[SystemSafety] "Serious risks" in EC 765/2008

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Mon Apr 8 16:09:08 CEST 2013 

Asking EC 765/2008 to define "risk" is inappropriate. It is a proto-law, and the word is supposed to 
be used here in its everyday meaning, whatever that is. Let's go with that.

On 4/8/13 2:24 PM, peter.sheppard at uk.transport.bombardier.com wrote
> There is probably as much chance of finding a definition of "serious risk" in the IEC standards as
> there is in defining what a "significant change" is in the European Railway Authority, Common Safety
> Method!

It seems to me that a serious risk is a risk for which the combination of severity with probability 
is relatively high in comparison with other risks that are not regarded as "serious". An easy case 
is if the risk is higher than for some example already deemed to have been a "serious risk". There 
is of course a definition of "risk" in IEC 61508 for example, but oddly enough it doesn't turn up in 
the Electropedia, the on-line version of IEC 60050. The IEC should really get it in there!


> *<Thierry.Coq at dnv.com>*	
> .........
> In EC 765/2008, what is considered a "serious risk"? Is there a reference?

First: see above. Second: no.

> How are the "serious risk" mitigations assessed, especially when "The feasibility of obtaining
> higher levels of safety or the availability of other products presenting a lesser degree of risk
> shall not constitute grounds for considering that a product presents a serious risk."?

It is a law, not an algorithm.

> This standard also mandates that the product should be recalled when the serious risk has
> materialized... and there is wording here to update the risk assessment with field reports.
> So is a "serious risk" in this standard in fact a materialized danger...?

Not necessarily. If someone identifies lead-based paint on a children's toy then it will be 
withdrawn because of precedent before any kid chews on it - the analysis already exists and there is 
prior case.

But if there is something for which there does not exist an obvious prior, then maybe one has to 
wait until something untoward happens. If someone or some people get hurt or killed because a 
product functioned in such a way as to cause it, the lawyers step in. Lawyer for the prosecution 
says that this was normal use or reasonably foreseeable misuse and the manufacturer's hazard 
analysis was clearly insufficient. Lawyer for the defence says that it was an anomaly essentially 
related to the unforeseeable deleterious behaviour of the operator or victims or weather or someone 
or other. One of those guys wins, or the judges decide it was a bit of both. So either the product 
will be recalled, or the manufacturer will stick a sign on the product to stop similar things coming 
to court again ("Warning: this refrigerator is not an edible substance either in whole or in part. 
Damage to teeth, mouth and gums may result from an attempt to eat it"). You can't say in advance of 
such proceedings how they will turn out, so you can't specify what a "serious risk" is in advance of 
having tested it in court. But once a court has so decided, then the product is off the market 
because the law says it must be. And if someone doesn't already have a ready-made risk analysis, 
then the court will do one/have one done, because it has to, in order to determine "serious 
risk"-hood, because Article 20 says that is how you decide.

The stuff about what does not constitute a serious risk seems to be a way of saying that ALARP as a 
principle does not necessarily apply here.

To Doug: there are a whole lot of conventions and precedents saying how risk must be evaluated in 
engineered systems, and medical technology, and aerospace, and so on. The "trade offs" you speak of 
are largely specified. IEC 61508 has one set of procedures; civil aerospace certification another, 
medical technology a third; nuclear power a fourth; now there are the automobile people with one. 
And so on. You can argue about whether any set is efficacious, and we do. But they are often, even 
mostly, there.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de

More information about the systemsafety mailing list