First Principles Information Safety

See discussions, stats, and author profiles for this publication at: https://www.researchgate.
net/publication/263504693
The First Principles of the Information Safety Framework
Technical Report · February 2014
CITATIONS READS
0 65
4 authors, including:
Huayi Huang Graham White

The University of Edinburgh Queen Mary, University of London
17 PUBLICATIONS 187 CITATIONS 93 PUBLICATIONS 152 CITATIONS
SEE PROFILE SEE PROFILE
Ann Blandford
University College London
533 PUBLICATIONS 9,661 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
Critical Cognitive Science View project
Medieval Thought View project
All content following this page was uploaded by Huayi Huang on 26 July 2022.
The user has requested enhancement of the downloaded file.

EPSRC Programme Grant EP/G059063/1
Public Paper no. 206
The First Principles of the Information Safety

Framework
Huayi Huang, Paul Curzon, Graham White & Ann Blandford
Huang, H., Curzon, P., White, G., & Blandford, A. (2014).

The first principles of the Information Safety Framework.
Technical report.
PP release date: 11 February 2014
file: WP206.pdf
CHI+MED technical report: Information Safety Framework v1.00 (24 Nov 2013)
The first principles of the Information Safety Framework

1
Huayi Huang, 1Paul Curzon, 1Graham White, 2Ann Blandford
1
Cognitive Science Research Group, Queen Mary University of London.
{huayi.huang, p.curzon, graham.white}@qmul.ac.uk
2
UCL Interaction Centre, University College London.
a.blandford@ucl.ac.uk
ABSTRACT
The use of critical i fo atio is u i uitous i toda s world, and often distributed across multiple
participants of a socio-technical work-system. However, incidents sometimes unfortunately happen,
because the dual constraints of using correct, and consistent information were not fully satisfied. To
support investigation, and learning from such incidents, we propose and illustrate one way to frame
investigative hypotheses. The approach proposed is called the Information Safety Framework, and is
based on Distributed Cognition in its design and conceptualisation. Through explicitly modelling, and
understanding the factors shaping the progression of such i fo atio al incidents, we hope to
reduce their reoccurrence in future. Two patient safety incidents are used to illustrate our approach.
Highlights:
 A new modelling framework for understanding information use.

 Use Distributed Cognition as a basis for design.
 Show how some limitations of chronologies and causal trees are overcome.
Keywords:
Information use, Incident investigation, Distributed Cognition.
Corresponding author: Huayi Huang

Address: Cognitive Science Research Group
School of Electronic Engineering and Computer Science
Queen Mary, University of London
E1 4NS
1
1. Introduction
1.1 Motivation and overview
[ISF-p1]
I toda s information-rich world, socio-technical work-systems often rely on the consistent use of
correct information. This is however not always possible, and incidents may subsequently occur,
leading to loss of life or property. In the patient safety area, using the wrong information may lead
to various kinds of medication errors (e.g., Cohen 2007).
[ISF-p2]
To reduce the chances of such i formatio al i ide ts f o reoccurring, we need to understand
how aspects of the work-system may or may not support the use of correct information in each case.
We propose an approach for this purpose, in the context of supporting incident investigation. Unlike
existing approaches in the mainstream safety literature, our approach is developed using the notions
of information representation, and system of Distributed Cognition (Hollan et al. 2000; Hutchins
1995a, 2001). These two concepts are applied to incidents, to help understand how the use of
correct and consistent information may be facilitated.
[ISF-p3]
The main contributions of this paper are twofold. In particular, we:
 Propose, and illustrate a new approach to understand how information was used in an
incident, called the Information Safety Framework (ISF);
 Show how Distributed Cognition may be used as a theoretical basis in designing such
an approach.
[ISF-p4]
Our first contribution extends an area of investigative methodology which has not been yet well
explored. Reviews, such as those by Sklet (2004) and Katsakiori et al. (2009), show that few existing
approaches focus on systematically understanding, and explicit modelling of the patterns of
information use in an incident. As a systems-based approach, ISF is intended to address this
methodological gap, in modelling information use at a relatively fine-grained level of detail. Like
Leveson (2004, 2011), we aim to introduce a new conceptual tool to help improve safety. In focusing
on supporting safer information use through incident investigation, ISF is based on Distributed
Cognition, instead of systems theory. Our approach is intended primarily for dealing with loosely
coupled, and less tractable systems, for which few approaches currently exist (Hollnagel and Speziali,
2008).
[ISF-p5]
Our second contribution aims to raise the visibility of Distributed Cognition, as a theoretical basis in
the safety community. In particular:
1. the otio of i fo atio used i I“F is de eloped f o a Distributed Cognition
perspective (Section 4.2.1);
2. the flexible and dynamic unit of systems analysis of Distributed Cognition is adopted
(Section 4.2.2); and
3. the outputs of ISF are intended to be of use across multiple investigations, as well as
useful within a single one; The models generated through using ISF are intended to
facilitate the active distribution of investigative cognition, and understanding across
different locales and times.
2
[ISF-p6]
As an established general perspective on cognition, there is inherent theoretical value in attempting
to apply Distributed Cognition ideas to support incident investigation. Moreover, Distributed
Cognition has at least one major common concern with the field of safety – in adequately supporting
human activity.
[ISF-p7]
The rest of this paper will be structured as follows. In Section 2, we provide a technical introduction
to Distributed Cognition, focusing on aspects of particular relevance to this paper. Section 3 then
outlines the conceptualisation of investigative process adopted in this paper, highlighting the
inherently uncertain nature of investigative hypotheses generation and refinement. Section 4
presents the first principles of the Information Safety Framework – describing both its conceptual
(Sections 4.1 – 4.5), and more practical aspects (Sections 4.6 – 4.8). Section 5 presents the results
from experimentally applying ISF to understand two patient safety incidents, which are then
discussed in Section 6. Finally, in Section 7 we summarise this paper, and outline further work to be
done in the ongoing development of ISF.
1.2 Incidents, models and information safety

[ISF-p8]
Throughout this paper, we refer to the notion of i ide t in a widely inclusive sense. This choice of
terminology is intended to reflect our theoretical position – that minor accidents and near-misses
are as valuable to investigate as more serious ones. Due to their lesser perceived and actual
consequences, such incidents are arguably more likely to generate accurate incident data for
informing constructive change. In particular, the following working definition may be helpful to bear
in mind, where an incident is conceptualised as:
An undesired pattern of system performance which may be used to actively learn about,
and further enhance its safety – in the form of interventions to achieve more desirable
patter s of s ste perfor a e i the future.
[ISF-p9]
Like Wright et al. (2000), we use the te odel here, to capture the idea that our approach is a
systematic and bounded one. Somewhat analogously, we also provide a generic set of concepts, in
the form of ISF. These ideas are intended to support safety researchers and practitioners, in
constructively thinking about aspects of safer information use in detail. We refer loosely to the
informational aspects of safety as information safety throughout. In the case of an incident
investigation, the a al st using ISF could be an incident investigator. More generally, ISF may also
be of interest to others in the safety value chain (Saleh and Pendley 2012).
3
1.3 Relating ISF to existing research

[ISF-p10]
As a primarily inductive approach, ISF is intended to help frame, and structure investigative
hypotheses about information safety. It encourages analysts to look for two generic kinds of
relationships in an incident. These are in terms of:
1) the patterns and trajectories of information use, and

2) the related latent factors, which may affect the correct and consistent flow of
information along these trajectories.
[ISF-p11]
Through investigation, these generic relatio ships a e i te ded to e o phologi all i sta tiated
(Sklet 2004). Where the analyst moves from the abstract conceptualisations and definitions
proposed (i.e., Section 4), to the information trajectories a d safety functions of a specific incident.
This conceptual move is the main deductive aspect, of an otherwise inductive ISF approach. The
specific, descriptive investigative hypotheses thus generated, are constrained by what is known
about the incident.
[ISF-p12]
Unlike the morphological approach of AEB (Sklet 2004, Svenson 2000), we do not focus on the
notion of human and technical error events (Svenson 2000) here. ISF is ot a e e t- ased
approach, but an information-based one. A bilateral characterisation of causation is adopted, for
the ways in which latent factors may affect the use of information. This characterisation, referred to
as safet fu tio s for convenience (Section 4.4), is somewhat related to the concept of barrier
functions (as described in Hollnagel 2008 for example). In addition to the safety enhancing
functional effects recognised by barrier-functional conceptualisations, ISF safet fu tio s also
recognises the complement notion of potentially reductive functional effects. In comparison, this
bilateral view provides a more balanced description of cause and effect.
[ISF-p13]
In comparison to other s ste s approaches such as CAST/STAMP (e.g., Leveson 2004, 2011), and
FRAM (e.g., Hollnagel 2004), ISF is intended to support descriptions at a finer-grained level of detail.
Unlike STAMP, ISF encourages investigation of an incident process in terms of its specific
combinatorics, rather than modelling the constraint-hierarchy which may or may not have
adequately controlled these combinatorics. Compared with the si fu tio al pa a ete s of F‘AM,
work-processes are understood at a much lower level of abstraction in ISF. These design choices
were in part motivated, by the contingent, and combinatoric nature of incident occurrence and
causation (Reason 1990). This perspective suggests a need for detail, and specificity in describing,
and reasoning about the actual incident process. We do not claim that ISF is theoretically ette ,
but suggest that it fills a niche as yet unfilled, thus potentially enabling additional insights into the
information safety of incidents and work-systems. A more detailed comparison will be presented
later, explaining how ISF improves on aspects of two common incident representations used in the
patient safety area (Section 6.5).
[ISF-p14]
In focusing on the flow of information (in healthcare), our proposal complements the research of
Galliers et al. (2007) and Tang (2009). In particular, the focus of ISF overlaps with that of the checklist
analysis stage of Galliers et al. (2007, Section 3.1.3). Like them, we use the concepts of incorrect and
inconsistent information in querying the models constructed. These two concepts are additionally
4
included as a basic premise of our modelling approach, and the semantics of the models thus
constructed.
[ISF-p15]
The I foFlo f a e o k of Tang (2009, Chapter 5) also focusses on issues of information flow,
during shift change in nursing. At an abstract level, both our frameworks focus on the core concerns
of:
i. the particular information used,
ii. the people involved in using this information,
iii. the artefacts mediating the information flow process,
iv. the spatial distribution of information,
v. the temporal distribution of information, and
vi. how information is communicated between participants.
[ISF-p16]
Tang (2009) elaborates on these ideas, to support deeper understanding of the shift change part of
the care process. ISF instead embeds these abstract concerns, into a o e lo gitudi al app oach to
description and analysis. To support an analyst in articulating both the proximal, and more latent
parts of the information flows, systems- odels of this aspect of the work-system (at the time of an
incident) are constructed. In contrast to Tang (2009), an explicit model of how latent factors may
affect the correctness and consistency of information use and flow, is pa t of the ethod of the
approach we propose (Section 4.4).
5
2. A distributed perspective on cognitive activity

[ISF-p17]
As a general perspective on human cognition, Distributed Cognition (Hollan et al. 2000; Hutchins
1995a, 2001) departs su sta ti el f o lassi al app oa hes to og iti e s ie e. Like ost of
cognitive science, it seeks to understand and explain the organisation of situations in which
cognition occurs. However, Distributed Cognition applies normative ideas about cognitive process –
such as memory, decision making, inference, reasoning, learning etc. – to a wider unit of analysis
beyond that of the individual. The classical inside out pe spe ti e assu es a elati el context-
independent view, of cognition driven largely by domain-i depe de t e t al logi e gi es ,
internalised within human minds. Under this initial assumption, memory was treated in terms of a
stored internal database, problem solving represented as internal logical inference, and the various
different environs of human reasoning understood simply as domains of application for this general
human p o le sol e . The role of the body, was thus reduced, solely to that of an input/output
interface for supporting internalised cognition.
[ISF-p18]
As a reactive response against this classical inside out view, Distributed Cognition aspires to start
outside i i stead. Under this perspective, the ole of the e te alised , and situated socio-material
context of cognitive activity, is deemed to be more than of marginal interest. This is an inherently
context-sensitive approach; and its strongly inductive origins – in the ethnography of Hutchins
(1995a) for example – provides an arguably more realistic, and parsimonious approach to
understanding, and describing human cognition. In contrast to the classical view, the Distributed
Cognition perspective does not assume that externalised representations play only a minimal role in
supporting human cognition.
[ISF-p19]
Philosophically, Distributed Cognition s recognition of the situated aspects of human activity is
broadly consistent with contemporary thinking about safety. Both emphasise the importance of
understanding the situated, as well as the more context-independent aspects of human reasoning
(e.g., Hutchins 1995a; Reason 1990).
2.1 Key principles and observations from Distributed Cognition

[ISF-p20]
Two theoretical principles are distinguishing, and central to Distributed Cognition.
The first principle concerns the unit of analysis, which is conceived and scoped functionally. In
pa ti ula , the ou da of a specific cognitive syste is not predefined – varying substantively,
depending on the particular temporal-spatial relationships, and participants relevant to such a
process (which is the cog iti e s ste ). For example, Hutchins (1995a) gives a detailed
ethnographic account of how a moving ship is accurately located, investigating how this is done
under both the Western, and Micronesian navigation traditions. Hutchins found that Western
culture has evolved to rely heavily on man-made artefacts, such as the navigation chart and alidade
for example. In contrast, the Micronesians needed only to make use of a number of familiar natural
landmarks – which are contingently encountered en route, and used more naturalistically to
6
correspondingly o pute thei u e t positio . I oth a al ses, the unit of analysis centres on
an inductive, and holistic understanding of the form and function of the dist i uted a igatio
og iti e s ste . Both the Western and Micronesian navigation traditions are treated as such a
system, evolved to achieve the common cognitive goal of locating a ship in its journey.
[ISF-p21]
The second principle concerns the range of mechanisms that are assumed to be relevant in
supporting cognitive activity. Unlike the classical approach, Distributed Cognition is relatively
agnostic, and not human-centric about who, and/or what may participate in a particular cognitive
system (Halverson 2002). The treatment of both human and non-human1 participants start from a
point of equal theoretical emphasis – distinguished only in terms of their specific roles and
contributions in supporting the overall process. Under the Distributed Cognition perspective, man-
made artefacts – such as the navigation chart and alidade – are also p i a pa ti ipa ts i the
cognitive process of ship navigation, in addition to its human participants. Distributed Cognition
highlights how different forms of externalised representations may support different kinds of
computation , emphasising the additional interaction possibilities consequently afforded (Hollan et
al. 2000). It does not reject outright the assumptions of internal representation underpinning
classical approaches to cognitive science. But simply de-emphasises the mediating role of
internalised cognition, in the interests of foregrounding the role, and contributions of externalised
representations in human activity.
[ISF-p22]
When the two central principles of Distributed Cognition are applied to the observation of human
a ti it in the wild , at least three types of distribution of cognition become apparent through
analysis (Hollan et al. 2000, our emphasis):
1. distribution of cognition across members of a social group,
2. distribution of cognition among both internal and external structures (including

material/environmental ones), and
3. distribution of cognition through time, such that the products of earlier events can
transform later ones.
2.2 Other theoretical and practical issues

[ISF-p23]
As a general perspective on the situated, and collective aspects of cognition, Distributed Cognition
affords a variety of interpretations and debates – both about its precise nature and scope, and its
potential value in particular areas of application. In the area of Computer Supported Cooperative
Work for example, Nardi (2002) interprets the Distributed Cognition otio of o putatio i a
strongly mechanistic way. She argues that it is difficult to see how the more creative human qualities
1
The te non-human is used throughout this paper to include artificially constructed artefacts, as well as
naturally occurring ones – which may both in principle be used to support work. Hut hi s a des iptio
of Micronesian navigation provides an example of how naturally-occurring artefacts may be repurposed, and
invested with interpretative meaning to support ship navigation.
7
– such as interpretation and imagination – are reducible to (a dehumanising interpretation of)

Distributed Cognition. In this paper we do not adopt such a mechanistic interpretation, and aim to
demonstrate how under a more humanistic interpretation, Distributed Cognition may also be used
to open up, rather than limit our understanding of the generative aspects what it mea s to e
hu a i all its ess , fuzz , sti k o ple it Na di . Here we approach investigative
reasoning from a Distributed Cognition perspective, as a cognitive process ideally distributed across
participants from different locales and times. In particular, here the social group is that of incident
investigators; the internal and external structures are respectively the personal, and externalised
models of incidents and systems – which may be used and produced as part of investigation; and
such products of individual investigations will ideally better inform, and positively transform later
ones, depending on the specifics of prior cases.
[ISF-p24]
Because Distributed Cognition is a theoretical perspective encompassing all of cognition (Hollan et al.
2000), its potential scope for facilitating useful analysis is correspondingly wide in principle. For
example, it has been applied as a theoretical lens for analysing student learning in a classroom (Xu
and Clarke 2012), as one way to describe scientific and engineering research process (Giere 2002;
Nersessian 2009 respectively), to inform information visualisation design (Liu et al. 2008), and as a
way to help make sense of the stresses of working within a technology rich world (Sellberg and Susi
2013). Distributed Cognition has also been used as theoretical motivation for other safety-related
research, in aviation (Hutchins 1995b) and healthcare (Furniss and Blandford 2006; Rajkomar and
Blandford 2012) for example. However, no Distributed Cognition based approach yet exists to
support detailed investigation, and explicit modelling of the flows of information in an incident
process.
8
3. Iterative hypotheses generation and

refinement in incident investigation
[ISF-p25]
The investigation of incidents is a work-process that is not particularly linear in practice. Figures 1
and 2 show two existing perspectives demonstrating aspects of this non-linearity, from ESReDA
(2009), and Johnson (2003) respectively:
Figure 1: A perspective of investigative process according to ESReDA (adapted from ESReDA, Figure 7, 2009).
This perspective emphasises the non-trivial role of a priori analyst knowledge, in informing the course of
investigation. Here we have simplified the redundant work-flow arrows of the original figure.
Figure 2: A perspective of investigative process according to Johnson (adapted from Johnson, Figure 5.1, 2003).
This perspective emphasises the role of detection and reporting in investigating incidents. He e a
oc u e e efe s to a i ident.
In both Figures 1 and 2, the arrows denote an approximation of the general workflow and process in
investigation. We have indexed each phase in these figures to facilitate references to them. For
example, in Figure 1 E-A stands for ESReDA, phase A, and in Figure 2 J-A stands for Johnson, phase A.
[ISF-p26]
Both Figures 1 and 2 show that a substantive part of an investigation is iterative, across multiple
phases. This is in the form of collecting facts about an incident (i.e., E-C/E-D  E-B, J-C  J-B), as
well as the sense-making of these facts (i.e., the various loops involving E-C, E-D, J-C, J-D). Following
each ou d of sense-making, the state of investigative understanding may then either be
9
determined to be sufficient (i.e., moving on to E-E/J-E), or further data collection may occur to
satisfy any new investigative needs arising out of the sense-making attempt (i.e., potentially loopi g
a k all the way to E-B and J-B respectively in each figure). This iterative process, of data gathering
and sense-making, helps to generate and refine investigative hypotheses. These hypotheses aim to
describe and explain an incident under the following rationale, where an investigation is done to
diagnose:
u k o situatio s through a iterati e reaso i g le in which a temporary and

conditional adaptation of the hypothesis under investigation takes place. One way of
looking at the investigation is that it is about reducing uncertainty about what happened,
why it happened and what should be done about it by applying the knowledge available
to the i estigator s ased o the e ide e o tai ed duri g the i estigatio . (ESReDA
2009)
[ISF-p27]
This rationale is the one adopted in this paper, highlighting the dynamic, and potentially non-
monotonic nature of the investigative reasoning process. In particular, this rationale recognises the
inherently uncertain nature of investigati e easo i g. “u h i estigati e h potheses are simply
informed best-guesses, at effectively explaining an incident in light of the known facts of the case,
facilitated by the prior knowledge and expertise of the analysts involved. As a means of
approximating reality, the accuracy and validity of any representations used to support such
reasoning will always remain uncertain to a degree, irrespective of the specific theoretical basis used.
In this paper we use the terms odel a d investigative hypotheses interchangeably, to refer
synonymously to such representations in the rest of our discussions.
10
4. A new modelling framework for investigating

information use
4.1 Introduction
[ISF-p28]
The outputs of our Information Safety Framework are intended to be of use across multiple
investigations, as well as useful within a single one; Thus facilitating the distribution of investigative
understanding across different locales and times. In searching for common concerns that remain
more or less invariant across different incidents and investigations, the development of this
framework was motivated by the following two observations. These were made in the context of
engaging with the literature relating to patient safety incidents, but are likely of relevance to other
safety areas too:
A. Many incidents have a significant informational aspect to them, where one or more
critical pieces of wrong information was used to inform safety-critical work;
B. To increase our chances of preventing such information safety incidents in future, it

may be helpful to understand how the information travelled through the socio-
technical work-system. In addition, we need to account for the factors which may or
may not assure that such information remains consistently right in its journey.
[ISF-p29]
Medication errors (Cohen 2007) often have a significant informational aspect to them. For example,
Snijders et al. (2009, Table 4) presents a number of issues in the context of neonatal intensive care,
including the wrong product being used, and patient misidentification. Here we describe a way to
explicit understand and model such incidents from first principles, developing our approach from a
Distributed Cognition perspective of information representation and system. These contributions
from Distributed Cognition are explained later, in Sections 4.2.1 and 4.2.2 respectively.
[ISF-p30]
In terms of the process of investigation, our Information Safety Framework is intended to be of some
use throughout most phases of an investigation (see Figures 1 and 2). In particular, the constructed
ISF models are the developing investigative hypotheses, about aspects relevant to the use of correct
and consistent information. As a representational structure, such ISF investigative hypotheses ideally
become increasingly certain as the investigation progresses. These ISF models may be of use both
formatively (e.g., during E-C, E-D, J-C, J-D), as well as more summatively (e.g., as part of E-E, E-F, J-E,
J-F). Some ideas for how this can be done are presented later in Section 4.7. Any prior ISF models
may also be useful to supplement the a priori mental models used at the beginning of investigation
(i.e., E-A). We do not suggest that ISF is the only tool that should be used to support investigation,
but only that our approach may usefully complement and enrich existing investigative practice.
[ISF-p31]
We do not label ISF as a ethod , e ause it is o ly loosely prescriptive. It is also not called a
odel , e ause we also suggest ways of systematically exploiting the structural commonalities of
the ISF models generated (Section 4.7), on top of providing some concepts with which to construct
these models. The main novelty of ISF is not in the creation of new concepts, but in the unique
combination, and synthesis of existing concepts into a cohesive framework for supporting
investigative reasoning. In synthesising ISF, we encourage explicit identification and consideration of
11
patterns of information flow, and the related factors that may significantly shape the consistency,
and correctness with which such flows occur.
[ISF-p32]
Like Hollan et al. (2000), our research was motivated by the attempt to answer the following
questions2:
 How can we design representations to facilitate their flexible use?

 How can we make representations more active so that they help users see what is
most relevant to deciding what to do next?
 How can we shift the frame of interpretation so as to achieve a better
conceptualisation of what is going on and what ought to be done?
4.2 Contributions from Distributed Cognition

4.2.1 Distributed information representations
[ISF-p33]
As a specific kind of cognitive activity, any use of information may in principle be understood using
Distributed Cognition3. In particular, Distributed Cognition emphasises the distributed nature of the
various representations used to inform human activity – asking what information is represented,
where and how it is represented, and what patterns of information flow are formed (Hutchins 2000).
[ISF-p34]
In line with the Distributed Cognition perspective, here we treat any representations that are
informative to work as an information representation in ISF – which aims to help explicitly
understand how such representations were propagated and coordinated in an incident. Liu et al.
(2008) understands such information representations to be propagated as:
representation states across a series of representational media that are brought into
coordination ith o e a othe Liu et al. 2008, original emphasis).
[ISF-p35]
Such representation states exist in both unobservable and observable form. These correspond
respectively to the internalised and human, and the externalised aspects of cognitive process (which
are often artificially constructed). Both the human and non-human participants in a work-process
are the representational media that are brought into coordination with one another, through the
particular information used4.
[ISF-p36]
An example of the coordination of such information representations is described by Hutchins
(1995b), who provides a stylised account of the use of airspeed information representations within
the cockpit of a commercial airliner. In this case, the functional task was to appropriately coordinate
ongoing changes to the wing configuration, with changes in airspeed in manoeuvring for the
2
Where the idea of representation is synonymous with our notion of model and investigative hypotheses (as
mentioned at the end of Section 3).
3
Which is a general perspective on all of (human-related) cognition (Hollan et al. 2000).
4
Like Wright et al. (2000), here we consider these ep ese tatio al states as i dividual physical realisations of
some abstract information representation.
12
approach to landing. The Distributed Cognition based description of this task, explicitly accounted
for the wide variety of representations of airspeed, used to inform the safe landing of the plane.
Amongst other artefacts, representations of airspeed existed in the form of look-up tables, booklets
and speed bugs . These tables and booklets are externalised, and indirect physical representations
of the airspeed, through defining generic relations between different airspeeds and aircraft loads.
The speed bugs are small adjustable slider devices around the rim of the airspeed indicator; which
may be dynamically adjusted by pilots, to partition the analogue airspeed indicator into an
alternative, yet still conceptually meaningful representation – in terms of discrete regions of speed-
spa e for different parts of a flight. These information representations are all used to help avoid
i g stall in the approach to landing – which is a dangerous condition where a particular wing
configuration no longer generates sufficient lift to keep the plane in the air.
[ISF-p37]
In the context of patient safety investigation, an analogous example is in the attempt to safely
deliver a particular drug at a particular rate. In this case the successful coordination of both the
identity of the drug, and an appropriate rate of administration, are two of the many typical
prerequisites for delivering safe care. Amongst others, representations of both these pieces of
information may be distributed across entries in patient care charts, computerised patient
information systems, nurses, and doctors.
[ISF-p38]
Operationally, a substitutive heuristic may help, in distinguishing between which i fo atio
representations are suitable to understand and model using ISF, and which ones are not. In
particular, candidate information representations for ISF modelling may be sanity-checked, through
assessing whether they can be meaningfully substituted within the following selection heuristic. For
e a ple, d ug a e a e such a candidate information representation to be substituted, in
place of the <?> symbol.
[ISF-p39]
Information representation selection heuristic:
propagation of <?> information as representation states across a series of
representational media that are brought into coordination ith o e a othe adapted
from Liu et al. 2008, original emphasis).
[ISF-p40]
If one cannot coherently substitute any candidate information representations in an incident into
the sentence above, ISF pro a l should t e used. In practice, abstract information
representations, such as drug na e , often ought to ideally remain consistent and correct
throughout its use in patient care; However, the p a ti al opies of such an abstract information
representation, may actually not have remained consistent and correct for all participants (in the
reality of an incident). This logical juxtaposition forms part of the theoretical motivation for
developing ISF, to help systematically investigate the closely-related representation states – of the
same abstract information representation – throughout the socio-technical work-system.
[ISF-p41]
Three scenarios for potentially applying ISF are provided in the appendix, where we explicitly relate
each to the Distributed Cognition notion of information representation. We would consider using ISF
to model specific aspects of all three cases, due to the inherently wide-scoped Distributed Cognition
notion of informative representation adopted here. Two illustrative patient safety incidents are
discussed in detail later (in Section 5), to help give a better operational understanding for readers
13
seeking to use ISF. ISF models of incidents are themselves also intended to be informative
representations. Where their construction is intended to inform investigative-work distributed
across both contemporary and future investigative contexts.
4.2.2 A Distributed Cognition notion of system

[ISF-p42]
As described earlier (Section 2.1), the Distributed Cognition unit of analysis is not predefined.
Practically, Distributed Cognition based analyses do not typically begin with a precise and fixed
notion of the constituents, and limits of a socio-technical system. These specifics only become more
concrete and apparent through understanding the particulars of a specific situation.
[ISF-p43]
In Hutchins (1995a), the goal of location, in a ship navigation task, is used as a main analytical locus.
For ISF, we instead use the one or more particular information representations selected for
investigation as the main locus for Distributed Cognition based analysis. In terms of patterns of
information flow (Hutchins 2000), the selection of specific information representations (in using ISF)
impli itl a s e s the hat information is represented question. The rest of ISF aims to facilitate
one way of framing the remaining issues: of where and how particular information is represented,
and what patterns of information flow are formed in the activity of using such representations. The
ISF conceptualisation of system, and its participants adopts both the central principles of Distributed
Cognition (Section 2.1). We develop additional elaborations – in terms of everyday notions of correct
and consistent information – to operationalise the Distributed Cognition theoretical basis, to support
incident investigation.
4.2.3 Roles and contributions of internalised and external representations

and mediums
[ISF-p44]
Distributed Cognition refers to the idea of internalised and externalised (representational) structures
(Section 2.1); this marks one theoretical distinction between the human, and other participants of
cognitive process. However, making such a distinction is not the same as adopting the human-centric
theoretical premise for analysis (of lassi al og iti e s ie e). This distinction simply acknowledges
the differing roles and contributions of humans and other mediums, in supporting the overall
process. E te al ediu s fo suppo ti g og itio a e ore objectively inspectable, in terms of
the potential for examining their underlying i te al e hanisms. People are often less predictable,
and perhaps necessarily variable in their behaviour and performance (Hollnagel 2004). We are also
potentially prone to different forms of error (Reason 1990), compared with mediums that are
constructed, or repurposed for supporting our cognition.
[ISF-p45]
For these reasons, in ISF we suggest that it makes sense to distinguish the functional participants in
flows of information, according to human and non-human subsets. Other such taxonomic
distinctions may also be used at the a al st s dis etio .
14
4.3 Assuring the use and coordination of the right information

[ISF-p46]
Information flow within medical environments is ubiquitous, and essential for coordination and
collaboration among spatially and temporally distributed multidisciplinary clinicians for achieving
medical work (Tang 2009). In particular, most health care professionals learn the fi e ights of
medication use (Cohen 2007) – which are to ensure that the right patient, drug, time, dose, and
route of administration information is used in giving care. However, although these five rights
provide a common set of goals for safe care delivery, they say very little about how such goals may
be achieved (Cohen 2007; Federico 2011). The continued (re)occurrence of patient safety incidents
involving the use of the wrong information is perhaps one of the consequences, and ISF may be seen
as a way toward systematically discharging these goals. Both of the illustrative medication incidents,
discussed later in Section 5, are cases where the use of wrong information occurred.
[ISF-p47]
In order to ensure that the right information is used throughout the distributed work-system of
caregivers, devices and other artefacts, it is also helpful to ensure that it remains identical during
various parts of its flow. There is however a subtle modelling issue with the metaphorical notion of
i fo atio flo commonly used. We go on to clarify this subtlety, and discuss how it relates to our
ISF approach.
4.3.1 Deconstructing the metaphor of information flow

[ISF-p48]
In ISF, the otio of i fo atio flo is i te ded i the oordinative, and (re)constructive sense of
Distributed Cognition, rather than the intuitive, but metaphorical sense of transfer. As Reddy (1979)
poi ts out, su h o duit etapho s a e u fo tu atel uilt i to u h of the E glish la guage5, and
sometimes conflates the subsequent thinking and communication.
5
Hutchins generally uses the more correct terminology of information coordination in his writing. However,
on occasion, he also seems to suffer from the constraints of the English language, as we see by his relatively
unqualified usage of the normative metapho of i fo atio flo i Hut hi s , o pa ed ith the
elati e dea th of su h etapho i la guage of i fo atio flo i Hut hi s a.
15
Figure 3: A visualisation of two diffe e t o eptualisatio s of i fo atio flo . 3a and 3b depict the
metaphor of flo /t a sfe of i fo atio et ee participants; 3c depicts the arguably more realistic,
coordinative nature of most such flows in reality.
[ISF-p49]
Figure 3 depicts the conceptual difference, between the e e da etapho of information flo
(Figure 3a and 3b), and the Distributed Cognition conceptualisation of such flows in terms of
information coordination (Figure 3c). Each grey box in this figure denotes an information
representation. Figure 3a and 3b show the consequences of what is termed by Artman and Garbis
(1998) as the transfer fallacy6. This fallacy is in the fact that the use of information is usually
reconstructive and coordinative in reality, rather than in the form of a passive i fo atio -parcel
being passed between participants. I ‘edd s te s, there is typically no actual unit of
i fo atio i side a participant which gets packed up, ejected into a subject-i depe de t ideas
spa e , and se t to another. Taking this paper as an example, the information representation of the
details of ISF, flo s f o the ite s, through the medium of the text, to you the reader – hopefully
consistently with respect to the correct rep ese tatio s of I“F i te alised ithi the autho s i ds.
Amongst other factors, the consistency with which this flow occurs, will depend partly on the set of
prior biases and assumptions you bring to the interpretation, and reconstruction of meaning from
this text. The symbols and marks making up the text in this paper have no a priori meaning, beyond
that assigned to them by each reader (Reddy 1979, p309). In reality, the particular information
representations, existing in a participant, also does not usually immediately disappear on
communication to another (i.e., Figure 3c)7. For practical purposes, adopting the metaphorical
intuition of information flo may often not make any difference, to the form and structure of the
6
Hut hi s a, p also o e o li uel iti ises this i fo atio t a sfe etapho . I the ase of two
non-human participants, such as two computers in a network for example, in principle the copy of information
se t a e deleted o se di g, to closely approximate the metaphorical transfer of information.
7
This is another way in which the normative conduit notions, of information flow and transfer, is misleading.
16
ISF models generated in an analysis. We now go on to discuss some exceptions of theoretical

interest.
[ISF-p50]
In the case where there is miscommunication, a repurposing of information, or substitution of
missing information, the metaphoric treatment of information flo become potentially
problematic for the logic of our modelling approach. For example, Figure 3c may correspond to a
situation, where participant B goes on to use the information they (wrongly) thought they received
for further work. Intuitively, it is reasonable to want to understand how this information was in fact
subsequently used fu the do st ea . However, an approach based on the transfer fallacy would
lead to modelling the flow of the u it of i fo atio as not flowing into participant B, with the
information going no further through the system (i.e., Figure 3b). This metaphorical treatment of
information flow contradicts our intuition in such cases, of wanting to understand how the
information progressed beyond its use by participant B. The alterative coordinative notion of
i fo atio flo suggested by Distributed Cognition (as shown in Figure 3c) is arguably more
realistic, avoiding this model scoping problem by being more consistent with reality. The non-
identical nature of the two grey boxes in Figure 3c, is intended to show how the co-ordination of
information representations may not always occur with absolute identity, but e e theless flo s
through the system, via a fallible process of replication, reproduction, and/or reconstruction.
[ISF-p51]
Despite the conceptual drawbacks in using the metaphor of i fo atio flo , we continue to use
this o duit- etapho i la guage in the rest of this paper. This is in part because militant
avoidance of this kind of language use may be somewhat awkward, due to inherent limitations of
the English language (Reddy 1979). Readers should however refer back here, to all of Section 4.3, for
the definitive coordinative otio of i fo atio flo intended for ISF modelling. Compared with
the term i fo ation coo di atio , talki g a out info atio flo also helps to preserve the
emphasise on temporal asymmetricity, which we want to convey. We further elaborate on the ISF
semantics of information flow in the next section.
4.3.2 The semantics of information flow in ISF

[ISF-p52]
The semantics of information flo i te ded for ISF is shown in Figure 4, and applies to both human
and non-human participants. In this figure we show how the generic conceptualisation of directed
graphs is appropriated in ISF, to de ote information flow :
17
Figure 4: The se a ti s of i fo atio flo used i I“F, sho i g how an information representation within
participant A is induced in participant B.
[ISF-p53]
In using ISF, an analyst should state such a I“F i fo atio flow , based on the precondition that an
information representation is perceived to be i du ed into another participant at a later point in
time. In Figure 4, this is through a corresponding coordination of information with participant B at
some later point in time, corresponding to the situation depicted in Figure 3c. Figure 4 corresponds
to the case where an analyst has judged such an induction process to have occurred, thus linking the
two participants with a uni-directional arrow. Such a perceived relationship between two
participants is asymmetric, and according to normal chronological ordering. In general, the analyst
should not be limited to only modelling such exchanges at a one-to-one, highly accurate, and highly
detailed level of abstraction. Each arrow like the one shown in Figure 4 may stand abstractly, for
more than a single actual informational coordination or exchange in reality. Such a unidirectional
link may be stated, so long as each pairwise relationship between participants is perceived to change
– between some antecedent and consequent point in time in the way shown in Figure 4.
[ISF-p54]
In the case of the non-human participants in these information exchanges, assessing the existence of
an information representation within a participant may be directly possible – through inspecting
device-usage logs for example. In the case of human participants, more indirect means will be
necessary, through interviews for example. These judgements – about the existence of a particular
information representation within participants – should be informed by what is known about the
incident.
18
4.4 Relating latent factors to the ‘flows’ of information

[ISF-p55]
In an incident, many contextual factors may impact on the information safety of the underlying
work-system. The identification of such aspects is often partially dependent on the particular analyst.
In ISF we encourage the analyst to look for four specific ways, in which these factors may relate to
the information flows identified. These are defined below, and collectively la elled safety
fu tio s 8 for convenient subsequent reference. We use the terms correctness and consistency to
refer to the two everyday ideas of the right information being used, and identical information flo
respectively. This is because to our mind, terms such as rightness-enhancing, or identicalness-
reducing sounded somewhat clumsy. Here the interaction context refers to the interactions of an
incident:
[ISF-p56]
Type 1 - A correctness-enhancing safety function:
Is an aspect of an interaction context that can increase the probability of a correct
information representation in one or more interacting participants.
Type 2 - A correctness-reducing safety function:

Is an aspect of an interaction context that can reduce the probability of a correct
information representation in one or more interacting participants.
Type 3 - A consistency-enhancing safety function:

Is an aspect of an interaction context that can increase the probability of consistent
information flow between two interacting participants.
Type 4 - A consistency-reducing safety function:

Is an aspect of an interaction context that can reduce the probability of consistent
information flow between two interacting participants.
[ISF-p57]
Together, these four types of safety functions express the totality of the ISF perspective, of how
particular aspects of systems may functionally impact on the flows of information. Any aspect, at any
level of abstraction may be related to the flows of information in this way. In principle, both
constructed (e.g., an artefact design feature), and more naturally arising issues (e.g., various latent
conditions) may be described as ISF safety functions. Such a judgement should be inductively based,
on the facts of an incident as much as possible, and not through unconstrained speculation. A single
safety function may act in several of these four capacities simultaneously, across different parts of
information flows. For example, a particular checking protocol may act as a correctness-enhancing
safety function for particular nurses, who routinely follow such a protocol faithfully; At the same
time, the same protocol may be perceived as an unnecessary bureaucratic burden by others in the
information flows – thus perhaps acting negatively (as a correctness-reducing safety function), to
reduce the likelihood of serendipitous self-checking and self-correction. In this case the same safety
function – of the particular checking protocol used – may simultaneously have two converse, and
opposite effects when compared with the prior likelihoods; in terms of the prior likelihood of correct
8
As Harms-Ringdahl (2009) implies, there is no single standard definition of safety function widely accepted
in the safety literature.
19
information representation in each participant if the checking protocol had t ee there. Also,
multiple safety functions acting on the same part of the flow of information may not always act at
the same time. An example of this is presented later on, in the form of safety functions 5 and 7 (see
Table 4), where safety function 5 was in fact mostly overridden at the time of the incident. This
possibility of non-concurrent functional impact is reflected in the specific wording chosen, in
defining our four types of ISF safety functions.
[ISF-p58]
In some cases, it may be more convenient to model a participant directly as a safety function,
instead of as part of the flows of information. This choice is intentionally left underspecified in ISF,
and up to the analyst. Old safety functions from previous ISF models may also be applied to new
incidents, and their corresponding ISF models. The scope of such safety functions – across incidents
– is dependent on the informed assessment of the analyst. Such an assessment is again based on the
known facts, representing the analyst s informed judgement of whether each safety function is
applicable to each new case.
4.5 Illustrating some ‘valid’ configurations of information flows and

ISF safety functions
[ISF-p59]
To show how the various concepts introduced so far fit together, Figure 5 illustrates some of the
kinds of relationships which could be found through applying ISF, in terms of a generic ISF model.
The relationships depicted are not exhaustive. Since in principle, infinite different combinations of
such relationships may be identified as part of concrete ISF models, depending on the particulars of
the incident analysed. Throughout the rest of this paper, we refer to the patterns of information
flow – associated with a particular abstract information representation – as its information trajectory.
This term excludes the safety functions perceived to impact on these flows. Together, these flows
and safety functions define the limits of specific ISF models, and the informational systems they
describe. In the interests of concise generic illustration, not all of the relationships shown in Figure 5
necessarily have a realistic gloss in terms of a real situation.
20
Figure 5: An illustration of a generic ISF information trajectory, with related generic safety functions.
[ISF-p60]
Using the ideas described so far in Section 4, Figure 5 shows some possible configurations of
participants, information flows and safety functions that may be found through ISF modelling. The
sorts of relationships shown in this figure may be identified, through modelling the coordination of a
single information representation in a single incident. Five generic safety functions (labelled A to E),
and five unique human and non-human participants (labelled S1 to S5) are shown.
[ISF-p61]
In terms of the four types of safety functions discussed in Section 4.4:
- B is a correctness-enhancing safety function,
- C is a correctness-reducing safety function,
- D is a consistency-enhancing safety function,
- E is a consistency-reducing safety function.
Here safety function A provides an example, of a safety function perceived as acting both positively
and negatively, on both the correctness and consistency of information at different parts of the
information trajectory. In this case safety function A may reduce the correctness of information in S2
and S4, and the consistency of the flow of information from S4 to S1. Safety function A may also
simultaneously enhance the consistency of the flow of information from S2 to S4, and the
correctness of information in S1. Different flows of information between two participants may also
be compactly represented as a pair of uni-directional arrows – shown between S1 and S2 in Figure 5.
In principle, different safety functions may be perceived to act separately and independently, on
such a pair of flows. Though not shown in Figure 5, safety functions from one ISF model may also be
explicitly linked with one or more other ISF models, depending on their perceived applicability, and
degree of generality in each specific case. A concrete example is presented later in this paper, in the
form of safety function 3 (see Table 2 and Figure 11).
21
[ISF-p62]
We have so far presented the basic concepts needed for modelling incidents using ISF. We also
briefly illustrated how these concepts relate to each other – in the generic ISF model shown in Figure
5. Such representations form partially homogenised descriptions of perceived functional
relationships in an incident, about key aspects of information use across different investigative
contexts and systems. These models are structured statements of investigative understanding –
about issues relating to ensuring the use of correct and consistent information. In the remainder of
Section 4, we discuss how such ISF models may be constructed and used, throughout the process of
investigation. In particular, we include suggestions for how ISF models may be systematically
exploited – both during (Section 4.7.1), as well as on conclusion of an investigation (Section 4.7.2).
4.6 Main steps in identifying ISF models

[ISF-p63]
There are three main steps to identifying ISF models in practice. Although these steps are presented
sequentially, in practice their specific ordering is likely to be interleaved and somewhat iterative,
rather than in the necessarily linear ordering of their textual representation here. ISF is not mutually
exclusive with the use of other approaches in supporting investigative process. However, we
continue to discuss ISF as the sole approach used, to keep the discussions simple. ISF focusses
specifically on modelling patterns of information use and flow, and related issues of correctness and
consistency along these flows. In cases where these concerns are deemed largely irrelevant, ISF
should not be used.
4.6.1 Selecting an information representation

[ISF-p64]
The selection of particular information representations to model and analyse, is done at the
discretion of the analyst. This selection step determines the scope and bounds of the ISF models
constructed – through the perceived information trajectories and safety functions associated with
each information representation. These trajectories and safety functions will be yet to be uncovered
at the initial stages of a particular investigation, and the information representation selection
heuristic presented earlier (Section 4.2.1) may help with this step. Three illustrative information
representations are also briefly described in the appendix. To help clarify some operational issues,
we develop a small running example here, focusing on an account balance information
representation throughout the next sections. The simple scenario is that of an incident in a single
pe so s interaction with an ATM cash machine to withdraw money, where they have inadvertently
withdrawn the wrong amount without noticing.
4.6.2 Identifying the associated information trajectories

[ISF-p65]
For each information representation selected, the analyst should identify how it was used, in terms
of its related interactions, in the form of its information flo s i an incident. A directed-graph
based representation structure should be used to express the flows perceived (as shown in Figures 4
and 5). Starting with any participant in the information trajectory, answers to the following two
questions may help to map out the other parts of these flows. In applying these questions, the
22
<PARTICIPANT> pa t should be substituted for each of the already identified participants in turn,
with <?> again substituted for the particular information representation of interest:
Where did the <?> information in <PARTICIPANT> come fro ? for upstrea e ploration

of an information trajectory)
Where did the <?> information in <PARTICIPANT> go to? for do strea e ploratio of
an information trajectory)
[ISF-p66]
When either of these two questions seem no longer applicable or relevant, a natural stopping point
in exploring a particular part of the information flows may have been reached, where no further use
of an information representation is perceived to have occurred. The point at which to stop mapping
these flows is largely a discretionary decision by the analyst. Sometimes, either of the two questions
above may not be clearly answerable, due to a lack of existing investigative knowledge. In such cases
attempts should be made to seek out this additional knowledge where possible. In terms of our
running example, we assume that the user reads their current account balance off the screen
displaying this information. This may be identified as a flow of information in terms of ISF, indicated
i Figu e . Under the ISF semantics of such flows (Section 4.3.2), the analyst has in this case
identified a representation of the account balance information to have been induced in the user of
the ATM as a result of this interaction. Similarly, a converse flow of account balance information may
be perceived to have subsequently taken place, from the user to the ATM. Here we assume that the
user takes money out of their account, i di ated in Figure 6 (informed by their knowledge of
the existing account balance). Through this second action, the new, and wrong account balance
information representation is updated to the ATM (and also updated for the user). To keep the
running example simple, we do not account here for the propagation of account balance
information representations upstream of its existence in the ATM – omitting the related supporting
infrastructure of ATMs and banks.
Figure 6: A simple ISF model illustrating part of an account balance information trajectory, using the same
notation as in Figure 5.
[ISF-p67]
The situation on which Figure 6 is based, is one where the notio of o e t i fo ation
ep ese tatio would normally legitimately change – from a old correct value to a new o e t
alue (as part of routine money withdrawals). A more extreme example would be in attempting to
model the flows of speed information between a car driver, and the potentially continuously
changing speedometer monitored whilst driving. Such dynamic, yet legitimate changes – in what the
orrect information representatio is – have not been accounted for in the development of ISF thus
far. For now we suggest that such cases should be avoided, and the use of ISF restricted to cases
23
he e the otio of o e t i fo atio should in principle remain constant, with respect to the
scope of the ISF analysis done9. For now we continue to use our account balance running example,
simply for convenience in illustration and explanation.
4.6.3 Identifying the safety functions acting on an information trajectory

[ISF-p68]
In addition to identifying the information trajectory associated with each information representation
(Section 4.6.2), the analyst should also identify the safety functions acting on these flows of
information. Any aspect of an incident, perceived to satisfy one or more of the four safety function
definitions given earlier (in Section 4.4), should be reified as a safety function. These aspects should
be explicitly related to the flows of information identified – in terms of their perceived effects on the
correctness and consistency of parts of these flows.
[ISF-p69]
As shown in Figure 5 (and described in Section 4.4), safety functions may affect the correctness of
parts of the information trajectory, through affecting one or more of the interacting participants
identified. Their perceived effect on consistency, is defined in ISF to be between pairs of participants
in an incident. The same safety function may in principle be simultaneously related to one or more
information trajectories, in terms of the four possibilities: of its correctness-enhancing, correctness-
reducing, consistency-enhancing and consistency-reducing effects. The identification of safety
function should be based on factual incident knowledge as much as possible – as part of an inductive
process which minimises deductive speculation not directly based on the incident data available.
[ISF-p70]
The identification of information flows (Section 4.6.2) and safety functions (Section 4.6.3) may occur
in any order, as well as being interleaved. This identification process should continue until no more
safety functions are perceived. Assuming that other ISF models have been previously developed in
other investigative contexts, the analyst should also consider whether any of the previously
identified safety functions are also relevant, and generalise to the current ISF model being
constructed. In the case of our account balance running example, the ATM used may have been
designed with a fixed set of denomination choices for withdrawing money. An analyst could
potentially assume this to be a safety function, as an aspect of an interaction context that can
increase the probability of consistent information flow, between the user and the ATM. This
interpretation is based on the assumption that these fixed denomination choices are a less error-
prone number entry mechanism, than if the user had been required to enter each digit in turn.
Figure 7 depicts this particular interpretation of the user/ATM system. In the case of our account
balance incident, this proved to be insufficient to prevent the wrong amount of money from being
inadvertently withdrawn. In this hypothetical case, additional correctness-enhancing, and/or
consistency-enhancing safety functions could perhaps be helpful.
9
Note that we do not need to know what the orrect information value actually is, to be able to
constructively apply ISF.
24
Figure 7: A consistency-enhancing safety function, using the same notation as in Figure 5.
4.7 Systematically exploiting the ISF models generated to support

formative and summative investigative reasoning
[ISF-p71]
The identification of information flows and safety functions will generate ISF models, similar to the
ones shown in Figures 5, 6 and 7. Once created, we suggest the following four questions, which may
be useful to ask of such models. We also suggest some interpretations, for the subsets of the ISF
models identified through answering these four questions. These questions and interpretations are
suggested as a starting point for systematically exploiting the ISF models constructed, and will be
illustrated later as part of the case study described in Section 5. Other questions and interpretations
may also be applied to I“F odels at the a al st s dis etio .
Question 1: Which parts of the information flows have neither positive (i.e.,
correctness/consistency-enhancing) nor negative (i.e., correctness/consistency-reducing)
safety functions acting on them?
Question 2: Which parts of the information flows have only negative safety functions
acting on them?
Question 3: Which parts of the information flows have both positive and negative safety
functions acting on them?
Question 4: Which parts of the information flows have only positive safety functions
acting on them?
25
4.7.1 Interpreting an ISF model to support iterative hypotheses generation

and refinement
[ISF-p72]
As a way to support formative understanding in investigation, answers to Questions 1, 2 and 4 may
identify areas particularly needing further investigation. Areas of apparent interactional simplicity
are systematically identified through answering these three questions; in terms of how the use of
correct, and consistent information is shaped in these parts of the work-system. The absence of (i.e.,
through answering Question 1), or very unbalanced (i.e., through answering Questions 2 and 4)
safety functions identified, help highlight where investigative understanding of information safety
may perhaps be particularly incomplete. The analyst may wish to double-check the completeness of
their incident understanding, in these areas of apparent simplicity in the work-system. Further data
collection may help to give a more thorough understanding of these parts of an incident.
4.7.2 Interpreting an ISF model on conclusion of an investigation

[ISF-p73]
When the answers to these same questions are interpreted summatively, Question 1 (i.e., no
positive or negative safety functions acting) helps to localise places where there may be substantive
system performance variability. If the investigative understanding encoded in the ISF models is a
relatively accurate abstraction of reality, then there is a total lack of contextual shaping factors in
these parts. This implies only weak enforcement of information safety in these parts. Under a
summative interpretation, the answers to Question 1 indicate where system performance is
apparently predisposed neither to a ds good , o ad patte s – and is likely to be largely
uncontrolled and unpredictable. Viewed as a control problem (e.g., Leveson 2011), the information
safety of the underlying system clearly cannot be assured with confidence, in the absence of actual
controls and constraints (either artificial or more naturally arising ones), and/or knowledge of these
constraints. Future similar breakdowns in the use of information is thus likely to unpredictably
(re)occur in these under-controlled parts of the work-system.
[ISF-p74]
Answers to Question 2 (i.e., only negative safety functions acting) helps to localise areas of obvious
weakness in assuring information safety. The fact that there are negative safety functions, yet
apparently no positive safety functions to offset them, indicate where information representations
may easily become incorrect, or be inconsistently propagated through the work-system. These are
areas of high priority, for understanding how information safety may be further improved for the
future.
[ISF-p75]
Answers to Question 3 (i.e., both positive and negative safety functions acting) helps to localise
areas of high complexity. The answers to this question highlight where multiple competing shaping
factors may or may not concurrently act, in shaping the ideally correct and consistent flow of
information. For these areas of a work-system, reasoned judgment and expertise is particularly
needed from investigators. To weigh up the on-balance likelihood, of information becoming
incorrect, or inconsistently propagated again in the future. Relatedly, investigators may also wish to
assess whether areas with only positive safety functions acting are sufficiently safe, in answer to
Question 4 (i.e., only positive safety functions acting) – bearing in mind the particular forms, and
degree of ephemerality of each positive safety function identified.
26
4.8 Summary
[ISF-p76]
During the ongoing formative stages of investigation, the focus ought to be on how the construction
of ISF models (Section 4.6), and operations on the models constructed (e.g., Section 4.7.1) may aid in
more deeply understanding the informational aspects of work-systems (through analysing the
incident). Latter stages of investigation typically involve more summative and evaluatory responses,
to try to improve the safety of the underlying work-system. Here the fi al ISF models may then be
used as a reasoned basis for constructive debate and discussion. As structured investigative
hypotheses, these ISF models may change and evolve, along with the developing understanding
gained through the process of investigation.
[ISF-p77]
ISF focusses on understanding the functional mechanisms through which correctness and consistency
of information flow may be maintained. It encourages investigators to look for specific kinds of
relationships in an incident, described throughout the earlier parts of Section 4. It is the information
encoded within these patterns of relationships which are key, rather than the particular visualisation
used to represent the relationships. As a way to support investigation, ISF is not intended to replace,
but to complement the expertise, and craft skill of investigators. In the next section, we describe,
and present the results from an illustrative case study, applying the theoretical ideas of ISF to two
patient safety incidents (where the wrong information was used as part of the care provided). These
results are then discussed in Section 6.
27
5. Using the Information Safety Framework to

understand two patient safety incidents
[ISF-p78]
To explore how the theory described in Section 4 may perform in practice, we used the Information
Safety Framework to analyse, and so extend, the investigation of two patient safety incidents. In this
case the extension is in the re-understanding, and reframing of the progression of these incidents
using ISF, without collecting additional incident data. The formal investigation report of each
incident was used as our source of incident data . The first incident involved an overdose of the
Fluorouracil drug, and the second involved the Vincristine drug being administered via the wrong
route.
[ISF-p79]
The ISF analysis of the Vincristine incident was supported by the ISF model constructed for the
Fluorouracil incident. In particular, each safety function identified fo the fi st I“F i estigatio into
the Fluorouracil incident was considered in turn, with respect to whether they generalise to the
Vincristine incident. Like in many real investigations, the time available for each analysis was limited.
We estimate that at least one full working-week (over a period of a month) was spent on the ISF
analysis of each incident, leading to the models presented in Section 5.4. A full reconstruction of the
final line of investigative reasoning leading to these ISF models is described in Huang et al. (2013a).
[ISF-p80]
Due to the exploratory nature of the research, the first principles of ISF (Section 4) were fully written
up and consolidated after the ISF analyses described here. The results presented should therefore be
regarded as a detailed empirical proof-of-concept, rather than a methodologically clea empirical
evaluation of ISF. These results are not artificially constructed, but represent real outcomes from the
application of ISF. In working with the natural language representations of the two investigation
reports used, we found significant interpretative ambiguities 10 . From a positivist perspective
(Wimmer and Dominick 2012, Chapter 5), the range of plausible alternative interpretations thus
possible, confound to an extent the two ISF analyses presented. One may also argue that both the
li ited ti e fo a al sis, a d u e tai t a d essi ess in the data used, perhaps inadvertently
approximated some of the similar practical constraints faced in real investigations. The
interpretative ambiguities encountered could potentially be better resolved, through further
collaboration and conversation with the original investigators, and access to the original incident
setting and evidence. Both these activities were beyond the scope of the work presented here.
[ISF-p81]
We first briefly overview the incidents, and their respective investigations (Sections 5.1 and 5.2). We
then describe how the incident data was accessed (Section 5.3), to construct the two ISF models
identified (presented in Sections 5.4.1 and 5.4.3 respectively). Both incidents involved breakdowns in
the information used to treat a patient, and an ISF analysis of a single information representation
was done for each. Although both incidents relate to cancer treatments, this was not a deliberate
choice, but simply due to the limited availability of publically accessible, yet detailed descriptions of
the interactions of a patient safety incident. Both ISF analyses were done by the first author, who is
10
See Burns (Section 1.1.7, 2000) for a summary of some of the weaknesses of such reports in facilitating
accurate communication between report writer and reader.
28
the lead developer of ISF. He had some prior familiarity with the Fluorouracil incident (Section 5.1),
but no prior familiarity with the Vincristine incident (Section 5.2). This prior familiarity seems to have
had little obvious e t a effect in shaping the findings obtained.
5.1 A summary of the Fluorouracil incident and investigation

[ISF-p82]
On August 22nd, 2006, a 43 year old patient died after a medication incident that occurred whilst
receiving outpatient care. The patient had received an infusion of Fluorouracil over 4 hours that was
intended to be administered over 4 days, and the cause of death as determined by the coroner was
se uelae of Fluo ou a il to i it . I pa ti ula , to i it f o the incorrect dose of Fluorouracil given
was found to be cumulative with Cisplatin – which was correctly administered as per the standard
medication protocol used11. The patient was being treated for advanced nasopharyngeal carcinoma,
which is a type of cancer. The incident was recognised within 1 hour of the infusion completing, and
the patient admitted to hospital 4 days after the incident occurred. Profound mucositis and
pancytopenia developed, and the patient experienced hemodynamic collapse and multi-organ
failure before death.
A Root Cause Analysis investigation was conducted by the Institute for Safe Medication Practices
Canada (ISMP Canada), using the investigative guidance provided in ISMP (2006). The full account of
both the incident, and its investigation is found in ISMP (2007), which was used as the data source to
inform our first ISF analysis (i.e., Sections 5.4.1 and 5.4.2).
5.2 A summary of the Vincristine incident and investigation

[ISF-p83]
At approximately 17.00hrs on Thursday 4th January 2001, a day case patient on Ward E17 at the
Quee s Medi al Ce t e Notti gha QMC as p epa ed for an intrathecal (i.e., spinal)
ad i ist atio of he othe ap . This he othe ap as gi e as pa t of the patie t s edi al
maintenance programme following successful treatment of leukaemia, which is a type of cancer.
After correctly administrating a cytotoxic drug (Cytosine), a second drug was administered to the
patient. However, this second drug, Vincristine, should never be administered by the intrathecal
route – which is almost always fatal to the patient12. Unfortunately, whilst emergency treatment was
provided quickly in an attempt to rectify this error, the patient died at 8.10am on the 2nd of
February 2001.
[ISF-p84]
Following an internal inquiry at QMC into the circumstances surrounding this death, Professor Brian
Toft was commissioned by the Chief Medical Officer for England and Wales to hold an external
investigation, with a remit:
11
Fluorouracil and Cisplatin are both drugs used in treating cancer.
12
Vincristine and Cytosine are both drugs used in treating cancer.
29
To investigate the circumstances leading up to an intrathecal, rather than intravenous

i je tio of Vi risti e i to a patie t at the Quee s Medi al Ce tre Notti gha (QMC)
on 4 January and to report findings to the Chief Medical Officer.
To advise the Chief Medical Officer on the areas of vulnerability in the process of
intrathecal injection of these drugs and ways in which fail-safes ight e uilt i . (Toft
2001)
[ISF-p85]
Four clinical experts were also appointed to assist this investigation, each highly regarded in their
respective fields. As in the investigation of the Fluorouracil incident, a chronological reconstruction
was also apparently used here, as the primary basis for supporting investigative inference. However,
there is no information in the report (Toft 2001) as to whether the investigative reasoning was
supported by a systematic method, methodology and/or model; or based solely on the expertise and
experience of the participating investigators and experts. Unlike in the Fluorouracil investigation,
neither the description of aspects of the incident, or the investigative reasoning were supported by
graphical representations in this report, where incident and investigation information was conveyed
mostly through a synthesised textual narrative. The full account of both the incident and its
investigation is found in Toft (2001), which was used as the data source to inform our second ISF
analysis (i.e., Sections 5.4.3 and 5.4.4).
5.3 Gathering incident data from each investigation report

5.3.1 How incident data was accessed
[ISF-p86]
In applying ISF to understand and reframe the incident data from each report, we accessed
information about each incident using a simple and lightweight approach. A si ple ke o d-sea h
selection process was used as a basis for olle ting data fo each ISF analysis, using ad hoc
keywords of interest as the analyses progressed. For example, in order to locate relevant
information about the patient in the Fluorouracil incident, we did a keyword-search through the
report using the keywo d patie t . We then read around each match to this keyword in the text, to
identify information on incident progression relevant to the ISF models being built up in this case.
For the Vincristine incident, the e ui ale t as to sea h fo the ke o d Jo ett , si e that as
the predominant referent used throughout that report to refer to the patient. This data access
strategy was applied equally, to identify the participants, flows of information, and safety functions
eventually modelled.
[ISF-p87]
This semi-systematic data access strategy was perhaps helpful, in reducing various biases potentially
gained through a normal, heuristic reading of each report. Such biases include:
 The a al st s p io fa ilia it ith the Fluo ou a il incident, which could potentially
have facilitated an o ergeneration of ISF findings for this case – in comparison with
the Vincristine one. Here the keyword-search used helped to partially homogenise,
and systematise the method by which incident data was collected for the two
incidents, going beyond a purely heuristic approach.
30
 I ad e te t o ta i atio f o the p io i estigati e easo i g p ese ted i ea h

report. I oth the epo ts used, the fa ts of the ase , a d the investigative reasoning
based on these facts were not always cleanly separated in their presentation. This is
despite the implication of such clean separation, in terms of the major section
headings of each report. Compared with the report on the Vincristine incident, the
analyst found it easier to distinguish between fact and inference for the report on the
Fluorouracil incident. It was particularly difficult to distinguish between fact and
inference in the Vincristine case, as these were sometimes integrated into the
synthesised narrative in a difficult to separate way. The keyword-search used was
intended to minimise the uncritical regurgitation of the existing investigative
inferences presented as part of each report. In particular by focusing the analyst s
attention on the details of the facts actually presented to support the points made,
before (re)framing investigative hypotheses using ISF.
 The inadvertent accretion of unfounded, or weakly founded assumptions about

incident progression. The keyword-based selection process meant that each candidate
pie e of i ide t data was carefully examined, relatively free of the wider
contextualisation of the prior narrative and text. This meant that it was less likely for
the analyst to inadvertently build up, and make use of a set of unfounded, or weakly
founded assumptions – about what was fact, and what was not. Ea h pie e of i ide t
data – distributed throughout each report – had to be made sense of more or less
anew; without the benefit of assumptions which may or may not have been
inadvertently accumulated through a normal egi i g to e d eadi g.
5.3.2 Potential limitations of the data access strategy used

[ISF-p88]
In addition to the potential benefits outlined in the previous section, the simple keyword-search
approach to incident data gathering also has potential limitations:
 The first is an assumption of the keyword-search strategy used, which ideally relies on
the fact that all references to entities in each report are both unique, and consistent
throughout. In retrospect, the natural usage of alternative forms of reference, through
pronouns, or abstract refe e e to olle ti es su h as the staff , was perhaps
inadequately accounted for by the keyword-search strategy used. This may have led to
undergeneration of participants, flows of information, and safety functions – where
some of the entities described in each report were in principle compatible with the ISF
framing of incidents (as described in Section 4), but inadvertently missed by the
analyst. Reinspection of each report after the ISF analyses was unable to satisfactorily
resolve these issues of referential ambiguity.
 A second potential limitation is that the extra contextual information, provided by the
major formal structuring of each report, may not have been fully accounted for. In
particular, information conveyed by the major headings of each report was not
explicitly taken into account, as part of the simple data gathering methodology used.
Neither were these structural aspects deliberately omitted, however, in understanding
31
each incident. Explicit systematic reflection, on whether each individual piece of

i ide t data as under a more fa tual , o i fe e tial major heading may have
helped to better distinguish between these two aspects. However, as mentioned in
Section 5.3.1, fact, and inference were not always readily separable in either of the
two reports used. Making this limitation a theoretically difficult one to resolve, based
solely on the reports used.
 A third potential limitation is that the scope of reading around each keyword match
was rather ad hoc, based purely on the analyst being heuristically satisfied with the
sense-making of the text. Different analysts could have scoped such readings
differently, thus reducing the potential reliability/replicability of the detailed forms of
the two ISF models constructed (Sections 5.4.1, 5.4.3). Like Johnson et al. (2012), the
lack of methodological reliability is not perceived as inherently bad here, but as
instead enriching. This is a pluralistic, and basically constructivist perspective on issues
of methodological reliability. Despite the potential for variability in the specifics of the
ISF models constructed, we hypothesise that the reliability of the main issues
highlighted by the ISF analyses (discussed later in Section 6), will likely remain
relatively stable across different analysts, and ISF analyses of the same two reports.
 In drafting this paper, we also discovered that the graphics presented in the report of
the Fluorouracil incident would have been missed by the simple keyword-search used.
This approach would have effectively skipped over the textual information contained
in these embedded graphics. Therefore reducing the chance that the information
within would be fully accounted for in each ISF analysis. However, this potential
limitation has little practical effect on the validity of our findings. As the graphics
missed were either otherwise described as part of the text searched (in the case of the
chronology graphic in ISMP, p16, 2007), or clearly inferential rather than factual (i.e.,
ISMP, p23-p29, 2007) – and thus not the kind of descriptive incident data we were
looking for.
5.4 Findings from the two ISF analyses

[ISF-p89]
In this section we present the results from using ISF to understand the two patient safety incidents.
In each case we first present the final ISF model identified, representing our investigative hypotheses
– based on the incident data presented within each respective report. This is followed by a pair of
tables summarising the information flows, and safety functions identified respectively. The full
details of the summaries in these tables are given in Huang et al. (2013a). For each ISF model, the
answers to the four questions described in Section 4.7 are subsequently presented in graphical form
(in Sections 5.4.2, and 5.4.4 respectively). These findings are discussed in Section 6.
32
5.4.1 Final ISF model identified for the Fluorouracil incident

[ISF-p90]
Figure 8 presents the final investigative hypotheses identified using ISF. This represents our attempt
to understand how the rate of infusion information representation (for the Fluorouracil drug) was
coordinated and used in this incident. In this and the following section, MAR stands for Medication
Administration Record, RN stands for registered nurse, and CPOE stands for Computerized Prescriber
Order Entry system.
Figure 8: Final ISF model identified for the flow of rate of infusion information in the Fluorouracil incident.
[ISF-p91]
Tables 1 and 2 summarise each constituent of this model. Table 1 summarises each of the links in
the information trajectory shown in Figure 8, describing the associated action for each. Table 2
summarises each of the safety functions in Figure 8 – identified by the numberings given.
Table 1: A summary of links in the rate of infusion information trajectory identified in Figure 8. The semantics
of these flows were discussed earlier in Section 4.3.
Links in the information Summary of associated action
trajectory
(i.e., rate of infusion information
flowed from A to B)
Handwritten MAR to RN #2 Nurse RN #2 signed off on the Handwritten MAR.
RN #2 to RN #1 Nurse #2 did a passing check, confirming the rate of

infusion nurse RN #1 programmed into the infusion
pump.
33
RN #1 to infusion pump Nurse RN #1 programmed the infusion pump (with the

wrong rate of infusion).
Infusion pump to the patient I fusio ate gi e to the patie t.
Computerized Prescriber Order Pharmacy staff transcribed information from the CPOE
Entry (CPOE) system to pharmacy into the pharmacy information system.
technician.
Pharmacy technician to pharmacy Pharmacy staff transcribed information from the CPOE
information system into the pharmacy information system.
Pharmacy information system to Pharmacy label generated by the pharmacy information

pharmacy label system.
Pharmacy label to RN #1 Nurse RN #1 read the pharmacy label.
Table 2: A summary of safety functions identified to act on the rate of infusion information trajectory shown in
Figure 8. The semantics for relating these (negative) safety functions to the information trajectory was
described earlier in Section 4.4.
Safety Function identified Brief description
(the numbering corresponds to
the identifiers shown in Figure 8.
In this case all three were
negative safety functions)
1: Low index of suspicion for The relative lack of familiarity of RN #1 with the operating
unusual rate of infusion for new context and medication administration meant that RN #1
nurse would be less likely to be able to assure the correctness of
the rate of infusion i fo atio i eithe : a ‘N # s head,
or b) the infusion pump whilst programming.
2: Complex workload and Nurses in this work-context were routinely expected to deal
multitasking for nurses with complex workloads, and multitask between them. This
situation may reduce chances for consistent
communication to/from each nurse, as well as reducing the
chances of the rate of infusion information remaining
correct (through forgetting for example).
3: Fallible human transcription Hu a t a s iptio of information is a fallible process.

Any information flows to/from humans will be potentially
affected by this.
34
5.4.2 Querying the Fluorouracil model

[ISF-p92]
Figures 9 and 10 show the answers from asking Questions 1 and 2 (described in Section 4.7) – based
on the final ISF model shown in Figure 8. Answers to these questions highlight subsets of the ISF
model, indicated in orange in these two figures. In this Fluorouracil incident no parts of the ISF
model were identified as having both positive and negative safety functions acting on them, thus
resulting in the empty set in answer to Question 3. Similarly, no positive safety functions were
identified here (in answer to Question 4).
Figure 9: The subset of the ISF model shown in Figure 8 which answers Question 1 from Section 4.7.
Highlighting the parts of the information flows which have neither positive (i.e., correctness/consistency-
enhancing) nor negative (i.e., correctness/consistency-reducing) safety functions acting on them.
35
Highlighting the parts of the information flows which have only negative safety functions acting on them.
5.4.3 Final ISF model identified for the Vincristine incident

[ISF-p93]
Figure 11 presents the final investigative hypotheses identified using ISF. This represents our
attempt to understand how the route of administration information representation (for the
Vincristine drug) was coordinated and used in this incident:
36
Figure 11: Final ISF model identified for the flow of route of administration information in the Vincristine
incident.
[ISF-p94]
Tables 3 and 4 summarise each constituent of this model. Table 3 summarises each of the links in
the information trajectory shown in Figure 11, describing the associated action for each. Table 4
summarises each of the safety functions in Figure 11 – identified by the numberings given. Here
safety function 3 – from the Fluorouracil incident – was judged to be also relevant to the Vincristine
incident, under the same semantics as described in Table 2 earlier. For us, there were insufficient
contextual details to support the generalisation of safety functions 1 and 2, about infusions and
nurses respectively, to the Vincristine incident.
Table 3: A summary of links in the route of administration information trajectory identified in Figure 11. The
semantics of these flo s e e dis ussed earlier in Section 4.3.
Links in the information Summary of associated action
trajectory
(i.e., route of administration
information flowed from A to B)
Dr Musuka to prescription chart D Musuka ote out the patie t s p es iptio ha t.
Prescription chart to Dr Dr Mulhem consulted the prescription chart.

Mulhem
Prescription chart to Dr Morton Dr Morton consulted the prescription chart.
37
Dr Morton to the patient Dr Morton administered the Vincristine drug

intrathecally (i.e., via the spine) – which was the wrong
route of administration.
Pharmacy database to the Pharmacy database generates syringe packaging label.

syringe packaging label
Syringe packaging label to Dr Dr Mulhem took the package containing the syringe
Mulhem with the Vincristine drug from Nurse Vallance. We
assumed that he also looked at the syringe packaging
label at this point.
Dr Mulhem to Dr Morton Dr Morton confirmed the route of administration with

Dr Mulhem.
13
Pharmacy database to the Pharmacy database generates syringe label .
syringe label
Syringe label to Dr Mulhem Dr Mulhem read from the syringe label prior to handing
the syringe to Dr Morton.
Syringe label to Dr Morton Dr Morton read from the syringe label before
administering the Vincristine injection.
Nurse Vallance to Dr Morton Nurse Vallance remarked to Dr Morton about an

intrathecal injection.
Table 4: A summary of safety functions identified to act on the route of administration information trajectory
shown in Figure 11. The semantics for relating these (positive and negative) safety functions to the information
trajectory was described earlier in Section 4.4.
Safety Function identified Brief description
(the numbering corresponds to the
identifiers shown in Figure 11, continuing
the numbering used in Table 2)
4: Constraints on the pharmacy database The pharmacy database automatically

generated both the syringe, and syringe
packaging labels. This helped to ensure that
the route of administration information
remained consistent between its
representation in the pharmacy database,
and the two labels.
13
The syringe label is directly attached to the syringe containing the Vincristine drug, and different from the
syringe packaging label – which is attached to the packaging containing one or more syringes.
38
5: Physical and temporal separation of the The practice of separating the packaging
packaging and supply of drugs to the and supply of intrathecal and non-
wards intrathecal drugs reduced the chance of
inadvertent mix-ups. Therefore increasing
the chances that the route of administration
information displayed on the syringe and
syringe packaging label would be correct.
6: Physically bi-compatible syringe Syringes containing intravenous drugs may

connection also be successfully connected to the spinal
needles – intended only for intrathecal
administration. This lack of physical
discrimination reduced the likelihood that
the route of administration gi e to the
patient is assured to be correct.
7: Avoiding compromising patient care In this particular incident, both intravenous

and intrathecal drugs were in fact sent at
the same time to the wards. This directly
contradicted the purpose of safety function
5. In the report not much more details is
provided about this workaround, other than
that it happened in the interests of not
compromising patient care. This safety
function increased the chances that
inadvertent mix-ups between the labelling
of drugs intended for different routes of
administration may occur.
8: Lack of a rigorous checking procedure The doctors here did not have an explicit
for the doctors checking protocol to follow. This reduced
the likelihood that the route of
administration information in their heads
would be correct. Dr Musuka was not
included as being affected by this safety
function, because he was not directly
involved in the drug delivery process.
5.4.4 Querying the Vincristine model

[ISF-p95]
Figures 12, 13, 14 and 15 show the results of asking the questions described in Section 4.7, on the
final ISF model shown in Figure 11. The answers to these questions highlight subsets of the final ISF
model, indicated in orange in these figures. In contrast to the ISF model for the Fluorouracil incident,
a subset of this model has both positive and negative safety functions acting on it (Figure 14). There
are also parts where only positive safety functions are acting, as shown in Figure 15.
39
Highlighting the parts of the information flows which have neither positive (i.e., correctness/consistency-
enhancing) nor negative (i.e., correctness/consistency-reducing) safety functions acting on them.
Highlighting the parts of the information flows which have only negative safety functions acting on them.
40
Highlighting the parts of the information flows which have both positive and negative safety functions acting
on them.
Highlighting the parts of the information flows which have only positive safety functions acting on them.
41
6. Discussion of the ISF findings obtained

6.1 Using ISF to help highlight gaps in the distal knowledge of the
flow and use of information
[ISF-p96]
The ISF analysis of the Fluorouracil incident (e.g., Figure 8) was unable to identify how the rate of
infusion information was used – prior to the handwritten MAR, and Computerized Prescriber Order
Entry system (CPOE) participants. Similarly, Figure 11 shows that in the case of the Vincristine
incident, the ISF analysis failed to identify the prior progression of route of administration
information – beyond the Dr Musuka, pharmacy database, and nurse Vallance participants. Based on
these findings, we hypothesise that the existence of a substantively incomplete state of knowledge
about the patterns of flow, and use of these two information representations, will remain a reliable
finding – with respect to the incident understanding presented in both the reports used as a source
of incident data here.
[ISF-p97]
In the case of the Fluorouracil incident, the handwritten MAR was mentioned several times
throughout the report. We know that both RN #1 and RN #2 did sign off on this artefact (ISMP, p13,
p64, 2007), and that the critical information needed by nurses in administering medications correctly
is ot apped 14 between the medication order, the medication administration record, the
pharmacy label and the pump; thus increasing the complexity of programming the infusion pump
(ISMP, p39, 2007). Prompted by the ISF analysis done, we repeatedly re-inspected the report used,
but found relatively few specific details reporting on the progression, and use of rate of infusion
information in this incident – beyond those parts of the work-system represented in the information
trajectory shown in Figure 8. These re-inspections did however reveal that the rate of infusion
information needed to program the pump was not included on the MAR, because it was not part of
the medication order (ISMP, p19, 2007). This would explain the relatively few details of the use of
this rate of infusion information beyond the handwritten MAR. Nevertheless, at least two
substantive gaps in investigative knowledge remains: the first regarding what information
representation(s) were in fact used by RN #2 to do the he o- he k e uested ‘N # ISMP, p13,
2007); the second regarding the details of the progression of this rate of infusion information
between the CPOE, and its original prescription – which presumably took place elsewhere in the
work-system. There were few details on either of these issues in the report. Yet both are relevant to
understanding how rate of infusion information was used in this incident.
[ISF-p98]
Similar issues were raised as part of the ISF analysis of the Vincristine incident, this time in terms of
the use of route of administration information. Here there are relatively few clear details, beyond
the parts of the work-system represented in the information trajectory shown in Figure 11. For
example, only a cursory description of the role of the pharmacy database, in producing the syringe,
and syringe packaging labels (Toft, p13, 2001), formed the extent of the distal understanding of that
part of the information trajectory. In contrast to the Fluorouracil incident, here the report details
14
It is o l pa tiall lea hat appi g eans from the report – which refers to the i fo atio a aila le,
se ue e of i fo atio , use of o o te i olog as e a ples of this apping.
42
that Dr Musuka was the Locum Consultant Haematologist responsible for the patient s edi al
maintenance programme (Toft, p10, p24, 2001). It is in this capacity, that we assume Dr Musuka to
have been the original prescriber of the Vincristine drug, intended to be given via the correct,
intravenous route of administration15. However, knowledge about other parts of the information
trajectory of the route of administration information remains relatively unknown, and incomplete.
[ISF-p99]
These discussions show how ISF may help to highlight more distal knowledge gaps in the flow, and
use of information. Each of the two information representations analysed were significant to their
respective incidents. As such the relatively incomplete knowledge of their information flow patterns
is perhaps surprising. One explanation may be through appealing to the What-You-Look-For-Is-What-
You-Find principle (Lundberg et al. 2009), where the specific approach used in engaging with an
incident situation, could significantly shape the salient subset of its underlying features investigated.
In both investigations, it would appear that the approach used did not facilitate a specific focus – on
the more distal progression, and use of either of the two information representations analysed. If
the two ISF analyses described in this paper were conducted as part of an ongoing investigation,
further data collection would be needed to better understand these latent aspects. This argument is
a specific form, of the widely recognised need to go beyond an account of only the proximal issues in
understanding incidents (e.g., Reason 1990). Here we suggest that a deeper understanding of the
latent aspects of information flow and use, is likely to enhance our chances of effectively intervening
to improve the information safety of work-systems.
[ISF-p100]
These discussions are not intended to disparage the efforts of the original investigators and
investigations. But only to illustrate one way in which ISF may enrich investigative understanding.
Incidents are often inherently complex, and it is helpful to have systematic methodological support
in dealing with their various aspects. Here the relatively sparse nature of each of the ISF models
identified, helped to highlight gaps in distal investigative knowledge about the flow, and use of both
the information representations analysed.
6.2 Clarifying the nature of participant involvement in an incident

[ISF-p101]
In Section 6.1, we described how the investigation into the Fluorouracil incident found that critical
information needed by nurses to administer medications corre tl is ot apped – between the
medication order, the medication administration record, the pharmacy label and the pump,
increasing the complexity of programming the infusion pump (ISMP, p39, 2007). Here we highlighted,
in italics, the four material artefacts which may have participated in the flow, and use of rate of
infusion information. While three of these were accounted for in the ISF model constructed (e.g.,
Figure 8), the medication order was not. This was mainly due to considerable ambiguity in
understanding hat a edi atio o de was referring to in the report used. This ambiguity was
o pou ded the fa t that edi atio o de , as a referent, is not well-defined. This term is often
15
A copy of the original prescription chart, demonstrating this correctly prescribed route of administration by
Dr Musuka, is included in Toft (Appendix 7, 2001).
43
used generically and loosely, in reference to different forms of verbal/written/electronic artefact(s)

describing some aspect of the medication prescribed (see Cohen, Chapter 9, 2007 for some
examples).
[ISF-p102]
One part of the report used, referred to both:
Medi atio orders, la s, height a d eight re ie ed li i urse. and

Medi atio orders re ie ed agai st edi atio profile, dose al ulatio s o pleted
a phar a ist. (ISMP, p64, 2007)
[ISF-p103]
This part of the report seems to be referring to such orders in the collective, rather than singular
sense, suggesting multiple orders relating to the medication given. However, another part of the
same report talks about how:
Criti al i for atio as ot learl apped a o g the edi atio order, the
edi atio ad i istratio re ord MA‘ , the phar a la el, a d the i fusio pu p
(ISMP, p19, 2007)
[ISF-p104]
This is another version of the same information given on (ISMP, p39, 2007 . He e the edi atio
order see s to e o efe i g to a spe ifi artefact, rather than a collection of related orders for
supporting the giving of medication. Similar usage of both the collective, and singular style of
reference is distributed throughout other places in the report used. This may be confusing to
understand for a reader. In this case the analyst was eventually unable to commit to what/which
pa ti ipa t a edi atio o de a tuall efe s to, with respect to the Fluorouracil incident. This
artefact was therefore not eventually included as a participant in the ISF model constructed. The
identification of specific i fo atio al participants (i.e., Section 4.6.2), has here necessitated the
related decision, of whethe a edi atio o de ought to e i luded as one of the participants in
the information trajectory identified. This helped to highlight a particular point of ambiguity, in
understanding the relevant informational participants of the incident. Such referential ambiguity
may be purely communicative, but may also reflect an area of ambiguous incident understanding. In
the second case, further investigative clarification may help better understand the use of rate of
infusion information in the Fluorouracil incident.
[ISF-p105]
In the case of the Vincristine incident, nurse Vallance remarked to Dr Morton about an intrathecal
injection (Toft, p26, 2001). This link in the information flow was represented in Figure 11 (i.e., the
nurse Vallance to Dr Morton link in the figure). This part of the ISF model represents the
investigative hypothesis, that u se Valla e s e a k – about the intrathecal route of
administration – informed Dr Morton in his work. In an investigation, it would be useful to confirm
hethe this o e t did i fa t ha e a effe t o D Mo to s actions. On re-inspecting the
report, there was little support found either for, or against this particular hypothesis. Here the
commitment to a particular information trajectory has highlighted another point of ambiguity, which
may have further enriched incident understanding if resolved. In the general case, further
discussions with incident participants may help to clarify the validity of each link in an ISF
information trajectory.
44
6.3 Formative and summative implications of the two ISF models

identified
[ISF-p106]
In Section 4.7, we suggested four generic questions to ask of an ISF model. Both formative (Section
4.7.1) and summative (Section 4.7.2) interpretations were provided – for the subsets of each ISF
model identified through answering these questions. The questions were the following:
Question 1: Which parts of the information flows have neither positive (i.e.,
correctness/consistency-enhancing) nor negative (i.e., correctness/consistency-reducing)
safety functions acting on them?
Question 2: Which parts of the information flows have only negative safety functions
acting on them?
Question 3: Which parts of the information flows have both positive and negative safety
functions acting on them?
Question 4: Which parts of the information flows have only positive safety functions
acting on them?
Figures 9, 10, 12, 13, 14 and 15 provide objective answers16 to these questions, in the form of
subsets of the ISF models highlighted by these figures. The more subjective interpretations of these
objective answers, offered as part of the ISF description in Section 4.7, are intended to be neither
prescriptive, nor exhaustive in nature.
[ISF-p107]
Treating the two illustrative ISF models (i.e., Figures 8 and 11) formatively, they represent semi-
certain investigative hypotheses to be finalised, for instance perhaps during the initial part of an
investigation. Under the formative interpretations suggested in Section 4.7.1, we ought to double-
check the completeness of investigative understanding – through trying to identify the other safety
functions acting on the subset of the information trajectory highlighted, in both Figures 9 and 10. In
the case of the Vincristine incident, the same point applies for the subsets of the flows highlighted in
Figures 12, 13 and 15. This is one way in which ISF may help to partly guide the formative stages of
investigation.
[ISF-p108]
Treating the two ISF models summatively, they represent relatively certain investigative hypotheses.
Under the summative interpretations suggested in Section 4.7.2, the following implications follow.
Figures 9 and 12 are the subsets of each ISF model answering Question 1 (i.e., no positive or
negative safety functions acting), highlighting places where substantive system performance
variability may exist. The apparent lack of perceived, or actual s ste ontrol – in the form of no
safety functions – suggest that the use, and flow of correct and consistent information is likely to be
largely uncontrolled (both artificially, or more naturally); and unpredictable in future in these parts.
The lack of actual control potentially leads to unforeseen breakdowns in the use of information
16
These a s e s a e o je ti e , in a similar sense to the minimal-cutsets available after the more subjective
initial step of creating the fault-tree in fault tree analysis; or other similar o je ti e structure-based
operations and manipulations, in the context of a particular mathematical-logical formalism.
45
(re)occurring. For these parts, it may be worthwhile to consider if, and how positive safety functions
may be designed and implemented. Such safety functions could help assure the use of correct and
consistent information in future, thus improving information safety in these parts.
[ISF-p109]
Answers to Question 2 (i.e., only negative safety functions acting) are shown in Figures 10 and 13.
These suggest areas of particular priority, in considering where the work-system needs to be
improved. In these areas there are no positive safety functions to offset the effects of the negative
safety functions. This indicates where information representations are particularly likely to become
incorrect, or be inconsistently propagated in future. Here it may be useful to consider what positive
safety functions are necessary, to offset the negative ones. In addition, it may be useful to also
consider whether any of the negative safety functions identified may be so eho emoved , or
how their negative impact on the information trajectory may be reduced.
[ISF-p110]
In answer to Question 3 (i.e., both positive and negative safety functions acting), Figure 14 highlights
an area of a work-system, where informed judgement and expertise is particularly needed from
investigators – to weigh up whether information may become incorrect, or inconsistently
propagated again in the future. In the case of limited time and resources for investigation, the
answer to this question provides a way to selectively prioritise the application of investigative
expertise, to the more difficult areas of incident understanding requiring heuristic judgement and
intuition. Relatedly, Figure 15 shows the answer to Question 4 (i.e., only positive safety functions
acting). This subset of the ISF model highlights where investigators may assess whether the set of
positive safety functions acting are sufficiently safe for supporting work – bearing in mind the
particular forms, and degree of ephemerality of each positive safety function identified for these
parts of the information trajectory.
6.4 Synchronising temporally dispersed information flows for error-

checking and detection
[ISF-p111]
ISF models, such as the ones shown in Figures 8 and 11, explicitly represent coordinative patterns of
information used in an incident. One way to detect error in information flow, can be through
comparing amongst representations of the same thing, developed from different sources or via
different processes (Hutchins 2000). This error-detection mechanism is predicated on the knowledge
that a particular information representation ought to ideally remain the same – throughout its
progression in a socio-technical work-system. When this assumption is valid, this comparative
checking mechanism is useful, regardless of the particular information representation used (in terms
of any specific rate of infusion, or route of administration for example). Figure 16 illustrates how
such comparative checking, between two incoming information representations (16a), may be
generalised to cases of arbitrary numbers of participants (16b). Where Figures 16a and 16b
correspond to structures found in parts of the ISF models identified, for the Fluorouracil and
Vincristine incident respectively. The dashed arrows represent other parts of a generic information
trajectory, omitted from this figure.
46
Figure 16: Using semantics similar to the information trajectory shown in Figure 5, this figure shows a
generalisation of three-participant comparative checking to arbitrary numbers of participants. In each case P1,
P2 etc. denote different participants, and P1 is the participant who could potentially do a s h o ised heck
between the incoming information representations. In principle, any combination of human/non-human
participants may be involved in this generic checking process.
[ISF-p112]
In the Fluorouracil incident for example, nurse RN #2 did a passing check to confirm the rate of
infusion programmed by nurse RN #1 (RN #2 to RN #1 link); In the same case, Nurse RN #1 also read
the pharmacy label (Pharmacy label to RN #1 link). Such an ISF model fragment corresponds to
Figure 16a. If these two flows occurred at basically the same time in future, then any discrepancies
found in comparing between these two sources of information, would invariably indicate that one of
the t o i o i g i fo ation representations must be wrong. So long as we know that the rate of
infusion ought to ideally remain the same, then a temporal synchronisation of these two flows is in
principle a generic means of improving information safety – regardless of the specific rate used. In
this case RN #1 would compare between these two incoming flows, to check that the rate of infusion
is indeed identical between them.
[ISF-p113]
A larger example from the Vincristine incident, is in terms of the four flows of information identified
as goi g i to D Mo ton. Such an ISF model fragment corresponds to Figure 16b. The flows were
the following, from left to right in Figure 11:
Link 1: Dr Morton consulted the prescription chart (Prescription chart to Dr Morton);

Link 2: Dr Morton confirmed the route of administration with Dr Mulhem (Dr Mulhem to Dr
Morton);
Link 3: Dr Morton read from the syringe label before administering the Vincristine injection
(Syringe label to Dr Morton);
Link 4: Nurse Vallance remarked to Dr Morton about an intrathecal injection (Nurse Vallance
to Dr Morton).
47
[ISF-p114]
Based on the account provided in the report, these actions were in the following chronological
order:
1st action: Nurse Vallance remarked to Dr Morton about an intrathecal injection (Link 4);
2nd action: Dr Morton confirmed the route of administration with Dr Mulhem (Link 2);
3rd action: Dr Morton read from the syringe label before administering the Vincristine
injection. (Link 3);
4th action: Dr Morton consulted the prescription chart (Link 1).
[ISF-p115]
In this case, if it were possible to temporally synchronise two or more of these four incoming flows
of information, and compare between them, we may increase the chances of catching errors in the
flow and use of route of administration information. In principle, Dr Morton could compare between
these incoming flows, to check that the route of administration is indeed the same between them. In
general, larger number of incoming sources to the same i fo atio al participant , inherently
affords greater potential for error detection, since additional paths of redundancy are available for
checking. When one or more of the incoming flows disagree, about an information representation
which ought to be the same, one or more of their respective sources is necessarily wrong. In such
cases, the participant doing the checking need not have any knowledge of the right information
representation, in order to comparatively check for identity, and potential error.
[ISF-p116]
To summarise, each single branch of an ISF model represents one part of the flow of a particular
information representation. Although ISF imposes normal chronological ordering between pairs of
participants in the overall flow (see Section 4.3.2)17, there are no specific restrictions on the
chronological relationship between multiple branches of an ISF model. In the case that multiple such
a hes a e ide tified to e i o i g ith espect to a particular participant, an explicit
synchronisation of (previously) temporally dispersed actions, may facilitate extra error-detection
opportunities in future. In the context of the wide-scoped Distributed Cognition notion of
information representation used in this paper, this kind of checking process is potentially useful –
regardless of the specific information being checked, and the human, or non-human nature of the
participants i its flo . One simply needs to s h o ise the multiple incoming flows, such that
the pa ti ipa t e ei i g these flo s are able to explicitly compare between each incoming source.
For humans, this checking may need to be done within a limited time-window, due to natural
cognitive, and memory limitations. In the case of non-human participants who are coordinating this
checking (implemented in a computer participant for example), such human limitations do not apply
in the same way. In the context of the Vincristine incident, one can in principle imagine a
counterfactual situation; where a comparison by Dr Morton between the route of administration
information provided by Nurse Vallance, Dr Mulhem, the syringe label, and prescription chart could
perhaps have reduced the chances of the Vincristine being administered via the wrong intrathecal
route18. Neither the original investigations of each of the two patient safety incidents, or an
independent analysis of the Vincristine one by Reason (2004), identified the generic class of
17
And by consequence also imposes chronological ordering throughout the entirety of a single branch of the
information trajectory identified.
18
We would obviously need to consult with the original incident site, to know the extent to which such a
change to the existing work-flow may or may not be practical.
48
interventions discussed in this section (afforded by the ISF models constructed). This is presumably
because of the different perspectives of incident, system and interactions used in those three
analyses.
6.5 Addressing issues of representational structure in patient

safety investigation
[ISF-p117]
Investigations into incidents are effectively case studies (Hopkins 2013; Zotov 2006), which are not
desig ed as such, and thus somewhat ad hoc. Afterall, incidents happen independently, of the need
to support or refute particular theories and models proposed to explain them. A consequence of the
existing theory-practice gap (Underwood and Waterson 2013), is that investigators may not always
be aware of, or necessarily apply the most appropriate tools 19. In particular, few investigators have
general training in conducting incident investigations, and even less on the more recent systemic
and organisational approaches advanced in the safety literature (Dechy et al. 2012) – such as
CAST/STAMP or FRAM. Considerable research exists on both the systems under investigation, and
the work-products from investigative approaches, but relatively little attention has been devoted to
the process, and methodological aspects of investigation (Stoop and Roed-Larsen 2009). Together,
these wider issues suggest that the conduct of investigations may not always be particularly well
principled, and theoretically sound in practice20.
[ISF-p118]
Irrespective of their ad hoc, or more systematic nature, the use of representations is nevertheless
necessary for informing the course of investigations. In particular, a common representational
structure is helpful for facilitating the distribution of investigative cognition, in supporting
investigators and investigations across different locales and times. Idiosyncratic and internalised
representational structures i.e., lo ated solel ithi i estigato s i ds ay not always be
effective, easily communicable, readily generalisable, or wholly rational to others. On the other hand,
more sophisticated and nuanced predeterminations – of notions of systems and causality, are
perhaps conceptually too far-removed at the moment, from the predominantly lo -tech
approaches to incident representation in current investigative practice (Roelen et al. 2011).
[ISF-p119]
In addition to exploring more sophisticated approaches to supporting investigation, it makes sense –
from a design point of view – to also explo e the use of elati el lo -te h ep ese tatio al
structures. Although simpler representations are potentially more accessible and usable, their
supposed advantages should not be overestimated. The limitations of simpler tools need to be taken
into account in their use (Ziedelis and Noel 2011).
[ISF-p120]
In designing ISF, we bore in mind this complexity/simplicity trade-off, reflected in the tension
between:
19
Part of this issue also relates to the relative lack of systematic (Lindberg et al. 2010), and standardised
(Ziedelis and Noel 2011) evaluation of proposed tools.
20
We do not suggest that all investigations are theoretically unsound, but only that this is a possibility in some
cases.
49
1) the need for sound theoretical rationale in conceptualising an incident, and systematic
methodology for supporting investigation, and
2) the need for the approach proposed to be potentially usable in investigative practice.
[ISF-p121]
In this paper we do not discuss the usability of ISF models in investigative practice, to be explored as
part of future research. For now, we focus on explaining the advantages which we perceive ISF
models to have, over two simple representational structures used in patient safety investigation.
These are the chronology and causal tree/net, often suggested as part of some variant of Root Cause
Analysis – in this emerging area of research and practice (Vincent and Hewett 2013). In terms of
directing investigative attention, theoretically informed representations help to more clearly
distinguish, between aspects of an incident which are more, or less important to consider. The
deductive utility of their underpinning rationale, can also in principle be better inspected, and
constructively critiqued. As suggested by Lindberg et al. (2010), we pay close attention to the
underlying conceptualisations of approaches in the discussions that follow.
6.5.1 Improving on the weak theoretical support from simple chronological

representation
[ISF-p122]
Figure 17 shows an extract from the chronological representation, used as part of the investigation
of the Fluorouracil incident. This investigation was supported by the Root Cause Analysis approach
described in ISMP (2006). Although we do not know if, or what specific methodology was used to
support the investigation into the Vincristine incident, a broadly similar chronological
conceptualisation seems to also have been used. In using such a representation, both the particular
incident data collected, and the investigative inferences made, may be significantly affected.
Figure 17: A partial reproduction of the chronology figure from ISMP (2007, p16). The dotted arrows here
depict other parts omitted due to space limitations. The box on the top left of this figure is the first event
identified in this chronology.
50
[ISF-p123]
As a representational structure, such chronologies are consistent with our intuitions about history
and narrative. However, as part of a theoretical basis for systematically understanding incidents (as
suggested in ISMP, p23-25, 2006), a simple chronology provides only weak support for distinguishing
between the more and less important aspects of incidents. The determination of the relevance of
the various aspects of an incident is left as an informed, yet highly subjective judgement. With only
the constraint of temporal precedence to be satisfied, in formulating the chronological
representations thus obtained.
[ISF-p124]
Picking a somewhat arbitrary example from Figure 17, why is the fact that the patient was seen at a
Head & Neck clinic (on Friday, July 28) of significant relevance to the evolution of the Fluorouracil
incident? Why is this particular interaction of more significance, than any of the many other
interactions which must have been occurring at the same time in this incident setting? In focusing
specifically on the informational aspects of incident evolution, ISF supports a more selective
approach to investigation. In particular, ISF models provide a clear direction for understanding what
ought to be investigated next, by encouraging the analyst to map out only the i fo atio al parts
of an incident, directly relevant to the informational issues being investigated. An active role for such
externalised representations is proposed as part of ISF, to help investigators systematically focus on
critical informational issues in investigation. In light of the complexities of patient safety incidents,
and the often limited time and resources for their investigation, our ISF models may help more
clearly distinguish the parts of an incident that are highly relevant, from the mass of other
(chronological) details that may plausibly be of some interest. While we do not claim that
chronologies have no useful role, we do suggest that their limited theoretical utility needs to be
carefully considered.
6.5.2 Improving on the under-qualified specification of causal

understanding
[ISF-p125]
Figure 18: A reproduction of part of the causal tree identified, as part of the Root Cause Analysis described in
ISMP (2007, p25). The dotted arrows/line depicts links to other parts of the tree (omitted due to space
limitations).
Figure 18 shows a small extract from the root-cause tree, identified as part of the investigation
described in ISMP (2007). As it stands, such representational structures form highly ambiguous
statements about the causal relationships perceived, and have significantly divergent plausible
interpretations. For example, the representation shown in Figure 18 does not require an analyst to
51
commit to a specific causal relationship, perceived between the three factors/causes shown.
Amongst other possibilities, the two causes on the right hand side of Figure 18 can be plausibly
interpreted both conjunctively (i.e., as necessary causes), or disjunctively (i.e., as individually
sufficient causes), to cause the la el to e ot i a o d ith i fo atio eeded the nu ses .
These two interpretations would lead to quite different logical consequences for effective
intervention. Here the original causal understanding is represented in a form that is under-qualified,
and difficult to retrieve, negatively impacting on the usability of such representations, in informing
the safety work of other investigators and practitioners. Such ambiguity is further compounded, by
the relatively imprecise natural language constructs used to describe each of the three causes. Note
that we are not discussing issues of validity in causal inference here, but issues of interpretative, and
communicative precision. ISMP (2006) provides only loose guidance on how such causal
representations should be interpreted.
[ISF-p126]
Another potentially subversive feature of such representations is in their potential for
communicating causal-certainty. A naïve, yet plausible reading is to treat the representation shown
in Figure 18 as a stable causal relationship – holding irrespective of context. Such a reading is both
difficult to justify in theory, and gain scientific and/or investigative evidence for.
[ISF-p127]
In contrast, the safety functions aspect of ISF (e.g., Section 4.4, Figures 8 and 11) recognises, and
explicitly represents the inherent uncertainties in approximating causal relationships, and their
partly contingent nature. An analyst is encouraged to describe causality in terms of four types of
relationships, defined specifically in terms of increases and reductions to probabilities, in assuring
the flow of correct and consistent information. The semantics of ISF are intended to avoid painting a
critically oversimplified picture, of the complex and often subtle causal relations of reality. Through
explicit representation of the uncertainties in causal inference, the ISF safety function definitions will
hopefully help reduce the potential to overlook as many u k o -u k o s Le eso –
these are causal factors, or facilitating conditions that may be overlooked in investigation, yet are
actually critical to improving safety in reality. In comparison with representations like the one shown
in Figure 18, the arguably more precise formulation of causal understanding encouraged by ISF, is
likely to act as a positive safety function, in supporting the consistent coordination of causal
information representations across different investigative settings.
52
7. Conclusions and further work

[ISF-p128]
In this paper, we have proposed, and illustrated a new modelling framework for understanding
information use in an incident, called the Information Safety Framework. In articulating this
approach, we have shown how Distributed Cognition may be used as a theoretical basis, for
informing the design of investigative methodology. This addresses the relative paucity of
methodology in the treatment of Distributed Cognition, within contemporary system accident
theory, for which it naturally lends itself (Sweeney 2009). We have also discussed some limitations of
simple chronologies and causal trees/nets, and how they may be overcome; explaining how ISF helps
to selectively guide investigation, and encourage a more circumspect formulation of causal
investigative understanding (Section 6.5).
[ISF-p129]
Through focusing on the nature of representations, and how people use representations to do work
(Hollan et al. 2000), Distributed Cognition informs our understanding of how work, in the systems
investigated, may be safely supported. Its olle ti e theoretical emphasis also offers a new
perspective on investigation methodology and process. We have illustrated how ISF helps to
highlight gaps in distal knowledge of the flow and use of information (Section 6.1), and help clarify
the nature of incident participant involvement (Section 6.2). We have also discussed its formative
and summative uses in investigation (Section 6.3), as well as the potential for deriving generic error-
checking possibilities from the information flows represented by ISF models (Section 6.4). In
reframing each of the two incidents analysed using ISF, we originally expected only to gain insight
into whether its theoretical ideas can indeed lead to concrete incident models in practice.
[ISF-p130]
Like other research-based approaches, ISF is under ongoing development. In particular, two aspects
of ISF methodology may benefit from further development.
Like McDonald et al. (2010), we believe that methodological transparency in investigation is a good
idea in principle, irrespective of the degree to which particular lines of investigative reasoning are
adequate simplifications of reality. Our early thinking and design emphasis has focussed on a
rational theoretical framing of incidents and systems, rather than on the many other aspects of
investigation. One of these aspects is in supporting the analyst in making an explicit, and transparent
connection between incident data, and the inferences made. This is not yet well-supported in ISF,
thus potentially limiting the degree of success for inter-subjective reasoning using it. Addressing
these issues of transparency in representing reasoning, is likely to help improve the potential for the
products of investigations to effectively inform others. Such explicit contextualisation of
investigative reasoning is also likely to more broadly help progress the science of safety.
[ISF-p131]
The pote tial fo u de ge e atio , in identifying salient issues, is another common problem not yet
addressed in detail in ISF. Due to natural cognitive limitations, it is always difficult to be certain of
identifying all the issues, that are in principle compatible and consistent with the particular approach
used21. In terms of the findings presented in this paper, the inherent and significant ambiguities of
the incident data sources used, partly explains the relatively sparse nature of the ISF models
21
This point is applicable to any approach, irrespective of its ad hoc, or more systematic nature.
53
identified. However, additional t igge i g ta o o ies – similar to the six categories suggested in
ISMP (2006, Appendix C) – could perhaps help to ensure better coverage of the candidate safety
functions of ISF.
[ISF-p132]
Hollan et al. (2000) makes the point that:
Culture is a process that accumulates partial solutions to frequently encountered

problems. Without this residue of previous activity, we would all have to find solutions
from scratch. We could not build on the success of others. Accordingly, culture provides
us with intellectual tools that enable us to accomplish things that we could not do
without them. This is tremendously enabling. But it is not without cost. For culture may
also blind us to other ways of thinking, leading us to believe that certain things are
impossible when in fact they are possi le he ie ed diffe e tl .
[ISF-p133]
In developing ISF, we aim for a balance – between the potentially myopic approach of being too
presuming about the generalisable aspects of incidents and their investigations, and the alternative
extreme of treating every incident completely anew. In offering a structured framing of some
informational aspects of incidents, we are developing an intellectual tool to hopefully allow a
gradual accumulation of partial understanding, and potential solutions – within a common approach
to informational incident representation. Through building up, and calibrating an interconnected
web of representations, of information trajectories and safety functions across different times and
locales, we hope to enrich both contemporary and future investigations. At this relatively formative
stage of its development, we hope that the first principles of ISF – as outlined in this paper – will be
further elaborated on, and developed by the safety community; in other enriching ways, additional
to our own further research and development. Such distributed efforts could lead to significant gains,
in addressing the difficult, and open problem of ensuring safe information use in society.
[END OF MARKUP]
Broader research background and acknowledgements

Discussions leading up to the paper presented for the fourth NASA formal methods symposium
(Masci, Huang et al. 2012), was an important precursor in the development of the framework
proposed here. We are grateful to the organisers of COME 2013 (http://www.come.usi.ch/) for
facilitating useful discussions, where a short oral presentation was given on some of the ideas
presented in this paper (Huang et al. 2013b, no associated proceedings). Insights gained as part of
Huang et al. 2011 directly inspired the part of ISF described in Section 4.7. Conversations and
correspondence with Michael Harrison, Ludwig Benner Junior, Deborah Swinglehurst, Julian Hough,
Zhaohui Huang, Karen Li, Alexis Lewis and Geraint Wiggins have all been helpful in writing this paper.
We are also grateful for the interactions with other scholars and patient safety practitioners,
facilitated th ough the EP“‘C g a t CHI+MED: “afe Medi al De i es EP/G059063/1).
54
Appendix: Three further illustrations of the Distributed Cognition

notion of information representation
Here we briefly talk through three cases where the usage of ISF may in principle be of some benefit,
in understanding how to prevent these incidents from reoccurring again in future. These are not
safet i ide ts in the traditional sense, but serve to further illustrate the Distributed Cognition
notion of information representation, giving some idea of the potentially wide scope of situations in
which ISF may be of some use.
Article 1 – ‘Free’ frying pans leave egg on face (METRO 2012, verbatim)

A COOKWARE company has given away 600 frying pans – after accidentally offering them on its
website for £0.00 each. Word about the free deal fo P oCook s £ pa s sp ead like g eased
lightning around the blogosphere before the error was spotted. It could have cost the Gloucester
firm £50,000 with some customers wanting up to 40 of the non-stick pans. A spokeswoman said one
pan will be sent to each person who ordered as a goodwill gesture.
How does this case relate to the Distributed Cognition notion of information representation?
This article suggests that the wrong cost information representation of £0.00 was propagated
through the work-system. If this was indeed the case, ISF can be used to help understand how such
an incident could be avoided in future. This would be done through modelling how the cost
information representations flowed through the socio-technical work-system of the company, as
well as modelling the related safety functions which may have shaped this flow.
Article 2 – Secret council files found on Morse set (Dunne 2012, summary)
This article reported on a case where dozens of confidential files were found at an abandoned town
hall in London. These confidential files included sensitive social services reports, which should not
have been left in this abandoned town hall by the local council responsible for the safekeeping of
these files.
From reading this article, it is possible that an accidental propagation of the wrong location
information representation may have occurred – with respect to the files left in the abandoned town
hall. Assuming that understanding the use of location information was a substantive consideration in
the investigation subsequently done, ISF could be used to model and understand its flow through
the socio-technical work-system of the local council, together with the related safety functions
which may have shaped this flow.
Article 3 – Home Affairs Committee report on Olympics security provision at

London 2012 (Home Affairs Committee 2012, summary)
As part of the security arrangements for the 2012 London Olympics, one of the biggest security firms
in the world (http://www.g4s.com/) was hired to provide the security arrangements for the games.
Unfortunately this company was eventually unable to provide the originally agreed number of
security personnel, and many extra military personnel had to be deployed to make up the numbers
to secure the running of the games. The subsequent investigation found that though the precise
easo s fo G “ s failu e e ai u lea , all the e ide e pointed to poor management information
55
and poor communications as the two main contributory factors. This i ide t as a high-profile
and well-publicised one, especially in the UK media.
There are potentially many information representations which may be worth looking at in this case.
Without knowing more about the precise details, we can only tentatively suggest one for illustrative
purposes here.
A potentially useful line of inquiry here may be to look at the flow of the availability-status
information representation through the socio-technical management system of G4S (and perhaps
also their counterparts in the form of the London Organising Committee of the Olympic and
Paralympic Games). Here ISF could potentially be used to investigate the various safety functions
that may or may not have supported the correct and consistent flow of this availability-status
information – for each candidate security officer provisionally recruited by G4S in the time leading
up to the Olympics.
56
References
Artman, H., Garbis, C., 1998. Team communication and coordination as Distributed Cognition. In: Proceedings
of 9th Conference of Cognitive Ergonomics: Cognition and cooperation, pp.151-156.
Burns, C.P., 2000. Analysing accident reports using structured and formal methods. PhD thesis, University of
Glasgow.
Cohen, M.R. (Ed.), 2007. Medication Errors, 2nd Edition. American Pharmacists Association, Washington, USA.
Dechy, N., Dien, Y., Funnemark, E., Roed-Larsen, S., Stoop, J., Valvisto, T., Arellano, A.L.V., 2012. Results and
lesso s lea ed f o the E“‘eDA s A ide t Investigation Working Group: Introducing a ti le to “afet
“ ie e spe ial issue o I dust ial E e ts Investigation . “afet “ ie e 50(6), 1380-1391.
Dunne, J., 2012. Secret council files found on Morse set. London EVENING STANDARD, 3 October 2012: 23.
(http://www.standard.co.uk/news/secret-council-files-containing-private-personal-data-found-on-morse-
set-8195506.html, accessed 10/9/2013)
ESReDA Working Group on Accident Investigation, 2009. Guidelines for safety investigations of accidents.
European Safety, Reliability and Data Association.
Federico, F., 2011. The Five Rights of Medication Administration. Institute for Healthcare Improvement
(http://www.ihi.org/knowledge/Pages/ImprovementStories/FiveRightsofMedicationAdministration.aspx,
accessed 26/7/2013)
Furniss, D., Blandford, A., 2006. Understanding emergency medical dispatch in terms of distributed cognition:
A case study. Ergonomics 49(12-13), 1174-1203.
Galliers, J., Wilson, S., Fone, J., 2007. A method for determining information flow breakdown in clinical systems.
International Journal of Medical Informatics 76(Supplement 1), S113-S121.
Giere, R., 2002. Scientific cognition as distributed cognition. In: Carruthers, P., Stich, S., Siegal, M. (Eds.), The
cognitive basis of science, pp. 285-299. Cambridge University Press.
Halverson, C.A., 2002. Activity Theory and Distributed Cognition: Or what does CSCW need to DO with
theories? Computer Supported Cooperative Work 11(1-2), 243-267.
Harms-Ringdahl, L., 2009. Analysis of safety functions and barriers in accidents. Safety Science 47(3), 353-363.
Hollan, J., Hutchins, E., Kirsh, D., 2000. Distributed Cognition: Toward a new foundation for Human-Computer
Interaction research. ACM Transactions on Computer-Human Interaction 7(2), 174-196.
Hollnagel, E., 2004. Barriers and accident prevention. Ashgate Publishing Limited.
Hollnagel, E., 2008. Risk + barriers = safety? Safety Science 46(2), 221-229.
Hollnagel, E., Speziali, J., 2008. Study on developments in accident investigation methods: A survey of the
“tate-of-the-A t . ‘epo t : , “KI.
Home Affairs Committee, 2012. Seventh Report, Olympics security.
(http://www.publications.parliament.uk/pa/cm201213/cmselect/cmhaff/531/53102.htm, accessed
10/9/2013)
Hopkins, A., 2013. Issues in safety science. Safety Science. In Press, Corrected Proof, DOI:
http://dx.doi.org/10.1016/j.ssci.2013.01.007.
Huang, H., Ruksenas, R., Ament, M.G.A., Curzon, P., Cox, A., Blandford, A., Brumby, D., 2011. Capturing the
distinction between task and device errors in a formal model of user behaviour. Electronic
Communications of the EASST 45.
Huang, H., Curzon, P., White, G., Blandford, A., 2013a. Building up conceptual models of two patient safety
incidents using the Information Safety Framework. (see the supplementary paper on pp61 - 69)
Huang H., Curzon P., White G., Blandford, A., 2013b. Learning from iatrogenic incidents: A novel framework for
investigating, understanding and communicating information-based medical error. Oral presentation,
Communicating Medical Error, Ascona, Switzerland (http://www.come.usi.ch/, no proceedings).
Hutchins, E., 1995a. Cognition in the Wild. The MIT Press.
Hutchins, E., 1995b. How a cockpit remembers its speeds. Cognitive Science 19(3), 265-288.
57
Hutchins, E., 2000. The cognitive consequences of patterns of information flow. Intellectica 1(30), 53-74.
Hutchins, E., 2001. Cognition, Distributed. International Encyclopedia of the Social & Behavioral Sciences,
2068-2072.
ISMP Canada, 2006. Canadian Root Cause Analysis Framework: A tool for identifying and addressing the root
22
causes of critical incidents in healthcare . (http://www.ismp-canada.org/rca.htm, accessed 28/9/2012)
ISMP Canada, 2007. Fluorouracil Incident Root Cause Analysis. (http://www.ismp-
canada.org/download/reports/FluorouracilIncidentMay2007.pdf, accessed 12/9/2013).
Johnson, C.W., 2003. Failure in Safety-Critical Systems: A Handbook of Accident and Incident Reporting.
University of Glasgow Press.
Johnson, C.W., Oltedal, H.A., Holloway C.M., 2012. Comparing the identification of the recommendations by
different accident investigators using a common methodology. In: Proceedings of the 7th IET Conference
on Systems Safety and CyberSecurity, Edinburgh, Scotland.
Katsakiori, P., Sakellaropoulos, G., Manatakis E., 2009. Towards an evaluation of accident investigation
methods in terms of their alignment with accident causation models. Safety Science 47(7), 1007-1015.
Leveson, N., 2004. A new accident model for engineering safer systems. Safety Science 42(4), 237-270.
Leveson, N., 2011. Engineering a safer world: Systems thinking applied to safety. The MIT Press.
Lindberg, A.-K., Hansson, S.O., Rollenhagen, C., 2010. Learning from accidents – What more do we need to
know? Safety Science 48(6), 714-721.
Liu, Z., Nersessian, N.J., Stasko, J.T., 2008. Distributed Cognition as a theoretical framework for information
visualization. IEEE Transactions on Visualization and Computer Graphics 14(6), 1173-1180.
Lundberg, J., Rollenhagen, C., Hollnagel, E., 2009. What-You-Look-For-Is-What-You-Find – The consequences of
underlying accident models in eight accident investigation manuals. Safety Science 47(10), 1297-1311.
Masci, P., Huang, H., Curzon, P., Harrison, M.D., 2012. Using PVS to investigate incidents through the lens of
distributed cognition. In: Goodloe, A.E., Person, S. (Eds.), Proceedings of the 4th NASA Formal Methods
Symposium, Lecture Notes in Computer Science 7226, pp. 273-278. Springer.
METRO, 2012. Free f i g pa s lea e egg o fa e. METRO, 3 October 2012: 21.
(http://e-edition.metro.co.uk/home.html, accessed 10/9/2013).
McDonald, T.B., Helmchen, L.A., Smith, K.M., Centomani, N., Gunderson, A., Mayer, D., Chamberlin, W.H.,
2010. Responding to patient safety incidents: the se e pilla s . Quality and Safety in Health Care 19(6):
e11.
Nardi, B.A., 2002. Coda and Response to Christine Halverson. Computer Supported Cooperative Work 11(1-2),
269-275.
Nersessian, N.J., 2009. How do engineering scientists think? Model-based simulation in biomedical engineering
research laboratories. Topics in Cognitive Science 1(4), 730-757.
Rajkomar, A., Blandford, A., 2012. Understanding infusion administration in the ICU through Distributed
Cognition. Journal of Biomedical Informatics 45(3), 580-590.
Reason, J., 1990. Human Error. Cambridge University Press.
Reason, J., 2004. Beyond the organisational accident: the eed fo e o isdo o the f o tli e. Quality
and Safety in Health Care 13(Suppl II), ii28-ii33.
Reddy, M.J., 1979. The conduit metaphor: A case of frame conflict in our language about language. In: Ortony,
A. (Ed.), Metaphor and thought, 2nd Edition, pp. 164-201. Cambridge University Press.
Roelen, A.L.C., Lin, P.H., Hale, A.R., 2011. Accident models and organisational factors in air transport: The need
for multi-method models. Safety Science 49(1), Pages 5-10.
22
This document was updated in 2012, readers interested in the 2006 version should contact ISMP directly, or
contact us for a copy.
58
Saleh, J.H., Pendley, C.C., 2012. From learning from accidents to teaching about accident causation and
prevention: Multidisciplinary education and safety literacy for all engineering students. Reliability
Engineering and System Safety 99, 105-113.
Sellberg, C., Susi, T., 2013. Technostress in the office: A Distributed Cognition perspective on human-
technology interaction. Cognition, Technology & Work.
Sklet, S., 2004. Comparison of some selected methods for accident investigation. Journal of Hazardous
Materials 111(1-3), 29-37.
Snijders, C., van Lingen, R.A., Klip, H., Fetter, W.P.F., van der Schaaf, T.W., Molendijk, H.A., 2009. Specialty-
based, voluntary incident reporting in neonatal intensive care: Description of 4846 incident reports.
Archives of Disease in Childhood – Fetal and Neonatal Edition 94(3), F210-F215.
Stoop, J., Roed-Larsen, S., 2009. Public safety investigations – A new evolutionary step in safety enhancement?
Reliability Engineering & System Safety 94(9), 1471-1479.
Svenson, O., 2000. Accident Analysis and Barrier Function (AEB) Method: Manual for incident analysis. SKI
report 00:6, Swedish Nuclear Power Inspectorate project number 97176.
Sweeney, D.E., 2009. The aetiology of error: Cognitive profiling events within the mining industry. PhD thesis,
The University of British Columbia.
Ta g, C.“.C., . “tud i g u ses i fo mation flow to inform technology design. PhD thesis, University of
Calgary.
Toft, B., 2001. E te al I ui i to the ad e se i ide t that o u ed at Quee s Medi al Ce t e, Nottingham,
4th January 2001. United Kingdom Department of Health.
Underwood, P., Waterson, P., 2013. Systemic accident analysis: Examining the gap between research and
practice. Accident Analysis and Prevention 55, 154-164.
Vincent, C., Hewett, D., 2013. The investigation and analysis of clinical incidents. In: Youngberg, B.J. (Ed.),
Patient safety handbook, 2nd Edition, pp. 111-123. Jones & Bartlett Learning, LLC.
Wimmer, R.D., Dominick, J.R., 2012. Mass media research: An introduction (10th Edition). Cengage Learning.
Wright, P.C., Fields, R.E., Harrison, M.D., 2000. Analyzing Human-Computer Interaction as Distributed
Cognition: The Resources Model. Human-Computer Interaction 15(1), 1-41.
Xu, L., Clarke, D., 2012. What does Distributed Cognition tell us about student learning of science? Research in
Science Education 42(3), 491-510.
Ziedelis, S., Noel, M., 2011. Comparative analysis of nuclear event investigation methods, tools and techniques.
European Commission, Joint Research Centre, Institute for Energy.
Zotov, D.V., 2006. Grappling with complexity: Finding the core problems behind aircraft accidents. PhD thesis,
Massey University, New Zealand.
59
Page deliberately left empty
60
(Supplementary paper)
Building up conceptual models of two patient safety incidents
using the Information Safety Framework
1
Huayi Huang, 1Paul Curzon, 1Graham White, 2Ann Blandford
1
Cognitive Science Research Group, Queen Mary University of London.
{huayi.huang, p.curzon, graham.white}@qmul.ac.uk
2
UCL Interaction Centre, University College London.
a.blandford@ucl.ac.uk
1. Introduction
This document reconstructs the ‘final’ line of reasoning taken by the first author, in
constructing conceptual models of incidents using a prototypical version of the Information
Safety Framework (ISF). ISF was used to help understand and reframe incident data, drawn
from the investigation reports for two independent incidents. This document is based on
notes taken as part of the ISF analyses done between late May and early July 2012. These
earlier notes include other less certain lines of reasoning not presented here.
The first of the two incidents analysed involved an overdose of Fluorouracil [1], and the other
involved an injection of Vincristine via the wrong route of administration [2]. Inline citations to
the two reports are used throughout this document, to explicitly link the reasoning described
to incident data from the reports. The specific references presented are indicative rather than
exhaustive.
2. ISF modelling of the Fluorouracil incident

2.1 The information representation selected
We selected the rate of infusion (for the Fluorouracil drug) information representation for ISF
analysis. This was the information representation eventually (wrongly) given to the patient.
The reasoning by which the ISF model of the incident was derived is detailed below. Section
2.2 describes the reasoning leading to the information flows identified, and Section 2.3
describes the reasoning leading to the safety functions identified.
2.2 The information flows identified

Starting with the patient, the initial ‘upstream’ participant subsequently identified was the
infusion pump [1, p13], and nurse RN #1 programmed and initiated the infusion [1, p13]. The
rate of infusion information used by nurse RN #1 was informed both by her reading of the
pharmacy label [1, p13], as well as by the confirmation from nurse RN #2 [1, p13]. Both
nurses signed off on the handwritten medication administration record (MAR) [1, p13]. RN #1
also electronically signed for the total dose of drug to give on the computer [1, p13]. We do
61
not know whether either of the nurses did, or did not in fact use the handwritten MAR to
inform them specifically of the rate of infusion information. We do not know whether this rate
information was available as part of the electronic signing off done by nurse RN #1. We do
not know whether nurse RN #2 was primarily responsible for the infusion given to the patient.
Nurse RN #2 did a passing check only at the request of RN #1 [1, p13]. Nurse RN #2 clearly
had to have obtained information about the rate of infusion from somewhere in order to be
able to do this checking. Here we assumed that the handwritten MAR was used to inform
nurse RN #2’s knowledge of the correct rate (prior to her signing off on it). It was unclear to
us where the information in the handwritten MAR came from. This therefore formed one
stopping point for modelling the flow of information, due to a perceived lack of further clear
incident knowledge. Since RN #1 seemed to have used the pharmacy label to inform her
knowledge of the rate of infusion, it was unnecessary for us to make a similar assumption of
RN #1 also using the handwritten MAR to gain knowledge of the rate information.
We found insufficient incident data to fully and clearly trace back the flow of rate of infusion
information – from the pharmacy label to its source and ‘creator’. It was also unclear who
prescribed the chemotherapy order used in the first place. The chemotherapy order was
entered into the pharmacy information system by a pharmacy technician [1, p12-13]. We
assumed that the rate of infusion information was included as part of this order. Pharmacists
were also involved in this part of the information flow, but it was unclear whether multiple
pharmacists were involved, and how their involvement related to the rate of infusion
information specifically [1, p12-13]. The pharmacy technician clearly transcribed the rate
information from somewhere else into the pharmacy information system. In this case a
computerized prescriber order entry (CPOE) system seemed to exist separately from the
pharmacy information system. The CPOE system was used to inform the pharmacy staff as
to what must be entered into the pharmacy information system [1, p33]. We conjectured that
the pharmacy label was generated by the pharmacy information system. Figure 1 shows the
ISF model of the information flows identified.
62
Figure 1: An ISF model of the flows of rate of infusion information identified.
2.3 The safety functions identified

Three safety functions were identified and reified with a degree of confidence from analysing
the incident data in the report. These are detailed below. Figure 2 shows how these safety
functions were perceived to relate to the flow of rate of infusion information.
Safety function 1: Low index of suspicion for unusual rate of infusion for new nurse
We know that nurse RN #1 was new to the day care unit where the patient was being cared
for. This was the first time RN #1 administered a 4-day Fluorouracil infusion [1, p18]. The
rate of infusion calculated was apparently not so unusual for other similar infusions in the
clinic [1, p18]. The report holistically summarised these contributory factors, as resulting in a
‘low index of suspicion’ regarding the high infusion rate calculated. A reported consequence
of RN #1’s relative unfamiliarity with the work-setting and particular administration protocol
used, was that no subsequent mental approximation of the calculated rate was done [1, p18].
We interpreted RN #1’s low index of suspicion, as an aspect of the interaction context which

reduced the probability of a correct rate of infusion information representation being in both
RN #1’s head, as well as in the infusion pump itself. This contextual aspect was perceived to
reduce RN #1’s chances of timely self-detection and correction, upon calculating an incorrect
rate of infusion. This contextual aspect was also perceived to reduce the chances that RN #1
would detect any wrong rate values whilst programming the infusion pump (and therefore
reducing the chances of a correct rate existing in the pump). RN #2 was apparently a
‘trouble shooter’ [1, p16]. This suggested that this ‘low index of suspicion’ safety function
was unlikely to be applicable to RN #2 also, due to her relative familiarity and experience
with the work-setting and administration protocol used at the time of the incident. This safety
63
function may potentially apply to all such ‘new’ nurses, in a position similar to RN #1 at the
time of this incident.
Safety function 2: Complex workload and multitasking for nurses
Nurses in the day care unit where the patient was being cared for were expected to deal with
complex workloads, and often multitask between different parts of this workload
simultaneously [1, p20]. In this situation, information (such as the rate of infusion) may
potentially be communicated both to and from such nurses inconsistently (through
misreading/mishearing for example). The additional cognitive load that may be induced
through routinely needing to simultaneously manage the individual subtasks of these
complex workloads, also reduces the chances for information representations to remain
correct within the nurses’ heads (through an increased chance of forgetting for example).
This contextual aspect of the system was interpreted by us as reducing the probability of the
rate of infusion information being consistently transmitted either to or from the nursing staff
involved in this incident (i.e., RN #1 and RN #2). This aspect was also interpreted as
reducing the probability of the rate of infusion information remaining correct in these nurses’
heads.
Safety function 3: Fallible human transcription
As part of the events leading up to the incident, the report notes that human transcription of
information affords the potential for errors to inadvertently occur [1, p33]. In this particular
case a mistranscription of the volume of Fluorouracil to be infused apparently occurred as
part of the drug preparation activities in the pharmacy part of the work-system (although it is
unclear precisely how this particular mistranscription occurred) [1, p33]. ‘Fallible human
transcription’ was conjectured as an aspect of the work-context that was readily applicable in
a general way, as it is clearly in general unrealistic to expect human transcription to occur
routinely with 100% accuracy. This contextual aspect was assumed to reduce the probability
of the rate of infusion information being consistently transmitted either to or from any human
participants in such a system. The patient did not ‘transcribe’ information, due to being the
passive destination for the rate information, so was not included in the functional scope of
this particular safety function.
64
Figure 2: An ISF model of the safety functions affecting the flow of the rate of infusion
information representation in the Fluorouracil incident. The numbered circles correspond to
how the safety functions identified relate to the flows shown in Figure 1.
3. ISF modelling of the Vincristine incident

3.1 The information representation selected
We selected the route of administration (for the Vincristine drug) information representation
for ISF analysis. This was the information representation eventually (wrongly) given to the
patient. The reasoning by which the ISF model of the incident was derived is detailed below.
Section 3.2 describes the reasoning leading to the information flows identified, and Section
3.3 describes the reasoning leading to the safety functions identified.
3.2 The information flows identified

Starting with the patient, the initial ‘upstream’ participant subsequently identified was Dr
Morton, who administered the Vincristine intrathecally (i.e., via the spine) to the patient (Mr
Jowett) [2, p29]. A number of other participants may have facilitated the route of
administration information used by Dr Morton. Dr Mulhem confirmed this route information
for the drug with Dr Morton [2, p29]. Dr Morton also consulted the patient’s prescription chart
[2, p29]. Route of administration information was included on the labelling affixed to the
syringes used [2, Plate 1, p4]. We assumed that Dr Morton read from this syringe label
before administering the Vincristine. Nurse Vallance also reportedly remarked to Dr Morton
65
earlier about the (intrathecal) route of drug administration for the patient [2, p26]. Dr Musuka
wrote out the patient’s prescription chart [2, p24] (it was unclear who the original prescriber
of the patient’s chemotherapy treatment was). Dr Mulhem consulted the prescription chart [2,
p28]. Dr Mulhem also read from the syringe label prior to handing the syringe to Dr Morton [2,
p28]. We assumed that when Dr Mulhem took the packet containing the syringe with the
Vincristine drug from Nurse Vallance [2, p27] he also looked at the syringe packaging label.
The pharmacy database was used to generate both the syringe label, as well as the syringe
packaging label [2, p13].
Figure 3: An ISF model of the flows of route of administration information identified.
3.3 The safety functions identified

Five safety functions were identified and reified with a degree of confidence from analysing
the incident data in the report. These are detailed below. Figures 4 and 5 show how these
safety functions were perceived to relate to the flow of route of administration information.
Respectively without, and with the effects of safety function 3, originally identified through
analysing the Fluorouracil incident.
Safety function 4: Constraints on the pharmacy database
The report states that the pharmacy database was constrained, such that only the three
drugs used for intrathecal chemotherapy could be labelled for intrathecal use [2, p13]. Since
the pharmacy database automatically generates both the syringe, and syringe packaging
labels [2, p13], this aspect of the work-system was interpreted as a safety function that helps
to preserve the consistency of the route of administration information – between its
representation in the pharmacy database, and the two types of labels generated. Further
specific details about how this constraint was achieved is not provided by the report, though
66
a relatively strong enforcement mechanism is implied for preserving the consistency of route
of administration information at this point in the overall flow.
Safety function 5: Physical and temporal separation of the packaging and supply of
drugs to the wards
The intrathecal and non-intrathecal drugs (prepared in the Sterile Production Unit) are
physically and temporally separated [2, p16], to help ensure that the route of administration
displayed on both the syringe, and syringe packaging labels would always correctly reflect
the intended route of administering the drugs prepared. This separation minimises the
chances of inadvertent mix-ups between the labelling of drugs intended for different routes,
and was interpreted as a safety function which increases the probability that the route of
administration information displayed on these two types of labels would be correct.
Safety function 6: Physically bi-compatible syringe connection
Syringes containing intravenous drugs such as Vincristine may also be successfully

connected to the spinal needles intended only for intrathecal administration [2, p14]. This
physical bi-compatibility and indiscrimination is interpreted here as a safety function, which
reduces the probability of the route of administration ‘given’ to the patient at the point of drug
delivery being correct.
Safety function 7: Avoiding compromising patient care
In this incident, drugs intended for administration via different routes were in fact sent to the
ward at the same time, to avoid compromising patient care [2, p36]; thus directly
contradicting the temporal aspect of the normative temporal-spatial separation protocol of
safety function 5. This was a ‘workaround’ employed by the pharmacy staff, who may have
had to prepare the drugs on shorter notice than usual. Conditions existing at the time of the
incident may have indirectly exerted pressure, to send these intrathecal and non-intrathecal
drugs at the same time. In particular, we know that:
1) The patient’s treatment information had not been entered into the ward manager’s
chemotherapy diary. As a result, the patient’s chemotherapy had not, as was normal practice,
been ordered in advance [2, p10];
2) The patient missed his planned appointment to see Dr Musuka on the morning of the 4th
January 2001, and did not notify Ward E17 of his intention to arrive that afternoon [2, p10].
This ‘workaround’ directly negated the intended purpose of the normative temporal-spatial
separation protocol, as described in safety function 5; thus representing an aspect of the
system which increased the probability that inadvertent mix-ups between the labelling of
drugs intended for different routes may occur.
Safety function 8: Lack of a rigorous checking procedure for the doctors
While the nurses had an explicit protocol to follow for checking the correctness of the route
of administration information, the doctors did not [2, p35]. This lack of formalised checking
procedure for the doctors, was interpreted as an aspect of the system that reduced the
probability that the route information representation in the doctors’ heads would be correct
67
(i.e., they are less likely to self-correct). Dr Musuka was excluded from the functional scope
of this safety function, because he was not directly involved in the drug delivery process.
Figure 4: An ISF model of the safety functions affecting the flow of the route of administration
information representation in the Vincristine incident. The numbered circles correspond to
how the safety functions identified relate to the flows shown in Figure 3.
3.4 Generalising from the safety functions of the Fluorouracil

incident
As part of the identification of safety functions, the three safety functions identified – as part
of constructing the Fluorouracil ISF incident model – were considered in turn for their
applicability to this Vincristine incident. These three safety functions were:
- Low index of suspicion for unusual rate of infusion for new nurse (safety function 1),
- Complex workload and multitasking for nurses (safety function 2),
- Fallible human transcription (safety function 3).
From reading the Vincristine investigation report it was unclear to us the extent to which
safety functions 1 and 2 were generalisable to this incident. There were insufficient
contextual details for a clear judgment of the applicability of these two safety functions, about
infusions and nurses respectively. We judged safety function 3 to be sufficiently generic to
be applicable to this Vincristine incident also. The model including safety function 3 (Figure
5) was considered to be the ‘final’ ISF model of the Vincristine incident.
68
Figure 5: An ISF model of the safety functions affecting the flow of the route of administration
information representation in the Vincristine incident. This figure includes the generalisation
of safety function 3 from Section 2.3.
References
[1] ISMP Canada, 2007. Fluorouracil Incident Root Cause Analysis. (http://www.ismp-
canada.org/download/reports/FluorouracilIncidentMay2007.pdf, accessed 20/11/2013).
[2] Toft, B., 2001. External Inquiry into the adverse incident that occurred at Queen’s Medical Centre,
Nottingham, 4th January 2001. United Kingdom Department of Health.
(http://www.who.int/patientsafety/news/Queens%20Medical%20Centre%20report%20(Toft).pdf,
accessed 20/11/2013)
69
View publication stats

First Principles Information Safety

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

First Principles Information Safety

Uploaded by

Copyright:

Available Formats

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

The First Principles of the Information Safety Framework

Technical Report · February 2014

Huayi Huang Graham White

SEE PROFILE SEE PROFILE

Critical Cognitive Science View project

Medieval Thought View project

The user has requested enhancement of the downloaded file.

Public Paper no. 206

The First Principles of the Information Safety

Huayi Huang, Paul Curzon, Graham White & Ann Blandford

Huang, H., Curzon, P., White, G., & Blandford, A. (2014).

PP release date: 11 February 2014

The first principles of the Information Safety Framework

 A new modelling framework for understanding information use.

Information use, Incident investigation, Distributed Cognition.

Corresponding author: Huayi Huang

1.2 Incidents, models and information safety

1.3 Relating ISF to existing research

1) the patterns and trajectories of information use, and

2. A distributed perspective on cognitive activity

2.1 Key principles and observations from Distributed Cognition

1. distribution of cognition across members of a social group,

2. distribution of cognition among both internal and external structures (including

2.2 Other theoretical and practical issues

– such as interpretation and imagination – are reducible to (a dehumanising interpretation of)

3. Iterative hypotheses generation and

u k o situatio s through a iterati e reaso i g le in which a temporary and

4. A new modelling framework for investigating

B. To increase our chances of preventing such information safety incidents in future, it

 How can we design representations to facilitate their flexible use?

4.2 Contributions from Distributed Cognition

4.2.2 A Distributed Cognition notion of system

4.2.3 Roles and contributions of internalised and external representations

4.3 Assuring the use and coordination of the right information

4.3.1 Deconstructing the metaphor of information flow

ISF models generated in an analysis. We now go on to discuss some exceptions of theoretical

4.3.2 The semantics of information flow in ISF

4.4 Relating latent factors to the ‘flows’ of information

Type 2 - A correctness-reducing safety function:

Type 3 - A consistency-enhancing safety function:

Type 4 - A consistency-reducing safety function:

4.5 Illustrating some ‘valid’ configurations of information flows and

4.6 Main steps in identifying ISF models

4.6.1 Selecting an information representation

4.6.2 Identifying the associated information trajectories

Where did the <?> information in <PARTICIPANT> come fro ? for upstrea e ploration

4.6.3 Identifying the safety functions acting on an information trajectory

Figure 7: A consistency-enhancing safety function, using the same notation as in Figure 5.

4.7 Systematically exploiting the ISF models generated to support

4.7.1 Interpreting an ISF model to support iterative hypotheses generation

4.7.2 Interpreting an ISF model on conclusion of an investigation

5. Using the Information Safety Framework to

5.1 A summary of the Fluorouracil incident and investigation

5.2 A summary of the Vincristine incident and investigation

To investigate the circumstances leading up to an intrathecal, rather than intravenous

5.3 Gathering incident data from each investigation report

 I ad e te t o ta i atio f o the p io i estigati e easo i g p ese ted i ea h

 The inadvertent accretion of unfounded, or weakly founded assumptions about

5.3.2 Potential limitations of the data access strategy used

each incident. Explicit systematic reflection, on whether each individual piece of

5.4 Findings from the two ISF analyses

5.4.1 Final ISF model identified for the Fluorouracil incident