Skip to main content

Road tunnel fire safety and risk: a review


A review concerning road tunnel fire safety and risk is presented. In particular different perspectives and methods on safety and risk are discussed. Road tunnel fire safety usually involves high uncertainty and high-stakes decisions. Thus, a wider group of stakeholders and different types of knowledge should be included in the fire safety analysis and evaluation, than what is required by technical risk analyses. It is argued that the decision process should not be separated from the design and safety evaluation as they are strongly dependent and iterative processes. Decision theory can guide the design and decision process in negotiation with stakeholders. Key parameters for the decision can be analysed through a combination of functional requirements, societal and political values, safety engineering, safety factors and systems theory. By taking an organisational viewpoint, potential latent and active errors can be analysed and a good safety culture can be engineered. In order to improve the safety culture of truck companies, regulation ensuring proper maintenance, training and quality management may be necessary in a competitive global economy.


Despite sometimes heavy regulation and sophisticated assessment methods, accidents continue to occur. A recent example is the Fukushima Daiichi nuclear power plant accident in 2011, which happened due to an earthquake followed by a 14 m tsunami wave. The plant had been designed for a 6 m wave despite that more severe waves had occurred in the past. Severe flooding have also happened near nuclear power plants before, why have we not learned (Epstein 2012; Epstein et al. 2012)?

Several studies suggest that large uncertainties can be expected in a Quantitative Risk Analysis (QRA) (Amendola 1986; Contini et al. 1991; Lauridsen et al. 2001a,b; Fabbri and Contini 2009), this is not least the case for road tunnels, where data is sparse and models for basic phenomenon such as fire behaviour, human behaviour and fire spread include rough assumptions, if they are at all considered (PIARC 2008; Ferkl and Dix 2011; Kirytopoulos and Kazaras K 2011; Kazaras et al. 2012; Rein et al. 2009). Bjelland (2013) argues that the scientific framework within fire safety is too narrow. In order to improve fire safety, other methods and perspectives on safety and risk can contribute. This review article aims to explore different methods and perspectives concerning road tunnel fire safety and risk.

A striking comment from a risk analysis assessor is that “what is actually quantified is the assessor’s knowledge of the situation” (Contini et al. 1991:146). This means that any model is limited by the assessor’s understanding of road tunnels, traffic safety, human behaviour and tunnel fire dynamics, which will be the starting point of this review.

Road tunnel fire safety

Setting the scene

Fire requirements for tunnels and buildings in general are stated in the EU regulation on harmonised conditions for the marketing of construction products (CPR): “The construction works must be designed and built in such a way that in the event of an outbreak of fire:

  1. a)

    the load-bearing capacity of the construction can be assumed for a specific period of time;

  2. b)

    the generation and spread of fire and smoke within the construction works are limited;

  3. c)

    the spread of fire to neighbouring construction works is limited;

  4. d)

    occupants can leave the construction works or be rescued by other means;

  5. e)

    the safety of rescue teams is taken into consideration.” (CPR 2011 )

Due to severe alpine tunnel fires in 1999 and 2001 the European Commission later released minimum requirements for road tunnel safety (EC 2007, 2004) in support of the CPR. The EC-requirements cover administrative, organisational and technical aspects. Risk analysis as a method is highlighted for verification of safety. Due to the increased awareness of tunnel fire risk, several research projects where initiated including several tunnel fire tests (Ingason and Lönnermark 2012; DARTS 2004) and a study of the assessment of tunnel safety which further explored the use of risk analysis (Beard and Cope 2007).

Tunnel fire dynamics

Despite that knowledge on tunnel fire dynamics now exist, enclosure fire dynamics is of importance, although some large differences exist (Ingason et al. 2015). In enclosure fires, the heat and smoke is kept inside the enclosure and the availability of oxygen likely becomes a limiting factor. The size of openings will determine how large the fire can grow before it becomes ventilation controlled, i.e. controlled by oxygen supply (Karlsson and Quintiere 1999). For enclosure fires, unburnt fuel can burn outside the enclosure openings as it is mixed with fresh air. When the fuel is surrounded by a gas mixture with less than approximately 13% oxygen, the fire will extinguish.

In tunnel fires fresh air is usually transported to the fuel along floor level which sustains the fire. Unlike enclosure fires all combustion takes place inside the tunnel and for ventilation controlled fires this can lead to nearly zero % oxygen further downstream. In tunnel fires the hot smoke initially rise and impinges on the ceiling, extends along the ceiling and gradually descends towards the floor as it is being cooled, see Figure 1. The amount of backlayering and the distance downstream that the smoke remains stratified is highly dependent on the ventilation conditions (Ingason 2012; Ingason et al. 2015).

Figure 1
figure 1

A schematic diagram over a tunnel fire introducing several important terms.

In recent years, a comprehensive theory on tunnel fire dynamics has started to develop. Fire parameters such as the temperature development, flame length, backlayering, visibility and gas concentrations can be calculated for tunnels with longitudinal air flow (Ingason et al. 2015; Ingason 2012, 2008). In tunnels with longitudinal or natural ventilation there is an air flow along the tunnel due to static and dynamic pressure differences. Transversal ventilation systems have air inlets and outlets along the tunnel length. With some minor modifications or limitations, a large part of the theory will also apply for tunnels with transversal ventilation. When a fire develops, buoyancy forces make the hot gases rise and spread along the ceiling depending on the tunnel inclination and initial ventilation. Depending on the air flow speed, the hot smoke and cold air mix and the smoke eventually becomes homogenously distributed in the cross-section downstream the fire. The first tunnel fire science study was performed by Thomas (1958) to study the effect of backlayering, when hot smoke travels upstream along the ceiling against the air flow, see Figure 1. Later Thomas (1968) introduced the concept of a critical air velocity needed to prevent backlayering. The critical air velocity will increase with the heat release rate (HRR) towards a constant value at around 3 m/s for most tunnels (Ingason 2008; Ingason 2012). The fire generates a resistance that increases with the fire size, called the throttling effect. Therefore, although 3 m/s will be sufficient to resist backlayering, the fan capacity has to be increased for increasing fire sizes (Vaitkevicius et al. 2014).

The main fire load in tunnels concerns the vehicles that drive through it. A typical car has a fire growth rate corresponding to a fasta fire and a peak HRR at around 5 MW. A bus reaches around 30 MW and a heavy goods vehicle (HGV) between 20 and 200 MW with an ultra-fast1 fire growth rate. For dangerous goods vehicles (DGV) there is no experimental data available although fires similar or worse than the HGV fire can be expected (Ingason and Lönnermark 2012; DARTS 2004). HGV and DGV fires can develop into catastrophic tunnel fires involving several vehicles with a ventilation controlled HRR between 300 and 700 MW (Ingason 2003). The heat release rate (HRR) of ventilation controlled fires will increase with larger cross-sectional area while fuel controlled fires (unlimited oxygen supply) will increase with decreased cross-sectional area due to increased heat transfer from the surrounding enclosure to the fuel (Ingason 2012; Ingason et al. 2015). Typically 2/3 of the HRR will be transferred by convection and 1/3 by radiation. If a sprinkler system is activated the convective part decrease to about 50%. The ventilation system is only affected by the convected HRR while the structure is exposed to both convective and radiative HRR Ingason and Li (2014)).

According to Carvel et al. (2001) ventilation has a strong impact on the fire growth rate. In a more recent study Ingason and Li (2010a, b) found the fire growth rate to increase linearly with the ventilation velocity. Also, depending on the type of fuel, ventilation conditions and fuel porosity the HRR can increase by a factor of 1–3 compared to free-burn tests if the ventilation is increased (Ingason 2005; Lönnermark and Ingason 2007). There is an upper limit to how much a material can burn per fuel area, therefore the HRR will reach a maximum level at which higher ventilation does not increase the HRR further (Ingason and Li 2010a, b). The ceiling height is an important parameter that receives limited attention when tunnels are designed, although the ceiling height together with the ventilation conditions is the most important parameters for the fire development. Another important factor is the geometry and the design of the vehicle on fire, e.g. containers or solid panels will significantly reduce the fire (Ingason et al. 2015).

There are three mechanisms by which heat is transferred from one object to another: heat flux by radiation, conduction inside objects, and convection between hot air and objects, see Figure 1 (Holman 2010). The driving force of all heat transfer modes is the temperature difference. For the estimation of heat flux for tunnel applications, basic theory is presented in (Ingason et al. 2015). Tunnel theory commonly ignores the effect of heat transfer through conduction, which means that the temperature development may seem independent of the thermal inertia of the tunnel structure. Decreased thermal inertia, e.g. insulation instead of concrete, will in general result in higher temperatures and faster fire growth rates; which has the potential to, for example, increase the risk of fire spread (Gehandler et al. 2014a, b; Gehandler and Wickström 2014).

Modelling of fire in general as well as tunnel fires in particular is challenging as several basic mechanisms, e.g. combustion and fire spread, are poorly understood. Furthermore, modelling assumptions are numerous, e.g. the grid size, radiation model, turbulence model etc. In single comparisons between computer simulations and experimental data good results are often reported, e.g. (Hadjisophocleous and Jia 2009). However, a round-robin study involving 11 independent teams reveals another picture (Rein et al. 2009). A significant spread in the simulated results was found, despite the fact that each team received the same information of the fire test set-up that was to be modelled. The basic tunnel fire dynamics theory presented by Ingason (2012) seems to perform well in comparison with more advanced models (Nilsen and Log 2009), and to offer sufficient precision for risk analysis (Gehandler et al. 2014a).

Tunnel accidents

In Europe, about 20 vehicle fires occur per billion vehicle km in tunnels (Nævestad and Meyer 2014). Around 30% of all fires originate from HGV, despite that they only constitute 15% of the overall traffic volume (Ingason et al. 2005; Nævestad and Meyer 2014). An Austrian survey (Rattei et al. 2014) covering the period 2006–2012 identified 38 car fires and 30 HGV and bus fires inside tunnels from national incident statistics, indicating HGV fires may have an even larger share of all fires. The rate of HGV and bus fires was 25 per billion km and the corresponding number for car fires was 4.2. A wide spread in the number of fires per vehicle km was found between different tunnels (Rattei et al. 2014).

The most common causes for tunnel fires are collisions, overheating in combination with leakage or electrical failure, overheated bearings, brakes, tyres or engines. Collisions involving HGV or DGV are clearly overrepresented among the severe fires causing fatalities (Kim et al. 2010). According to recent Norwegian statistics, injuries or fatalities result from traffic accidents rather than from fires (Nævestad and Meyer 2014). In the Austrian survey only 7% of the fires were reported to have been caused by collisions, among which all were assumed to have included the entire vehicle. Out of 28 HGV fires caused by spontaneous ignition only 3 fires spread to the entire vehicle (Rattei et al. 2014).

A Norwegian risk analysis estimated the expected loss of life from dangerous goods accidents to be less than 2% of the expected loss of life from normal traffic accidents (Lille and Andersen 1996). An international survey of 1932 accidents during the transport of hazardous substances by road and rail found that the most frequent accidents were release of hazardous substances (78%) followed by fire (28%), explosion (14%) and gas clouds (6%). 63% of the accidents occurred on roads. Most accidents (75%) were caused by collision between vehicles. 3% or 13 accidents with hazardous materials took place in tunnels among which five were in road tunnels (Oggero et al. 2006).

The major cause of collisions is driver error, according to a US study in 57% of cases and a UK study in 65% of cases. Adding all the cases when the road user was at least a contributing factor the numbers rise to around 95%. According to Oppenheim and Shinar (2012), traffic safety is more than the mere absence of accidents. We must go beyond accidents if we are to understand safe driving behaviour. Three error types can be distinguished as follows: #1 slips, i.e. right intention incorrectly executed, #2 lapses, i.e. failure to carry out any action at all, and #3 violations, i.e. deliberate deviation from accepted safe driving behaviour, e.g. speeding. Both slips and lapses relate to attention and memory failures. Lapses are of particular relevance to traffic safety as they relate to skill-based automatic behaviour. A mistake occurs when a driver intentionally performs an action that is wrong. Non-deliberative errors (lapses, slips and mistakes) may be reduced by training, memory aids, and better human-machine interfaces (Oppenheim and Shinar 2012). Violations are best dealt with by trying to change users’ attitudes by improving the overall safety culture.

Among environmental factors, high traffic density, narrow lane width, high horizontal curve grade, rising and falling gradients and limited lateral clearance are related to increased incident rates (Oppenheim and Shinar 2012; Martens and Jenssen 2012). In particular rising and falling gradients is highlighted to increase the number of HGV and bus fires in Austria (Rattei et al. 2014). The area where the gradient goes from falling to rising is accident prone due to a likely abrupt change in speed (Martens and Jenssen 2012), which is also confirmed by Norwegian tunnel incident statistics (Nævestad and Meyer 2014). Tunnel entry portals have a high accident frequency, probably due to changing lighting conditions. The provision of traffic and safety information is necessary to improve driving behaviour and safety; but there is also a risk in providing too much information. In particular, information should be restricted 200 m before the tunnel entrance since then most drivers focus on the tunnel portal. It has been seen that many vehicles continue entering a tunnel even though traffic signals indicate the tunnel is closed, instead some kind of physical obstacle should be used (Martens and Jenssen 2012).

Kim et al. (2010) analysed 69 tunnel fires and divided them in four incident categories:

  1. 1.

    Single fires that do not spread to other vehicles. The majority (43) belong to this group. Only 11 caused fatalities.

  2. 2.

    Single fires that propagate to neighbouring vehicles. All 5 fires in this category originated from HGVs and claimed fatalities.

  3. 3.

    Collision fires limited to the vehicles that are involved in the collision. In 5 out of 7 cases fatalities occurred.

  4. 4.

    Collision fires that spread to other vehicles which were not involved in the collision. 13 fires belong to this group and all claimed fatalities.

The analysis shows that fire spread is one of the key factors behind escalating consequences, both in terms of fatalities and tunnel downtime (Kim et al. 2010). Ingason et al. (2015) offers a comprehensive theory on fire spread in tunnels. Fire spread is closely related to the HRR, gas temperatures, ceiling height, distance between neighbouring vehicles, flame length of the fire, and ventilation conditions. Tunnel fires can spread in a few minutes after the start of the fire (Kim et al. 2010; Lönnermark 2007). Fire spread in tunnels can occur through five main mechanisms (Ingason 2008; Ingason et al. 2015):

  1. 1.

    Flame impingement due to flame tilt in the presence of a ceiling and due to the ventilation flow.

  2. 2.

    Flame spread along the fire load.

  3. 3.

    Spontaneous ignition of vehicles downstream due to increased temperature.

  4. 4.

    Fuel transfer through leaking fuel tanks or debris downstream of the fire.

  5. 5.

    Sudden deflagration.

Hansen and Ingason (2011, 2012) have developed a method for calculating the critical heat flux for ignition according to mechanism 3 above. Beard (2006) has developed a non-linear model called FIRE-SPRINT to identify the onset of instability with major fire spread according to either mechanism 1 or 3 above, see (Grant and Jagger 2012; Charters 2012) for an overview.

Despite the fact that fire spread and catastrophic fires involving multiple vehicles are key indicators of tunnel fire safety they are not accounted for among the most common QRA methods for tunnels (PIARC 2008). Several parameters and systems can be used to reduce the risk of fire spread, such as reduced longitudinal ventilation speed, transversal ventilation systems, Fixed Fire Fighting Systems (FFFS) or manual extinction (Mawhinney 2011; Ingason and Li 2010a; Ingason 2012). Transversal ventilation systems reduce the risk of fire spread outside the fire and smoke zone. In the near field of the fire, the risk of fire spread is similar to longitudinal ventilation. Transversal systems work effectively if enough fresh air is supplied from both sides of the fire (Ingason and Li 2010a; Ingason et al. 2015).

From a compilation of 20 fire fighting activities Kim et al. (2010) found that 15 were extinguished by the fire brigade or driver. It was further noted that fires caused by collision develop very rapidly and have a short time frame when fire fighters are able to approach them. Therefore FFFS is highlighted as a preventive measure to reduce catastrophic tunnel fires. From their study Kim et al. (2010) proposed the following four parameters for tunnel risk classification:

  • Allowance and amount of HGV and DGV

  • Bi-directional or uni-directional traffic flow

  • Tunnel congestion

  • Rescue service response time.

HGV and DGV represent a large risk as they constitute the fire load that potentially can lead to a catastrophic outcome. Bi-directional tunnels increase the risk of collision and make the evacuation process more difficult as road users are found both upstream and downstream of the fire. Highly congested tunnels have a higher frequency of collisions and greater risk of fire spread to nearby vehicles. Finally rescue service response time can significantly influence the ability for assisted egress and the potential for the fire service to approach the fire for manual fire fighting.

Tunnel fire hazards

As for fires in general, exposure to smoke poses the main threat. During a large tunnel fire the hazards that an evacuee meet are numerous. Firstly, the visibility is impaired and the evacuee is forced to move through smoke. Within a few minutes, due to smoke irritants, the visibility is further impaired, furthermore, pain and breathing difficulties occur as irritants also affect the respiratory tract. After some further minutes of smoke exposure asphyxiant gases start to cause asphyxiation leading to confusion and loss of consciousness followed by death from hypoxia (Purser 2009). Another hazard concerns the heat generated from the fire. Heat can be an issue for evacuation close to the fire, but foremost heat restricts rescue service intervention and can damage equipment or the tunnel structure, potentially leading to collapse or expensive renovation.

Most materials that burn are carbon-based. The end product of carbon-based fuels is mainly CO2, H2O and heat. CO2 is a toxic asphyxiant gas in large doses. Depending on the fuel composition, temperature and ventilation conditions, other toxic products can be formed, e.g. CO or HCN (Blomqvist 2005). Methods for quantifying fire hazards can be distinguished into limit-based and accumulative methods. In a limit-based method the gas concentration is estimated and compared with a limit value for each gas. If the limit is exceeded the evacuation has failed. By accumulative methods the accumulated effects from several asphyxiant gases are combined into a Fractional Effective Dose (FED) value. A FED value of 1.0 corresponds to the median of log-normal distribution of responses. A typical endpoint is incapacitation (Forster and Kohl 2012; ISO 2012a).

The risk of explosion most notably exists for transportation of gases that are liquefied by cooling or high pressure. An explosion occurs when the energy stored in the gas is released in a short time. In a full vessel almost all gas will be in liquid phase. A rupture in a full vessel leads to a sudden pressure drop to ambient causing the liquid to boil. The quick change from liquid to gas phase cause an increase in volume. Depending on the vessel temperature a blast wave can occur, if the evaporation is fast enough. This process is called, boiling liquid expanding vapour explosion (BLEVE). In an almost empty vessel much fuel will be in the gas phase. In this case a rupture causes an expansion of the pressurized vapour. The resulting blast depends on the temperature, type and amount of gas, and the dimensions of the tunnel. These two bursting vessel scenarios, without ignition, lead to high explosion loads in the zone around the bursting vessel (200–500 kPa), but is reduced after a couple of metres when the blast is directed along the tunnel axis, at around 100 kPa. Once the gas has expanded, ignition, e.g. by a spark or a hot surface, can occur if the gas-air mixture is within flammability limits. Depending on the speed of the flame front and expansion from combustion, a deflagration (10–800 kPa for HC-air mixtures) or detonation (1500–2000 kPa for HC-air mixtures) can take place. Of these, a deflagration in the order of 100 kPa is the most plausible scenario. Detonation is less likely as it requires instantaneous release of an almost empty tank. A pressure of 100 kPa or larger will cause direct casualties from the blast (Weerheijm 2014).

Structural behaviour

A number of past fires, for example the Channel tunnel fires and the Mont Blanc tunnel fire, show that fires pose a serious threat to the tunnel structure. There are four main types of tunnel constructions: cut and cover, immersed tube, drilled and blasted and bored tube tunnels. The dominating construction material is concrete. There are two main classes of concrete for tunnels: low-porosity (high-strength) and high-porosity concrete. For low-porosity concrete (often used in bored and blasted tunnels) the dominant failure process in tunnel fires is spalling, i.e. the explosive delamination of concrete. For high-porosity concrete in immersed and cut-and-cover tunnels the main failure mode is sagging of the roof due to loss of strength and expansion due to heat. Another threat for cut-and-cover and immersed tunnels is that the opposite, unexposed side, cracks. Measures to protect the tunnel integrity are, for low- and high-porosity concrete tunnels, either focused on withstanding fire exposure (fireproof concrete or insulation) or on fire suppression (Carvel 2005; Carvel and Both 2012).

The Eurocode offers general rules for structural fire design of concrete structures (CEN 2004). It is generally sufficient to assume a fully developed ventilation controlled compartment fire with a uniform temperature distribution and to only verify individual members directly exposed to fire (Thomas 1986). For this purpose, standardised testing of internal members using pre-defined time-temperature curves have been developed, e.g. the standard fire curve in EN 1363–1 and ISO 834, the hydrocarbon (HC) curve in EN 1363–2, or the Rijkswaterstaat (RWS) curve from the Dutch regulations. Members are classified according to the number of minutes that load-bearing capacity (R), integrity (E) or insulation (I) is ensured. A more performance-based alternative to the standardised fires is to develop a unique time-temperature curve given actual fire load and conditions, see for example the Natural fire safety concept (Sleich et al. 2002). An attempt to develop a similar concept for performance-based tunnel design can be found in (Gehandler et al. 2014b).

Human behaviour in fires

Key theories and concepts concerning human behaviour in fires were mainly developed during the 1970s and 1980s. More recently, interest in human behaviour during tunnel fires has started to develop, see (Shields 2012; Noizet 2012) for an overview. This research into human behaviour in tunnels has merely scratched the surface.

Social influence explains why we act differently to a fire threat alone and in groups, e.g. the apparent indifference of others can lead to passivity (Latané and Darley 1970). The importance of social influence is believed to increase with decreasing distance to the nearest person and when the fire cue is unclear or uninformative (Nilsson and Johansson 2009).

According to the behaviour sequence model the phases of evacuation are characterized by interpretation, preparation and action. The action in the last stage depends on previous stages. The activities people engage in to fulfil their role in any given situation are influenced by guiding principles or rules. When faced with a fire threat this role-rule attribute continues to guide the individual’s behaviour (Canter et al. 1980). The affiliative model suggests that people in a situation move toward familiar persons and places simply because they are familiar (Sime 1985).

In the process model the focus is shifted to human information processing and decision making. Earlier models for understanding human behaviour (such as the affiliative and role-rule model) can be used but in an iterative process. Two new concepts are introduced to describe the process. Feedback in action describes how people continuously act in response to new information rather than from an inert condition. Effectance motivation describes the continuous interaction of an individual with their environment to reduce uncertainties and ambiguities (Tong and Canter 1985).

An important finding concerning human behaviour in fire is that people’s reaction to an alarm is as important as the time it takes to physically move to an exit, if not more. In a lecture theatre evacuation study, two thirds of time from the onset of the alarm was spent not moving at all. Sime et al. (1992) therefore concluded that there is a disproportionate emphasis on time to move and exit flow rates in design standards and regulations.

The theory of affordance explains what affordances (perceived utility) an object such as an emergency door has on a person escaping. People perceive objects in terms of what they can offer or afford in relation to the fulfilment of their goal. Affordances can be divided into different categories depending on how they aid or support the user. Sensory affordance is the affordance of an object to be seen or sensed. Cognitive affordance supports understanding, such as how or why an object is used. Physical affordance supports the user physically, e.g. opening an emergency door. Functional affordance help users to achieve their goal (Nilsson 2009).

As the understanding of human behaviour in fire in tunnels is limited, knowledge of human behaviour in buildings is of high value, although, differences between tunnels and buildings must be considered. The human-tunnel-vehicle system is different in many ways from that of human-building systems. Some of these differences are that road users are sitting inside a vehicle which in general is a familiar place and not on fire. Furthermore, the surrounding environment is an alien environment. The road user depends on visual impressions, since she cannot smell or hear much from the environment outside the vehicle. For buildings, user familiarity can sometimes be assumed, for tunnels user familiarity cannot be assumed. In particular, the notion of destination, person and property affiliation can explain why instructions to drivers often are disobeyed (Shields 2012). Note that most studies on tunnel egress behaviour neglect differences in cognitive behaviour due to age and/or abilities (Noizet 2012).

Emergency information is often provided for pedestrians. According to Shields emergency information should immediately be available for road users inside their vehicle. Especially considering that it has been noted in real tunnel fires that many road users stay in their vehicle (place of affiliation and familiarity) during an emergency. Emergency exits and signs should have sufficient affiliation to persuade the road user of the associated benefits. When driving through tunnels, signs, emergency doors or even the tunnel walls are hardly noticed, the side walls flash by due to the speed of the vehicle (Boer and van Zanten 2007). The tunnel is seen in a flash and when tunnel users have to evacuate by foot they have no idea of the appearance of the tunnel.

In an evacuation experiment in the Benelux tunnel a truck fire was simulated to study human behaviour. In 6 out of 7 tests, motorists stayed in their cars until the first announcement. In one test motorists started to leave their cars immediately and others followed. In all seven tests the first announcement was sufficient to start the evacuation. One test showed extreme passivity by the motorists in the front who stayed in their cars even after they were engulfed with smoke. First after the second announcement did they react and commence evacuation. A common reason for not reacting to the incident was that no one else did anything. Another reason to stay in the car without reacting can be to stick to the role of being a motorist. As visibility decreases so do these social influences. This is believed to be part of the explanation as to why some motorists stayed in their cars being engulfed by smoke: they did not see the motorists leaving behind them (Boer and van Zanten 2007).

Proulx and Sime (1991) investigated the efficiency of different communication systems for initiating evacuation in a Newcastle underground metro station. It was found that a regular alarm bell lead to a delayed evacuation or no evacuation at all. Although an alarm bell is supposed to mean ‘evacuate the building’, people seem to interpret the information as a system failure or a test. The will to reach the destination is so strong that everyone continued with their normal behaviour only slightly disturbed by the ringing of the bell. The response to evacuate was improved if staff members shouted at people to evacuate, or, even better, if a message was given on the public communication system. The fastest response was achieved when the message was timely and precise, e.g. a live voice describing what action is expected and why, and giving personal messages to people identified on the CCTV who had not started to evacuate. It is important that the message is clear, reliable, and easy to understand.

In a survey conducted on 151 firemen, truck drivers, regular drivers and student drivers, the management strategies in the event of a tunnel fire were investigated (Gandit et al. 2009). The spontaneous response to a tunnel fire was to evacuate (40%), exchange information (35%), or to help others (13%), mainly through the use of a fire extinguisher. Of those who wanted to evacuate 50% looked for an emergency exit, 33% said they would move to the tunnel exit, and 17% towards the tunnel entrance. Gandit et al. (2009) concluded that although users are well aware of the safety devices, they do not use them automatically. Safety campaigns or a fire safety module in driver training courses could improve the situation to clarify why and how safety devices should be used (Gandit et al. 2009).

There is a wide range of egress models available for buildings and an extensive review can be found in (Kuligowski et al. 2010). As can be seen in the review above modelling of human behaviour is a challenging task as many parameters affect the complex decision-making process resulting in a wide range of behaviours. To account for this fact some models try to use artificial intelligence or probabilistic rules. Some models have been tested against fire drills or people movement experiments. One can expect a large operational uncertainty in applying these models, in particular with relation to tunnels.

Perspectives on safety

Although this paper belongs in the technical science field it is also in accordance with Renn (2008), who believed that insights from other sciences, e.g. natural, psychology, economics, and cultural and social sciences, can enrich the understanding of safety and risk. The main paradigm for dealing with safety is risk analysis as developed from the technical science field, called technical risk analysis by Renn (1998). Similar to technical risk analysis, the economic concept of risk transforms physical harm and other effects into utilities. In contrast, a psychological perspective on risk reveals that we as individuals have a multidimensional concept of risk, which cannot be reduced to utilities, probabilities and consequences. A sociological perspective on risk tries to understand how the risk society works. A basic notion is that humans do not perceive the world with pristine eyes, but through perceptual lenses filtered by social and cultural meanings. Cultural theory seeks to make sense of the things humans do. Studying the origins of beliefs that guide risk-taking decisions reveals cultural patterns and different world views. This helps explain controversies concerning risk issues and explains why risk assessment cannot claim universal validity among all groups and cultures in society (Adams 2000; Renn 1998).

The scientific method can be defined in terms of the three characteristics: reductionism, repeatability, and refutation. The complexity of the real world is reduced in experiments whose results are validated by their repeatability and knowledge is built by refutation of hypotheses. The scientific method has been successful in many fields, however, complexity and social phenomena pose difficult problems. After having conducted case studies of fire safety engineering projects, Bjelland (2013) argues that the scientific framework for fire safety is too narrow to capture the essence of fire safety. In particular, reductionism leads to great simplifications in the treatment of complex systems and excludes critical issues that are difficult to quantify, e.g. human and organizational behaviour. This leads to an overemphasis of model concepts such as relative frequencies or causal structures. Bjelland (2013) highlights design science, systems safety and social constructivism as good compliments to the scientific method to broaden the view of relevant knowledge in the design process. In the design process, more emphasis should be placed on prior experience and tacit knowledge. Engineers should be allowed to creatively frame and reframe the problem in negotiation with stakeholders (Bjelland 2013).

The method of systems is, unlike the scientific method, based on the idea that at certain levels of complexity there exist properties which are emergent at that level and which cannot be reduced to lower levels. An example of such a complex system is the human body with its organs, cells and DNA. At each level, e.g. that of organs, properties can be found that cannot be found at other levels (Checkland 1985). Performance is controlled by the higher levels of system hierarchy. In order for this control to be effective there is the need for communication, feed-back and feed-forward about the state of the system (Bjelland 2013).

Möller and Hansson find no less than 24 safety principles in the engineering literature, which are grouped in four categories as follows (Möller and Hansson 2008):

  1. 1.

    Inherent safe design. Potential hazards are excluded rather than just enclosed or coped with. In general this is the preferred solution if possible.

  2. 2.

    Fail-safe. If the system does fail it should fail safely, or it should be fail-safe, i.e. internal components may fail without the system as a whole failing, or the system fails without causing harm. Defence in depth, reliability, and safety barriers are example of fail-safe concepts.

  3. 3.

    Safety reserves. A system or construction is made strong enough to resist loads by a margin of safety to account for higher loads than foreseen, worse material properties than foreseen, imperfect theory of the failure mechanisms, possible unknown failure mechanism, and human error.

  4. 4.

    Procedural safeguards. Procedures and control mechanisms are implemented to maintain safety. This includes safety standards, quality assurance, and training.

In general the efficiency of a safety measure decreases with increasing number above, i.e. inherent safety is more efficient than implementing procedures and safeguards. The Netherlands has adopted a policy for intrinsic infrastructure safety. To achieve decisions for intrinsic safety, a shared view of safety among all decision makers should emerge before safety objectives are evaluated against other objectives, e.g. economic (Rosmuller and Beroggi 2004).

The safety circle in Figure 2 visualises different aspects of safety as a dynamic process of learning and improving. In any holistic safety approach all elements in the safety circle should be addressed, and it may be inefficient to only focus on one or a few. Pro-action is about eliminating the root causes, for example through training or design. Prevention is about reducing tunnel accident probabilities of crucial events, for example through reduced speed. Preparation concerns the management of emergencies. Mitigation (also called protection) is about mitigating the consequences of a tunnel accident. Intervention refers to the efforts of rescue teams. After-care actions are performed to quickly return to normal operation. Lastly, evaluation is about learning and constantly improving. Safety features that function early in the circle are in general most cost-effective (PIARC 2007).

Figure 2
figure 2

The safety circle (PIARC 2007 ).

The five requirements stated in the CPR (2011) are largely consequence focused. One reason is that fire rules and regulation have developed as a reaction to occurred incidents. The fire is already assumed to have happened and regulations are designed to protect ourselves against future occurrences (IRCC 2010). This is a reactive safety approach in contrast to a proactive approach. Consequently Malmtorp and Vedin (2014) find that about 80% of all safety measures aimed at tunnel safety focus on reducing consequences, despite the fact that preventive measures generally are more efficient. An overview of key terms and measures aimed at prevention and protection for tunnels is given by Beard and Scott (2012). Gehandler et al. (2014a, b) argue that today’s tunnel fire safety codes and standards do not cater to the complexity of modern multi entry and exit urban road tunnels. A suggested solution to account for both this complexity and the need for more proactive/preventive measures is to move to a performance-based design methodology and QRA (Gildersleeve and Sherlock 2014; Malmtorp and Vedin 2014).

However, both prescriptive and risk-based approaches have their positive and negative aspects. Prescriptive approaches contain a rich seam of knowledge and experience encapsulated in codes and guides, grounded in the real world, based on implicit risk but without explicit understanding of risk. A risk-based approach allows us to estimate the risk, although with several assumptions and considerable uncertainty, grounded more in models than in the function of the entire system in the real world (Beard 2004, 2012). Fire models have the potential to be valuable and aid decision-making, but they also have limitations and can be used in ways which cause poor decisions to be made, see (Beard 1992, 1997, 2005). Consequently Beard and Scott (2012) argue for a systemic approach where fire risk is seen as a product of the working of a system as a whole, and a healthy mixture of prescriptive requirements, qualitative risk assessment and quantitative risk assessment is applied (Beard 2012).

Technical risk analysis

Due to the diversity of fields that deal with risk analysis, a wide spectrum of concepts and names are used. Sometimes the same words are used for different methods and sometimes different words are used for the same method; this is a fertile ground for confusion and misunderstandings (Kaplan 1997). Central concepts for risk can be identified from the ISO (2009a) definition of risk which is: “effect of uncertainty on objectives” in which events, consequences and likelihood are key parameters. Uncertainty is the state of deficiency in information related to, understanding or knowledge of, an event, its consequences, or likelihood (ISO 2009a). IEC/ISO (2010) defines the risk assessment process with the following phases: #1 risk identification, what can happen? #2 risk analysis, the consequences and likelihood of future occurrence is analysed, and #3 risk evaluation, decisions are made in relation to objectives and risks.

One way of classifying different models for risk analysis is by examining how uncertainty is treated. Six levels (from 0 to 5) are introduced by Paté-Cornell (1996). The success of analysis at various levels is dependent on resources, available knowledge, models and data. In some cases it does not make sense to perform an analysis at level 5 because there may not be any numerical models or data available. Uncertainty can also be treated in words by stating the gaps in knowledge, or through reducing the uncertainty in the system by making it more robust.

At level 0, the first step in risk analysis, risk identification is carried out. This can be sufficient for a strict zero-risk policy or for low cost decisions when the options are clear. Analysis at levels 1 and 2 consider a worst or plausible worst case and can be an option if this is sufficient to support a decision, e.g. to design for the maximum credible earthquake. The uncertainty in consequences is implicitly considered. This approach can be used in deterministic design procedures where scientific theories and empirical methods using conservative assumptions are used to evaluate the design as either successful or not (BS, 2001). Analysis on Level 3 uses the best estimate or central value that reflects the most probable outcome and is often used in Cost and Benefit Analysis (CBA). An analysis on level 3 has a poor capability to capture the uncertainty of the outcome. (Paté-Cornell 1996).

At levels 4 and 5, a Probabilistic Risk Assessment (PRA), or a QRA is performed. A distribution of probabilities is used in contrast to the previous deterministic approaches. This includes the worst case, plausible worst case, central values and a set or continuum of other cases. The output of level 4 is a risk curve over the likelihood for different consequences. This curve represents the uncertainty involved under the limitations of the method used and the assumptions made. At level 5 competing models and assumptions are taken into consideration and results in a distribution of risk curves providing an estimate of the inherent uncertainty of the risk measures (Paté-Cornell 1996). PRA emerged from a reactor study on nuclear power plant safety (WASH-1400) in the mid-1970s (Stamatelatos et al. 2002a). The introduction of the notion of ‘scenario’ contrasted with the deterministic practice current at the time, which was to only study reliability for a given design basis challenge, Level 1 or 2 above (commonly done in fire safety science where the term design fire is used to define the stress for the system in question). In contrast WASH-1400 studied several high consequence-low probability scenarios (Stamatelatos et al. 2002a).

An informative definition of risk is the set of triplets definition (Kaplan and Garrick 1981):

$$ R={\left\{{S}_i,{L}_i,{X}_i\right\}}_c,\kern1.5em i=1,2,\dots, N $$

The risk (R) is the comprehensive answer to the following three questions (Kaplan 1997).

  1. 1.

    What can go wrong? This gives all possible scenarios S i .

  2. 2.

    What is the likelihood of each scenario S i ? This gives L i .

  3. 3.

    What are the consequences of each scenario S i ? This gives X i .

The brackets denote the set of triplets, i.e. the set of each scenario Si with its likelihood Li and consequence Xi and the subscript c implies that the set is complete, i.e. all relevant scenarios are evaluated. In practice the identified scenarios will never be complete as we do not know what we have not thought of (Beard 2002); this calls for cautionary decision-making (Beard 2004). No quantitative number or curve is “big” enough to capture the concept of risk. Scenarios and evidence also needs to be described in words since it is not possible to express everything in numbers (Kaplan 1997). The aim to identify all scenarios including scenario descriptions, likelihood estimation and consequence estimation and description is according to Kaplan (1991) versatile and have worked well for several types of risk.

Another way to describe one or more risk scenarios is by logic diagrams, e.g. the bow-tie model (PIARC 2007) or the crucial event model (Beard and Scott 2012). The essence of these models is that causal factors come together to produce one or more events that then lead to consequences, see Figure 3. A causal factor can be of any nature, e.g. it may be a temporal event or condition such as ‘fuel is present’ or a latent condition. The causal factors can be further analysed in a Boolean fault tree with AND or OR gates representing the logic of how the causal factors produce the failure event. Likewise, the possible consequences from each event can be logically constructed in an event tree, see Figure 3. By applying probability theory to the fault and event trees the probabilities of the end states can be calculated (Stamatelatos et al. 2002a).

Figure 3
figure 3

Fault tree and event tree.

An important qualitative result of fault trees is the minimal cut set (MCS) for top event failure to occur. An MCS is the smallest combination of basic events that result in the top event. Any MCS with only one basic event represents a single failure that alone can cause the top event to occur. These are often weak links in the safety chain. An MCS having events with identical characteristics are susceptible to common cause failures. Through a quantitative evaluation the dominant cut sets with the highest risk contribution can be identified (Stamatelatos et al. 2002b). Although theoretically sound, it has proven difficult to model common cause failures (Renn 2008). Nývlt et al. (2011) apply PRA on road tunnels using an unknown base probability. The logic is that, despite the fact that the probability of fire is unknown, it can be analysed and demonstrated to be well managed and mitigated. Similarly a logic tree approach is used by Beard (1983) where a reduction factor is calculated for various combinations of safety systems with unknown base probability.

Economic perspective on risk

Through an economic perspective on risk the physical damage is transformed into utilities. The objective yardstick for measuring utility is the amount of money someone is willing to pay for a change. By this transformation other aspects such as psychological or social effects can be measured besides physical harm. Furthermore risks and benefits can easily be compared as they are expressed in the common denominator of utility. Collective utility can be deduced by looking at past behaviour or through surveys. The economic perspective on risk conceptualizes risk as a cost factor that can be exchanged (Renn 1998).

A controversial issue with the economic perspective on risk, e.g. CBA, is that all costs and benefits are translated into the single dimension of money, including e.g. life, which for many of us is considered to be incommensurable. Since resources are finite, society needs to make tough decisions when setting priorities between different life-saving alternatives (HSE 2001). Mooney (1977) argues that valuation of human life for life safety decisions is an useful aid that complies with liberal democratic traditions and ensures rational decisions. According to social theory, human valuation and CBA are tools that are used by some groups in society to ease management, but lack validity among other groups (Adams 2000).

Another controversial issue is how costs and benefits are to be compared over time. Economists have developed a widely accepted solution to this problem by discounting the future. According to Fischhoff and Kadvany (2011) it is questionable how well this applies to public decisions, e.g. future generations may not benefit from money that is saved today at the cost of the environment, and there is no obvious justification for discounting future lives.

According to Thomas (1986) the general objective of fire protection is to minimize the combined loss and cost of fire. An early application of utility theory on fire protective trade-offs was developed by Baldwin and Thomas (1974). In particular they were investigating the optimal combination between passive and active (sprinkler) fire protection. An important notion is that both active and passive protection may fail, there is in this sense no need to discriminate between the two modes of protection, and they both have a non-zero probability of failure. A balance has to be struck between the risk of failure, the ensuing damage, and the cost of reducing the risk or damage. A probabilistic approach for such evaluations is offered by Johansson (2001).

Risk evaluation and decision-making

Methodologies for risk evaluation and decision-making range from hard methodologies to soft systems methodologies. Hard methodologies are derived from the scientific method, characterized by reductionism, repeatability and refutation. At the other end of the spectrum are the soft systems methodology, e.g. by Checkland (1985). In a purely hard methodology, a considerable knowledge and understanding of the system is necessary. The method proceeds from problem to solution in a mechanical, orderly manner without any iteration. On complex and/or social systems the scientific method can be less successful, e.g. risk controversies where different actors have different values and objectives. The soft systems methodology is described as a never ending learning system that starts by expressing the situation where the perceived problem lies while not distorting the problem into a preconceived or standard form. Hard systems thinking (e.g. systems engineering and systems analysis) assumes that problems can be formulated as the making of a choice between alternative means achieving a known end (Checkland 1985; Beard 2012).

Beard and Cope (2007, 2012) proposed an intermediate methodology between the hard and the soft ends of the spectrum for tunnel fire safety. Such a methodology is the risk management process in IEC/ISO (2010), see Figure 4. Beard and Cope (2007, 2012) further presents a check-list concerning what a tunnel fire safety methodology should include, e.g. to make all assumptions clear, and to use an iterative process.

Figure 4
figure 4

The IEC/ISO ( 2010 ) Risk management process.

Funtowicz and Ravetz (1992) argue that the limit of science is being reached for risk analysis involving ineradicable uncertainties in value-laden contexts. They argue that awareness of complexities in both the factual and the value-laden dimensions of the problems are necessary, which they call post-normal science. The gap between scientific expertise and a concerned public can be bridged by dialogue among all stakeholders. The democratization of the political life of modern societies means ordinary people can read, write, vote and debate. Funtowicz and Ravetz (1992) hope that a similar democratization of knowledge in society will take place, creating space for enhanced participation in decision making for common problems, which is necessary for meeting the challenges of modern times. This requires that the problem is framed in a way that acknowledges the different perspectives of the stakeholders, e.g. trustworthiness of managing institutions (Funtowicz and Ravetz 1992; Wynne 1992). Meacham (2004a) argues that fire safety design, involving modelling of fire and human behaviour with significant uncertainties, has reached the realm of post-normal science. This then requires the input from a broader group of concerned stakeholders in the decision process.

Risk analysis has achieved a more and more distinct and separate role in relation to decision-making and evaluation. This separation started in the 1980s when a National Research Council (NRC) report called the ‘Red Book’ proposed a division between analysis and evaluation arguing that this would remove overt policy values form the assessment part and ensure scientific expertise without value judgments (Vareman and Persson 2010). An earlier NRC report had warned that it is difficult and sometimes unwise to separate analysis from evaluation. Some members of the committee felt that setting an ideal of value-neutral reporting of uncertainties is so unattainable that it distorts the analytical process (NRC 1982). Fischhoff et al. (1981) argue that, although a distinction between facts and values enrich risk debates, such a distinction is often impossible to attain. The objectivity of a fact is always contingent on a correct statement of the problem. Beliefs concerning “facts” shape our values and those values in turn shape the facts we search for and their interpretation. According to Fischhoff et al., the search for an objective method such as risk analysis is doomed to fail and may obscure the value-laden assumptions that inevitably will be made (Fischhoff et al. 1981).

Another consequence of the separation between risk analysis and decision-making and evaluation is that the search for the best decision is sometimes framed as an “acceptable risk” problem. In 1969 Chauncey Starr published a study aimed at finding a formula for determining whether risks were socially acceptable. He assumed that society revealed its preferences through the risks and benefits that are accepted from various hazards. The general rationale for acceptable risk is that if people accept one risk, they should accept all risks of the same order of magnitude measured in the same way. According to Fischhoff and Kadvany (2011) such comparisons are flawed in three fundamental ways:

  • by assuming that all risks can be defined by the same risk measure,

  • by assuming that risk decisions are about risk alone, and

  • to assume that accepted risks are acceptable.

According to Renn (2008), it is important to understand the central importance of benefits. Benefits are weighted versus risks and make them “acceptable”. Risky decisions are not about risk alone. Rather they are a choice between options with different features, including the level of risk. When a technology is adopted, so is its entire package of features which means it is impossible to infer some level of acceptable risk. All relevant features must be included in risky decisions to find the right level of risk for each particular case (Fischhoff et al. 1984; Slovic 2000). As an example one may accept a large risk, such as smoking, if the benefit from smoking is perceived to be worth the risk; while one may reject a small risk from a chemical plant nearby that is perceived as bringing no benefits but noise and disturbance. In risk perception studies several more factors have been identified that affect how risks are perceived and judged by the public (Slovic 2000, 1987). According to Otway (1992), attitudes towards technology as a whole, associated with risk, reveals a better understanding than the more narrow framing of risk perception.

It follows that one cannot and should not define risk in general terms suitable for all problems. Defining risk is a political act that expresses values regarding the relative importance of different possible adverse consequences for a particular decision (Fischhoff et al. 1984). Whoever controls the definition of risk controls the rational solution (Slovic 2000). Defining risk is a political and social act, determining what should be regarded as risk and how it is to be measured. The risk measure should be related to the decision context, e.g. if risk relates to an individual question concerning means of transportation the measure should reflect the whole journey from start to finish, and include the values of the concerned stakeholders (Holmgren and Thedéen 2003).

Vrijling et al. (1998) argue that the degree of protection should be expressed in terms of acceptable risk. Additionally the choice of a certain technology and risk should be made in a cost-benefit framework. Since almost all studies on acceptable risk use two measures for acceptable risk Vrijling et al. use the same. One is the point-of-view of the individual who “decides to undertake an activity against direct and indirect benefits”. The other measure considers if the benefits outweigh the risk for society. As the acceptable level of risk stands in relation to the benefits and voluntariness, the notion of acceptable risk needs to be flexible in relation to these aspects. Both the individual and societal level of risk needs to be “acceptable”, i.e. below a defined threshold, or in relation to benefits and voluntariness. Society should represent the whole nation so that several local risks cannot add up on a national scale. Depending on the benefit and relation a person has with a given activity, a useful distinction in risk acceptability is often made between third party users, users/passengers, and employees. The framework rests on statistical accident data, similar to the study by Starr mentioned above, which shows that the individual risks can be ordered according to the generated benefit and voluntariness. To account for the different categories a policy factor, β, is defined so that the individually acceptable probability of failure can be calculated accordingly (Vrijling et al. 1998):

$$ {P}_{fi}=\frac{10^{-4}{\beta}_i}{P_{d\Big|{f}_i}} $$

Where \( {P}_{d\Big|{f}_i} \) denotes the probability of being killed in the event of an accident. In Table 1 policy factors (β) for different types of activities are proposed, based on historical accident data.

Table 1 Different policy factors to account for different type of activities in terms of voluntariness and benefit (Vrijling et al. 1998 )

For social risk Vrijling et al. (1995) assume that individuals assess social risk on the basis of the events that occur within their circle of acquaintances. Assuming that each individual on average has 100 fairly close acquaintances, statistical data show that the recurrence of an accident claiming the life of one out of 100 acquaintances, is on the order of a human life span. They next use statistical accident data for different policy factors (β) as above, which results in an activity that is permissible if it claims less than

$$ 7*{10}^{-6}{\beta}_i* national\ population\ size $$

deaths per year. The model also includes a risk aversion index and a model to calculate locally acceptable risk from nationally acceptable risk.

For transportation risks it is noted that the applicability is questionable. One solution would require the definition of a standard unit length, but it is arbitrary what unit length is defined (Vrijling et al. 1995). In a later article the framework is applied to road traffic where each vehicle is seen as an installation. As so many “installations” exist the current risk should not be acceptable according to this framework (Vrijling et al. 1998).

Finally, the framework for acceptable risk proposed by Vrijling et al. (1998) aims at an economically optimal level of risk. The rationale is that the total cost for safer systems and expected total damage in monetary units is minimized. Vrijling et al. (1998) further underline that the three means they propose, i.e. individual and societal risk criteria and economical optimization, are just means to reach the goal of managed safety. The tools only measure some aspects of the entire system. The framework on risk acceptance proposed by Vrijling et al. is applied to tunnels by Arends et al. (2005). However, it is unclear how the method is applied in practice considering the lack of data which is also acknowledged by the authors.

The Tolerability of Risk (ToR) framework was developed by the UK Health and Safety Executive (HSE) in order to efficiently align decisions with policies and the preferences of UK citizens. Tolerability is a better word than acceptability since one does not really accept risks, although the practical implications are the same. In the HSE approach risks are characterized as unacceptable, tolerable or acceptable depending on the risk magnitude. In order for a risk to be tolerable it should be reduced to a level that is As Low As Reasonable Practicable (ALARP). CBA is the main tool to prove that a risk is ALARP (Bandle 2007; Bouder et al. 2007).

HSE apply the precautionary principle for hazards subject to high scientific uncertainty, which rules out lack of scientific certainty as a reason for not taking preventive action. A key point of the framework is to generate trust, therefore it is important to base the process on openness, transparency and stakeholder involvement (Guen 2007; HSE 2001). A drawback with ToR is that CBA and the ALARP principle do not consider how the benefits and risks are distributed, e.g. whether one person is benefitting grossly while many others are taking the risk (Fairman 2007).

The approaches put forward by Vrijling et al. and HSE are the current dominating paradigm for risk evaluation and builds on utilitarian ideas where the collective is seen as a carrier of utility. The underlying rationale is that through a levelling of differences in cost per statistical life, financial resources can be used in a more cost-effective way allowing more lives to be saved (Hermansson 2005; Hansson 2003).

As already mentioned, this paradigm may not protect the individual from unfair risk exposure. Hermansson (2005) argues that risk management should acknowledge moral factors such as individual rights and fair risk taking. She also argues that the focus in risk management should shift from the outcome to the procedure for decision-making. Those affected by a risk decision should have the opportunity to be involved in a fair decision-making process. Public participation is a goal for democracy and a requirement for rational decision making (Renn 1998; Hermansson 2010).

Risk management implies value judgement on three levels: the choice of acceptability criteria, trade-off between criteria, and generation rational solutions. The dual nature of risk as a potential for physical damage and as a social construction demands a dual strategy for risk management. Public values and social concerns can identify the topics for risk management. Technical expertise can assess the magnitude and likelihood of risks, but public input is needed to set priorities and objectives (Renn 1998).

Hermansson (2007) proposes a model that analyses ethical factors in risk issues. The model focuses on the ethical relationships amongst the three parties: the risk-exposed, the beneficiary, and the decision-maker. Seven questions have been developed to cover the ethical issues between the three risk parties (Hermansson 2007):

  1. 1.

    To what extent does the risk-exposed benefit from the risk exposure?

  2. 2.

    Is the distribution of risks and benefits fair?

  3. 3.

    Can the distribution of risks and benefits be made less unfair by redistribution or by compensation?

  4. 4.

    To what extent is the risk exposure decided by those who run the risk?

  5. 5.

    Do the risk-exposed have access to all relevant information about the risk?

  6. 6.

    Are there risk-exposed persons who cannot be informed or included in the decision process?

  7. 7.

    Does the decision-maker benefit from other people’s risk exposure?

In order to consider a wide range of concerns, Fischhoff and Kadvany (2011) put forward a British framework called ‘concern assessment’ that included a CBA and the six societal factors: familiarity, understanding, equity, dread, control, and trust. Each societal concern is measured with judgements allowing five levels for each attribute.

Bilson and Purchase (2014) employ a risk evaluation framework to tunnel safety that includes several ethical aspects. Utilitarian values are evaluated through a CBA. Duty ethics concern an evaluation of whether the required level of safety in terms of standards and regulation and societal expectations is achieved. Rights ethics concern an evaluation of the different perspectives of the owner, constructor and polititians (obviously the exposed should also be included here, see Hermansson above). Finally, virtue ethics is about finding a balanced decision that takes account of all relvevant factors.

In many fields such as nuclear safety, QRA has proven to be very successful to ensure and increase nuclear safety and aid cost efficient decision making (Apostolakis 2004; Garrick et al. 2010; Garrick 1998). As pointed out by Apostolakis (2004), a QRA can improve safety decision making, but it is not a replacement for traditional safety methods or philosophies. QRA benefits include the logical and analytical consideration of thousands of scenarios, in-depth understanding of system failure modes, uncertainty quantification, identification of dominant scenarios so that resources can be wisely used (Apostolakis 2004; Garrick et al. 2010).


Uncertainty is central to the concept of risk. Any decision involves uncertainty in several aspects, e.g. empirical parameters, decision variables, value parameters, model domain parameters or outcome criteria. Empirical quantities represent measurable properties of the real-world system being modelled, e.g. temperature or fuel price. Value parameters are quantities such as discount rate or value of life. Probability is a good way to express uncertainty, however, Morgan and Henrion (1990) argue that only empirical quantities should be represented by probability distributions. Uncertainty can also be treated by parametric sensitivity analysis, where the sensitivity in the output from deterministic changes to the uncertain quantity is examined, or by stating the knowledge base and made assumptions in words. Standard scientific practice deals with the technical level uncertainty. According to Funtowicz and Ravetz (1990, 1992) the methodological and epistemological levels of uncertainty should be dealt with qualitatively. The methodological level concerns systematic error and the epistemological level concerns ignorance.

Uncertainty in risk analysis is often classified into randomness (aleatory), representing variations in samples, or uncertainty due to inadequacies in the knowledge base (epistemic). When the evidence base is small the epistemic uncertainty is large. A third type of uncertainty is introduced by the risk assessor. Despite the use of the same models on well-defined problems a large operational uncertainty remains. Operational uncertainty includes the following factors, relevant for most risk analysis (Lauridsen et al. 2002; Lauridsen et al. 2001a,b):

  • implicit or explicit assumptions about the nature of probability and choices among databases and within the same database,

  • system conceptualisation and hazard identification,

  • choice and use of models,

  • bias introduced by the context,

  • choice of boundaries, and

  • experience of the analysts.

Möller (2006) argues that any adequate concept of safety must include not only the measure of risk (including aleatory uncertainty), but also the measure of epistemic uncertainty. The epistemic uncertainty will be large for new or unknown risk since there are little or no statistical data. Then the risk should be judged to be high which is also how we intuitively perceive risks, e.g. we have an aversion against new or unfamiliar risks (Möller 2009). If probability distributions were known, probabilistic models could be used to estimate the epistemic uncertainty. However, probabilistic distributions are seldom known to any accuracy. In particular it is difficult to correctly model the tails of probabilistic distributions. Unfortunately, in QRA and engineering design it is often the tails that matter. Svensson and Johannesson (2013) call design through the use of such uncertain relationships ‘design by magic’. A more suitable method for estimating the epistemic uncertainty is Variation Mode and Effect Analysis (VMEA) which uses second order moment statistics which is more easily accessible. A more crude way to account for epistemic uncertainties is through the use of safety factors (Johannesson et al. 2013; Svensson and Johannesson 2013; Johansson et al. 2006).

In general there are two issues to consider when using statistics in order to estimate the likelihood of an event. Firstly, the amount of statistics should be as large as possible, secondly they should be relevant to this particular site or system. These two objectives often work against each other. It is further important to consider that failure frequencies and accidents are not primarily caused by technical but organisational factors (Davidsson et al. 2003). For tunnels, the collected data stretches over a few decades which mean the data relates to vehicles which have little relationship with modern vehicles in terms of heat release rates and other aspects of fire performance (Ferkl and Dix 2011).

Risk analysis reliability

The subjectivity and inherent uncertainty of risk assessment can be considerable. Surprisingly few comparative experiments have been performed to give an idea of the accuracy of risk assessments which is very surprising as risk assessment is being widely used by scientists and engineers alike. According to the scientific method, any theory that does not yield comparable results when repeated by others on the same problem, should be refuted.

In the early eighties a systems reliability round-robin exercise was performed including several European teams on the auxiliary feed water system of a nuclear power plant. The exercise showed that modelling uncertainties were considerable and in some cases overwhelm data uncertainties due to different understanding of key concepts, e.g. common cause failures and human factors, and the analyst general judgements, e.g. use of data and information, interpretation of the system and use of different approaches/philosophies. This introduces a significant subjectivity in the assessment (Amendola 1986).

In a round-robin exercise in 1990 eleven different teams of experts performed risk assessments on an ammonia storage facility given the same information and preconditions. The different methods applied, the different boundaries and hypothetical assumptions made for the accident sequences, and the different ways of calculating risk counters and presenting risk figures, made it very difficult to compare the final results on a common basis. Therefore, the authors argue that the comparative picture should not be taken as representative of the uncertainty in risk analysis in an absolute way. Large differences, one to several orders of magnitude, were found in the results and analysis by the different teams (Contini et al. 1991).

The spread in results could be traced both to a large variability in event frequencies used, as well as consequence modelling. A large number of assumptions must be made to narrow down the infinite amount of scenarios to a manageable and understandable set that can be modelled. A multidisciplinary and collective procedure is recommended for the hazard identification phase to yield a more complete picture as this is a critical step in the analysis. Comparing the frequencies obtained from fault trees and statistics suggests that the technique of using fault trees to obtain failure frequencies is neither robust nor accurate. Even though the same model is used, the result could widely differ because the models were used differently. The authors conclude that transparency in terms of all the assumptions that are introduced in all steps of the risk analysis must be explained together with the result as they are strongly dependent (Contini et al. 1991).

An interesting statement from one of the teams when operator reliability was assessed was that “what is actually quantified is the assessor’s knowledge of the situation” (Contini et al. 1991:146). The exercise did not allow for much interaction with any operators which partly explains the comment, however, engineering judgement is unavoidable as information is never complete and not all failure modes have been experienced by operators.

Another round-robin exercise on an ammonia storage facility was conducted in 1998–2001 by seven different teams. Again the intrinsic uncertainty present in risk assessment was significant and some of the main sources of uncertainty were identified as follows: the hazard identification phase, the estimation of scenario likelihood, and the calculation of consequences (Lauridsen et al. 2002). These are three key aspects of the risk assessment process which were also identified in the earlier studies.

The uncertainties found were significant for decisions concerning land use. For example, the safe distance from a process industry differed in the worst scenario between 65 and 10000 m (Lauridsen et al. 2002). Due to the intrinsic uncertainty in risk assessment, Fabbri and Contini (2009) argue that the resulting learning and increased understanding from performing QRA are more important than the actual risk estimate. This raise questions concerning todays tunnel fire design process since the risk analysis would often be carried out by an external consultancy and any lessons learned would not necessarily go into tunnel operational practice.

The reported uncertainties found in risk analysis may, however, be fundamental to any engineering model. In a round robin investigation covering 16 standard structural engineering calculations the results differed by several factors due to engineering modelling uncertainty (Fröderberg and Thelandersson 2014). Due to several stochastic variables and limited knowledge, the modelling of fire and human behaviour for tunnels will be highly uncertain (Beard and Cope 2007). Consequently any QRA on tunnel fire safety will be even more uncertain as large uncertainties concerning probabilities are multiplied with the consequence outcome of the modelling.

Beard (1997, 2005, 2007) has offered recommendations for acceptable fire model use. In particular, the model itself needs to have the potential to be valuable. Further, a generally acceptable methodology of use which encourages the user to be explicit needs to be followed, and the user needs to be knowledgeable. Since the conditions for reliable and acceptable use of complex computer models for tunnel fires do not yet exist, several models may only be valuable in a qualitative sense rather than quantitative (Beard 2012).

Fire safety engineering and performance-based design

Building on the ideas of risk analysis and risk-based design, Fire Safety Engineering (FSE) has evolved as a distinct research field in fire safety. One approach is to pursue the following steps. First, fire safety objectives are formulated qualitatively. Depending on the building and occupancy involved the fire safety objectives will be prioritized differently. The next step is to more precisely specify these goals according to the client’s loss objectives. For example, one loss objective could be “no loss of life outside room of origin”. For each objective one or more measurable functional requirement is formulated, and for each functional requirement, a performance criterion is specified. In other terms, the type and degree of fire stresses that equate to the stated loss objectives are specified. Such fire stresses could be a radiant heat flux or a rate of heat release. For example, the client loss objective of “no loss of life outside the room of origin”, requires maintaining tenable conditions in all egress paths until all occupants outside the room of origin have been evacuated to safety. In quantifiable engineering terms tenability may be expressed as CO concentration, distance of the smoke layer above floor or visibility. Once the functional requirements and performance criteria are defined design proposals can be evaluated. The common method for doing this evaluation for buildings as well as tunnels is through a scenario analysis (deterministic risk analysis including one or a few scenarios) or a QRA (involving all identified and relevant scenarios). An acceptable design should fulfil the agreed loss objectives and performance criteria (ISO 2009c; Meacham and Custer 1995; ISO 2012b; PIARC 2007). Gehandler et al. (2013, 2014b) have developed a performance-based design guide for road tunnel fire safety.

In scenario analysis a number of characteristic scenarios are selected to test the trial designs. The selection of scenarios is critical. The potential number of scenarios is infinite and a manageable set has to be identified. Each fire safety design objective has its own set of challenging scenarios. It is important that the resulting design solution is conservative (ISO 2006). The consequences for each scenario are evaluated against a pre-defined criterion. The scenario-based risk analysis is also a suitable method for the planning of tunnel emergency response measures (PIARC 2008).

The basis for deciding a performance-based acceptable level of risk is that the available safe escape time (ASET) is larger than the required safe escape time (RSET) by a margin of safety. The objective is often that all occupants should be able to escape without experiencing or developing serious health effects. The margin of safety depends on the chosen fire scenarios, the uncertainties in the calculations, and the fire safety objectives (ISO 2009b).

Bjelland and Njå (2012) find that current practice of ASET/RSET analyses in the Norwegian building industry are done to confirm that chosen solutions are sufficient while the analyses themselves have limited constructive value for engineering design. Out of 75 examined projects, none contained evaluations of more than one design alternative.

According to Babrauskas et al. (2010), the ASET/RSET concept is flawed precisely because it is used, as the example above illustrate, to verify fire safety to an “acceptable level”, rather than to maximise fire safety. Roughly half of all deaths and 2/3 of the injuries could be prevented if more time was available for escape. To try to save these people another method or concept seems to be necessary. Consequently Babrauskas et al. (2010) advise against the idea to define quantitative criteria as a measure of acceptable safety. Instead they propose a safety factor approach to be used.

FSE advocate performance based design in favour of prescriptive regulations. Standardisation aims to standardise the design and resist unique solutions. Both approaches have cost-efficiency and safety as an argument for their rationale. FSE proponents argue that if the solution is tailored to the situation the construction will be more effective and cheaper while standardisation argue that if solutions are standardised the wheel does not have to be reinvented (Johnson 2012; Ruijter 2012). Ruijter recognise that standardisation is not possible for all aspects of a tunnel but highlight safety demands and operational processes as highly appropriate for standardisation. One practical advantage would be that all tunnels and safety equipment would look and work the same way. Preferably the safety equipment should look and work the same in all regions within which drivers operate, e.g. in all of Europe.

Human error and organisational accidents

One drawback with technical risk analysis is that organizational aspects are excluded (Renn 1998, 2008). The starting point of this section is that, in order to improve safety, human error has to be understood. Three types of human strategies in problem-solving can be distinguished: skill-based, rule-based, and knowledge-based (Reason 1997). If possible the fast and skill-based strategy will be applied. If no suitable skill-based strategy is found, the problem is compared to similar rules and if a suitable rule which has been used several times before with success is identified it is applied. If no rule-based strategy can be found that works, an analytical and knowledge-based solution is generated. Depending on which problem-solving strategy that is used different error-types can be identified: slips and lapses are connected to the skill-based strategy, and mistakes to the other two strategies (Akselsson 2011). From a cognitive perspective, due to the mechanism of the human mind and its response to the environment, errors are unavoidable and should be seen as a consequence rather than a cause (Reason 1997).

Since evacuation in tunnels is an unfamiliar activity, a skill-based problem-solving strategy will not be adopted. A rule-based strategy may be adopted through finding the similar event of evacuating a public or private building during exercise or real emergencies. However, it is likely that no past situation and successful strategy is matched with the current situation which means that a more time-consuming knowledge-based strategy is initiated. The error type concerned with rule-based and skill-based strategies is mistakes, i.e. wrong action such as staying in the vehicle is carried out. A driver inside a tunnel needs all possible help to speed-up the knowledge-based strategy so that the correct action to evacuate is performed as fast as possible. Since we are aware of these factors surrounding evacuation, it is a design error not to support the road user correctly. As Reason says, human error is a consequence, not a cause. Due to the difficulty in achieving a fast human response in the event of fire, it may be wise to give obligatory information or even training in driver licence courses.

Reason (1997) further distinguishes error by active error whose effects are felt immediately and latent error whose adverse consequences may lie dormant within the system for a long time. In general active errors are associated with front-line operators while latent errors are caused by decision makers and management separated in time and space. Detailed analyses of accidents in complex systems such as nuclear power plants or industrial sites reveal that latent errors pose the greatest threat to safety. Examples of latent failures relevant to fire safety are the corroding sprinklers of Piper Alpha and the inability to realise the fire risk in London metro (Reason 1990; Akselsson 2011).

Reason (1997, 1990) offers a theoretical framework for accidents in complex systems. According to Reason, production systems (e.g. mass transportation) share several basic elements in common and can be generalised into the following five components:

  1. 1.

    decision makers (e.g. designers and high-level managers),

  2. 2.

    line management (e.g. maintenance, training),

  3. 3.

    preconditions (e.g. reliable equipment, safety culture),

  4. 4.

    productive activities (i.e. integration of human and mechanical elements), and

  5. 5.

    defences (i.e. safeguards)

There is a flow from #1 to #5: decisions from decision makers (#1) are implemented by line managers (#2), this in turn affect the preconditions (#3) and later the actual performance in delivering the right product at right time (#4). The defences (#5) prevent foreseeable injury, damage or outages in the product activities. Feedback loops return feedback to the line management and decision makers. Operators carry out their duties such as maintenance and production activities managed by the line management and affected by the preconditions of the workplace.

All of the five mentioned components of production can have human contributions to failures. These failures can either become latent system failures or they are active failures. For the corresponding component number above, errors can be categorized accordingly:

  1. 1.

    fallible decisions (latent),

  2. 2.

    line management deficiencies (latent),

  3. 3.

    psychological precursors of unsafe acts (latent),

  4. 4.

    unsafe acts (active), and

  5. 5.

    Inadequate defences (latent & active).

According to Reason (1990) system’s accidents have their primary origin in fallible decisions made by designers and high-level management. The key factors that contribute to fallible decisions are safety and production goals which in turn are affected by money, equipment, personnel, and available time. An accident occurs when an unsafe act is committed in the presence of a potential hazard for which latent failures from decision makers, psychological precursors, and the defence coincide. Reason uses the word unpredictable to describe the coincidence of latent and active errors that cause an accident, which suggest quantification is not very meaningful. Similarly a review of 1000 shipping accidents concluded that accidents resulted from highly complex coincidences which could rarely be foreseen by the people involved (Reason 1990).

Lately there have been several incidents in Norwegian road tunnels, e.g. Gudvanga 5 August (UPI 2013) and Storsand 22 August (Adressa 2013), one reason is that poorly maintained foreign trucks increase the risk of fire. In the incident in Gudvanga a fire started in a Polish truck. One political and societal factor responsible for this is the strive for larger markets and globalization. Transportation markets are enlarged within EU which means low salary countries enter the market of richer countries. The tough competition decreases the resources for safety, training and maintenance. This is a typical example of the struggle between production and protection in organizations (Reason 1997). It may be time for stricter regulation aiming at proper maintenance, quality management systems, and defensive driving culture. Another issue is that foreign drivers may not understand the culture, language and road signs in the country where they drive.

The human layer can be seen as the last layer of protection. Since we know the human element is dynamic and will always change, latent failures that are allowed in the other layers of protection will eventually be exposed by the human layer and cause an accident. Since we knew that the human element was variable, it was really the latent failures which caused the accident. To increase safety, latent failures must be minimized, identified, and monitored so that barriers can be constructed before them (Reason 1997).

In the tunnel-vehicle-driver system the front line operators are the drivers themselves. Reason highlights, among others, the importance of the front-line operators. From the review on road safety by Oppenheim and Shinar (2012) it is obvious that the human factor is a key factor causing road accidents. In particular this has to do with lapses, i.e. failure to respond to a threat. For tunnel fires the human factor is also a contributing factor. Fires may start as a result of crashes, but they can also start while driving e.g. overheated brakes or engines. Technical failures can be due to poor maintenance, poor design, or bad luck. Note that there is a human element behind the poor maintenance and poor design as well. A Canadian truck company managed to reduce the number of incidents through creating a culture of safety within the fleet. A Trucking philosophy was established which was to serve as a reminder of the drivers responsibilities. It was displayed around the facilities and on material distributed to the drivers. A safety committee was established where safety was discussed. Training on defensive driving was given bi-annually to the drivers. A rating system was introduced with personal incident ratings for each driver. The number of incidents was almost halved in four years (Menzies 2007). This shows that a safer culture can be engineered and improve road and tunnel safety.

This indicates that we can only reach high road tunnel safety by reaching out to all citizens, to establish a national and even international culture of road safety. As is noted by Holm (2007), the Swedish society has a poor road safety culture. It is difficult for authorities to take decisions such as lowered speed or traffic barriers aiming at improving safety when the citizens living there work against them and mainly prioritize high availability and accessibility. Several campaigns have been performed to alter the public perception into a more safety oriented perspective, not least safety belt, keeping speed limits, and ‘drinking equals no driving’ campaigns. Cultural beliefs and habits are naturally transferred from older to younger generations, as it becomes part of how we do things, resulting in safer roads in the long run.

Taking an even larger perspective, a certain company may have international organisations and national governments, regulators and associations on higher level, whose decisions affect their activities. Many nested levels of decision-making are thus involved in how, for example, a hazardous process is dealt with. Unfortunately this is seldom studied as a whole, instead several research disciplines study different levels so that, for example, management theories are independent of the context of a given organization. But the study of decision-making cannot be separated from the study of the social context and value system in which it takes place (Rasmussen and Svedung 2000).

To account for the nested levels of decision-making, Rasmussen and Svedung (2000) propose a framework called proactive risk management. The first step towards proactive risk management is to ensure operation within the design envelope. The mechanism generating the actual behaviour of decision-makers at all levels has to be understood. Their values and objectives as well as their need for information and feedback have to be clarified. This involves a top-down communication of values and objectives and a bottom-up communication of actual state of affairs. The method and framework necessary to maintain a high level of safety is a Total Quality Management (TQM) system (Rasmussen and Svedung 2000).

No matter how many improvements that are suggested from different efforts, improvements are dependent on the organisation’s ability to learn and to improve in reality. To support the process of learning a TQM system and Deming’s cycle, which aims at constant improvement through an iterative cycle: plan, do, study, and act (PDSA) can be applied (Akselsson 2011).

Tunnel operators have many tasks. They are monitoring the traffic flow and traffic situation, detect disturbances, closing the tunnel if necessary, communicate with users, communicate and assist the emergency service, reporting and evaluation. Since incidents and especially larger fires are rare, training and exercises of such situations is very important. Another parameter that affects their performance is their cognitive load depending on business and the complexity of their tasks. Cognitive over-load and under-load is believed to worsen performance (Martens and Jenssen 2012).

Systems safety

A central concept for understanding risk is that of a system, which Beard (2012) defines as: any entity, conceptual or physical, which consists of interdependent parts. In contrast to a purely reductionist approach, risk concerns the system as a whole, as it functions in reality. Since systems change and tunnel risk is complex and multi-faceted, any analysis will be incomplete (Beard and Scott 2012). This is, according to Hollnagel (2010), captured through the terms tractable and intractable systems. Typically a tractable system is simple to describe with few details, principles of functioning are known, the system does not change while being described and it is independent of other systems. An intractable system is the opposite. A metaphor for a tractable system is a clockwork and a metaphor for an intractable system is teamwork. According to Hollnagel (2010) most socio-technical systems are intractable. Current approaches to safety assume the system to be tractable and furthermore make the following assumptions (Hollnagel 2011):

  • Systems are well designed and scrupulously maintained

  • The procedures that are provided are complete and correct

  • People behave as they are expected to, and more important, as they are trained to

  • System designers have been able to foresee and anticipate every contingency

Under those assumptions humans are clearly a liability and a threat. Example of frequently used methods to control this liability includes training, standardisation, rules and regulation. This approach represents an ideal but is not practically achievable. The two main reasons for this are that most systems are intractable and that performance variability is inevitable (Hollnagel 2011). As an example, Lutz (1993) examined 209 safety-related software errors concerning two space crafts. He found that the main root causes for errors were discrepancies between documented requirement specifications and actual requirements needed for correct functioning of the system, and misunderstanding of the system interface with the rest of the system.

Acknowledging that precise procedures and instructions are not attainable, an alternative approach for intractable systems considers adaptation to meet functional goals as a necessary process. In this way performance variability is seen as an asset rather than a threat. In fact, according to Hollnagel, performance variability is on the whole the reason why socio-technical systems works as well as they do. Assessment methods must be able to capture the duality that human performance both can enhance and detract safety. From such a viewpoint systems work because (Hollnagel 2011):

  • people can learn to identify and overcome design flaws and functional glitches,

  • people can recognise the actual demands and adapt their performance accordingly,

  • when procedures must be applied people can interpret and apply them to match the conditions, and

  • finally people can detect and correct when something goes wrong or when it is about to go wrong, and hence intervene.

This is a more realistic description of work as actually done, rather than imagined, hence systems that are real rather than ideal. Since both failure and success depends on performance variability, failure is seen as opportunities for learning (Hollnagel 2011).

Kirytopoulos and Kazaras (2011) argue that QRA of tunnels suffer from the following limitations.

  • The probability of a fire starting in a tunnel cannot be reliably calculated.

  • The complexity of tunnel accidents is too large.

  • Large difficulties and assumptions in assessing human behaviour.

  • The influence of management and organizational aspects are often neglected despite that they are believed to be the key factor for safety in socio-technical systems.

Therefore, they propose a systems theory approach and a method called STAMP. In STAMP the accident model is viewed as interconnected networks rather than sequential events as in QRA. Furthermore, much analysis is made on management and organization to make it function well. It is largely a proactive approach to assess whether the organization is effective enough to keep the system within safety constraints. STAMP will not result in the same output as QRA why they could be used in parallel. (Kazaras et al. 2012).

The STAMP assessment process for tunnel safety proposed by Kazaras et al. (2012) begins by identifying hazardous system states and translate them into safety constraints. To achieve the safety constraints, a safety control structure over components and paths of control and feedback loops is defined (socio-technical). By using the safety control structure inadequate control actions are identified and used to determine necessary safety functions (Kazaras et al. 2012).

Santos-Reyes and Beard (2012) take a systemic approach to tunnel fire safety management. In their framework the systemic approach is compatible with QRA. The tunnel fire safety management model is also used by the authors as a template for comparison with an actual real world system in order to improve the existing management system (Santos-Reyes and Beard 2011; Santos-Reyes and Beard 2006; Santos-Reyes and Beard 2003).


Following the traditions of natural and technical sciences, safety engineering becomes an activity of structuring goals and performance criteria into mathematical language (Bjelland 2013; Meacham and Custer 1995). This approach assumes well-structured problems and leads to a narrow view on what is considered as relevant knowledge. In contrast, design science can be seen as a reflective conversation with the situation that highlight the skills and experience that designers and engineers bring to situations of uncertainty and value conflicts. Important designer skills are creativity, the ability to frame the design problems in different ways and to structure different solutions based on previous experience. Design processes are not linear and the stakeholders’ goals and values will be conceptualized and refined during the design process (Bjelland 2013).

According to Hollnagel (2006) there has been a technological bias in design in the sense that design for technology came first and design for humans at a distant second. However, putting the human at the centre of things is just as inadequate as machine-centred design since one part of the system is seen as opposed to the other. Design should therefore embrace a function-centred view and be problem-driven. For tunnels this means we should study the joint tunnel-vehicle-human system, and design should further the purposes or goals of this joint system, i.e. to be in control in a dynamic environment (Hollnagel 2006).

Ruland et al. (2012) takes a function-cantered systems approach to road tunnels. They incorporate Systems Engineering (SE) and other safety tools into the whole design process. SE highlights both validation (are we building the right thing according to the road users need?) and verification (are we building it right, are all specifications correctly implemented?). In the Netherlands the infrastructure authority use SE as a working method to administrate their contracts. Their design process includes the following steps. Clear and accurate specification of what the system is, does, and should handle. The specification process starts from top requirements and specifies lower level system requirements into finer and finer detail. Each subsystem, and its effect on the system as a whole, is analysed from four perspectives: Reliability, Availability, Maintainability and Safety (RAMS). Scenario-driven tools such as scenario analysis or table-top exercises validate that the system and subsystems offer the required functionality. Eventually, the specification is detailed enough to start the realisation. Each specification step is then validated and verified as the design is being realised, from smaller components to larger system parts (Gehandler et al. 2012; Ruland et al. 2012; Ruland and Snel 2010).

Safety culture

Pidgeon (1997) views culture as a system of symbols or meanings through which a given group understands the world. “Such a culture is itself created and recreated as members repeatedly behave and communicate in ways which seem to them to be natural, obvious and unquestionable, and as such will serve to construct a particular version of risk, danger and safety.” (Pidgeon 1997:7). A good safety culture can be supported by the following factors (Choudhry et al. 2007; Pidgeon 1997):

  • A shared care and concern for hazards.

  • Realistic and flexible norms and rules about hazards.

  • Continual reflection upon practice.

  • Work with attitudes and behaviour.

  • Management commitment (allocation of resources, to “walk the talk”, inspections).

  • Employee involvement (empowerment, involvement of employees).

  • Promotional strategies (mission statements, slogans)

  • Training and seminars.

  • Special campaigns (e.g. health week).

According to Reason (1997) a safe culture can be engineered through organizational characteristics like structures and systems which becomes a collective practice that an organization can have. The safety culture is the engine that drives the organization towards better safety, and its power is derived from ‘never forgetting to be afraid’. It consists of an informed culture, i.e. right information is collected and spread. It is dependent upon a reporting culture which relies upon a just culture, i.e. treating each other in a way that is morally right. Finally a safety culture must draw the right conclusions and have the will to implement changes, i.e. it must also be a learning culture.

Decision theory

According to Fischhoff and Kadvany “the foundations of risk lie in decision theory, which articulates concepts whose emergence must have begun with the first human thought about uncertain choices” (Fischhoff and Kadvany 2011:2). The logic of decision-making is to choose the option that promises most of what you want. Meacham (2004a) has written a review on decision-making for fire risk problems. Most decision theories are based on Bernoulli’s concept that choice depends on the likelihood of various outcomes and on the utility of those outcomes to the decision-maker, e.g. Expected Utility Theory. Social Choice Theory is a concept of rationality for synthesizing preferences among individuals affected by the decision, e.g. consensus building that takes into account primarily the facts and values of those participating in the development of fire safety regulation. Once a regulation is in place CBA plays a more central role when fire risk decisions are required for specific projects, see (Johansson 2001). In this case the decision-maker is less concerned with the “social good” than providing an “acceptable” level of safety at a minimum cost (Meacham 2004a). For tunnels the situation is quite different. Usually it is the state that develops fire safety regulations and plans, builds and owns tunnels. In all cases, safety and the social good have a high priority.

Decision making is fundamental to all fields. A general model called PrOACT which is applicable to any decision is offered by Hammond et al. (1999). The method consists of eight elements: problem, objectives, alternatives, consequences, trade-offs, uncertainty, risk tolerance, and linked decision. The essence of the method is to divide and conquer. By systematically breaking down the problem into smaller parts focus can be directed to the most critical aspects. In order to focus on the most important parts the process should rather be cyclic, i.e. iterative, than sequential.

The way the problem is stated frames the decision and determines what can be regarded as solutions, in fact posing the right problem drives everything else. By questioning the problem statement the root trigger can be identified and constraints that narrow the range of considered alternatives can be removed. Objectives specify the goal of the decision, and give the direction to strive for. Objectives can be identified by specifying all the concerns that the decision must address. To reach the fundamental objectives, ends are separated from means (potential decision alternatives) through why-questions. What-questions clarify each objective and increase the understanding of how to reach it (Hammond et al. 1999).

Alternatives are the different courses of action available to choose from. The decision can be no better than the best alternative. The objectives can identify decision alternatives by asking “how?” for each objective. Next, consequences from each alternative are evaluated for each objective. Often objectives conflict with one another, which is why trade-offs are inevitable. If an alternative is dominated by another on practically all objectives it can be eliminated. For tougher trade-offs the even swap method can be used to eliminate objectives for which all alternatives are equally good. In this sense both alternatives and objectives can be eliminated iteratively, resulting in more manageable decisions (Hammond et al. 1999).

The future is always uncertain and different outcomes will be more or less certain. Hammond et al. (1999) propose the usage of risk profiles to capture information about uncertainty. A risk profile answers the following questions.

  • Which are the key uncertainties?

  • What are the possible outcomes of these uncertainties?

  • What are the chances of occurrence of each possible outcome?

  • What are the consequences of each outcome?

This risk profile share many similarities with a risk analysis. The last two questions are included in the triple definition commonly used in risk analysis (Kaplan 1991; Kaplan and Garrick 1981). If the safety analysis is complemented by an explicit analysis of epistemic uncertainties, all four questions above are covered. Möller (2009, 2008) argue that epistemic uncertainty should be included in any concept of safety. The practical experience of Hammond et al. (1999) is that that all decisions involve uncertainties, but most uncertainties do not influence consequences enough to matter. By identifying the few uncertainties that influence the decision, analysis can be performed where it matters. The resulting risk profile can be expressed in the form of a decision tree where each fork represents an uncertainty and the branches the outcomes and likelihoods.

Depending on the risk tolerance, risk profiles will seem more or less beneficial. This can be quantified by a desirability scoring, which in essence has close similarities with expected utility used in economics. The desirability curve will reveal whether we in this case are risk aversive, risk neutral, or risk seeking. There are several means to re-shape the risk profile into a more desirable one, e.g. through risk sharing, to seek risk-reducing information, to diversify the risk, to hedge the risk, or to insure against the risk (Hammond et al. 1999).

Current FSE and risk analysis practice does not seem to acknowledge the decision problem context and the overall aim to find the best decision. Hammond et al. (1999) offers a comprehensive list of error types in decision making in which examples of poor fire safety decision-making from this review are given in parenthesis:

  • working on the wrong problem (e.g. rather than discussing safety, it is often a discussion of whether the design is better or worse than a prescriptive solution. This may include great emphasis on finding an appropriate prescriptive reference building (Bjelland 2013).),

  • failure to identify key objectives (e.g. to aim for an ‘acceptable’ design rather than ‘saving as many lives as possible’ (Babrauskas et al. 2010).),

  • failure to develop good and creative decision alternatives (e.g. to only develop and evaluate one design alternative (Bjelland and Njå 2012).),

  • overlooking crucial consequences (e.g. to ignore the risk of fire spread and multiple vehicle fires.),

  • giving inadequate thought to trade-offs (e.g. by having rigid regulations that does not allow for trade-offs),

  • disregarding uncertainty (e.g. to disregard considerable uncertainty in the Rogfast road tunnel risk assessment (Bjelland and Aven 2013).),

  • failure to account for relevant risk tolerance, and

  • failure to plan ahead when decisions are linked over time.

It is argued that these errors can be reduced if the decision-problem is acknowledged and systematically dealt with.


The different methods and perspectives of this review highlight different aspects of safety and risk. They all have the potential to be valuable for road tunnel fire safety. No single method or perspective can claim universal validity. Only through combining several methods and perspectives can an efficient approach to managing road tunnel fire safety be achieved.

Tunnel fire safety is largely a low probability-high consequence risk issue. Small fires (5–20 MW) are seldom any issue for life safety or business continuity. Larger fires occur rarely, but can mean both loss of lives as well as long tunnel closure and expensive repair costs. The uncertainty in estimating probabilities and modelling of fire and consequences is considerable. Decision stakes are often high in terms of investment costs and the risk of longer tunnel closure and life safety. The methodological framework of the fire safety community is too narrow for these problems to be efficiently addressed (Bjelland 2013). The limits of post-normal science are being reached (Meacham 2004a) and a broader group of stakeholders should now be included in the decision process. The realm of relevant knowledge should be extended to include other sciences, concepts and methods of ensuring safety. A risk decision is not merely about risk or cost, although these are two important factors, each risk decision have challenges, uncertainties and factors that society value, this should be reflected in the decision process and guide the process and trade-offs.

In practice this could mean putting more trust in tacit and prior experience rather than formalized risk assessment, although, for example, fire modelling should follow standard procedures of good practice. The concept of safety factors for different functional parameters should be used in qualitative and quantitative ways instead of an overall quantitative risk measure. Depending on data and modelling uncertainty, quantitative methods may only be valuable in a qualitative sense. In the words of Svensson and Johannesson (2013) this is a move towards enlightened engineering rather than design by magic. In the creative and cyclic process the design group frames and reframes the problem and potential solutions in negotiations with stakeholders. The design process should further be function centred and problem driven. Performance-based design offers a good starting point with a complete set of basic goals, objectives and functions of the tunnel system, e.g. (Gehandler et al. 2014b), but authorities and engineers need to make the best out of the new freedom offered by performance-based design. Several examples in this review show that better solutions or safer design does not come for free. Good examples can be found in the Netherlands with intrinsic safety efforts in early decision making and Systems Engineering in the design process, which enforces verification and validation of needed functions.

It is argued that decision-making should not be separated from design and evaluation as they are strongly dependent and iterative processes. Decision-making is fundamental to most reviewed methods, therefore we should acknowledge that we are dealing with a decision problem. Then the tools for decision-making, see section (Decision theory), can be used to structure the problem, to remove constraints and biases, to identify the basic objectives and potential solutions, to evaluate solutions and to perform trade-offs. It is likely a few factors will show up as the most important ones to evaluate further. Then a set of suitable methods that evaluate these aspects can be selected, taking into account their limitations, uncertainty and strengths. In light of new understanding along the iterative process the problem and potential solutions are reframed. Guidelines exist that have the potential to improve fire safety decision-making, e.g. Beard (2012) and Meacham (2004a, b).

Most tunnel fire safety measures focus on protection despite the fact that pro-active and preventive measures in general are more efficient. However, all aspects of the safety circle, see Figure 2, need to be included for safety to be managed efficiently. Intrinsic safety and fail-safe design are two efficient engineering principles. Acknowledging the nature of human error and the importance of a well-functioning organisation, latent errors should be analysed, reduced and controlled. A good safety culture within the tunnel organisation should be engineered. A TQM system can ensure improved safety during operation in the long run. Systems thinking can further remove safety constraints and faulty design in the real socio-technical system.


Road tunnel fire safety concerns high uncertainty and high-stake decisions. This means the decision process should include a wider group of stakeholders and include different types of knowledge, e.g. prior experience, safety engineering, decision theory, systems theory, social science and design science.

It is argued that the decision process should not be separated from the design and safety evaluation. Instead decision theory should be used to structure and drive the process; to identify the basic objectives, alternative solutions and key uncertainties, and prioritize resources for analysis where they matter the most.

An efficient pro-active safety measure would be to improve the safety culture of professional drivers and truck companies. Regulation ensuring proper maintenance, training and quality management may be necessary in a global competitive economy.


aFast, and Ultra-fast fire developments refers to the t-square model where the growth factor α is defined as 0.047 and 0.19 (kW/s2) respectively (Karlsson and Quintiere 1999).


  • Adams J (2000) Risk. Routledge, London

    Google Scholar 

  • Adressa. Omkom i ulykke i Storsandtunnelen - Et vogntog tok fyr inne i tunnelen på E39. 2013. (In Norwegian). Accessed 15 Jan 2014

  • Akselsson R (2011) Människa, teknik, organisation och hantering av risker (In Swedish), vol 2011. Institutionen för Designvetenskaper, LTH, Lund, Sweden

    Google Scholar 

  • Amendola A (1986) Uncertainties in systems reliability modelling: Insight gained through European Benchmark exercises. Nucl Eng Des 93(2–3):215–225,

    Article  Google Scholar 

  • Apostolakis GE (2004) How useful is Quantitative risk assessment? Risk Anal 24(3):515–520

    Article  Google Scholar 

  • Arends BJ, Jonkman SN, Vrijling JK, van Gelder, PHAJM (2005) Evaluation of tunnel safety: towards an economic safety optimum. Reliab Eng Syst Saf 90(2–3):217–228,

    Article  Google Scholar 

  • Babrauskas V, Fleming JM, Don Russell B (2010) RSET/ASET, a flawed concept for fire safety assessment. Fire Mater 34(7):341–355,

    Article  Google Scholar 

  • Baldwin R, Thomas PH (1974) Passive and active fire protection — The optimum combination. Fire Technol 10(2):140–146,

    Article  Google Scholar 

  • Bandle T (2007) Tolerability of Risk: The Regulator’s Story. In: Bouder F, Slavin D, Löfstedt RE (eds) The Tolerability of Risk: A New Framework for Risk Management. Earthscan, London, pp 93–104

    Google Scholar 

  • Beard AN (1983) A logic-tree approach to the St Crispin Hospital fire. Fire Technol 19(2):90–102,

    Article  Google Scholar 

  • Beard A (1992) Limitations of computer models. Fire Saf J 18(4):375–391,

    Article  Google Scholar 

  • Beard AN (1997) Fire models and design. Fire Saf J 28(2):117–138,

    Article  Google Scholar 

  • Beard AN (2002) We don’t know what we don’t know. In: 7th International symposium on fire safety science, Worcester, MA, USA. pp 765–775

  • Beard AN (2004) Risk assessment assumptions. Civ Eng Environ Syst 21:19–31,

    Article  Google Scholar 

  • Beard AN (2005) Requirements for acceptable model use. Fire Saf J 40(5):477–484,

    Article  MathSciNet  Google Scholar 

  • Beard AN (2006) A theoretical model of major fire spread in a tunnel. Fire Technol 42:303–328

    Article  Google Scholar 

  • Beard A (2012) Decision-making and risk assessment. In: Carvel R, Beard A (eds) Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 635–648

    Google Scholar 

  • Beard A, Cope D (2007) Assessment of the Safety of Tunnels - Study. Science and Technology Options Assessment. European Parliament, Brussels

    Google Scholar 

  • Beard A, Scott P (2012) Prevention and protection: overview. In: Carvel R, Beard A (eds) Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 67–88

    Google Scholar 

  • Bilson M, Purchase A (2014) Determining benefits of fixed fire fighting systems in road tunnels - A risk-based approach. In: Ingason H, Lönnermark A (eds) Proceedings from the Sixth International Symposium on Tunnel Safety and Security (ISTSS 2014), Marseille, France. SP Technical Research Institute of Sweden, pp 475–484

  • Bjelland H (2013) Engineering Safety with Applications to Fire Safety Design of Buildings and Road Tunnels. University of Stavanger, Norway, Stavanger

    Google Scholar 

  • Bjelland H, Aven T (2013) Treatment of uncertainty in risk assessments in the Rogfast road tunnel project. Saf Sci 55(0):34–44,

    Article  Google Scholar 

  • Bjelland H, Njå O (2012) Interpretation of safety margin in ASET/RSET assessments in the Norwegian building industry. Paper presented at the PSAM11 & ESREL 2012, Helsinki,

  • Blomqvist P (2005) Emissions from Fires - Consequences for Human Safety and the Environment. Report 1030. Lund University, Lund, Sweden

    Google Scholar 

  • Boer LC, van Zanten DW (2007) Behaviour on tunnel fire. Springer Berlin Heidelberg, Berlin, Heidelberg, pp 91–98,

    Google Scholar 

  • Bouder F, Slavin D, Löfstedt RE (eds) (2007) The Tolerability of Risk: A New Framework for Risk Management. Risk Society and Policy series. Earthscan, London

    Google Scholar 

  • BS (2001) Application of fire safety engineering principles to the design of buildings-Code of practice, vol 7974. British standards Institution, London

    Google Scholar 

  • Canter D, Breaux J, Sime J (1980) Domestic, Multiple Occupancy, and Hospital Fires. In: Canter D (ed) Fire and Human Behaviour. John Whiley & Sons, Ltd, pp 117–136

    Google Scholar 

  • Carvel R (2005) Fire protection in concrete tunnels. In: Carvel RO, Beard AN (eds) The Handbook of Tunnel Fire Safety. Thomas Telford Publishing, London, pp 110–126

    Chapter  Google Scholar 

  • Carvel R, Both K (2012) Passive fire protection in concrete tunnels. In: Beard A, Carvel R (eds) The Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 109–126

    Google Scholar 

  • Carvel RO, Beard AN, Jowitt PW, Drysdale DD (2001) Variation of heat release rate with forced longitudinal ventilation for vehicle fires in tunnels. Fire Saf J 36(6):569–596,

    Article  Google Scholar 

  • CEN (2004) Eurocode 2: Design of concrete structures - Part 1–2: General rules - Structural fire design, vol EN 1992–1–2:2004. European committee for standardization, Brussels

    Google Scholar 

  • Charters D (2012) Control volume modelling of tunnel fires. In: Beard A, Carvel R (eds) Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 347–364

    Google Scholar 

  • Checkland P (1985) Systems Thinking. Systems Practice, Wiley, Chichester

    Google Scholar 

  • Choudhry RM, Fang D, Mohamed S (2007) The nature of safety culture: A survey of the state-of-the-art. Saf Sci 45(10):993–1012,

    Article  Google Scholar 

  • Contini S, Amendola A, Ziomas I (1991) Benchmark Exercise on Major Hazard Analysis, vol 1. Description of the Project. Discussion of the Results and Conclusions, JRC

    Google Scholar 

  • CPR (2011) Regulation (EU) No 305/2011 of the European Parliament and of the Council of 9 March 2011 laying down harmonised conditions for the marketing of construction products. EUR-Lex, Brussels

    Google Scholar 

  • DARTS (2004) Durable and Reliable Tunnel Structures – The reports (CD Rom). CUR Gouda, The Netherlands

    Google Scholar 

  • Davidsson G, Haeffler L, Ljundman B, Frantzich H (2003) Handbok för riskanalys (In Swedish). Räddningsverket, Karlstad, Sweden

    Google Scholar 

  • EC (2004) Directive 2004/54/EC of the European parliament and of the council on minimum safety requirements for tunnels in the Trans-European Road Network. European Comission, Brussels

    Google Scholar 

  • EC (2007) Minimum levels of safety in European road tunnels. Accessed November 8 2012

  • Epstein W (2012) A PRA Practioner Looks at the Fukushima Daiichi Accident. Paper presented at the PSAM11 & ESREL 2012, Helsinki, 25–29 June

  • Epstein W, Yamaguchi A, Laaksonen J, Geller B, Cooke R, Pate-Cornell E, Kitamura M, Kuzmina I, Tappin D, Bot PL (2012) Fukushima – panel discussion. PSAM11 & ESREL 2012. Helsinki

  • Fabbri L, Contini S (2009) Benchmarking on the evaluation of major accident-related risk assessment. J Hazard Mater 162(2–3):1465–1476,

    Article  Google Scholar 

  • Fairman R (2007) What Makes Tolerability of Risk Work? Exploring the Limitations of its Aplicability to Othe rRisk Fields. In: Bouder F, Slavin D, Löfstedt RE (eds) The Tolerability of Risk: A New Framework for Risk Management. Earthscan, London, pp 119–136

    Google Scholar 

  • Ferkl L, Dix A (2011) Risk Analysis - from the garden of eden to its seven most deadly sins. Paper presented at the 14th International Symposium on Aerodynamics and Ventilation of Tunnels (ISAVT 14), Dundee, Scotland, May 11–13

  • Fischhoff B, Kadvany J (2011) Risk: A very short introduction. Oxford University Press, Oxford

    Book  Google Scholar 

  • Fischhoff B, Lichtenstein S, Slovic P, Derby S, Keeney R (1981) Acceptable Risk. Cambridge University Press, Cambridge

    Google Scholar 

  • Fischhoff B, Watson S, Hope C (1984) Defining risk. Pol Sci 17(2):123–139,

    Article  Google Scholar 

  • Forster C, Kohl B (2012) Ways of improvements in quantitative risk analyses by application of linear evacuation module and interpolation strategies. In: Ingason H, Lönnermark A (eds) Proceedings from the Fifth International Symposium on Tunnel Safety and Security (ISTSS 2012), New York, USA. SP Technical Research Institute of Sweden, pp 627–636

  • Fröderberg M, Thelandersson S (2014) Uncertainty caused variability in preliminary structural design of buildings. Struct Saf 52:183–193,

    Article  Google Scholar 

  • Funtowicz S, Ravetz J (1990) Uncertainty and Quality in Science for Policy. Kluwer Academic Publishers, Dordrecht, The Netherlands

    Book  Google Scholar 

  • Funtowicz S, Ravetz J (1992) Three Types of Risk assessment and the Emergence of Post-Normal Science. In: Ka G (ed) Social Theories of Risk. Praeger, Westport, CT, USA, pp 251–274

    Google Scholar 

  • Gandit M, Kouabenan DR, Caroly S (2009) Road-tunnel fires: Risk perception and management strategies among users. Saf Sci 47(1):105–114,

    Article  Google Scholar 

  • Garrick JB (1998) Technological stigmatism, risk perception, and truth. Reliab Eng Syst Saf 59:41–45,

    Article  Google Scholar 

  • Garrick BJ, Stetkar John W, Bembia Paul J (2010) Quantitative Risk Assessment of the New York State Operated West Valley Radioactive Waste Disposal Area. Risk Anal 30(8):1219–1230,

    Article  Google Scholar 

  • Gehandler J, Wickström U (2014) Estimation of tunnel temperature downstream a tunnel fire considering time dependent wall heat losses. In: Ingason H, Lönnermark A (eds) Proceedings from the Sixth International Symposium on Tunnel Safety and Security (ISTSS 2014), Marseille, France. SP Technical Research Institute of Sweden, pp 195–204

  • Gehandler J, Ingason H, Lönnermark A, Frantzich H (2012) Requirements and verification methods of tunnel safety and design. SP Technical Research Institute of Sweden. Borås, Sweden

    Google Scholar 

  • Gehandler J, Ingason H, Lönnermark A, Frantzich H, Strömgren M (2013) Performance-based requirements and recommendations for fire safety in road tunnels (FKR-BV12). SP Technical Research Institute of Sweden. Borås, Sweden

    Google Scholar 

  • Gehandler J, Eymann L, Regeffe M (2014a) Limit-based fire hazard model for evaluating tunnel life safety. Fire Technol 50(4):1–30,

    Google Scholar 

  • Gehandler J, Ingason H, Lönnermark A, Frantzich H, Strömgren M (2014b) Performance-based design of road tunnel fire safety: Proposal of new Swedish framework. Case Stud Fire Saf 1(0):18–28,

    Article  Google Scholar 

  • Gildersleeve C, Sherlock W (2014) Do modern fire and life safety standards and codes restrict innovation in urban multi entry and exit road tunnel design and cosntruction? In: Ingason H, Lönnermark A (eds) Proceedings from the Sixth International Symposium on Tunnel Safety and Security (ISTSS 2014), Marseille, France. SP Technical Research Institute of Sweden, pp 299–308

  • Grant G, Jagger S (2012) The use of tunnel ventilation for fire safety. In: Beard A, Carvel R (eds) Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 177–216

    Google Scholar 

  • Guen J-ML (2007) Applying the HSE’s Risk Decision Model: Reducing Risks, Protecting People. In: Bouder F, Slavin D, Löfstedt RE (eds) The Tolerability of Risk: A New Framework for Risk Management. Earthscan, London, pp 105–118

    Google Scholar 

  • Hadjisophocleous G, Jia Q (2009) Comparison of FDS Prediction of Smoke Movement in a 10-Storey Building with Experimental Data. Fire Technol 45(2):163–177,

    Article  Google Scholar 

  • Hammond JS, Keeney RL, Raiffa H (1999) Smart choices: a practical guide to making better decisions 2002 edn. Broadway Books, New York

    Google Scholar 

  • Hansen R, Ingason H (2011) An engineering tool to calculate heat release rates of multiple objects in underground structures. Fire Saf J 46(4):194–203,

    Article  Google Scholar 

  • Hansen R, Ingason H (2012) Heat release rates of multiple objects at varying distances. Fire Saf J 52(0):1–10,

    Article  Google Scholar 

  • Hansson SO (2003) Ethical criteria of risk acceptance. Erkenntnis 59(3):291–309,

    Article  Google Scholar 

  • Hermansson H (2005) Consistent risk management: Three models outlined. J Risk Res 8(7–8):557–568,

    Article  Google Scholar 

  • Hermansson H (2007) A three-party model tool for ethical risk analysis. Risk Management 9(3):129–144,

    Article  Google Scholar 

  • Hermansson H (2010) Towards a fair procedure for risk management. J Risk Res 13(4):501–515,

    Article  Google Scholar 

  • Hollnagel E (2006) A function-centred approach to joint driver-vehicle system design. Cognit Tech Work 8(3):169–173,

    Article  Google Scholar 

  • Hollnagel E (2010) Extending the scope of the human factor. In: Hollnagel E (ed) Safer Complex Industrial Environments. CRC Press, London

    Google Scholar 

  • Hollnagel E (2011) Prologue: the scope of resilience engineering. In: Hollnagel E, Pariès J, Woods DD, Wreathall J (eds) Resilience engineering in practice. Ashgate, Farnham, England, pp xxix-xxxix

    Google Scholar 

  • Holm L. Var är visionen? Tidningen Proffs: 2007. (In Swedish). Accessed 15 Jan 2014

  • Holman JP (2010) Heat Transfer, 10th edn. Mc Graw Hill, Boston, USA

    Google Scholar 

  • Holmgren Å, Thedéen T (2003) Riskanalys. In: Grimvall G, Jacbosson P, Thedéen T (eds) Risker i tekniska system (Swedish). Studentlitteratur, Lund, pp 253–274

    Google Scholar 

  • HSE (2001) Reducing risks, protecting people: HSE’s decision-making process. Health and Safety Executive, London

    Google Scholar 

  • IEC/ISO (2010) EN 31010:2010 Risk management - Risk assessment techniques. CENELEC, Brussels

    Google Scholar 

  • Ingason H (2003) Fire Development in Catastrophic Tunnel Fires (CTF). In: Ingason H (ed) International Symposium on Catastrophic Tunnel Fires (CTF). SP Swedish National Testing and Research Institute, Borås, Sweden, pp 31–47

    Google Scholar 

  • Ingason H (2005) Model Scale Tunnel Fire Tests - Longitudinal ventilation. SP Swedish National Testing and Research Institute. Borås, Sweden

    Google Scholar 

  • Ingason H (2008) State of the Art of Tunnel Fire Research. Fire Saf Sci 9:33–48,

    Article  Google Scholar 

  • Ingason H (2012) Fire dynamics in tunnels. In: Beard A, Carvel R (eds) Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 273–308

    Google Scholar 

  • Ingason H, Li YZ (2010a) Model Scale Tunnel Fire Tests- Point extraction ventilation. SP Technical Research Institute of Sweden. Borås, Sweden

    Google Scholar 

  • Ingason H, Li YZ (2010b) Model scale tunnel fire tests with longitudinal ventilation. Fire Saf J 45(6–8):371–384,

    Article  Google Scholar 

  • Ingason H, Li YZ (2014) Technical trade-offs using fixed fire fighting systems. In: Proceedings from the Seveth International Conference on Tunnel Safety and Ventilation, Graz, Austria. pp 90–97

  • Ingason H, Lönnermark A (2012) Heat Release Rates in Tunnel Fires: A Summary. In: Beard A, Carvel R (eds) In The Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 309–328

    Google Scholar 

  • Ingason H, Bergqvist A, Lönnermark A, Frantzich H, Hasselrot K (2005) Räddningsinsatser i vägtunnlar (In Swedish). Räddningsverket, Karlstad, Sweden

    Google Scholar 

  • Ingason H, Li YZ, Lönnermark A (2015) Tunnel Fire Dynamics. Springer, New York

    Book  Google Scholar 

  • IRCC (2010) Performance-Based Building Regulatory Systems. Inter-Jurisdictional Regulatory Collaboration Committee, Washington

    Google Scholar 

  • ISO (2006) 16733:2006 Fire safety engineering - Selection of design fire scenarios and design fires. International Organization for Standardization, Geneva

    Google Scholar 

  • ISO (2009a) Risk management - Vocabulary, vol 73. International Organization for Standardization, Geneva

    Google Scholar 

  • ISO (2009b) 2009(E) Fire-safety engineering: Technical information on methods for evaluating behaviour and movement of people, vol 6738. International Organization for Standardization, Geneva

    Google Scholar 

  • ISO (2009c) 23932:2009 Fire safety engineering - General principles. International Organization for Standardization, Geneva

    Google Scholar 

  • ISO (2012a) 13571 :2012 (E) Life threatening components of fire -- Guidelines for the estimation of time to compromised tenability in fires. International Organization for Standardization, Geneva

    Google Scholar 

  • ISO (2012b) 16732–1 Fire safety engineering - Fire risk assessment - Part 1: General. International Organization for Standardization, Geneva

    Google Scholar 

  • Johannesson P, Bergman B, Svensson T, Arvidsson M, Lönnqvist Å, Barone S, de Maré J (2013) A Robustness Approach to Reliability. Qual Reliab Eng Int 29:17–32,

    Article  Google Scholar 

  • Johansson H (2001) Decision Making in Fire Risk Management. Lunds Universitet, Lund

    Google Scholar 

  • Johansson P, Chakhunashvili A, Barone S, Bergman B (2006) Variation Mode and Effect Analysis: a Practical Tool for Quality Improvement. Qual Reliab Eng Int 22:865–876,

    Article  Google Scholar 

  • Johnson P (2012) Fire Safety Engineering: A Tool in Tunnel Design. In: Ingason H, Lönnermark A (eds) Proceedings from the Fifth International Symposium on Tunnel Safety and Security (ISTSS 2012), New York, USA. SP Technical Research Institute of Sweden, pp 57–68

  • Kaplan S (1991) The general theory of quantitative risk assessment. In: Haimes YY, Moser DA, Stakhiv EZ (eds) Risk-Based Decision Making in Water Resources V. British Library, Santa Barbara, California, United States, pp 11–39

    Google Scholar 

  • Kaplan S (1997) The Words of Risk Analysis. Risk Anal 17(4):407–417,

    Article  Google Scholar 

  • Kaplan S, Garrick JB (1981) On the quantitative definittion of Risk. Risk Anal 1(1):11–27,

    Article  Google Scholar 

  • Karlsson B, Quintiere JG (1999) Enclosure fire dynamics. CRC Press, London

    Book  Google Scholar 

  • Kazaras K, Kirytopoulos K, Rentizelas A (2012) Introducing the STAMP method in road tunnel safety assessment. Saf Sci 50(9):1806–1817,

    Article  Google Scholar 

  • Kim HK, Lönnermark A, Ingason H (2010) Effective fire fighting operations in road tunnels. Sweden, SP, Borås

    Google Scholar 

  • Kirytopoulos K, Kazaras K (2011) The need for a new approach in road tunnels risk analysis. In: Soares CG (ed) ESREL 2011, Troyes French. CRC Press, pp 2562–2569.

  • Kuligowski ED, Peacock RD, Hoskins BL (2010) A Review of Building Evacuation Models, 2nd edition. NIST, Frie Research Division, Technical Note 1680

  • Latané B, Darley L (1970) The unresponsive bystander: Why doesn’t he help? Meredith Corporation, New York

    Google Scholar 

  • Lauridsen K, Christou M, Amendola A, Markert F, Kozine I (2001a) Assessing the uncertainties in the process of risk analysis of chemical establishements: Part II. In: Zio E, Demichela M, Piccinini N (eds) Towards a Safer World - Proceedings of the ESREL Conference. Turin, Italy, pp 16–20

    Google Scholar 

  • Lauridsen K, Christou M, Amendola A, Markert F, Kozine I, Fiori M (2001b) Assessing the uncertainties in the process of risk analysis of chemical establishements: Part I. In: Zio E, Demichela M, Piccinini N (eds) Towards a Safer World - Proceedings of the ESREL Conference, Turin, Italy. pp 599–606

  • Lauridsen K, Kozine I, Markert F, Amendola A, Christou M, Fiori M (2002) Assessment of Uncertainties in Risk Analysis of Chemical Establishments: Final summary report. The ASSURANCE project, Risoe National Laboratory, Roskilde, Denmark

    Google Scholar 

  • Lille GH, Andersen T (1996) Acceptance of risks related to the transport of dangerous goods through road tunnels. In: OECD-ERS2 working group - Seminar on decision models for the tranportation of dangerous goods through road tunnels, Oslo, Norway.

  • Lönnermark A (2007) Goods on HGVs during Fires in Tunnels. In: 4th International Conference on Traffic and Safety in Road Tunnels, Hamburg, Germany.

  • Lönnermark A, Ingason H (2007) The Effect of Cross-sectional Area and Air Velocity on the Conditions in a Tunnel during a Fire. SP Report 2007:05. SP Technical Research Institute of Sweden, Borås, Sweden

    Google Scholar 

  • Lutz RR (1993) Analyzing software requirements errors in safety-critical, embedded systems. In: Proceedings of IEEE International Symposium on Requirements Engineering. SP Technical Research Institute of Sweden, Pasadena, CA, USA, pp 126–133

    Google Scholar 

  • Malmtorp J, Vedin P (2014) An alternative approach to safety in road tunnels. In: Ingason H, Lönnermark A (eds) Proceedings from the Sixth International Symposium on Tunnel Safety and Security (ISTSS 2014), Marseille, France. SP Technical Research Institute of Sweden, pp 309–316

  • Martens MH, Jenssen GD (2012) Human behaviour in tunnels what further steps to take? In: Ingason H, Lönnermark A (eds) Proceedings from the Fifth International Symposium on Tunnel Safety and Security (ISTSS 2012), New York, USA. SP Technical Research Institute of Sweden, pp 69–86

  • Mawhinney J (2011) Fixed Fire Protection Systems in Tunnels: Issues and Directions. Fire Technol 49(2):477–508,

    Article  Google Scholar 

  • Meacham BJ (2004a) Decision-Making for Fire Risk Problems: a Review of Challenges and Tools. J Fire Protect Eng 14(2):149–168,

    Article  Google Scholar 

  • Meacham BJ (2004b) Understanding risk: Quantification, perceptions, and characterization. J Fire Protect Eng 14(3):199–227,

    Article  Google Scholar 

  • Meacham BJ, Custer RLP (1995) Performance-Based Fire Safety Engineering: An Introduction of Basic Concepts. J Fire Protect Eng 7(2):35–53,

    Article  Google Scholar 

  • Menzies J (2007) Creating a culture of safety: Private fleets share tips on implementing safety programs. Transportation and logistics, Canadian

    Google Scholar 

  • Möller N (2006) Safety and decision-making. Stockholm, Royal Institute of Technology (KTH)

    Google Scholar 

  • Möller N (2009) Should we follow the experts' advice? Epistemic uncertainty, consequence dominance and the knowledge asymmetry of safety. Int J Risk Assess Manag 11(3–4):219–236,

    Google Scholar 

  • Möller N, Hansson SO (2008) Principles of engineering safety: Risk and uncertainty reduction. Reliab Eng Syst Saf 93(6):798–805,

    Article  Google Scholar 

  • Mooney GH (1977) The valuation of human life. Macmillan, London

    Book  Google Scholar 

  • Morgan MG, Henrion M (1990) Uncertainty. Cambridge University Press, New York

    Book  Google Scholar 

  • Nævestad T-O, Meyer S (2014) A survey of vehicle fires in Norwegian road tunnels 2008–2011. Tunnelling and Underground Space Technology 41(0):104–112,

    Article  Google Scholar 

  • Nilsen AR, Log T (2009) Results from three models compared to full-scale tunnel fires tests. Fire Saf J 44(1):33–49,

    Article  Google Scholar 

  • Nilsson D (2009) Exit choice in fire emergencies - Influencing choice of exit with flashing lights. Lund University, Lund

    Google Scholar 

  • Nilsson D, Johansson A (2009) Social influence during the initial phase of a fire evacuation - Analysis of evacuation experiments in a cinema theatre. Fire Saf J 44(1):71–79,

    Article  Google Scholar 

  • Noizet A (2012) Egress behaviour during road tunnel fires. In: Carvel R, Beard A (eds) Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 421–438

    Google Scholar 

  • NRC (1982) Risk and Decision Making: Perspectives and Research. National Research Council, Washington, DC

    Google Scholar 

  • Nývlt O, Prívara S, Ferkl L (2011) Probabilistic risk assessment of highway tunnels. Tunnelling and Underground Space Technology 26(1):71–82,

    Article  Google Scholar 

  • Oggero A, Darbra RM, Muñoz M, Planas E, Casal J (2006) A survey of accidents occurring during the transport of hazardous substances by road and rail. J Hazard Mater 133(1–3):1–7,

    Article  Google Scholar 

  • Oppenheim I, Shinar D (2012) A context-sensitive model of driving behaviour and its implications for in-vehicle safety systems. Cogn Tech Work 14(3):261–281,

    Article  Google Scholar 

  • Otway H (1992) Public Wisdom, Expert Fallability: Toward a Contextual Theory on Risk. In: Ka G (ed) Social Theories of Risk. Praeger, Westport, CT, USA, pp 215–228

    Google Scholar 

  • Paté-Cornell ME (1996) Uncertainties in risk analysis: Six levels of treatment. Reliab Eng Syst Saf 54(2–3):95–111,

    Article  Google Scholar 

  • PIARC (2007) Integrated approach to road tunnel safety (2007R07). World Road Association. La Défense cedex, France

    Google Scholar 

  • PIARC (2008) Risk analysis for road tunnels. World Road Association, La Défense cedex, France

    Google Scholar 

  • Pidgeon N (1997) The Limits to Safety? Culture, Politics, Learning and Man–Made Disasters. J Contingencies and Crisis Management 5(1):1,

    Article  Google Scholar 

  • Proulx G, Sime J (1991) To Prevent 'Panic' In An Underground Emergency: Why Not Tell People The Truth? Fire Saf Sci 3:843–852,

    Article  Google Scholar 

  • Purser D (2009) Hazards from toxicity and heat in fires. Hatford Environmental Research, Hatford

    Google Scholar 

  • Rasmussen J, Svedung I (2000) Proactive risk management in a dynamic society. Räddningsverket (Swedish rescue service agency), Karlstad, Sweden

  • Rattei G, Lentz A, Kohl B (2014) How frequent are fire in tunnels - Analysis from Austrian tunnel incident statistics. In: Proceedings from the Seveth International Conference on Tunnel Safety and Ventilation, Graz, Austria. pp 5–11

  • Reason J (1990) Human Error. Cambridge University Press, Cambridge

    Book  Google Scholar 

  • Reason J (1997) Managing the risks of organizational accidents. Ashgate, Farnham, England

    Google Scholar 

  • Rein G, Torero JL, Jahn W, Stern-Gottfried J, Ryder NL, Desanghere S, Lázaro M, Mowrer F, Coles A, Joyeux D, Alvear D, Capote JA, Jowsey A, Abecassis-Empis C, Reszka P (2009) Round-robin study of a priori modelling predictions of the Dalmarnock Fire Test One. Fire Saf J 44(4):590–602,

    Article  Google Scholar 

  • Renn O (1998) Three decades of risk research: accomplishments and new challenges. J Risk Res 1(1):49–71,

    Article  Google Scholar 

  • Renn O (2008) Risk gouvernance: coping with uncertainty in a complex world. Earthscan, London

    Google Scholar 

  • Rosmuller N, Beroggi GEG (2004) Group decision making in infrastructure safety planning. Saf Sci 42(4):325–349,

    Article  Google Scholar 

  • Ruijter HA (2012) Safety of Dutch tunnels guaranteed by standard approach. In: Ingason H, Lönnermark A (eds) Proceedings from the Fifth International Symposium on Tunnel Safety and Security (ISTSS 2012), New York, USA. SP Technical Research Institute of Sweden, pp 283–288

  • Ruland T, Snel A (2010) Determination and analysis of tunnel safety requirements from a functional point of view. In: Ingason H, Lönnermark A (eds) Proceedings from the Fourth International Symposium on Tunnel Safety and Security (ISTSS), Frankfurt, Germany. SP Technical Research Institute of Sweden, pp 557–560

  • Ruland T, Daverveld T, Duijnhoven Bv, Gelder Jv, Krouwel R, Teeuw J-M (2012) An integrated functional design approach for safety related tunnel processes. In: Ingason H, Lönnermark A (eds) Proceedings from the Fifth International Symposium on Tunnel Safety and Security (ISTSS 2012), New York, USA. SP Technical Research Institute of Sweden, pp 167–176

  • Santos-Reyes J, Beard AN (2003) A systemic approach to safety management on the british railway system. Civ Eng Environ Syst 20(1):1–21,

    Article  Google Scholar 

  • Santos-Reyes J, Beard AN (2006) A systemic analysis of the Paddington railway accident. Proceedings of the Institution of Mechanical Engineers, Part F. J Rail and Rapid Transit 220(2):121–151,

    Article  Google Scholar 

  • Santos-Reyes J, Beard AN (2011). A preliminary analysis of the 1996 Channel Tunnel fire. In: 3rd International Tunnel Safety Forum for Road and Rail, Nice, France.

  • Santos-Reyes J, Beard A (2012) A systemic approach to tunnel fire safety management. In: Carvel R, Beard A (eds) Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 485–508

    Google Scholar 

  • Shields J (2012) Human behaviour during tunnel fires. In: Carvel R, Beard A (eds) Handbook of Tunnel Fire Safety, 2nd edn. ICE Publishing, London, pp 399–420

    Google Scholar 

  • Sime J (1985) Movement toward the Familiar Person and Place Affiliation in a Fire Entrapment Setting. Environ Behav 17(6):697–724,

    Article  Google Scholar 

  • Sime J, Creed C, Kimura M, Powell J (1992) Human behaviour in fires. Joint Committee on Fire Research, London, ISBN 0-86252-621-3

    Google Scholar 

  • Sleich JB, Cajot LG, Pierre M (2002) Competitive steel buildings through natural fire safety concepts. Directorate-General for Research and Innovation Luxembourg, European Commission

    Google Scholar 

  • Slovic P (1987) Perception of Risk. Science 236(4799):280–285,

    Article  Google Scholar 

  • Slovic P (2000) The Perception of Risk. Routledge, London

    Google Scholar 

  • Stamatelatos M, Apostolakis G, Dezfuli H, Guarro S, Moieni P, Mosleh A, Paulos T, Youngblood R (2002a) Probabilistic risk assessment proceedure guide for NASA managers and Practitioners, 11th edn. NASA Office of Safety and Mission Assurance, Washington, DC

    Google Scholar 

  • Stamatelatos M, Vesely W, Dugan J, Fragola J, III JM, Railsback J (2002b) Fault tree handbook with aerospace aplications, 11th edn. NASA Office of Safety and Mission Assurance, Washington, DC

    Google Scholar 

  • Svensson T, Johannesson P (2013) Reliable fatigue design, by rigid rules, by magic, or by enlightened engineering. In: 5th Fatigue Design Conference, Fatigue Design, Senlis, France.

  • Thomas P (1958) The movement of buoyant fluid against a stream and the venting of underground fires. Fire Research Note 351. Fire Research Station, Borehamwood

    Google Scholar 

  • Thomas PH (1968) The Movement of Smoke in Horizontal Passages Against an Air Flow. Fire Research Note 723. Fire Research Station, Borehamwood

    Google Scholar 

  • Thomas P (1986) Design guide: Structure fire safety CIB W14 Workshop report. Fire Saf J 10(2):77–137,

    Article  Google Scholar 

  • Tong D, Canter D (1985) The decision to evacuate: a study of the motivations which contribute to evacuation in the event of fire. Fire Saf J 9(3):257–265,

    Article  Google Scholar 

  • UPI. Fire in Norwegian tunnel hospitalizes 70. 2013. Accessed 15 Jan 2014

  • Vaitkevicius A, Colella F, Carvel R (2014) Rediscovering the Throttling Effect. In: Ingason H, Lönnermark A (eds) Proceedings from the Sixth International Symposium on Tunnel Safety and Security (ISTSS 2014), Marseille, France. SP Technical Research Institute of Sweden, pp 373–378

  • Vareman N, Persson J (2010) Why separate risk assessors and risk managers? Further external values affecting the risk assessor qua risk assessor. J Risk Res 13(5):687–700,

    Article  Google Scholar 

  • Vrijling JK, van Hengel W, Houben RJ (1995) A framework for risk evaluation. J Hazard Mater 43(3):245–261,

    Article  Google Scholar 

  • Vrijling JK, van Hengel W, Houben RJ (1998) Acceptable risk as a basis for design. Reliab Eng Syst Saf 59(1):141–150,

    Article  Google Scholar 

  • Weerheijm J (2014) Berg Bvd Explosion risks and consequences for tunnels. In: Ingason H, Lönnermark A (eds) Proceedings from the Sixth International Symposium on Tunnel Safety and Security (ISTSS 2014), Marseille, France. SP Technical Research Institute of Sweden, pp 46–61

  • Wynne B (1992) Risk and Social Learning: Reification to engagement. In: Ka G (ed) Social Theories of Risk. Praeger, Westport, CT, USA, pp 275–297

    Google Scholar 

Download references


This study was funded as part of SP:s centre of excellence on tunnels and underground facilities (SP Tunnel). The author would like to thank his colleges Haukur Ingason, Anders Lönnermark, Margaret McNamee, Francine Amon and supervisor Håkan Frantzich for valuable comments and support. The author would also like to express his gratitude to the reviewers of this paper, their comments have enhanced this paper’s quality.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Jonatan Gehandler.

Additional information

Competing interests

The author declares that he has no competing intrests.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (, which permits use, duplication, adaptation, distribution, and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Gehandler, J. Road tunnel fire safety and risk: a review. Fire Sci Rev 4, 2 (2015).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: