was developed to represent the maturity, adoption, and social application of specific technologies.
Although developed with a focus on high-tech developments, and criticisms of the veracity of the hype cycle for product development exist (e.g., it is not actually a cycle) [106], it provides a useful graphical / thought structure with which to look at the evolution of PBD for fire safety.
''Technology triggers-the development of computational models to explore fire effects in compartments, the response of structural elements to fire, and movement of people, as accelerated by the widespread availability of the personal computer (1980-1990s). The availability of ready access to fire safety science and engineering knowledge through the first edition (1983) of the SFPE Handbook of Fire Protection Engineering played a major role as well. The introduction of functional-and performance-based building codes was an enabler. So too were analogies drawn from structural engineering, such as the formulation of the concept that available safe egress time (ASET)-required safe egress time (RSET) must be greater than zero, with some margin of safety. Such developments provided inspiration to 'engineer' fire safety in a way that had not been done to a large extent previously. Peak of inflated expectations-arguably the 'peak' occurred in the 1990s-2005 timeframe, as the introduction of performance-based codes in several countries took place, and several PBD for fire safety concepts and frameworks were introduced and advanced. Some of the excitement about PBD for fire safety was facilitated by development of PBD concepts in related areas, such as seismic engineering, and the rapid development of lower-cost, higher-power computers, the explosive availability of information through the internet, and the sense that perhaps the discipline of fire safety engineering was maturing [7]. Trough of disillusionment-it is suggested that the fall began sometime after 2005, perhaps bottoming-out around the 2010-2012 timeframe. During this period, PBD for fire safety was highly scrutinized by building and fire enforcement officials, in particular, in part because the 'process-oriented' frameworks lack sufficient detail for critical components (e.g., scenarios, design fires, performance criteria, modeling parameters) to result in consistency in application of PBD for fire safety approaches and the verification of post-design fire performance of

1152
Fire Technology 2022 buildings. This led to uncertainty in approvals, which led to additional time and cost of projects, which diminished its attractiveness to the market (e.g., developers). While advancements in thinking and approaches to PBD for fire safety were made [e.g., [54][55][56][57][58][59][60][61][62][63][64][65][66][67][68][69][70], as well as early thinking about better fire technology integration in buildings, including integration with sensors [e.g., 107,108], there were few gains in terms of either raising the level of confidence by authorities and the market, or in developing truly innovative solutions. In this way, the lack of due consideration of institutional, stakeholder and technology concerns effectively stagnated the advancement of PBD approaches and their acceptability, resulting in 'prescribed-performance' verification methods and 'traditional' design solutions. Slope of enlightenment-the current state of practice in 2021 is arguably advancement up the slope of enlightenment. This is surmised considering recent contributions regarding systems thinking [e.g., 57,58], risk-informed approaches [e.g., 54, 55, 58, 63, 65-67, 69, 70], and the need to make better use of building technologies as part of both designing and maintaining expected building fire performance [e.g., [108][109][110][111][112][113][114]. While one hopes that PBD for fire safety reaches the plateau of productivity within the decade, that remains to be seen.
As evaluated through a STS lens, PBD for fire safety has neither evolved as anticipated nor gained the broad acceptance as was expected since its introduction in the 1990s. This is not a failure of the core concepts, per se, but more so a function of the failure to consider STS attributes that are critical to the application and acceptance of new technologies within a sociotechnical building regulatory system, within which PBD for fire safety aims to design safety systems to mitigate fire hazards in buildings, infrastructures and operations to an acceptable or tolerable level.

Advancing PBD for Fire Safety by Incorporating STS Concepts
Evaluating PBD for fire safety through a STS lens has illustrated why perhaps PBD for fire safety has not yet reached its full potential, regardless of having been accepted in concept for some 30 years. Key requirements for fire safety of buildings and other systems as sociotechnical systems have not been addressed, and institutional and market lag associated with uptake of new approaches has played a role as well. However, in the coming decades, it can be expected that more technological advances will occur within the realms of fire safety performance buildings, systems and infrastructures, and that a STS framing for PBD for fire safety can both advance the use of PBD concepts and the use of innovative technology to achieve fire safety of STSs. The following steps are proposed to help facilitate this advancement.

Steps Toward a STS Approach for PBD for Fire Safety
Step 1-Recognition and acceptance of PBD for fire safety as a STS challenge PBD for fire safety cannot be undertaken in a vacuum. First, it must be accepted that buildings and infrastructure, and building regulatory systems, can be viewed as STS, and that there are institutional, technological, economic and human factors which must be considered in designing for safety from fire in these systems. A potentially helpful framing is to consider the whole of the building fire safety approach (i.e., active and passive system design, ITM, safety management, etc.) as being the 'system control' that must work holistically and integrally to result in building fire safety. The development of the fire safety 'system controller' for the building or infrastructure is the aim of PBD for fire safety. To move in this direction, not only will more systems safety thinking be required, but better consideration of STS attributes will be required, including: developing process guidance that better addresses institutional concerns, particularly those from the building and fire authorities, with respect to how data and technology are used in the analysis and design process, reconsidering and potentially restructuring the fire safety objectives for design, reconsidering the role of risk and uncertainty in the process, and how best to address these constructs, more explicit consideration of how building fire safety technology performance will be used and assured throughout the lifetime of the building or infrastructure, to assure that building fire safety performance objectives will be met.
Getting agreement of stakeholders within the process remains a key component, and more engagement in the broader environment is critical. Embracing the iterative nature of STS design is important, and there can be no shortcutting of deliberation with stakeholders on appropriate means of analysis and on the range of potential design options. Figuring out, and focusing on that which is essential, will be vital.
Step 2-Revisit design goals and objectives-start by asking if we are solving the right problem-and focus on the building as a STS Buildings are sociotechnical systems, in which people and buildings interact. The focus needs to be on those interactions, with a focus on what PBD for fire safety can control for. While human behavior must be considered, it cannot necessarily be controlled. Implementing building technology, which helps identify and control fire hazards, that in turn limits occupant risk, is within the realm of the FSE. Earlier in the paper a representative objective was stated as 'the building and fire safety systems shall be designed to prevent the exposure of those occupants not intimate with first materials burning to untenable conditions during the time required for them to reach a place of safety outside of the building.' Stating an objective in this manner should be reconsidered. For example, is it possible to 'prevent' exposure, or should the objective be to 'limit' exposure, or perhaps to 'limit the spread of fire effluents from entering protected exit components'? Can the 'time required' to reach a place of safety be accurately estimated, given the variability in population and

1154
Fire Technology 2022 unknowns that may exist at the time of an actual fire, or should some time limits be developed for different building uses and occupant characteristics? This is not to say that the ASET and RSET comparison is not a viable method of evaluation, but that if used, the uncertainties need to be clearly addressed, and in the STS thinking for design, a 'fail safe' design option should be the aim. (From a system safety perspective, if you adequately control the hazard, you control the loss potential.) The area in which the FSE has most control is in managing the creation and extent of the hazard, followed by implementing technologies to help guide escaping occupants. FSE has no real control over occupant behavior. If certain behaviors are assumed, requirements for educating and training occupants to facilitate expected responses should be part of designs. Finally, for what targets in a building is society most concerned, and how are they being addressed? If vulnerable populations are a major concern of society, objectives should be recast or reprioritized to provide appropriate focus (e.g., redefining an intolerable hazard), for which building fire safety features can be designed to address. Overall, this requires reconsideration of: what are the goals of the system for which fire safety needs must be addressed, what are the fire safety objectives within the system and how should they be defined, and how can fire safety be built into the system to achieve the goals and objectives.
Step 3-Consider the appropriate balance of risk and safety as bases of performance objectives, criteria and performance evaluation This is a critical area, and perhaps the one in which least socio-institutional acceptance has been achieved over the past 30 years. Fire is a stochastic event. Human behavior and reaction to fire and other hazard events is highly uncertain but may be characterized probabilistically, within clear boundaries. Reliability of fire safety systems is not 100%. The framing of PBD for fire safety as strictly a deterministic problem, based on a very small number of nonrepresentative scenarios and limited size design fires, is inappropriate and contributes to challenges in obtaining agreement on design verification. However, a push for quantitative risk assessment methods, when there is a lack of data, and lack of understanding of the concepts, is inappropriate as well. A risk-informed framing can provide opportunities to overcome these challenges.
At present, because statistical data are often lacking for quantitative fire risk and reliability analyses, it can be difficult for some authorities to accept risk-based fire engineering design. However, if a broader analytic-deliberative approach is taken to characterizing fire risk, it is possible to obtain agreement on acceptable means to estimate and incorporate risk data into fire safety decisions. For system safety, Leveson [94] suggests that there is a need to ''create new holistic hazard/risk modeling and analysis techniques that include all facets of the sociotechnical system and how they can operate together to prevent losses. These tools should assist in making difficult conflicts and tradeoffs. Create tools to provide qualitative safety design information to engineers and decision makers.'' For PBD for fire safety, this means careful thinking about which aspects of the building of infrastructure fire safety system design problem can benefit from risk analysis for the benefit of informing decisions. However, more than just new tools are needed, it is also necessary to address the general lack of knowledge and experience in probability, statistics, risk, and risk-informed design for fire, both by FSEs and authorities. If one looks to other disciplines, such as reliability-based structural engineering, in general, or performance-based design for earthquake or wind loads in particular, the risk underpins many of the design approaches in use and are accepted by building authorities. This did not happen overnight, but is an outcome of years of research, development of codes of practice and standards, and of education. The discipline of FSE, and approaches to PBD for fire safety, have been slow to incorporate risk characterization and risk-informed design concepts, and slow to educate and prepare institutions and the market for risk-informed design. A significant step came with the publication of ISO 23932 in 2018 [41], in which it is recognized and stated that all FSE analyses, including PBD for fire safety analyses, are risk analyses-the issue is simply who identifies the tolerable risk and how (e.g., as embodied in prescriptive requirements or some form of design criteria). In this regard, one approach to advance PBD for fire safety is to think about how risk might be used as a basis for establishing desired/tolerable levels of safety performance. This is not a new insight [e.g., 55,58,67,95,115], but in the STS framing, it becomes a critical need.
Step 4-Revisit scenario construction and application within a STS context This might require the biggest shift in thinking about PBD for fire safety as compared with current practice. The current approach is largely to consider all possible fire scenarios that could occur, and through scenario reduction techniques, group them into representative design fire scenarios. It is often suggested that risk analysis techniques can be helpful in this process. In deterministic analyses, the approach may be shortcut to simply picking a few (or in some cases, a single) design fire. In either approach, the resulting design fires are ultimately used to 'test' the proposed fire safety system design. A long-standing concern with the 'common' deterministic approach is that there is often not a robust approach to identifying 'the' design fire (sometimes just a single fire), and thus it may not be representative. For probabilistic approaches, the concern is that key data are often missing, such as fire ignition frequencies, for estimation of probability of scenario occurrence. In either approach, it is typically unknown what the actual fuels and ventilation parameters will be at the actual instance of a future fire event, what the state of proposed fire safety systems will be at this time, and whether other system parameters will be as assumed (e.g., occupant characteristics). These approaches, which focus on picking scenarios/fires that may occur, and then testing potential mitigation for their efficacy in controlling the event, depend significantly on the adequacy of the scenarios and resulting design fire representations. Arguably, the risk analysis approach should result in more representative scenario and design fire selection; however, the unknowns can be significant, and uncertainty may not be treated adequately.
In system safety thinking, the consideration is more on how the system can be engineered to prevent unwanted scenarios (accidents, losses) from occurring, as compared with identifying the scenarios. In the case of PBD for fire safety, the system is the building or infrastructure of interest. Since buildings and infrastruc-

1156
Fire Technology 2022 ture are STSs, a systems approach would consider how the whole of the STS can help in preventing unwanted scenarios from occurring, and likewise, should consider the whole of the system design for fire safety. In this case, the focus shifts from considering all scenarios that could occur, to focusing on those which could cause significant disruption of the STS and designing to prevent it (or at least lower the probability of occurrence). A possible approach is considering fire scenarios as ''learning tools'' more so than ''verification tools''. That is, the purpose of fire scenarios is to gain insight about how the system performs under different loads, rather than assuming the scenario (and load) will be the 'right one' for the building or infrastructure. In such a construct, some learning may be relevant for design of the building, some for the design of the safety organization, while other learning is relevant for the emergency responders.
Step 5-Embrace innovative and emerging fire safety technologies in performancebased analysis and performance-based design for fire safety-in an appropriate and robust manner Over the past 30 years, numerous advancements have been made in the area of 'smart building' technologies (sensors, controls, algorithms) for energy performance, with research needs continuing to be advanced [e.g., 116]. Arguably, fire safety systems in buildings have been slow to embrace similar opportunities. As noted previously, the integration of sensors, fire safety technology, and computation modeling has been explored to forecast fire development in buildings [107,108] but not advanced. New efforts are underway in this area [109], but it will likely be several years before mainstream technologies are available.
Similarly, concepts such as occupant self-evacuation elevators were explored and promoted following the 2001 attack on the World Trade Center towers in New York City, but it took several years for many building regulations to recognize such systems and they are still not widely used, with researchers noting that there is still a reluctance to incorporate such systems into building fire safety designs [e.g., 110]. There are several reasons for this, including incomplete understanding of human evacuation decision behavior and institutional concerns, clear STS components. Likewise, dynamic evacuation signage, in which exit signs are connected to intelligence about location of a fire in a building and directionality is dynamically indicated has been researched and is available [e.g., 111,112], but remains largely still a research issue, as the technology is not yet readily accepted in some building regulatory systems. Recently, it has been hypothesized that an intelligent adoption of autonomous structural components (ASCs) can institute a platform to enable resilient performance in critical infrastructures, such as buildings, that allows self-deployment mechanism when triggered by external actions [e.g., 113,114].
Gaining acceptance of new technologies in building fire safety is a STS challenge. Like PBD for fire safety, a convergence of technology acceptance, institutional acceptance, and stakeholder acceptance is needed. In this regard, performance-based design for fire safety as a STS system can, and arguably should, be a facilitator in bringing the realms into convergence as part of building fire safety design, in promoting innovation in design remains an objective.
Step 6-Place equal emphasis on assuring continued delivery of performance in use as on design In general, performance-based design of buildings should be usercentered. Unfortunately, the current paradigm is largely regulatory compliance. Performance-based design for fire safety should explicitly consider and address how buildings will be used throughout their normal life-not just in emergencies-and assure that the fire safety systems will be ready when needed. Alvarez [83,88] refers to this as designing for the chronic use and not just the acute. To do this effectively, FSEs need to consider those attributes of normal building use that can render ineffective the fire safety systems and features that may only be used on occasion. A classic example is the use by building occupants of doorhold-open devices to effectively negate smoke (and sometimes fire) doors to ease normal building flow. Blocking exit doors, which are rarely used in some building occupancy types, is another example. There are many more.
It is not appropriate for FSEs undertaking PBD for fire safety to say, 'fire safety management is the owner's responsibility and not mine'. In a STS, it is joint responsibility. It cannot and should not be assumed that the owner/manager/tenant will know what is critical for fire safety performance if not adequately informed. Likewise, it cannot be assumed that systems will adequately be maintained without appropriate information, or that proper evacuation training will occur without specific guidance. Significant loss of life and damage to property can result from poor or inadequate information flow. One can look to the 2017 Grenfell Tower fire disaster to see the impact of poor information flow to end users [e.g., 96,97,[99][100][101]. Design guidance and/or engineers that consider operations and maintenance manuals, or adequate description of critical systems, features and assumptions that may impact building fire performance, are doing a disservice to their clients and to the aims of performance-based design for fire safety. As we see post-occupancy changes to buildings, some of which may be extra-regulatory, such as energy performance retrofits, it is important to consider fire safety impacts. Such potential changes should be considered in the PBD for fire safety process, as it is a critical component of buildings as STS.
Step 7-Recognize and address the risks within the system associated with inadequately prepared, unqualified and/or noncompetent actors In the current paradigm, it is presumed that only suitably educated, competent, and qualified fire safety engineers will undertake PBD for fire safety; however, it has been identified that this is not always the case, and that as a result, the reputation of, and confidence in, FSEs and PBD for fire safety has suffered [e.g., 71,72,74,75,99,117]. While this is a significant concern, the magnitude of the concern increases when one expands the scope to PBD for fire safety design of buildings and infrastructure as STS. Within the broader STS realm, numerous other actors also play significant roles in achieving well-performing buildings and infrastructure, and if there are failures by other actors as well, this too can influence fire safety performance. Examples of system failures, involving many actors with some responsibility for design and delivery of appropriately fire safe buildings, include the 2017 Grenfell Tower fire in London [e.g., 99-101] and the 2014 Lacrosse Building fire in Melbourne, Australia [117].

1158
Fire Technology 2022 In both situations, incomplete/incorrect interpretation of regulations, incomplete specification of product, incomplete understanding of fire performance in the intended use, and incomplete knowledge and training associated with fire-safe building use, contributed to significant fire events. The failures were evidenced across numerous actors involved in the assessment, design, construction and approval/verification process, as well as by occupants of the building. By failing to consider these buildings as STSs, and the associated interrelationships and requirements of all actors to appropriately fulfill their roles in achieving a safe building, gaps emerged that ultimately resulted in failures of expected building fire safety performance. While it is not within the realm of fire safety engineering to control all other actors and aspects of the design, construction and use stages, one can argue that fire safety engineers should consider implications of failure by these actors, and other aspects of buildings or infrastructures as STSs, in the fire safety strategy and PBD for fire safety processes. This would contribute significantly to the system safety concepts overviewed above.
Step 8-Broaden participation of institutions and actors in establishing-and achieving-building fire safety performance goals At a regulatory level, and often at the design level as well, decisions regarding building or infrastructure performance are made within 'silos' by a wide range of subject matter experts, often without comprehensive consideration of the performance of the integrated system as a whole (the building or infrastructure as a STS). While this is arguably done to take advantage of subject matter expertise, the lack of holistic consideration of how performance goals should be described, defined, quantified (where possible), evaluated, and assured, can result in unintended consequences. Examples include: energy performance of buildings requirements for increased thermal insulation, which could result in the use of insulation materials with poor fire performance; desire for lightweight timber systems as sustainable materials, which are highly combustible and can contribute significantly to fire if not adequately protected; and, use of lightweight high-strength concrete, which can result in small structural members and less massive structural systems, but which can fail more significantly in fire due to spalling if not appropriately addressed by noncombustible fiber additives or other mitigation measures [e.g., 118].

Towards a STS Framework for PBD for Fire Safety
If one considers the above eight steps, the first six can be used to envision a new framework for PBD for fire safety (Fig. 6). This approach is predicated on: accepting buildings and infrastructure are STS, that doing so requires broader stakeholder participation (step 8), and that risks associated with inadequately prepared, unqualified and/or noncompetent actors must be considered.

Summary
Performance-based design for fire safety has been applied for some thirty years. During this time, the approach has not changed significantly, and its acceptance remains low in many parts of the world. It is suggested that this is a result of a failure to recognize that PBD for fire safety is applied within a complex sociotechnical systems environment, and therefore needs to account for sociotechnical system interactions and attributes to evolve to a place of greater acceptance and confidence in use.
To advance PBD for fire safety, it is proposed to morph the current PBD approach into one in which the objective of analysis-buildings, infrastructure, operations-are sociotechnical systems, and that the PBD for fire safety framework must appropriately consider and take advantage of sociotechnical interactions. This means changing the starting point from a focus on fire safety objectives as a unique property of buildings, infrastructure, or operations, and considering fire safety as one of several sociotechnical objectives. It also means focusing fire safety analysis and design on system attributes which can be controlled through design, and less on variables for which control is unlikely or not possible. As part of this, consideration of fire safety systems performance should be considered in terms of a 'fail-safe' perspective, in which there is less focus on all possible events that could occur, and more on preventing those which could result in unacceptable performance. Evaluation of building fire safety as a sociotechnical systems problem would also need to consider the interactions of all Step 1: Identify STS of focus and key STS interactions Step 2: Identify responsible actors, STS goals & objectives, and safety systems performance objectives Step 3: Agree approach to tolerable risk/safety performance, how measured, how controlled Step 4: Identify and select fire scenarios and design fires Step 7: Develop final design and STS operations documentation, that requires feedback and control through STS expected lifetime, to deliver on STS and fire safety system objectives Step 5: Develop candidate STS options to achieve safety objectives Step 6: Evaluate STS, including control functions, for achieving lifetime STS objectives for fire safety Key actors and institutions for defining overall goals for STS; key actors and institutions for defining and assuring tolerable safety; defining fire safety system objectives Building, infrastructure or operation; technology, institution & actor interactions Agree how to use risk to set safety targets, performance metrics, required STS functionality for fire safety, and control system components Conduct risk analysis in regard to identifying scenarios and fires to test safety system performance; identify analysis method(s) Identify range of STS components that can be used for fire safety, their interactions, and control system components and requirements Evaluate not only STS fire safety system functions at design delivery, but throughout STS life and expected impacts from use Documentation of design must include requirements, information flows / feedback, and accountability structures that identify required operational safety management, system functionality, training, education, risk management needed to continuously achieve objectives Figure 6. A STS Framework for PBD for fire safety ( Source Author).

1160
Fire Technology 2022 components that contribute to safety over the lifetime of the system, including inuse safety system management and system performance over time.
Ultimately, while many aspects of fire safety analysis and design as undertaken today may not change, by considering better the STS environment within which analysis and design are undertaken, the interconnections between sociotechnical system component interactions, the components of system safety that can be designed for, and the aim for lifetime performance assurance, can result in more robust, accepted, and better performance fire safety system designs.