Safely unplug mounted USB device without first unmounting?

I've started working with Linux two months ago so I'm pretty new to it.
Google didn't help me much so I'm asking here.

I'm working on a project running embedded Linux. USB devices are supported and the user can plug and unplug whenever he/she wants.
When the device is plugged in it is auto mounted, but the device could be unplugged at any time, which could lead to device malfunction. I'm not sure if it is possible to protect from damage if device is disconnected during read/write, but I suppose there is a way at least to let the user disconnect the device safely when it is not in use (there is no way provided for the user to select some "Safely remove device" option).

What I observe is:
1. Plug USB device (mass storage device mainly) - Working properly
2. Unplug without unmounting or ejecting
3. Plug it again - "FAT: Filesystem error... Invalid access to FAT" messages are displayed
4. I found that fsck.msdos should be able to repair it, so I plugged it to a Linux PC and run it - went OK
5. I repeat steps 1-3 and the same results
6. Now even fsck.msdos cannot help because it says it has repaired it but my embedded Linux still displays errors
7. I've tried with a couple of different USB mass storage devices with the same results

I have not tried yet if I umount it before unplug, but I suppose it will work fine then (I make many assumptions...)

You can use automount tool to automaticaly mount just before access by user and unmount device after specified, short time (if user remove device before this time it still can corrupt data).

Second option is add action to udev (if you have installed) and force unmounting device after udev detect disconnecting of device (but written data still may be corrupted). Also FAT is not very resistant to errors, there are better filesystems.

Maybe you can bypass cache, then your user will known when coping has really ended, but I believe pendrives has also own caching. Or inform user when automatic unmount is done by some LED if you have free.

The "flush" mount option may reduce the chance of damage by flushing the cache earlier.

Thank you for your comments.
I was told that we need to mount manually with readonly and that would also solve my problem.

Well, yeah, that would be (relatively) safe. As long as you're only reading from the drive, there's no danger of messing it up.

But it's pretty much impossible to do what you want otherwise. Any drive that gets suddenly removed in the middle of a write operation is subject to filesystem corruption. There's no way to prevent it that I know of. And because most systems do transfers in asynchronous mode, the write operation may still be in progress and half of the data still sitting in a buffer somewhere, even though the display says it's finished.

You might try using the sync mount option, which will keep it from doing asynchronous transfers as in the above, and the system won't report the operation as finished until it's actually finished. The sync command likewise forces an immediate flushing of the buffers, after which the drive should be safe to remove. Although even then, just yanking it out wouldn't automatically inform the system that the drive is gone.

It might also be a good idea to use a filesystem on the drive that's less easily corrupted than fat, as mentioned before.

Again, though, the most important thing really is to educate the users as to just how important it is to remove the drive properly.