The Complexity of Defending Computers and Software

Product liability is one of the most important U.S. legal developments in the last 100 years for consumers, product users, manufacturers and others who produce and sell products, government regulators, insurance companies who insure the defendants in these claims and lawsuits, and, of course, lawyers for the plaintiffs and defendants. This liability has bankrupted manufacturers and insurance companies and caused manufacturers to stop making and selling certain products. It has also created an entire industry consisting of parties who seek compensation for injuries and loss and those who seek to make money prosecuting or defending the parties in these claims and lawsuits. (And, of course, those who actually seek to make products safer!)

As products do more things, it becomes an incredibly complex task to figure out how to make a safe product, identify the risks and determine how a manufacturer or someone else in the supply chain can reduce the risk.

The types of products that have been at the forefront of technological developments have been in the news recently: autonomous cars, 3D printing, artificial intelligence and the Internet of Things. But I would argue that there have been many other complex products over the years that consumers rely on to work safely and correctly. Therefore, all the product liability legal theories that have developed over the years are mostly applicable to these new products, and the methods to minimize risk are well known and well developed.

This article will first discuss the legal basis for product liability, and then relate it to these new technologies and see what attempts are being made to identify and reduce future risk.

Negligence and Strict Liability

Product liability is the liability of someone in the chain of production or chain of distribution for personal injury, property damage or economic loss arising out of the purchase and use of a product. Negligence is the original theory of liability and continues to be one of the main theories used in product liability cases.

Negligence, which has been in existence for hundreds of years, is judged on three variables: 1) the probability that injury would result from the manufacturer’s conduct; 2) the gravity of the harm that could be expected to result should injury occur; and 3) the burden of taking adequate precautions to avoid or minimize the injury.

In other words, if the probability of harm and the gravity of the harm are greater than the burden of taking precautions to reduce the risk, then the manufacturer could be deemed negligent if they do not minimize the risk. Another way to state it is that the manufacturer failed to exercise reasonable care in manufacturing its product and that this failure was the proximate cause of the injury.

In the 1960s, the new concept of strict liability was adopted for all products. Strict liability eliminates the third requirement of proof for negligence. No longer did the plaintiff have to prove negligence and who was responsible for it. All they had to prove was that there was a defect, that the defect was in existence at the time the product left the manufacturer’s or seller’s control, and the defect caused injury.

Under strict liability, the injured party did not have to prove fault or negligence and the manufacturer was liable even if their quality control and manufacturing procedures were reasonable and not negligent. In other words, even if they did not do a bad job of manufacturing the product, the product turned out to be defective and dangerous and it injured a consumer.

Defects

Product liability focuses on defects in products that exist at the time of sale. Over the years, there have been three clearly defined kinds of defects.

Manufacturing Defects

A manufacturing defect exists if the product “departs from its intended design even though all possible care was exercised in the preparation and marketing of the product.” In other words, even if the manufacturer’s quality control was the best in the world, the fact that the product as manufactured departed from its intended design meant that it had a manufacturing defect. The plaintiff need not prove that the manufacturer was negligent, just that the product was defective. The focus is on the product, not on the conduct of the manufacturer.

Common examples of manufacturing defects are products that are physically flawed, damaged or incorrectly assembled, or that do not comply with the manufacturer’s design specifications. The product turned out differently from that intended by the manufacturer. If that difference caused injury, the manufacturer will be liable. There are very few defenses.

Design Defects

With manufacturing flaws, usually there are only a handful of products that have the problem. And it is usually proven that someone made a mistake or was negligent. With design defects, it is different. The manufacturer intended for the product to be designed and manufactured in a certain way. And the product was manufactured in the way in which it was designed. The problem was that there was something deficient with the design. And the deficiency affected all the products.

A product is deemed to be defective in design if a foreseeable risk of harm posed by the product “could have been reduced or avoided by the adoption of a reasonable alternative design,” and the failure to use this alternative design makes the product not reasonably safe. With this definition, the jury could conclude that the product could have been and should have been made safer.

This test is much more subjective than the test for manufacturing defects, and this subjectivity is the cause of most of the problems in product liability today. Manufacturers cannot easily determine how safe is safe enough, and cannot predict how a jury will judge their products based on these tests. It is up to the jury to decide whether the manufacturer was reasonable or should have made a safer product.

Warnings and Instructions

The third main kind of defect involves inadequacies in warnings and instructions. The definition is similar to that of design defect and says that there is a defect if foreseeable risks of harm posed by the product “could have been reduced or avoided by …reasonable instructions or warnings,” and this omission makes the product not reasonably safe.

Again, this is an extremely subjective test that uses negligence principles, even if strict liability is also alleged, as a basis for the jury to decide. As with design, it is difficult for a manufacturer to know how far to go to warn and instruct about safety hazards that remain in the product.

Liability of Supply Chain

The law of product liability applies to every entity in the chain of production and distribution. This starts with the raw material and component part suppliers and can go all the way to the retailer, installer, programmer or anyone else involved in the manufacture, sale, use and maintenance of the finished product and all its component parts.

While everyone who supplied raw materials and component parts to a final product may be liable in product liability, as a rule, such sellers are not liable when the component or raw material is not defective. To do so would put an undue burden on such suppliers to scrutinize another’s products that they had no part in designing or manufacturing.

In the normal situation, a final product manufacturer (OEM) buys raw material and component parts from manufacturers and sellers without disclosing what they are to be used for. The OEM may supply specifications to such sellers, but usually the seller does not know how their products will be used. And they generally have no duty to ask.

However, there is an exception to this rule of no liability, which occurs when the supplier participates in the selection of and integration of the component into the design of the product and this causes the product to be defective and to cause harm. Thus, the supplier really becomes part of the OEM’s design team and is rightfully subject to liability for giving bad advice that results in a defect and injury.

The other exception to the rule of no liability is when the component is defective and that defect causes harm. The defect can be any of the three main defects – manufacturing, design, and warnings and instructions. These kinds of cases can get very complex since the OEM and parts supplier will fight over who knew what and who was at fault.

Contracts

The problems that can arise involve injury, damage or economic loss to product users, and liability can be imposed on anyone in the supply chain. While product liability theories of liability will be alleged, breach of contract and breach of warranty claims can also be brought.

Each transfer of raw material, components or products will be governed by a contract, implied or expressed. Therefore, contracts can have a significant impact on the liability of all entities in the chain of production and distribution.

Every entity that buys a device, component, raw material or service is a purchaser and needs to consider what risks it is willing to assume and what obligations it wants to try to impose on the seller. However, every buyer is also a seller and, when they are a seller, they have different interests. As a result, the buyer and seller in a particular purchase are adverse to each other and there may not be a meeting of the minds as to the duties and obligations involving this purchase/sale.

It is hard enough for courts to interpret clear contracts that have been agreed to by both sides. However, when there is no clear agreement between the parties, it is difficult to know whose contract governs the purchase. In that situation, the courts have a much more difficult time.

Therefore, the surest way to understand the deal is to have a clear contract that has been signed by both parties. Unfortunately, this is not realistic for many companies. Either one side issues a purchase order and the seller simply agrees to it, or the seller sends their terms and conditions and the buyer agrees to it by paying the invoice.

Software

Given the above legal summary, the first interesting question concerning technology is whether software is a product and subject to the product liability laws discussed above. Most courts have held that software is not a product and therefore not subject to strict liability. However, software is subject to negligence, and the difficulty is proving that negligence. Therefore, it is much harder for someone to impose liability on a software manufacturer.

It is impossible to learn about all problems with software during the development and testing phase. Therefore, all software has some type of defect in it when initially released. And since software is incorporated into other products, it sometimes is difficult to determine whether the problem is software- or hardware-related, which manufacturer may have created the defect, and what kind of defect exists in the software. And, if it was a software issue, maybe the hardware manufacturer that incorporated the software should have identified the problem and had it fixed before selling the product.

While software sold within the supply chain is governed by the applicable terms and conditions, software sold directly to consumers usually include license agreements that make it almost impossible for the software manufacturer to be liable for a software problem resulting in injury, damage or loss.

There have been cases where deficient software has contributed to injuries or deaths and these manufacturers have been held liable. Between 1985 and 1987, six patients were seriously injured or killed as a result of receiving excessive radiation doses attributable to the Therac-25 medical electron accelerator and its defective software. The problem was that the software controlling the machine contained defects which proved to be fatal. And, the design of the machine relied solely on the controlling computer for safety. There were no hardware interlocks or supervisory circuits to ensure that software defects wouldn’t result in catastrophic failures.

Another example involved software for cars. In 2013, there was a jury verdict against Toyota in the unintended acceleration cases. After reviewing Toyota’s software engineering process and the source code for the 2005 Toyota Camry, experts retained by the plaintiffs testified that the system was defective and dangerous and was riddled with defects and gaps in its failsafes that led to the root cause of the crash.

And, of course, the most recent example is the software for the Boeing 737 MAX. Investigators in the Lion Air crash suspect it may have been caused by an angle of attack (AOA) sensor on the outside of the plane which transmitted incorrect data that could have triggered automated flight software that forced the plane’s nose down.

Therefore, there is a history of culpability, usually against the hardware or equipment manufacturer, where software malfunctions and causes the hardware or equipment to injure or kill someone. Even if software is not subject to strict liability, the finished product that uses the software is, thus making it easier to hold such entities liable.

And software is also subject to problems that arise after the product is in use. This risk could result from a loss or degradation of a product’s safety features through a malfunction or a change in performance due to software updates, a loss of connectivity and a corresponding loss of function, the corruption of data used to support a safety feature, potential physical harms from wearable devices, or the risks of a device being orphaned, abandoned or “bricked” by the manufacturer.

Products that Use Software

Given the complexity of software, whether it is installed in the product or accessed over the Internet, any product that could be unsafe or create a problem due to software malfunctions must be subjected to extra precautions to analyze the risk and the ways to minimize it. A study by the IEEE concluded that peer reviews of software would catch 60 percent of all coding defects. Unfortunately, few, if any, companies subject their programming to such review.

The Internet of Things (IoT)

The hot new category of products that uses software and the Internet is referred to as the Internet of Things (IoT). This is the network of physical devices, vehicles, appliances and other items embedded with electronics, software, sensors, actuators and connectivity that enables them to connect and exchange data. There are four broad categories of consumer goods and services that rely on IoT technologies. They are wearables, smart home devices and applications, toys and childcare equipment, and connected automobiles.

The IoT involves potential legal issues that could result in injury, death, damage or economic loss, due to hardware defects, software defects, failure of artificial intelligence (AI) algorithms, connectivity issues, false information or malicious access/hacking.

While the same kinds of products and parties are involved as with software, these products create more difficult issues since they rely on Internet connectivity, greater connections between multiple products, and are subject to hacking. As with software, there will be difficulties in assessing liability among the various parties involved in the development, manufacture and use of such products. Risk assessments that should be performed by any manufacturer of such products must be broadened to also consider the additional risks that may arise from these issues.

The U.S. Consumer Product Safety Commission (CPSC) is working on a template for a risk assessment for IoT products. In addition, the Organization for Economic Co-operation and Development (OECD) issued a paper in March 2018 entitled “Consumer Product Safety in the Internet of Things” that explores the benefits and risks of the IoT and policy considerations for countries to consider that will result in safe products. The University of Chicago has also developed a very useful IoT Risk Manager Checklist for products sold in the U.S.

Another group, the Agelight Advisory Group, has worked with stakeholders in the public and private sectors to create the IoT Safety and Trust Design Architecture and Risk Toolkit (ISTA). Developed on the foundation of seven guiding tenets, the ISTA harmonizes dozens of industry and governmental efforts focusing on forty-five principles, which provide prescriptive guidance to increase the trustworthiness of connected devices.

3D Printers

3D printers have been around for a fairly long time and manufacturers of such printers were very concerned about additional liability being assessed against them for defects resulting from some problem with the printer or its software or program.

These problems do not appear to have created significant issues, probably because not many people are printing safety critical parts with these printers. But the other reason is that there are a variety of other entities to blame. The printer just prints what the software tells it to print. The programmer for the software could have created the problem. Other potentially culpable parties include the software installer, the printer installer, the company that designed the part and inputted that into the software, the person that ran the printer and the OEM that installed the component part.

Proving who was at fault would be very difficult given the mass of evidence and multiple complex interactions between various parties. And if the employer created the problem because of incorrect installation, programming, training or operation by employees, then it is even more complex since, in most situations, the employer cannot be sued in product liability.

Autonomous Vehicles

We have all read about autonomous vehicles and wondered who would be responsible for an accident in which the software malfunctioned. Again, the law discussed above would apply, but involves another scenario that is difficult to prove. The Toyota unintended acceleration cases illustrate the difficulty that courts and juries have had in determining liability between the hardware (i.e., the car), the components (i.e., the brakes and accelerator), and the software that controls many of these parts.

Artificial Intelligence

The Oxford Living Dictionary defines artificial intelligence as follows:

“The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.”

As with software in general and in all its uses, the more people rely on computers and software to do things, perform tasks and help make decisions, the more problems can arise if something goes wrong. And the complexity of the products and the number of people involved make it imperative that each entity in the supply chain of such products develops best practices in risk assessment and analysis, and be able to predict problems with its products and with other products that will work in conjunction with their products.

Much work must be done in this area to be sure that it is appropriate for a computer system to control certain activities. Sometimes, manufacturers will decide that the function to be controlled is too critical to rely on, and therefore is not something that should be controlled by such a system.

And then decisions must be made as to what extra precautions need to be undertaken to feel comfortable that the risk that remains is acceptable to the manufacturer and others in the supply chain, as well as product users. Consumer groups, the government, industry, academia and lawyers will be considering how best to do these things.

Whatever happens, it is clear that basic product liability law will apply, and someone will be responsible for injury, damage or loss arising from a defect in the product or any of its components.

Conclusion

Product liability law has been in existence for hundreds of years. But in the last 55 years, it has grown and flourished. Technological advances have been occurring for almost the entire time and have evolved to accommodate new and more complex products and uses. As a general matter, technology develops much faster than the law. And therefore, manufacturers and others who are involved in such developments must guess about where the law is going and where it will wind up.

It is almost certain that the law will evolve in a way that will result in injured parties continuing to have the ability to find someone to sue and to compensate them for their injuries. There certainly is a bias in favor of providing a remedy, even if it is difficult to determine who the responsible party will be. However, the law and other entities are also interested in not stifling innovation, especially for useful technology that can make everyone’s life better. Balancing these competing interests will be challenging and interesting to follow.