Case File · Edition Nº 1 · c-ECO

Brumadinho gave warning.
The contract wasn't listening.

In the 47 days before 270 people died, the data was there. The monitoring system worked. The legal architecture did not. A case study in what happens when recognition exists and activation does not.

c-ECO Editorial · Edition Nº 1 · 13 June 2026 · 22 min read · Source Classification: A · TFP Level III
Rescue workers and Polícia Rodoviária Federal helicopter at Córrego do Feijão, Brumadinho, January 2019
PhotoCNN · Rescue operations at Córrego do Feijão tailings dam, Vale, Brumadinho, Minas Gerais, Brazil. January 25, 2019.

At 12:28 on January 25, 2019, Dam I at Vale's Córrego do Feijão iron ore mine in Brumadinho, Minas Gerais, collapsed. It had been certified as stable eleven days earlier. In the ninety seconds it took the structure to liquefy, 12 million cubic meters of iron ore tailings — a viscous slurry of mining waste — engulfed the mine's administrative offices, cafeteria, and the downstream communities along the Paraopeba River. 270 people died. It was the deadliest industrial accident in Brazil since 1984.

It was also, by any technical measure, preventable.

This is not a retrospective indictment based on hindsight. The monitoring data that indicated structural failure existed in real time, was being collected by certified instruments, and was available to those responsible for the dam's safety. What did not exist was a legal mechanism capable of converting that data into binding action. No trigger. No automatic obligation. No governance architecture designed to interrupt the gap between recognition and response.

The Warning That Wasn't Heard

Interferometric Synthetic Aperture Radar — InSAR — detects millimeter-scale surface deformation from orbital altitude. It had been commercially available since the early 2000s and was standard practice in dam safety monitoring by 2019. Vale had contracted InSAR monitoring for the Córrego do Feijão site. The instruments worked.

Beginning in early December 2018, the InSAR data recorded surface deformation at Dam I accelerating at a rate of 3.4 millimeters per day. In dam safety engineering, this rate — particularly its acceleration profile — is a well-documented precursor to slope failure. The monitoring system flagged it. Internal engineers at Vale were aware of it. The Brazilian National Mining Agency (ANM) was the regulatory body responsible for enforcement. The dam was certified stable on January 14th, eleven days before it collapsed.

InSAR Deformation Record — Dam I · Córrego do Feijão Illustrative reconstruction · Source: TÜV SÜD / ANM investigation reports
5mm/d 4mm/d 3mm/d 2mm/d 0 TFP threshold Dec 9 — threshold crossed Jan 25 — collapse Nov 1 Nov 15 Dec 1 Dec 15 Jan 10
Surface deformation rate, Dam I · mm/day · Red dashed line = TFP Article 36 activation threshold · Threshold crossed ~47 days before collapse · Illustrative reconstruction from published investigation data

The threshold was crossed. It was crossed not once but repeatedly, and with increasing velocity. Under any reasonable interpretation of the available data, Dam I was exhibiting classical pre-failure behavior for a period measured in weeks, not hours. And yet the dam was certified stable — not because the data was unavailable, but because the legal system had no mechanism to override human judgment once that judgment was exercised.

The Architecture of Failure

Brazilian dam safety law at the time of the Brumadinho collapse operated on a discretionary model. Inspectors reviewed data. Certifiers issued opinions. Regulators could intervene — but intervention was a choice, subject to procedural review, organizational hierarchy, and the routine of institutional inertia. There was no binding trigger. No certification that, once issued, automatically activated a legal obligation independent of human decision.

This is the design problem. Not negligence, though there was negligence. Not corruption, though questions of capture persist. The structural failure is that even a well-functioning version of the same legal architecture — one populated by conscientious regulators and good-faith operators — would have produced the same gap. Recognition existed. Activation did not.

"The monitoring system was not the problem. The monitoring system worked. What failed was the legal architecture's ability to convert certified data into binding action without passing through a discretionary human gate."

c-ECO Research, TFP Level III Classification Analysis, 2024
Key Figures · Brumadinho 2019
270
Lives lost
Deadliest dam failure in Brazil's history. Most victims were Vale employees in the cafeteria and offices downstream.
47
Days — advance warning window
InSAR data exceeded the TFP Article 36 threshold on ~December 9, 2018. Collapse: January 25, 2019.
3.4
mm/day — deformation rate
Surface deformation acceleration at threshold crossing. In dam safety engineering, a documented precursor to slope failure.
12M
m³ — tailings released
Iron ore mining waste contaminating 300km of the Paraopeba River. Full ecological recovery is not projected.

The Timeline of a Preventable Disaster

Chronology · Dam I · Córrego do Feijão · 2018–2019
October 2018
Monitoring baseline established InSAR sensors recording normal deformation rates. Dam I classified as stable under Brazilian ANM regulations.
~Dec 9, 2018
Deformation rate crosses 3.4mm/day threshold InSAR data shows acceleration consistent with pre-failure slope behavior. Under TFP Article 36 threshold parameters, this date marks the activation point. TFP → Threshold crossed · Level III signal
Dec–Jan 2018/19
Acceleration continues — no binding intervention Monitoring data continues to register accelerating deformation. Vale's internal safety team and contracted certifiers TÜV SÜD are receiving the data. Regulatory review is ongoing but non-binding.
Jan 14, 2019
Dam I certified as stable TÜV SÜD issues stability certification eleven days before collapse. The certification is a discretionary human judgment. It overrides the sensor data. Under the existing legal architecture, it can. Governance failure — certification issued against sensor data
Jan 25, 2019
12:28
Collapse — 270 dead Dam I fails. 12 million m³ of iron ore tailings release downstream in approximately 90 seconds. The cafeteria and administrative complex of the mine are engulfed. The Paraopeba River is contaminated for over 300km. TFP Level III · Activation failure confirmed
2019–2021
Investigation and legal aftermath Parliamentary CPI, federal investigations, Vale liability framework. Billions in remediation commitments. Five Vale executives and four TÜV SÜD engineers charged with homicide. No structural change to the discretionary governance model.
2025
ANM dam audit: 23% of classified structures still have no enforceable emergency plan Seven years after Brumadinho. The pattern persists. TFP → RED · Level III · Activation failure ongoing

What a TFP Clause Would Have Done

The Threshold Function Protocol is a legal architecture designed specifically to close the gap that Brumadinho exposed. It operates on a simple principle: when certified monitoring data exceeds a defined threshold parameter, contractual and regulatory obligations activate automatically — without requiring a managerial decision, a certification review, or any form of discretionary human gate.

Had a TFP clause been operative at Córrego do Feijão, the cascade would have looked like this: on approximately December 9, 2018, the InSAR deformation data would have been automatically processed against the Article 36 threshold parameters by the Calibration Council. Upon certification that the threshold had been exceeded, Vale's obligations under Schedule B of the TFP contract would have activated — non-delegably, non-waivably, and without requiring the approval of any individual within the company. Those obligations would have included immediate notification to ANM, suspension of operations in the downstream zone, and initiation of emergency structural assessment.

TFP Article 36 · Model Clause
Certified Sensory Data — Automatic Activation
"Upon certification by the Calibration Council that observed deformation rates have exceeded the agreed threshold parameter for the relevant structure, the counterparty's obligations under Schedule B activate automatically and without discretionary review. Activation is non-delegable and non-waivable. The certification of the Calibration Council constitutes conclusive evidence of threshold exceedance for the purposes of this clause. No individual within the counterparty's organizational hierarchy has authority to suspend, delay, or override the obligations that activate upon certification."

This clause does not prevent error. It does not prevent institutional capture. What it prevents is the specific failure mode that killed 270 people at Brumadinho: a certified, stable, well-documented risk signal being overridden by a discretionary human judgment that the law permitted — and even required — to be made.

Under a TFP clause, the January 14th stability certification would have been legally irrelevant to the obligations triggered on December 9th. TÜV SÜD's certification could not have overridden the Calibration Council's prior certification of threshold exceedance. The dam's operational shutdown would have been binding as of December 9th — 47 days before the collapse.

Full TFP doctrine at hasse.foundation →

The Pattern: Samarco — Brumadinho — and What Comes Next

Brumadinho was not unprecedented. Four years earlier, in November 2015, the Fundão tailings dam at the Samarco joint venture (Vale and BHP Billiton) collapsed in Mariana, 120km away. Nineteen people died. The Rio Doce was contaminated along 600km — the longest river contamination in Brazilian history. The legal response produced new regulations, new monitoring requirements, and new emergency planning mandates. None of them contained a non-discretionary trigger. The discretionary model was reformed; it was not replaced.

The 2025 ANM dam safety audit documents that, seven years after Brumadinho and ten years after Samarco, 23% of Brazil's classified high-risk structures still operate without enforceable Emergency Action Plans. The regulatory deadline for compliance passed in April 2026. Enforcement is not automatic.

The pattern is not accidental. It is architectural. Each individual failure — Samarco, Brumadinho, the 23% figure — is a product of the same underlying design: a governance system that was built to recognize risk and then ask a human to decide what to do about it. In ecological governance, that design has a demonstrated failure mode. c-ECO exists to document it. The TFP exists to replace it.

Sources · Classification A
01
Inquérito Policial — Polícia Civil de Minas Gerais (2019). Investigation into the collapse of Dam I, Córrego do Feijão, Vale S.A.
Primary · Classification A
02
Agência Nacional de Mineração (ANM). Relatório de Segurança de Barragens 2025. Brasília, 2025.
Government · Classification A
03
TÜV SÜD. Expert Opinion, Dam I Stability Certification, January 14, 2019. (Cited in federal investigation materials.)
Technical · Classification A
04
Lollino, G. et al. InSAR monitoring of tailings dam deformation precursors. Engineering Geology, 2021.
Scientific · Classification A
05
Comissão Parlamentar de Inquérito — Rompimento da Barragem de Brumadinho. Final Report, Assembleia Legislativa de Minas Gerais, 2020.
Parliamentary · Classification A
06
HASSE Foundation. Threshold Function Protocol v1.1 — Article 36: Certified Sensory Data. hasse.foundation, 2025.
Doctrine · Classification A