eweek.com Perhaps nothing shows the ravages of faulty calculations as clearly as cancer.
The patients who were suffering in Panama had cancers of the pelvis. Pelvic organs such as the intestines and kidneys are acutely sensitive to radiation. Before a cancer patient such as Garcia is exposed to radiation, a doctor devises a treatment plan that determines what dose of radiation can safely be directed at the tumor. The physician considers the tumor's position and depth in the body, the likelihood that the cancer has spread to surrounding tissue, the location and sensitivity of nearby organs and the best angles of attack.
As part of the plan, the doctor figures out how to place metal shields, known as "blocks," above the area where the tumor is located. These blocks, usually made of lead or a metal alloy called cerrobend, protect normal or sensitive tissue from the gamma rays to come.
The doctor hands his plan to a medical physicist, who feeds information on the size, shape and location of the blocks into a software package. These packages generally create a 3-D picture of how the dose will be distributed, showing how the radiation will "sum" as beams coming in from different angles intersect at depth in the patient's tissue. Once the doctor prescribes a dosage, the software calculates the duration of treatment.
The physicists in Panama were carrying out a doctor's instruction to be more protective, adding a fifth block to the four the hospital often used on patients in cancer treatments. The extra block could help protect patients whose tissues were especially sensitive due to previous surgeries or radiation treatments.
Multidata's planning software was designed to calculate treatments when there were four or fewer blocks, according to the company's general business manager, Mick Conley. Saldaña, however, read Multidata's manual and concluded she could make the software account for a fifth block.
According to an August 2001 report from the IAEA, Saldaña found the software didn't only work if she entered the dimensions of each block individually, up to four. She found it also allowed her to enter the dimensions of all five blocks as a single, composite shape-for instance, a rectangle with one triangular block sitting in each corner and a fifth square block protruding, tooth-like, down into the rectangle from the top.
PointerWant the story latest news in programming environments and developer tools? Check out eWEEK's Developer Center at http://developer.eweek.com
So, using the mouse attached to her computer, she entered on the screen the coordinates of the specially shaped block— first the inner perimeter of the shape and then the outer perimeter. This is when she felt she was "home free."
After all, when Saldaña entered the data for this unusual-looking block, the system produced a diagram that appeared to confirm its dimensions. She seemed to be getting confirmation from the system itself that her approach was acceptable.
Next Page: Ravages of miscalculation. But inside the software, the calculations of appropriate dosages were going awry. The treatment time would be close to correct if Saldaña entered the data for the inner perimeter of the shape going in one direction, say clockwise, and the outer perimeter in the opposite direction, according to the IAEA report. But if she entered the data for the inner and outer perimeters going in the same direction, so that the two loops defining the perimeters crossed, the software essentially locked up. It was not able to accurately recognize the shape and, as a result, miscalculated the treatment times, the report said.
Depending on how many treatments the patients received, they accumulated overdoses ranging from 20 percent more radiation than was prescribed to a double dose of the potentially harmful rays, the IAEA found.
Inspectors from the FDA were dispatched to Multidata's offices after the agency received reports of patient "radiation overexposures." The inspection ran from May 31 to Sept. 21, 2001.
A summary of their findings echoed the IAEA report: "The treatment-planning system miscalculated the dose each patient was to receive due to failure of the software to correctly handle certain types of blocks... This resulted in a much higher dose being calculated for each patient."
Multidata's Conley says the FDA's finding "is wrong." He says that if you read FDA reports, "you find out the FDA isn't always right.
"Given [the input] that was given," he says, "our system calculated the correct amount, the correct dose. It was an unexpected result. And, if [the staff in Panama] had checked, they would have found an unexpected result."
Conley insists his company has done nothing wrong. He says the physicists at the National Cancer Institute never called Multidata asking for advice or support.
The physicists admit they did not always verify the results of the software's calculations, which Multidata's manual said was "the responsibility of the user."
Saldaña says the hospital was treating more than 100 patients per day using the one Cobalt-60 machine. The IAEA also found that whatever steps the hospital took to ensure the radiation machine was operating properly only addressed the hardware. There was no quality-assurance program for the software-or its results.
In the day-to-day operations of the cancer institute, that meant the physicists were not required to tell anyone they had changed the way they entered data into the cancer-therapy system. As a result, no one on staff questioned the software's results.
Had the hospital verified the dosages, by manually checking the software's calculations or by testing the dosages in water before radiating patients, a procedure that Conley argues is standard medical practice in much of the rest of the world-the staff would have caught the overdoses in time to avoid harming anyone.
But independent experts not associated with the case say software that controls medical equipment and other life-critical devices should be designed to pause or shut down if told to execute a task it's not programmed to perform.
"If a computer can make a user kill people, it's like a loaded gun," says Jack Ganssle, an engineer whose Ganssle Group advises companies and developers on how to create high-quality software. "A user shouldn't be able to do anything that causes a machine to be dangerous."
But the Multidata software continued to operate.
Next Page: Cause of death.
As tragic as it is, the Panama incident does not stand alone. In all, Baseline has found no fewer than a half-dozen cases in which software has contributed to loss of life. (See Eight Fatal Software-Related Accidents, Baseline, March 2004.)
The patients who were suffering in Panama had cancers of the pelvis. Pelvic organs such as the intestines and kidneys are acutely sensitive to radiation. Before a cancer patient such as Garcia is exposed to radiation, a doctor devises a treatment plan that determines what dose of radiation can safely be directed at the tumor. The physician considers the tumor's position and depth in the body, the likelihood that the cancer has spread to surrounding tissue, the location and sensitivity of nearby organs and the best angles of attack.
As part of the plan, the doctor figures out how to place metal shields, known as "blocks," above the area where the tumor is located. These blocks, usually made of lead or a metal alloy called cerrobend, protect normal or sensitive tissue from the gamma rays to come.
The doctor hands his plan to a medical physicist, who feeds information on the size, shape and location of the blocks into a software package. These packages generally create a 3-D picture of how the dose will be distributed, showing how the radiation will "sum" as beams coming in from different angles intersect at depth in the patient's tissue. Once the doctor prescribes a dosage, the software calculates the duration of treatment.
The physicists in Panama were carrying out a doctor's instruction to be more protective, adding a fifth block to the four the hospital often used on patients in cancer treatments. The extra block could help protect patients whose tissues were especially sensitive due to previous surgeries or radiation treatments.
Multidata's planning software was designed to calculate treatments when there were four or fewer blocks, according to the company's general business manager, Mick Conley. Saldaña, however, read Multidata's manual and concluded she could make the software account for a fifth block.
According to an August 2001 report from the IAEA, Saldaña found the software didn't only work if she entered the dimensions of each block individually, up to four. She found it also allowed her to enter the dimensions of all five blocks as a single, composite shape-for instance, a rectangle with one triangular block sitting in each corner and a fifth square block protruding, tooth-like, down into the rectangle from the top.
PointerWant the story latest news in programming environments and developer tools? Check out eWEEK's Developer Center at http://developer.eweek.com
So, using the mouse attached to her computer, she entered on the screen the coordinates of the specially shaped block— first the inner perimeter of the shape and then the outer perimeter. This is when she felt she was "home free."
After all, when Saldaña entered the data for this unusual-looking block, the system produced a diagram that appeared to confirm its dimensions. She seemed to be getting confirmation from the system itself that her approach was acceptable.
Next Page: Ravages of miscalculation. But inside the software, the calculations of appropriate dosages were going awry. The treatment time would be close to correct if Saldaña entered the data for the inner perimeter of the shape going in one direction, say clockwise, and the outer perimeter in the opposite direction, according to the IAEA report. But if she entered the data for the inner and outer perimeters going in the same direction, so that the two loops defining the perimeters crossed, the software essentially locked up. It was not able to accurately recognize the shape and, as a result, miscalculated the treatment times, the report said.
Depending on how many treatments the patients received, they accumulated overdoses ranging from 20 percent more radiation than was prescribed to a double dose of the potentially harmful rays, the IAEA found.
Inspectors from the FDA were dispatched to Multidata's offices after the agency received reports of patient "radiation overexposures." The inspection ran from May 31 to Sept. 21, 2001.
A summary of their findings echoed the IAEA report: "The treatment-planning system miscalculated the dose each patient was to receive due to failure of the software to correctly handle certain types of blocks... This resulted in a much higher dose being calculated for each patient."
Multidata's Conley says the FDA's finding "is wrong." He says that if you read FDA reports, "you find out the FDA isn't always right.
"Given [the input] that was given," he says, "our system calculated the correct amount, the correct dose. It was an unexpected result. And, if [the staff in Panama] had checked, they would have found an unexpected result."
Conley insists his company has done nothing wrong. He says the physicists at the National Cancer Institute never called Multidata asking for advice or support.
The physicists admit they did not always verify the results of the software's calculations, which Multidata's manual said was "the responsibility of the user."
Saldaña says the hospital was treating more than 100 patients per day using the one Cobalt-60 machine. The IAEA also found that whatever steps the hospital took to ensure the radiation machine was operating properly only addressed the hardware. There was no quality-assurance program for the software-or its results.
In the day-to-day operations of the cancer institute, that meant the physicists were not required to tell anyone they had changed the way they entered data into the cancer-therapy system. As a result, no one on staff questioned the software's results.
Had the hospital verified the dosages, by manually checking the software's calculations or by testing the dosages in water before radiating patients, a procedure that Conley argues is standard medical practice in much of the rest of the world-the staff would have caught the overdoses in time to avoid harming anyone.
But independent experts not associated with the case say software that controls medical equipment and other life-critical devices should be designed to pause or shut down if told to execute a task it's not programmed to perform.
"If a computer can make a user kill people, it's like a loaded gun," says Jack Ganssle, an engineer whose Ganssle Group advises companies and developers on how to create high-quality software. "A user shouldn't be able to do anything that causes a machine to be dangerous."
But the Multidata software continued to operate.
Next Page: Cause of death.
As tragic as it is, the Panama incident does not stand alone. In all, Baseline has found no fewer than a half-dozen cases in which software has contributed to loss of life. (See Eight Fatal Software-Related Accidents, Baseline, March 2004.)
Comments