Therac-25
Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited. It was involved in at least six known accidents between 1985 and 1987, in which patients were given massive overdoses. The overdoses were in some cases on the order of tens of thousands of rad. At least two patients died of the overdoses. These accidents highlighted the dangers of software control of safety-critical systems.
Problem description
The machine had two treatment modes:
In direct electron-beam therapy mode, a low-powered electron beam was emitted directly from the machine. In soft X-ray mode, a beam flattener mounted in the machine's turntable was to be rotated into the path of the beam, which was then driven with a much higher electron-beam current (about 100 times the beam power used in electron-beam therapy mode) so that a safe amount of X-rays was emitted. The accidents occurred when the high-energy electron beam was activated without the beam flattener having been rotated into place. The very high energy electron beam struck the patients directly, causing the sensation of an intense electric shock together with thermal and radiation burns. In some cases, the injured patients later died of radiation poisoning.
Root causes
Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:
- The software code was not independently reviewed.
- The software design was not documented with enough detail to support reliability modelling.
- The system documentation did not adequately explain error codes.
- AECL personnel were at first dismissive of complaints.
The researchers also found several engineering issues:
- The design did not have any hardware interlocks to prevent the electron-beam from operating in its high-energy mode without the metal X-ray target in place.
- Software from older models had been reused without properly considering the hardware differences.
- The software assumed that sensors always worked correctly, since there was no way to verify them (an open-loop design).
- The equipment control task did not properly synchronize with the operator interface task, so that race conditions occurred if the operator changed the setup too quickly.
- Arithmetic overflows could cause the software to bypass safety checks.
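The overflow point above is worth seeing in code. The following is an added, constructed model (not the article's text and not AECL's software; the counter name and the 8-bit width are assumptions) of how a safety check gated on a one-byte counter is silently skipped on the pass where the counter wraps to zero, beside a version that runs the interlock check unconditionally.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum { TARGET_MISSING = 0, TARGET_IN_PLACE = 1 };

/* Constructed model of the flawed pattern: an 8-bit "setup pending" counter
 * is incremented on every pass of the setup loop, and the target-position
 * check only runs while the counter is non-zero. On the 256th pass the
 * counter wraps to 0, which the code reads as "nothing pending", so the
 * check is bypassed. Returns true if the beam would be allowed to fire. */
bool flawed_setup_allows_fire(unsigned n_passes, int target_state) {
    uint8_t setup_pending = 0;      /* assumed 8-bit counter: wraps at 256 */
    bool fire_allowed = false;
    for (unsigned i = 0; i < n_passes; i++) {
        setup_pending++;            /* 255 + 1 -> 0 on the 256th pass */
        if (setup_pending != 0) {
            /* safety check: refuse to fire unless the target is in place */
            fire_allowed = (target_state == TARGET_IN_PLACE);
        } else {
            /* counter reads zero: treated as "setup complete", check skipped */
            fire_allowed = true;
        }
    }
    return fire_allowed;
}

/* Hardened form: the interlock check is never gated on a value that can
 * wrap; it runs on every pass and the default is fail-closed. */
bool hardened_setup_allows_fire(unsigned n_passes, int target_state) {
    bool fire_allowed = false;      /* fail closed when no pass has run */
    for (unsigned i = 0; i < n_passes; i++) {
        fire_allowed = (target_state == TARGET_IN_PLACE);
    }
    return fire_allowed;
}

int main(void) {
    printf("flawed, 255 passes, target missing: fire=%d\n",
           flawed_setup_allows_fire(255, TARGET_MISSING));   /* 0 */
    printf("flawed, 256 passes, target missing: fire=%d\n",
           flawed_setup_allows_fire(256, TARGET_MISSING));   /* 1: bypassed */
    printf("hardened, 256 passes, target missing: fire=%d\n",
           hardened_setup_allows_fire(256, TARGET_MISSING)); /* 0 */
    return 0;
}
```

The software fix only narrows the window; the page's first engineering point still applies, since a hardware interlock would refuse the high-energy beam regardless of what the counter reads.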
These incidents have become a standard case study in the history of computing and medicine.
External links
- The Therac-25 Accidents (http://sunnyday.mit.edu/papers/therac.pdf), by Nancy Leveson (the updated version of the IEEE Computer article mentioned below)
- An Investigation of the Therac-25 Accidents (IEEE Computer) (http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Therac_1.html)
- Short summary of the Therac-25 Accidents (http://neptune.netcomp.monash.edu.au/cpe9001/assets/readings/www_uguelph_ca_~tgallagh_~tgallagh.html)