
Designing safety-critical devices – understanding user error to meet user needs

24 Oct 2011

Team Discussion

Multiple authors

Given the ubiquity of electronic devices in every aspect of daily life, users look for the same functionality in medical devices, even those which are safety-critical. But as added technology can also increase the risk of human error, careful design is required to ensure patients remain safe no matter how a device is used.

Safety-critical devices are those which can cause serious harm to a patient – even death – if used incorrectly, and range in scope and complexity from a robot-controlled surgical tool to an insulin pump. As more and more therapies, devices and interventions migrate from hospital clinic to doctor’s surgery – and then into the home – safety-critical devices are increasingly being used by both trained medical staff and patients.

Recent developments in electronics are accelerating progress in this sector, allowing much more sophisticated functionality to be incorporated even into hand-held or body-worn devices. From a clinician’s point of view, electronics make devices much more intelligent, efficient and effective, providing greater levels of control and accuracy. The opportunity to log data across a huge range of parameters leads to a much better understanding of ongoing therapeutic use and efficacy, and can also be used to monitor user compliance and ease medical practitioner workload, improving efficiency even further.

Increasing user sophistication

Such impressive functionality is paralleled across a wide range of consumer products and as a result users across the healthcare spectrum – from hospital consultant to housebound patient – are increasingly technologically sophisticated. They now expect to see functionality such as touch screen operation or wireless connectivity on medical devices, features which undoubtedly improve user experience and user acceptance, driving market share for devices that meet user expectations in a desirable package.

But the use of electronics in safety-critical device design demands specialist expertise and a thorough risk analysis, especially as some of these risks can have far more serious consequences than in similar non-critical devices. For example, electronic devices need power sources, and as a power failure in a safety-critical device could result in death, battery technology has to be understood and contingencies identified if and when power is unavailable. Many devices now use wireless technology to enable continuous patient monitoring or data flow, irrespective of location. But what happens if the device enters a Wi-Fi blackspot – how will a loss of data transmission affect function? There are also risks when increasing functionality within the same device, especially when some functions are controlled by SOUPs – software of unknown provenance. Although using pre-written code is a perfectly valid strategy, especially for well-established or proven functions, there can be unexpected consequences when different SOUPs work together, and these need to be identified and any adverse effects isolated.

Controlling user error

But over and above the many technological risks, the primary cause of electronic device malfunction is user error. An essential step in risk assessment is therefore to understand all the different ways users could interact with a device, and the associated risks. For example, it is highly unlikely – although not impossible – that a safety-critical device is exposed to extreme climatic conditions for any length of time; it is highly likely, however, that a user will push the wrong button when operating the device, and this risk increases dramatically as more functionality is provided, giving the user – to put it simply – more buttons to press.

This risk analysis soon shows that the GUI (graphical user interface) is one of the most important aspects of safety-critical device design. At one level, it must satisfy a whole raft of user demands while remaining relatively easy to understand and operate, especially when used by patients or staff with limited clinical or technical knowledge. Functionality must be clear, responses or results presented unambiguously, and the device must continue to work despite the many different patterns of operation users can adopt (as it’s not unusual for users to persistently operate a device incorrectly if the right result is eventually achieved). Understanding users is always important in device design, but in a safety-critical context it becomes an imperative, especially if impressive functionality actually makes the device more confusing, thereby almost guaranteeing human error.

At Team Consulting, we have responded to this issue by creating a design methodology which separates the GUI into two distinct function types – safety-critical medical functions and user-focused functions.

Safety-critical functions control aspects such as essential power and memory, crucial sensor operation, and vital outputs, such as drug delivery, pacemaker operation or location tracking. User-focused functions encompass all the non-critical added extras – extended data management, wireless connectivity, touch screen displays and so on.

Safety-critical functions are controlled by a minimum of unambiguous buttons, which only the most determined operator could bypass to compromise patient safety, and these buttons are completely separated from user-focused functions. If wireless connectivity is lost, for example, or the touch screen fails to work, the safety-critical functions will not be affected, and nor will the patient. The result is a device which features all the functionality which users want, but which also protects them from potential errors.
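
The same separation can be carried into firmware. The C code below is an added example, not Team Consulting's own code: a safety-critical core that takes rate proposals from the user-focused side only through a bounded interface, applies them only on a dedicated confirm button, and keeps delivering when the user-focused side stops responding. All names, limits and the infusion-style device are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed limits for a hypothetical infusion-style device. */
#define RATE_MIN   100u   /* microlitres per hour */
#define RATE_MAX  5000u
#define STEP_MAX   500u   /* largest change accepted per request */

typedef struct {
    uint32_t rate;     /* rate being delivered now */
    uint32_t pending;  /* proposal awaiting confirmation, 0 = none */
    bool ui_healthy;   /* informational only; never gates delivery */
} safety_core_t;

void core_init(safety_core_t *c, uint32_t initial) {
    c->rate = initial;
    c->pending = 0;
    c->ui_healthy = true;
}

/* Entry point for the user-focused domain (touch screen, wireless):
 * it may only propose a rate, and only inside fixed bounds. */
bool core_propose(safety_core_t *c, uint32_t rate) {
    uint32_t delta = rate > c->rate ? rate - c->rate : c->rate - rate;
    if (rate < RATE_MIN || rate > RATE_MAX || delta > STEP_MAX)
        return false;
    c->pending = rate;
    return true;
}

/* Called only from the dedicated hardware button handler. */
bool core_confirm(safety_core_t *c) {
    if (c->pending == 0)
        return false;
    c->rate = c->pending;
    c->pending = 0;
    return true;
}

/* Periodic tick: a missing UI heartbeat discards unconfirmed proposals,
 * but delivery continues at the last confirmed rate. */
uint32_t core_tick(safety_core_t *c, bool ui_heartbeat) {
    c->ui_healthy = ui_heartbeat;
    if (!ui_heartbeat)
        c->pending = 0;
    return c->rate;
}
```

The user-focused code never writes the delivered rate directly, so a hung touch screen or a dropped wireless link can at worst lose an unconfirmed proposal.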

As with all device design, many stages exist between concept and delivery, not least testing and regulatory approval. But by placing the user at the heart of the development process from the outset, the resulting safety-critical device will meet user expectations more effectively and in so doing, make faster progress towards regulatory approval. This in turn means a faster return on investment, but also – most importantly – results in a device better able to maintain patient safety during operation.
