2.1.1 Product defect
EU Directive regulates liability for defective products on the approximation of Laws, Regulations and Administrative Provisions of the Member States for Defective Products.
4 [transposed in the UK as the Consumer Protection Act (CPA) 1987]. The directive applies to all types of products including agricultural products. Under the law, “product” is defined as all movables even if incorporated into another movable or an immovable (See art 2 of amendment to directive). A producer means the manufacturer of a finished product, the producer of any raw material or the manufacturer of a component part. A producer also includes any person who, by putting his trademark or other distinguishing feature on the product presents himself as its producer (art three directive).
The Directive lays down the principle of liability without fault or strict liability which means a person injured by a defective product can claim damages even if the defect was not due to the producer/manufacturers negligence. A defective product is one which does not provide the safety which a person is entitled to expect, considering, all circumstances including, the presentation of the product, such as adequacy of the warning,
5 the use to which it could reasonably be expected that the product would be put and the time when the product was put into circulation are factors (art 6). The standard of the defect is, therefore, an objective one. For example, a product is defective if its safety is not such as persons generally (everyone and not the particular claimant injured by the product) are entitled to expect. Also, the law does not infer defect from the fact that a better or safer product was subsequently put into circulation or permit persons to expect standards of safety that are unknown or which do not exist at the relevant time (art 6, 7 Directive, s 3 CPA).
Moreover, to succeed in an action for damages, the claimant or injured person must prove the damage and the defect in the product as well as the causal relationship between the damage and the defect (art 4). In other words, the claimant must prove that he suffered damage, that there was a defect in the product and that the defect caused the damage. Presumably, therefore, if a claimant is unable to prove defect, he cannot prove that loss or damage resulted from such defect. However, in cases where the causal link is established, the law also provides for defences which are of particular relevance to the manufacturer of the agribot. As examples, it is a defence that the producer (or manufacturer) did not put the product into circulation or that the defect did not exist at the time the product was put into circulation (art 7). These arguably cover instances where someone caused the fault after the manufacturer supplied the agribot or where interference with software causes the agribot to malfunction or where the agribot has been used for a purpose for which it was not intended (See notes on dual-use below).
Other grounds for avoiding liability include a claim that the safety fault was an inevitable result of obeying the law (e.g., the agribot could be safer but for provisions of the law which excludes the use of certain technology). Also, it is a defence that the manufacturer could not have made the product more secure or safer given the state of knowledge in science and technology (‘development risk defence’) (art 7(e)). Therefore, it is a defence under the law that the state of scientific or technical knowledge at the relevant time is such that the manufacturer could not have known the defect in the product. This suggests that the law does not expect manufacturers or designers to wait until a safer technology is available before introducing their products. All that is required is that the standard of safety corresponds to state of the art in scientific or technological knowledge at the relevant time. However, the Directive makes this defence optional, and it would, therefore, only avail the manufacturer where it is provided for under national law.
6
It is important to stress that requirement for proof, and indeed the definition of a defect under the law is not intended to undermine consumer protection. Rather, it is intended to strike a reasonable balance between the obligation to protect consumers and the need to promote innovation in a fast-evolving technology environment. For example, while owing to the complexity, technicality and probabilistic behaviour of products like an agribot, it may be difficult and expensive for claimants to prove a defect, it must also be assumed that developments in artificial intelligence, robotics and machine learning would mean that safety standards become outdated fairly quickly. Therefore, unless the law limits the liability of manufacturers to safety standards based on the state of scientific and technical knowledge, their liability could be indeterminable or infinite, and this may adversely affect innovation and development.
It is also relevant to note that damage includes damage caused by death or personal injury and damage or destruction caused to property other than the defective product itself (art 9). Liability imposed by the law cannot be excluded or limited by contract and can be joint and several.
7 However, member states may provide for the limitation of liability for damage resulting from death or personal injury provided that the amount shall not be less than 70 million ECU (art 5,12).
2.1.2 Accidents and health and safety law
In the UK, health and safety law is implemented through the provision of the Health And Safety At Work etc Act (HASAWA) 1974. The Act enables the enforcement body, the Health and Safety Executive (HSE) to bring criminal prosecutions under Section 33 of the Act against organizations deemed to have breached the statutory duties it imposes.
The primary duties imposed by the act are described in Sect.
2 and Sect.
3 of the Act. The former imposes duties on employers to ensure the safety and health at work of employees; the latter on employers (and self-employed persons) to ensure the safety at work of those persons
other than their employees who could be harmed by the employers’ undertaking. An
undertaking is defined by the set of activities carried out by an organization; this extends to the design and manufacture of products such as agribots and includes their use. Therefore, an accident whereby a member of the public is injured by an agribot could result in a criminal prosecution against the owner/user of the agribot, and/or the designer/manufacturer. The balance of this prosecution depending mainly on the nature of the accident.
Section 6 of HASAWA1974 imposes duties on the manufacturers etc. (including designers) for the safety of articles used at work. Therefore, prosecutions could hypothetically also be initiated for a breach of this Section; however, in reality, this is seldom the case.
8 Further, the duties of designers and manufacturers of agribots are better described under the Consumer Protection Act 1987, and / or the Supply of Machinery (Safety) Regulations 2008.
Prosecutions for breach of duties under Sections 2–6 of HASAWA1974, if elevated to the Crown Court, invoke a potential maximum penalty of two (2) years imprisonment, and / or an unlimited fine. In all cases described above, the duty is qualified and limited by the term ‘so far as is reasonably practicable’ (SFAIRP). This is also commonly phrased as the duty to reduce risk to a level that is ‘As Low as Reasonably Practicable’ (ALARP). These terms are largely interchangeable, the former used in legislation, the latter commonly used in engineering communities.
The key element is the concept of reasonable practicability. This was defined in common law decades before
9 the implementation of HASAWA1974 and provides a fundamental means to both limits the duty imposed by the Act and mitigate the liability incurred following an accident and resultant prosecution. If the defendant(s) can demonstrate that all reasonably practicable measures were taken to reduce the risk, they thereby demonstrate that they fully discharged their duties under HASAWA1974.
Demonstration that all reasonably practicable measures have been taken (often termed ‘demonstration of ALARP’) requires the following measures be taken
10:
1)
Identification of reasonably foreseeable hazards and assessment of risk;
2)
Adoption of authoritative good practice for control of risk;
3)
Identification of further practicable risk reduction measures;
4)
Implementation of identified risk reduction measures unless it can be demonstrated that the sacrifice (cost, time, effort) associated with doing so is grossly disproportionate to the safety benefit gained from the measure.
The above steps (2)–(4) are further predicated on the assumption that the overall risk to the safety and health of persons affected by the activity/product/system under assessment is in general,
tolerable. If the risk is assessed as
intolerable, then the owner of the duty to reduce that risk must do so regardless of any consideration of sacrifice. HSE guidance R2P2 provides a quantitative baseline definition of intolerable and tolerable risk.
11
Where risks are well understood and defined by an industry body of knowledge, completion of steps (1) and (2) above will be sufficient to demonstrate ALARP. This can include compliance with legislation, approved codes of practice (ACOP) and in some cases engineering standards, where these can be shown to be directly and fully applicable and correctly applied.
Where such compliance is not possible, for example, because the technology associated with activity/product/system is new or novel, or because it is not possible to fully comply with relevant standards, further effort will need to be expended on risk assessment and/or engineering study, to determine what can be practically done to reduce the risk.
Demonstration of gross disproportion relies upon the assessment of the benefit of the risk reduction measure and consideration of the sacrifice (e.g., financial cost) of implementation of the measure. The concept of gross disproportion ensures that this is not a straightforward cost–benefit analysis, whereby the owner could demur if the sacrifice simply exceeds the benefit; rather the sacrifice must grossly exceed the benefit before the duty to implement the measure is discharged.
The above assessment can often be carried out qualitatively, for example, through use of a continuous matrix (such as the Boston Square), placing the effectiveness of a risk reduction measure on one axis, and difficulty involved in implementing the measure on the other axis. Potential improvement measures are then ranked relatively against each other. There are also a number of simplified screening tools in general use that highlight qualitatively those measures that should be implemented, should not be implemented, and those which require further study. In all cases, these qualitative methods will need to take account of the requirement to demonstrate gross disproportionality between the sacrifice and the safety benefit.
Where sufficient information is available, and where the resolution of the cost/benefit decision is less clear (for example, an initial screening tool results in the requirement for further study), a full quantitative assessment can be undertaken. This requires the quantification of the full lifecycle risk without further mitigation (sometimes termed the
vanilla risk), for example, in terms of Potential Loss of Life (PLL) or Fatalities and Weighted Injuries Rate (FWI); similar quantification of the risk reduction measure(s); and combination of these values with a Value for Preventing a Fatality (VPF).
12 The sacrifice associated with implementing these measures is then calculated, and the measure implemented unless the sacrifice is found to be grossly disproportionate to the safety benefit.
Definitions of gross disproportion vary dependent on context; however, a useful rule of thumb is to consider the initial level of risk. Where that initial risk is tolerable but high, i.e., close to the border with the intolerable region, the gross disproportion factor should be similarly high. Where the risk is tolerable but low, the gross disproportion factor may also be lower. In some industries, in some circumstances, a sacrifice that is 3 × the benefit may be considered grossly disproportionate; whereas in other cases, a factor of 10 × may be required before a measure should be considered not reasonably practicable to implement.
The Management of Health and Safety at Work Regulations 1999 impose a duty on employers to undertake a suitable and sufficient risk assessment in support of the duties placed upon them by Sections 2 and 3 of HASAWA1974. However, even were this not the case, a demonstration that risk has been reduced ALARP is challenging to achieve without carrying out such an assessment. In fact, the requirement for risk assessment has arguably been part of UK common law since 1949.
13
The requirement for risk assessment, should not be confused with a requirement for risk
analysis. For a risk assessment to be suitable and sufficient, it must demonstrate that appropriate action has been taken to reduce the risk. Where sufficient information is available, a detailed analysis in support of this action may be beneficial. However, this is often not required, and sometimes not justifiable. For example, where there are high levels of uncertainty associated with a particular hazard, which render conventional risk assessment techniques unreliable, a
precautionary principle14 should be adopted. This principle requires that the assessment and action were taken to be based more on the putative consequences of a risk, rather than the likelihood.
In the case of agribot use/design/manufacture, where authoritative good practice is still primarily to be defined, compliance with health and safety law will depend on the suitability and sufficiency of the risk assessments carried out by duty holders. Further, whereas the balance of prosecutions in the UK as a whole tends to focus more on immediate causation
15 (i.e., who are the persons/organizations who ‘last touched the risk’), the nature of the autonomous robots may largely necessitate a greater focus on the prosecutions of designers and manufacturers. They may be more frequently called upon to present formal safety justifications of their autonomous products that demonstrate anterior identification, consideration and management of relevant hazards and risks. Complete justification will necessarily include the documentation of critical design decisions, the identified practicable risk reduction measures, and reasonable justifications for the measures rejected, as well as those, adopted.
For users/owners to discharge their safety and health duties, they may be largely dependent on the decisions are taken autonomously by the agribots. In corollary, the extent to which they can be held liable for those autonomous decisions is limited by the extent to which they can train/teach the agribot before full operations; this is in turn limited by the safeguards and risk reduction measures defined by the designer as a result of their risk assessment. As with all risk reduction measures, a hierarchy of control
16 should be adopted by designers.
Elimination of hazards during the early phases of design should be prioritized; where hazards cannot be eliminated they should be controlled primarily be engineering means, for example, safety functions
17 that bring the agribot into a safe state upon detection of a failure or the presence of a member of the public in close proximity. Lower levels of this hierarchy will necessarily include the provision of instructions for use, informed by the suitable and sufficient designer risk assessment. In effect, the users will be responsible for management of the
residual risk associated with the agribot, i.e., those risks which could not be designed and engineered away.
Notwithstanding the above, there is guidance available that will be partly applicable to the use of agribots and may assist users of agribots with the implementation of safe systems of work. This will necessarily include appropriate traffic management arrangements
18, including measures to ensure exclusion of the public, route planning, lighting and visibility, where necessary, as guided by manufacturer-provided instructions for use in combination with suitable and sufficient user risk assessment.
Health and Safety law in the UK is primarily goal-setting and requires a regime of self-regulation to ensure compliance with the HASAWA1974, particularly Sections 2 and 3. Therefore, the measures, guidance, and techniques outlined above are applicable, regardless of whether any specific, prescriptive regulation exists. In all cases, applicable good practice should be sought, and the duty owner(s) should determine appropriate measures to reduce the risk to a demonstrably ALARP level using an appropriate hierarchy of risk control measures.
For example, in the event that an agribot may be used in low-visibility environments, such as mist/fog, or nighttime working, the designers would need to consider the measures that could be designed into the system to reduce the risk. For example, a designer could not demonstrate that risk had been reduced ALARP by recommending in the instructions for use that the agribot wear hi-visibility clothing, regardless of how humanoid in appearance the agribot may be! Firstly, this is because Personal Protective Equipment (e.g., hi-vis jackets) always forms the lower ranks of any hierarchy of risk control measures; correct use of PPE is always subject to human error or violation. Secondly, hi-visibility clothing is used primarily to protect the wearer, whereas in this scenario, persons most at risk would likely be those driving other vehicles that could potentially impact the agribot. It should be clear to a designer that, even in the event of a hypothetical stipulation in the instructions for use that the agribot should not be used in periods of low visibility or nighttime; use in such conditions would certainly constitute reasonably foreseeable misuse. As such, the designer has an obligation to ensure that the agribot is provided with reasonably practicable measures to increase visibility (e.g., lights) and / or other measures to avoid collision (e.g., horns / audible warnings). For example, practicable measures could include (but not limited to): collision detection systems based on radar scanning and autonomous avoidance; built-in lighting systems, potentially with safety systems that prevent operation in low-visibility environments when lighting systems are non-functional; hi-visibility paintwork; reflective strips, reflectors. A combination of these elements would likely be necessary to demonstrate that risk is reduced ALARP, subject to assessment as described in the paragraphs above.
A further example, is the use of agribots on public highways. From the above discussion and example, it should be clear that no agribot should be used on public highways unless reasonably practicable risk reduction measures are implemented. Inherent in the definition of reasonable practicability is the concept of proportionality; measures taken to reduce the risk should be proportional to the risk. Therefore, in the event that an agribot is required to autonomously travel on or across public roads then collision avoidance safety systems must be designed-in, similar in extent to those required for autonomous road vehicles. However, in the event that an agribot can be supervised across a road crossing in manual mode or remote mode the exposure to risk is lower, and it is reasonable for the designed-in safeguards to be less onerous (of course providing that suitable controls are designed-in to prevent inadvertent agribot access to public roads).
For the scenario of an agribot crossing a road in a supervised/manual/remote mode, the extent to which risk reduction measures can be designed-in would be firstly dependent on the extent to which risk reduction measures are practicable, i.e., technically feasible. For example, crashworthiness/impact absorption, to prevent damage in passenger carrying vehicles, and/or collision avoidance systems that effectively distinguish between vehicle hazards, users, members of the public, and livestock (which may be crossing simultaneously with the agribot). Secondly, the designers would need to be assured that they are not introducing additional hazards that are potentially higher risk than the hazard they are trying to control. For example, designer risk assessment may determine that any collision detection system should be deactivated, while in manual or remote mode to avoid risks to the local user—such as autonomous avoidance resulting in the robot reversing into a manual remote controller walking closely behind it—or risks increased by non-execution or delays to command responses. In this case, the system would not be effective for mitigating risk of vehicle impact when crossing roads. In such a scenario, complete with supporting risk assessment, it may be that the designer is able to reasonably discharge their responsibility for further reduction of risk. This is providing that: suitable arrangements are provided in design for agribot visibility as discussed above; the manual/remote mode is generally and demonstrably safe and reliable; a Safe System of Work can be adopted by the user that follows the highway code, providing suitable warning to other road users that a crossing is taking place, and controlling/excluding traffic, where necessary.
2.1.3 Accidents and negligence
Legal action in tort for negligence may also be taken against manufacturers, agricultural contractors, operators and farmers and their agents for injuries, loss or damages resulting from negligence or accidents involving the agribot. However, unlike strict liability or liability without fault, a claim in negligence requires the claimant to prove fault on the part of the manufacturer or other person being sued. The following must be established; the defendant(s) (such as manufacturer/designer, contractor or farm owner) owes a duty of care to the claimant, there was a breach of that duty (the defendant failed to take care), the claimant was harmed (that is personal injury, or damage or loss of property resulted).
Liability for negligence may fall on any of the parties depending on the cause of the accident, and who owes or is owed a duty of care in the circumstances of each case. For example, the position of the law is that the manufacturers owe a duty of care to persons who use their products and manufacturers would be deemed to have breached this duty where there is a defect in the product. A cause of action (the basis for suing the manufacturer) arises where injury or loss results from the defect. For liability, it is immaterial that the claimants did not purchase the product themselves. Therefore, suppliers, farmers, contractors and their agents or other users who may be injured by any defect in the agribot would be entitled to sue the manufacturer for negligence. From the perspective of the consumer, an action in negligence provides additional protection as product defect may raise a
prima facie case of negligence.
19
Apart from defects, liability for negligence may arise in cases of misuse mainly where manufacturers fail to provide instructions or where the instructions are inadequate or misunderstood. Under the EU Machine Directive,
20 [transposed in the UK as the Supply of Machinery (Safety) Regulations 2008] the manufacturer or his authorized representative is required to provide necessary information such as instructions before putting machinery on the market and/or putting it into service (art 5 Machine Directive). Regarding the general principles for drafting instructions, the Directive provides that instructions must be drafted in one or more official Community languages (of the EU), and the case of machinery intended for use by non-professional operators, the wording and layout of the instructions for use must take into account the level of general education and acumen that can reasonably be expected from such operators (Machinery Directive item 1.7 annex 1).
It is, therefore, a question of fact depending on the circumstances of a case whether warning or instruction is sufficient and whether the manufacturer is liable or not. For example, instructions and warnings full of probabilities and equations provided to intermediaries (such as agricultural contractors) may be sufficient if the contractor is learned in and has a good understanding of the agribot. Conversely, the same instruction addressed to farmers who (presumably) have the less technical knowledge, may need to be more basic. Therefore, in a hypothetical scenario where a farmer misunderstands the instructions and assumes the agribot is safer than it actually is and thereby causes the agribot to malfunction and kill a walker, a brochure full of probabilities may be deemed too complicated, and the manufacturer may be held liable for accident caused by the farmer’s misuse. The key principle is, therefore, that instructions must be pitched at the level at which both technical other non-technical users of the agribot can understand them.
Other provisions of the Machinery Directive particularly relevant to the agribot include the requirement that the contents of the instructions must cover both intended use of the machinery and any reasonably foreseeable misuse. Also, where applicable, the instruction manual must contain warnings concerning ways in which the machinery must not be used that experience has shown might occur (item 1.7.4 annex 1 to the Machinery Directive). These provisions suggest the manufacturers would still be deemed to have complied with the law if they fail to give warnings on use and misuse which were not known at the time of manufacture or design but subsequently becomes known due to self-learning, the processing artificial intelligence (AI) or repurposing of the robot. They also suggest that apart from the manufacturer, other users of the agribot could be liable if they ignore clear instructions and warnings or continue to use the agribot after discovering that it has malfunctioned due to failure to follow instructions. However, to benefit from the presumption of conformity with the health and safety requirements under the Directive, manufacturers are required to affix CE marking on their product and comply with a declaration of conformity (arts 5,7).
2.1.4 Accidents caused by agents, employees and contractors
Liability for accidents caused by third parties depends on whether the person who caused the accident is an agent or an independent contractor. Under the law, a principal is vicariously liable for the acts and omissions of his agent when the agent is acting within the scope of his authority. The scope of an agent’s authority is defined by a contract between the agent and the principal. As an example, therefore, liability for acts or omissions of the operator of the agribot will depend on whether he is an agent of the manufacturer or the agricultural contractor or whether he is an independent contractor. Similarly, if there is a franchise agreement, the franchisor’s liability will depend on whether the franchiSee acts in the capacity of an agent. Therefore, while the law does not automatically infer an agency relationship from a franchise, the agency can be inferred from the contract and the circumstances of the case.
As also noted above, liability might depend on whether third parties, such as employees, agents or contractors, receive adequate instructions on the use of the product. As an example, under the Provision and Use of Work Equipment Regulations (PUWER) 1998 (UK), businesses which either use or hire out work equipment are required to manage the risks from the equipment. Risk management includes ensuring that all people who use or manage work equipment receive adequate instructions and appropriate training. Therefore, apart from the manufacturer, operators of the agribot, agricultural contractors and farmers are also legally obliged to assume liability for accidents caused by third parties due to misuse.
Furthermore, under the Occupiers Liability Act 1957 and 1984, an occupier, that is a person in control of land, premises or buildings can be held liable for injury or harm to another person on the land. Such persons can include workmen, residents, visitors, strangers or even trespassers. One of the conditions for the assumption of liability is that the harm is caused by a person over whom the occupier has control or over which he could exercise some degree of control. It is, however, important to note that this liability can be excluded by contract.
Finally, damage caused by the escape of things likely to cause mischief is borne by the owner of the land provided the damage be NIL a reasonably foreseeable consequence of the escape (this is the rule in Rylands v Fletcher).
21 In practice, this might mean a farm owner or farm manager could be liable if he (or his agent or anyone under his control) allows the agribot or things used by the agribot such as herbicides to ‘escape’ to adjourning lands or farms and for damages resulting from such escape. This position poses a little problem when the agribot is operated in manual mode as the operator is deemed to be in control. However, when operating autonomously, the risk of ‘escape’ may heighten, and farmers or other users of the agribot may have to adopt additional measures to avoid liability. This may include closing escape routes and putting warning signs at different ends of a road when the agribot is in operation. Although this is not a legal requirement, in the UK, farmers routinely close local roads to move herds of animals by placing signs and/or people at both ends before releasing the animals. The Health and Safety Executive (HSE) has also issued a number of advice on public access for livestock which would be relevant to the operations of the agribot.
22 It is, however, important to note that the Animals Act 1971(UK) impose strict liability on keepers of animals which are of a dangerous species.
23
The outstanding challenge from the above liability allocation regimes relates to how to resolve the attribution problem. For example, despite the clear provisions of the law, it might be difficult to ascertain whether damage, injury or loss was caused by a defect in the product or misuse such as failure to follow instructions. It is conceivable for instance that contractors or farmers would tend to attribute loss or damage to product defect rather their misuse of the agribot. It is also conceivable considering the complex and technical nature of the agribot and the fact that law imposes liability on the manufacturer for insufficient and unclear instructions, that courts might be more inclined to hold manufacturers liable in negligence rather than hold users liable for misuse. One solution to the possible dilemma is to design the robot with detailed data logging system. This would create a form of ‘liability by design’ which enables the agribot to keep detailed logs of events and incidents including possibly replaying an accident to establish if was caused by a sensor failure or user command. A data logging system may, therefore, assist in identifying where liability falls where there is a dispute as to whether accidents are due to manufacturer defect or user misuse.