How Design Keeps You From Screwing Up—and Prevents Disaster When You Do Anyway

A look at defensive—or foolproof—product design.

By Lena Groeger

A coffee grinder that only works when the lid is on. An electrical plug that only fits into an outlet one way. Fire doors that stay unlocked in an emergency.

Lots of everyday objects are designed to prevent errors — saving clumsy and forgetful humans from our own mistakes or protecting us from worst-case scenarios. Sometimes designers make it impossible for us to mess up, other times they build in a back-up plan for when we inevitably do. But, regardless, the solution is baked right into the design.

This concept has a lot of names: defensive design, foolproof, mistake proof, fail-safe. None is as delightful as the Japanese poka-yoke.

The idea of the poka-yoke (which means literally, “avoiding mistakes”) is to design something in such a way that you couldn’t mess it up even if you tried. For example, most standard USB cables can only be plugged into a computer the correct way. Not to say you would never attempt to plug it in upside down, but if you do, it simply won’t fit. On the other hand, it’s easy to reverse the + and – ends of a battery when you replace them in your television remote. The remote’s design provides other clues about the correct way to insert the batteries (like icons), but it’s still physically possible to mess it up. Not so with the USB cable. It only fits one way, by design.

Many consumer coffee grinders are another example of a design that physically prevents you from messing up. Even if you wanted to, you could not chop your fingers on the blade, because the “on” switch for the grinder is triggered by closing the lid (as opposed to a blender, which leaves its blades easily accessible to stray fingers).

The humble coffee grinder that only works when it’s closed. (Photo: arvind grover/Flickr)

Foolproof design can also save your life. The mechanical diver’s watch is designed with a bezel that spins in only one direction. It functions as a simple timer that a diver can use to know how much oxygen is left in the tank.

In a blog post about resilient design, designer Steven Hoober describes how this smart design can prevent disaster:

If the ring were to get bumped, changing its setting, having it show less time might be inconvenient, but its going the other way and showing that you have more time than you do might kill you. You don’t even need to know how it works. It just works.

The diver watch will never show you more time than you actually have left underwater. (Photo: Naka7a/Flickr)

Foolproof measures can be found throughout Web design (although perhaps without the life-saving part). Ever fill out an online form incorrectly and only found out because you could not progress to the next step? That’s a conscious decision by a designer to prevent an error. In this case, from Yahoo, it’s even a chance to insert a little humor:

Yahoo’s humorous design prevents you from being born in the future. (Photo: UXmas)

Sometimes, design cannot prevent you from messing up (we humans somehow always figure out a way to do things wrong). But it can still make it harder for you to do the wrong thing. This type of design is not exactly foolproof — more like fool-resistant.

Child-resistant safety caps on medicine bottles, for example, keep kids from accidentally overdosing. A water dispenser that makes you push an extra button or pull up a lever to dispense hot water makes it harder for you to accidentally scald yourself. Neither of these designs are as foolproof as the coffee grinder. But they do put an additional step between you (or your child) and disaster.

We see these features quite often on our computers. Most of us are familiar with the “Are you sure?” messages before you empty the trash or the “Do you want to…” before you replace a file with another one by the same name. These alerts certainly don’t prevent us from making a mistake (in fact, we probably ignore them most of the time), but their purpose is to slow us down.

These pop-up messages put a small step between you and the loss of precious files.

Designers have also come up with more elaborate confirmation steps. For instance, Gmail will detect whether you’ve used the word “attached” in an email you’ve written and, if you try to send it without an attachment, will ask you if you meant to include one. Github, a popular website used by software developers to collaborate on code, forces you to type the full name of the project in order to delete it.

Github makes it harder for you to accidentally delete your projects, by design.

Most of these examples work by forcing your attention to the task at hand, breaking your autopilot behavior and making you really consider what you are about to do. Design details don’t make it impossible to screw up, but they certainly make it a little bit harder.

Still other designs revolve around keeping your information secure. Your computer may prompt you for a login if you’ve left it idle for a few minutes, preventing someone else from seeing or stealing sensitive information. Smartphones often do the same thing, requiring a passcode to re-enter. Some Web browsers will prevent you from downloading certain files, and your computer’s operating system may ask you if you are sure you want to open a program you got from the Internet. Connect a smartphone to a new computer and it may ask you to confirm that this computer can be trusted. These security measures don’t prevent you from doing dangerous things, but try to prevent a potential horrible outcome due to careless mistakes.

Let’s say it’s too late to prevent the error: The mistake has occurred, the failure has happened. What now? This is where fail-safe design comes in. Fail-safe design prevents failure from becoming absolute catastrophe.

In some cases, it’s the system (or environment) that has failed. In the event of a fire, fire doors are required by law to fail unlocked, so that people can escape a burning building. On the other hand, if you need to protect state secrets or cash in a bank vault, you’d probably want a fail-secure system for those doors, which would fail locked.

Circuit breakers cut the power if an electrical current gets too high. Elevators have brakes and other fail-safe systems that engage if the cable breaks or power goes out, keeping the elevator from plummeting to its passengers’ death.

In other instances, it’s our own human error that the fail-safe system is designed for. SawStop is a table-saw safety technology that automatically shuts off a spinning saw blade if it comes in contact with flesh. The blade has a sensor that can detect whether it’s a piece of wood or your finger, using the same property (electrical conductivity) that makes a touch screen sensitive to your bare fingers but not to your gloves. In less than one thousandth of a second, the saw blade will shut off, giving you in the worst case only a small nick (rather than removing your thumb). Don’t believe this could work so fast? Watch this video:

Some industrial paper cutters are designed to shut off if they detect motion nearby (presumably a hand getting too close to the blade). Similarly, many automatic garage doors will stop closing if they sense something, or someone, in the way.

Another well-known fail-safe measure is the dead man’s switch. The dead man’s switch kicks in when a human in charge lets go of the controls — or dies, as the name implies. In the event of an accident (say, a train operator has a heart attack), the dead man’s switch can prevent harm to all the passengers by stopping the train.

This actually happened a few years ago on the New York City subway, when an Metropolitan Transportation Authority employee had a heart attack on the G train. His hands lost grip of the controls, the brakes were activated, and the train slowed to a stop.

The dead man’s switch is also a common device in lawn mowers and other equipment that require you to continually hold down a lever or handle to operate. As soon as you let go, the motor stops. United States law actually specifies that all walk-behind lawn mowers come equipped with such a switch that stops the blade within three seconds of a user releasing her grip.

In software, absolute catastrophe often means losing your work, your files, that long heartfelt email you worked so hard on. So many fail-safe designs revolve around letting you undo actions or automatically saving work in the background as you go along. Auto-saving Google Docs are a vast improvement over other word-processing programs that can lose hours of work with a single crash or loss of power. Web browsers like Chrome can restore all your tabs if you accidentally close a window (even if you’d rather declare tab bankruptcy).

Finally, we have the last-ditch, 11th-hour design solution to keep you safe from the worst of the worst: The back-up.

A back-up parachute is perhaps the most dramatic of all back-up devices, but many things in the real world are designed to have similar built-in redundancies. Cars have two sets of brake circuits (not to mention a spare tire). Airplanes have multiple redundant control systems. Emergency stairwells have lights that work on battery power if the building’s electricity goes out. On computers, backing up your photos or making a copy of a file before editing it is just common sense.

Back-up parachutes: don’t leave home without ’em. (Photo: mopteek/Flickr)

In the end, nothing humans build or even touch will ever be free from error. Luckily, designers work tirelessly to save us from our mistakes. And in many cases, we don’t have to know how the poka-yoke works. It just works.

||

This story originally appeared on ProPublica as “Too Human (Not) to Fail” and is re-published here under a Creative Commons license.

Related Posts