1. The transformer
Isolation is very easy using magnetic coupling. Consider the GM Magnecharge EV charging system. The entire paddle was lined with plastic. The inside of the slot was entirely lined with plastic. There were no metal surfaces at all. Yet, it could charge the car at 7kW or 50kW.
So this type of magnetic isolation is very easy. Simply have a "primary winding" around an iron core attached to AC mains, and at the other end of the core, a "secondary winding" at a much lower voltage. Power gets between them as magnetic flux which has no voltage at all. And as demonstrated by the EV1 charge paddle, it doesn't even need to be continuous iron! So a seventh insulation gap could be added.
The winding wires have insulation individually (mostly to insulate them from each other to keep the winding from shorting). Then the entire winding is wrapped or put in a plastic cage. Then the iron core itself is dipped in enamel. Just within this transformer, six insulations would have to fail:
- primary winding wire insulation
- primary wrapping or cage
- transformer enamel at primary
- tranformer enamel at secondary
- secondary wrapping or cage
- secondary winding wire insulation
Granted, an extreme electrical spike could blow a hole through all three in one place, but it would have to do that twice in two different places. It will get stopped at the iron core, because.....
2. Earthing the iron core allows fault detection
Before hazardous voltage can reach the secondary winding, it must reach the iron core. An additional safety layer can be added by earthing the iron core. That is, tying it to the earth/ground pin on the 3-wire electrical supply - the wire that is yellow w/green stripe.
That wire is bonded to the actual earth, but it's also bonded to supply neutral. This means the blowout from primary winding to iron core will cause some "live" 230V current to leak onto the ground wire and back to source. In sufficient volume (Dead short) this will trip the circuit breaker. Remember the secondary hasn't been affected yet.
But European installations have a feature called "RCD". Current should go out the 230V live wire (brown) and return on the neutral (blue) and these currents should be identical. The RCD compares the two currents and if they are not identical, it trips, disconnecting live and neutral. The detection threshold is 30mA on any random European home, 6mA on the more sensitive per-circuit RCDs used in America, and I presume a hospital uses this more sensitive level. It is VERY difficult to die from 6mA of leakage for a few milliseconds, which is all it takes for SNAP! Even dying at 30mA would be hard. These are not lethal currents.
The fairly dumb way that Europe provides earthing to homes provides some vulnerability, but mainly for people who are outdoors with their bare feet on the ground and holding a machine plugged into mains, like a hedge clipper or an EV.(it's a vexation for EV charging). Not so much a problem for a person inside a home, and definitely not a problem in a medical facility where the earthing is going to be first rate.
3. No limit to the number of transformers.
You can simply repeat transformers over and over, for as much isolation as you choose to pay for. After the first transformer, all the transformers are low-voltage on both sides, so no conceivable failure could hurt you.
You can also just buy an isolation transformer, that plugs into the wall and has a normal socket on the side. So you can add more isolation transformers at home.
Small amounts of power can also have opto-isolation, think "LED shining on solar panel".
4. Or, just run it on batteries.
And lastly, the equipment which actually energizes you can be run on batteries. Now it is fully isolated from AC mains.
