The benefits of formalising design guidelines: a case study on the predictability of drug infusion pumps

  • Paolo Masci
  • Rimvydas Rukšėnas
  • Patrick Oladimeji
  • Abigail Cauchi
  • Andy Gimblett
  • Yunqiu Li
  • Paul Curzon
  • Harold Thimbleby


A demonstration is presented of how automated reasoning tools can be used to check the predictability of a user interface. Predictability concerns the ability of a user to determine the outcomes of their actions reliably. It is especially important in situations such as a hospital ward where medical devices are assumed to be reliable devices by their expert users (clinicians) who are frequently interrupted and need to quickly and accurately continue a task. There are several forms of predictability. A definition is considered where information is only inferred from the current perceptible output of the system. In this definition, the user is not required to remember the history of actions that led to the current state. Higher-order logic is used to specify predictability, and the Symbolic Analysis Laboratory is used to automatically verify predictability on real interactive number entry systems of two commercial drug infusion pumps—devices used in the healthcare domain to deliver fluids (e.g., medications, nutrients) into a patient’s body in controlled amounts. Areas of unpredictability are precisely identified with the analysis. Verified solutions that make an unpredictable system predictable are presented through design modifications and verified user strategies that mitigate against the identified issues.
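The following Python script is an added worked example, not the paper's SAL model or the authors' code. It encodes the notion of predictability described above, where the user must be able to determine the outcome of an action from the current perceptible output alone, for a small constructed number entry interface and reports exactly which displayed states are unpredictable. The interface (a value in tenths of a unit with a hidden key-acceleration counter), the three display variants and the "pause" action are assumptions made up for the illustration; the check itself is generic over any finite transition system given as an initial state, an action set, a next-state function and a display function.

```python
"""Predictability check for a finite-state model of a number entry interface.

Added example (not from the paper). Predictability here means: the next
display must be a function of (current display, action) over all reachable
states, so the user never has to remember the history of presses.
"""
from collections import defaultdict, deque

# --- Constructed model: a value in tenths of a unit, 0.0 .. 99.9 -----------
MAX_TENTHS = 999
ACTIONS = ("up", "down", "pause")
# State = (value_in_tenths, accel). accel counts consecutive presses; after
# three presses the step size jumps from 0.1 to 1.0 (assumed behaviour, chosen
# to create hidden state that the plain display does not reveal).
INITIAL = (0, 0)


def step(state, action):
    """Next state of the constructed interface."""
    value, accel = state
    if action == "pause":                # key release: acceleration resets
        return (value, 0)
    delta = 1 if accel < 3 else 10       # 0.1 per press, 1.0 once accelerated
    if action == "down":
        delta = -delta
    new_value = min(MAX_TENTHS, max(0, value + delta))
    return (new_value, min(accel + 1, 3))


def display_value_only(state):
    """Original design: only the value is perceptible."""
    value, _ = state
    return f"{value // 10}.{value % 10}"


def display_with_step(state):
    """First attempted fix: also show the step size currently in force."""
    _, accel = state
    return (display_value_only(state), "step 1.0" if accel >= 3 else "step 0.1")


def display_with_counter(state):
    """Second fix: show the acceleration counter itself."""
    _, accel = state
    return (display_value_only(state), f"speed {accel}")


# --- Generic check ----------------------------------------------------------
def reachable_states(initial, actions, next_state):
    """Breadth-first exploration of the states reachable from `initial`."""
    seen = {initial}
    frontier = deque([initial])
    while frontier:
        s = frontier.popleft()
        for a in actions:
            t = next_state(s, a)
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def unpredictable_displays(initial, actions, next_state, display):
    """Map (display, action) -> set of possible next displays, restricted to
    the pairs whose outcome is NOT uniquely determined by the display.
    An empty result means the interface is predictable in the sense above."""
    outcomes = defaultdict(set)
    for s in reachable_states(initial, actions, next_state):
        for a in actions:
            outcomes[(display(s), a)].add(display(next_state(s, a)))
    return {k: v for k, v in outcomes.items() if len(v) > 1}


if __name__ == "__main__":
    for name, disp in (("value only", display_value_only),
                       ("value + step size", display_with_step),
                       ("value + counter", display_with_counter)):
        bad = unpredictable_displays(INITIAL, ACTIONS, step, disp)
        shown = len({d for d, _ in bad})
        print(f"{name:18s}: {shown} unpredictable displays, "
              f"e.g. {next(iter(bad.items())) if bad else 'none'}")
```

Running it shows the point the analysis makes: with the value-only display every one of the 1000 displayed values is unpredictable for some key, because two states that look identical can differ in the hidden counter. Showing the step size currently in force is not enough either, since the counter that decides when the step changes is still invisible, so three states showing "0.0 / step 0.1" lead to different displays after the same press. Only when the display reveals everything that determines the next output (here the counter itself) does the check come back empty.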


Keywords: Predictability; Interactive system design; Model checking; Higher-order logic; SAL



Funded as part of the CHI+MED: Multidisciplinary Computer-Human Interaction research for the design and safe use of interactive medical devices project, EPSRC Grant Number EP/G059063/1, and Extreme Reasoning, Grant Number EP/F02309X/1.



Copyright information

© Springer-Verlag London 2013

Authors and Affiliations

  • Paolo Masci (1)
  • Rimvydas Rukšėnas (1)
  • Patrick Oladimeji (2)
  • Abigail Cauchi (2)
  • Andy Gimblett (2)
  • Yunqiu Li (2)
  • Paul Curzon (1)
  • Harold Thimbleby (2)

  1. Queen Mary University of London, School of Electronic Engineering and Computer Science, London, UK
  2. Future Interaction Technology Lab, Swansea University, Swansea, UK
