Log in without ID functions on electronic blood tracking systems

[Chris Robbie]

Hi Carly

Thank you for your question. In your scenario, I am presuming that the restricted access prevent access by member of the public and certain staff groups, but that the staff groups that do have access would be a mix of staff with and without specific blood collection training. In that scenario, we would still only expect collection of blood by trained members of staff and barriers to untrained members of staff. As Mike posted above, the barrier in that case could be via other aspects of the quality system, such as training people at induction that they are not to collect blood under any normal circumstances. Given that blood may be required in emergencies when there are no trained members of staff available, you will need to build that scenario into you QMS and policies, such as an alternative way to get blood urgently via a BMS as described above. As a last resort, no one who needs blood should be denied it, a concessionary release process would need to be used where the person using the blood takes full responsibility for an untrained member of staff collecting the blood. Your blood collection policies and procedures must therefore reference not just how to collect blood under normal situations, but also detail how to obtain blood in urgent and emergency situations.

[KarenW]

We currently have a blood tracking system that has a 'crash code' option for collection by 'untrained' blood collectors and are about to upgrade to a system that no longer has this functionality. We do require this function and are therefore looking at alternatives. The crash code option requires the user to call blood transfusion to obtain the code for access and we can therefore document this concessionary release. We do feel we need this option as we have remote sites with emergency blood and no on-site BMS support. We have needed to use this option twice in the last 4 years. Following investigation of the last occasion, fairly recently, a couple of contributory issues were identified (the collector was actually an authorised and trained collector):
1. System is linked to active directory - if staff let their Trust network password expire they are unable to access the blood tracking system. This is an issue with porters who very rarely use a PC for everyday work. Password can be reset 24/7 by calling IT staff but this takes time which you don't have in an emergency situation
2. Each site where emergency blood available should have at least 2 trained blood collectors on duty at anytime - on this occasion one had failed to turn up for shift and the other didn't inform management of this so cover wasn't arranged.

So when the one trained blood collector can't access the system as they've let their password expiry and a patient is bleeding out you really do need an alternative!

[Rashmi]

Can’t the processes be set in a way that accessing the fridge via an override would alert the lab but allow access -perhaps a pop-up screen on the LIMS or a buzzer so lab staff / TP can investigate ASAP? The following concerns me with the various discussion points :

1. If clinical staff have to phone the lab for codes during an emergency this could result in a significant delay if the lab is unable to take the phone call or the phone system goes down ( think Murphy’s law ).
2. Can policies/ training state that if the override is used- then only emergency group O units are collected? Obviously this would need monitoring for adherence.

The key word is ‘emergency’- blood delays to the patient appears to be an increasing trend according to SHOT reports and having greater hurdles for our clinical staff to access units can only risk patient safety. It’s a fine balance.

I remember a case where some hospitals had key lock fridges in theatres- the blood was so secure that no one could access it during an emergency when the ODA had wandered off with the key in their pocket

bw

[Mike Dawe]

Hi

Just to clarify if there is a need to access a blood fridge by untrained personnel, such as in an emergency, this would substantiate concessionary access to mitigate the risk of serious patient harm. As such these situations should be avoided as per the regulation highlighted by Chris above. The key here is that in these situations there is a clear audit of who what when how and why is recorded. How you achieve this is up to the site but a site must reassure themselves that the relevant risks associated with these situations are mitigated in accordance with good practice risk principles i.e. such as in the situation described by KarenW above, in your 'crash code' situation, temporary access is granted by a BMS so it could be argued that, in this situation, the person collecting the blood has been granted authorised access and if their actions are recorded and audited, although reactive, risks can be controlled to a degree.

In the points above:

1. System is linked to active directory - if staff let their Trust network password expire they are unable to access the blood tracking system. This is an issue with porters who very rarely use a PC for everyday work. Password can be reset 24/7 by calling IT staff but this takes time which you don't have in an emergency situation.

You could mitigate this by introducing a system that requires passwords to be re set before the actually expire via a checking and audit system of active password by the 'owner' of the database.

2. Each site where emergency blood available should have at least 2 trained blood collectors on duty at anytime - on this occasion one had failed to turn up for shift and the other didn't inform management of this so cover wasn't arranged.

You can mitigate this by again having regular audits of trained personnel to ensure that they are always in date and also maybe make sure that at least 3 are trained i.e. 1x on holiday, 1x Sick, 1x Spare. In addition was this situation partly caused by a failure in effective communication or a failure of staff to follow Trust Policy? If it was then you should investigate root cause and then mitigate as appropriate?

1. If clinical staff have to phone the lab for codes during an emergency this could result in a significant delay if the lab is unable to take the phone call or the phone system goes down ( think Murphy’s law ).

This should be exercised as part of your BCP self assessment process highlighting what the length of delay might be and what situation actually cause the delay. Once this is assessed you can then introduce mitigation within the context of your business processes.

2. Can policies/ training state that if the override is used- then only emergency group O units are collected? Obviously this would need monitoring for adherence.

This is a very fair point however it does not tell the whole story as you are still allowing access to unauthorised staff who may be able to take the wrong thing or tamper with other units in the fridge unless you are using a SMART fridge i.e. bloodtrack fridges.

Please remember i am only playing devil’s advocate here but the realisation with regards to the regs is that every process must be thought through to identify relevant risk (s) so it can be mitigated effectively to protect patient safety and not to deny essential treatment that may result in major morbidity and not to deny access to emergency treatment in such a rigid way that does not allow flexibility in accordance with possible situations that a site may face.

Another regulation that you may find a useful reference is:

9.1.6 Deviations from established procedures should be avoided as much as possible and should be documented and explained. Any errors, accidents or significant deviations that may affect the quality or safety of blood and blood components should be fully recorded and investigated in order to identify systematic problems that require corrective action. Appropriate corrective and preventive actions should be defined and implemented.

I hope this all makes sense and helps with your thoughts going forwards.

Kind regards

Mike