The CPSC Releases Framework of Safety for the Internet of Things

The rapidly developing technology of interconnected software allows consumers to reach new heights of convenience and efficiency. We can start our dinner remotely, listen to our music in every room in the house, track and log our heart rate and step count, and program our coffeepot to be ready for us in the morning. This technology sometimes is called the Internet of Things (IoT), which describes the interconnectedness of devices via the internet. These devices can exchange data between themselves to coordinate a variety of helpful functions. While this technology is exciting and signifies many positive new directions for consumer products, manufacturers should be aware of the potential risks that come with creating such products.

To that end, the U.S. Consumer Product Safety Commission (CPSC) released a Framework of Safety for the IoT (the CPSC Framework) in January 2019. The CPSC Framework provides “technology-neutral best practices to ensure consumer product safety” and to prevent “death, physical injury or illness” resulting from the use of IoT products. It is not intended to address privacy or confidentiality. While general in tone, the CPSC Framework is intended to assist with an “active approach” to safety rather than a reactive one in this quickly growing industry.

Components of the Framework

First, the CPSC Framework articulates the roles and responsibilities of manufacturers and retailers of IoT products, including a duty to perform “safety guidance activities and procedures” from concept through all major development milestones, and to anticipate safety concerns as new capabilities are added. Manufacturers and retailers also are expected to designate a “qualified safety supervisor” for every product, product component and software to monitor and encourage a culture of safety and security. The CPSC emphasizes that consumer safety “requires a coordinated effort among all professionals developing a product” and “requires a corporate receptivity to external reports of defects, flaws, vulnerabilities, malfunctions and compromises.”

Second, the CPSC Framework provides recommended steps for manufacturers to consider when developing IoT products. Chief among them, manufacturers should analyze the likelihood of injury, illness or death for each expected function a product will perform, including failure modes, power losses, foreseeable tampering or code defects, malfunctions and hacking. These assessments should include considerations of end users including children and the elderly, an assessment of the product’s expected installation environment (such as a home, a garage, etc.), and unintended interactions of the systems in their foreseeable installation environments. Further, the possibility of corruption of data, failure to load critical software updates, unintended activation of a system at an inappropriate time or failure to operate a critical safety function are all potential pitfalls that manufacturers should include in their risk assessments.

Another step in making the necessary evaluations requires that each component part be evaluated for “safety criticality” – in other words, how critical it is to the safe operation of the product. Components identified as critical for safety must be “subjected to controls concomitant with their level of importance to safety.” In addition, such safety criticality evaluations should be documented throughout development so that changes to the design of software and/or hardware are not overlooked.

Recommended Countermeasures

If the safety evaluation reveals safety concerns, a manufacturer should address them with effective countermeasures. The CPSC Framework includes a number of recommended countermeasures, which are concomitant with the assessed risks of each product.

Countermeasures include:

  • Certification of components critical to safety through the appropriate industry standard, rule or best practice associated with it
  • Warnings should be relied upon only when elimination of a hazard or a guarding strategy is not feasible
  • Parental controls
  • User authentication and confirmation
  • Redundant safeguarding – physical rather than software safeguards when possible
  • Information security – follow best practices for data protection
  • Ensure consumers receive adequate information for competent tracking, so devices can be identified during recalls or product safety announcements
  • Transparency around consumer data collection
  • Transparency about expected lifespan

Finally, the CPSC Framework addresses special product types that might require additional safeguarding. One special product type with a rapidly expanding market is “wearables” – devices that are worn on or in the body. Possible risks include sensitive health information security breaches, burns, toxic exposures, allergic reactions, ingestion hazards, sweat, environmental isolation of a user’s senses and potential for user distraction during safety-critical activities.

Summary

Addressing possible defects and vulnerabilities in a product that ultimately will be a part of the IoT will ensure that manufacturers minimize their own risk while keeping pace in a rapidly changing industry. The CPSC Framework is nonbinding, but represents “the beginning of a conversation about injury prevention in this area.” The CPSC does have authority to issue binding, formal rules under the Consumer Product Safety Act, and its Framework may be a precursor to more formal regulation in this growing industry.