low complexity system designs for medical cyber physical human systems

Low Complexity System Designs for Medical Cyber-Physical-Human Systems (CPHS)

Po-Liang WuUniversity of Illinois at Urbana-Champaign

Ph.D. Defense, 2016 1

2

The size and complexity of cyber-physical-human systems have increased

significantly.

“These advances have not only made it possible to reach the frontier faster; they have also increased by orders of magnitude the levels of complexity open to exploration and experimentation. Understanding complexity and learning how best to harness these new capabilities are both a challenge and a responsibility.”

NSF Strategic Plan, September 2006

Control & Harnessing Complexity of Cyber-Physical-Human Systems

Introduction Medical CPHS are both safety-critical and highly complex and our

goal is to have a formally verifiable safe system in spite of the complexity, using the approach recommended by National Academic Science:• “One key to achieving dependability at reasonable cost is a serious and

sustained commitment to simplicity, including simplicity of critical functions and simplicity in system interactions. This commitment is often the mark of true expertise”

Thus, we must understand the sources of complexity and their interactions in medical systems.

3

Motivation – Complexity and Interactions

4

High cognitive load increases the likelihood of medical errors

The medical errors may cause severe complications.

The degradation of patient conditions further increases the cyber-physical complexity

Physical complexity: more medical devices must be added to handle the complications, more treatments must be performedCyber complexity: more exception handling routines must be performed, more device interactions must be checked, etcFurther increases the human cognitive load.

Dimensions and Measurements of Complexity

From a computer science perspective, complexity reflects the workload of performing tasks by measuring number of steps or elapsed time.

Verification complexity• Measures the state space to verify the system properties.

Cyber medical treatment complexity• Measures the number of steps to perform a treatment at run-time.

Cognitive load complexity• Measures human memory and mental computation demand for

performing tasks.• It can be measured by task completion time, accuracy, NASA-TLX, etc.

5

Summary of Preliminary Results Reducing verification complexity

• Major source: Message Interleaving due to asynchronous communication• Goal: Allow bounded message interleaving without causing state space

explosion• Proposed Solution: Interruptible Remote Procedural Call (RPC) pattern

6

Supervisor Child device

C1

Async

C2

R1

Supervisor Child device

C1

Sync

C2

R1

R2

Supervisor

C1

stop

Interruptible

R1partial

Child device

C2

stopR2

H. Yun, P.-L. Wu, M. Rahmaniheris, C. Kim, and L. Sha. A reduced complexity design pattern for distributed hierarchical command and control system. In Proceedings of the ACM/IEEE ICCPS, 2010.

Summary of Preliminary Results

Reducing verification complexity• Major source: race conditions

due to concurrent patient adverse events.

• Goal: Low complexity patient adverse events handling without introducing unsafe race conditions.

• Proposed Solution: Organ-centric hierarchical architecture and consistent view generation and coordination (CVGC) protocol

7P.-L. Wu, W. Kang, A. Al-Nayeem, L. Sha, R. B. Berlin Jr, and J. M. Goldman. A low complexity coordination architecture for networked supervisory medical systems. In Proceedings of the ACM/IEEE ICCPS. 2013


Reducing cyber medical treatment complexity• Performing a treatment is complex and involve many steps, including

validating preconditions, monitoring side effects, and checking patient responses.

• Proposed solution: Treatment validation protocol

8

ActivateDefibrillator

Rhythm == Shockable

InjectEPI

BloodPH > 7.4

UrineFlow> 12 mL/s

Airway & Breathing

AssistedVentilation

The side effect of the treatments may adversely affect patient conditions.

A patient may not response to the treatments as expected.

P.-L. Wu, D. Raguraman, L. Sha, R. B. Berlin, and J. M. Goldman. A treatment validation protocol for cyber-physical-human medical systems. In EUROMICRO Software Engineering and Advanced Applications (SEAA), 2014


Reducing cognitive load complexity• Physicians must memorize the best practice workflow and correlate

tremendous information.• Proposed solution: Prototype of Best Practice Guidance (BPG) system

9

Nurse’s tablet

Situation Awareness Display

PhysiciansMicrosoft Surface

Video demo

https://uofi.box.com/s/5nd7r412mdlw59h2o9k8

Committee’s Comments and Remaining Challenges

Modeling of medical best practice workflow with the consideration of run-time adaptation• Proposed solution:

» A workflow validation protocol to safely adapt workflows to the patient conditions.

Categorizing and evaluating of the cognitive load with the developed BPG system.• Proposed solution:

» Identifying major sources of cognitive load in medical environments.» Clinician-in-the-loop evaluations have been conducted in Carle training

classes with a medical manikin.

10

REDUCING CYBER MEDICAL TREATMENT COMPLEXITY: SAFE WORKFLOW ADAPTATION AND VALIDATION PROTOCOL

Po-Liang Wu, Lui Sha, Richard Berlin, Julian Goldman, 「 Safe Workflow Adaptation and Validation Protocol for Medical Cyber-Physical-Human Systems」 , in EUROMICRO Software Engineering and Advanced Application (SEAA) 2015

11

12

Introduction In medical CPHS, synchronizing supervisory medical systems,

physicians’ behavior and patient conditions in compliance with best practice workflow is essential for patient safety.

However, patient adverse events are naturally asynchronous and may interrupt the current medical workflow.

In order to handle patient adverse events, medical workflows must be safely adapted.

13

Motivating Example – Cardiac Arrest Resuscitation

Intra-workflow Adaptation• EPI is a commonly used drug to improve patient's cardiac output.

However, if the patient develops acidosis, in which patient's blood pH is lower than 7.2, epinephrine may not be effective.

• Instead, another drug, called sodium bicarbonate, should be considered to treat acidosis first.

Inter-workflow Adaptation• Due to the rapid change of patient condition, physicians may need to

switch to another workflow.• Patient’s oxygen saturation level (SpO2) suddenly drops, physicians

usually fix the oxygenation problem first.

14

Categorize Safety Hazards If workflow adaptation is not performed correctly, the adaptation may even

cause safety hazards. Device configuration hazards

• Each workflow requires a set of medical devices to monitor patient conditions and perform treatments.

Patient physiological conditions hazards• Workflows usually have certain preconditions on the patient physiological

conditions, such as heart rate, blood pressure, and allergy.

Treatment adverse interaction hazards• Certain treatments may cause severe adverse interactions if performed

simultaneously. Precondition validation is key to mitigate the above hazards.

15

Physical Models and Definitions Workflow is modeled as a timed automaton, W = < Q, Σ, C, E, q0>,

where• Q is a set of states• Σ is a set of actions• C is a set of clocks• E is a set of transitions• q0 is the initial state

Timed automata model is capable of modeling medical workflows based on our case studies on resuscitation, sepsis and stroke, and can be directly used for model-checking.

However, the developed system does not automate the execution of a workflow.

16

Physical Models and Definitions Workflow Adaptation Precondition is defined as a tuple <DS, PCS,

ITS>, where • DS (Device Set) is a set of medical devices that are required to perform

the treatments or operations after the adaptation• PCS (Physiological Condition Set) is a set of physiological condition

predicates• ITS (Incompatible Treatments Set) is a set of treatments that may cause

adverse interactions with the treatment that will be performed after the adaptation.

For instance, the precondition of switching to a EKG flat-line (asystole) workflow is <{Infusion pump, Oximeter}, {(Heart rate = 0), (Blood pressure < 20)}, {Calcium Chloride ↔ Sodium Bicarbonate} >

17

System Architecture The proposed Workflow Adaptation

and Validation protocol is based on Medical Device Plug and Play (MDPnP) framework.

MDPnP framework provides interoperability between supervisory controller and distributed medical devices through network.

The protocol gathers physiological information and command medical devices through MDPnP controller.

Workflow Adaptation

and Validation Protocol

MDPnP Controller

User Interface

Medical Staff

Patients

Adaptation process Workflows

Device commands

Patient conditions and

devices states

EKG Monitor

Adapter

Defibrillator

Adapter

Infusion Pump

Adapter

Pulse Oximeter

Adapter

NetworkNetwork

18

A Workflow Adaptation and Validation Protocol

The proposed protocol consists of four phases1. Raising patient adverse events

» The protocol dynamically monitors the physiological measurements and raises patient adverse events if any measurement becomes abnormal

» An integrated patient information and system configurations is sent to the medical staff.

2. Validating preconditions phase» The required devices are connected and configured according to the

new workflows» The patient conditions are consistent with the new workflow.» The performed treatments will not cause adverse interactions with the

treatments specified in the new workflow

19

A Workflow Adaptation and Validation Protocol

3. Adapting phase» Intra-workflow adaptation: Adding/Removing/Updating the states» Inter-workflow adaptation: Switching to another workflow and the

previous workflow is pushed into a stack for further reference.

4. Completing workflow phase» Case 1: Resuming the previous workflow if the previous workflow is

still applicable» Case 2: Switching to another workflow» The validation routine must be performed.

Intra-Workflow Adaptation

20

Asystole workflow

CPR EPIIV/IO …

Workflow stack

Validation Engine

Calcium chloride

Effective treatment list

Administer sodium bicarbonate

Rhythm?

User Interface

PAE: Blood pH < 7.2


21

Asystole workflow

CPR EPIIV/IO …

Workflow stack

Validation Engine

Calcium chloride


Warning: Validation fails: adverse drug interaction

Rhythm?

Sodium bicarbonate and calcium chloride cannot be given at the same time.

Validation fails

User Interface


22

Asystole workflow

CPR EPIIV/IO …

Workflow stack

Validation Engine

SodiumBicarb


Stop calcium chloride

Rhythm?

SodiumBicarbonate

Validation success

User Interface

Inter-Workflow Adaptation

23

Asystole workflow

CPR EPIIV/IO …

Workflow stack

Validation Engine

SodiumBicarb


Switch Workflow

Rhythm?

SodiumBicarbonate

User Interface

PAE: SpO2 < 85


24

Asystole workflow

CPR EPIIV/IO …

Workflow stack

Validation Engine

SodiumBicarb


Rhythm?

SodiumBicarbonate

User Interface

Warning: device Bag valve mask?

If any precondition cannot be automatically validated by the system, the system raises a warning and request medical staff to manually check it.


25

SpO2 Low Workflow

…Secure Airway …

Asystole Workflow

Workflow stack

Validation Engine

SodiumBicarb


User Interface

Intubation

Tache-otomy

26

Verification We model the proposed protocol in UPPAAL to verify both safety

and correctness properties.

The protocol model follows the four-phase operations.

The changes of patient’s physiological measurements are modeled as non-deterministic transitions with timing properties.

27

UPPAAL Model – EKG

Verification – Hazards MitigationWorkflow Adaptation Safety Hazards

Device configuration hazards

H1: The system switches to a ventricular fibrillation or ventricular tachycardia workflow, but a defibrillator is not ready to be used.H2: The system adds a workflow state of administering sodium bicarbonate, but an infusion pump is not yet connected to the system.

Patientphysiologicalcondition hazards

H3: Sodium bicarbonate is given before the patient’s airwayis secured.H4: The system switches to a sinus tachycardia workflow,but patient’s heart rate is slower that 150 bpm.

Adverse treatmentinteraction hazards

H5: Sodium bicarbonate and calcium chloride is administeredsimultaneously.H6: Atropine is administered while the system switches toa sinus tachycardia workflow.

28

Summary In order to reduce medical safety hazards due to workflow adaptation,

a validation protocol is proposed with respect to• Required devices configuration• Consistency with patient conditions• No adverse treatments interaction

We use a model checking tool to verify both safety and correctness properties.

Human computer interaction (HCI) and situation awareness is an important aspect for developing supervisory medical systems with human-in-the-loop.

In the 2nd part of the presentation, we will present the developed Integrated workflow and patient status display system.

29

REDUCING COGNITIVE LOAD COMPLEXITY:INTEGRATED DISPLAY PROVIDING REAL-TIME WORKFLOW TRACKING, AND PATIENT DATA

30

Po-Liang Wu, Min Young Nam, Jeonghwan Choi, Alex Kirlik, Lui Sha, Richard Berlin, Julian Goldman, 「 Supporting Emergency Medical Care Teams with an Integrated Status Display Providing Real-Time Access to Medical Best Practices, Workflow Tracking, and Patient Data」 , submitted to IEEE Transactions on Human Machine Systems.

31

State of Current Research (Main focus) Lack of context-dependent information and lack of

adaption ability to the dynamic context changes Context-dependent information

• Context is a set of state variables, including patient’s physiological measurements, current medical procedure and medical history.

• Context information is important for system to provide step-by-step guidance and alert medical staff of potential deviation.

Design objectives: our system organizes the context information and adapts to the context changes according to the medical workflow in order to reduce medical staff’s cognitive load.

We have conducted simulation-based and clinician-in-the-loop evaluation with Carle Foundation Hospital.

“Health care is up to two decades behind other complex industries like aviation in terms of the widespread of implementation of computerization and automation.” The Oxford Handbook of Cognitive Engineering

Cognitive Load – Motivating Example

CPR for 2 min

Recall workflow steps and prepare for the next treatment.Track time.

Another dose of EPI

Recall EPI preconditions and dosage.Verbally order EPI.

Sudden drop of SpO2

Perform the treatments for increasing SpO2

32

Sources of Cognitive Load C1. Assemble clinical information C2. Recalls:

• Recall workflow steps• Recall treatment guidelines• Recall pending medication order • Recall the previous diagnosis and performed treatments

C3. Real-time tracking: • Track real-time changes of the patient conditions• Track temporal progress of the treatment

C4. Calculations:• Calculate the recommended drug dosage and administration period

33

User-Centric Design In order to develop an user-friendly system to reduce medical staff’s

cognitive load, we continually involved physicians and nurses in the system development.

We understand and document their working environment using a set of work models.

Based on the work models, the system is designed in a manner that provides comprehensive and concise context information/guidance as well as fits into their working environment.

34

Flow Model

35

The flow model depicts the communication and coordination between medical staff as well as their responsibilities.

The system was designed to externalize the communicated clinical information in order to reduce the possibility of misunderstandings and number of recalls.

Sequence Model

36

Sequence model describes how a sequence of medical tasks unfolds over time.

The model is built based on the American Heart Association (AHA) guidelines and medical staff’s description.

The system was designed to provide guidance on the treatments in complaint with the AHA guidelines.

Physical Model

37

Physical model illustrates the physical environment.

Based on the physical model, the system designers can understand the environmental constraints and opportunities that need to be considered for a successful design.

Integrated Workflow and Patient Conditions Display

38Video demo

https://uofi.box.com/s/5nd7r412mdlw59h2o9k8

Nurse’s Touch Tablet

39

Evaluation Settings The evaluation is performed in the

Carle’s training classes with real physicians and nurses on a professional medical manikin.

A medical team, consisting of four medical staff, performs two simulated cardiac arrest scenarios, one with the developed system (first) and one without it (later).

After the simulation, the medical staff fill NASA-TLX sheets to evaluate their task load.

40

41

Evaluation NASA Task Load Index (NASA-TLX)

Metrics Description

Mental Demand How much mental or perceptual activity was required?

Physical Demand How much physical activity was required?

Temporal Demand How hurried or rushed was the pace of the task?

Performance How successful were users in performing the task? (Lower score means better performance)

Effort How hard did users have to work to accomplish the task?

Frustration How insecure, discouraged, irritated, and stressed, did users feel during the task?

42

Evaluation

From 12 physicians and nurses

Limitations of The Evaluation The number of participants (12 physicians and nurses) is relatively

small.• This is a preliminary study and we cannot claim statistics significance.

The two cardiac arrest scenarios performed by a medical team are different due to the nature of the training class.• We have asked the evaluation coordinator to give a more challenging

scenario, which involves more patient adverse events and more treatments, when the team used the developed system.

The evaluation results may subject to confirmation bias.• Most of the participants are not involved in the system development.

43

Clinical Impact Quote from Troy Hoshauer, Life Support Coordinator

• “After the scenarios were concluded we asked all six of the physicians if they found the tool to be extremely helpful and if we should move forward with the project. The answer was unanimous yes. Dr. Arwari felt we needed to get this into a trial for the floor as he sees a huge impact in keeping everyone on the same page during the code.”

Quote from Carle Foundation Hospital • “It is expected that the use of the system will result in rapid and

consistent timing of medical interventions, stricter adherence to standardized medical treatment guidelines, more accurate record keeping, and improved team situation awareness.”

44

FDA Approval Requirements – Risk Analysis

In addition to follow best-practice software engineering process, FDA specifically requires risk analysis and traceability.

Risk analysis• Fault-tree Analysis (Top-down)

» Analyzing how an unsafe state/event of a system, i.e. risk, could be reached due to a combination of hardware/software failure.

• Failure Mode Effects Analysis (FMEA) (Bottom-up)» Analyzing how a hardware/software failure could cause the overall system

failure or compromise safety requirements, i.e. risks.• A set of risk-management requirements is derived.

45

FDA Approval Requirements – Traceability

Requirement-design-testing traceability• Demonstrate complete traceability, especially the risk-management

requirements.

46

Clinical Requirements

System Requirements

Software Requirements

Design/Implementation Testing

Conclusion Reduce and control complexity in respect of

• Verification complexity• Cyber medical treatment complexity• Cognitive load complexity

We have developed • interruptible RPC and consistent coordination protocol to reduce

verification complexity.• workflow and treatment validation protocols to reduce treatment

complexity• best practice guidance system to reduce cognitive load complexity

47

Published Work Published work

• P.-L. Wu, W. Kang, A. Al-Nayeem, L. Sha, R. B. Berlin Jr, and J. M. Goldman. “A low complexity coordination architecture for networked supervisory medical systems.” In: Proc. ICCPS’13.

• P.-L. Wu, D. Raguraman, L. Sha, R. B. Berlin, and J. M. Goldman. “A treatment validation protocol for cyber-physical-human medical systems.’ in EUMIRCRO SEAA’14.

• P.-L. Wu, Lui Sha, Richard Berlin, Julian Goldman, “Safe Workflow Adaptation and Validation Protocol for Medical Cyber-Physical-Human Systems”, in EUROMICRO SEAA’15

• H. Yun, P.-L. Wu, M. Rahmaniheris, C. Kim, and L. Sha. “A reduced complexity design pattern for distributed hierarchical command and control system.’ In: Proc. ICCPS’10.

• W. Kang, P.-L. Wu, M. Rahmaniheris, L. Sha, R. B. Berlin, and J. M. Goldman. “Towards organ-centric compositional development of safe networked supervisory medical systems.’ In: Proc. CBMS’13.

Under review• P.-L. Wu, Min Young Nam, Jeonghwan Choi, Alex Kirlik, Lui Sha, Richard Berlin, Julian Goldman,

“Supporting Emergency Medical Care Teams with an Integrated Status Display Providing Real-Time Access to Medical Best Practices, Workflow Tracking, and Patient Data”, submitted to IEEE Transactions on Human Machine Systems.

48

Thanks!

49