Log in

No account? Create an account
The Broken Hut
Working my way up to a full-size building
Mutable state considered deadly 
25th-Apr-2007 08:58 am

I read in the BMJ the other day* about a case where someone was given a wrong dose because of a miscalculation. I’m sure people get given wrong doses of things all the time; just consider how many millions of people must be in treatment at any time around the world. It would be impossible not to have mistakes.

The point that interested me was how the mistake happened. The patient was a 3-month old baby showing “clinical signs of meningococcal sepsis with petechiae, purpura, and shock” (whatever that might mean). The baby needed a precise concoction of twelve different drugs for treatment.

The dosages were calculated using a spreadsheet template which calculates required dose from weight, age, and so on. In a standard version of Excel it is possible to “lock” particular cells so they cannot be inadvertently edited. For example, you would lock the cell which stores the formula for the calculation, so that you can’t accidentally write over it.

Unfortunately, the software used here wasn’t the full-blown version of Excel or some functional equivalent, but something called PocketExcel. It doesn’t allow locked cells; someone tabbed into the wrong field and overwrote the calculated dose with the baby’s weight. Ouch!

If I remember the article correctly (I don’t subscribe to the BMJ myself…) this all happened at 3.30 in the morning. The person filling it in was no doubt exhausted and extremely stressed. So we can add this instance to the long list of tragedies:

  • that occur due to operator fatigue or stress
  • and could have been prevented by better tool design

Don Norman’s The Design of Everyday Things is full of situations like this — nuclear power generation and air traffic control, for example — where bad design has allowed exhausted people to make dangerous mistakes. There are plenty more.

Simon Peyton Jones et al mention the similarity between functional programming and the Excel spreadsheet. Each cell in a spreadsheet is keyed off others in the FP style, without dependence on order of evaluation. This allows for the simplest possible model of computation, since a result depends only on the numbers you explicitly plug in to it.

So I would like to extend that comparison slightly and say that what we have here is a demonstration of the dangers of mutable state. If the output-only fields were prevented from being over-written by outside processes (in this case, the user) this problem wouldn’t have happened. Instead, the data-dependency tree which the user expected to hold was no longer there. And a potentially fatal mistake resulted.

* I don’t get to start enough blog posts like that. Alas.

25th-Apr-2007 09:12 am (UTC)

You're telling me that medical professionals are using spreadsheets to handle patient-critical data????!!!!

I thought that sort of thing was the perogative of stuffed-shirt business executives!

"Here's an idea. Let's save money by committing minimal resources to professional application development and just give all our staff excel+no training and expect them to create reliable apps."

I really think it should be a legal requirement that all spreadsheet software should carry a splash-screen disclaimer on start-up:

"Warning. Make sure you know your arse from your elbow before you use this software for anything really important."

Perhaps in the case of PocketExcel it should read:

"DON'T use this software for anything really important. Just don't."
25th-Apr-2007 10:50 am (UTC)
A friend's sister is studying to be a nurse, she's failed the calculations exam FIVE TIMES and just keeps retaking it. Her mum's a nurse and has tried to help her too but no joy. I hope to God she never has to use one of these spread sheets.
25th-Apr-2007 10:52 am (UTC)
I can't remember if the article mentioned what happened to the child. I think it survived, but I don't know. :-O
25th-Apr-2007 11:02 pm (UTC)
when we do dose calculations at work they are a) done on paper with full working and b)checked by two people, the second one semi-blind (in that they can't just watch the first person do it. they are expected to go and check that all in input data (weight, % viability of cells, that sort of thing) are are correct and then do the maths. we don't quite go as far as two sheets of paper but I bet if we ever had a cock up that would be the next step.)

man, we double sign off *everything*.
26th-Apr-2007 07:15 am (UTC)
The thing that really worries me about people using spreadsheets to handle critical information is that I have seen too many instances where the spreadsheet itself fails to calculate correctly, quite aside from any design errors in calculation or failure to lock the state of cells. For example, I had a lot of problems with spreadsheets that had been created in Excel XP (2002) which had been saved in a backwards-compatible format but which didn't work correctly in Excel 2000 - yielding incorrect results to formulas.

The other fly in the ointment is where someone, for some reason, switches off auto-recalculation, then forgets to switch it back on, then someone else uses the sheet.
27th-Apr-2007 01:55 pm (UTC)
For what it's worth, PocketExcel is the PocketPC version of Excel. It comes with PocketPC PDAs and is pretty rubbish. Horrible they used it for something mission-critical, especially when lives were at stake.
This page was loaded Apr 21st 2018, 3:47 am GMT.