DIM Gap Analysis

kitlunchroomAI and Robotics

Nov 21, 2013 (3 years and 11 months ago)

81 views

DIM Gap Analysis


Michael Faughn

and
Arthur Griesser, Ph.D.

Prometheus Computing LLC


To

find
patient
-
safety related
gaps in the Device Information Model (DIM) standard,
IEEE
11073
-
10201
, we examined three
Quantum Medi
c
al Device Interoperability (QMDI)

clinical
scenarios
i
.

These clinical scenarios include a narrative, workflow diagrams, and analysis.
The
narratives were the most interesting parts of the QMDI scenarios.
To understand
these scenarios

better we constructed the UML activity diagrams
ii

based on our understanding of

the “proposed
state”
. The newly constructed activity diagrams are

included here as Diagram
s

1
-
3.


The DIM defines
object
-
oriented classes of

many

medical devices. It specifies attributes,
associations, and events. It also

specifies a

data

Application Programming Interface (API) that
can be used to
configure
, query, and collect data from

these devices
.
The DIM classes do not
necessarily represent medical devices that are available off the shelf. DIM classes
instead
repres
ent components that can be configured (together with
multiplicity
-
narrowing

constraints
and
nomenclature from
IEEE
11073
-
10101
) and assembled together to describe many (but
certainly not all) commercially available devices.


The first
QMDI

scenario,
Patient Controlled Analgesia

(PCA)
, proposes functionality that



Verifies device settings against physician orders and patient’s health history



Monitors patient for dangerous cond
itions during PCA

This scenario is summarized in Diagram 1.
The DIM fully sup
ports functionality required of the
medical devices in this scenario, including the ability to obtain device settings, collect data from
the patient,
and raise alarms. The

proposed validation and the

ability to query physician orders
and the patient’s hea
lth history are clearly well outside the scope of the DIM
.



The second
QMDI

scenario, Handoff, proposes an app
that



Electronically t
ransfer
s

information about patient needs from the OR to the ICU



Helps ICU staff collect supplies



Programs devices such as i
nfusion pumps

This scenario is summarized in Diagram 2.
The first two functions
are unrelated to DIM
functionality such as medical device configuration and data collection.

These functions are
nevertheless

easy to implement: if hospital IT systems do not a
lready support
the first two
functions
, it would be surprising. The third function
is
fully
supported by

the DIM.



The third
QMDI

scenario,
Home to Hospital, proposes



W
earable medical devices that

can

provide patient data

to a
n ambulance or hospital



Disease management systems that can provide patient data to a hospital

This is summarized in Diagram 3.
The DIM supports the ability
(of either the ambulance or
hospital)
to query wearable medical devices for the types of data called for in the scenario. T
he
only aspect of this scenario that the DIM could do a better job of supporting is tracking of data
provenance.


Diagram 1: Patient Controlled Analgesia


Diagram 2: Handoff






Diagram 3: Home to Hospital



In general, the QMDI scenarios describe functionality that is not yet commercially available, but
is definitely supported by the DIM. Even though the QMDI use cases do not identify safety gaps
in the DIM proper, there nevertheless is plenty of room for im
provement in the DIM, including
the following.


Name

Description

Formal constraints

The DIM does not currently specify a way for vendors to describe their
own product specific co
-
constraints. Furthermore, when the DIM itself
specifies co
-
constraints, it

does not do so in a “computable” way, it uses
䕮b汩獨⸠佢橥c琠t潮獴牡i湴nianguage
佃i⤠)潵o搠扥⁵獥搠景d⁢潴栠
灵牰p獥献

呥牭楮潬潧y
c潮獴牡楮is

周q⁄f䴠摯M猠湯s⁣u牲en瑬y⁰牯 楤攠i 睡y⁴漠獰ec楦y⁷ e牥⁳ ec楦楣
瑥t浳⁦m潭of䕅䔠
ㄱ〷N
-
㄰㄰N

a牥⁡汬潷e搠潲

湯n⁡汬潷o搮

m牯癥湡湣e

周q⁄f䴠M潵汤⁩湣汵摥⁴桥⁡扩b楴y⁦ 爠摥癩ve猠瑯⁳楧渠摡瑡Ⱐ畳楮g⁰畢汩c
步y cry灴pgra灨y⸠f渠浡ny⁳楴畡瑩潮猠o桩猠睯畬搠湯琠扥⁰dac瑩ca氬⁢畴⁩
c潵汤⁳瑩汬⁢ ⁡渠潰瑩潮o

pe汦⁤l獣物灴楯n

周q⁄f䴠摯M猠湯s⁣u牲en瑬y⁰牯 楤攠i 睡y⁦ 爠摥v楣i猠瑯⁤e獣物扥⁴ e楲i
晵湣瑩潮o汩tyⰠ潴桥爠瑨r渠by⁲e晥牥湣e猠瑯sf䕅䔠
ㄱ〷0
-
㄰㄰N

湯浥湣污瑵牥⸠⁔.a琠t猠獡瑩獦sc瑯ty⁦潲慮y⁰ 牰潳o献†f琠tig桴⁢攠
摥獩牡扬攠瑯⁡摤⁴桥da扩b楴y 瑯⁤敳t物扥灥牡瑩潮o氠獴慴
e
 a瑨t爠瑨r渠
c潭o畮楣u瑩潮⁳oa瑥Ⱐth楣栠楳⁡汲lady⁤e獣物扥搠d渠f䕅䔠
ㄱ〷N
-
㈰㘰O
)

Diagram 4:

The IEEE 11073
-
20601 Agent state machine.

There is a similar state machine
for Managers.
Higher
-
level

standards need to define
what happens in the
“Operating” bubble
(for example, distinguishing between states where a PCA pump is (or is not) responsive to the
patient
.
A sub
-
machine for operating state

can

be implied by
the semantics of
events that
devices respond to.

It may be desirable to provide
a concise way to describe the sub
-
machine.







Disconnected
Connected
Transport connect indication
Transport disconnect indication
Unassociated
Associating
+
entry
/
TxAssocReq
assocReq
RxAssocAbort
Or
TxAssocAbort
RxAssocRsp
(
rejected
)
Associated
RxAssocAbort
TxAssocAbort
RxAssocRelReq
/
TxAssocRelRsp
RxAssocRsp
(
accepted
-
unknown
-
config
)
RxAssocRsp
(
accepted
)
Operating
Configuring
Sending Config
TxConfigEventReportReq
RxConfigEventReportRsp
(
accepted
-
config
)
Waiting Approval
Disassociating
+
entry
/
TxAssocRelReq
assocRelReq
RxAssocAbort
TxAssocAbort
RxAssocRelRsp
RxConfigEventReportRsp
(
unsupported
-
config
)
RxAssocRelReq
/
TxAssocRelRsp
Ensuring safety is very difficult: it cannot be accomplished by analysis of a few use cases.
Certainly it is desirable to track preventable deaths and take steps to prevent the most common.
This is a sc
attershot practice though. It would be more effective to methodically identify and
remediate hazards. Procedures for doing so are described in a number of publications, including:


Document

Description

IEEE
1228
-
1994


p潦瑷a牥⁓a晥ty⁐污湳


Mfi
-
pqa
-
㠸㉃

“System Safety Program Requirements”. Department of defense standard
a灰汩e猠瑯⁥湴s牥⁳y獴敭Ⱐs湣汵摩湧⁳潦瑷a牥.


-
ㄷ㡃


“Software Considerations in Airborne Systems and Equipment
Certification”,
e
x灥c瑥搠t漠牥灬慣e⁄
-
ㄷNBⰠ
c畲ue湴ny⁵獥
搠dy c䅁.

乁pA
-
p呄
-
㠷ㄹ⸱㍂

“Software Safety Standard”. NASA standard for safety of purchased and
楮ie牮r汬y⁤e癥汯灥搠獯lt睡牥.

乁pA
-

-
㠷ㄹ⸱8

“NASA Software Safety Guidebook” supplements
乁pA
-
p呄
-
㠷ㄹ⸱8B

䅅Ci⁃b
-
㄰〱
-
p呄

o䕖⸲


p瑡湤t牤⁦潲o
p潦瑷are⁅湧楮ie物rg映卡 ety⁃物r楣i氠l潦瑷a牥


fp传ㄴ㤷l


o楳欠ia湡ge浥湴m
-

ma牴‱㨠䅰灬 ca瑩潮o⁒楳欠ia湡ge浥湴⁴漠me摩da氠
䑥癩捥s


f䕅䔠b
-
㐮㌮4


䅰灬楣A瑩潮⁃物瑥物r⁦ 爠m牯rra浭a扬攠big楴a氠l潭灵oe爠ry獴敭猠s渠
pa晥ty⁓y獴敭猠潦⁎uc汥a爠偯睥爠
de湥牡瑩ng

p瑡瑩潮t


f䕃‶〸㠰


p潦瑷a牥 景f⁃潭灵oe牳⁩渠 桥⁓a晥ty⁓y獴敭猠潦s乵k汥l爠偯re爠却a瑩潮o


䅎pf
-
䝅fA
-
p呄
-
〰㄰
-
㈰〹


p瑡湤t牤rBe獴⁐牡c瑩ce猠景f⁓y獴敭⁓afety⁐牯g牡洠䑥癥汯灭e湴⁡湤n
䕸ec畴u潮



f渠a畴獨e汬Ⱐ瑨攠楤,a⁩猠 漠楤敮瑩oy⁡汬⁰潳
獩扬e⁨ za牤猠異⁦牯湴Ⱐr湤⁤n晩湥湥爠浯 e⁣潮瑲潬猠
瑨慴t
a摤牥獳⁴桥⁵湤 牬yi湧⁣a畳u猠瑯s
灲e癥湴⁴桥 桡za牤⸠r
䡡za牤⁩摥湴n晩fa瑩潮⁣a渠扥⁦ac楬楴a瑥搠
by⁣潮獩de牡瑩潮o⁣a瑥杯物g猠潦⁨sza牤猬⁳畣栠a猠c潮瑡浩湡瑩潮Ⱐ敬oc瑲楣a氠獨潣欬⁣潭扵o瑩潮Ⱐ
a湤n
牡摩慴楯渮†
䡡za牤猠浡y⁢e⁣污獳楦楥搠dy⁴桥 爠
灲潢p扩b楴y a湤⁢y⁴桥楲⁩ 灡c琮⁁⁳t湧汥l
c潮瑲潬ay⁢e⁳畦 ic楥湴⁦潲⁡⁨ za牤r睩瑨潷⁰o潢o扩b楴y⁡湤潷⁩n灡c琮†乁p䄠Ae煵楲q猠
瑨牥e⁩湤数 湤e湴⁣潮瑲潬猠景s⁨楧栠h牯扡扩b楴y⁨ 杨⁩g灡c琠桡ta牤猬⁳漠瑨rt

獡晥ty⁩猠敮獵 e搠
e癥渠楦⁴睯n⁴桥 c潮瑲潬猠晡楬.

f琠t猠s汳漠湥ce獳sry 瑯⁩摥湴nfy⁳潭e⁷ay⁴漠癥 楦y⁴桡琠 ac栠
c潮瑲潬⁩猠s晦ec瑩癥.


f渠来湥ra氬⁴桥⁥湴n牥⁳y獴e洠⡩湣汵摩湧⁨畭慮 e牡瑯牳Ⱐ楦tany⤠浵獴⁢攠)潮獩摥牥搠瑯⁥湳畲e
獡晥ty⸠
f琠t猠瑨敲e景fe c汥l爠瑨r琠湯⁳a晥ty⁥晦潲琠
⡨E睥癥爠楮瑥湳e⤠)a渠扥⁴桯牯畧桬y⁥晦ec瑩癥⁩映楴
楳i
景f畳u搠睨潬dy渠瑨

afM
⸠.周q⁄f䴠c潵汤Ⱐo潷o癥爬rke⁩ ⁥a獩s爠瑯⁥湳畲n⁳ 晥⁳y獴敭猠
by⁩摥湴楦y楮g⁰潴敮瑩慬⁨aza牤猠r湤⁣潮瑲潬献†周o猠楮景s浡瑩潮⁳m
潵汤⁢攠灵獨o搠異⁴漠⡡湤n
ex灡湤n搠d琩⁴桥
汥癥氠l映c潭oe牣楡汬y⁡va楬a扬攠b牯摵r瑳t











i

Available from
http://mdpnp.org/MD_PnP_Program___Clinical_S.html

ii

It might appear
that the workflow diagrams include
d in the QMDI documents renders
activity
diagrams

unnecessary. We found that we needed to create the activity diagrams
because the QMDI workflows contained excessive detail that obscured the underlying
ideas. For example
, the workflow for the first (Patient Controlled Analgesia) scenario
contains (in “BPMN 1.0 diagram: IV Assessment”) the detailed sequence of steps that a
nurse performs manually. For the purpose of describing how PCA plug
-
and
-
play works,
this sequence of

manual steps might as well be a single step: this detail obscures rather
than elucidates. Another example is that diagram “BMP 5R Drug Administration” specifies
that the dose programmed into the infusion pump be compared to the physician’s orders
after

t
he drug is compared to the patient’s allergies. If the intention is to ensure the pump
is programmed with the correct drug, and that the patient is not allergic to the drug, these
goals could just as easily be accomplished by performing the comparison in
the reverse
order: the diagram over
-
constrains the solution space. These check
s

could also have been
compressed into a single vertex. In other places the sequence of events appears to be
suboptimal. For example, in this same diagram “identifyPatient” occ
urs
after

the patient’s
id is used in the previous steps: it would seem to be preferable to verify the patient’s
identity first. The descriptions of workflow steps are also cryptic. For example, it’s not
very clear what “getISData” means.