Page 195 - ARM 64 Bit Assembly Language

182 Chapter 6

1. The operator mistakenly specified high power mode during data entry.
2. The operator moved the cursor to the command line area.
3. The operator noticed the mistake, and moved the cursor back to the data entry area without entering a command.
4. The operator corrected the mistake and moved the cursor back to the command line.
5. The operator entered the command line area, left it, made the correction, and returned within the eight-second window required for adjusting the magnets.

If the above sequence occurred in less than eight seconds, then the operator screen could indicate that the machine was in low power mode, although it was actually set in high power mode. During a final check before initiating the beam, the software would find that the magnets were set for high power mode but the operator setting was for low power mode. It displayed a numeric error code and prevented the machine from starting. The operator could clear the error code by resetting the computer (which only required one key to be pressed on the keyboard). This caused the tungsten shield to withdraw but left the machine in X-ray mode. When the operator entered the command to start the beam, the machine could be in high power mode without having the tungsten shield in place. X-rays were applied to the unprotected patient.
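The sequence above, as an added example that is not from the book: a simplified state model (constructed for illustration, not the Therac-25's actual code) in which the flawed variant reproduces the unshielded high-power outcome and the hardened variant treats any edit during the magnet window as invalidating the setup and refuses to fire until setup is repeated.

```c
#include <stdbool.h>
/* Simplified model of the sequence described above (constructed; not Therac-25 code). */
enum { LOW = 0, HIGH = 1 };
enum { OUTCOME_SAFE_LOW, OUTCOME_SAFE_HIGH, OUTCOME_BLOCKED, OUTCOME_UNSHIELDED_HIGH };
typedef struct {
    int  screen_mode, magnet_mode; /* mode on the screen vs. mode the magnets are set for */
    bool shield, setting_up;       /* shield in the beam path; inside the eight-second window */
    bool ready, checked;           /* hardened: setup valid since last edit; flawed: check ran */
    bool error, hardened;          /* error code shown (beam inhibited); apply the fixes? */
} machine_t;
machine_t machine_init(bool h) { machine_t m = { LOW, LOW, false, false, false, false, false, h }; return m; }
/* Edit the mode field. Flawed: a running setup keeps the old value; hardened: the edit voids it. */
void edit_mode(machine_t *m, int mode) {
    m->screen_mode = mode;
    if (m->hardened) { m->setting_up = false; m->ready = false; }
}
/* Cursor reaches the command line: magnet setup starts from the current data. */
void to_command_line(machine_t *m) {
    if (!m->setting_up) { m->magnet_mode = m->screen_mode; m->setting_up = true; }
}
/* Eight seconds elapse: magnets are set and the shield follows magnet_mode. */
void window_elapsed(machine_t *m) {
    m->setting_up = false; m->shield = (m->magnet_mode == HIGH); m->ready = true;
}
/* One-key reset. Flawed: clears error, withdraws shield, leaves magnets; hardened: voids setup. */
void reset(machine_t *m) {
    m->error = false; m->shield = false;
    if (m->hardened) m->ready = false;
}
int start_beam(machine_t *m) {
    if (m->hardened && !m->ready) return OUTCOME_BLOCKED;        /* fail closed */
    if (m->hardened || !m->checked) {                            /* flawed: checks only once */
        m->checked = true;
        if (m->magnet_mode != m->screen_mode) { m->error = true; return OUTCOME_BLOCKED; }
    }
    if (m->error) return OUTCOME_BLOCKED;
    if (m->magnet_mode == HIGH) return m->shield ? OUTCOME_SAFE_HIGH : OUTCOME_UNSHIELDED_HIGH;
    return OUTCOME_SAFE_LOW;
}
/* Steps 1-5 from the text, then the operator's reset and the beam command. */
int run_sequence(bool hardened) {
    machine_t m = machine_init(hardened);
    edit_mode(&m, HIGH);   /* 1: high power entered by mistake */
    to_command_line(&m);   /* 2: magnet setup begins with HIGH */
    edit_mode(&m, LOW);    /* 3-4: mistake corrected within the window */
    to_command_line(&m);   /* 5: back on the command line */
    window_elapsed(&m);
    if (start_beam(&m) == OUTCOME_BLOCKED) reset(&m);   /* "treatment pause", cleared */
    return start_beam(&m);
}
```

`run_sequence(false)` ends with the beam fired in high power mode with the shield withdrawn; `run_sequence(true)` ends with a low-power beam, because the correction restarted magnet setup.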

It took some time for this critical flaw to appear. The failure only occurred when the operator initially made a one-keystroke mistake in entering the prescription data, moved to the command area, and then corrected the mistake within eight seconds. Initially, operators were slow to enter data, and spent a lot of time making sure that the prescription was correct before initiating treatment. As they became more familiar with the machine, they were able to enter data and correct mistakes more quickly. Eventually, operators became familiar enough with the machine that they could enter data, make a correction, and return to the command area within the critical eight-second window. Also, the operators became familiar with the machine reporting numeric error codes without any indication of the severity of the code. The operators were given a table of codes and their meanings. The code reported was “no dose” and indicated “treatment pause.” There is no reason why the operator should consider that to be a serious problem; they had become accustomed to frequent malfunctions that did not have any consequences for the patient.

Although the code was written in assembly language, that fact was not cited as an important factor. The fundamental problems were poor software design and over-confidence. The re-use of code in an application for which it was not initially designed also may have contributed to the system flaws. A proper design using established software design principles, including structured programming and abstract data types, would almost certainly have avoided these fatalities.