The DIY artificial pancreas: Who is liable if something goes wrong?

Published: Posted on

In this post we sketch out different parts of the ‘looping’ ecosystem and start to consider the issue of liability if something should go wrong.

In a series of posts, we have been looking at the use of DIY Artificial Pancreas Systems (DIY APS or ‘looping’). These systems – made up of an insulin pump, a continuous glucose monitor (CGM), and an app on a smartphone or small computer – have been developed in order to reduce the burden of living with type 1 diabetes. Users of DIY APS (‘loopers’) report a number of benefits, including reduced blood-glucose levels, improved time in range, reduced hypoglycaemic episodes, better overnight control, reduced anxiety surrounding sleep, and reduced time spent doing diabetes control-related tasks such as checking blood glucose levels and calculating insulin doses.

DIY APS are not produced by commercial companies nor have they been through the usual medical devices regulatory processes. DIY APS technologies are the result of a community of people with diabetes working collaboratively to write and share code with each other. The development of DIY APS takes place in an ecosystem or network of different actors contributing different amounts to the process. As is the case in many group projects, it is difficult to separate one person’s contribution from another’s.

Something we want to do in the coming months is to think about what the legal situation would be should something go wrong as a result of looping. Who, if anyone, would (should) be held liable for harms arising from using DIY APS? As will become apparent, answering this question is surprisingly difficult and we don’t even attempt to answer it here. Instead we simply begin to sketch and map out different parts of the looping ecosystem.

Tracing Liability

As already noted, the initial and continuing development of DIY APS is a collaborative community effort. It is driven and supported by highly motivated, expert, and technologically skilled people. In many situations, determining who has contributed to particular parts of technological projects may not be much of a problem. However, DIY APS development involves numerous actors at different stages. Some of these stages include the development of algorithms and code, testing the system, making the tools available to others to build the system, and the implementation and running of the final built system.


The first group who could potentially be held liable are the programmers who developed the code. There is some attempt by programmers to avoid the liability question by stating that people use the code at their own risk and that they will not be held liable for any harms that arise from using it. For example, the OpenAPS website says:

By proceeding to use these tools or any piece within, you agree to the copyright for more information; and the full README here and release any contributors from liability, and assume full responsibility for all of your actions and outcomes related to usage of these tools or ideas.

The problem is that it is not clear under UK law that people can absolve themselves of liability that easily. In order to think about this we need to ask some probing questions: Do developers have duties under tort law? If so, what might these be? How would a duty of care arise? What are the causation issues?

Distributors of code

As DIY APS is not an off the shelf solution, users need to download the instructions for setting it up from the internet. It could be argued that people who help to distribute the code by hosting it on their own websites ought to maintain partial responsibility for allowing others to use their platforms. Could any liability attach to software repositories such as GitHub where code, e.g. OpenAPS, is hosted? What about the APS websites themselves, which host code and extremely detailed build instructions?

Build Workshop Helpers

Building your own DIY APS is technically difficult. To help new users get started, members of the looping community host ‘build workshops’ where more experienced users are on hand to advise (but not physically help) new users on how to set up the system. Could the helpers at these workshops be liable for any harms that occur? If so, what would be the basis of such liability?


Loopers create their DIY APS using commercially available medical devices (i.e. insulin pumps and CGMs). There are potential issues of liability for manufacturers who do not take steps to stop users from using their devices in a way that they are not intended to be used (e.g., by issuing a recall, making the device communication protocols secure, or not making it explicit in device instructions whether or not their device can be used with 3rd party apps).

What liability, if any, could attach to the manufacturers of insulin pumps used for looping? What parallels are there with unintended use of other products within UK jurisdictions and within EU law? Can manufacturers just say ‘it ought not to be used for X’ and that’s it?

Clinicians and the NHS

Clinicians who provide care for DIY APS users and/or prescribe them the component parts could be held liable should something go wrong. Partially as a consequence of this, if it comes up in clinic, clinicians advise patients who are (thinking about) looping that they do so at their own risk. Could individual clinicians be held liable if they prescribe the technology (CGM and insulin pump) which patients may be using off-label (which depends on what the manufacturer instructions are for particular devices)? What about advising patients regarding the use of DIY APS, or even simply discussing the existence of the technologies with them?

Alternatively, we might think that liability for any harms that arise should vest in the institution who employs and manages those who care for DIY APS users. Could the NHS be vicariously liable for any harms experienced by DIY APS users?


As we mentioned earlier, most DIY APS users (at least currently) are highly motivated and technically skilled (or they become skilled in learning how to set up and use their chosen system). As such, we might think that given they are informed of the risks and they choose to loop anyway, they are responsible for any harms. ‘Volenti my dear volentias an old medical law professor used to say to one of us. This refers to the common law principle of volenti non fit iniuria (‘to one who volunteers, no harm is done’). But are users solely responsible for any harm(s) which might befall them from building and using DIY APS? Is the voluntary assumption of risk the whole story?

Parents/Carers of Users

In cases where the user themselves has not consented (e.g., because they are a child or incapable of giving consent), it would be inappropriate to hold them liable. In these cases liability might vest the parent or carer who chose to build and put their charge on DIY APS. What is the situation regarding liability when it comes to children or adults without capacity? How are these cases different to adult users who build DIY APS for themselves, and what factors need to be taken into account?

Who would or could be held liable?

The answer to this question, absent a test case, is unclear. Trying to find an answer requires looking at existing legal principles and cases to dissect out the numerous factors, arguments, and precedents which might be relevant. It also involves looking across multiple areas of law, such as tort, consumer protection, and health law (including clinical negligence and the regulation of medical devices). We have begun to explore these aspects and will share our findings (or confusion) in future posts.

Written by Victoria Moore, Muireann Quigley, and Joseph Roberts.


Work on this was generously supported by Wellcome Trust Investigator Award in Humanities and Social Sciences 2019-2024 (Grant No: 212507/Z/18/Z), an ESRC Impact Acceleration Award, and a Quality-related Research grant from Research England.