[trustable-software] [SystemSafety] Personal and corporate liabilities as a consequence of safety, security and other mistakes of similar importance

Martyn Thomas martyn at thomas-associates.co.uk
Thu Oct 4 13:30:47 BST 2018


Paul

This is a complex question because there are both civil and criminal
liabilities (and possibly contractual and professional ones to an
employer, client or professional society). Liability can be dependent on
the relevant legal jurisdiction and it may not be obvious which
jurisdiction(s) are relevant. I'm not a lawyer and what follows are
personal opinions about some aspects of the situation in the UK (with no
guarantees or liability! DYOR).

Staff working on safety-related activities have duties under the 1974
Health and Safety at Work Act
<https://www.legislation.gov.uk/ukpga/1974/37/contents>. Breach of these
duties is a criminal offence (and might also be used as evidence in a
civil lawsuit). The relevant sections of HSWA depend on the individual's
role, for example employers are likely to be the primary duty holder and
employees' duties may be interpreted in the context of how the employer
has discharged the employer's duties. Section 3 of the Act is worth
particular attention, as it describes duties to the general public, and
so are Sections 6 and 7.

The critical phrase "reducing risks so far as is reasonably practicable
(SFAIRP)" has been interpreted by the courts to mean that an evaluation
must have been carried out to evaluate the costs and benefits of
reducing the risks further; to show that the risks have been reduced
SFAIRP, it is necessary to demonstrate that the additional costs would
be grossly disproportionate to the resulting benefits. The burden of
proof rests with the defendant (Section 40).

How might this apply to FOSS? In my opinion, if the FOSS may be used in
a safety-related application then the same duties apply. So if an
individual is unwilling to accept accountability for the consequences of
their work on FOSS, it may be necessary to do what is necessary to
reduce the risks that the FOSS is actually used in a safety-related
application SFAIRP. Explicitly prohibiting such use in the FOSS licence
conditions might be considered to be enough to transfer the duties under
HSWA to the person or organisation that chose to ignore the licence
conditions when deciding to incorporate the FOSS in a safety-related
application.

The liability carried by individual developers is probably extremely
low. I am not aware of any circumstances where individual engineers who
developed a component of a safety-related system have been prosecuted
under HSWA for defects that they introduced into the component through
negligence. But in my opinion a professional software engineer should
always reduce the risks SFAIRP that their software might fail unsafely.

None of this constitutes advice or any statement of the policies of any
regulator - it's just a personal opinion.

Martyn


On 04/10/2018 12:23, Paul Sherwood wrote:
> Hi all,
> in recent discussions the topic of 'who goes to jail' has arisen in
> the context of fallout from software design/development/deployment
> mistakes.
>
> I'm hoping that I'm misunderstanding the situation, because the
> picture that is emerging for me seems to lead to a disconnect between
>
> - the need for evidence of what was done and
> - the need for people to be able to work in a safe environment,
> without fear
>
> It may be FUD, but I believe I heard recently that "any engineer
> contributing to an automotive project may ultimately be considered
> personally liable for impacts of their work". Impacts in automotive
> could include recalls and road accidents, obviously. If that's true,
> why would any sane engineer ever agree to contribute to an automotive
> project?
>
> And then there's the FOSS/public work consideration. I recently asked
> a colleague to contribute to a public project, and during spinup this
> question of liability arose, expressly phrased as
>
> "If I contribute, is there any possibility that I or Codethink might
> ultimately be liable for (say) harm resulting from road accidents?"
>
> In the ensuing discussion it was pointed out that:
>
> - if the contribution is to a project applying any of the common FOSS
> licences (Apache, MIT, ISC, GPL etc) then there is expressly NO WARRANTY
> - any subsequent application/distribution of that software by another
> party which attempts to enforce a warranty claim on the authors has
> expressly breached the licence, and has effectively stolen and misused
> the software
>
> While this reasoning is attractive, I'm not convinced it's enough to
> convince me that there's no potential liability for individuals.
>
> Are any readers able to guide me on existing literature/reasoning for
> this?
>
> br
> Paul
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>
