What Does it Mean for a Device to be Inherently Safe by Design?

Discover what it means for a medical device to be inherently safe by design and how human factors engineering and IEC-62366 standards address use-related risks.

December 2, 2024

By Charlotte Wickham  

Both the FDA’s Human Factors Engineering (HFE) guidance and the global HFE standard IEC-62366 list “inherent safety by design” as the most effective method of managing use-related risks associated with medical devices. In this article, we discuss what is meant by safety by design, provide examples of products that demonstrate it and explore how it can be implemented within medical device design.  

What does “inherent safety by design” mean?  

Risks are most effectively managed with inherent design safety. To consider how inherent design safety can be implemented, let’s first consider the different components of a use-related risk: use errors (actions or lack of actions), hazards (potential sources of harm), hazardous situations (situations that expose a person to the hazard) and harms (the outcome of the hazardous situation). These elements interact: hazardous situations arise from the combination of a hazard and a use error. For example, if a product has an exposed needle (the hazard) and the user recaps the needle (a use error), the result could be the user touching the needle while it’s exposed (the hazardous situation). In turn, the exposed needle can then lead to a needlestick injury (the harm).  

Inherent design safety must therefore eliminate the use-related risk at some point within this journey from hazard to harm. In some situations, it might be possible to remove the hazard altogether—e.g., by developing an oral version of an injected medication, or by using ultrasound (radiation free) instead of an X-ray (radiation emitting). In many situations, however, this simply isn’t possible, and a device’s hazardous elements are intrinsic to its operation. In these instances, inherent design safety can still be implemented and would consist of design features that (a) make a potential use error impossible, (b) prevent a use error from leading to a hazardous situation, or (c) prevent a hazardous situation from leading to harm. While this might seem challenging—given that risk mitigations alone can be difficult to implement in safety-critical domains—numerous products demonstrate that inherent safety is possible and does not need to burden the user. Here are some examples!   

Five examples of inherent safety by design 

One: United Kingdom (UK) electrical plugs  

While they might aggravate travellers by failing to align with the rest of Europe, UK plugs are an excellent example of safety by design. The deeper earth slot does not carry an electrical current and serves a safety purpose. When the earth prong is inserted, it opens shutters that guard the live and neutral ports. As such, it is incredibly difficult for someone to receive an electrical shock from a UK wall socket; the earth port does not carry a current, and the other ports cannot be accessed until the earth port is filled. Only by inserting a plug into the socket can the electricity be accessed. The use error “inserts object other than plug into socket” does not lead to the hazardous situation of contact between person, metal and live port. 

Two: Cover control systems  

I am frequently startled when, away from home, I reach for a light switch and accidentally turn on a dangerous and noisy in-sink waste disposal system. I much prefer cover control systems, where the blades can only be activated when the cover is firmly in place; the rotation of the cover is what turns the system on. This makes it impossible for a person to injure themselves on the moving blades. The safety feature prevents the hazardous situation “user touches moving blades” from arising. Microwaves are another example of a cover control system: They only operate when the door is shut.  

Three: Operator presence controls  

This is a switch that requires constant pressure from the operator. In many countries, including the United States (US), walk-behind lawn mowers must have an operator presence control. This is often located on the handlebar, and the levers in front of the handle must be continuously depressed for the blades to be activated. This makes it impossible for a lawn mower to run off by itself and into a person (a hazardous situation) and cause injury (a potential harm). If the user were to suddenly become incapacitated, they would release their grip on the levers, and the lawn mower would stop.  

Four: Cheques 

A potentially dated but interesting example of inherent safety is the redundant information required by paper cheques. In order for a cheque to be valid, the author must include the value in both numeral and written form (e.g., £100.00, one hundred pounds). This ensures that an incorrectly placed decimal or numerical error does not result in the inadvertent transfer of too much or too little money. Errors are much less likely to be repeated across two different formulations of a value—e.g., numerical and written form—and it is therefore highly unlikely that an incorrect value will appear twice on the same cheque. In this instance, the safety feature prevents the user from being able to proceed in the event of a use error because any discrepancy between the values invalidates the cheque.  
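The cheque rule is a redundancy check: two independently produced encodings of the same value must agree, and a disagreement blocks the transaction rather than paying either amount. The following Python is an added example of that check, not code from the article or from Emergo by UL. The written-amount grammar (UK pounds and pence, "and", hyphens, a trailing "only"), the vocabulary tables and the sample cheques are all assumptions constructed for this illustration.

```python
from decimal import Decimal, InvalidOperation

# Vocabulary for the written form ("one hundred pounds"); constructed for this example.
UNITS = {
    "zero": 0, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5, "six": 6,
    "seven": 7, "eight": 8, "nine": 9, "ten": 10, "eleven": 11, "twelve": 12,
    "thirteen": 13, "fourteen": 14, "fifteen": 15, "sixteen": 16,
    "seventeen": 17, "eighteen": 18, "nineteen": 19,
}
TENS = {"twenty": 20, "thirty": 30, "forty": 40, "fifty": 50,
        "sixty": 60, "seventy": 70, "eighty": 80, "ninety": 90}
MULTIPLIERS = {"thousand": 1_000, "million": 1_000_000}


def words_to_int(text: str) -> int:
    """Parse a spelled-out integer such as 'two thousand three hundred and forty-five'.

    Any token outside the vocabulary raises ValueError: an unreadable written
    form must fail the cheque rather than be silently guessed at.
    """
    total, current = 0, 0
    for token in text.replace("-", " ").lower().split():
        if token == "and":
            continue
        if token in UNITS:
            current += UNITS[token]
        elif token in TENS:
            current += TENS[token]
        elif token == "hundred":
            current *= 100
        elif token in MULTIPLIERS:
            total += current * MULTIPLIERS[token]
            current = 0
        else:
            raise ValueError(f"unrecognised word in written amount: {token!r}")
    return total + current


def words_to_amount(text: str) -> Decimal:
    """Parse 'one hundred pounds and fifty pence' (or just 'fifty pence') into a Decimal."""
    words = [w for w in text.lower().replace(",", " ").split() if w != "only"]
    pounds, rest = 0, words
    for unit in ("pounds", "pound"):
        if unit in words:
            idx = words.index(unit)
            pounds = words_to_int(" ".join(words[:idx]))
            rest = words[idx + 1:]
            break
    pence = 0
    if rest:
        if rest[0] == "and":
            rest = rest[1:]
        if not rest or rest[-1] not in ("pence", "penny", "p"):
            raise ValueError("expected a pence amount after the pounds")
        pence = words_to_int(" ".join(rest[:-1]))
        if pence >= 100:
            raise ValueError("pence must be below 100")
    return Decimal(pounds) + Decimal(pence) / Decimal(100)


def parse_numeral(text: str) -> Decimal:
    """Parse the numeral box, e.g. '£1,000.00' -> Decimal('1000.00')."""
    return Decimal(text.replace("£", "").replace(",", "").strip())


def cheque_is_valid(numeral: str, written: str) -> bool:
    """Both forms must parse and must agree; any discrepancy invalidates the cheque.

    A slipped decimal in one field ('£1000.00' against 'one hundred pounds')
    is caught here because the error is not repeated in the other encoding.
    """
    try:
        return parse_numeral(numeral) == words_to_amount(written)
    except (InvalidOperation, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample cheques: the second one carries the misplaced-decimal use error.
    for numeral, written in [("£100.00", "one hundred pounds"),
                             ("£1000.00", "one hundred pounds"),
                             ("£100.50", "one hundred pounds and fifty pence")]:
        print(f"{numeral:>10} | {written:<40} | valid={cheque_is_valid(numeral, written)}")
```

The design point is that the validator never picks a "winner" between the two fields: a mismatch, or a written form it cannot parse, is treated as a stop condition, which is exactly what makes the redundancy a safety feature rather than a convenience.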

Five: Platform screen doors  

Platform screen doors are an excellent safety feature being increasingly implemented within train stations, including underground lines. Within stations that use them, a floor-to-ceiling glass screen separates the platform (and the passengers) from the track. When the train has arrived at the platform, the location of the train doors aligns with the platform screen doors, which then automatically open. By only providing access to the train once it is stationary, platform screen doors protect passengers from the hazards of moving trains and empty tracks without hindering their ability to eventually board.  

Application to medical devices  

Similar safety features to those listed above can be, and have been, applied to medical devices. Many medical devices include operator presence controls. In radiation-emitting machines, such as X-ray and CT scanners, this ensures the operator is behind the radiation shield before the device is activated, preventing repeated exposure to radiation.  

How to implement inherent design safety  

To most effectively manage risks with inherent safety, aim to implement safety features that are:   

  • Impossible to circumvent. Sometimes mitigations fail because users find shortcuts or workarounds. They skip through warnings without reading them. They write down their passwords, negating the effectiveness of security measures. They copy and paste entries that require repetition (e.g., “Confirm your email address”). Inherent safety measures should not be able to be bypassed.  

  • Aligned with user goals. In many of the above examples, the safety measure is aligned with the user’s goal or the device’s mode of operation. Combining the waste disposal cover with the on/off switch is clever because placing the cover also limits mess and noise. Placing the lawn mower’s operator presence control on the handle is clever because the handle is used to push the lawn mower, and users will be gripping it anyway. These safety elements therefore do not burden the user with additional or seemingly unnecessary steps.  

  • Apparent to the user. This is another reason why aligning safety measures with operation modes is beneficial—a user is unlikely to overlook the safety levers on a lawnmower’s handle because they must hold the handle to push the lawnmower. If the safety measure is inconspicuous or exists outside of the device’s workflow, users might overlook it. Safety features should not cause users to stare at their device, wondering why it is not working or will not turn on.  

Reflecting inherent safety within your use-related risk assessment 

The decision whether to reflect risks managed by inherent design safety within your use-related risk assessment (URRA) will depend on the point at which the safety-ensuring design feature prevents the harm from occurring. In the rarer instances where a hazard has been removed completely (i.e., by formulating the device to not require a hazardous component), this hazard no longer needs to be reflected within the URRA.  

However, if the design feature ensures safety by preventing a use error or preventing a use error from leading to a hazardous situation, we certainly recommend including these risks within your URRA. The safety feature can be listed as the mitigation for that risk. This is an area where columns for pre- and post-mitigation risk levels are beneficial, because you can reflect the significant reduction in risk likelihood ratings that the safety feature ensures. We encourage this approach because it allows you to:  

  • Select your critical tasks appropriately. Regulatory guidance (e.g., the FDA’s, IEC 62366) asks you to identify your critical tasks based on severity, rather than likelihood. This is partly because the likelihood of use-related risks is difficult to accurately determine (people are unpredictable!) and partly because even very rare instances of harm should be prevented. In line with this approach—i.e., severity over likelihood—risks that have been eliminated should still be included within your URRA because, depending on their severity, you might still need to include them as critical tasks within your HF validation test.  

  • Evaluate your inherently safe design features. While it might seem clear to the designers and manufacturers that a risk has been eliminated by a design feature, you still need to demonstrate to yourselves and regulators that the design feature works as intended and cannot be circumvented by users. Including eliminated risks within your URRA ensures they are, when appropriate, included in your HF validation test, where you can validate their effectiveness.  

  • Document your HF validation findings in full. Inherently safe designs can still lead to close calls and difficulties. A user might attempt an action that the safety feature prevents or have difficulty understanding the purpose or requirements of the safety feature. Including risks addressed with an inherent safety by design approach within your URRA allows for traceability between your URRA and the findings within your HF validation test, which regulators require.  

  • Compile a complete record of your mitigations. Including a risk that has been eliminated or almost entirely eliminated through an inherent design safety approach within your URRA ensures that the associated design feature gets documented. As discussed, inherent safety by design is the best form of risk mitigation, and regulators view it as such. Demonstrating the presence of inherent design safety helps you tell a story of rigorous risk management, which is one of the things that regulators want to see. Moreover, if you have “designed-out” a certain risk, that is excellent practice, and you should take credit for it.  
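As an added illustration (not code from the article or from Emergo by UL), the Python model below shows how a URRA table can carry the pre- and post-mitigation columns recommended above while still selecting critical tasks on severity alone, so that a risk whose use error has been designed out stays in the table, traced to its mitigation, while a hazard removed from the product altogether is left out. The severity and likelihood scales, the row fields, the severity-times-likelihood index and all four sample rows (including the hypothetical passive needle shield) are assumptions constructed for this example, not a regulatory scheme.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Severity(IntEnum):          # constructed four-point scale
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4


class Likelihood(IntEnum):        # constructed scale; ELIMINATED is the
    ELIMINATED = 0                # post-mitigation rating for a use error or
    REMOTE = 1                    # hazardous situation the design makes impossible
    OCCASIONAL = 2
    PROBABLE = 3


@dataclass
class UrraRow:
    task: str
    use_error: str
    hazard: str
    hazardous_situation: str
    harm: str
    severity: Severity
    pre_likelihood: Likelihood
    mitigation: str = ""
    post_likelihood: Optional[Likelihood] = None
    hazard_removed: bool = False  # True when the hazard itself no longer exists in the product

    def risk(self, post: bool) -> int:
        """Severity x likelihood index for the pre- or post-mitigation column."""
        likelihood = self.pre_likelihood
        if post and self.post_likelihood is not None:
            likelihood = self.post_likelihood
        return int(self.severity) * int(likelihood)


def build_urra(candidates: List[UrraRow]) -> List[UrraRow]:
    """Keep every row whose hazard still exists, however completely the design
    prevents the use error; drop only rows whose hazard was removed altogether."""
    return [row for row in candidates if not row.hazard_removed]


def select_critical_tasks(urra: List[UrraRow], threshold: Severity = Severity.SERIOUS) -> List[str]:
    """Severity over likelihood: a task is critical when its harm is severe enough,
    even when the post-mitigation likelihood is ELIMINATED."""
    return sorted({row.task for row in urra if row.severity >= threshold})


def validation_trace(urra: List[UrraRow]) -> Dict[str, List[Tuple[str, str]]]:
    """For each critical task, the (use error, mitigation) pairs the HF validation
    test must exercise, giving the URRA-to-findings traceability regulators ask for."""
    critical = set(select_critical_tasks(urra))
    trace: Dict[str, List[Tuple[str, str]]] = {}
    for row in urra:
        if row.task in critical:
            trace.setdefault(row.task, []).append((row.use_error, row.mitigation))
    return trace


# Constructed sample rows; device details and ratings are illustrative only.
CANDIDATE_ROWS = [
    UrraRow("Administer injection", "Recaps the needle after use", "Exposed needle",
            "Finger contacts exposed needle", "Needlestick injury",
            Severity.SERIOUS, Likelihood.PROBABLE,
            mitigation="Hypothetical passive shield locks over the needle on withdrawal, so recapping cannot occur",
            post_likelihood=Likelihood.ELIMINATED),
    UrraRow("Acquire X-ray image", "Triggers emission while still beside the patient", "Ionising radiation",
            "Operator stands in the beam path during emission", "Radiation exposure",
            Severity.SERIOUS, Likelihood.OCCASIONAL,
            mitigation="Operator presence control mounted behind the radiation shield",
            post_likelihood=Likelihood.ELIMINATED),
    UrraRow("Clean device housing", "Uses an unapproved wipe", "Incompatible cleaning agent",
            "Housing exposed to solvent", "Cosmetic discolouration",
            Severity.NEGLIGIBLE, Likelihood.OCCASIONAL,
            mitigation="Approved wipes listed in the instructions for use",
            post_likelihood=Likelihood.REMOTE),
    UrraRow("Take medication", "Self-injects incorrectly", "Injection-related hazard",
            "n/a", "n/a", Severity.SERIOUS, Likelihood.OCCASIONAL,
            mitigation="Oral formulation replaces the injection", hazard_removed=True),
]


if __name__ == "__main__":
    urra = build_urra(CANDIDATE_ROWS)
    for row in urra:
        print(f"{row.task:<24} severity={row.severity.name:<10} "
              f"pre={row.risk(post=False)} post={row.risk(post=True)}")
    print("critical tasks:", select_critical_tasks(urra))
    print("validation trace:", validation_trace(urra))
```

Run as a script, the table shows the two serious rows dropping from risk 9 and 6 to 0 after mitigation while both remain critical tasks, the negligible cleaning row never becomes one, and the oral-formulation row is absent from the URRA entirely.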

Conclusion  

Inherent design safety is the most effective method of managing risks and can be integrated into devices in a manner that does not burden the user. Including such features supports compelling risk management documentation, reduces HF validation findings, simplifies residual risk analyses and—most importantly—eliminates or greatly reduces the chances of harm.  

Contact our team to learn more about managing your device’s use-related risks. Or, sign up for a complimentary account with OPUS, our team’s software platform that provides use-related risk tools, trainings and templates.  

Charlotte Wickham is a Senior Human Factors Specialist at Emergo by UL.   
