Designing for palpability: Workshop at Pervasive 2007, 13-16 May 2007, Toronto, Canada. http://www.ist-palcom.org/palpable-pervasive-2007
Supporting inspection strategies through palpable
assemblies
Marti Patrizia, Grönvall Erik, Pollini Alessandro, Rullo Alessia
University of Siena, Communication Science Department
Via Roma 56, 53100 Siena, Italy
[email protected], {gronvall, pollini, rullo}@media.unisi.it
ABSTRACT
The paper reports an early study on inspection strategies of high-risk systems using ambient computing technologies.
Traditionally, the main goal of ambient, pervasive and ubiquitous
computing applications is to make the technology transparent or
invisible for the users. However, this sort of technological
disappearance is not always desirable, in particular when a
failure occurs in the system. In such an event the user would benefit
from the visibility of the system state, and from adopting
inspection strategies to detect the error and take, if possible, the
necessary correctional measures. The paper presents a study
performed in a Neonatal Intensive Care Unit where novel ambient
computing technologies and related inspection strategies are
currently being designed and assessed in the context of the
European project PalCom (http://www.ist-palcom.org/).
Keywords
High-risk systems, ambient computing, inspection, error detection
1. INTRODUCTION
Traditionally, the main goal of ambient, pervasive and ubiquitous
computing applications is to make the technology transparent or
invisible [1] for the users. However, when these applications are
more deeply considered, it becomes obvious that this sort of
technological disappearance is not always possible or even
desirable. When, for example, an error occurs within ubiquitous
systems, a user would benefit from the visibility of the current
system state, which would thus permit the inspection of the error
and allow, if possible, the necessary correctional measures to be
taken. In other words, this means that in order to effectively use
these applications the users must always remain in control [2].
This is especially true in emergency or breakdown situations in
safety critical domains, such as, for example, Neonatal Intensive
Care [3]. In these kinds of settings where distributed processes
and simultaneous overlaps between the situations deeply affect
the nature of the work, many potential conflicts and dangerous
situations can be generated. In this paper we draw on
ethnographic studies and long-term participatory design sessions
with the medical staff and the parents of premature children at the
Neonatal Intensive Care Unit (NICU) of ‘Le Scotte’ Hospital in
Siena (Italy). The study investigates visibility and control of
ambient devices in relation to inspection strategies for error or
fault detection and recovery.
Balancing transparency and automation with awareness and
control is the goal of PalCom (PalCom, http://www.ist-palcom.org), which aims at developing an innovative design
approach called Palpable Computing. Palpable computing
complements key features of ambient computing, such as
invisibility and end-user composition of devices, with their
opposites - e.g., visibility and decomposition – to enable users to
independently navigate and influence the computing system [2].
As compositions of devices, or ‘assemblies’ become increasingly
dynamic there is an urgent need for supporting users in handling
resources and debugging processes in detailed and useful ways.
Indeed, quality of service depends on people’s ability to gauge the
different capacities of the created assemblies (e.g. levels of
accuracy for measurements, location information, or other
information provided by elements of an assembly) [4].
2. Assemblies and inspection
Palpable assemblies are characterized by their availability for
dynamic composition and use. A major feature of many current
ubiquitous and distributed computing applications is the use of
fixed (or pre-defined) collections of devices for specific activities.
An example in a fairly common environment (home technology)
is the automatic service composition developed at Nokia Research
Center U.S. where a ‘Media Library’ device, a ‘Video Screen’, a
‘Media Server’, ‘Media Receiver and Controller’ are collected in
a network [5].
Palpable assemblies ought to support user needs regarding
flexible and adaptable tools. If composition is automated, users
should be able to notice and take control at any step in the
process. In addition, completely user controlled composition of
assemblies should be supported. A dynamic assembly is made
from collections of devices, services and communication
capabilities where palpability emerges as property-in-use of these
systems. In the dynamic construction and deconstruction of
assemblies, services are distributed and able to dynamically
discover and interact with each other and the discovery can in
principle reside on any of the participating devices. PalCom
devices and services thus recognize each other and heterogeneity
among the assembled devices is made possible.
As assemblies become dynamic there is an urgent need for
handling resources and debugging processes in detailed and useful
ways. We discuss what happens when connections
break among the components and how to notice and understand if
the assembly still preserves (some of) its initial capacities.
Managing resources and inspecting processes proves to be
critical in using dynamic assemblies. A component
might not always have the same capacities and services, thus it
can potentially have different levels of accuracy. It is very
important that the users can be made aware of the given accuracy
of the assemblies that they are relying upon.
3. The Neonatal Intensive Care Unit (NICU)
The NICU presents some peculiar features which challenge the
design of ambient computing technologies in many ways, as they
can support the premature babies’ necessities and the inspection
mechanisms of the medical staff. The incubators used in the ward
represent a complex system of different components, each one
playing a precise role in the care of the child. In more detail [3], [6]:
1. The system is characterized by a high level of reconfigurability,
   i.e. each incubator should be conceived as an ad hoc entity,
   tailored to the baby’s conditions and dynamically changing over time.
2. The incubator is associated with external equipment to
   sustain the baby’s needs, but no functional coupling
   is currently supported among the different devices, which
   makes it complicated to recognize and discriminate
   system failures from aggravation of the baby’s conditions.
3. The work practice is based on the continuous
   combination and integration of data coming from
   different sources.
4. Different actors have different access to the incubator
   depending on their role: this implies a different access
   to the information to be displayed.
5. This setting should support the co-existence of emergency
   situations as well as daily care.
Such a complexity can generate latent conflict situations that
could affect the safety of the patients and the security of the work
environment [3]. Indeed, the correct execution of the different
ongoing processes depends on the medical staff’s control of
the equipment, the possibility to anticipate the occurrence of
breakdowns and the inspection of the system behavior.
From direct observation of the activity in the ward, a number of
scenarios have been collected to understand the current inspection
strategies adopted by the medical personnel at the NICU.
The collected scenarios have been presented using the Model for
Error Detection developed by Rizzo, Ferrante and Bagnara in
1995 [7]. The model is based on the idea that a stimulus can be
evaluated with respect to the reference system it evokes after the
fact, rather than in relation to pre-established expectations. The
process includes four main phases: i) mismatch emergence (i.e., a
breakdown in the perception-action loop; it consists in a conflict
or clash of knowledge in the working memory); ii) detection (i.e.,
the awareness that an error occurred; in this case the undesired
result is properly attributed to one’s own activity); iii) identification
(i.e., individuation of the source of the breakdown); iv)
overcoming of the mismatch (i.e., strategies for either reducing
the mismatch, or getting rid of it, or undoing its cause). The four
steps do not necessarily occur in all the error detection episodes;
instead the contrary is often the case.
In the following we illustrate a real scenario that occurred at the
NICU, generated by a variation in the SpO2 value of the baby.
SpO2 is a measurement of the amount of oxygen attached to the
haemoglobin cell in the circulatory system. Put more simply, it is the
amount of oxygen being carried by the red blood cell in the
blood. SpO2 is given as a percentage; normal is around 96%.
The "S" stands for saturation and the SpO2 is monitored by the
Saturimeter. In practice, SpO2 goes up and down according to
how well the baby is breathing and how well the blood is being
pumped around the body.
The scenario describes the inspection strategies adopted by the
nurse and the neonatologist to overcome the mismatch and detect
and solve the error that occurred in the system.
Figure 1: Inspection scenario – SpO2 variation
As the scenario illustrated in Figure 1 shows, the incubator and
the equipment surrounding it define a quite opaque system which,
in the presence of an unexplainable variation, does not offer any
means to inspect the system and overcome the error. The only
way to cope with the mismatch is to apply a trial and error
strategy. Indeed, when a variation in the SpO2 value occurs, the
medical staff first decides to check the baby and then to check whether
the sensor is correctly positioned on the baby, in order to decide
whether to change the sensor’s position or substitute it. Eventually
they check the respirator. The way in which this trial and error strategy is applied
depends on the previous experiences of the nurse and of the
neonatologist. During the inspection, the medical staff generates
different hypotheses about the system status, continuously
checking the conditions of the baby and trying to understand
what the source of the mismatch is. This strategy has two main
consequences. First, in the case of mismatch detection, the medical staff
must question the overall reliability of the system; no level of
degradation is provided: whenever a component stops working the
whole system is compromised. In other words, this can be
considered an on/off system. Moreover, it is not possible to figure
out the functional relations among the different pieces of equipment
necessary for the child’s survival, although a malfunction in one
device (e.g. the respirator) directly affects the functioning of
another device (e.g. the Saturimeter), which in turn directly
influences the baby status (e.g. change in the SpO2 value).
4. Making existing technology palpable: the
Incubator assembly
We are designing technologies that can be used to create flexible
incubator assemblies that can be adapted on-the-fly for different
kinds of treatments and situations. This allows the staff members
to manage events related to the baby care more flexibly and
sensitively. The incubator assembly is composed of the incubator
itself, the surrounding machinery as well as a number of
technologies we developed in the PalCom project. These include:
The BioBelt: A wearable device augmented with a set of sensors
to be placed around the infant’s chest on the abdomen.
The PalCom-node: This node is an I/O-device functioning as a
bridge between non-palpable devices (existing technologies in the
ward) and the PalCom technologies. This allows non-palpable
equipment to take part in palpable assemblies.
The Assembly Browser: With the browser users can manage
assemblies throughout the whole assembly lifecycle [8]. It allows
the users to construct and initiate assemblies as well as reconfigure
and turn off assemblies along the activity. The Assembly
Browser exists today as one version targeting developers. One
intended for the end-users is now under development.
The palpable devices can be assembled with other palpable
devices but also in combination with the current, existing
equipment at the NICU (e.g. the Saturimeter). This is permitted
through the use of the ‘PalCom node’. All these devices (i.e. the
devices running the PalCom architecture and the devices
connected through the PalCom-node) can be managed (e.g. be
attached to different running assemblies or inspected) through the
Assembly Browser.
Figure 2: System overview and examples of assemblies (red and
green dot lines)
The biosensors belt is developed as a first prototype with
embedded sensors and transducers for monitoring the heart rate
(HR), the breathing rate (BR), the body movements (BM) and the
temperature (T) [9], [10]. Concerning the physiological
parameters, the belt aims at facilitating the continuous HR, BR,
BM and T monitoring with proper signals acquisition and preprocessing systems, ensuring an unobtrusive measure [11], [12].
In order to address the requirements of this particular application
domain, the biosensor belt design necessitates specific
considerations in relation to the sensor integration in a textile
substrate. The belt is about 4 cm wide and can be adapted in
respect to the baby size and fixed in a non invasive way, to avoid
the direct contact of scratchy material to the baby skin. The
BioBelt can interact with the Assembly browser and other
PalCom devices through a PalCom-node. The already existing
equipment in the ward, such as the Respirator and the Saturimeter
become part of the PalCom network in the same way, by
connecting them to PalCom-nodes running services that can wrap
them into PalCom devices. The Saturimeter measures the Heart
rate and the SpO2 values from the child while the Respirator
assists the child breathing function.
The neonatologist can combine the information coming from the
belt in order to get more detailed assessment of the baby
conditions. A first assembly consists of the Saturimeter and the
biosensors belt for monitoring of the SpO2 values. The assembly
not only allows PalCom devices to be connected with existing ones, but
its networking properties also support the inspection of the system by
checking the status of the functional connections among the
different components of the assembly. To facilitate this task, the
belt can also transmit the raw bio-signals (the electrocardiogram
(ECG) and the chest dilatation (respiratory movement)), thus
facilitating the understanding of possible sensor failures.
The definition and the use of the assemblies result in a deeper
understanding of the baby’s conditions. Indeed in this way any
failure in the functional connections among the assembly
components can be easily detected, in particular those which
directly affect the baby’s conditions.
5. Discussion: network-based inspection
The Incubator assemblies described above define a system of
different components that can allow novel forms of inspection by
relying on the networking among the assembly components. This
allows the medical staff to respond to the evolution of the baby
conditions more flexibly and sensitively. In this system different
assemblies can co-exist (e.g. the BioBelt, the Saturimeter and the
assembly browser in parallel with the BioBelt, the Saturimeter
and the Respirator) integrating palpable applications with the
existing equipment in the NICU. This notion of assembly captures
a very critical feature of the work in the NICU. As the scenarios in
Figures 3 and 4 show, the incubator system is the product of
various, interrelated components that have a strong, logical
connection since all of them have a mutual influence on each
other through the baby. Despite this strong correlation, the
incubator does not create a system with the other external
components. In fact nowadays they are not functionally connected
and each one works independently from the others. The use of
assemblies in this setting can significantly modify this situation
by establishing novel connections among the incubator equipment
and making visible the functional relations among the assembly
components.
In the implemented system, it is possible to recognize two
complementary strategies to allow inspection of the system
behavior. The first one is illustrated in Figure 3. In this case a
classical redundant error handling strategy is applied. The heart
rate (HR) detected by the Saturimeter (HR1) is continuously
compared with the heart rate coming from the BioBelt (HR2) that
the child wears. In this application an alarm is generated each
time the difference between the compared values exceeds a defined threshold. This
represents a classical inspection strategy which compares the
same value coming from different sources. Currently this
comparison is done by the medical staff without any external
support.
Figure 3: Inspection strategies based on redundancy
Figure 4: Network-based inspection strategies
Redundancy is a well consolidated strategy and is considered
necessary for high-reliability organizations to manage activities
that are sufficiently dangerous to cause serious consequences in
the event of operational failures. In classic organizational theory,
redundancy is provided by some combination of duplication (two
units performing the same function) and overlap (two units with
functional areas in common). The theory is that reliability can be
enhanced by parallel configurations—standby components that
are in place to operate should the primary components fail [13].
Not all of the critical points of exposure and of vulnerability,
however, can be covered, as safety is a compromise between
requirements and economic necessity [14]. Indeed inserting
additional levels of control is costly and poses problems on the
interactive complexity of the system: unexpected interactions can
affect supposedly redundant sub-systems. A sufficiently complex
system can be expected to have many such unanticipated failure
mode interactions, making it vulnerable to normal accidents.
For this reason other kinds of inspection strategies are currently
investigated in the PalCom project working with the notion of
assembly. Figure 4 shows a scenario exploiting the network-based
inspection: each component of an assembly is interconnected with
the others and in this way is aware of and responsible for the
others. If a failure in a component occurs, the other components
of the assembly can notify it to the user. Indeed, while using
dynamic assemblies, users can discover and detect connections’
breakdowns and inspect a failure of a component that for some
reason does not respond any more to its neighbor in the assembly.
Relying on the networking enabled between the assembly’s
components, each constituent is aware of and becomes “responsible”
for its neighbors and can be used to check whether it is receiving
signals and data from the others or not. In this way each
component of the assembly can report to the others about the state
of its neighbors and the message can be broadcast in the
assembly. An example of such an application is the case of the
breathing rate monitoring. In the scenario illustrated in Figure 4,
the Respirator provides the child with oxygen, while the breathing
rate, which correlates to the respirator function, is monitored by
the BioBelt; the SpO2 values are monitored by the Saturimeter.
If any malfunction occurs in the respirator, the discovery
protocols enabled by the PalCom nodes will propagate the
information on the missing signal from the respirator to the whole
assembly. This creates a novel inspection opportunity for the user,
who can understand what is going wrong and at which level of the
system. This allows taking different recovery actions.
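An added sketch of the two inspection strategies discussed in this section (it is not PalCom code and does not come from the paper): the HR1/HR2 redundancy comparison and the neighbour-based detection of a silent component. The threshold, the timeout, the fully connected three-device topology and the component/link classification under a single-fault assumption are all assumptions made for illustration.

```python
from collections import defaultdict

HR_THRESHOLD_BPM = 10.0   # assumed alarm threshold, not a value from the paper
SILENCE_TIMEOUT_S = 3.0   # assumed: a neighbour unheard for longer is "silent"

def redundancy_alarm(hr1, hr2, threshold=HR_THRESHOLD_BPM):
    """Redundancy strategy: HR1 (Saturimeter) and HR2 (BioBelt) disagree."""
    return abs(hr1 - hr2) > threshold

class Assembly:
    """Toy assembly: each component records when it last heard each neighbour."""

    def __init__(self, links):
        self.neighbors = defaultdict(set)
        for a, b in links:
            self.neighbors[a].add(b)
            self.neighbors[b].add(a)
        # last_heard[observer][neighbour] = time of the last signal received
        self.last_heard = {o: {n: 0.0 for n in ns}
                           for o, ns in self.neighbors.items()}
        self.failed = set()   # components that stopped emitting (simulation state)
        self.broken = set()   # broken links, stored as frozenset({a, b})

    def tick(self, now):
        """Every working component signals its neighbours over intact links."""
        for sender, receivers in self.neighbors.items():
            if sender in self.failed:
                continue
            for receiver in receivers:
                if frozenset((sender, receiver)) not in self.broken:
                    self.last_heard[receiver][sender] = now

    def reports(self, now, timeout=SILENCE_TIMEOUT_S):
        """Merged broadcast: {silent component: [neighbours missing its signal]}."""
        merged = defaultdict(list)
        for observer, heard in self.last_heard.items():
            if observer in self.failed:
                continue          # a failed component reports nothing
            for neighbor, t in heard.items():
                if now - t > timeout:
                    merged[neighbor].append(observer)
        return {name: sorted(obs) for name, obs in merged.items()}

    def diagnose(self, now):
        """Uses only the reports. Assumes one fault at a time: a component
        missed by all of its neighbours is down, otherwise a link is down."""
        return {
            suspect: "component"
            if set(observers) == self.neighbors[suspect] else "link"
            for suspect, observers in self.reports(now).items()
        }

def run_scenario(failed=None, broken=None):
    """5 s of healthy operation, then an injected fault, then 5 more seconds."""
    asm = Assembly([("Respirator", "BioBelt"),
                    ("Respirator", "Saturimeter"),
                    ("BioBelt", "Saturimeter")])   # assumed topology
    for t in range(1, 6):
        asm.tick(float(t))
    healthy = asm.diagnose(5.0)
    if failed:
        asm.failed.add(failed)
    if broken:
        asm.broken.add(frozenset(broken))
    for t in range(6, 11):
        asm.tick(float(t))
    return healthy, asm.reports(10.0), asm.diagnose(10.0)
```

With the Respirator failed, both remaining devices report it silent and the diagnosis is a component fault; with only the Respirator-BioBelt link broken, each endpoint is reported by a single neighbour and the diagnosis is a link fault.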
As anticipated in the introduction, this study on inspection
strategies in high-risk systems is at an early stage. In order to
investigate more deeply the opportunities of the network-based
inspection, the scenarios described in the paper will be simulated
in the NICU with the medical staff, with the purpose of eliciting new
requirements from the operators. Initial results show that the
possibility to use both redundancy and the network-based
inspection strategy may offer new insights about the way in which
the user can make sense of and perceive the assemblies, in particular
in relation to breakdowns and failures in ambient computing
systems.
6. REFERENCES
[1] Weiser, M. The Computer for the Twenty-First Century.
Scientific American, pp. 94-10, September 1991
[2] Schultz, U.P., Corry, E., Lund, K. E. (2005) Virtual Machines
for Ambient Computing: A Palpable Computing Perspective,
Proceedings of ECOOP 2005 Object Technology for Ambient
Intelligence Workshop, Glasgow, U.K., 2005.
[3] Rullo A., Marti P., Grönvall E., Pollini A., 2006 End-user
composition and re-use of technologies in the Neonatal
Intensive Care Unit, Proceedings of Pervasive Healthcare
2006, Innsbruck, Austria, 29 Nov. – 1 Dec. 2006.
[4] Büscher, M., Christensen, M., Hansen, K.M., Mogensen, P.,
Shapiro, D., Bottom-up, top-down? Connecting software
architecture design with use, In Voss, A., Hartswood, M., Ho,
K., Procter, R., Rouncefield, M., Slack, R., Büscher, M.
Configuring user-designer relations: Interdisciplinary
perspectives. Springer Verlag, Accepted for publication.
[5] Wisner, P., Automatic Composition in Service Browsing
Environments, MIRW 2006, Espoo, Finland, 12 September
2006
[6] Marti, P., Rullo, A., Progettare in ambienti 'fragili': il valore
della partecipazione, in 'La parola e la cura', autumn 2006
[7] Rizzo, A., Ferrante, D. & Bagnara, S., Handling human
errors. In Expertise and technology, J-M. Hoc, P.C.
Cacciabue & E. Hollnagel (Eds.), 195-212. Hillsdale, NJ:
Lawrence Erlbaum Associates Publishers, 1995
[8] Svensson, D., Magnusson, B. and Hedin, G., Composing ad-hoc applications on ad-hoc networks using MUI,
Proceedings of Net.ObjectDays, 6th Annual International
Conference on Object-Oriented and Internet-based
Technologies, Concepts, and Applications for a Networked
World, Erfurt, Germany, September 2005.
[9] Panfili G. et al., “A Wearable Device for Continuous
Monitoring of Heart Mechanical Function Based on
Impedance Cardiography”, 28th EMBS Conference, New
York 2006, Aug. 30- Sept. 3, pp. 5960-5963.
[10] Piccini, L., L. Arnone, F. Beverina, L. Petrelli, A. Cucchi, G.
Andreoni: “A Wireless DSP architecture for biosignals
acquisition”, Proceedings of ISSPIT, pp 487-490, 2004.
[11] Andreoni, G., Maggi L., Piccini, L., “Automatic control of
thermal comfort”, International Encyclopedia of Ergonomics
and Human Factors, 2nd Edition. Taylor & Francis (Eds)
2005. pp 1755-1762.
[12] Di Rienzo, M., Andreoni, G., Piccini, L., “A wearable
system for unobtrusive measure of ECG”, Proceedings of
IFMBE, n. 435, 2004.
[13] O'Connor, P. (1991). Practical Reliability Engineering (3rd
ed.). New York: John Wiley.
[14] Petroski, H. (1994). Design Paradigms. Cambridge, England:
Oxford University.