For novel ideas about building embedded systems (both hardware and firmware), join the 40,000+ engineers who subscribe to The Embedded Muse, a free biweekly newsletter. The Muse has no hype and no vendor PR. Click here to subscribe.

Software Liability Laws - Part 2

Summary: A second installment about a proposed software liability law.

Last year a man was awarded $1.5 million in a suit against a tablesaw vendor. The fellow had removed all of the safety gear and was doing an unbelievably dangerous cut, and the saw cut back. He won, at least in part, because a different vendor has technology that senses flesh and stops the blade before serious harm can result. The court felt that the saw was defective since it didn't incorporate this flesh-detecting technology. Now the CPSC is considering mandating that all new tablesaws will be required to be safe no matter how dangerous the operator chooses to be.

The woodworking world is in an uproar. Some feel the Feds should take action, others decry the increasing presence of the government in our lives. I think that none of the arguments are particularly relevant since the vendors now know they are at risk in court. It doesn't take a rocket scientist to see that sooner or later, and probably sooner, they'll protect themselves from this exposure by voluntarily adding smarts to make saws safer. Or rather, to protect the vendors from lawsuits. This seems a better outcome than yet more laws and the bureaucracy needed to enforce them.

Recently Poul-Henning Kamp, writing in ACM Queue ( proposed a new set of laws to protect users from dangers from software. It is in three clauses, the first two of which I discussed last week here: .

Clause 2. In any other case, you are liable for whatever damage your software causes when used normally.

I completely agree with the sentiment expressed here. But, going back to the tablesaw discussion, here in the USA I believe that the courts will be increasingly called on to deal with the repercussions of software failures. Do we need a law?

Most accidents (if one cares to call them that) result from a series of problems, not a single failure. A bug in the code, weakness in the hardware, operator error and other factors generally combine to cause damage. Are we wise enough to write a law that somehow sorts all of that out?

I completely agree with Mr. Kamp that software today is in crisis. It's the most complex engineered artifact in history. The processes used to develop it are often ones that are known to be a problem. The resulting bugs and security issues are largely avoidable. Ironically, in no other industry can one get away with shipping known defective products. Will that state of affairs last? When the lawsuits start flying you can be sure management will take action.

Consider what will likely happen: the litigation will cause the tech world to waken, at least in part, from the software slumber. Publicly-traded companies will be compelled to list in the risks section of their annual report: "another potential risk area is that we have decided to use poor software development processes, and potential lawsuits could put us out of business." Companies are required to list those risks, and it's inconceivable to me that the CEO will tolerate a statement of that sort.

Product liability laws already exist, designed to give a plaintiff a route through the courts to address injury or costs associated with defective products. Does software need its own, special, law? There's a lot of debate about the nature of software, and some feel it is different from products that one can hold and feel. But in the context of embedded systems, I think it's clear that the firmware is an innate component of a product; without it, the device is roughly as feature-rich as a brick. Remove the firmware and all of the features, the things the customer paid for, disappear.

Ultimately, I think that fear of litigation will be the force that causes management to demand better code. The legal wrangling will be cataclysmic, but it will disappear once the software improves.

Published December 14, 2011