What does a reasonable risk mean?

For those familiar with ISO 26262: I think the standard does not describe very well the link between the notion of reasonable risk and the functional safety that is achieved by implementing risk reduction measures. This matters, because functional safety is defined as:

the absence of unreasonable risk

IEC 61508 describes this connection somewhat better, especially in Annex A of Part 5 (SIL determination), by clarifying the notions of risk and safety integrity and, above all, by pointing to the concept of ALARP (as low as reasonably practicable). What "reasonable" refers to, or "tolerable" in the context of IEC 61508, is to a great extent a cost-benefit trade-off for a given organization or society, since risk = 0 is unachievable. The ALARP principle therefore defines three "regions" of tolerability:

  • Broadly acceptable region (what could correspond to QM in the context of ISO 26262)

  • Tolerability region (where risk analysis and, consequently, risk reduction measures need to be implemented)

  • Intolerable region (where the risk must be reduced into the tolerable region whatever the cost, or the activity not undertaken at all).

The essential point is that ALARP is concerned with the total risk resulting from all hazards and situations that an E/E system (ISO 26262) or an EUC (equipment under control, IEC 61508) can face. A safety engineer doing hazard analysis and determining SILs or ASILs deals with individual hazards; this is an important difference.

Consequently, it is fundamental to underline the key role of the tolerable (or reasonable) risk limit as a global safety target. This target does not necessarily have to rely only on the state-of-the-art measures described in an industry standard, like the technical measures in the ISO 26262 tables, but can also be informed by:

  • Discussions and agreements with different parties involved in the application

  • International discussions and agreements

  • Best independent industrial, expert and scientific advice from advisory bodies

  • Legal requirements

There is a difference between SIL (or ASIL, for automotive) determination, which is done for each hazard separately, and the overall reasonable risk, which concerns "the most exposed person" and all the risks that person is subject to; I think this article is conclusive in illustrating this. Of course, the same safety goal (or safety objective) can apply to many hazardous events. It is essential to keep in mind that the risk reduction measures applied for each SIL level must, taken together, bring the total risk below the overall reasonable risk. The trickiest part is how to determine what is tolerable or reasonable.
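The per-hazard versus total-risk distinction above is easy to get wrong in practice, so here it is worked through as an added example (my own code, not part of the original post). It determines a SIL for each hazard from the risk reduction it needs, then sums the residual risks across all hazards and checks that sum against the single target the most exposed person must stay below. Only the SIL bands are taken from IEC 61508-1 (Table 2, low-demand mode, average PFD; ISO 26262 itself has no such quantitative bands); the highway-pilot hazards, demand rates, consequence probabilities and both ALARP thresholds are constructed for illustration.

```python
"""Per-hazard SIL targets vs the overall tolerable risk to the most exposed person.

Added example; not code from the original post. Only the SIL bands come from
IEC 61508-1 (Table 2, low-demand mode, average PFD). Every hazard, demand rate,
consequence probability and risk target below is constructed / assumed.
"""
import math
from dataclasses import dataclass

# IEC 61508-1 Table 2 (low-demand mode): the worst average PFD a safety function
# may claim for each SIL, i.e. SIL n buys a risk reduction factor of 10**n.
SIL_PFD_UPPER = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}


@dataclass(frozen=True)
class Hazard:
    name: str
    demands_per_year: float     # assumed: how often the hazardous situation arises
    p_fatal_given_event: float  # assumed: P(fatality to the exposed person | unmitigated event)


def unmitigated_risk(h: Hazard) -> float:
    """Individual risk (fatalities/year) to the exposed person with no safety function."""
    return h.demands_per_year * h.p_fatal_given_event


def required_sil(h: Hazard, target_per_hazard: float) -> int:
    """Smallest SIL whose worst-case PFD brings this single hazard below its target.

    Returns 0 when no safety function is needed (the QM-like, broadly acceptable case).
    Raises when even SIL 4 is not enough: that is the point where "other technologies"
    or "external risk reduction facilities" have to take part of the reduction.
    """
    rrf = unmitigated_risk(h) / target_per_hazard   # required risk reduction factor
    if rrf <= 1.0:
        return 0
    sil = math.ceil(math.log10(rrf))
    if sil > 4:
        raise ValueError(f"{h.name}: needs RRF {rrf:.0f}, beyond SIL 4; "
                         "external risk reduction required")
    return sil


def residual_risk(h: Hazard, sil: int) -> float:
    """Risk left after a SIL-rated function, using that band's worst-case PFD."""
    return unmitigated_risk(h) * (SIL_PFD_UPPER[sil] if sil else 1.0)


def alarp_region(risk: float, broadly_acceptable: float, tolerable_limit: float) -> str:
    """Classify a total risk into the three ALARP regions."""
    if risk <= broadly_acceptable:
        return "broadly acceptable"
    if risk <= tolerable_limit:
        return "tolerable"
    return "intolerable"


def assess(hazards, overall_target, broadly_acceptable, apportion):
    """Assign a SIL per hazard, then judge the SUM of residual risks against the
    one overall target. With apportion=False every hazard is given the overall
    target (a common mistake); with apportion=True the target is split equally."""
    per_hazard_target = overall_target / len(hazards) if apportion else overall_target
    sils = {h.name: required_sil(h, per_hazard_target) for h in hazards}
    total = sum(residual_risk(h, sils[h.name]) for h in hazards)
    return {
        "sils": sils,
        "total_residual": total,
        "region": alarp_region(total, broadly_acceptable, overall_target),
        "meets_overall_target": total <= overall_target,
    }


# Constructed highway-pilot hazards; all figures are assumed for illustration only.
HAZARDS = [
    Hazard("unintended lane departure", demands_per_year=5, p_fatal_given_event=0.03),
    Hazard("no braking for stationary obstacle", demands_per_year=2, p_fatal_given_event=0.1),
    Hazard("excess speed in curve", demands_per_year=10, p_fatal_given_event=0.009),
]
OVERALL_TARGET = 1e-4        # assumed tolerable individual risk, fatalities/year
BROADLY_ACCEPTABLE = 1e-6    # assumed lower boundary of the ALARP tolerability region

if __name__ == "__main__":
    for apportion in (False, True):
        result = assess(HAZARDS, OVERALL_TARGET, BROADLY_ACCEPTABLE, apportion)
        print("apportioned target" if apportion else "overall target used per hazard", result)
```

With the constructed figures, giving every hazard the full overall target yields SIL 4, SIL 4 and SIL 3, each hazard individually compliant, yet the summed residual risk (1.25e-4/year) lands in the intolerable region; apportioning the same overall target across the three hazards pushes the third one to SIL 4 and brings the total (4.4e-5/year) into the tolerable region. The equal split is the simplest apportionment and is itself an assumption; in practice the split would follow the discussions, advice and legal requirements listed above.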

Which value should we take as the safety target for an application, say a highway pilot (as an automotive example)? Should we take the lowest highway accident rate recorded anywhere in the world? Surely we will do our best in applying the measures prescribed by ISO 26262 for the corresponding criticality, and add on top measures from "other technologies" and "external risk reduction facilities", but when should we stop? I think this aspect will become increasingly important as semi- and fully autonomous driving are deployed more widely, because safety engineers will have to pay more attention to aspects beyond strictly "safety-related systems".