Phase 1 of 6
Scoping & CPOE / Pharmacy Integration
Define the order-entry surface, latency budget, alert philosophy, and integration boundaries before any model is designed. The order submit button is waiting — every architectural decision downstream lives or dies by these constraints.
0/8
Phase Progress
Required Recommended Optional Open-Source Proprietary Trinidy
Order Entry Surface & Latency Budget
Identify CPOE / pharmacy surfaces in scope
Why This Matters
The surface determines both the data available and the alert shape. Epic BestPractice Advisories (BPAs) fire synchronously in the ordering flow with a hard sub-500ms budget, while Omnicell or BD Pyxis cabinet checks operate on a different latency envelope and receive a very different feature set. Dispensing-error literature (ISMP analyses) places the baseline dispensing error rate near 5% of all dispensed doses — interventions earlier in the flow (CPOE) prevent errors at roughly 10x the downstream cost recovery of pharmacy-stage catches.
Note prompts — click to add
+ Which surfaces already have integration points available today vs. require EHR vendor engagement?+ Do we have a single model serving all surfaces or surface-specific models tuned to each decision point?+ Who owns the alert contract per surface — pharmacy informatics, CMIO, or the model team?
Required
Confirm the order-entry and pharmacy verification surfaces the model must decision against in real time.
Select all that apply
Epic Willow inpatient CPOE (BestPractice Advisories)
Epic Willow ambulatory CPOE
Oracle Health (Cerner) Millennium PowerChart / PowerOrders
Pharmacy verification workflow (Epic Willow / Cerner PharmNet)
Automated dispensing (Omnicell / BD Pyxis) at cabinet pull
Infusion pump smart-library cross-check
Discharge medication reconciliation
Anticoagulation / high-alert medication module
required
✓ saved
Define end-to-end inference latency SLA
Why This Matters
The Epic Willow CDS integration spec places a hard ceiling near 500ms end-to-end — beyond that the advisory renders after the physician has already tabbed to the next field or clicked submit, and the alert is functionally invisible. Cloud API calls at order entry commonly introduce 100–800ms of variable latency, which is why AHRQ and JAMIA both emphasize in-EHR deployment for mission-critical CDS. Latency is not a performance metric here — it is a patient-safety metric.
Note prompts — click to add
+ What is our measured p99 latency today from order-entry action to advisory render?+ Have we stress-tested under morning-rush peak load (7–9am admission surges)?+ What is our fallback behavior on latency breach — silent suppression, rules-only fallback, or block submit?
Required
Select the p99 latency budget the medication-safety model must hold inside the order-entry flow.
Single choice
< 200ms p99 (aggressive — leaves room for BPA rendering)
< 500ms p99 (Epic Willow CDS integration ceiling)
< 1s p99 (pharmacy verification workflow)
< 2s p99 (discharge reconciliation / non-blocking)
Tiered by surface (mixed SLA)
requirededgetrinidy
TrinidyCloud-routed inference adds 100–800ms of variable round-trip to every order — inside the 500ms CPOE window that is an alert the physician never sees. NEXUS OS runs the interaction graph and dosing models on-node inside the EHR perimeter, keeping p99 predictable and deterministic.
✓ saved
Define alert fatigue tolerance and interruptive threshold
Why This Matters
Published literature on interruptive drug-interaction alerts consistently shows clinicians override the overwhelming majority — in many deployments override rates exceed 90%, turning safety logic into noise. The ISMP guidance on high-alert medications emphasizes that alert quality (PPV), not sensitivity alone, drives real safety outcomes. Without a measured interruptive-alert budget per shift, optimization defaults to recall and alert fatigue silently compounds.
Note prompts — click to add
+ Do we measure interruptive alert rate per provider per shift, or only aggregate across the institution?+ What is our current override rate on drug-interaction alerts, and do we distinguish justified overrides from fatigue?+ Have we run a provider-burnout survey that includes alert burden as a factor?
Required
Set the maximum interruptive-alert rate per provider per shift that clinical leadership will tolerate.
Single choice
< 5 interruptive alerts per provider-shift (aggressive PPV target)
5–15 interruptive alerts per provider-shift (clinical target)
15–30 interruptive alerts per provider-shift (current state at many systems)
> 30 per shift (legacy CPOE baseline — active alert fatigue)
Not yet measured at the provider level
required
✓ saved
Establish missed-ADE tolerance for model classes
Why This Matters
The Joint Commission National Patient Safety Goal NPSG.03.06.01 specifically mandates anticoagulant safety programs — missed warfarin, DOAC, or heparin interactions carry both clinical harm and direct regulatory consequence. ISMP high-alert medication lists converge on the same classes: sensitivity floors for these groups must be clinically defended, not statistically averaged. National Academies / AHRQ 2024 estimates place US ADE harm at roughly 1.5M patients per year with 700K ED visits and 100K hospitalizations, with preventable events concentrated in these high-risk classes.
Note prompts — click to add
+ Do we have class-specific sensitivity targets approved by P&T committee, or a uniform threshold?+ Which classes require human verification regardless of model confidence?+ How do we document a missed serious interaction for root-cause and model retraining?
Required
Define the clinical floor for sensitivity by medication risk class.
Select all that apply
Anticoagulants (NPSG.03.06.01 — zero missed serious interactions target)
Insulin and hypoglycemics
Opioids (including PCA dosing)
Chemotherapy / high-risk oncolytics
Neuromuscular blocking agents
Pediatric weight-based dosing
Renally-cleared drugs (dose adjustment)
Hepatically-metabolized drugs
required
✓ saved
Confirm PHI on-premises / HIPAA sovereign deployment
Required
Confirm whether PHI must remain on-premises for the medication-safety inference plane.
Single choice
PHI must remain on-premises (most common for inpatient)
Private cloud in-region under BAA is acceptable
Public cloud under BAA is acceptable for inference
Hybrid: on-prem inference, de-identified training in cloud
Not yet decided by HIPAA privacy officer
requiredtrinidy
TrinidyHIPAA 45 CFR §164.312 technical safeguards plus hospital BAA posture almost always drive on-premises inference for CPOE-embedded CDS. NEXUS OS keeps medication history, labs, allergies, and model scoring inside the institution's existing PHI perimeter — no external API call at order entry.
✓ saved
Map FDA SaMD and ONC HTI-1 / HTI-2 applicability
Why This Matters
The 21st Century Cures Act §3060 created a narrow clinical decision support carve-out from FDA device regulation — medication-safety models that display inputs and allow the clinician to independently review typically qualify, but models that autonomously adjust dosing do not. ONC HTI-1 (2024) and HTI-2 impose separate transparency and risk-management requirements on Decision Support Interventions embedded in certified EHRs, with HTI-2 enforcement now active. CMS Conditions of Participation 42 CFR §482.25 requires medication management controls as a condition of reimbursement — a documented failure is a CMS sanction path, not a soft issue.
Note prompts — click to add
+ Has regulatory affairs signed off that our model fits the CDS carve-out criteria?+ Are our HTI-1 DSI disclosures published and kept current with model changes?+ Who owns the FDA Pre-Submission strategy if we ever move out of the CDS carve-out?
Required
Confirm the regulatory classification of the medication-safety model under current US digital health rules.
Select all that apply
FDA SaMD — clinical decision support carve-out under 21st Century Cures §3060
FDA SaMD — device (full 510(k) / De Novo pathway)
ONC HTI-1 Decision Support Intervention (DSI) transparency requirements
ONC HTI-2 expanded DSI oversight (active enforcement)
CMS Conditions of Participation — medication management (42 CFR §482.25)
Joint Commission NPSG.03.06.01 (anticoagulant safety)
Not yet assessed by regulatory affairs
required
✓ saved
Define degraded-mode behavior on downtime or isolation
Required
Specify the medication-safety behavior when network isolation, EHR downtime, or model unavailability occurs.
Single choice
Fall back to legacy FDB / Lexicomp / Micromedex rules engine
Fall back to internal rule-set on last-good cached features
Block high-risk orders pending pharmacy verification
Silent suppression — orders proceed with no CDS
Not yet formally defined
requirededgetrinidy
TrinidyNEXUS OS on-node deployment continues scoring during network isolation — no upstream dependency for the order-entry decision. Downtime behavior is pre-specified, not emergent.
✓ saved
Establish scope of clinical decision authority
Why This Matters
The decision-authority mode is a clinical-governance decision that directly interacts with the FDA CDS carve-out — a model that blocks orders without independent clinician review can exit the carve-out and enter the SaMD device pathway. Tiered-severity deployment (advisory for moderate, hard stop with pharmacist override for severe / NPSG.03.06.01 anticoagulant combinations) is the most common production pattern and preserves both the carve-out and the clinical safety posture.
Note prompts — click to add
+ Has P&T or the medication safety committee formally approved the decision-authority tier by severity?+ Who can override a hard-stop, and is that override logged with a reason code that feeds the training set?+ Does our HTI-1 DSI documentation match the actual decision authority in production?
Required
Define whether the model advises, warns, or blocks — and who authorizes each mode.
Single choice
Advisory only (non-interruptive, sidebar / inline hint)
Interruptive advisory (modal — clinician must acknowledge with reason code)
Hard stop for high-severity interactions (pharmacist override required)
Tiered by severity (mixed — most common)
Not yet defined by P&T or medication safety committee
required
✓ saved