Salon.com on Open Source Medical Software

mke writes "Life or death software; new medical programs show the strengths of open-source coding -- and its weaknesses." One of the biggest weaknesses mentioned in the article is that there's no software company to sue if something in the code kills or injures a patient. Another problem, at least in the U.S., is that FDA approval for medical software costs millions. The question is, can these problems be overcome, or will proprietary software continue to be the norm in critical medical applications?

Liability and Paying for Approval

[werdna]

The liability question, at least as put above, is naive. There are some things you can do, notwithstanding even express contractual disclaimers in negotiated and executed agreements, that under certain circumstances cannot be disclaimed -- and conduct leading to personal injury can lead to such liability.

(Think about it -- if liability for medical malpractice could be disclaimed, would there be a doctor or hospital in the world who wouldn't make you sign away your rights as a condition of treatment?)

Accordingly, publishing OSS medical software probably is a risk -- although most publishers (in their individual capacity are likely to be relatively judgment proof compared to the size of most such claims.

But the interesting observation here is the suggestion that open software must be orphaned from regulatory approval for failure of a company to pay for such approval. In my view, that objection is highly overstated and takes perhaps a naive view of the economics of the situation.

Indeed, the company never really pays for the software's approval -- at least at the end of the day. Nor do they pay for the outrageous liability insurance. Customers do. Proprietary medical software that is highly regulated or requires elaborate insurance is expensive, in part, because of these expenses.

If truly good OSS medical stuff were out there, approval might arise in time by the marketplace that intends to use it, either through grants, communal conduct by the marketplace, or "new economy" ideas such as websites soliciting voluntary contributions to support worthy quasi-commercial work.

Those notions should work, that is, unless you believe the "free rider" problem precludes such benefits to society, in which case the arguments for strong IP were right after all. . .

I don't *want* certain software running *ME*

[HoserHead]

I love Free Software. In my eye, it's the only way to go. However, I want the person writing the software controlling my heart to be paid to do so. And I want it tested for twenty years before they put it in me, or hook me up to it, in every possible condition, so that I don't die.

In this case, very complex software like Linux and Windows CE and various other things *cannot*be*used*. As good as the software may be, it isn't infallible - and if anything has to be bug-free, it's medical firmware (well, and military firmware, stuff in plans and the like). Releasing the software as Free Software, freely available, probably wouldn't do much for you - after all, how many people will have this sort of equipment?

That being said, there's no inherent problem with releasing the firmware code of a medical appliance. You could probably get *some* improvements. But I don't want my heart being driven by software that is potentially not completely and utterly tested to the fullest extent. I just don't think that someone not being paid would be willing to do that.

Re:I don't *want* certain software running *ME*

[HoserHead]

I think that Free Software can, normally be tested in most situations to as well as you can get it - much better than commercial software. But, I don't think that, even as good as Free Software testing is, that it's good enough to run, say, the firmware of a heart-and-lung machine. This sort of software has to be tested in *every* possible case, and it costs a *lot* of money to do extensive Q&A on them. I'd be surprised if the firmware in those sorts of machines is younger than 10 years.

Like it or not, the regular sorts of development, be it Free Software development or proprietary development, just isn't good enough for most medical software. It's not data or money you're toying with there - it's people's lives. *I* wouldn't trust my life to Linux - would you? (I should specify - I wouldn't trust my life to pretty much any OS. Add a layer of abstraction, you add more things that can possibly go wrong.)

no one to sue

[trb]

Having no one to sue is not a problem with open source. It's a matter of having someone accepting liability. Accepting liability is a responsibility that someone can assume in exchange for a fee, same as any other responsibility, like the responsibility to provide tech support.

Re:no one to sue

[Eccles]

It's a matter of having someone accepting liability.

Bingo! After all, this isn't a case of hospitals buying off-the-shelf PCs, installing slackware, and then perusing Freshmeat for MRI control software. Generally you get a package of machine plus software, and the software development/testing costs are part of the cost of buying the machine. Open source isn't really an issue, since you aren't supplying source for someone else to debug, and you don't have to worry about someone else releasing a CD with your software for $1.99 -- they still need the machine. Now you might snarf some algorithms off the net, test the hell out of them, and then incorporate them into the MRI software, but the Free Software Bazaar isn't going to start receiving offers to write controllers for radiation emitters any time soon.

Ho hum...

[jd]

If a hospital uses software in blind faith, without some kind of testing - at least to see if it'll even work on their machines, and to familiarise staff with it - then I don't think it is the software house who needs to fear being sued.

On the other hand, if the staff are familiar with the package, have checked to see if it'll run on their computers, and are comfortable using it, then you might expect them to compare the results they get with those they expect.

If the hospital is confident the software behaves as it's supposed to, and the staff are confident in it's use, then the chances of there being any accidents to sue over become sufficiently remote to make it stupid to make that a deciding factor.

Open versus Closed doesn't matter here.

[Arandir]

Whether or not medical software is open or closed doesn't matter to much. What does matter is that it works 100%. The anesthesiologist doesn't care if it's Morally Superior(tm) Free Software, or Evil Capitalistic Proprietary Software, just as long as the decisions it makes won't kill his patient.

I work in the Medical Hardware/Software industry. When the FDA discovers a bug in the software, you MUST fix it. You don't have the luxury of hoping some other hacker might figure out a solution. You don't have the luxury of pondering what to do. You WILL fix it, and you WILL fix it by a certain date, or your software will no longer be used.

The FDA doesn't care if your license announces the lack of warranty. Neither does the anesthesiologist. Neither does the patient. It will be demonstrated to work right the first time it is used in a clinical setting, or it won't be used at all.

Because of these "rules", some Open Source project models won't work at all with medical software, and the typical "release it as GPL and post it on the net" is one of them. However, something similar to Apache's "gather a group of experts and limit membership" model would work. The FSF be damned when it comes to a patient's life! I don't want medical software to be "free"! I want the software under the developer's shackles and chains! I only want experts working on it. I don't want something that's Joe Schmoe's weekend hobby. If the developer needs to use a proprietary libary, I want him to have a license that lets him do it. Ditto for air traffic control software.

I'm sure that there's a Free Software development model that will work for such projects. And I am sure that there will be several such project. However, no proprietary closed source software that saves people's lives will ever be Evil in my book, ever.

Re:The Liability Thing

[Syslevel]

Oh, please.

Software for critical life-care situations isn't some web application that can crash and you just hit the reset switch.

There are design methodologies for high reliability software. And it isn't just throw it out into a bazaar and let a bunch of hackers pound away at it.

There are controls, oversight, audits. Everything is documented, and virtually everything is traceable.

Hint- people like it that way. You don't, but we'll give you a few years to catch a clue. You won't be let near any critical life care development anyway, with your attitude.

Re:Who do you want to sue today?

[Arandir]

Medical software developers get sued constantly. If a patient dies because the software controlling the MRI is faulty, that manufacturer will probably wind up out of business. I work in the medical hardware/software industry. We haven't been sued yet, but some of our competitors have. And we are always disheartened when it happens. Our latest product was released to manufacturing after one and a half YEARS of software testing. We fear that there might still be an undiscovered bug that could lead to a patient dying.