The Therac-25 software disaster. The Therac-25 is a computerized medical radiation therapy machine for cancer patients. Learn about the Therac-25, an important case study, and realize that errors and bad decisions can injure and kill. This course is specifically about software systems, systems where software plays a major role. Of 11 Therac-25s installed, there were 6 reported accidents, including 3 fatalities, between 1985 and 1987, after which the device was recalled. The problem with the Therac-25 system was the lack of software or hardware devices to detect and report overdoses and shut down the reactor immediately. Fixing each individual software flaw as it was found did not solve the safety problems of the device. In response to incidents like those associated with the Therac-25, the IEC 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree.
In a letter to a Therac-25 user, the AECL quality assurance manager said the same Therac-6 package was used by the AECL software people when they started the Therac-25 software. Then, if the operator were to input the incorrect beam type, or err on any data entry, he would be forced to restart the process. Furthermore, these problems are not limited to the medical industry. The Therac-25 software lied to the operators, and the machine itself could not detect that a massive overdose had occurred. Computers are obviously very beneficial in the medical field. Therac-25 questions, CS 105 Intro to Computing, StuDocu. Software in the Therac-6 and Therac-20 was reused in the Therac-25. This interactive timeline will paint a chronological picture of the Therac-25 tragedies, exploring the root causes that led to medical accelerators' most devastating catastrophe. Therac-25 units in Canada and the US are taken out of service until AECL completes a new CAP. It was the third radiation therapy machine by the company, preceded by the Therac-6 and Therac-20. Feb 18, 2015: It is highly unfair and unethical for that person's name to be known beyond, perhaps, potential employers and/or any lingering litigation, from which they are 100% shielded, and thus again not ethical. Nobody objects to eliminating the use of bad algorithms that have undesirable consequences, such as the Therac-25 software that delivered radiation overdoses to patients or the incorrect unit computation that caused NASA to lose its Mars Climate Orbiter.
Although these stories are more extreme than most software bugs engineers will encounter during their careers, they are worth studying for the insights they can offer into software development and deployment. The Therac-25. Nancy Leveson, University of Washington. 1 Introduction. Between June 1985 and January 1987, a computer-controlled radiation therapy machine, called the Therac-25, massively overdosed six people. The software would check if the operation was safe so no harm would come to the person. Therac-25 and the security of computer-controlled equipment. The software of the Therac-25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place (Leveson and Turner, 1993, p.). Good engineering practice dictates that a system should be designed so that no single point of failure leads to catastrophe. The machine and its predecessors, the Therac-6 and Therac-20, were a product of the collaboration of Atomic Energy of Canada Limited (AECL) and a French company called CGR (Leveson, N.). It was also designed from the outset to use software-based safety systems rather than hardware controls. Jan 15, 1990: The system was not designed to be fail-safe. The Therac-25's computerization made the laborious process of machine setup much easier for operators, and thus allowed them to spend minimal time in setting up the.
Aug 01, 2016: It's important to note that while the software was the linchpin in the Therac-25, it wasn't the root cause. Therac-25 background: a medical linear accelerator developed by Atomic Energy of Canada, Ltd. The reactions after each overdose: the creators of the Therac-25 were contacted. The Therac-25 software also contained several user-friendly features. A history of the introduction and shutdown of the Therac-25. Oct 26, 2015: The case of the Therac-25 has become one of the most well-known killer software bugs in history. The machine was released to the market in 1983 and was later involved in at least 6 accidents that led to.
At the individual level, the programmer had the options of inserting the safety interlocks in the hardware, the software, or both. The Worst Computer Bugs in History is a mini-series to commemorate the discovery of the first computer bug seventy years ago. Fatal dose: radiation deaths linked to AECL computer errors. We hope this mapping will honor the victims by providing insight, information, and understanding to encourage ethical, critical thinking in software design. Flaws: studies of the Therac-25 incidents showed that many factors contributed to the injuries and deaths. After the Therac-25 deaths, the FDA made a number of adjustments to its policies in an attempt to address the breakdowns in communication and product approval. After the first incident, AECL's response was simple: after careful consideration, we are of the opinion that this damage could not have been produced by any malfunction of the Therac-25 or by any. The machine in the room: the Therac-25 is not just a machine, but an installation consisting of the machine, the PDP-11 that controlled the machine, the shielded room the machine sits in, and the monitoring and. The main problem was with the machine's software, which was not caught by cmcs safety analysis and was allowed to get onto the market by the FDA. Safety-critical loads were placed upon a computer system that was not designed to control them. The first consisted of an electron beam targeted directly at the patient in small doses for a short amount of time. The Therac-25 was much more of a management and engineering failure than a technical problem, though.
As it turns out, the Therac-25 accidents were the result of a gross failure of the sociotechnical system around the machine. The Therac-25 was a tragic example of how bad code hurts people. The software interlock could fail due to a race condition. The reasoning given for not including software errors was the extensive testing of the Therac-25, the fact that software, unlike hardware, does not degrade, and the general. It incorporated the most recent computer control equipment. Computer execution errors are caused by faulty hardware components and by soft random errors induced by alpha particles and electromagnetic noise. The Therac-25 was a new-generation medical linear accelerator introduced in 1983 for treating cancer. The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited after the Therac-6 and Therac-20 units. The series of accidents involving the Therac-25 is a good example of exactly this problem. To be sure, there haven't been many, but cases like the Therac-25 are widely seen as warnings against the widespread deployment of software in safety-critical applications. And the Therac-25 was controlled principally by software.
Feb 17, 2014: The Therac-25 accidents form the basis for what is often considered the best-documented software safety case study available. In this assignment, you will debate, draw conclusions and assign levels of responsibility or liability to each of the parties being sued. In addition, the Therac-25 software has more responsibility for maintaining. The CGR employees modified the software for the Therac-20 to handle the dual modes. Therac-25 radiation overdoses: your expert root cause. These accidents have been described as the worst in the 35-year history of medical accelerators [6]. An Investigation of the Therac-25 Accidents, Stanford University. In PR Newswire, the Canadian Consulate General announces the introduction of the new "Therac 25" machine manufactured by AECL Medical, a division of Atomic Energy of Canada Limited. The Therac-25 disaster, October 2012. 1 Introduction. The Therac-25 was a machine for cancer treatment manufactured by Atomic Energy of Canada Limited (AECL) and went down in history as one of the world's worst software disasters. Therac 25, directed by Cassandra Phillips-Grande, starring Cassandra Phillips-Grande and Lesley Risdale. Thus, while the hardware interlocks on the Therac-20 prevented software errors from causing problems, the Therac-25 had no similar mechanism. As noted earlier, the software for the Therac-25 and Therac-20 both evolved from the Therac-6 software.
Professionalism/Therac-25, Wikibooks, open books for an open. Practice analysis of ethical decision-making and, by extension, become better ethical decision makers. Since the software was based on software already in use, and the linear accelerator was a minor modification of existing technology, designation of the Therac-25 as equivalent to this earlier technology meant that the Therac-25 bypassed the rigorous FDA testing procedures. Let's stop treating algorithms like they're all created equal. The safety analysis of the Therac-25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection. If I read Nancy's and Clark's article "An Investigation of the Therac-25 Accidents" correctly, they mentioned that the Therac-25 software was developed based on the Therac-6 software by a single, unidentified programmer. While the immediate cause of the deaths was a race condition in the software, it was only capable of causing harm because the hardware safety mechanism had been removed as a cost-saving measure, without proper verification that the software was capable of doing the same job.
Therac-25: AECL designed the Therac-25 to use computer control from the start. As a result, several people died and others were seriously injured. Several universities use the case as a cautionary tale of what can go wrong, and how investigations. Such incidents would not have been an issue in a single-use machine, and unlike previous models, the Therac-25 relied on software rather than hardware safety interlocks. Sometimes software bugs can result in the loss of lives, as was the case with a device called the Therac-25. Writing software can seem cool and abstracted until you realise the impact your code can have. The Therac-25 was manufactured by Atomic Energy of Canada Limited (AECL). AECL was expected to notify Therac-25 users of the problem, and of the FDA's recommendations. Between June 1985 and January 1987, the Therac-25 medical electron accelerator was involved in six massive radiation overdoses.
The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic. Assume the family of one of the victims is suing the hospital where the machine was used, the manufacturer of the machine (AECL) and the programmer who wrote the Therac-25 software. Therac-25 computerized radiation therapy, report by. Dependable Computer Systems 2016, Stefan Poledna, all rights reserved. Contents: dependability, problem statement, examples of dependable systems and. Finally, some software for the machines was interrelated or reused. The AECL statement took issue with an article about the Therac-25 accidents published. An Investigation of the Therac-25 Accidents, Part IV. A detailed investigation of the factors involved in the software-related overdoses and attempts by users, manufacturers, and government agencies to deal with the accidents is. The Therac-25 was produced along with another machine, the Therac-20, both being derived from the Therac-6 model. The previous product to the Therac-25 was the Therac-6, a 6 million electron volt accelerator.
Detect and eliminate self-interest factors and other peripheral considerations when making an ethical decision. Program software does not degrade due to wear, fatigue, or the reproduction process. The Therac-25 was a computerised medical technology radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982. Initially, AECL's solution to the problem was to physically disable the up key on all Therac-25 operators' keyboards. AECL sends an update of the CAP plus a list of nine items requested by users at the March meeting. Therac-25 case study: the Therac-25 is a radiation therapy machine that was used for treating patients with cancer.
We know that the software for the Therac-25 was developed by a single person using PDP-11 assembly language, over a period of several years. In addition, the Therac-25 software same Therac-6 package was used by the accidents. In one of the software quality classes we were talking about the famous case of the Therac-25, which came to my mind these days after dealing with my students. The Therac-25 was a medical linear accelerator, a linac, developed by the. The article proceeds to only skim over the plethora of other issues involved and mistakes made in the development process of the Therac-25. The next article, "An Investigation of the Therac-25 Accidents" by Nancy Leveson, delves much more into detail, but it does state that while the software was the linchpin in the Therac-25, it. These accidents highlighted the dangers of software control of safety-critical systems, and. A widely cited 1993 Computer article described failures in a software-controlled radiation machine that massively overdosed six people in the late 1980s, resulting in serious injury and fatalities. Yet over the years there have been numerous reports, both official and unofficial, of accidents and overdoses involving the improper diagnostic and therapeutic application of ionizing radiation. However, in the case of the Therac-25, they can be deadly. The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982, after the Therac-6 and Therac-20 units. The earlier units had been produced in partnership with CGR of France. It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation.
The Therac-25, a radiation treatment machine, massively overdosed 6 people because. AECL performs a safety analysis of the Therac-25 which apparently excludes an analysis of software.
What is the name of the programmer who wrote the Therac-25. My professor investigated the Therac-25 incident and. Aug 08, 2010: The safety analysis of the Therac-25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection. Therac-25 ethics case study by Ken Enstrom on Prezi. Reuse of Therac-6 design features or modules may explain some of the problematic aspects of the Therac-25 software (see the sidebar "Therac-25 software development and design"). AECL did not consider the design of the software during its assessment of how the machine might produce the desired results and what failure modes existed.
The Therac-20 and Therac-25 software programs were done independently, starting from a common base. Sep 12, 2019: On one hand, justified distrust of dangerous technology is a good thing. Unfortunately, he decided to add the emergency locks only in the software. When the time came to design the Therac-25, the partnership had dissolved. For six unfortunate patients in 1986 and 1987, the Therac-25 did the unthinkable. However, looking past the immediate causes of the problem, we find that a more general reason for the difference was a substantial increase in the complexity of the system underlying the Therac-25. Video created by University of Colorado System for the course Software Design Threats and Mitigations.
The Therac-25 software disaster, essay, 1293 words, Cram. This is an abstract of a 1993 article from IEEE Computer about the Therac-25 computerized radiation therapy machine and its software flaws, which caused massive overdoses to patients. With the aid of an onboard computer, the device could select multiple. The use of computers in the medical field is becoming more and more widespread. AECL built the Therac-6 and Therac-20 in partnership with CGR, a French company. The Therac-25 software was not written from scratch, but was built up from components that were borrowed from the earlier versions of the Therac.
The Therac-25 is a dual-mode machine that can generate an electron beam, to cure cancer in patients. Firstly, the software controlling the machine contained bugs which proved to be fatal. The Therac-25 was the most computerized and sophisticated radiation therapy machine of its time. These incidents were a result of a combination of factors that can be viewed as unethical actions made through the ranks. In February 1987, the FDA and its Canadian counterpart cooperated to. Teaching Therac-25: introduction, Montana State University.
What happened was that the operator, using a keypad, would select a particular mode. OEC: An Investigation of the Therac-25 Accidents, abstract. The Therac-25 ion chambers could not handle the high density of ionization from the unscanned electron beam at high beam current. The 20 and 25 models had 20 and 25 million electron volt accelerators respectively. After sending an engineer to investigate this incident, AECL concluded that there was a different software problem that allowed the electron beam to be turned on without the device that spread it to a safe concentration being placed in the beam. Consider the Therac-25 failure, in which several deaths occurred because of a software engineering failure. For several years and thousands of patients there were no problems. The Therac-25 was a radiation therapy machine manufactured by AECL in the 80s, which offered a revolutionary dual treatment mode. Dec 07, 2017: Embedded system safety and the Therac-25, Phil Koopman.
In the Therac-25's case, the players at the three levels had at least two options from which to choose. It was involved in at least six accidents between 1985 and 1987. The Therac-25 used a computer to provide the safety of the whole system, where earlier Therac versions used hardwired, electromechanical circuits called interlocks. And when someone finally discovered the real problems, it was too little too late, and six.
The experience illustrates a number of principles that are vital to understanding how and why the design and analysis of safety-critical systems must be done in a methodical way according to established principles. The Therac-25 was a machine for administering radiation therapy, generally for treating cancer patients. When accidents occurred with the Therac-25 during the 1986 to 1988 timeframe, the statement read in part, AECL Medical reacted quickly to investigate and inform Health and Welfare Canada and the U. The problem was exacerbated by the design of the mechanism that. Therac-25 software (see the sidebar "Therac-25 software development and design"). Unfortunately, the previous accounts of the Therac-25 problems have been. Between 1985 and 1987, it was involved in at least six patient deaths due to incorrect radiation doses because of computer software related failure. A brief note on the Therac-25 incident, 1432 words, Bartleby. A final feature was that some of the old software used in the Therac-6 and Therac-20 was used in the Therac-25. A bug that was discovered in the Therac-25 was later also found in the Therac-20.
The Therac-6 and Therac-20 had histories of clinical use without computer control; the Therac-25 software had more responsibility for safety than in previous machines. The developers of the software weren't tempted to introduce the bug. This blind faith in poorly understood software coded paradigms is known as cargo cult programming. AECL faxed me a statement approved by their lawyers that was to be their definitive answer to questions about the Therac-25 accidents. Patients were given hundreds of times more radiation than is usual for this treatment. The Therac-25 machine was a state-of-the-art linear accelerator developed by the company Atomic Energy Canada Limited (AECL) and a French company, CGR, to provide radiation treatment to cancer patients. The Therac-25 had only software interlocks, which were faulty. Additional functions had to be added because the Therac-20 and Therac-25 operate in both X-ray and electron mode, while the Therac-6 has only X-ray mode.