PHIL/ENGR 482 Ethics and Engineering
Risk, Safety and Liability

Required reading:
• Harris, Pritchard and Rabins, Engineering Ethics: Concepts and Cases, 2nd ed., Chapter 7, “Risk, Safety and Liability in Engineering”

An engineering responsibility
• Codes of ethics require the engineer to prevent exposure of the public to unacceptable risks.

NSPE Code
• “Hold paramount the safety, health and welfare of the public”; design to “accepted engineering standards”
• Do not “complete, sign, or seal plans and/or specifications that are not of a design safe to the public health and welfare in conformity with accepted engineering standards”
• In “circumstances where the safety, health, property or welfare of the public are endangered” engineers must “notify their employer or client and such other authority as may be appropriate”

Understanding and managing risks
• What is risk?
• How do we operate engineering systems to reduce risks?
• How do we design engineering systems to reduce risks?
• What are acceptable risks?

What is risk?
• One definition of “risk” is:
  • “Exposure to the chance of injury or loss; a hazardous or dangerous chance” *
• This definition involves both
  • the probability of an event occurring
  • the consequences of the event
* Webster’s Dictionary

An engineering definition of risk:
  Risk = (probability of event) × (consequences)

Risk is inherent in engineering
• All engineering involves risk.
• Innovation in design generally increases risk. More generally, any change (from proven practice) will often increase risk.
• Examples:
  • Tacoma Narrows Bridge -- 1940 collapse
  • Three Mile Island Power Plant -- 1979 radiation release
  • Concorde airliner -- 2000 crash in Paris

Probability of failure
• A nuclear reactor will “melt down” if the control rods fail and the cooling pump fails. What is the probability of this occurring?
[Figure: Event tree analysis of failure probability]

Engineering risk assessment
  Risk = (probability of failure) × (consequences)
• Bridge foundation depths are often governed by the depth of scour, which is related to the size of the flood. A 100-year flood (a flood which has a 1% chance of occurring in any given year) is a common design flood level.
• Consider a bridge footing designed to have a 2×10^-3 annual probability of being undercut by scour.

Engineering risk assessment...
• Consider a bridge that has a 2×10^-3 annual probability of collapse due to scour.
• If collapse occurs during a rush hour (1/24 probability), 10 lives will likely be lost. If collapse occurs during non-rush hours (23/24 probability), 1 life will likely be lost.

One way to measure this risk is…
• (2×10^-3)(1/24)(10) = 833×10^-6 (risk of death)
• (2×10^-3)(23/24)(1) = 1917×10^-6 (risk of death)
• Total risk is 833×10^-6 + 1917×10^-6 = 2750×10^-6 (risk of death)

Problems with event-tree analysis:
• assigned probabilities are sometimes conjectural
• cannot anticipate all failure modes:
  • pipe rupture,
  • pipe corrosion,
  • terrorist attack,
  • human error,
  • etc...

Safety: Operation of engineering systems to reduce risk
• Many “engineering” failures involve, at least in part, an operations failure… consider the reactor failure at Three Mile Island:
  • The main feedwater pumps failed; a pressure relief valve automatically opened, but stuck open. Signals failed to show that the valve was stuck open.
  • Because of either administrative or human error, a critical valve in the emergency feedwater system was left closed, delaying the operation of that system for 8 minutes.
• Systems are said to be tightly coupled when a failure in one system can adversely and rapidly affect operations in another system. Tightly coupled systems make failures more difficult to predict and control.
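The event-tree arithmetic on the bridge-scour slides above, written out as a small evaluator. This is an added example, not code from the lecture or its textbook: it encodes the slides' Risk = (probability) × (consequences) over a tree of branches, multiplies probabilities along each path, and sums probability × consequence at the leaves, reproducing the 833, 1917 and 2750 ×10^-6 figures. It also checks that the branch probabilities at every node sum to one, which is how an outcome the analyst forgot to write down ("cannot anticipate all failure modes") shows up in practice. The reactor function treats the control-rod and cooling-pump failures as independent, and the numbers passed to it are constructed placeholders; the slide poses the question without giving values.

```python
"""Event-tree risk aggregation (added example, not from the original slides)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Branch:
    """One outcome at a node of the event tree.

    `probability` is conditional on reaching this node. A branch is either a
    leaf (carries `consequence`, e.g. expected deaths) or an internal node
    (carries `children`, whose probabilities must sum to 1).
    """
    name: str
    probability: float
    consequence: float = 0.0
    children: List["Branch"] = field(default_factory=list)


def validate(branches: List[Branch], path: str = "root", tol: float = 1e-9) -> List[str]:
    """Return the names of nodes whose child probabilities do not sum to 1.

    Missing probability mass usually means an outcome was never modelled,
    which is the slide's 'cannot anticipate all failure modes' in numeric form.
    """
    problems = []
    total = sum(b.probability for b in branches)
    if abs(total - 1.0) > tol:
        problems.append(path)
    for b in branches:
        if b.children:
            problems.extend(validate(b.children, path + "/" + b.name, tol))
    return problems


def path_risks(branches: List[Branch], path_prob: float = 1.0,
               prefix: str = "") -> List[Tuple[str, float]]:
    """Multiply probabilities down each path; return (path, p x consequence) per leaf."""
    out = []
    for b in branches:
        p = path_prob * b.probability
        name = f"{prefix}/{b.name}" if prefix else b.name
        if b.children:
            out.extend(path_risks(b.children, p, name))
        else:
            out.append((name, p * b.consequence))
    return out


def total_risk(branches: List[Branch]) -> float:
    """Sum of probability x consequence over all leaves (expected consequence per year)."""
    return sum(r for _, r in path_risks(branches))


def bridge_scour_tree() -> List[Branch]:
    """The slides' bridge example: collapse with annual probability 2e-3."""
    return [
        Branch("collapse", 2e-3, children=[
            Branch("rush_hour", 1 / 24, consequence=10),      # 10 lives likely lost
            Branch("non_rush_hour", 23 / 24, consequence=1),  # 1 life likely lost
        ]),
        Branch("no_collapse", 1 - 2e-3, consequence=0),
    ]


def reactor_meltdown_probability(p_rods_fail: float, p_pump_fail: float) -> float:
    """Meltdown requires BOTH the control rods and the cooling pump to fail.

    Assumes the two failures are independent, so P = p_rods x p_pump. A shared
    cause (loss of station power, say) would break that assumption and raise
    the true probability; this is the blind spot the slides warn about.
    """
    return p_rods_fail * p_pump_fail


if __name__ == "__main__":
    tree = bridge_scour_tree()
    assert not validate(tree)
    for path, risk in path_risks(tree):
        print(f"{path:24s} {risk * 1e6:8.0f} x10^-6 deaths/yr")
    print(f"{'total':24s} {total_risk(tree) * 1e6:8.0f} x10^-6 deaths/yr")
    # Constructed placeholder probabilities, not values from the slides:
    print(f"meltdown probability: {reactor_meltdown_probability(1e-3, 5e-3):.1e}")
```

Running it prints the two path contributions (833 and 1917 ×10^-6) and their total (2750 ×10^-6), matching the slide; feeding `validate` a tree whose branches sum to less than one names the offending node.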
Safety: Operation of engineering systems to reduce risk
• The loss of the Space Shuttle Challenger is another example of an engineering system failure due to operations failure.
• The practice of “normalizing deviance”, that is, the acceptance of anomalies (unexplained leakages of the O-ring seals) in previous flights, led to continued operation of a system that was dangerously close to its safe limit of operation.
• Also, operational limits (launch temperature) were increased without appropriate study.

Safety: Design of engineering systems to reduce risk to acceptable levels
• Develop inherently low-risk designs
• Incorporate redundancy in design
• Design for failure modes that give warning before catastrophic failure (ductile structures)
• Design for appropriate Factor of Safety
• Structural design philosophies...
  • Allowable Stress Design (ASD or WSD)
  • Load Factor Design (LFD)
  • Probabilistic design methods (e.g. LRFD)

Factors of Safety
  FS = Failure load / Design load
• To accommodate uncertainties in...
  • applied loads,
  • material properties,
  • simplified methods of analysis,
  • construction quality,
  • maintenance, ...
• and, to reflect different consequences for different failure modes.

Allowable (or Working) Stress Design philosophy
• ASD design philosophy limits the stress to a certain “allowable” value, which is usually some fraction of the yield or ultimate stress.

Design difficulties...
• Different loadings may have different uncertainties
• Different failure modes have different risk (uncertainty × consequence),
• Also the resistance (strength) of some modes may be affected more by construction quality, maintenance inspection interval, etc…
• ...so different Factors of Safety may be appropriate for different loadings and failure modes.
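The three design philosophies just listed, as working checks. This is an added example, not code from the lecture or its textbook: it codes the Factor of Safety (FS = failure load / design load), the ASD rule (stress limited to a fraction of yield) and the Load Factor Design inequality F_LL·M_LL + F_DL·M_DL ≤ φ·M_ult, using the factors the Load Factor Design slides on this page give (F_LL = 2.2, F_DL = 1.3, φ = 0.90). The girder moments, the steel stresses and the 0.6 allowable fraction are constructed sample values, not data from the slides. The second girder in the demo has the same total service moment but a larger live-load share, which is what makes the "different factors for different loadings" point visible: the implied FS is unchanged while the LFD check flips from pass to fail.

```python
"""FS, ASD and LFD checks (added example, not from the original slides)."""
from dataclasses import dataclass


def factor_of_safety(failure_load: float, design_load: float) -> float:
    """FS = failure load / design load: one number covering every uncertainty at once."""
    if design_load <= 0:
        raise ValueError("design load must be positive")
    return failure_load / design_load


def asd_check(actual_stress: float, yield_stress: float,
              allowable_fraction: float = 0.6) -> bool:
    """Allowable Stress Design: actual stress must not exceed a fraction of yield.

    The 0.6 default is a constructed illustration; real codes set the fraction
    per material and failure mode.
    """
    return actual_stress <= allowable_fraction * yield_stress


@dataclass
class LFDResult:
    factored_load: float      # F_LL*M_LL + F_DL*M_DL
    factored_strength: float  # phi*M_ult
    passes: bool
    utilisation: float        # factored load / factored strength; 1.0 is the limit


def lfd_check(m_dl: float, m_ll: float, m_ult: float,
              f_dl: float = 1.3, f_ll: float = 2.2, phi: float = 0.90) -> LFDResult:
    """Load Factor Design: amplify each load by its own factor, shrink strength by phi.

    Live load gets the larger factor because traffic is the less predictable
    load; different loadings carry different uncertainties and so get
    different margins.
    """
    factored_load = f_ll * m_ll + f_dl * m_dl
    factored_strength = phi * m_ult
    return LFDResult(factored_load, factored_strength,
                     factored_load <= factored_strength,
                     factored_load / factored_strength)


def required_ultimate_moment(m_dl: float, m_ll: float,
                             f_dl: float = 1.3, f_ll: float = 2.2,
                             phi: float = 0.90) -> float:
    """Smallest M_ult satisfying the LFD inequality: the sizing form of the check."""
    return (f_ll * m_ll + f_dl * m_dl) / phi


def implied_factor_of_safety(m_dl: float, m_ll: float, m_ult: float) -> float:
    """Overall FS against the unfactored service moment, for comparison with LFD.

    Two girders with the same implied FS can differ in LFD margin when their
    dead/live split differs; a single FS cannot see that difference.
    """
    return factor_of_safety(m_ult, m_dl + m_ll)


if __name__ == "__main__":
    # Constructed sample girder; moments in kN·m.
    M_DL, M_LL, M_ULT = 400.0, 300.0, 1400.0
    r = lfd_check(M_DL, M_LL, M_ULT)
    print(f"LFD: {r.factored_load:.0f} <= {r.factored_strength:.0f}? {r.passes} "
          f"(utilisation {r.utilisation:.2f})")
    print(f"required M_ult = {required_ultimate_moment(M_DL, M_LL):.1f} kN·m")
    print(f"implied FS on service moment = {implied_factor_of_safety(M_DL, M_LL, M_ULT):.2f}")
    # Same total service moment (700 kN·m) but live-load dominated:
    r2 = lfd_check(100.0, 600.0, M_ULT)
    print(f"live-load dominated: LFD passes? {r2.passes} (utilisation {r2.utilisation:.2f}), "
          f"implied FS still {implied_factor_of_safety(100.0, 600.0, M_ULT):.2f}")
    # ASD with constructed stresses in MPa.
    print("ASD ok:", asd_check(actual_stress=140.0, yield_stress=250.0))
```

For the sample girder the factored load is 1180 kN·m against a factored strength of 1260 kN·m (utilisation 0.94, passes); shifting 300 kN·m of the same total from dead to live load raises the factored load to 1450 kN·m and fails the check while the implied FS stays at 2.0.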
Load Factor Design philosophy
• Expected loads are multiplied by Load Factors, which may have different values for different types of loads
• Strength is reduced by a Strength Reduction Factor reflecting the variability in the strength
• Factored loads must not exceed factored strength

Load Factor Design example
• Consider a bridge girder which carries its own weight plus the weight of the deck (DL) and traffic loads (LL).
• Denote the moments caused by these loads as M_DL and M_LL, respectively.
• Denote the calculated ultimate moment (which would cause fully plastic failure of the section) as M_ult.

Load Factor Design example
• The LFD philosophy requires...
  F_LL × M_LL + F_DL × M_DL ≤ φ × M_ult
• where…
  • F_LL and F_DL are load factors for live and dead loads, typically specified to be 2.2 and 1.3 respectively, and
  • φ is a strength reduction factor, typically specified to be 0.90

Probabilistic design philosophy (LRFD)
• Load factors and resistance (strength) factors are not fixed by a design code, but are chosen in each design based on the specifics of the case.
• Factors are determined in such a way that the “probability of failure” of each limit state (failure mode) is maintained at some uniform value.

AASHTO LRFD Bridge design example: design for vessel collision
• Bridges in navigable waterways shall be designed for vessel impact, considering...
  • waterway geometry,
  • size, type, loading condition, and frequency of vessels using the waterway,
  • water depth,
  • vessel speed and direction, and
  • structural response of the bridge to collision.

Bridge design for vessel collision (cont’d)
• Bridges are classified as “regular” or “critical”.
• “Critical” bridges shall continue to function after more severe collisions than the collision limiting “regular” bridges

Bridge design for vessel collision (cont’d)
• An analysis of the annual frequency of collapse is performed for each pier or span component exposed to collision.
• The design vessel is selected using a probability-based analysis procedure in which the predicted annual frequency of bridge collapse (AF) is compared to an acceptance criterion.

Bridge design for vessel collision (cont’d)
• The Annual Frequency of collapse (AF) is computed by…
  AF = N × PA × PG × PC
• where...
  • N = annual number of vessels, by type, size...
  • PA = probability of vessel aberrancy
  • PG = geometric probability of a collision by an aberrant vessel
  • PC = probability of bridge collapse due to collision

Bridge design for vessel collision (cont’d)
• The Annual Frequency of collapse (AF) is limited to a specified acceptable risk...
  AF = N × PA × PG × PC
  AF ≤ 10^-3 for “regular” bridges
  AF ≤ 10^-4 for “critical” bridges

Acceptable risk...
• What is an acceptable risk?

Some acceptable risks...
• Note that the average American could, if he/she chose, reduce his/her annual risk of death by 173×10^-6 by avoiding travel in automobiles or on highways. Since the average American chooses to accept this risk (because of the advantages of automobile transportation), the risk of death associated with automobile travel could be considered an “acceptable risk”, that is, one assumed by a reasonable person.
• Similarly, the 8×10^-6 risk of death in commercial aviation is accepted by most persons.

Cost-benefit risk assessment example
• The government is proposing legislation to limit formaldehyde emissions to 3 ppm. Industry estimates that to install and operate the necessary scrubbers will cost $300 million annually. Toxicologists estimate that this new standard will save 30 lives annually. Using cost/benefit analysis, should the new standard be implemented?
• Cost = $300 million/yr
• Benefit = (30 lives/yr)($ ??? / life)
• What is the dollar value of human life?

What is the value of human life?
• Some methods to place a value on human life
  • purchasing decisions involving safety (e.g. car purchase)
  • future earnings
  • extra pay needed for risky jobs (e.g. house painter vs. smokestack painter)

Problems with using studies of purchasing decisions to determine the value of life...
• wealthy people are willing to pay more
• people will pay 7 times more to reduce risk of cancer than to reduce risk of death in an automobile
• decisions are based on perceptions (values)
• women value their lives more than men, i.e., men are more willing to engage in risky behavior
• A 1984 study by Shulamit Kahn indicates that people typically valued their lives at $8 million (Note: this figure is higher than is typically used in public policy analysis. Also note that Ford used $0.2 million in the 1970’s Pinto case study.)

Public Policy Expert’s Approach to Risk
• His/her first priority is to protect the public.
• Consider the consequences of an error in a study to determine whether a chemical is carcinogenic…
  • False Positive: The chemical is banned as being carcinogenic, when in reality it is not. The producer loses potential profits from the sale of this chemical.
  • False Negative: A dangerous chemical is approved as safe and sold to the general public. The death rate from cancer increases.
• A public policy expert will choose to err on the side of public safety when the facts are not clear.

Public policy expert approach (cont’d)
• In a democracy, the government policy makers respond to the public’s wishes. The public tends to react to different risks in different, and sometimes irrational, ways. As a result, we tend to allocate differing amounts of money to save lives by different measures...

[Chart: Allocation of Money]

Layman’s approach to risk
• Respect for Persons Approach
• Key Issues:
  • is the risk distributed equitably?
  • are those assuming the risk compensated?
  • is the risk voluntary?
  • does the person assuming the risk understand it?
  • does the person assuming the risk have control?

Layman’s approach to risk...
• Laymen often overestimate low probability risks
• Willing to accept higher voluntary risks than involuntary risks (by a factor of 10^3)
• Laymen don’t compare a risk to already accepted risks
• Laymen overestimate risks of human origin compared to risks of natural origin
• Laymen’s approach more closely follows the Respect-for-Persons approach than the Utilitarian approaches used by many experts

An Acceptable Risk is one that is...
• freely assumed with informed consent
• equitably distributed
• properly compensated

Informed Consent
• RP says we should treat people as “moral agents” (autonomous, self-governing individuals)… thus we should seek “informed consent” before assigning risk
• Criteria for informed consent
  • consent must not be coerced*
  • person must be accurately informed*
  • person must be competent* to assess information
* there are possible conceptual and application issues to be resolved

Problems with informed consent
• difficulty getting informed consent
  • consent must be obtained before the risk is assumed
  • consent requires negotiation
  • holdouts or unreasonable preferences
• parties must be well informed and reasonable
  • people are often hysterical regarding dramatic or catastrophic risk
  • people underestimate the consequences of risks that have never happened before

When it isn’t possible to get informed consent...
• Only expose people to risks they would consent to, if they were informed of all known risks. Or, ...
• As an alternative to gaining consent from everyone affected by the risk, the group leaders can decide to accept the risk for the group.

Problems with Informed Consent (cont’d.)
• Some people may give informed consent to things that are not in their interests, because of...
  • misunderstanding information
  • immaturity
  • irrationality
• Such consent isn’t autonomous.

Problems with Informed Consent (cont’d.)
• If consent is not autonomous, then you should find a way to make consent autonomous.
Risk concepts -- Example
• The electric power company proposes to build a nuclear power plant near your neighborhood. Given the newly deregulated electricity market, the power probably will be sold out of state because prices are higher there.

Risk concepts -- Example (cont’d.)
• Is the risk voluntary?
• Does the person taking the risk understand it?
• Does the person taking the risk have control?
• Is the risk distributed equitably?
• Do those taking the risk get the rewards?

Informed Consent by Group Leaders -- Example
• The XYZ Chemical Company wants to build a new plant in Smallville. The chemical plant has a pollution effluent that may give one citizen cancer every five years. However, the plant will create 100 new jobs and a substantial tax base for Smallville, which will improve the local schools and hospital. The XYZ Chemical Company asks the town council for approval to build the plant in the industrial park.

Informed Consent by Group Leaders (cont’d.)
• Advantages:
  • simplifies the decision-making process
• Problems:
  • How do we compensate those individuals who suffer the consequences of the risk?
  • Approval of group leaders does not reflect the wishes of all individuals
  • Works okay for small risks, but large risks may need individual consent

Paternalism
• Paternalism: the exercise of power by one person or institution over another in order to help or prevent harm to the latter, when...
  • Weak paternalism -- the latter is not exercising moral agency effectively.
  • Strong paternalism -- there is no reason to believe the latter is not effectively exercising moral agency.

Paternalism (cont’d)
• Commonly-accepted criterion for acceptable paternalism:
  • A fully rational person informed of the relevant facts would consent to intervention in this case
• Paternalism often causes resentment.
• Paternalism (weak) is permissible if the protected person is not autonomous
  • but people will disagree over who is autonomous.
Summary
• Be aware that experts tend to use a utilitarian approach and the lay public tends to use a respect-for-persons (RP) approach
• Utilitarian and RP approaches each have their limitations
• It is difficult to quantify risk
• People’s values differ regarding risk
• Promote informed consent within your limits as an engineer

For guidance...
• “People should be protected from the harmful effects of technology, especially when the harms are not consented to or when they are unjustly distributed, except that this protection must sometimes be balanced against (1) our need to preserve great and irreplaceable benefits and (2) the limitations on our ability to obtain informed consent.” Harris, et al.

Summary (cont’d.)
• Some technologies provide valuable and irreplaceable benefits, yet are inherently risky (e.g. automobiles)
• Engineers should be paternalistic and protect the public from harmful impacts of technology if:
  • Consequences are severe
  • Consequences are unjustly distributed
  • Informed consent is not possible

Liability

An engineer’s ethical dilemma...
• All engineering involves some risk.
• Protecting the public from all risks is not in the public’s best interest.
• We must protect the public from unacceptable risks.
• We may be liable for injuries caused when we misjudge the risks, as well as when we make errors.

Different standards for tort law and science...
• Tort (injury) law uses different standards for risk and liability than we have been discussing so far.
• An engineer might not feel confident that action A had caused result B without strong statistical evidence (i.e., 95% confidence)
• Tort law requires proof by a “preponderance” of evidence (i.e., 51%)

Recommendations...
• Work conscientiously, diligently, and ethically; make sure your designs are consistent with best engineering practice.
• Document your actions and decisions in a Daily Log.
• Liability insurance is commonly purchased by design engineers.
  Costs can be high, depending on the work you do.

Representative costs for liability insurance policies
• Chemical Engineers (with PE designations, signatory authority, plant-scale involvement)
  • $1 million coverage, $5,000 deductible, premium = $900/yr
• Architects/Engineers
  • $75 million coverage, $15,000 deductible, premium = $10,000/yr