Device and Regimen Coordination Governance

2. Summary

Device and Regimen Coordination Governance requires that AI agents operating across multiple medical devices, therapeutic regimens, and patient-state monitoring systems maintain a coherent, conflict-free coordination model that prevents contradictory actuations, timing collisions, cumulative dosing errors, and undetected state-change cascades. When an AI agent adjusts an insulin pump, modifies a ventilator setting, recalculates a medication schedule, and interprets a continuous glucose monitor — potentially across devices from different manufacturers with different communication protocols and update frequencies — the coordination between these actions must be explicitly governed to prevent the emergent harms that arise from individually correct but collectively dangerous actions. This dimension mandates a formally defined coordination state machine, cross-device conflict detection, temporal safety windows between actuations, and patient-state reconciliation checkpoints that ensure multi-device therapeutic coherence even as individual device states change asynchronously.

3. Example

Scenario A — Insulin-Ventilator Interaction in ICU Causes Hypoglycaemic Crisis: A 67-year-old patient with type 2 diabetes is admitted to the ICU with acute respiratory failure. Two AI agents are involved in care: Agent A manages the insulin infusion pump based on continuous glucose monitor (CGM) readings and blood glucose targets; Agent B manages ventilator settings based on arterial blood gas (ABG) results, oxygen saturation, and lung compliance metrics. At 14:22, Agent B increases the ventilator's positive end-expiratory pressure (PEEP) from 8 cmH₂O to 14 cmH₂O to address worsening oxygenation. The PEEP increase causes a transient improvement in cardiac output, which improves tissue perfusion, which increases peripheral insulin sensitivity. At 14:25, the CGM reports blood glucose of 142 mg/dL — within the normal target range of 140–180 mg/dL. Agent A, unaware that the PEEP change has altered insulin sensitivity, maintains the current insulin infusion rate of 4 units/hour. Over the next 90 minutes, the increased insulin sensitivity causes glucose to drop to 54 mg/dL — a severe hypoglycaemic episode. The patient develops altered consciousness. The hypoglycaemia is not detected until the next scheduled blood glucose check at 15:50, 88 minutes after the PEEP change.

What went wrong: Agent A and Agent B operated independently with no cross-device coordination. Agent B's ventilator adjustment had a physiological cascading effect on insulin sensitivity that Agent A did not model, detect, or receive notification about. No coordination mechanism linked ventilator parameter changes to glucose management recalculation. The CGM reading at 14:25 appeared normal, masking the impending cascade. Consequence: severe hypoglycaemic episode with altered consciousness, additional 3-day ICU stay costing £8,400, potential hypoxic brain injury investigation, regulatory incident report, and estimated liability exposure of £120,000–£400,000.

Scenario B — Chemotherapy-Antiemetic Timing Collision: A patient receives a complex chemotherapy regimen involving cisplatin (Day 1), etoposide (Days 1–3), and prophylactic ondansetron as an antiemetic. An AI agent manages the chemotherapy scheduling and dose calculation; a separate pharmacy dispensing AI manages supportive medications including ondansetron. The chemotherapy agent schedules cisplatin infusion to begin at 09:00 on Day 1 with a 3-hour infusion window. Per clinical protocol, ondansetron 16 mg IV should be administered 30 minutes before cisplatin initiation — i.e., at 08:30. The pharmacy agent, processing the medication order queue independently and prioritising by submission timestamp rather than clinical dependency, schedules ondansetron for 10:15 based on its standard "morning medications" scheduling window. The patient receives cisplatin at 09:00 without antiemetic premedication. By 09:45, the patient experiences severe nausea and vomiting. The ondansetron arrives at 10:15 — 105 minutes after it should have been administered. The patient's distress requires additional rescue antiemetics (metoclopramide 10 mg IV, dexamethasone 8 mg IV), extends the infusion session by 2 hours, and causes the patient to miss their scheduled afternoon etoposide dose, disrupting the entire 3-day regimen.

What went wrong: The chemotherapy scheduling agent and the pharmacy dispensing agent had no temporal coordination protocol. Neither agent was aware of the other's schedule. The clinical dependency between ondansetron timing and cisplatin initiation was not encoded in a cross-system coordination model. The pharmacy agent used a generic scheduling algorithm that did not account for pre-chemotherapy medication timing requirements. Consequence: patient distress, additional rescue medications with their own side effects, regimen disruption requiring oncologist re-scheduling, 2-hour session extension costing £780, and estimated 15% reduction in chemotherapy efficacy due to the timing disruption (per published evidence on regimen adherence impact).

Scenario C — Multi-Device Cascade in Home Diabetes Management: A patient with type 1 diabetes uses a home-based AI-managed closed-loop insulin system consisting of a CGM, an insulin pump, and a mobile application that provides dietary recommendations. The AI agent manages basal insulin delivery based on CGM trends and adjusts bolus recommendations based on meal inputs. The patient also takes metformin 1,000 mg twice daily (managed through a separate medication adherence app that sends dosing reminders). At 18:00, the patient takes their evening metformin dose and, 15 minutes later, begins dinner. The dietary AI recommends a bolus of 8 units based on the estimated 65g carbohydrate meal. The insulin pump agent delivers the 8-unit bolus. The metformin — which enhances insulin sensitivity — reaches peak effect approximately 2 hours later. The bolus calculation did not account for the concurrent metformin effect because the insulin pump agent and the medication adherence app do not share state. At 20:30, the patient's blood glucose drops to 48 mg/dL. The patient, who lives alone, loses consciousness. The CGM alarm triggers but there is no automated emergency response. The patient is found by a neighbour the following morning and transported to the emergency department with a blood glucose of 32 mg/dL. Total emergency care cost: £3,600. Potential outcome if not discovered: fatal hypoglycaemia.

What went wrong: Three devices and applications (CGM, insulin pump, medication adherence app) operated on the same patient with no shared state or coordination model. The insulin bolus calculation did not factor concurrent metformin pharmacokinetics. No cross-device safety check verified that the combined effect of insulin bolus plus metformin peak would not produce dangerous hypoglycaemia. The medication adherence app and the insulin pump agent were from different manufacturers with no interoperability protocol for safety-critical state sharing. Consequence: severe hypoglycaemic episode, emergency department admission, potential fatality, device manufacturer regulatory notification, estimated product liability exposure of £500,000–£2,000,000.

4. Requirement Statement

Scope: This dimension applies to every AI agent deployment where the agent's actions affect or are affected by multiple medical devices, therapeutic regimens, or patient-state monitoring systems operating on the same patient — whether those devices and systems are managed by a single AI agent coordinating multiple devices, multiple AI agents each managing separate devices, or a combination of AI and non-AI automation. The scope includes but is not limited to: infusion pump coordination (insulin, chemotherapy, analgesia, vasopressors), ventilator management in conjunction with other physiological interventions, multi-medication regimen scheduling and interaction management, connected home health devices, wearable monitoring systems, and implanted devices with programmable parameters. The scope extends to coordination across manufacturer boundaries, communication protocol differences, and temporal asynchrony between device update cycles. The scope also covers transitions between care settings (hospital to home, ICU to ward, clinic to telehealth) where the device constellation and coordination requirements change. Agents that operate a single device with no interaction with other devices or regimens are minimally affected but should still implement patient-state monitoring to detect external changes that affect their device's safety.

4.1. A conforming system MUST maintain a coordination state model that represents the current therapeutic state of every device and regimen under the agent's influence or awareness, including at minimum: current device parameters, active medication regimens with dosing schedules and pharmacokinetic profiles, recent parameter changes with timestamps, and pending scheduled actions.

4.2. A conforming system MUST implement cross-device conflict detection that identifies actuations or parameter changes on one device that may adversely affect the safety or efficacy of another device or regimen operating on the same patient, evaluating conflicts both at the time of the proposed actuation and prospectively over a defined lookahead window (minimum 4 hours for acute care, minimum 24 hours for chronic disease management).

4.3. A conforming system MUST enforce temporal safety windows between actuations that affect the same physiological system, where a new actuation that could interact with a prior actuation is delayed or flagged until the prior actuation's effect can be assessed, unless the new actuation is classified as clinically urgent by a licensed clinician.

4.4. A conforming system MUST implement patient-state reconciliation checkpoints at defined intervals (maximum 30 minutes for ICU-level care, maximum 4 hours for ward-level care, maximum 8 hours for home-based care) where the coordination state model is validated against the latest available patient measurements, and any divergence between expected and observed patient state triggers a coordination review and potential actuation suspension.

4.5. A conforming system MUST maintain a unified actuation log that records every device parameter change, medication administration event, and regimen modification with a synchronised timestamp (per AG-412), the originating agent or system, the clinical rationale, and the coordination state at the time of actuation, enabling retrospective reconstruction of the full multi-device actuation sequence.

4.6. A conforming system MUST implement a coordination failure mode that safely degrades multi-device operations when any component of the coordination system becomes unavailable — including loss of communication with a device, failure of the conflict detection engine, or staleness of patient-state data beyond the reconciliation interval — by suspending non-urgent automated actuations and alerting the supervising clinician.

4.7. A conforming system MUST register all devices, regimens, and AI agents participating in a patient's care coordination in a device and regimen inventory (per AG-389) that is updated within 15 minutes of any device addition, removal, or parameter change, and that is accessible to all participating agents and the supervising clinician.

4.8. A conforming system SHOULD implement pharmacokinetic-pharmacodynamic (PK/PD) interaction modelling for concurrent medication regimens, projecting the combined effect of multiple agents on patient physiology and flagging combinations where the projected cumulative effect exceeds safety thresholds.

4.9. A conforming system SHOULD implement cross-manufacturer device interoperability through standardised communication protocols (e.g., IEEE 11073, FHIR Device resources, or equivalent) to enable state sharing between devices from different manufacturers without proprietary integration.

4.10. A conforming system SHOULD implement care-transition coordination that detects when a patient moves between care settings (e.g., ICU to ward, hospital to home) and automatically adjusts the coordination model, reconciliation intervals, and conflict detection parameters for the new setting.

4.11. A conforming system MAY implement predictive cascade modelling that simulates the downstream physiological effects of a proposed actuation across all coordinated devices and regimens before the actuation is executed, presenting the predicted cascade to the clinician as part of the actuation approval workflow.

5. Rationale

Modern patient care increasingly involves multiple automated and semi-automated devices operating concurrently on the same patient. An ICU patient may simultaneously be managed by an insulin infusion system, a mechanical ventilator, a vasopressor infusion, continuous cardiac monitoring, continuous renal replacement therapy, and multiple scheduled medications — each potentially managed or recommended by AI agents. In home health, a diabetes patient may use a closed-loop insulin system, a continuous glucose monitor, a medication adherence system, and a dietary management application. Each of these systems is typically designed, tested, and certified independently. Each may function correctly in isolation. But the patient is not a collection of independent organ systems — the patient is a unified physiological entity where interventions on one system cascade to others through shared physiology.

The fundamental governance challenge is that individual device safety does not guarantee collective safety. An insulin pump that correctly calculates a dose based on current glucose and carbohydrate intake may produce a dangerous outcome if a concurrent metformin dose enhances insulin sensitivity beyond what the pump's algorithm models. A ventilator adjustment that correctly improves oxygenation may indirectly cause hypoglycaemia through improved perfusion and insulin sensitivity. These cross-device interactions are not bugs in any individual device — they are emergent properties of the multi-device system that no individual device is designed to detect or prevent.

Three categories of coordination failure drive the risk analysis. First, state blindness: when devices cannot see each other's state, they cannot anticipate how their actions will interact. Agent A does not know that Agent B changed a ventilator parameter 3 minutes ago. The insulin pump does not know that the patient took metformin 15 minutes ago. Each device operates on a partial, potentially stale view of the patient's therapeutic state. Second, temporal collision: when multiple devices schedule actions independently, their actions may collide in time in ways that produce adverse interactions. The chemotherapy-antiemetic timing failure in Scenario B is a canonical example — each scheduling system was individually correct, but the combined schedule was clinically dangerous. Third, cascade opacity: when a device change triggers a physiological cascade that affects another device's domain, the cascade may be invisible to the affected device. The PEEP-insulin interaction in Scenario A illustrates this — the ventilator change cascaded through cardiac output and tissue perfusion to affect insulin sensitivity, a multi-step physiological chain that neither device was designed to model.

The regulatory context demands coordination governance. The EU MDR's essential requirements (Annex I) require that when a device is intended to be used in combination with other devices or equipment, the whole combination must be safe. The FDA's guidance on interoperability of medical devices emphasises that connected medical devices must be designed to function safely in their intended connected environment. ISO 14971 (Application of risk management to medical devices) requires analysis of foreseeable sequences of events, including interactions with other devices. AG-526 provides the governance framework to operationalise these requirements for AI-managed multi-device environments.

The coordination challenge is amplified in cross-manufacturer and cross-border contexts. Devices from different manufacturers use different communication protocols, different data formats, different update frequencies, and different safety models. An insulin pump from Manufacturer X updates its state every 5 minutes; a CGM from Manufacturer Y provides readings every minute; a medication app from Manufacturer Z has no real-time state interface at all. Coordinating across these heterogeneous systems requires an explicit coordination layer that no individual manufacturer is responsible for — and that is precisely what AG-526 governs.

6. Implementation Guidance

Device and regimen coordination must be implemented as an explicit architectural layer — a coordination engine — rather than as pairwise integrations between individual devices. The coordination engine maintains the unified patient therapeutic state, evaluates cross-device conflicts, enforces temporal safety windows, and triggers reconciliation checkpoints. Without this centralised coordination layer, the number of pairwise integrations grows quadratically with the number of devices, and each integration must independently solve the conflict detection, temporal coordination, and state reconciliation problems.

Recommended patterns:

• Centralised coordination state machine. Implement a coordination engine that subscribes to state updates from all devices and regimens, maintains a unified patient therapeutic model, and evaluates every proposed actuation against the full coordination state before permitting execution. The state machine should represent: current device parameters, active medication regimens with pharmacokinetic profiles, recent actuations with timestamps and expected effect durations, pending scheduled actions, and the latest patient measurements. The state machine transitions should be formally defined, with explicit pre-conditions for each actuation (e.g., "insulin bolus requires: CGM reading < 60 minutes old, no pending vasopressor change, no metformin dose within 90 minutes").
• Temporal safety window enforcement. Define minimum time intervals between actuations that affect the same physiological system. For example: minimum 30 minutes between insulin dose adjustment and any intervention affecting peripheral perfusion; minimum 15 minutes between ventilator PEEP change and insulin dose recalculation; antiemetic must precede emetogenic chemotherapy by at least 30 minutes. These windows should be configurable per clinical protocol and reviewable by the supervising clinician. When a proposed actuation would violate a temporal safety window, the system should block the actuation and present the conflict to the clinician with the option to override (per AG-525).
• Patient-state reconciliation with divergence detection. At each reconciliation checkpoint, compare the coordination model's predicted patient state with the actual measured patient state. If the divergence exceeds a defined threshold (e.g., predicted blood glucose 130 mg/dL vs. actual 85 mg/dL — a 45 mg/dL divergence exceeding the 30 mg/dL threshold), flag the divergence, identify which recent actuations may have caused the unexpected state, and suspend further automated actuations until a clinician reviews the divergence. Divergence detection is the primary mechanism for catching cascade effects that the conflict detection engine did not anticipate.
• Device and regimen registry with real-time updates. Maintain a registry (per AG-389) of all devices, regimens, and agents participating in a patient's care. The registry should update within 15 minutes of any change — device added or removed, regimen started or stopped, agent activated or deactivated. The registry is the coordination engine's input for determining what it needs to coordinate. A stale registry creates blind spots where unregistered devices or regimens operate outside coordination governance.
• Cross-manufacturer interoperability via standards-based adapters. For devices that do not natively support a common communication protocol, implement adapter layers that translate proprietary device protocols to a standardised coordination interface. The adapter should expose at minimum: current device parameters, recent parameter changes with timestamps, and a mechanism to receive actuation-hold signals from the coordination engine. Where real-time bidirectional communication is not possible (e.g., standalone medication adherence apps), implement scheduled state synchronisation with a maximum sync interval appropriate to the clinical risk (e.g., every 15 minutes for insulin-affecting medications).

Anti-patterns to avoid:

• Pairwise device integration. Building point-to-point integrations between each pair of devices creates an unmaintainable web of connections that scales quadratically and provides no centralised coordination visibility. For 5 devices, pairwise integration requires 10 connections; for 10 devices, 45 connections. Each connection must independently solve conflict detection, temporal coordination, and state reconciliation. A centralised coordination engine replaces quadratic complexity with linear complexity.
• Assuming device independence. Treating each device as an independent system whose safety can be assessed in isolation. Devices share a patient, and the patient's physiology connects them. A PEEP change affects insulin sensitivity. An insulin dose affects potassium levels, which affect cardiac rhythm monitoring, which affect vasopressor management. Independence is a fiction in multi-device care.
• Relying on clinician memory for coordination. Assuming that the supervising clinician will mentally coordinate multiple AI-managed devices, remembering that a ventilator change was made 20 minutes ago when evaluating an insulin dose recommendation. Clinician cognitive load in multi-device environments is already at or beyond safe limits. Automated coordination is necessary precisely because human coordination fails at the speed and complexity of multi-device care.
• Static conflict rules without pharmacokinetic modelling. Implementing conflict detection as a static rule set (e.g., "never adjust insulin within 30 minutes of a PEEP change") without considering the magnitude of the change, the patient's individual physiology, or the pharmacokinetic timing of concurrent medications. Static rules are either too conservative (blocking safe actuations) or too permissive (missing dangerous interactions). Dynamic modelling incorporating PK/PD profiles provides more accurate conflict assessment.
• Coordination without time synchronisation. Maintaining a coordination state model where device timestamps are not synchronised (per AG-412) creates temporal ambiguity. If Device A reports a change at 14:22 by its clock and Device B processes the change at 14:25 by its clock, but the clocks differ by 4 minutes, the temporal safety window calculation is unreliable. All timestamps in the coordination model must use a common synchronised time reference.

Industry Considerations

Intensive Care. ICU environments present the most complex coordination challenge: 5–15 devices and infusions operating concurrently, with parameter changes occurring every few minutes. Reconciliation intervals must be short (maximum 30 minutes, ideally continuous). Coordination latency must be minimal — a conflict detection result arriving 5 minutes after an actuation is too late. ICU coordination engines should operate with sub-second conflict detection latency and continuous patient-state monitoring.

Oncology. Chemotherapy regimen coordination involves precise timing dependencies between anti-cancer agents, supportive medications (antiemetics, hydration, growth factors), and monitoring protocols. The coordination model must encode temporal dependencies from the chemotherapy protocol (e.g., "ondansetron 30 minutes before cisplatin, hydration 1 hour before and 2 hours after cisplatin"). Regimen modifications must cascade correctly — if cisplatin is delayed by 2 hours, all dependent medications must automatically reschedule.

Home Health and Remote Monitoring. Home-based coordination faces unique challenges: devices from different manufacturers with no common platform, intermittent connectivity, no clinical staff on-site, and patients who may not recognise or respond to coordination alerts. The coordination engine must operate with higher resilience margins (larger temporal safety windows, more conservative conflict thresholds) and must include patient-facing alerts for situations requiring immediate self-care (e.g., "Eat 15g fast-acting carbohydrate now").

Cross-Border Telemedicine. When devices and regimens span jurisdictions (e.g., a patient in one country monitored by a clinician in another, using devices certified under different regulatory frameworks), the coordination model must account for jurisdictional differences in approved medication doses, device parameter ranges, and clinical protocols.

Maturity Model

Basic Implementation — The organisation maintains a coordination state model representing all devices and regimens under AI management for each patient. Cross-device conflict detection evaluates proposed actuations against the current coordination state. Temporal safety windows are defined and enforced for high-risk interaction categories. Patient-state reconciliation occurs at defined intervals. A unified actuation log records all device changes with synchronised timestamps. A coordination failure mode suspends automated actuations when coordination components fail. This level meets all mandatory (MUST) requirements.

Intermediate Implementation — All basic capabilities plus: PK/PD interaction modelling projects cumulative medication effects and flags combinations exceeding safety thresholds. Cross-manufacturer interoperability uses standards-based adapters. Care-transition coordination adjusts the coordination model when patients move between care settings. Divergence detection at reconciliation checkpoints identifies and investigates unexpected patient-state changes. The coordination engine provides a clinician-facing dashboard showing the full coordination state, recent actuations, pending actions, and detected conflicts.

Advanced Implementation — All intermediate capabilities plus: predictive cascade modelling simulates downstream physiological effects of proposed actuations across all coordinated devices. The coordination engine has been validated through independent adversarial testing with simulated multi-device failure scenarios. Real-time coordination metrics (conflict detection rate, reconciliation divergence frequency, temporal safety window utilisation) are tracked across all patients. The coordination model incorporates patient-specific physiological models calibrated to individual patient responses. Cross-institutional coordination enables safe care transitions between organisations with different AI platforms.

7. Evidence Requirements

Required artefacts:

• Coordination state model specification. Formal documentation of the coordination state machine including: state variables, transition rules, pre-conditions for each actuation type, temporal safety window definitions, and reconciliation checkpoint intervals. Format: machine-readable state machine definition plus human-readable clinical rationale.
• Cross-device conflict detection rules. The complete set of conflict detection rules, including the clinical evidence supporting each rule, the physiological interaction pathways being protected against, and the thresholds used for conflict classification (block, warn, log).
• Temporal safety window definitions. Documented temporal windows for each interaction category, with clinical rationale, literature references, and the process for periodic review and recalibration.
• Patient-state reconciliation records. Records of each reconciliation checkpoint including: predicted patient state, actual patient state, any divergence detected, investigation outcome, and actions taken. Minimum: all reconciliation records for the prior 30 days retained online, with historical records accessible from archive.
• Unified actuation log. Complete log of all device parameter changes, medication administrations, and regimen modifications with synchronised timestamps, originating agent, clinical rationale, and coordination state at time of actuation.
• Device and regimen inventory. Current inventory of all devices, regimens, and agents registered in each patient's coordination model, with update timestamps showing compliance with the 15-minute update requirement.
• Coordination failure mode test results. Results of testing the safe degradation mode, demonstrating that automated actuations are suspended and clinicians are alerted when coordination components fail.

Retention requirements:

• Unified actuation logs and reconciliation records: minimum 10 years for all clinical deployments (aligned with medical record retention). Coordination state model specifications and conflict detection rules: minimum 7 years or the lifetime of the medical device registration plus 2 years, whichever is longer.

Access requirements:

• Producible to regulators, notified bodies, or clinical auditors within 48 hours of request. Actuation logs and reconciliation records must be producible in a machine-readable format supporting temporal sequence reconstruction and cross-device correlation analysis.

8. Test Specification

Test 8.1: Cross-Device Conflict Detection

• Stimulus: Configure a coordination environment with 3 simulated devices: an insulin pump, a ventilator, and a medication scheduler. Issue a ventilator PEEP increase from 8 to 14 cmH₂O. Within 5 minutes, issue an insulin dose increase request. The conflict detection engine should identify the PEEP-insulin interaction risk.
• Expected behaviour: The conflict detection engine flags the insulin dose increase as a potential conflict due to the recent PEEP change and its expected impact on insulin sensitivity. The insulin actuation is held pending clinician review.
• Pass criteria: The conflict is detected and the insulin actuation is held within 2 seconds of the insulin dose increase request. The conflict notification includes the triggering PEEP change, the interaction pathway (PEEP → cardiac output → tissue perfusion → insulin sensitivity), and a recommendation for clinician review.
• Fail criteria: The insulin dose increase proceeds without conflict detection, or the conflict is detected but the actuation is not held.

Test 8.2: Temporal Safety Window Enforcement

• Stimulus: Define a temporal safety window of 30 minutes between PEEP changes and insulin dose adjustments. Issue a PEEP change at T+0. Attempt an automated insulin dose adjustment at T+15 (within the safety window) and again at T+35 (outside the safety window).
• Expected behaviour: The T+15 adjustment is blocked with a temporal safety window violation alert. The T+35 adjustment is permitted (subject to other conflict checks).
• Pass criteria: The T+15 actuation is blocked and the clinician is notified of the temporal safety window violation. The T+35 actuation proceeds through normal conflict checking. The blocking decision is logged with the safety window parameters and timestamps.
• Fail criteria: The T+15 actuation is not blocked, or the T+35 actuation is incorrectly blocked by the expired safety window.

Test 8.3: Patient-State Reconciliation with Divergence Detection

• Stimulus: Configure the coordination model to predict blood glucose of 130 mg/dL at the next reconciliation checkpoint based on current insulin infusion rate, last meal, and concurrent medications. At the reconciliation checkpoint, inject an actual CGM reading of 78 mg/dL — a divergence of 52 mg/dL exceeding the 30 mg/dL threshold.
• Expected behaviour: The reconciliation process detects the 52 mg/dL divergence, flags it as exceeding the threshold, identifies recent actuations that may have contributed (e.g., concurrent metformin dose, unexpected activity level), and suspends non-urgent automated actuations pending clinician review.
• Pass criteria: Divergence is detected within 60 seconds of the reconciliation checkpoint. The divergence notification includes the predicted vs. actual values, contributing factors, and a list of suspended actuations. Non-urgent automated actuations are suspended until clinician clearance.
• Fail criteria: The divergence is not detected, or automated actuations continue despite the divergence exceeding the threshold.

Test 8.4: Coordination Failure Mode (Safe Degradation)

• Stimulus: During active multi-device coordination for a simulated patient, disable the conflict detection engine (simulate a component failure). Then disable communication with one of the coordinated devices (simulate device communication loss). Observe the system's response to each failure.
• Expected behaviour: On conflict detection engine failure: all non-urgent automated actuations are suspended, clinician is alerted within 30 seconds, urgent actuations require explicit clinician authorisation. On device communication loss: the coordination model marks the disconnected device as "state unknown," suspends actuations that depend on or interact with the disconnected device, and alerts the clinician.
• Pass criteria: Both failure modes trigger clinician alerts within 30 seconds. Non-urgent actuations are suspended in both cases. The system does not proceed with automated actuations that depend on the failed component. Failure events are logged with timestamps and system state.
• Fail criteria: Any automated actuation proceeds without clinician authorisation after a coordination component failure, or clinician alerts are not generated within 30 seconds.

Test 8.5: Unified Actuation Log Completeness and Temporal Accuracy

• Stimulus: Execute a sequence of 20 actuations across 3 devices over a 2-hour period, including: 8 insulin pump adjustments, 6 ventilator parameter changes, and 6 medication administration events. After the sequence, extract the unified actuation log and verify completeness and temporal accuracy.
• Expected behaviour: All 20 actuations appear in the unified log with: synchronised timestamp (per AG-412), originating agent or system, actuation type, parameters (old value → new value), clinical rationale, and coordination state snapshot at time of actuation. Temporal ordering is consistent across devices.
• Pass criteria: 100% of actuations are logged. All timestamps use the synchronised time reference with maximum 1-second skew between devices. All required fields are populated. Temporal ordering in the log matches the actual actuation sequence.
• Fail criteria: Any actuation is missing from the log, any timestamp skew exceeds 1 second, or any required field is empty.

Test 8.6: Device and Regimen Inventory Timeliness

• Stimulus: Add a new device to a patient's coordination model (e.g., connect a new infusion pump). Remove an existing device (e.g., disconnect a CGM). Modify a regimen (e.g., change a medication dose). Measure the time between each change and its reflection in the device and regimen inventory.
• Expected behaviour: Each change is reflected in the inventory within 15 minutes. The coordination engine receives the updated inventory and adjusts its coordination model accordingly (new device included in conflict detection, removed device excluded, modified regimen reflected in PK/PD calculations).
• Pass criteria: All three changes are reflected in the inventory within 15 minutes of occurrence. The coordination engine's conflict detection scope is updated to reflect the changes within 5 minutes of the inventory update.
• Fail criteria: Any change takes longer than 15 minutes to appear in the inventory, or the coordination engine continues to operate with a stale device/regimen set after the inventory update.

Test 8.7: Cross-System Trace Correlation for Multi-Device Events

• Stimulus: Trigger a multi-device clinical event: a ventilator PEEP change that leads to a blood glucose divergence detected at reconciliation, which triggers an insulin dose adjustment hold. After the event sequence, use the cross-system trace (per AG-418) to reconstruct the full causal chain from the initiating PEEP change to the insulin hold.
• Expected behaviour: The trace correlation links all events in the causal chain: PEEP change → reconciliation divergence detection → contributing factor analysis → insulin hold decision. Each link includes timestamps, originating system, and the coordination state transition that connects them.
• Pass criteria: The full causal chain is reconstructable from the trace with no gaps. Each event in the chain is linked to the preceding and following events. The total trace reconstruction is available within 5 minutes of query.
• Fail criteria: Any link in the causal chain is missing or unattributable, or the trace cannot reconstruct the full sequence of events.

Conformance Scoring

• Score 0: No multi-device coordination exists — each device and regimen operates independently with no shared state, no conflict detection, and no unified actuation logging. The clinician is the sole coordination mechanism.
• Score 1: A coordination state model exists and is maintained for each patient. Conflict detection covers the most common high-risk interactions (e.g., insulin-vasopressor, chemotherapy sequencing). Temporal safety windows are defined for high-risk categories. Actuation logging exists but may not be unified across all devices. Reconciliation is performed but may exceed the required intervals.
• Score 2: The coordination system meets all MUST requirements: comprehensive state model, cross-device conflict detection with prospective lookahead, temporal safety window enforcement, patient-state reconciliation at required intervals with divergence detection, unified actuation log with synchronised timestamps, coordination failure mode with safe degradation, and device/regimen inventory with 15-minute update timeliness. Testing confirms effectiveness across all requirement areas.
• Score 3: Verified through independent adversarial testing with simulated multi-device failure cascades, including scenarios where individually safe actuations produce collectively dangerous outcomes. PK/PD interaction modelling is implemented. Predictive cascade modelling simulates downstream effects before actuation. Cross-manufacturer interoperability is demonstrated. Care-transition coordination is validated. Real-time coordination metrics are tracked across all patients.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 15 (Accuracy, Robustness and Cybersecurity)	Direct requirement
EU MDR	Annex I, Chapter I, Section 14.1 (Devices Composed of Subsystems)	Direct requirement
HIPAA	Security Rule § 164.312(e)(1) (Transmission Security)	Supports compliance
FDA 21 CFR Part 11	§ 11.10(e) (Authority Checks)	Supports compliance
NIST AI RMF	MAP 3.3, MANAGE 2.2, MANAGE 4.1	Supports compliance
ISO 42001	Clause 8.4 (AI System Operation and Monitoring)	Supports compliance

EU AI Act — Article 15 (Accuracy, Robustness and Cybersecurity)

Article 15 requires that high-risk AI systems achieve an appropriate level of accuracy, robustness, and cybersecurity, and that they perform consistently throughout their lifecycle. For multi-device AI coordination, robustness includes the ability to function safely when individual components fail, when device states change asynchronously, and when physiological cascades produce unexpected patient-state changes. An AI system that is accurate when managing a single device but unsafe when coordinating multiple devices is not robust in its intended operating environment. AG-526's coordination requirements — conflict detection, temporal safety windows, reconciliation checkpoints, and failure mode governance — directly implement Article 15's robustness mandate for multi-device deployments.

EU MDR — Annex I, Chapter I, Section 14.1

The MDR's essential requirements for devices composed of subsystems or designed to operate in combination with other devices require that the whole combination, including the connection system, is safe and does not impair the specified performances of the devices. This is precisely the coordination governance challenge addressed by AG-526: ensuring that multiple devices operating on the same patient, potentially from different manufacturers, produce safe collective outcomes even though each device was certified independently. The coordination engine required by AG-526 is the mechanism through which the "whole combination" safety requirement is met.

HIPAA — Security Rule § 164.312(e)(1)

HIPAA's transmission security provision requires safeguards to guard against unauthorised access to electronic protected health information being transmitted over an electronic communications network. In multi-device coordination, patient therapeutic state data is transmitted between devices and the coordination engine. AG-526's unified actuation log and device communication requirements must comply with HIPAA transmission security standards, ensuring that patient state data shared across devices is protected from interception or modification.

FDA 21 CFR Part 11 — § 11.10(e)

Part 11 requires authority checks to ensure that only authorised individuals use the system, sign records, and access operations. In multi-device coordination, authority checks ensure that only authorised devices and agents can submit actuations to the coordination engine, and that the coordination engine can authenticate the source of every state update. AG-526's device inventory requirement (4.7) and unified actuation log (4.5) support Part 11 authority check compliance by ensuring that every actuation is attributable to a registered, authorised source.

NIST AI RMF — MAP 3.3, MANAGE 2.2, MANAGE 4.1

MAP 3.3 addresses the documentation of AI system dependencies, including dependencies on other systems and data. Multi-device coordination creates a web of dependencies that must be explicitly documented and governed. MANAGE 2.2 addresses mechanisms to identify and respond to AI system failures, directly supported by AG-526's coordination failure mode requirement (4.6). MANAGE 4.1 addresses post-deployment monitoring, supported by AG-526's reconciliation checkpoints and coordination metrics.

ISO 42001 — Clause 8.4

Clause 8.4 addresses the operation and monitoring of AI systems, including the monitoring of AI system performance and the response to identified issues. In multi-device environments, operation and monitoring must extend beyond individual devices to the coordination layer that governs their collective behaviour. AG-526 provides the governance framework for this coordination-level monitoring, ensuring that the organisation monitors not only whether each device is functioning correctly but whether the collective device behaviour is producing safe patient outcomes.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Patient-level with high severity — coordination failures affect the patient's full therapeutic state across all coordinated devices, with potential for rapid physiological deterioration through cascade effects

Consequence chain: The coordination system fails to detect a cross-device conflict, enforce a temporal safety window, or identify a patient-state divergence. The immediate consequence is that individually correct but collectively dangerous actuations proceed unchecked. A ventilator change cascades through physiology to cause insulin sensitivity changes that the insulin pump does not detect (Scenario A). A chemotherapy schedule proceeds without required premedication because two scheduling systems are temporally uncoordinated (Scenario B). An insulin bolus is calculated without accounting for concurrent metformin pharmacokinetics (Scenario C). The clinical consequences range from severe adverse events (hypoglycaemia, chemotherapy toxicity, anaphylaxis) to potentially fatal outcomes (undetected hypoglycaemia in a patient living alone). The organisational consequences include mandatory adverse event reporting, potential medical device recall for the coordination component, regulatory investigation into whether the multi-device system was validated as a combined system, and litigation with complex multi-party liability allocation (device manufacturers, coordination platform provider, deploying institution, supervising clinician). The coordination failure is particularly difficult to investigate because it emerges from the interaction between systems, not from a fault in any single system — each device's log shows correct behaviour, and only the unified actuation log and coordination state history can reveal the collective failure. Without the evidence requirements of AG-526, root-cause analysis may be impossible, which itself constitutes a regulatory and litigation risk. The systemic consequence extends beyond the individual patient: a high-profile multi-device coordination failure can trigger regulatory re-evaluation of connected medical device governance frameworks, potentially imposing new certification requirements that affect the entire multi-device clinical AI industry.

Cross-references: AG-379 (Workflow State-Machine Integrity Governance) provides the formal state-machine framework that AG-526's coordination state model extends to multi-device clinical environments. AG-522 (Medication Interaction Actuation Governance) governs individual medication interactions; AG-526 extends this to cross-device regimen coordination. AG-519 (Clinical Indication Scope Governance) defines the clinical scope within which coordination operates. AG-525 (Physician Override Usability Governance) ensures clinicians can override coordinated actions when the coordination system flags a conflict or when the clinician identifies a coordination failure. AG-527 (Protected Health Information Segmentation Governance) governs the privacy aspects of patient state data shared across devices in the coordination model. AG-389 (Topology Inventory Governance) provides the device registry framework extended by AG-526's device and regimen inventory requirement. AG-412 (Time Synchronisation Validation Governance) provides the temporal foundation for AG-526's synchronised actuation logging and temporal safety window calculations. AG-418 (Cross-System Trace Correlation Governance) enables the causal chain reconstruction required for multi-device event investigation.