Professional Documents
Culture Documents
net/publication/263504693
CITATIONS READS
0 65
4 authors, including:
Ann Blandford
University College London
533 PUBLICATIONS 9,661 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Huayi Huang on 26 July 2022.
file: WP206.pdf
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
ABSTRACT
The use of critical i fo atio is u i uitous i toda s world, and often distributed across multiple
participants of a socio-technical work-system. However, incidents sometimes unfortunately happen,
because the dual constraints of using correct, and consistent information were not fully satisfied. To
support investigation, and learning from such incidents, we propose and illustrate one way to frame
investigative hypotheses. The approach proposed is called the Information Safety Framework, and is
based on Distributed Cognition in its design and conceptualisation. Through explicitly modelling, and
understanding the factors shaping the progression of such i fo atio al incidents, we hope to
reduce their reoccurrence in future. Two patient safety incidents are used to illustrate our approach.
Highlights:
Keywords:
1
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
1. Introduction
1.1 Motivation and overview
[ISF-p1]
I toda s information-rich world, socio-technical work-systems often rely on the consistent use of
correct information. This is however not always possible, and incidents may subsequently occur,
leading to loss of life or property. In the patient safety area, using the wrong information may lead
to various kinds of medication errors (e.g., Cohen 2007).
[ISF-p2]
To reduce the chances of such i formatio al i ide ts f o reoccurring, we need to understand
how aspects of the work-system may or may not support the use of correct information in each case.
We propose an approach for this purpose, in the context of supporting incident investigation. Unlike
existing approaches in the mainstream safety literature, our approach is developed using the notions
of information representation, and system of Distributed Cognition (Hollan et al. 2000; Hutchins
1995a, 2001). These two concepts are applied to incidents, to help understand how the use of
correct and consistent information may be facilitated.
[ISF-p3]
The main contributions of this paper are twofold. In particular, we:
Propose, and illustrate a new approach to understand how information was used in an
incident, called the Information Safety Framework (ISF);
Show how Distributed Cognition may be used as a theoretical basis in designing such
an approach.
[ISF-p4]
Our first contribution extends an area of investigative methodology which has not been yet well
explored. Reviews, such as those by Sklet (2004) and Katsakiori et al. (2009), show that few existing
approaches focus on systematically understanding, and explicit modelling of the patterns of
information use in an incident. As a systems-based approach, ISF is intended to address this
methodological gap, in modelling information use at a relatively fine-grained level of detail. Like
Leveson (2004, 2011), we aim to introduce a new conceptual tool to help improve safety. In focusing
on supporting safer information use through incident investigation, ISF is based on Distributed
Cognition, instead of systems theory. Our approach is intended primarily for dealing with loosely
coupled, and less tractable systems, for which few approaches currently exist (Hollnagel and Speziali,
2008).
[ISF-p5]
Our second contribution aims to raise the visibility of Distributed Cognition, as a theoretical basis in
the safety community. In particular:
1. the otio of i fo atio used i I“F is de eloped f o a Distributed Cognition
perspective (Section 4.2.1);
2. the flexible and dynamic unit of systems analysis of Distributed Cognition is adopted
(Section 4.2.2); and
3. the outputs of ISF are intended to be of use across multiple investigations, as well as
useful within a single one; The models generated through using ISF are intended to
facilitate the active distribution of investigative cognition, and understanding across
different locales and times.
2
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
[ISF-p6]
As an established general perspective on cognition, there is inherent theoretical value in attempting
to apply Distributed Cognition ideas to support incident investigation. Moreover, Distributed
Cognition has at least one major common concern with the field of safety – in adequately supporting
human activity.
[ISF-p7]
The rest of this paper will be structured as follows. In Section 2, we provide a technical introduction
to Distributed Cognition, focusing on aspects of particular relevance to this paper. Section 3 then
outlines the conceptualisation of investigative process adopted in this paper, highlighting the
inherently uncertain nature of investigative hypotheses generation and refinement. Section 4
presents the first principles of the Information Safety Framework – describing both its conceptual
(Sections 4.1 – 4.5), and more practical aspects (Sections 4.6 – 4.8). Section 5 presents the results
from experimentally applying ISF to understand two patient safety incidents, which are then
discussed in Section 6. Finally, in Section 7 we summarise this paper, and outline further work to be
done in the ongoing development of ISF.
An undesired pattern of system performance which may be used to actively learn about,
and further enhance its safety – in the form of interventions to achieve more desirable
patter s of s ste perfor a e i the future.
[ISF-p9]
Like Wright et al. (2000), we use the te odel here, to capture the idea that our approach is a
systematic and bounded one. Somewhat analogously, we also provide a generic set of concepts, in
the form of ISF. These ideas are intended to support safety researchers and practitioners, in
constructively thinking about aspects of safer information use in detail. We refer loosely to the
informational aspects of safety as information safety throughout. In the case of an incident
investigation, the a al st using ISF could be an incident investigator. More generally, ISF may also
be of interest to others in the safety value chain (Saleh and Pendley 2012).
3
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
4
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
included as a basic premise of our modelling approach, and the semantics of the models thus
constructed.
[ISF-p15]
The I foFlo f a e o k of Tang (2009, Chapter 5) also focusses on issues of information flow,
during shift change in nursing. At an abstract level, both our frameworks focus on the core concerns
of:
i. the particular information used,
ii. the people involved in using this information,
iii. the artefacts mediating the information flow process,
iv. the spatial distribution of information,
v. the temporal distribution of information, and
vi. how information is communicated between participants.
[ISF-p16]
Tang (2009) elaborates on these ideas, to support deeper understanding of the shift change part of
the care process. ISF instead embeds these abstract concerns, into a o e lo gitudi al app oach to
description and analysis. To support an analyst in articulating both the proximal, and more latent
parts of the information flows, systems- odels of this aspect of the work-system (at the time of an
incident) are constructed. In contrast to Tang (2009), an explicit model of how latent factors may
affect the correctness and consistency of information use and flow, is pa t of the ethod of the
approach we propose (Section 4.4).
5
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
The first principle concerns the unit of analysis, which is conceived and scoped functionally. In
pa ti ula , the ou da of a specific cognitive syste is not predefined – varying substantively,
depending on the particular temporal-spatial relationships, and participants relevant to such a
process (which is the cog iti e s ste ). For example, Hutchins (1995a) gives a detailed
ethnographic account of how a moving ship is accurately located, investigating how this is done
under both the Western, and Micronesian navigation traditions. Hutchins found that Western
culture has evolved to rely heavily on man-made artefacts, such as the navigation chart and alidade
for example. In contrast, the Micronesians needed only to make use of a number of familiar natural
landmarks – which are contingently encountered en route, and used more naturalistically to
6
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
correspondingly o pute thei u e t positio . I oth a al ses, the unit of analysis centres on
an inductive, and holistic understanding of the form and function of the dist i uted a igatio
og iti e s ste . Both the Western and Micronesian navigation traditions are treated as such a
system, evolved to achieve the common cognitive goal of locating a ship in its journey.
[ISF-p21]
The second principle concerns the range of mechanisms that are assumed to be relevant in
supporting cognitive activity. Unlike the classical approach, Distributed Cognition is relatively
agnostic, and not human-centric about who, and/or what may participate in a particular cognitive
system (Halverson 2002). The treatment of both human and non-human1 participants start from a
point of equal theoretical emphasis – distinguished only in terms of their specific roles and
contributions in supporting the overall process. Under the Distributed Cognition perspective, man-
made artefacts – such as the navigation chart and alidade – are also p i a pa ti ipa ts i the
cognitive process of ship navigation, in addition to its human participants. Distributed Cognition
highlights how different forms of externalised representations may support different kinds of
computation , emphasising the additional interaction possibilities consequently afforded (Hollan et
al. 2000). It does not reject outright the assumptions of internal representation underpinning
classical approaches to cognitive science. But simply de-emphasises the mediating role of
internalised cognition, in the interests of foregrounding the role, and contributions of externalised
representations in human activity.
[ISF-p22]
When the two central principles of Distributed Cognition are applied to the observation of human
a ti it in the wild , at least three types of distribution of cognition become apparent through
analysis (Hollan et al. 2000, our emphasis):
3. distribution of cognition through time, such that the products of earlier events can
transform later ones.
1
The te non-human is used throughout this paper to include artificially constructed artefacts, as well as
naturally occurring ones – which may both in principle be used to support work. Hut hi s a des iptio
of Micronesian navigation provides an example of how naturally-occurring artefacts may be repurposed, and
invested with interpretative meaning to support ship navigation.
7
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
8
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 1: A perspective of investigative process according to ESReDA (adapted from ESReDA, Figure 7, 2009).
This perspective emphasises the non-trivial role of a priori analyst knowledge, in informing the course of
investigation. Here we have simplified the redundant work-flow arrows of the original figure.
Figure 2: A perspective of investigative process according to Johnson (adapted from Johnson, Figure 5.1, 2003).
This perspective emphasises the role of detection and reporting in investigating incidents. He e a
oc u e e efe s to a i ident.
In both Figures 1 and 2, the arrows denote an approximation of the general workflow and process in
investigation. We have indexed each phase in these figures to facilitate references to them. For
example, in Figure 1 E-A stands for ESReDA, phase A, and in Figure 2 J-A stands for Johnson, phase A.
[ISF-p26]
Both Figures 1 and 2 show that a substantive part of an investigation is iterative, across multiple
phases. This is in the form of collecting facts about an incident (i.e., E-C/E-D E-B, J-C J-B), as
well as the sense-making of these facts (i.e., the various loops involving E-C, E-D, J-C, J-D). Following
each ou d of sense-making, the state of investigative understanding may then either be
9
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
determined to be sufficient (i.e., moving on to E-E/J-E), or further data collection may occur to
satisfy any new investigative needs arising out of the sense-making attempt (i.e., potentially loopi g
a k all the way to E-B and J-B respectively in each figure). This iterative process, of data gathering
and sense-making, helps to generate and refine investigative hypotheses. These hypotheses aim to
describe and explain an incident under the following rationale, where an investigation is done to
diagnose:
10
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
A. Many incidents have a significant informational aspect to them, where one or more
critical pieces of wrong information was used to inform safety-critical work;
patterns of information flow, and the related factors that may significantly shape the consistency,
and correctness with which such flows occur.
[ISF-p32]
Like Hollan et al. (2000), our research was motivated by the attempt to answer the following
questions2:
[ISF-p34]
In line with the Distributed Cognition perspective, here we treat any representations that are
informative to work as an information representation in ISF – which aims to help explicitly
understand how such representations were propagated and coordinated in an incident. Liu et al.
(2008) understands such information representations to be propagated as:
representation states across a series of representational media that are brought into
coordination ith o e a othe Liu et al. 2008, original emphasis).
[ISF-p35]
Such representation states exist in both unobservable and observable form. These correspond
respectively to the internalised and human, and the externalised aspects of cognitive process (which
are often artificially constructed). Both the human and non-human participants in a work-process
are the representational media that are brought into coordination with one another, through the
particular information used4.
[ISF-p36]
An example of the coordination of such information representations is described by Hutchins
(1995b), who provides a stylised account of the use of airspeed information representations within
the cockpit of a commercial airliner. In this case, the functional task was to appropriately coordinate
ongoing changes to the wing configuration, with changes in airspeed in manoeuvring for the
2
Where the idea of representation is synonymous with our notion of model and investigative hypotheses (as
mentioned at the end of Section 3).
3
Which is a general perspective on all of (human-related) cognition (Hollan et al. 2000).
4
Like Wright et al. (2000), here we consider these ep ese tatio al states as i dividual physical realisations of
some abstract information representation.
12
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
approach to landing. The Distributed Cognition based description of this task, explicitly accounted
for the wide variety of representations of airspeed, used to inform the safe landing of the plane.
Amongst other artefacts, representations of airspeed existed in the form of look-up tables, booklets
and speed bugs . These tables and booklets are externalised, and indirect physical representations
of the airspeed, through defining generic relations between different airspeeds and aircraft loads.
The speed bugs are small adjustable slider devices around the rim of the airspeed indicator; which
may be dynamically adjusted by pilots, to partition the analogue airspeed indicator into an
alternative, yet still conceptually meaningful representation – in terms of discrete regions of speed-
spa e for different parts of a flight. These information representations are all used to help avoid
i g stall in the approach to landing – which is a dangerous condition where a particular wing
configuration no longer generates sufficient lift to keep the plane in the air.
[ISF-p37]
In the context of patient safety investigation, an analogous example is in the attempt to safely
deliver a particular drug at a particular rate. In this case the successful coordination of both the
identity of the drug, and an appropriate rate of administration, are two of the many typical
prerequisites for delivering safe care. Amongst others, representations of both these pieces of
information may be distributed across entries in patient care charts, computerised patient
information systems, nurses, and doctors.
[ISF-p38]
Operationally, a substitutive heuristic may help, in distinguishing between which i fo atio
representations are suitable to understand and model using ISF, and which ones are not. In
particular, candidate information representations for ISF modelling may be sanity-checked, through
assessing whether they can be meaningfully substituted within the following selection heuristic. For
e a ple, d ug a e a e such a candidate information representation to be substituted, in
place of the <?> symbol.
[ISF-p39]
Information representation selection heuristic:
propagation of <?> information as representation states across a series of
representational media that are brought into coordination ith o e a othe adapted
from Liu et al. 2008, original emphasis).
[ISF-p40]
If one cannot coherently substitute any candidate information representations in an incident into
the sentence above, ISF pro a l should t e used. In practice, abstract information
representations, such as drug na e , often ought to ideally remain consistent and correct
throughout its use in patient care; However, the p a ti al opies of such an abstract information
representation, may actually not have remained consistent and correct for all participants (in the
reality of an incident). This logical juxtaposition forms part of the theoretical motivation for
developing ISF, to help systematically investigate the closely-related representation states – of the
same abstract information representation – throughout the socio-technical work-system.
[ISF-p41]
Three scenarios for potentially applying ISF are provided in the appendix, where we explicitly relate
each to the Distributed Cognition notion of information representation. We would consider using ISF
to model specific aspects of all three cases, due to the inherently wide-scoped Distributed Cognition
notion of informative representation adopted here. Two illustrative patient safety incidents are
discussed in detail later (in Section 5), to help give a better operational understanding for readers
13
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
seeking to use ISF. ISF models of incidents are themselves also intended to be informative
representations. Where their construction is intended to inform investigative-work distributed
across both contemporary and future investigative contexts.
14
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
5
Hutchins generally uses the more correct terminology of information coordination in his writing. However,
on occasion, he also seems to suffer from the constraints of the English language, as we see by his relatively
unqualified usage of the normative metapho of i fo atio flo i Hut hi s , o pa ed ith the
elati e dea th of su h etapho i la guage of i fo atio flo i Hut hi s a.
15
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 3: A visualisation of two diffe e t o eptualisatio s of i fo atio flo . 3a and 3b depict the
metaphor of flo /t a sfe of i fo atio et ee participants; 3c depicts the arguably more realistic,
coordinative nature of most such flows in reality.
[ISF-p49]
Figure 3 depicts the conceptual difference, between the e e da etapho of information flo
(Figure 3a and 3b), and the Distributed Cognition conceptualisation of such flows in terms of
information coordination (Figure 3c). Each grey box in this figure denotes an information
representation. Figure 3a and 3b show the consequences of what is termed by Artman and Garbis
(1998) as the transfer fallacy6. This fallacy is in the fact that the use of information is usually
reconstructive and coordinative in reality, rather than in the form of a passive i fo atio -parcel
being passed between participants. I ‘edd s te s, there is typically no actual unit of
i fo atio i side a participant which gets packed up, ejected into a subject-i depe de t ideas
spa e , and se t to another. Taking this paper as an example, the information representation of the
details of ISF, flo s f o the ite s, through the medium of the text, to you the reader – hopefully
consistently with respect to the correct rep ese tatio s of I“F i te alised ithi the autho s i ds.
Amongst other factors, the consistency with which this flow occurs, will depend partly on the set of
prior biases and assumptions you bring to the interpretation, and reconstruction of meaning from
this text. The symbols and marks making up the text in this paper have no a priori meaning, beyond
that assigned to them by each reader (Reddy 1979, p309). In reality, the particular information
representations, existing in a participant, also does not usually immediately disappear on
communication to another (i.e., Figure 3c)7. For practical purposes, adopting the metaphorical
intuition of information flo may often not make any difference, to the form and structure of the
6
Hut hi s a, p also o e o li uel iti ises this i fo atio t a sfe etapho . I the ase of two
non-human participants, such as two computers in a network for example, in principle the copy of information
se t a e deleted o se di g, to closely approximate the metaphorical transfer of information.
7
This is another way in which the normative conduit notions, of information flow and transfer, is misleading.
16
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
17
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 4: The se a ti s of i fo atio flo used i I“F, sho i g how an information representation within
participant A is induced in participant B.
[ISF-p53]
In using ISF, an analyst should state such a I“F i fo atio flow , based on the precondition that an
information representation is perceived to be i du ed into another participant at a later point in
time. In Figure 4, this is through a corresponding coordination of information with participant B at
some later point in time, corresponding to the situation depicted in Figure 3c. Figure 4 corresponds
to the case where an analyst has judged such an induction process to have occurred, thus linking the
two participants with a uni-directional arrow. Such a perceived relationship between two
participants is asymmetric, and according to normal chronological ordering. In general, the analyst
should not be limited to only modelling such exchanges at a one-to-one, highly accurate, and highly
detailed level of abstraction. Each arrow like the one shown in Figure 4 may stand abstractly, for
more than a single actual informational coordination or exchange in reality. Such a unidirectional
link may be stated, so long as each pairwise relationship between participants is perceived to change
– between some antecedent and consequent point in time in the way shown in Figure 4.
[ISF-p54]
In the case of the non-human participants in these information exchanges, assessing the existence of
an information representation within a participant may be directly possible – through inspecting
device-usage logs for example. In the case of human participants, more indirect means will be
necessary, through interviews for example. These judgements – about the existence of a particular
information representation within participants – should be informed by what is known about the
incident.
18
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
8
As Harms-Ringdahl (2009) implies, there is no single standard definition of safety function widely accepted
in the safety literature.
19
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
information representation in each participant if the checking protocol had t ee there. Also,
multiple safety functions acting on the same part of the flow of information may not always act at
the same time. An example of this is presented later on, in the form of safety functions 5 and 7 (see
Table 4), where safety function 5 was in fact mostly overridden at the time of the incident. This
possibility of non-concurrent functional impact is reflected in the specific wording chosen, in
defining our four types of ISF safety functions.
[ISF-p58]
In some cases, it may be more convenient to model a participant directly as a safety function,
instead of as part of the flows of information. This choice is intentionally left underspecified in ISF,
and up to the analyst. Old safety functions from previous ISF models may also be applied to new
incidents, and their corresponding ISF models. The scope of such safety functions – across incidents
– is dependent on the informed assessment of the analyst. Such an assessment is again based on the
known facts, representing the analyst s informed judgement of whether each safety function is
applicable to each new case.
20
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 5: An illustration of a generic ISF information trajectory, with related generic safety functions.
[ISF-p60]
Using the ideas described so far in Section 4, Figure 5 shows some possible configurations of
participants, information flows and safety functions that may be found through ISF modelling. The
sorts of relationships shown in this figure may be identified, through modelling the coordination of a
single information representation in a single incident. Five generic safety functions (labelled A to E),
and five unique human and non-human participants (labelled S1 to S5) are shown.
[ISF-p61]
In terms of the four types of safety functions discussed in Section 4.4:
- B is a correctness-enhancing safety function,
- C is a correctness-reducing safety function,
- D is a consistency-enhancing safety function,
- E is a consistency-reducing safety function.
Here safety function A provides an example, of a safety function perceived as acting both positively
and negatively, on both the correctness and consistency of information at different parts of the
information trajectory. In this case safety function A may reduce the correctness of information in S2
and S4, and the consistency of the flow of information from S4 to S1. Safety function A may also
simultaneously enhance the consistency of the flow of information from S2 to S4, and the
correctness of information in S1. Different flows of information between two participants may also
be compactly represented as a pair of uni-directional arrows – shown between S1 and S2 in Figure 5.
In principle, different safety functions may be perceived to act separately and independently, on
such a pair of flows. Though not shown in Figure 5, safety functions from one ISF model may also be
explicitly linked with one or more other ISF models, depending on their perceived applicability, and
degree of generality in each specific case. A concrete example is presented later in this paper, in the
form of safety function 3 (see Table 2 and Figure 11).
21
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
[ISF-p62]
We have so far presented the basic concepts needed for modelling incidents using ISF. We also
briefly illustrated how these concepts relate to each other – in the generic ISF model shown in Figure
5. Such representations form partially homogenised descriptions of perceived functional
relationships in an incident, about key aspects of information use across different investigative
contexts and systems. These models are structured statements of investigative understanding –
about issues relating to ensuring the use of correct and consistent information. In the remainder of
Section 4, we discuss how such ISF models may be constructed and used, throughout the process of
investigation. In particular, we include suggestions for how ISF models may be systematically
exploited – both during (Section 4.7.1), as well as on conclusion of an investigation (Section 4.7.2).
22
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
<PARTICIPANT> pa t should be substituted for each of the already identified participants in turn,
with <?> again substituted for the particular information representation of interest:
Where did the <?> information in <PARTICIPANT> go to? for do strea e ploratio of
an information trajectory)
[ISF-p66]
When either of these two questions seem no longer applicable or relevant, a natural stopping point
in exploring a particular part of the information flows may have been reached, where no further use
of an information representation is perceived to have occurred. The point at which to stop mapping
these flows is largely a discretionary decision by the analyst. Sometimes, either of the two questions
above may not be clearly answerable, due to a lack of existing investigative knowledge. In such cases
attempts should be made to seek out this additional knowledge where possible. In terms of our
running example, we assume that the user reads their current account balance off the screen
displaying this information. This may be identified as a flow of information in terms of ISF, indicated
i Figu e . Under the ISF semantics of such flows (Section 4.3.2), the analyst has in this case
identified a representation of the account balance information to have been induced in the user of
the ATM as a result of this interaction. Similarly, a converse flow of account balance information may
be perceived to have subsequently taken place, from the user to the ATM. Here we assume that the
user takes money out of their account, i di ated in Figure 6 (informed by their knowledge of
the existing account balance). Through this second action, the new, and wrong account balance
information representation is updated to the ATM (and also updated for the user). To keep the
running example simple, we do not account here for the propagation of account balance
information representations upstream of its existence in the ATM – omitting the related supporting
infrastructure of ATMs and banks.
Figure 6: A simple ISF model illustrating part of an account balance information trajectory, using the same
notation as in Figure 5.
[ISF-p67]
The situation on which Figure 6 is based, is one where the notio of o e t i fo ation
ep ese tatio would normally legitimately change – from a old correct value to a new o e t
alue (as part of routine money withdrawals). A more extreme example would be in attempting to
model the flows of speed information between a car driver, and the potentially continuously
changing speedometer monitored whilst driving. Such dynamic, yet legitimate changes – in what the
orrect information representatio is – have not been accounted for in the development of ISF thus
far. For now we suggest that such cases should be avoided, and the use of ISF restricted to cases
23
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
he e the otio of o e t i fo atio should in principle remain constant, with respect to the
scope of the ISF analysis done9. For now we continue to use our account balance running example,
simply for convenience in illustration and explanation.
9
Note that we do not need to know what the orrect information value actually is, to be able to
constructively apply ISF.
24
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Question 1: Which parts of the information flows have neither positive (i.e.,
correctness/consistency-enhancing) nor negative (i.e., correctness/consistency-reducing)
safety functions acting on them?
Question 2: Which parts of the information flows have only negative safety functions
acting on them?
Question 3: Which parts of the information flows have both positive and negative safety
functions acting on them?
Question 4: Which parts of the information flows have only positive safety functions
acting on them?
25
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
26
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
4.8 Summary
[ISF-p76]
During the ongoing formative stages of investigation, the focus ought to be on how the construction
of ISF models (Section 4.6), and operations on the models constructed (e.g., Section 4.7.1) may aid in
more deeply understanding the informational aspects of work-systems (through analysing the
incident). Latter stages of investigation typically involve more summative and evaluatory responses,
to try to improve the safety of the underlying work-system. Here the fi al ISF models may then be
used as a reasoned basis for constructive debate and discussion. As structured investigative
hypotheses, these ISF models may change and evolve, along with the developing understanding
gained through the process of investigation.
[ISF-p77]
ISF focusses on understanding the functional mechanisms through which correctness and consistency
of information flow may be maintained. It encourages investigators to look for specific kinds of
relationships in an incident, described throughout the earlier parts of Section 4. It is the information
encoded within these patterns of relationships which are key, rather than the particular visualisation
used to represent the relationships. As a way to support investigation, ISF is not intended to replace,
but to complement the expertise, and craft skill of investigators. In the next section, we describe,
and present the results from an illustrative case study, applying the theoretical ideas of ISF to two
patient safety incidents (where the wrong information was used as part of the care provided). These
results are then discussed in Section 6.
27
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
10
See Burns (Section 1.1.7, 2000) for a summary of some of the weaknesses of such reports in facilitating
accurate communication between report writer and reader.
28
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
the lead developer of ISF. He had some prior familiarity with the Fluorouracil incident (Section 5.1),
but no prior familiarity with the Vincristine incident (Section 5.2). This prior familiarity seems to have
had little obvious e t a effect in shaping the findings obtained.
A Root Cause Analysis investigation was conducted by the Institute for Safe Medication Practices
Canada (ISMP Canada), using the investigative guidance provided in ISMP (2006). The full account of
both the incident, and its investigation is found in ISMP (2007), which was used as the data source to
inform our first ISF analysis (i.e., Sections 5.4.1 and 5.4.2).
11
Fluorouracil and Cisplatin are both drugs used in treating cancer.
12
Vincristine and Cytosine are both drugs used in treating cancer.
29
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
To advise the Chief Medical Officer on the areas of vulnerability in the process of
intrathecal injection of these drugs and ways in which fail-safes ight e uilt i . (Toft
2001)
[ISF-p85]
Four clinical experts were also appointed to assist this investigation, each highly regarded in their
respective fields. As in the investigation of the Fluorouracil incident, a chronological reconstruction
was also apparently used here, as the primary basis for supporting investigative inference. However,
there is no information in the report (Toft 2001) as to whether the investigative reasoning was
supported by a systematic method, methodology and/or model; or based solely on the expertise and
experience of the participating investigators and experts. Unlike in the Fluorouracil investigation,
neither the description of aspects of the incident, or the investigative reasoning were supported by
graphical representations in this report, where incident and investigation information was conveyed
mostly through a synthesised textual narrative. The full account of both the incident and its
investigation is found in Toft (2001), which was used as the data source to inform our second ISF
analysis (i.e., Sections 5.4.3 and 5.4.4).
The a al st s p io fa ilia it ith the Fluo ou a il incident, which could potentially
have facilitated an o ergeneration of ISF findings for this case – in comparison with
the Vincristine one. Here the keyword-search used helped to partially homogenise,
and systematise the method by which incident data was collected for the two
incidents, going beyond a purely heuristic approach.
30
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
The first is an assumption of the keyword-search strategy used, which ideally relies on
the fact that all references to entities in each report are both unique, and consistent
throughout. In retrospect, the natural usage of alternative forms of reference, through
pronouns, or abstract refe e e to olle ti es su h as the staff , was perhaps
inadequately accounted for by the keyword-search strategy used. This may have led to
undergeneration of participants, flows of information, and safety functions – where
some of the entities described in each report were in principle compatible with the ISF
framing of incidents (as described in Section 4), but inadvertently missed by the
analyst. Reinspection of each report after the ISF analyses was unable to satisfactorily
resolve these issues of referential ambiguity.
A second potential limitation is that the extra contextual information, provided by the
major formal structuring of each report, may not have been fully accounted for. In
particular, information conveyed by the major headings of each report was not
explicitly taken into account, as part of the simple data gathering methodology used.
Neither were these structural aspects deliberately omitted, however, in understanding
31
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
A third potential limitation is that the scope of reading around each keyword match
was rather ad hoc, based purely on the analyst being heuristically satisfied with the
sense-making of the text. Different analysts could have scoped such readings
differently, thus reducing the potential reliability/replicability of the detailed forms of
the two ISF models constructed (Sections 5.4.1, 5.4.3). Like Johnson et al. (2012), the
lack of methodological reliability is not perceived as inherently bad here, but as
instead enriching. This is a pluralistic, and basically constructivist perspective on issues
of methodological reliability. Despite the potential for variability in the specifics of the
ISF models constructed, we hypothesise that the reliability of the main issues
highlighted by the ISF analyses (discussed later in Section 6), will likely remain
relatively stable across different analysts, and ISF analyses of the same two reports.
In drafting this paper, we also discovered that the graphics presented in the report of
the Fluorouracil incident would have been missed by the simple keyword-search used.
This approach would have effectively skipped over the textual information contained
in these embedded graphics. Therefore reducing the chance that the information
within would be fully accounted for in each ISF analysis. However, this potential
limitation has little practical effect on the validity of our findings. As the graphics
missed were either otherwise described as part of the text searched (in the case of the
chronology graphic in ISMP, p16, 2007), or clearly inferential rather than factual (i.e.,
ISMP, p23-p29, 2007) – and thus not the kind of descriptive incident data we were
looking for.
32
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 8: Final ISF model identified for the flow of rate of infusion information in the Fluorouracil incident.
[ISF-p91]
Tables 1 and 2 summarise each constituent of this model. Table 1 summarises each of the links in
the information trajectory shown in Figure 8, describing the associated action for each. Table 2
summarises each of the safety functions in Figure 8 – identified by the numberings given.
Table 1: A summary of links in the rate of infusion information trajectory identified in Figure 8. The semantics
of these flows were discussed earlier in Section 4.3.
Links in the information Summary of associated action
trajectory
(i.e., rate of infusion information
flowed from A to B)
33
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Computerized Prescriber Order Pharmacy staff transcribed information from the CPOE
Entry (CPOE) system to pharmacy into the pharmacy information system.
technician.
Pharmacy technician to pharmacy Pharmacy staff transcribed information from the CPOE
information system into the pharmacy information system.
Table 2: A summary of safety functions identified to act on the rate of infusion information trajectory shown in
Figure 8. The semantics for relating these (negative) safety functions to the information trajectory was
described earlier in Section 4.4.
Safety Function identified Brief description
(the numbering corresponds to
the identifiers shown in Figure 8.
In this case all three were
negative safety functions)
1: Low index of suspicion for The relative lack of familiarity of RN #1 with the operating
unusual rate of infusion for new context and medication administration meant that RN #1
nurse would be less likely to be able to assure the correctness of
the rate of infusion i fo atio i eithe : a ‘N # s head,
or b) the infusion pump whilst programming.
2: Complex workload and Nurses in this work-context were routinely expected to deal
multitasking for nurses with complex workloads, and multitask between them. This
situation may reduce chances for consistent
communication to/from each nurse, as well as reducing the
chances of the rate of infusion information remaining
correct (through forgetting for example).
34
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 9: The subset of the ISF model shown in Figure 8 which answers Question 1 from Section 4.7.
Highlighting the parts of the information flows which have neither positive (i.e., correctness/consistency-
enhancing) nor negative (i.e., correctness/consistency-reducing) safety functions acting on them.
35
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 10: The subset of the ISF model shown in Figure 8 which answers Question 2 from Section 4.7.
Highlighting the parts of the information flows which have only negative safety functions acting on them.
36
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 11: Final ISF model identified for the flow of route of administration information in the Vincristine
incident.
[ISF-p94]
Tables 3 and 4 summarise each constituent of this model. Table 3 summarises each of the links in
the information trajectory shown in Figure 11, describing the associated action for each. Table 4
summarises each of the safety functions in Figure 11 – identified by the numberings given. Here
safety function 3 – from the Fluorouracil incident – was judged to be also relevant to the Vincristine
incident, under the same semantics as described in Table 2 earlier. For us, there were insufficient
contextual details to support the generalisation of safety functions 1 and 2, about infusions and
nurses respectively, to the Vincristine incident.
Table 3: A summary of links in the route of administration information trajectory identified in Figure 11. The
semantics of these flo s e e dis ussed earlier in Section 4.3.
Links in the information Summary of associated action
trajectory
(i.e., route of administration
information flowed from A to B)
37
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Syringe packaging label to Dr Dr Mulhem took the package containing the syringe
Mulhem with the Vincristine drug from Nurse Vallance. We
assumed that he also looked at the syringe packaging
label at this point.
Syringe label to Dr Mulhem Dr Mulhem read from the syringe label prior to handing
the syringe to Dr Morton.
Syringe label to Dr Morton Dr Morton read from the syringe label before
administering the Vincristine injection.
Table 4: A summary of safety functions identified to act on the route of administration information trajectory
shown in Figure 11. The semantics for relating these (positive and negative) safety functions to the information
trajectory was described earlier in Section 4.4.
Safety Function identified Brief description
(the numbering corresponds to the
identifiers shown in Figure 11, continuing
the numbering used in Table 2)
13
The syringe label is directly attached to the syringe containing the Vincristine drug, and different from the
syringe packaging label – which is attached to the packaging containing one or more syringes.
38
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
5: Physical and temporal separation of the The practice of separating the packaging
packaging and supply of drugs to the and supply of intrathecal and non-
wards intrathecal drugs reduced the chance of
inadvertent mix-ups. Therefore increasing
the chances that the route of administration
information displayed on the syringe and
syringe packaging label would be correct.
8: Lack of a rigorous checking procedure The doctors here did not have an explicit
for the doctors checking protocol to follow. This reduced
the likelihood that the route of
administration information in their heads
would be correct. Dr Musuka was not
included as being affected by this safety
function, because he was not directly
involved in the drug delivery process.
39
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 12: The subset of the ISF model shown in Figure 11 which answers Question 1 from Section 4.7.
Highlighting the parts of the information flows which have neither positive (i.e., correctness/consistency-
enhancing) nor negative (i.e., correctness/consistency-reducing) safety functions acting on them.
Figure 13: The subset of the ISF model shown in Figure 11 which answers Question 2 from Section 4.7.
Highlighting the parts of the information flows which have only negative safety functions acting on them.
40
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 14: The subset of the ISF model shown in Figure 11 which answers Question 3 from Section 4.7.
Highlighting the parts of the information flows which have both positive and negative safety functions acting
on them.
Figure 15: The subset of the ISF model shown in Figure 11 which answers Question 4 from Section 4.7.
Highlighting the parts of the information flows which have only positive safety functions acting on them.
41
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
14
It is o l pa tiall lea hat appi g eans from the report – which refers to the i fo atio a aila le,
se ue e of i fo atio , use of o o te i olog as e a ples of this apping.
42
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
that Dr Musuka was the Locum Consultant Haematologist responsible for the patient s edi al
maintenance programme (Toft, p10, p24, 2001). It is in this capacity, that we assume Dr Musuka to
have been the original prescriber of the Vincristine drug, intended to be given via the correct,
intravenous route of administration15. However, knowledge about other parts of the information
trajectory of the route of administration information remains relatively unknown, and incomplete.
[ISF-p99]
These discussions show how ISF may help to highlight more distal knowledge gaps in the flow, and
use of information. Each of the two information representations analysed were significant to their
respective incidents. As such the relatively incomplete knowledge of their information flow patterns
is perhaps surprising. One explanation may be through appealing to the What-You-Look-For-Is-What-
You-Find principle (Lundberg et al. 2009), where the specific approach used in engaging with an
incident situation, could significantly shape the salient subset of its underlying features investigated.
In both investigations, it would appear that the approach used did not facilitate a specific focus – on
the more distal progression, and use of either of the two information representations analysed. If
the two ISF analyses described in this paper were conducted as part of an ongoing investigation,
further data collection would be needed to better understand these latent aspects. This argument is
a specific form, of the widely recognised need to go beyond an account of only the proximal issues in
understanding incidents (e.g., Reason 1990). Here we suggest that a deeper understanding of the
latent aspects of information flow and use, is likely to enhance our chances of effectively intervening
to improve the information safety of work-systems.
[ISF-p100]
These discussions are not intended to disparage the efforts of the original investigators and
investigations. But only to illustrate one way in which ISF may enrich investigative understanding.
Incidents are often inherently complex, and it is helpful to have systematic methodological support
in dealing with their various aspects. Here the relatively sparse nature of each of the ISF models
identified, helped to highlight gaps in distal investigative knowledge about the flow, and use of both
the information representations analysed.
15
A copy of the original prescription chart, demonstrating this correctly prescribed route of administration by
Dr Musuka, is included in Toft (Appendix 7, 2001).
43
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Criti al i for atio as ot learl apped a o g the edi atio order, the
edi atio ad i istratio re ord MA‘ , the phar a la el, a d the i fusio pu p
(ISMP, p19, 2007)
[ISF-p104]
This is another version of the same information given on (ISMP, p39, 2007 . He e the edi atio
order see s to e o efe i g to a spe ifi artefact, rather than a collection of related orders for
supporting the giving of medication. Similar usage of both the collective, and singular style of
reference is distributed throughout other places in the report used. This may be confusing to
understand for a reader. In this case the analyst was eventually unable to commit to what/which
pa ti ipa t a edi atio o de a tuall efe s to, with respect to the Fluorouracil incident. This
artefact was therefore not eventually included as a participant in the ISF model constructed. The
identification of specific i fo atio al participants (i.e., Section 4.6.2), has here necessitated the
related decision, of whethe a edi atio o de ought to e i luded as one of the participants in
the information trajectory identified. This helped to highlight a particular point of ambiguity, in
understanding the relevant informational participants of the incident. Such referential ambiguity
may be purely communicative, but may also reflect an area of ambiguous incident understanding. In
the second case, further investigative clarification may help better understand the use of rate of
infusion information in the Fluorouracil incident.
[ISF-p105]
In the case of the Vincristine incident, nurse Vallance remarked to Dr Morton about an intrathecal
injection (Toft, p26, 2001). This link in the information flow was represented in Figure 11 (i.e., the
nurse Vallance to Dr Morton link in the figure). This part of the ISF model represents the
investigative hypothesis, that u se Valla e s e a k – about the intrathecal route of
administration – informed Dr Morton in his work. In an investigation, it would be useful to confirm
hethe this o e t did i fa t ha e a effe t o D Mo to s actions. On re-inspecting the
report, there was little support found either for, or against this particular hypothesis. Here the
commitment to a particular information trajectory has highlighted another point of ambiguity, which
may have further enriched incident understanding if resolved. In the general case, further
discussions with incident participants may help to clarify the validity of each link in an ISF
information trajectory.
44
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Question 1: Which parts of the information flows have neither positive (i.e.,
correctness/consistency-enhancing) nor negative (i.e., correctness/consistency-reducing)
safety functions acting on them?
Question 2: Which parts of the information flows have only negative safety functions
acting on them?
Question 3: Which parts of the information flows have both positive and negative safety
functions acting on them?
Question 4: Which parts of the information flows have only positive safety functions
acting on them?
Figures 9, 10, 12, 13, 14 and 15 provide objective answers16 to these questions, in the form of
subsets of the ISF models highlighted by these figures. The more subjective interpretations of these
objective answers, offered as part of the ISF description in Section 4.7, are intended to be neither
prescriptive, nor exhaustive in nature.
[ISF-p107]
Treating the two illustrative ISF models (i.e., Figures 8 and 11) formatively, they represent semi-
certain investigative hypotheses to be finalised, for instance perhaps during the initial part of an
investigation. Under the formative interpretations suggested in Section 4.7.1, we ought to double-
check the completeness of investigative understanding – through trying to identify the other safety
functions acting on the subset of the information trajectory highlighted, in both Figures 9 and 10. In
the case of the Vincristine incident, the same point applies for the subsets of the flows highlighted in
Figures 12, 13 and 15. This is one way in which ISF may help to partly guide the formative stages of
investigation.
[ISF-p108]
Treating the two ISF models summatively, they represent relatively certain investigative hypotheses.
Under the summative interpretations suggested in Section 4.7.2, the following implications follow.
Figures 9 and 12 are the subsets of each ISF model answering Question 1 (i.e., no positive or
negative safety functions acting), highlighting places where substantive system performance
variability may exist. The apparent lack of perceived, or actual s ste ontrol – in the form of no
safety functions – suggest that the use, and flow of correct and consistent information is likely to be
largely uncontrolled (both artificially, or more naturally); and unpredictable in future in these parts.
The lack of actual control potentially leads to unforeseen breakdowns in the use of information
16
These a s e s a e o je ti e , in a similar sense to the minimal-cutsets available after the more subjective
initial step of creating the fault-tree in fault tree analysis; or other similar o je ti e structure-based
operations and manipulations, in the context of a particular mathematical-logical formalism.
45
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
(re)occurring. For these parts, it may be worthwhile to consider if, and how positive safety functions
may be designed and implemented. Such safety functions could help assure the use of correct and
consistent information in future, thus improving information safety in these parts.
[ISF-p109]
Answers to Question 2 (i.e., only negative safety functions acting) are shown in Figures 10 and 13.
These suggest areas of particular priority, in considering where the work-system needs to be
improved. In these areas there are no positive safety functions to offset the effects of the negative
safety functions. This indicates where information representations are particularly likely to become
incorrect, or be inconsistently propagated in future. Here it may be useful to consider what positive
safety functions are necessary, to offset the negative ones. In addition, it may be useful to also
consider whether any of the negative safety functions identified may be so eho emoved , or
how their negative impact on the information trajectory may be reduced.
[ISF-p110]
In answer to Question 3 (i.e., both positive and negative safety functions acting), Figure 14 highlights
an area of a work-system, where informed judgement and expertise is particularly needed from
investigators – to weigh up whether information may become incorrect, or inconsistently
propagated again in the future. In the case of limited time and resources for investigation, the
answer to this question provides a way to selectively prioritise the application of investigative
expertise, to the more difficult areas of incident understanding requiring heuristic judgement and
intuition. Relatedly, Figure 15 shows the answer to Question 4 (i.e., only positive safety functions
acting). This subset of the ISF model highlights where investigators may assess whether the set of
positive safety functions acting are sufficiently safe for supporting work – bearing in mind the
particular forms, and degree of ephemerality of each positive safety function identified for these
parts of the information trajectory.
46
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 16: Using semantics similar to the information trajectory shown in Figure 5, this figure shows a
generalisation of three-participant comparative checking to arbitrary numbers of participants. In each case P1,
P2 etc. denote different participants, and P1 is the participant who could potentially do a s h o ised heck
between the incoming information representations. In principle, any combination of human/non-human
participants may be involved in this generic checking process.
[ISF-p112]
In the Fluorouracil incident for example, nurse RN #2 did a passing check to confirm the rate of
infusion programmed by nurse RN #1 (RN #2 to RN #1 link); In the same case, Nurse RN #1 also read
the pharmacy label (Pharmacy label to RN #1 link). Such an ISF model fragment corresponds to
Figure 16a. If these two flows occurred at basically the same time in future, then any discrepancies
found in comparing between these two sources of information, would invariably indicate that one of
the t o i o i g i fo ation representations must be wrong. So long as we know that the rate of
infusion ought to ideally remain the same, then a temporal synchronisation of these two flows is in
principle a generic means of improving information safety – regardless of the specific rate used. In
this case RN #1 would compare between these two incoming flows, to check that the rate of infusion
is indeed identical between them.
[ISF-p113]
A larger example from the Vincristine incident, is in terms of the four flows of information identified
as goi g i to D Mo ton. Such an ISF model fragment corresponds to Figure 16b. The flows were
the following, from left to right in Figure 11:
47
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
[ISF-p114]
Based on the account provided in the report, these actions were in the following chronological
order:
1st action: Nurse Vallance remarked to Dr Morton about an intrathecal injection (Link 4);
2nd action: Dr Morton confirmed the route of administration with Dr Mulhem (Link 2);
3rd action: Dr Morton read from the syringe label before administering the Vincristine
injection. (Link 3);
4th action: Dr Morton consulted the prescription chart (Link 1).
[ISF-p115]
In this case, if it were possible to temporally synchronise two or more of these four incoming flows
of information, and compare between them, we may increase the chances of catching errors in the
flow and use of route of administration information. In principle, Dr Morton could compare between
these incoming flows, to check that the route of administration is indeed the same between them. In
general, larger number of incoming sources to the same i fo atio al participant , inherently
affords greater potential for error detection, since additional paths of redundancy are available for
checking. When one or more of the incoming flows disagree, about an information representation
which ought to be the same, one or more of their respective sources is necessarily wrong. In such
cases, the participant doing the checking need not have any knowledge of the right information
representation, in order to comparatively check for identity, and potential error.
[ISF-p116]
To summarise, each single branch of an ISF model represents one part of the flow of a particular
information representation. Although ISF imposes normal chronological ordering between pairs of
participants in the overall flow (see Section 4.3.2)17, there are no specific restrictions on the
chronological relationship between multiple branches of an ISF model. In the case that multiple such
a hes a e ide tified to e i o i g ith espect to a particular participant, an explicit
synchronisation of (previously) temporally dispersed actions, may facilitate extra error-detection
opportunities in future. In the context of the wide-scoped Distributed Cognition notion of
information representation used in this paper, this kind of checking process is potentially useful –
regardless of the specific information being checked, and the human, or non-human nature of the
participants i its flo . One simply needs to s h o ise the multiple incoming flows, such that
the pa ti ipa t e ei i g these flo s are able to explicitly compare between each incoming source.
For humans, this checking may need to be done within a limited time-window, due to natural
cognitive, and memory limitations. In the case of non-human participants who are coordinating this
checking (implemented in a computer participant for example), such human limitations do not apply
in the same way. In the context of the Vincristine incident, one can in principle imagine a
counterfactual situation; where a comparison by Dr Morton between the route of administration
information provided by Nurse Vallance, Dr Mulhem, the syringe label, and prescription chart could
perhaps have reduced the chances of the Vincristine being administered via the wrong intrathecal
route18. Neither the original investigations of each of the two patient safety incidents, or an
independent analysis of the Vincristine one by Reason (2004), identified the generic class of
17
And by consequence also imposes chronological ordering throughout the entirety of a single branch of the
information trajectory identified.
18
We would obviously need to consult with the original incident site, to know the extent to which such a
change to the existing work-flow may or may not be practical.
48
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
interventions discussed in this section (afforded by the ISF models constructed). This is presumably
because of the different perspectives of incident, system and interactions used in those three
analyses.
19
Part of this issue also relates to the relative lack of systematic (Lindberg et al. 2010), and standardised
(Ziedelis and Noel 2011) evaluation of proposed tools.
20
We do not suggest that all investigations are theoretically unsound, but only that this is a possibility in some
cases.
49
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
1) the need for sound theoretical rationale in conceptualising an incident, and systematic
methodology for supporting investigation, and
2) the need for the approach proposed to be potentially usable in investigative practice.
[ISF-p121]
In this paper we do not discuss the usability of ISF models in investigative practice, to be explored as
part of future research. For now, we focus on explaining the advantages which we perceive ISF
models to have, over two simple representational structures used in patient safety investigation.
These are the chronology and causal tree/net, often suggested as part of some variant of Root Cause
Analysis – in this emerging area of research and practice (Vincent and Hewett 2013). In terms of
directing investigative attention, theoretically informed representations help to more clearly
distinguish, between aspects of an incident which are more, or less important to consider. The
deductive utility of their underpinning rationale, can also in principle be better inspected, and
constructively critiqued. As suggested by Lindberg et al. (2010), we pay close attention to the
underlying conceptualisations of approaches in the discussions that follow.
Figure 17: A partial reproduction of the chronology figure from ISMP (2007, p16). The dotted arrows here
depict other parts omitted due to space limitations. The box on the top left of this figure is the first event
identified in this chronology.
50
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
[ISF-p123]
As a representational structure, such chronologies are consistent with our intuitions about history
and narrative. However, as part of a theoretical basis for systematically understanding incidents (as
suggested in ISMP, p23-25, 2006), a simple chronology provides only weak support for distinguishing
between the more and less important aspects of incidents. The determination of the relevance of
the various aspects of an incident is left as an informed, yet highly subjective judgement. With only
the constraint of temporal precedence to be satisfied, in formulating the chronological
representations thus obtained.
[ISF-p124]
Picking a somewhat arbitrary example from Figure 17, why is the fact that the patient was seen at a
Head & Neck clinic (on Friday, July 28) of significant relevance to the evolution of the Fluorouracil
incident? Why is this particular interaction of more significance, than any of the many other
interactions which must have been occurring at the same time in this incident setting? In focusing
specifically on the informational aspects of incident evolution, ISF supports a more selective
approach to investigation. In particular, ISF models provide a clear direction for understanding what
ought to be investigated next, by encouraging the analyst to map out only the i fo atio al parts
of an incident, directly relevant to the informational issues being investigated. An active role for such
externalised representations is proposed as part of ISF, to help investigators systematically focus on
critical informational issues in investigation. In light of the complexities of patient safety incidents,
and the often limited time and resources for their investigation, our ISF models may help more
clearly distinguish the parts of an incident that are highly relevant, from the mass of other
(chronological) details that may plausibly be of some interest. While we do not claim that
chronologies have no useful role, we do suggest that their limited theoretical utility needs to be
carefully considered.
Figure 18: A reproduction of part of the causal tree identified, as part of the Root Cause Analysis described in
ISMP (2007, p25). The dotted arrows/line depicts links to other parts of the tree (omitted due to space
limitations).
Figure 18 shows a small extract from the root-cause tree, identified as part of the investigation
described in ISMP (2007). As it stands, such representational structures form highly ambiguous
statements about the causal relationships perceived, and have significantly divergent plausible
interpretations. For example, the representation shown in Figure 18 does not require an analyst to
51
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
commit to a specific causal relationship, perceived between the three factors/causes shown.
Amongst other possibilities, the two causes on the right hand side of Figure 18 can be plausibly
interpreted both conjunctively (i.e., as necessary causes), or disjunctively (i.e., as individually
sufficient causes), to cause the la el to e ot i a o d ith i fo atio eeded the nu ses .
These two interpretations would lead to quite different logical consequences for effective
intervention. Here the original causal understanding is represented in a form that is under-qualified,
and difficult to retrieve, negatively impacting on the usability of such representations, in informing
the safety work of other investigators and practitioners. Such ambiguity is further compounded, by
the relatively imprecise natural language constructs used to describe each of the three causes. Note
that we are not discussing issues of validity in causal inference here, but issues of interpretative, and
communicative precision. ISMP (2006) provides only loose guidance on how such causal
representations should be interpreted.
[ISF-p126]
Another potentially subversive feature of such representations is in their potential for
communicating causal-certainty. A naïve, yet plausible reading is to treat the representation shown
in Figure 18 as a stable causal relationship – holding irrespective of context. Such a reading is both
difficult to justify in theory, and gain scientific and/or investigative evidence for.
[ISF-p127]
In contrast, the safety functions aspect of ISF (e.g., Section 4.4, Figures 8 and 11) recognises, and
explicitly represents the inherent uncertainties in approximating causal relationships, and their
partly contingent nature. An analyst is encouraged to describe causality in terms of four types of
relationships, defined specifically in terms of increases and reductions to probabilities, in assuring
the flow of correct and consistent information. The semantics of ISF are intended to avoid painting a
critically oversimplified picture, of the complex and often subtle causal relations of reality. Through
explicit representation of the uncertainties in causal inference, the ISF safety function definitions will
hopefully help reduce the potential to overlook as many u k o -u k o s Le eso –
these are causal factors, or facilitating conditions that may be overlooked in investigation, yet are
actually critical to improving safety in reality. In comparison with representations like the one shown
in Figure 18, the arguably more precise formulation of causal understanding encouraged by ISF, is
likely to act as a positive safety function, in supporting the consistent coordination of causal
information representations across different investigative settings.
52
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Like McDonald et al. (2010), we believe that methodological transparency in investigation is a good
idea in principle, irrespective of the degree to which particular lines of investigative reasoning are
adequate simplifications of reality. Our early thinking and design emphasis has focussed on a
rational theoretical framing of incidents and systems, rather than on the many other aspects of
investigation. One of these aspects is in supporting the analyst in making an explicit, and transparent
connection between incident data, and the inferences made. This is not yet well-supported in ISF,
thus potentially limiting the degree of success for inter-subjective reasoning using it. Addressing
these issues of transparency in representing reasoning, is likely to help improve the potential for the
products of investigations to effectively inform others. Such explicit contextualisation of
investigative reasoning is also likely to more broadly help progress the science of safety.
[ISF-p131]
The pote tial fo u de ge e atio , in identifying salient issues, is another common problem not yet
addressed in detail in ISF. Due to natural cognitive limitations, it is always difficult to be certain of
identifying all the issues, that are in principle compatible and consistent with the particular approach
used21. In terms of the findings presented in this paper, the inherent and significant ambiguities of
the incident data sources used, partly explains the relatively sparse nature of the ISF models
21
This point is applicable to any approach, irrespective of its ad hoc, or more systematic nature.
53
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
identified. However, additional t igge i g ta o o ies – similar to the six categories suggested in
ISMP (2006, Appendix C) – could perhaps help to ensure better coverage of the candidate safety
functions of ISF.
[ISF-p132]
Hollan et al. (2000) makes the point that:
[END OF MARKUP]
54
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Article 2 – Secret council files found on Morse set (Dunne 2012, summary)
This article reported on a case where dozens of confidential files were found at an abandoned town
hall in London. These confidential files included sensitive social services reports, which should not
have been left in this abandoned town hall by the local council responsible for the safekeeping of
these files.
How does this case relate to the Distributed Cognition notion of information representation?
From reading this article, it is possible that an accidental propagation of the wrong location
information representation may have occurred – with respect to the files left in the abandoned town
hall. Assuming that understanding the use of location information was a substantive consideration in
the investigation subsequently done, ISF could be used to model and understand its flow through
the socio-technical work-system of the local council, together with the related safety functions
which may have shaped this flow.
55
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
and poor communications as the two main contributory factors. This i ide t as a high-profile
and well-publicised one, especially in the UK media.
How does this case relate to the Distributed Cognition notion of information representation?
There are potentially many information representations which may be worth looking at in this case.
Without knowing more about the precise details, we can only tentatively suggest one for illustrative
purposes here.
A potentially useful line of inquiry here may be to look at the flow of the availability-status
information representation through the socio-technical management system of G4S (and perhaps
also their counterparts in the form of the London Organising Committee of the Olympic and
Paralympic Games). Here ISF could potentially be used to investigate the various safety functions
that may or may not have supported the correct and consistent flow of this availability-status
information – for each candidate security officer provisionally recruited by G4S in the time leading
up to the Olympics.
56
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
References
Artman, H., Garbis, C., 1998. Team communication and coordination as Distributed Cognition. In: Proceedings
of 9th Conference of Cognitive Ergonomics: Cognition and cooperation, pp.151-156.
Burns, C.P., 2000. Analysing accident reports using structured and formal methods. PhD thesis, University of
Glasgow.
Cohen, M.R. (Ed.), 2007. Medication Errors, 2nd Edition. American Pharmacists Association, Washington, USA.
Dechy, N., Dien, Y., Funnemark, E., Roed-Larsen, S., Stoop, J., Valvisto, T., Arellano, A.L.V., 2012. Results and
lesso s lea ed f o the E“‘eDA s A ide t Investigation Working Group: Introducing a ti le to “afet
“ ie e spe ial issue o I dust ial E e ts Investigation . “afet “ ie e 50(6), 1380-1391.
Dunne, J., 2012. Secret council files found on Morse set. London EVENING STANDARD, 3 October 2012: 23.
(http://www.standard.co.uk/news/secret-council-files-containing-private-personal-data-found-on-morse-
set-8195506.html, accessed 10/9/2013)
ESReDA Working Group on Accident Investigation, 2009. Guidelines for safety investigations of accidents.
European Safety, Reliability and Data Association.
Federico, F., 2011. The Five Rights of Medication Administration. Institute for Healthcare Improvement
(http://www.ihi.org/knowledge/Pages/ImprovementStories/FiveRightsofMedicationAdministration.aspx,
accessed 26/7/2013)
Furniss, D., Blandford, A., 2006. Understanding emergency medical dispatch in terms of distributed cognition:
A case study. Ergonomics 49(12-13), 1174-1203.
Galliers, J., Wilson, S., Fone, J., 2007. A method for determining information flow breakdown in clinical systems.
International Journal of Medical Informatics 76(Supplement 1), S113-S121.
Giere, R., 2002. Scientific cognition as distributed cognition. In: Carruthers, P., Stich, S., Siegal, M. (Eds.), The
cognitive basis of science, pp. 285-299. Cambridge University Press.
Halverson, C.A., 2002. Activity Theory and Distributed Cognition: Or what does CSCW need to DO with
theories? Computer Supported Cooperative Work 11(1-2), 243-267.
Harms-Ringdahl, L., 2009. Analysis of safety functions and barriers in accidents. Safety Science 47(3), 353-363.
Hollan, J., Hutchins, E., Kirsh, D., 2000. Distributed Cognition: Toward a new foundation for Human-Computer
Interaction research. ACM Transactions on Computer-Human Interaction 7(2), 174-196.
Hollnagel, E., 2004. Barriers and accident prevention. Ashgate Publishing Limited.
Hollnagel, E., 2008. Risk + barriers = safety? Safety Science 46(2), 221-229.
Hollnagel, E., Speziali, J., 2008. Study on developments in accident investigation methods: A survey of the
“tate-of-the-A t . ‘epo t : , “KI.
Home Affairs Committee, 2012. Seventh Report, Olympics security.
(http://www.publications.parliament.uk/pa/cm201213/cmselect/cmhaff/531/53102.htm, accessed
10/9/2013)
Hopkins, A., 2013. Issues in safety science. Safety Science. In Press, Corrected Proof, DOI:
http://dx.doi.org/10.1016/j.ssci.2013.01.007.
Huang, H., Ruksenas, R., Ament, M.G.A., Curzon, P., Cox, A., Blandford, A., Brumby, D., 2011. Capturing the
distinction between task and device errors in a formal model of user behaviour. Electronic
Communications of the EASST 45.
Huang, H., Curzon, P., White, G., Blandford, A., 2013a. Building up conceptual models of two patient safety
incidents using the Information Safety Framework. (see the supplementary paper on pp61 - 69)
Huang H., Curzon P., White G., Blandford, A., 2013b. Learning from iatrogenic incidents: A novel framework for
investigating, understanding and communicating information-based medical error. Oral presentation,
Communicating Medical Error, Ascona, Switzerland (http://www.come.usi.ch/, no proceedings).
Hutchins, E., 1995a. Cognition in the Wild. The MIT Press.
Hutchins, E., 1995b. How a cockpit remembers its speeds. Cognitive Science 19(3), 265-288.
57
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Hutchins, E., 2000. The cognitive consequences of patterns of information flow. Intellectica 1(30), 53-74.
Hutchins, E., 2001. Cognition, Distributed. International Encyclopedia of the Social & Behavioral Sciences,
2068-2072.
ISMP Canada, 2006. Canadian Root Cause Analysis Framework: A tool for identifying and addressing the root
22
causes of critical incidents in healthcare . (http://www.ismp-canada.org/rca.htm, accessed 28/9/2012)
ISMP Canada, 2007. Fluorouracil Incident Root Cause Analysis. (http://www.ismp-
canada.org/download/reports/FluorouracilIncidentMay2007.pdf, accessed 12/9/2013).
Johnson, C.W., 2003. Failure in Safety-Critical Systems: A Handbook of Accident and Incident Reporting.
University of Glasgow Press.
Johnson, C.W., Oltedal, H.A., Holloway C.M., 2012. Comparing the identification of the recommendations by
different accident investigators using a common methodology. In: Proceedings of the 7th IET Conference
on Systems Safety and CyberSecurity, Edinburgh, Scotland.
Katsakiori, P., Sakellaropoulos, G., Manatakis E., 2009. Towards an evaluation of accident investigation
methods in terms of their alignment with accident causation models. Safety Science 47(7), 1007-1015.
Leveson, N., 2004. A new accident model for engineering safer systems. Safety Science 42(4), 237-270.
Leveson, N., 2011. Engineering a safer world: Systems thinking applied to safety. The MIT Press.
Lindberg, A.-K., Hansson, S.O., Rollenhagen, C., 2010. Learning from accidents – What more do we need to
know? Safety Science 48(6), 714-721.
Liu, Z., Nersessian, N.J., Stasko, J.T., 2008. Distributed Cognition as a theoretical framework for information
visualization. IEEE Transactions on Visualization and Computer Graphics 14(6), 1173-1180.
Lundberg, J., Rollenhagen, C., Hollnagel, E., 2009. What-You-Look-For-Is-What-You-Find – The consequences of
underlying accident models in eight accident investigation manuals. Safety Science 47(10), 1297-1311.
Masci, P., Huang, H., Curzon, P., Harrison, M.D., 2012. Using PVS to investigate incidents through the lens of
distributed cognition. In: Goodloe, A.E., Person, S. (Eds.), Proceedings of the 4th NASA Formal Methods
Symposium, Lecture Notes in Computer Science 7226, pp. 273-278. Springer.
METRO, 2012. Free f i g pa s lea e egg o fa e. METRO, 3 October 2012: 21.
(http://e-edition.metro.co.uk/home.html, accessed 10/9/2013).
McDonald, T.B., Helmchen, L.A., Smith, K.M., Centomani, N., Gunderson, A., Mayer, D., Chamberlin, W.H.,
2010. Responding to patient safety incidents: the se e pilla s . Quality and Safety in Health Care 19(6):
e11.
Nardi, B.A., 2002. Coda and Response to Christine Halverson. Computer Supported Cooperative Work 11(1-2),
269-275.
Nersessian, N.J., 2009. How do engineering scientists think? Model-based simulation in biomedical engineering
research laboratories. Topics in Cognitive Science 1(4), 730-757.
Rajkomar, A., Blandford, A., 2012. Understanding infusion administration in the ICU through Distributed
Cognition. Journal of Biomedical Informatics 45(3), 580-590.
Reason, J., 1990. Human Error. Cambridge University Press.
Reason, J., 2004. Beyond the organisational accident: the eed fo e o isdo o the f o tli e. Quality
and Safety in Health Care 13(Suppl II), ii28-ii33.
Reddy, M.J., 1979. The conduit metaphor: A case of frame conflict in our language about language. In: Ortony,
A. (Ed.), Metaphor and thought, 2nd Edition, pp. 164-201. Cambridge University Press.
Roelen, A.L.C., Lin, P.H., Hale, A.R., 2011. Accident models and organisational factors in air transport: The need
for multi-method models. Safety Science 49(1), Pages 5-10.
22
This document was updated in 2012, readers interested in the 2006 version should contact ISMP directly, or
contact us for a copy.
58
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Saleh, J.H., Pendley, C.C., 2012. From learning from accidents to teaching about accident causation and
prevention: Multidisciplinary education and safety literacy for all engineering students. Reliability
Engineering and System Safety 99, 105-113.
Sellberg, C., Susi, T., 2013. Technostress in the office: A Distributed Cognition perspective on human-
technology interaction. Cognition, Technology & Work.
Sklet, S., 2004. Comparison of some selected methods for accident investigation. Journal of Hazardous
Materials 111(1-3), 29-37.
Snijders, C., van Lingen, R.A., Klip, H., Fetter, W.P.F., van der Schaaf, T.W., Molendijk, H.A., 2009. Specialty-
based, voluntary incident reporting in neonatal intensive care: Description of 4846 incident reports.
Archives of Disease in Childhood – Fetal and Neonatal Edition 94(3), F210-F215.
Stoop, J., Roed-Larsen, S., 2009. Public safety investigations – A new evolutionary step in safety enhancement?
Reliability Engineering & System Safety 94(9), 1471-1479.
Svenson, O., 2000. Accident Analysis and Barrier Function (AEB) Method: Manual for incident analysis. SKI
report 00:6, Swedish Nuclear Power Inspectorate project number 97176.
Sweeney, D.E., 2009. The aetiology of error: Cognitive profiling events within the mining industry. PhD thesis,
The University of British Columbia.
Ta g, C.“.C., . “tud i g u ses i fo mation flow to inform technology design. PhD thesis, University of
Calgary.
Toft, B., 2001. E te al I ui i to the ad e se i ide t that o u ed at Quee s Medi al Ce t e, Nottingham,
4th January 2001. United Kingdom Department of Health.
Underwood, P., Waterson, P., 2013. Systemic accident analysis: Examining the gap between research and
practice. Accident Analysis and Prevention 55, 154-164.
Vincent, C., Hewett, D., 2013. The investigation and analysis of clinical incidents. In: Youngberg, B.J. (Ed.),
Patient safety handbook, 2nd Edition, pp. 111-123. Jones & Bartlett Learning, LLC.
Wimmer, R.D., Dominick, J.R., 2012. Mass media research: An introduction (10th Edition). Cengage Learning.
Wright, P.C., Fields, R.E., Harrison, M.D., 2000. Analyzing Human-Computer Interaction as Distributed
Cognition: The Resources Model. Human-Computer Interaction 15(1), 1-41.
Xu, L., Clarke, D., 2012. What does Distributed Cognition tell us about student learning of science? Research in
Science Education 42(3), 491-510.
Ziedelis, S., Noel, M., 2011. Comparative analysis of nuclear event investigation methods, tools and techniques.
European Commission, Joint Research Centre, Institute for Energy.
Zotov, D.V., 2006. Grappling with complexity: Finding the core problems behind aircraft accidents. PhD thesis,
Massey University, New Zealand.
59
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
60
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
(Supplementary paper)
Building up conceptual models of two patient safety incidents
using the Information Safety Framework
1
Huayi Huang, 1Paul Curzon, 1Graham White, 2Ann Blandford
1
Cognitive Science Research Group, Queen Mary University of London.
{huayi.huang, p.curzon, graham.white}@qmul.ac.uk
2
UCL Interaction Centre, University College London.
a.blandford@ucl.ac.uk
1. Introduction
This document reconstructs the ‘final’ line of reasoning taken by the first author, in
constructing conceptual models of incidents using a prototypical version of the Information
Safety Framework (ISF). ISF was used to help understand and reframe incident data, drawn
from the investigation reports for two independent incidents. This document is based on
notes taken as part of the ISF analyses done between late May and early July 2012. These
earlier notes include other less certain lines of reasoning not presented here.
The first of the two incidents analysed involved an overdose of Fluorouracil [1], and the other
involved an injection of Vincristine via the wrong route of administration [2]. Inline citations to
the two reports are used throughout this document, to explicitly link the reasoning described
to incident data from the reports. The specific references presented are indicative rather than
exhaustive.
not know whether either of the nurses did, or did not in fact use the handwritten MAR to
inform them specifically of the rate of infusion information. We do not know whether this rate
information was available as part of the electronic signing off done by nurse RN #1. We do
not know whether nurse RN #2 was primarily responsible for the infusion given to the patient.
Nurse RN #2 did a passing check only at the request of RN #1 [1, p13]. Nurse RN #2 clearly
had to have obtained information about the rate of infusion from somewhere in order to be
able to do this checking. Here we assumed that the handwritten MAR was used to inform
nurse RN #2’s knowledge of the correct rate (prior to her signing off on it). It was unclear to
us where the information in the handwritten MAR came from. This therefore formed one
stopping point for modelling the flow of information, due to a perceived lack of further clear
incident knowledge. Since RN #1 seemed to have used the pharmacy label to inform her
knowledge of the rate of infusion, it was unnecessary for us to make a similar assumption of
RN #1 also using the handwritten MAR to gain knowledge of the rate information.
We found insufficient incident data to fully and clearly trace back the flow of rate of infusion
information – from the pharmacy label to its source and ‘creator’. It was also unclear who
prescribed the chemotherapy order used in the first place. The chemotherapy order was
entered into the pharmacy information system by a pharmacy technician [1, p12-13]. We
assumed that the rate of infusion information was included as part of this order. Pharmacists
were also involved in this part of the information flow, but it was unclear whether multiple
pharmacists were involved, and how their involvement related to the rate of infusion
information specifically [1, p12-13]. The pharmacy technician clearly transcribed the rate
information from somewhere else into the pharmacy information system. In this case a
computerized prescriber order entry (CPOE) system seemed to exist separately from the
pharmacy information system. The CPOE system was used to inform the pharmacy staff as
to what must be entered into the pharmacy information system [1, p33]. We conjectured that
the pharmacy label was generated by the pharmacy information system. Figure 1 shows the
ISF model of the information flows identified.
62
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Safety function 1: Low index of suspicion for unusual rate of infusion for new nurse
We know that nurse RN #1 was new to the day care unit where the patient was being cared
for. This was the first time RN #1 administered a 4-day Fluorouracil infusion [1, p18]. The
rate of infusion calculated was apparently not so unusual for other similar infusions in the
clinic [1, p18]. The report holistically summarised these contributory factors, as resulting in a
‘low index of suspicion’ regarding the high infusion rate calculated. A reported consequence
of RN #1’s relative unfamiliarity with the work-setting and particular administration protocol
used, was that no subsequent mental approximation of the calculated rate was done [1, p18].
function may potentially apply to all such ‘new’ nurses, in a position similar to RN #1 at the
time of this incident.
Nurses in the day care unit where the patient was being cared for were expected to deal with
complex workloads, and often multitask between different parts of this workload
simultaneously [1, p20]. In this situation, information (such as the rate of infusion) may
potentially be communicated both to and from such nurses inconsistently (through
misreading/mishearing for example). The additional cognitive load that may be induced
through routinely needing to simultaneously manage the individual subtasks of these
complex workloads, also reduces the chances for information representations to remain
correct within the nurses’ heads (through an increased chance of forgetting for example).
This contextual aspect of the system was interpreted by us as reducing the probability of the
rate of infusion information being consistently transmitted either to or from the nursing staff
involved in this incident (i.e., RN #1 and RN #2). This aspect was also interpreted as
reducing the probability of the rate of infusion information remaining correct in these nurses’
heads.
As part of the events leading up to the incident, the report notes that human transcription of
information affords the potential for errors to inadvertently occur [1, p33]. In this particular
case a mistranscription of the volume of Fluorouracil to be infused apparently occurred as
part of the drug preparation activities in the pharmacy part of the work-system (although it is
unclear precisely how this particular mistranscription occurred) [1, p33]. ‘Fallible human
transcription’ was conjectured as an aspect of the work-context that was readily applicable in
a general way, as it is clearly in general unrealistic to expect human transcription to occur
routinely with 100% accuracy. This contextual aspect was assumed to reduce the probability
of the rate of infusion information being consistently transmitted either to or from any human
participants in such a system. The patient did not ‘transcribe’ information, due to being the
passive destination for the rate information, so was not included in the functional scope of
this particular safety function.
64
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 2: An ISF model of the safety functions affecting the flow of the rate of infusion
information representation in the Fluorouracil incident. The numbered circles correspond to
how the safety functions identified relate to the flows shown in Figure 1.
earlier about the (intrathecal) route of drug administration for the patient [2, p26]. Dr Musuka
wrote out the patient’s prescription chart [2, p24] (it was unclear who the original prescriber
of the patient’s chemotherapy treatment was). Dr Mulhem consulted the prescription chart [2,
p28]. Dr Mulhem also read from the syringe label prior to handing the syringe to Dr Morton [2,
p28]. We assumed that when Dr Mulhem took the packet containing the syringe with the
Vincristine drug from Nurse Vallance [2, p27] he also looked at the syringe packaging label.
The pharmacy database was used to generate both the syringe label, as well as the syringe
packaging label [2, p13].
The report states that the pharmacy database was constrained, such that only the three
drugs used for intrathecal chemotherapy could be labelled for intrathecal use [2, p13]. Since
the pharmacy database automatically generates both the syringe, and syringe packaging
labels [2, p13], this aspect of the work-system was interpreted as a safety function that helps
to preserve the consistency of the route of administration information – between its
representation in the pharmacy database, and the two types of labels generated. Further
specific details about how this constraint was achieved is not provided by the report, though
66
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
a relatively strong enforcement mechanism is implied for preserving the consistency of route
of administration information at this point in the overall flow.
Safety function 5: Physical and temporal separation of the packaging and supply of
drugs to the wards
The intrathecal and non-intrathecal drugs (prepared in the Sterile Production Unit) are
physically and temporally separated [2, p16], to help ensure that the route of administration
displayed on both the syringe, and syringe packaging labels would always correctly reflect
the intended route of administering the drugs prepared. This separation minimises the
chances of inadvertent mix-ups between the labelling of drugs intended for different routes,
and was interpreted as a safety function which increases the probability that the route of
administration information displayed on these two types of labels would be correct.
In this incident, drugs intended for administration via different routes were in fact sent to the
ward at the same time, to avoid compromising patient care [2, p36]; thus directly
contradicting the temporal aspect of the normative temporal-spatial separation protocol of
safety function 5. This was a ‘workaround’ employed by the pharmacy staff, who may have
had to prepare the drugs on shorter notice than usual. Conditions existing at the time of the
incident may have indirectly exerted pressure, to send these intrathecal and non-intrathecal
drugs at the same time. In particular, we know that:
1) The patient’s treatment information had not been entered into the ward manager’s
chemotherapy diary. As a result, the patient’s chemotherapy had not, as was normal practice,
been ordered in advance [2, p10];
2) The patient missed his planned appointment to see Dr Musuka on the morning of the 4th
January 2001, and did not notify Ward E17 of his intention to arrive that afternoon [2, p10].
This ‘workaround’ directly negated the intended purpose of the normative temporal-spatial
separation protocol, as described in safety function 5; thus representing an aspect of the
system which increased the probability that inadvertent mix-ups between the labelling of
drugs intended for different routes may occur.
While the nurses had an explicit protocol to follow for checking the correctness of the route
of administration information, the doctors did not [2, p35]. This lack of formalised checking
procedure for the doctors, was interpreted as an aspect of the system that reduced the
probability that the route information representation in the doctors’ heads would be correct
67
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
(i.e., they are less likely to self-correct). Dr Musuka was excluded from the functional scope
of this safety function, because he was not directly involved in the drug delivery process.
Figure 4: An ISF model of the safety functions affecting the flow of the route of administration
information representation in the Vincristine incident. The numbered circles correspond to
how the safety functions identified relate to the flows shown in Figure 3.
- Low index of suspicion for unusual rate of infusion for new nurse (safety function 1),
- Complex workload and multitasking for nurses (safety function 2),
- Fallible human transcription (safety function 3).
From reading the Vincristine investigation report it was unclear to us the extent to which
safety functions 1 and 2 were generalisable to this incident. There were insufficient
contextual details for a clear judgment of the applicability of these two safety functions, about
infusions and nurses respectively. We judged safety function 3 to be sufficiently generic to
be applicable to this Vincristine incident also. The model including safety function 3 (Figure
5) was considered to be the ‘final’ ISF model of the Vincristine incident.
68
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
Figure 5: An ISF model of the safety functions affecting the flow of the route of administration
information representation in the Vincristine incident. This figure includes the generalisation
of safety function 3 from Section 2.3.
References
[1] ISMP Canada, 2007. Fluorouracil Incident Root Cause Analysis. (http://www.ismp-
canada.org/download/reports/FluorouracilIncidentMay2007.pdf, accessed 20/11/2013).
[2] Toft, B., 2001. External Inquiry into the adverse incident that occurred at Queen’s Medical Centre,
Nottingham, 4th January 2001. United Kingdom Department of Health.
(http://www.who.int/patientsafety/news/Queens%20Medical%20Centre%20report%20(Toft).pdf,
accessed 20/11/2013)
69