The Therac-20 and Therac-25 software programs were done independently; the safety analysis of the Therac-25 software was in the form of a fault tree. Why were there so many incidents from the Therac-25? While the immediate cause of the deaths was a race condition in the software, it was only capable of causing harm because the hardware safety mechanism had been removed as a cost-saving measure, without proper verification that the software was capable of doing the. Since the Therac-25 events, the FDA has moved to improve the reporting system and to augment their procedures and guidelines to include software. We then present a particular case, that of a radiation therapy machine in the mid 1980s that killed several people. A bug that was discovered in the Therac-25 was later also found in the Therac-20. The quality assurance manager was apparently unaware that some Therac-20 routines were also used in the Therac-25. This blind faith in poorly understood software coded paradigms is known as cargo cult programming. AECL built the Therac-6 and Therac-20 in partnership with CGR, a French company.
A number of patients received up to 100 times the intended dose, and at least three of them died as a direct result of the radiation. The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982, after the Therac-6 and Therac-20 units; the earlier units had been produced in partnership with CGR of France. It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. Therac-25 radiation overdoses: your expert root cause. Namely, there was great overconfidence in the Therac-25 not failing, and this only compounded the problems that stemmed from programming issues. This report provides an in-depth timeline and description of the Therac-25 incidents. On the surface, the primary reason that the Therac-20 killed far fewer people than the Therac-25 was the fact that the Therac-20 had hardware interlocks, while the Therac-25 did not. In one of the software quality classes we were talking about the famous case of the Therac-25, which came to my mind these days after dealing with my students. Introduction: every day in class I tell my students insistently that the software must be tested, that they are playing with people's lives. The previous product to the Therac-25 was the Therac-6, a 6 million electron volt accelerator. Some of the types of system problems found in the Therac-25 may be present in the medical radiation devices currently in use.
And when someone finally discovered the real problems, it was too little too late, and. The Therac-25 was much more of a management and engineering failure than a technical problem, though. Lessons learned from the Therac-25: reused software may contain bugs; well-designed UIs are crucial. The Therac-25 was a computer-controlled radiation therapy machine. Therac-25, part one: the programmer is responsible. The programmer is responsible for the malfunctioning Therac-25 software. In response to incidents like those associated with the Therac-25, the IEC 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree. For several years and thousands of patients there were no problems. In addition, the Therac-25 software reused the same Therac-6 package. Yet over the years there have been numerous reports, both official and unofficial, of accidents and overdoses involving the improper diagnostic and therapeutic application of ionizing radiation. The Therac-25 was a tragic example of how bad code hurts people. In each mode, bending magnets had to be set before it fired. Problems with the Therac-25: problems in the design. Furthermore, these problems are not limited to the medical industry.
Firstly, the software controlling the machine contained bugs which proved to be. In addition, I will examine the Therac-25's software bugs. When problems started occurring, investigators assumed that hardware was the cause and focused only on the hardware. I would argue that the problems apparently caused by code reuse were actually due to larger, more fundamental problems in the design of the Therac-25. Therac-25 background: a medical linear accelerator developed by Atomic Energy of Canada, Ltd. Unfortunately, he decided to add the emergency locks only in the software. The manufacturer said the Therac-25 could not have caused the overdoses and that no other incidents had been reported, which was untrue.
When the time came to design the Therac-25, the partnership had dissolved. Therac-25, software quality assurance, software testing, software inspection. The Therac-25 software also contained several user-friendly features. The physicists passed a resolution that there needed to be a hardware solution to the problems of the Therac-25 regardless of what software changes were made. A single programmer produced the software for the Therac-25. The bad software design and development practices, and not.
The number of medical radiation machines in the United States in 1985 was approximately. The Therac-25 was not a device anyone was happy to see. A case study of the Therac-25, Chuck Huff and Richard Brown. Abstract: almost all computer ethics courses use cases to some extent. The Therac-25: a case study in safety failure. Radiation therapy machine; the most serious computer-related accidents to date; people were killed. References.
The programmer should have used a better system to check the system after each use. The main problems in the development of this software had been the following. The reasoning given for not including software errors was the extensive testing given to the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error-proof: software errors were assumed to be caused by hardware errors, and residual software errors were not included in the analysis. The machine and its predecessors, the Therac-6 and Therac-20, was a product of the collaboration of Atomic Energy of Canada Limited (AECL) and a French company called CGR (Leveson, N.). It is still a common belief that any good engineer can build software, regardless of whether he. The Therac-25 was built by Atomic Energy of Canada Limited and a French company called CGR.
An investigation of the Therac-25 accidents, Stanford University. Related problems were found in the Therac-20 software. The problems which existed then still exist today: the attitudes, the haste, the poor engineering. The experience illustrates a number of principles that are vital to understanding how and why the design and analysis of safety-critical systems must be done in a methodical way according to established principles.
By 2009 the number had increased to approximately 4450. Who's largely responsible or to blame for the failure of the Therac-25? An investigation of the Therac-25 accidents, Nancy Leveson, University of Washington, Clark S. It provides understanding through addressing the testimonies, user and manufacturer responses, and problems that led to these tragedies.
This resulted in everyone from the manufacturers, to the FDA, to hospitals and operators assuming that it was a fail-safe machine, especially since its earlier versions had been working. AECL, which also brought along its legal staff, presented its plans for correction, all of which involved changing the software. PDF: Importance of software quality assurance to prevent. The Therac-25 is one of the most devastating computer-related engineering disasters to date. "A common mistake in engineering, in this case and in many others, is to put too much confidence in software," Leveson wrote.
The safety analysis of the Therac-25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection. The Therac-20 and Therac-25 software programs were done independently, starting from a common base. The premature assumption that the problems were detected. The software was inadequately tested, and patches were used from earlier versions of the machine. The Therac-25 machine was a state-of-the-art linear accelerator developed by the company Atomic Energy of Canada Limited (AECL) and a French company, CGR, to provide radiation treatment to cancer patients. The article proceeds to only skim over the plethora of other issues involved and mistakes made in the development process of the Therac-25; the next article, An Investigation of the Therac-25 Accidents by Nancy Leveson, delves much more into detail, but it does state that while the software was the lynchpin in the Therac-25, it.
The Therac-25 had no hardware protective circuits and depended solely on software for protection. Thus, while the hardware interlocks on the Therac-20 prevented software errors from causing problems, the Therac-25 had no similar mechanism. Since much of the software had been taken from the Therac-6 and Therac-20 systems, and since these software systems had been running many years without detectable errors, the analysts assumed there were no design problems in the software. The Therac-25 was a radiation therapy machine manufactured by AECL in the 80s, which offered a revolutionary dual treatment mode. One of the eventually discovered failure patterns in the Therac-25 software had to do with the. System Safety and Computers, Addison-Wesley, 1995.
The Therac-25 was manufactured by Atomic Energy of Canada Limited (AECL). AECL was expected to notify Therac-25 users of the problem, and of the FDA's recommendations. At the individual level, the programmer had the options of inserting the safety interlocks in the hardware, software, or both. Reading 05: Therac-25 case study, ethical and professional. The Therac-25 relied on software controls to switch between modes, rather than physical hardware. It was the third radiation therapy machine by the company, preceded by the Therac-6 and Therac-20. The Therac-25 incidents and present-day problems with computer-controlled linacs. These were not recognized until after the Therac-25 accidents because the Therac-20 included hardware safety interlocks and thus no injuries resulted. Nancy Leveson, a software safety expert who researched the Therac-25 extensively for her 1995 book, Software. For six unfortunate patients in 1986 and 1987, the Therac-25 did the. References to more recent accidents are included below.
After another 6 months of negotiation with the FDA, AECL received approval for its final corrective action plan. Computers are increasingly being introduced into safety-critical systems and, as a consequence, have been involved in accidents. The Therac-25 medical radiation therapy device was involved in several cases where massive overdoses of radiation were administered to patients in 1985-87, a side effect of the buggy software powering the device. A related tendency among engineers is to ignore software. The software of the Therac-25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place (Leveson and Turner, 1993, p.). They wanted a dose-per-pulse monitor on all the machines. The Therac-25 accidents form the basis for what is often considered the best-documented software safety case study available. Fatal dose: radiation deaths linked to AECL computer errors.
In February 1987, the FDA and its Canadian counterpart cooperated to require all units of the Therac-25 to be shut down until effective and permanent modifications were made. The Therac-25, just like any other technology, had its sociotechnical aspects. Writing software can seem cool and abstracted until you realise the impact your code can have. In a letter to a Therac-25 user, the AECL quality assurance manager said, "The same Therac-6 package was used by the AECL software people when they started the Therac-25 software." A final feature was that some of the old software used in the Therac-6 and Therac-20 was used in the Therac-25.
AECL made some hardware and software changes to fix these problems. Nancy Leveson and Clark Turner, "An Investigation of the Therac-25 Accidents," Computer, 26(7), July 1993, pp. 18-41. Code reuse, like any other software technique, can be done well or poorly. Finally, some software for the machines was interrelated or reused. Takes about 8 secs and is invoked multiple times. Race condition (from Nancy Leveson, Medical Devices).
In the Therac-25's case, the players at the three levels had at least two options from which to choose. Therac-25 case study: the Therac-25 is a radiation therapy machine that was used for treating patients with cancer. It was an extremely costly machine with high maintenance needs.
The first safety analysis on the Therac-25 did not include software, although nearly full responsibility for safety rested on the software. These two companies had collaborated since the early 1970s in building linear accelerators for medical applications. A history of the introduction and shutdown of the Therac-25. It was also designed from the outset to use software-based safety systems rather than hardware controls. A series of accidents involving the AECL Therac-25 in the 1980s caused three fatalities and other serious injuries.
Therac-25 software: see the sidebar "Therac-25 software development and design." Also, if AECL had believed that there were problems with the Therac-25 right after the first incident, then it is possible that most of the 5 other incidents could have been avoided, and possibly the 3 fatalities.
System Safety and Computers, wrote this about the software problems that plagued the Therac-25. AECL produced the first hardwired prototype of the Therac-25 in 1976, and the completely computerized commercial version. Once the FDA got involved in the Therac-25, their response was impressive, especially considering how little experience they had with similar problems in computer-controlled medical devices. An investigation of the Therac-25 accidents, Nancy G.