Implementer guidance
This page contains guidance to implementers and is not part of the normative-track FHIRcast specification.
Synchronization Considerations
FHIRcast describes a mechanism for synchronizing distinct applications.
Sometimes things go wrong and applications fail to synchronize or become out of sync.
For example, the user within the EHR opens a new patient's record,
but the app fails to process the update and continues displaying the initial patient.
Depending upon the expectations of the user and the error handling of the applications in use,
this scenario is potentially risky.
Identified below are four distinct synchronization scenarios, ranging from lowest level of expected synchronization to highest.
Overall, FHIRcast does not dictate how applications should react to synchronization failure. You should design your product to meet your customer's expectations and needs. Appropriate error handling is specific to the synchronization scenario, user expectations and implemeter.
Also note that synchronization failure is a worst-case scenario and should rarely occur in production.
Scenarios
Below a couple of usage scenarios are listed where the risk of becoming out of sync are exemplified
Machine-to-machine-to-machine: Different machines, different times
Scenario: Clinician walks away from her desktop EHR and accesses an app on her mobile device which synchronizes to the EHR's hibernated session.
Consideration | Risk |
---|---|
Synchronization failure significance | low |
Performance expectations | negligible |
User inability to distinguish between synchronized applications | n/a |
Summary: This serial or sequential use-case is a convenience synchronization and the clinical risk for synchronization failure is low.
Cross device: Different machines, same time
Scenario: Clinician accesses her desktop EHR as well an app on her mobile device at the same time. Mobile device synchronizes with the EHR desktop session.
Consideration | Risk |
---|---|
Synchronization failure significance | medium |
Performance expectations | low |
User inability to distinguish between synchronized applications | low |
Summary: The user clearly distinguishes between the applications synchronized on multiple devices and therefore clinical risk for a synchronization failure depends upon the workflow and implementer's goals. User manual action may be appropriate when synchronization fails.
Same machine, same time
Scenario: Clinician is accessing two or more applications on the same machine in a single workflow.
Consideration | Risk |
---|---|
Synchronization failure significance | medium |
Performance expectations | high |
User inability to distinguish between synchronized applications | medium |
Summary: Although, disparate applications are distinguishable from one another, the workflow requires rapidly accessing one then another application. Application responsivity to synchronization is particularly important. Synchronization failure may introduce clinical risk and therefore user notification of synchronization failure is suggested.
Embedded apps: Same machine, same time, same UI
Scenario: Clinician accesses multiple applications within a single user interface.
Consideration | Risk |
---|---|
Synchronization failure significance | very high |
Performance expectations | high |
User inability to distinguish between synchronized applications | very high |
Summary: Disparate applications indistinguishable from one another require the greatest amount of context synchronization. Clinical risk of synchronization failure is critical. Application responsivity to synchronization should be high. Synchronization failure may introduce clinical risk and therefore user notification of synchronization failure is suggested.
Synchronization recommendations
FHIRcast is based on a subscription model where each subscribing client receives notifications of the updated state of the topic being subscribed to. There is no explicit requirement for a subscribing client to follow the context of another client. The subscription model also implies that it is the subscribing clients responsibility to maintain a contextual synchronization or to notify end users whenever the contextual synchronization is lost. However, as noted in above scenarios, there may be risk associated with the end user expectation of have two tightly synchronized applications if they fall out of sync. There are in some cases good reasons for a client not to follow the subscribed context and this section will outline some of the recommended approaches.
Blocking action on subscribing client preventing context synchronization
Many systems in some cases go into edit mode or start a modal dialog that locks the system from changing context without user intervention. Examples can be when modifying texts, reports, annotating images or performing administrative tasks. The clients may by design then decline to follow the subscribed context to prevent loss of end user data.
System | Failure mode | Possible actions |
---|---|---|
Subscribing Client | Modal dialog open in UI, unable to change case without losing end user data | Present end user with clear indication that contextual synchronization is lost |
Subscribing Client | Unable to change context | Respond with a http status code of 409 conflict |
Hub | One of the subscribing clients cannot follow context | No action/Update all subscribing clients with event sync-error |
Unresponsive callback url of subscribing client
This error scenario is all about the Hub losing contact with its subscribing clients. This may be due to a client crash, mis-configured callback url or simply an underlying network failure. In these cases the clients are usually not aware of the fact that the context has changed or that the subscription messages are not received.
System | Failure mode | Possible actions |
---|---|---|
Subscribing Client | No event received from Hub | No action possible |
Hub | Timeout or error from client callback url | No action/Retry/Update all subscribing clients with event sync-error |
Race condition during launch
Once an app is launched with initial context, for example, the currently in context patient, the app must subscribe before it receives notifications of updated context. Between the instant of launch and the instant of a confirmed subscription, it's technically possible for context to change, such that the newly launched app joins a session with stale contextual information. In most scenarios, this problem is likely noticeable by the end user. Apps should optimize the time required to launch and subscribe to reduce this likelihood.
Sync-error event received from Hub
In the scenarios where the Hub is aware of a synchronization error, it is advisable for the Hub to signal this to the subscribing applications to minimize any patient risk associated with having one or many applications out of sync.
System | Failure mode | Possible actions |
---|---|---|
Subscribing Client | Sync-error event received from Hub | Present end user with clear indication that contextual synchronization is lost |