1 / 60

Using SE Technology to Improve Medical Safety

Using SE Technology to Improve Medical Safety. Lori A. Clarke, Leon J. Osterweil, and George Avrunin Department of Computer Science University of Massachusetts, Amherst clarke, ljo, avrunin @cs.umass.edu http://laser.cs.umass.edu. Medical Errors.

julio
Download Presentation

Using SE Technology to Improve Medical Safety

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using SE Technology to Improve Medical Safety Lori A. Clarke, Leon J. Osterweil, and George Avrunin Department of Computer Science University of Massachusetts, Amherst clarke, ljo, avrunin @cs.umass.edu http://laser.cs.umass.edu

  2. Medical Errors • Result in approximately 98,000 deaths per year in the United States • Avoidable deaths! • One of the leading causes of death • Some estimate that the figure is at least twice as large • Appears to be a world-wide problem • Larger problem if avoidable adverse outcomes, pain and suffering,and added costs are considered

  3. The Setting • Multiple, interdependent, entities • Physicians, Fellows, Nurses, beds, MRIs, EHRs • Collaborating in performing processes • Work is intense and fast-paced, each person is doing many tasks at once • Frequent interruptions • Frequent exceptional situations • Numerous synchronization points Complex, Distributed System!

  4. Our Approach: Technology Support for Continuous Process Improvement • Define processes • Evaluate them • Using a wide variety of analysis techniques • Propose modifications • Deploy them: Process-guided support • Reevaluate in the clinical setting and iterate

  5. Approach: Employ SE Technologies • Process programming to define medical processes • Little-JIL process programming language (coordination, agent assignment, resource management) • Requirements engineering to capture properties • PROPEL (property elucidation system) • Finite-state verification to detect errors • FLAVERS (Flow Analysis for Verifying Systems) and SPIN • Fault-tree analysis to reveal vulnerabilities • Simulation to improve efficiency • Process-guided execution • Continuous process improvement

  6. Case-study Evaluations • In-Patient Blood Transfusion Process • Beth Henneman, UMass School of Nursing • Emergency Department Patient Flow • Phil Henneman, Baystate Medical Center (BMC) ED physician, former director • Breast Cancer Chemotherapy • Wilson Mertens, Director, BMC Oncology Dept

  7. Process Elicitation • Teamed medical professionals (MP) with computer scientists (CS) • Held regular meetings to define processes • MPs described their process and answered questions (recorded meetings) • CSs encoded the process definition, created list of unresolved issues, defined agenda for the next meeting, distributed documents • High premium on suitable process language

  8. The Little-JIL Process Language • Exploring language abstractions to support • Reasoning (rigorously defined) • Automation (execution semantics) • Understandability (visual) • Supported by tools • Visual-JIL graphical editor • Interpreter • Analyzers • Evaluation by application to broad domains • A third-generation process language • A “work in progress”

  9. Little-JIL Process Definition • Has four components • Coordination diagram • Artifact space • Resource repository • Agents, both human and automated • Rigorously defined • Finite state machines • Intended to be clear to domain experts • They read, but don’t write

  10. Language pays attention to SE principles: e.g. Scoping, Abstraction • Coordination definition is a hierarchical decomposition • Think of steps as procedure invocations • They define scopes • Accept and pass arguments • Encourages use of abstraction • Eg. process fragment reuse

  11. “Step” is the central abstraction Interface Badge (parameters, resources, agent) Prerequisite Badge Postrequisite Badge TheStepName X Handlers Substep sequencing Exception type Artifact flows continuation

  12. Simple Blood Transfusion Process

  13. Top Level Chemotherapy Process

  14. 3. Order Test(s) 3.1 order test(s) on computer 3.1.1 log into computer 3.2.1select patient record3.2.1.1 look for patient name on the alphabetical list 3.2.1.2 match additional info as needed (age, gender, complaint, location...) … 1. Chemotherapy Process The medical professionals involved should, in no required order, prepare for and administer first cycle of chemotherapy and create and process consult note. The medical professionals, however, cannot start create and process consult note before perform patient consultation (a substep of perform consultation and assessment) has completed. 2. Prepare for and Administer First Cycle of Chemotherapy (substep of Chemothereapy Process) The medical professionals involved must have the biopsy, the pathology report and the patient chart. To prepare for and administer first cycle of chemotherepy, the medical professionals involved should perform, in order, each of the following steps: a. Perform consultation and assessment b. Perform initial review of patient records c. Perform pharmacy tasks d. Perform patient teaching e. Perform final tasks (day before chemo) f. Perform first day of chemo tasks Combined with Table of Contents

  15. Order Test(s)(part ofperform Blood Specimen Labeling process) To perform this step theProvider must have the patient-name. The Provider should firstorder test(s) on computer, and thenorder test(s) on patient chart. During any of these steps, if the required resources are not available, order test(s) is considered to have failed. z Many views of the same story

  16. Process Modeling Observations • Processes are not well-understood • Individuals know their processes, often don’t know how they relate to otherse.g., Artifacts created but not used • Important to tie down terminology • Use the same term in different wayse.g., “transfuse blood” • Use different terms to mean the same thinge.g., verify, check, confirm, match • Takes many iterations to define a process • Must determine upper and lower bounds of the scope • Must determine granularity of tasks

  17. Process Modeling Observations • Medical professionals • Think in terms of war stories (negative scenarios), not in terms of the general process • Initially are scared by the language but end up discussing the lowest-level details “comfortably” • Love the natural language representation • Even “simple” processes can be very complex • E.g., identify patient process • Need abstraction • a hierarchical representation that can hide context and low-level details

  18. Process Modeling Observations • There is no best process modeling representation • Large graphical representations are hard to comprehend • Large textual representations are hard for following complex flow • Want a representation that will • Be the basis for answering questions about the model • Support the creation of other representations • E.g., dependency matrix, data flow diagram, role-based descriptions, textual description, scenarios… • Currently do not automatically create all theses representations, but we could

  19. Validating and Verifying Process Definitions • How do we know that a process definition has correctly described the process? • Review textual/graphical descriptions • Examine scenarios (could be automatically generated) • How do we know that a process, as described, satisfies its goals? • Show that all traces through the process definition satisfy important properties • But, need to represent these properties

  20. PROPEL: Property Elicitation • Extends the Property Pattern work of Dwyer, Avrunin, and Corbett • Provides more detailed templates that explicitly indicate the options associated with each pattern • Three coordinated representations • Disciplined Natural Language • Extended Finite-State Automaton • Question Tree

  21. EVENT: verify-patient-ID EVENT: transfuse-blood Example Property The patient’s identification must be verified prior to transfusing each unit of blood product.

  22. After verify-patient-ID occurs, transfuse-blood is required to occur • transfuse-blood cannot occur until after verify-patient-ID has occurred Question Tree View How many events of primary interest are there? • One: event verify-patient-ID • Two: events verify-patient-ID and transfuse-blood

  23. Precedence FSA Template verify-patient-ID verify-patient-ID transfuse-blood transfuse-blood or verify-patient-ID or (verify-patient-ID, transfuse-blood) or transfuse-blood or verify-patient-ID or (verify-patient-ID, transfuse-blood) (verify-patient-ID, transfuse-blood)

  24. Precedence FSA Template verify-patient-ID verify-patient-ID transfuse-blood transfuse-blood or verify-patient-ID or (verify-patient-ID, transfuse-blood) or transfuse-blood or verify-patient-ID or (verify-patient-ID, transfuse-blood) (verify-patient-ID, transfuse-blood)

  25. Example Behavior verify-patient-ID transfuse-blood (verify-patient-ID, transfuse-blood) (verify-patient-ID, transfuse-blood) transfuse-blood transfuse-blood cannot occur unless verify-patient-ID has already occurred. It is acceptable for verify-patient-ID to not occur, but if it does not occur then transfuse-blood can never occur. Even if verify-patient-ID does occur, transfuse-blood is not required to occur. Before the first verify-patient-ID occurs, the events in the alphabet of this property, other than transfuse-blood, can occur any number of times. After verify-patient-ID occurs and before the first subsequent transfuse-blood occurs: • the events in the alphabet of this property, including verify-patient-ID but not transfuse-blood, can occur any number of times. After the first subsequent transfuse-blood occurs: • the events in the alphabet of this property, other than verify-patient-ID or transfuse-blood, could occur any number of times; • neither verify-patient-ID nor transfuse-blood can occur again.

  26. Finite-State Verification of Process Definitions • Determines if the process definition is consistent with a property • Considers every trace through the process • If a property does not hold, the verification tool will provide a counterexample trace • Process improvement: change process, property, or both • Re-verify until satisfied

  27. Finite-State Verification Property Translator Property Property Representation Process Definition Process Model Reasoning Engine System Translator Property Holds on All Paths Through the Model Property Does Not Hold: Counterexample

  28. Observations about FSV • Helped find errors in the processes • E.g., Event sequence errors, Deadlock errors • Helped determine if the modified process addresses the problems • Helped find errors in the property specifications and in the process definition • Correcting these is important if they are going to be used for decision making

  29. Approach: Employ SE Technologies • Process programming to model medical processes • Little-JIL process programming language (coordination, agent assignment, resource management) • Requirements engineering to capture properties • PROPEL (property elucidation system) • Finite-state verification to detect errors • FLAVERS (Flow Analysis for Verifying Systems) and SPIN • Fault-tree analysis to reveal vulnerabilities • Simulation to improve efficiency • Process-guided execution • Continuous process improvement

  30. Fault Tree Analysis (FTA) • A well accepted and widely practiced hazard analysis technique • Systematically identifies and reasons about all possible events that could lead to a given hazard • Create fault tree for a hazard • Analyze each fault tree • Analysis results can be used to improve the process => process improvement

  31. Fault Tree A fault tree captures all the combinations of events that could lead to a given hazard

  32. Our Approach • Automatically develop fault trees from process definitions • requires the process be formally defined • Identify process vulnerabilities using FTA • Cut set - a set of basic events and/or undeveloped events whose occurrence ensures that the TOP event occurs • Minimum Cut Set - a cut set that cannot be further reduced • automatically calculated from a fault tree using Boolean algebra • Evaluate this approach by applying it to real-world processes

  33. Simple Blood Transfusion Process

  34. Calculate MCSs Each gate corresponds to an equation 1: E1 = E2 2: E2 = E3 + E4 3: E3 = E5 + E6 4: E5 = E7  E8 5: E6 = E9  E13 6: E7 = E11 + E12 7: E9 = E11 + E10

  35. Calculate MCSs Derive an equation for E1 by eliminating and substituting the other intermediate events: E1 = ( E4 ) + ( E11 ) + ( E12  E8 ) + ( E10  E13 )

  36. Observations about FTA • Automatically deriving fault trees from Little-Jil helps address a major weakness of FTA • Manually creating FTs is • Time-consuming and error prone • Requires deep understanding of the process • Medical Community is familiar with FTA • In our case studies found some single points of failure

  37. Blood Transfusion Example: Generated Fault Tree

  38. Approach: Employ SE Technologies • Process programming to model medical processes • Little-JIL process programming language (coordination, agent assignment, resource management) • Requirements engineering to capture properties • PROPEL (property elucidation system) • Finite-state verification to detect errors • FLAVERS (Flow Analysis for Verifying Systems) and SPIN • Fault-tree analysis to reveal vulnerabilities • Simulation to improve efficiency • Process-guided execution • Continuous process improvement

  39. Discrete-Event Simulation • Use the Little-JIL process models, combined with a resource manager to drive discrete-event simulation • Evaluate alternative resource models • More doctors, more nurses, or more beds

  40. Little JIL Simulator Architecture Simulation Results Resource Manager Parameter Manager Outputs Who does it? Which step next? What is it done to? Agenda Manager Step Sequencer Arrival Distribution Specification Agenda Item Event Arrivals Next Event TimeLine User Agendas Events Agent Behaviors Specification Agent Behaviors Non-Simulated Simulated Non-Human Agents Simulated Human Agents

  41. Finite-State Verification Order Test(s)(part ofperform Blood Specimen Labeling process) To perform this step theProvider must have the patient-name. The Provider should firstorder test(s) on computer, and thenorder test(s) on patient chart. During any of these steps, if the required resources are not available, order test(s) is considered to have failed. Fault-TreeAnalysis z Discrete-Event Simulation Role-Based Analysis Continuous Process Improvement Environment

  42. Overall Project Observations • Appears to be a promising approach • All the various activities helped find process errors: process modelling, property specification, FSV, FTA, simulation • Have found important errors • Single point of failure (e.g. surface body area) • Inconsistent interfaces (e.g., lbs/inches versus kg/cm) • Deadlock

  43. Overall Project Observations • Processes, Process Models and Properties need to be validated • All are very error prone • If a process is worth modeling, then the model requires significant validation

  44. Future Work • Process-guided execution • Recognize relevant and non-relevant events • Resynchronize after process deviation • Guidance with support for overrides • Rigorous approach to continuous process improvement • Human-intensive processes • Suite of evaluation tools and methodologies

  45. Conclusion • There is nothing health-care specific in our approach • Deals with complex, human-intensive systems • Humans provide creative insight • Complex human and device/computer interactions • Could be applied to medical processes or to SE processes • Using software engineering technology to develop a rigorous and effective approach to the improvement of human-intensive processes

  46. Thank you

  47. Not used

  48. Hyperlinked Representation 3. Order Test(s) (part ofperform Blood Specimen Labeling process) To perform this step the Provider must have the patient-name. The Provider should first order test(s) on computer, and thenorder test(s) on patient chart. During any of these steps, if the required resources are not available, order test(s) is considered to have failed. Upon successful completion of this step, continueto perform Blood Specimen Labeling process by proceeding to the next step in the sequence. 3.1 Order Test(s) on Computer (part of order test(s)) To perform this step the Provider must have the patient-name and the CIS system. To order test(s) on computer the Provider should perform, in order, each of the following: log into computer select patient record in DB verify the selected patient exactly matches desired patient select test to order at least once digitally sign the order(s) During any of these steps, if the required resources are not available, order test(s) on computer is considered to have failed. Upon successful completion of this step, continue order test(s) by proceeding to the order test(s) on patient chart step.

  49. RE Phases • State Initial Goals • Often inconsistent, incomplete, ambiguous,… • Refine into definitive, natural language statements and informal models • Develop structural organization of the collection • Define glossary • Refine into mathematically precise properties that can be used as the basis for validation • Drives testing and verification • Bridge between the abstract goals and the process model

  50. Precedence DNL Template

More Related