The CPOE interface described in Box 3-1 did not have one screen that lists previous medication and drip orders, up-to-date laboratory results, or whether the patient is currently receiving a KCl drip (Horsky et al., 2005). Here, clinicians may need to switch between dif- ferent display windows to ascertain all the information needed to complete KCl calculations. This requires the practitioner to enter keying sequences that are quite arbitrary and to re- member what was on previous screens as he switches between them. The practitioner be- comes the de facto integrating agent for all such data and hence bears the brunt of all the cognitive demands required for such integration (Woods et al., 2010). Furthermore, practi- tioners who work in a chaotic interruption-driven environment must turn their efforts to many other tasks before they have completed the task on which they are currently working. In such an inadequately designed environment, it is easy for a practitioner to lose context, to get lost in a multitude of windows, and to regain context of the interrupted task only partially, resulting in a higher risk of patient harm.
Clumsy automation reflects poor coordination between human users and information tech- nology. Even clumsy automation often offers benefits when user workload is low (which is why systems that offer clumsy automation are so often accepted initially), but the costs and burdens of such automation become most apparent during periods of high workload, high criticality, or high-tempo operations.
The use of a computerized interface—usually a video display screen—to display data can provide examples of the phenomenon of clumsy automation. Poorly designed computerized in-
terfaces tend to make interesting and noteworthy things invisible when they hide important data behind a number of windows on the screen (Woods et al., 2010). Thus, practitioners are forced to access data serially even when the data are highly related and are most usefully viewed in paral- lel.
SAFETY REPORTING AND IMPROVEMENT
The safety of a system may degrade over time if attention is not given to ensuring system safety. Over time, technology changes as fixes and upgrades are made to the applications and the infrastructure on which those applications run, and the changes may often not be systems based and may be made without considering their impact on operational tasks. Experienced personnel depart and inexperienced personnel arrive. External regulations and institutional priorities both evolve, and thus operating procedures change.
When such changes are large, they are often accompanied by formal documentation that modifies existing work-as-designed procedures. But more often, changes to work-in-practice oc- cur with little formal documentation. As the system’s work-in-practice drifts farther away from work-as-designed, the likelihood of certain unsafe outcomes increases, as discussed above. For this reason, safety-conscious overseers of the system will audit the system from time to time so that they can identify budding safety problems and take action to forestall them.
But it is hard to know where to look for problems in a system that appears to be performing safely. Thus, all parties responsible for safety must make it easy for practitioners to report cir- cumstances that result in actual harm and also to report close calls that could have resulted in harm if they had not been caught in time.
In addition, because the society in which the U.S. health care system is embedded (that is, society writ large) generally seeks to apportion responsibility and fault for actual harm, health professionals—who are in the best position to know what actually happened in any given acci- dent—often have incentives to refrain from reporting fully or at all when unsafe conditions oc- cur. Thus, information that is needed to improve the safety of health care—and of health IT– assisted care in particular—is likely to be systematically suppressed and underreported. Report- ing mechanisms must therefore be structured to offer countervailing incentives for such report- ing. Safety analysts often point to the “Just Culture” principles for dealing with incident report- ing (Marx, 2001; Global Aviation Information Network Working Group E, 2004; Reason, 1997). Based on the notion that the safety afforded by an organization can benefit more by learning from mistakes than by punishing people who make them, a Just Culture organization encourages people to report errors and to suggest changes as part of their normal everyday duties. People can report without jeopardy, and mistakes or incidents are seen not as failure but as an opportunity to focus attention and to learn. Thus, information provided in good faith is not used against those who report it.
The Just Culture organization recognizes that most people are genuinely concerned for the safety of their work, and it takes advantage of the fact that when reporting of problems leads to visible improvements, employees need few other motivations or exhortations to report. In Leve- son’s words, “empowering people to affect their work conditions and making the reporters of safety problems part of the change process promotes their willingness to shoulder their responsi- bilities and to share information about safety problems.… Blame is the enemy of safety … [and] when blame is a primary component of the safety culture, people stop reporting incidents” (Leveson, 2009).
CONCLUSION
The idea that safety is an emergent property of a sociotechnical system is easy to acknowl- edge in the abstract. But in fact, the implications of taking such a view challenges many wide- spread practices found in health IT vendors and health care–providing organizations. Vendors often focus on the role of technology when safety is compromised, and they pledge to fix any technology problems thus found without addressing the human-interaction component in the overall functioning of the technology as an inextricable component of health IT as a clinical tool. Because complex systems almost always fail in complex ways (a point noted in safety examina- tions in other fields7), health care organizations must focus on identifying the conditions and fac- tors that contribute to safety compromises. They must pledge to address these conditions and fac- tors in ways that reduce the likelihood of unsafe events rather than superficially focusing only on single root causes. Failure to acknowledge that technology-related problems that are encountered are a product of larger systems-based issues will result in the implementation of countermeasures that will fall far short with regard to the reduction of risk to the patient.
The fact that a sociotechnical system has multiple components that interact with each other in unpredictable ways means that an isolated examination of any one of these components will not yield many reliable insights into the behavior of the examined component as it operates in actual practice. This point has implications for technology developers in particular, who must develop products that can fit well into the operational practices and workflow (which are usually nonli- near) of many different health care organizations. The next chapter suggests various levers with which to improve safety.
REFERENCES
Baker, J. A. 2007. The report of the BP U.S. refineries independent safety review panel. Available at
http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/SP/STAGING/local_assets/assets/ pdfs/Baker_panel_report.pdf (accessed September 28, 2011).
Cohen, T., B. Blatter, C. Almeida, and V. L. Patel. 2007. Reevaluating recovery: Perceived violations and preemptive interventions on emergency psychiatry rounds. Journal of the American Medical Informatics Association 14(3):312-319.
Fox, W. M. 1995. Sociotechnical system principles and guidelines: Past and present. Journal of Applied Behavioral Science 31(1):91-105.
Global Aviation Information Network Working Group E. 2004. A roadmap to a just culture: Enhancing the safety environment. http://204.108.6.79/products/documents/roadmap%20to%20a%20just%20culture.pdf (accessed August 9, 2011).
Harrison, M. I., R. Koppel, and S. Bar-Lev. 2007. Unintended consequences of information technologies in health care—an interactive sociotechnical analysis. Journal of the American Medical Informatics Association 14(5):542-549.
Harrington, L., D. Kennerly, and C. Johnson. 2010. Safety issues related to the electronic medical record (EMR): Synthesis of the literature from the last decade, 2000-2009. Journal of Healthcare Management 56(1):31- 43; discussion 43-34.
Horsky, J., G. J. Kuperman, and V. L. Patel. 2005. Comprehensive analysis of a medication dosing error related to CPOE. Journal of the American Medical Informatics Association 12(4):377-382.
IOM (Institute of Medicine). 2001. Crossing the quality chasm: A new health system for the 21st century. Washington, DC: National Academy Press.
Kahol, K., M. Vankipuram, V. L. Patel, and M. L. Smith. 2011. Deviations from protocol in a complex trauma environment: Errors or innovations? Journal of Biomedical Informatics 44(3):425-431.
7 This point was noted in the report of the Board investigating the Shuttle Columbia disaster
(http://spaceflightnow.com/columbia/report/006boardstatement.html) and in the investigation of the Deepwater oil rig explosion (http://www.deepwaterinvestigation.com/go/doc/3043/1193483/).
Leveson, N. 1995. Safeware: System safety and computers. Reading, MA: Addison-Wesley.
Leveson, N. 2009. Engineering a safer world: Systems thinking applied to safety. http://sunnyday.mit.edu/safer- world/safer-world.pdf (accessed June 1, 2011).
Marx, D. 2001. Patient safety and the "just culture": A primer for health care executives. New York, NY: Columbia University. Available at http://psnet.ahrq.gov/resource.aspx?resourceID=1582.
NRC (National Research Council). 2007. Software for dependable systems. Washington, DC: The National Academies Press.
Orasanu, J., L. H. Martin, and J. Davison. 2002. Cognitive and contextual factors in aviation accidents: Decision errors, in E. Salas and G. Klein (eds.), Linking expertise and naturalistic decision making. Mahwah: Erl- baum Associates. 209-226.
Patel, V. L., A. W. Kushniruk, S. Yang, and J.-F. Yale. 2000. Impact of a computer-based patient record system on data collection, knowledge organization, and reasoning. Journal of the American Medical Informatics Association 7(6):569-585.
Rasmussen, J. 1985. Trends in human reliability analysis. Ergonomics, 28(8), 1185-1195.
Rasmussen, J. 1997. Risk management in a dynamic society: A modelling problem. Safety Science 27(2-3):183-213. Rasmussen, J., K. Duncan, and J. Leplat. 1987. New technology and human error. New York: John Wiley & Sons. Reason, J. 1997. Managing the risks of organizational accidents. Hants, England: Ashgate.
Sittig, D. F., and H. Singh. 2010. A new sociotechnical model for studying health information technology in complex adaptive healthcare systems. Quality & Safety in Health Care 19(Suppl 3):i68-i74.
Snook, S. A. 2002. Friendly fire: The accidental shootdown of U.S. Blackhawks over northern Iraq. Princeton, NJ: Princton University Press.
Suchman, L. 1987. Plans and situated actions: The problem of human machine communication. New York: Cambridge University Press.
Walker, J. M., P. Carayon, N. Leveson, R. A. Paulus, J. Tooker, H. Chin, A. Bothe, Jr., and W. F. Stewart. 2008. EHR safety: The way forward to safe and effective systems. Journal of the American Medical Informatics Association 15(3):272-277.
Woods, D., S. Dekker, R. Cook, L. Johannesen, and N. Sarter. 2010. Behind human error, 2nd ed. Burlington, VT: Ashgate.
4-1