London Ambulance Service Computer Aided Dispatch (LASCAD) Failure


An analysis of the failure of the London Ambulance Service Computer Aided Dispatch system.


The London Ambulance Service Computer Assisted Dispatch (LASCAD) system was intended to replace a manual system and improve communication, location and dispatch of vehicles to improve the timeliness of medical treatment. It also provided auditing and analysis systems to monitor and improve the system over time.

Initial Problems

During a trial period of the LASCAD in a semi-manual style for three divisions of the city, where operator were allowed to override various decisions of the system, a variety of problems were noted. These included the failure to detect duplicated calls, prioritise messages and prevent them scrolling off the screens, errors in allocating software resources, lockups and slow response times.

The modifications made to fix the problems mainly related to management and operation and not the needed software changes.

Full Use

The system went live on October 26th, 1992, covering all of London and stopping use of the manual backup. Although on the first two days all functionality was provided, some response times were less than adequate, and manual intervention to correct problems was difficult.

The gradual effects included the system having less and less information about the location and status of the vehicles, inefficient and duplicated allocation of vehicles to calls, and an increasing backlog of messages awaiting action. Another result was the increased number of calls being made more than once as vehicles failed to arrive in a timely fashion.

Recovery

A partially manual system was reinstigated, and with the opportunity to override allocations, the situation remained acceptable until shortly after 2:00am on November 4th when the system slowed down and locked up.

Upon a reboot failing to fix the problem, the fully manual system was reinstigated, but there was no means of finding out the current state of the system except for going through the telephone logs of the requests made. As a result, the hoped for failsafe alternative to the automated system was not avaiable.

Investigation

One of the direct results of this shutdown included an ambulance arriving after the patient had died and had already been taken away by the undertaker. Estimates of the total number of fatalities caused differ from 10 upwards, even through no coronial findings included the late arrival of an ambulance as the direct cause.

The investigation blamed a wide range of factors, including technical, managerial, human and environmental issues. Some blame was placed upon incomplete software, and inadequate testing (particularly the lack of adequate load testing) and optimisation of the system the use of tools meant for prototyping and not for safety-critical systems. The human factors aspects included that staff had little or no confidence in the system and had not been trained in its operation. Managerial issues included the lack of change as a result of earlier problems.

An early contributing factor was seen to be the award to a contractor that had not produced similar systems previously.

Fix?

Better testing, expecially using a realistic operational envelope, may have revealed the problems before use.

Fix?

The commissioning of the system did not allow for recovery from the situation.