What is the acceptable level of risk when human lives are at stake?

The tragic death of five people on board OceanGate’s experimental submersible Titan, 1 hour and 45 minutes into its expedition to view the wreck of the Titanic, has brought into focus safety, our appetite for risk, and the companies and people who make it possible for us to expose ourselves to these risks for pleasure.

For me, as a functional safety professional, risk is an interesting subject based on societal moral concepts and mathematical probabilities, two subject areas that do not naturally sit comfortably together, the former being related to sociology and psychology and the latter being predominantly mathematical.

It is generally accepted that there is a balance between risk and reward, and there is almost always a cost associated with reducing the risk to an acceptable level. These levels of acceptability are based on the norms of the societies in which we exist and are usually formalised in legislation and regulations.

OceanGate’s CEO outlined his opinion of the risk and reward balance stating “You know, at some point, safety is just pure waste. I mean, if you just want to be safe, don’t get out of bed, don’t get in your car, don’t do anything. At some point, you’re going to take some risk, and it really is a risk-reward question.”

When considering functional safety the question is: has the risk been reduced to a reasonable level such that the reward is proportionate? Usually it is impossible to eliminate all risks, but a common approach across all industries is to do everything reasonably practicable to protect people from harm. This means balancing the level of risk against the measures needed to control the real risk in terms of money, time and effort.

In the automotive domain there are regulations for the type approval of vehicles that mandate functional safety compliance in order to manage the risk. These regulations relate to the vehicle and do not always stipulate a method to evidence compliance.

For automotive electronic and electrical systems the management of risk has been defined in the standard ISO 26262; for highly automated driving or autonomous vehicles there is a complementary standard, ISO 21448. These standards are defined as guidelines, and as such there is no legal requirement to comply with them when deploying a product. That said, following these standards can be used as evidence of a functionally safe product.

As a company producing a product, Eatron is bound by product liability law, which stipulates a duty of care and due diligence in the production of a product. Additionally, as professionals we are all bound by the articles of our professional bodies, which stipulate our duty to safeguard the public interest in matters of health, safety and the environment. Therefore both Eatron and its employees are responsible for preventing injuries our products could cause.

Standards and guidelines are usually created to help companies and individuals provide evidence of their due diligence and usually define best practice. These are agreed by industrial peers as being “state-of-the-art”. Following these standards does not absolve companies and individuals of their liabilities but does provide a documented argument that due diligence has been performed.

For experimental submersibles the standards landscape is more opaque. In maritime law a vessel’s country of registry, or flag state, determines the laws governing how the vessel operates. If the vessel enters a country’s territorial waters it must also meet the regulations of that country. Compliance with these standards and regulations is usually evidenced through certification. Submersibles can be certified (and classed) by marine organisations such as Lloyd’s Register, the American Bureau of Shipping or DNV, an accreditation organisation. This type of certification would prove that certain standards relating to stability, strength, safety and performance have been met. But certification is not mandatory, especially if the submersible is transported on a vessel and subsequently operated in international waters outside the jurisdiction of any country.

OceanGate stated that annual independent classification and certification of the submersible would not ensure that safe dive operation procedures would be followed, and that their rapid innovation cycle would be stifled if they had to educate the authorising body on every innovation. The Marine Technology Society, an ocean technology and industry group, voiced its concern that by not complying with the industry’s accepted standards the submersible’s occupants were at substantial risk.

Interestingly, autonomous vehicle manufacturers have a similar issue. The innovation cycle is rapid and current standards do not always cover the specifics of these innovations. The autonomous vehicle manufacturers have also employed the brightest individuals available to develop their autonomous systems, leaving the assessment and audit industry lacking in skills and understanding. Even with simpler systems it is impossible for an assessor to investigate and audit every facet of the product and its development. The solution is to produce a compelling safety case outlining the product, its development, and the reasoning as to why it is free from unreasonable residual risk. MISRA has produced “Guidelines for Automotive Safety Arguments” to provide clarity on how to develop safety arguments in line with existing standards. Auditors can then investigate this disclosed reasoning through the documented argument and evidence.

Eatron is producing innovative products to improve battery performance and lifetime whilst maintaining safety, with advanced artificial intelligence features and cloud computing. ISO 26262 is not completely aligned with the development and deployment of these types of applications or the methods used to assure their safe use. ISO 26262 focuses on vehicle-level effects of failures and the controllability of the subsequent risk by a driver. Batteries are not actuators controllable by the driver, but their failure modes do affect vehicle controllability. New standards are being developed to rectify this misalignment, such as ISO TR 9968 relating to rechargeable energy storage systems and ISO/AWI PAS 8800 relating to safety and artificial intelligence. Eatron continues to innovate using these standards and industry best practices to produce world-class products that are robust, reliable and safe, with safety case arguments outlining our rationale.

Gareth Price, Director of Assurance & Safety, Eatron Technologies

At Eatron we develop intelligent Battery Management Software solutions that can be deployed on both the edge and the cloud. If you are interested in learning more about these click on ‘Talk to an Expert’ and fill in the contact form or email info@eatron.com directly.