Design Principles for Manual Safety Systems

March/April 2013
Human Factors

Safety systems can be added to a wide variety of medical devices ranging from relatively simple sharps protection for scalpels and syringes to the most complex systems, such as multi-parameter monitors and ventilators. In general, added safety takes one of two forms. The first is when the technology is made inherently safer as a result of eliminating or mitigating hazards at the most fundamental level. The second is when technological safety elements are added to the design in order to prevent a variety of use errors. This second category includes designs in which safety procedures are made an integral and more-or-less unavoidable part of the design of the device. One example is an interlock or lock-out system in which a step in a procedure cannot be accomplished unless the added safety-related step is done first. A pump might have a design in which a “flush” button cannot be pressed while an infusion rate is set to other than zero. This would prevent the flush function from being operated when the pump was running. Note here that “more-or-less unavoidable” leaves open the possibility that users, for whatever reason, might be able to defeat an interlock if they were determined to do so.

Another kind of safety feature is one in which the operation of the safety element is technically optional in that the device can be used even if the safety step is skipped. This type of design is fundamentally less desirable than an automatic safety feature, yet it is often what is provided. When this is the case, it is essential that the design of the device facilitate proper and consistent use of the safety mechanism, without unduly interfering with the clinical use of the device, and without introducing new hazards. Manually set alarm limits are one example of this type of device, as is the consistent and safe use of a manually operated sharps safety system. In this regard, it must not only be theoretically possible to include the safety-related steps; this must also be practically realizable in the real world of device utilization given all of the challenges that beset healthcare workers.

Features that Facilitate Proper Use
Important features of manually operated safety devices include the overlapping attributes of intuitiveness, obviousness of activation, consistency with means of use, consistency with the environment of use, consistency with performance of primary task, and ease of use.

Intuitiveness. The best manual safety devices are ones in which the means to achieving safety is obvious to the user because it is intuitively clear. This both minimizes training requirements and facilitates effective use. Here, intuition should be based on realistic, general experience and at least some specific training, rather than being thought of as an inherent and reliable human capability. In addition, the design should not be contrary to general human expectations, and the remaining hazards or new hazards should also be clearly discernible and easily controlled. Truly intuitive design allows what needs to be done to be clear and practically applied. When this is the case, proper use will be remembered and applied for every application of the device. In this regard, compliance with the activation of safety mechanisms has sometimes been found to be a problem with some designs, including users not activating or even removing safety features when they perceive them to be in the way and not otherwise helpful. Another aspect of intuitiveness applied to safety syringe design is that activation of the safety mechanism is best accomplished without direct visualization.

Obviousness of activation. When a safety feature of a device has been activated, it is good design if this can be determined with minimal effort both by the direct user and by others. A culture of expectation around the proper use of safety measures, associated observations, and a willingness to speak up when lack of safety is perceived are all supported by the obviousness of safety or the lack thereof. In addition, a culture of accepting, if not welcoming, others’ observations can add to the actual achievement of safety. It also should be noted that obviousness helps protect against false reliance on a safety system that has not actually been activated.

Consistency with means of use. Safety features can be broadly divided into 1) those that are consistent with and a natural part of using the device, and 2) those that require some new, unrelated action in order to activate the safety feature. The closer a design is to the former, the greater is the expectation that the safety feature will be consistently and properly used. In addition, such consistency minimizes training needs and the temptation to skip or avoid extra and different steps necessary to activate the safety mechanism.

Consistency with the environment of use. The design of a safety feature should take into account how the device is actually used in practice, including what other tasks the user will be engaged in at more-or-less the same time that they are trying to activate the safety feature. Multitasking under demanding conditions is often the reality of clinical use and cannot be ignored if actual safety is to be achieved. Here also the existence of a safety feature that could be used must be distinguished from a safety feature that will actually be used.

Consistency with performance of primary task. The device, along with its safety features, has to be reasonably easy to use to perform its primary task, and it must perform this task consistently. If the safety feature interferes with primary performance, as it can with ill-conceived add-ons, then the overall hazard might be increased rather than decreased. If such a safety feature can be removed, the likelihood increases that this “work-around” will occur. This would eliminate any actual achievement of increased safety, even though a so-called safety device had been provided.

Ease of use. It is certainly desirable that medical devices be as easy to use as their complexity allows. If a safety feature is difficult to activate, then it is less likely to be used. When the use of an overly difficult safety feature does not occur, it is not helpful to simply admonish the user and note what they could—and should—have done.

Many safety features are added to devices to address errors made during use of the device and, therefore, reflect adding safety rather than simply blaming the user for mistakes. Thus, there has been a shift from blaming the user to recognizing that new designs were needed to overcome use issues. In short, blame was discarded in favor of actually mitigating the hazard. This is consistent with the general hierarchy of the preferred means for addressing system hazards. The first choice is to eliminate the hazard, followed by guarding against the hazard or, where appropriate, adding automated warnings about the hazard. The last choice is to train and retrain the workers. This is the last choice because it is known to be relatively ineffective.

Assessment
The above principles are applicable to the designers of medical devices in that they should be applied during product development in order to create devices that are truly capable of being used safely, and which actually will be used safely. The principles are equally applicable during the selection of devices as a check against the design performance of the vendor. In particular, it is important to distinguish between what the design is capable of if used to theoretical perfection, and what will be the realistically expected performance. For this purpose, a checklist format is shown in Table 1.

Table 1. Design Attributes

Actual Use Experience
Having provided or purchased a design with a feature intended to mitigate a hazard, it is then appropriate to determine if this feature is properly used and actually does reduce that hazard. This question is distinct from whether it might reduce the hazard if perfectly and consistently performed. In addition, it is appropriate to determine if the safety feature itself has introduced new hazards.

If injuries, close calls, or non-use are identified with a device that is supposed to have a safety feature, it is then appropriate to determine why the safety device failed to provide the intended protection. If the conclusion is that it was the user’s fault as a result of not using the safety feature correctly, then we are back to blaming the user for the problem that the design was supposed to prevent. If users could overcome the hazard without the need for a safety feature, then the unprotected device would be as safe as the protected one. But because this is presumably not the case, which is the basis for the new design and its expected use, it is illogical and counter-productive to assume that users should always use the new design perfectly regardless of the design of its use.

What may be a better conclusion in many cases is that the design of the manually operated, functionally optional safety feature is such that it is an unrealistic expectation that it can and will be actually used as intended, unless there is very strict and controlling supervision. However, here also, if there were such supervision, the safety feature would not be needed in the first place.

Conclusion
Medical devices with manually operated safety features that can be skipped over without preventing the function of the device present a specific human factors challenge with respect to real-world usability of the intended safety feature. This challenge is to make the use of the safety feature simple, intuitive, and safe. Merely creating a safety feature that could potentially be used is not adequate and presents a superficial appearance of safety without its actuality.

William Hyman is professor emeritus of biomedical engineering at Texas A&M University. He now lives in New York where he is adjunct professor of biomedical engineering at The Cooper Union. Hyman may be contacted at w-hyman@tamu.edu.