Therac-25

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982 after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with Compagnie Générale Radiographique (CGR) of France).

It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation.[1]: 425 Because of concurrent programming errors (also known as race conditions), it sometimes gave its patients radiation doses that were hundreds of times greater than normal, resulting in death or serious injury.[2] These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics, software engineering, and computer ethics. Additionally, the overconfidence of the engineers[1]: 428 and lack of proper due diligence to resolve reported software bugs are highlighted as an extreme case where the engineers' overconfidence in their initial work and failure to believe the end users' claims caused drastic repercussions.

Design[edit]

The machine had three modes of operation, with a turntable moving some apparatus into position for each of those modes: either a light, some scan magnets, or a tungsten target and flattener.[3]

  • A "field light" mode, which allowed the patient and collimator to be correctly positioned by illuminating the treatment area with visible light.
  • Direct electron-beam therapy, in which a narrow, low-current beam of high-energy (5 to 25 MeV (0.80 to 4.01 pJ)) electrons was scanned over the treatment area by magnets;[3]
  • Megavolt X-ray (or photon) therapy, which delivered a beam of 25 MeV X-ray photons. The X-ray photons are produced by colliding a high current, narrow beam of electrons with a tungsten target. The X-rays are then passed through a flattening filter, resembling an inverted ice-cream cone, which shapes and attenuates the beam, and then measured using an X-ray ion chamber. The electron beam current required to produce the X-rays is about 100 times greater than that used for electron therapy.[3]

Problem description[edit]

Simulated Therac-25 user interface

The six documented accidents occurred when the high-current electron beam generated in X-ray mode was delivered directly to patients. Two software faults were to blame.[3] One, when the operator incorrectly selected X-ray mode before quickly changing to electron mode, which allowed the electron beam to be set for X-ray mode without the X-ray target being in place. A second fault allowed the electron beam to activate during field-light mode, during which no beam scanner was active or target was in place.

Previous models had hardware interlocks to prevent such faults, but the Therac-25 had removed them, depending instead on software checks for safety.

The high-current electron beam struck the patients with approximately 100 times the intended dose of radiation, and over a narrower area, delivering a potentially lethal dose of beta radiation. The feeling was described by patient Ray Cox as "an intense electric shock", causing him to scream and run out of the treatment room.[4] Several days later, radiation burns appeared, and the patients showed the symptoms of radiation poisoning; in three cases, the injured patients later died as a result of the overdose.[5]

Root causes[edit]

A commission attributed the primary cause to general poor software design and development practices rather than single-out specific coding errors. In particular, the software was designed so that it was realistically impossible to test it in a clean automated way.[3]: 48 [additional citation(s) needed]

Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:

  • AECL did not have the software code independently reviewed and chose to rely on in-house code, including the operating system.
  • AECL did not consider the design of the software during its assessment of how the machine might produce the desired results and what failure modes existed, focusing purely on hardware and asserting that the software was free of bugs.
  • Machine operators were reassured by AECL personnel that overdoses were impossible, leading them to dismiss the Therac-25 as the potential cause of many incidents.[1]: 428
  • AECL had never tested the Therac-25 with the combination of software and hardware until it was assembled at the hospital.

The researchers also found several engineering issues:

  • Several error messages merely displayed the word "MALFUNCTION" followed by a number from 1 to 64. The user manual did not explain or even address the error codes, nor give any indication that these errors could pose a threat to patient safety.
  • The system distinguished between errors that halted the machine, requiring a restart, and errors which merely paused the machine (which allowed operators to continue with the same settings using a keypress). However, some errors which endangered the patient merely paused the machine, and the frequent occurrence of minor errors caused operators to become accustomed to habitually unpausing the machine.
    • One failure occurred when a particular sequence of keystrokes was entered on the VT-100 terminal which controlled the PDP-11 computer: if the operator were to press "X" to (erroneously) select 25 MeV photon mode, then use "cursor up" to edit the input to "E" to (correctly) select 25 MeV Electron mode, then "Enter", all within eight seconds of the first keypress, well within the capability of an experienced user of the machine.[3]
  • The design did not have any hardware interlocks to prevent the electron-beam from operating in its high-energy mode without the target in place.
  • The engineer had reused software from the Therac-6 and Therac-20, which used hardware interlocks that masked their software defects. Those hardware safeties had no way of reporting that they had been triggered, so preexisting errors were overlooked.
  • The hardware provided no way for the software to verify that sensors were working correctly. The table-position system was the first implicated in Therac-25's failures; the manufacturer revised it with redundant switches to cross-check their operation.
  • The software set a flag variable by incrementing it, rather than by setting it to a fixed non-zero value. Occasionally an arithmetic overflow occurred, causing the flag to return to zero and the software to bypass safety checks.

Leveson notes that a lesson to be drawn from the incident is to not assume that reused software is safe:[6] "A naive assumption is often made that reusing software or using commercial off-the-shelf software will increase safety because the software will have been exercised extensively. Reusing software modules does not guarantee safety in the new system to which they are transferred..."[3] This blind faith in poorly understood software coded paradigms is known as cargo cult programming. In response to incidents like those associated with Therac-25, the IEC 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree.[7]

See also[edit]

Further reading[edit]

  • Gallagher, Troy. THERAC-25: Computerized Radiation Therapy. Archived from the original on 2007-12-12. (short summary of the Therac-25 Accidents)

References[edit]

  1. ^ a b c Baase, Sara (5 August 2012). "8.2 Case Study: The Therac-25". A Gift of Fire: Social, Legal, and Ethical Issues for Computing Technology (application/ld+json) (4th ed.). Pearson Prentice Hall. pp. 425–430. ISBN 978-0132492676. LCCN 2012020988. OCLC 840390999. OL 25355635M – via Internet Archive.{{cite book}}: CS1 maint: date and year (link)
  2. ^ Leveson, Nancy G.; Turner, Clark S. (1 July 1993). "An Investigation of the Therac-25 Accidents". Computer. IEEE Computer Society. 26 (7): 18–41. doi:10.1109/MC.1993.274940. eISSN 1558-0814. ISSN 0018-9162. LCCN 74648480. OCLC 2240099. S2CID 9691171.
  3. ^ a b c d e f g Leveson, Nancy G. (17 April 1995). "Appendix A: Medical Devices: The Therac-25" (PDF). Safeware: System Safety and Computers (1st ed.). Addison-Wesley. ISBN 978-0201119725. OCLC 841117551. OL 7406745M – via University of Central Florida.
  4. ^ Casey, Steven (1 January 1998). Set Phasers on Stun: And Other True Tales of Design, Technology, and Human Error (2nd ed.). Aegean Publishing Company. pp. 11–16. ISBN 978-0963617880. LCCN 97077875. OCLC 476275373. OL 712024M.
  5. ^ Rose, Barbara Wade (1 June 1994). "Fatal Dose - Radiation Deaths linked to AECL Computer Errors". Saturday Night. ISSN 0036-4975. OCLC 222180972. Archived from the original on 24 November 2021. Retrieved 27 December 2021 – via Canadian Coalition for Nuclear Responsibility (CCNR).{{cite magazine}}: CS1 maint: date and year (link)
  6. ^ Leveson, Nancy G. (1 November 2017). "The Therac-25: 30 Years Later". Computer. IEEE Computer Society. 50 (11): 8–11. doi:10.1109/MC.2017.4041349. eISSN 1558-0814. ISSN 0018-9162. LCCN 74648480. OCLC 2240099.
  7. ^ Hall, Ken (1 June 2010). "Developing Medical Device Software to IEC 62304". MD&DI. ISSN 0194-844X. OCLC 647577709. Retrieved 24 December 2021.