Therac-25

The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France).

Therac 25 user interface ^[1]
PATIENT NAME : JOHN DOE TREATMENT MODE : FIX BEAM TYPE: X ENERGY (MeV): 25 ACTUAL PRESCRIBED UNIT RATE/MINUTE 0 200 MONITOR UNITS 50 50 200 TIME (MIN) 0.27 1.00 GANTRY ROTATION (DEG) 0.0 0 VERIFIED COLLIMATOR ROTATION (DEG) 359.2 359 VERIFIED COLLIMATOR X (CM) 14.2 14.3 VERIFIED COLLIMATOR Y (CM) 27.2 27.3 VERIFIED WEDGE NUMBER 1 1 VERIFIED ACCESSORY NUMBER 0 0 VERIFIED DATE : 84-OCT-26 SYSTEM : BEAM READY OP.MODE: TREAT AUTO TIME : 12:55. 8 TREAT : TREAT PAUSE X-RAY 173777 OPR ID : T25VO2-RO3 REASON : OPERATOR COMMAND:

Therac 25 user interface ^[1]


PATIENT NAME   : JOHN DOE
TREATMENT MODE : FIX     BEAM TYPE: X     ENERGY (MeV): 25

                          ACTUAL     PRESCRIBED
    UNIT RATE/MINUTE          0            200
    MONITOR UNITS         50  50           200
    TIME (MIN)             0.27           1.00

GANTRY ROTATION (DEG)       0.0              0     VERIFIED
COLLIMATOR ROTATION (DEG) 359.2            359     VERIFIED
COLLIMATOR X (CM)          14.2           14.3     VERIFIED
COLLIMATOR Y (CM)          27.2           27.3     VERIFIED
WEDGE NUMBER                  1              1     VERIFIED
ACCESSORY NUMBER              0              0     VERIFIED

DATE   : 84-OCT-26   SYSTEM : BEAM READY   OP.MODE: TREAT AUTO
TIME   : 12:55. 8    TREAT  : TREAT PAUSE           X-RAY 173777
OPR ID : T25VO2-RO3  REASON : OPERATOR     COMMAND:

It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation, approximately 100 times the intended dose.^[2] These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics and software engineering.

1 Problem description
2 Root causes
3 See also
4 Notes
5 References
6 External links

Problem description

The machine offered two modes of radiation therapy:

Direct electron-beam therapy, which delivered low doses of high-energy (5 MeV to 25 MeV) electrons over short periods of time;
Megavolt X-ray therapy, which delivered X-rays produced by colliding high-energy (25 MeV) electrons into a "target".

When operating in direct electron-beam therapy mode, a low-powered electron beam was emitted directly from the machine, then spread to safe concentration using scanning magnets. When operating in megavolt X-ray mode, the machine was designed to rotate four components into the path of the electron beam: a target, which converted the electron beam into X-rays; a flattening filter, which spread the beam out over a larger area; a set of movable blocks (also called a collimator), which shaped the X-ray beam; and an X-ray ion chamber, which measured the strength of the beam.

The accidents occurred when the high-power electron beam was activated instead of the intended low power beam, and without the beam spreader plate rotated into place. The machine's software did not detect that this had occurred, and therefore did not prevent the patient from receiving a potentially lethal dose of beta radiation. The high-powered electron beam struck the patients with approximately 100 times the intended dose of radiation, causing a feeling described by patient Ray Cox as "an intense electric shock". It caused him to scream and run out of the treatment room.^[3] Several days later, radiation burns appeared and the patients showed the symptoms of radiation poisoning. In three cases, the injured patients later died from radiation poisoning.

The software flaw is recognized as a race condition.

Root causes

A commission has concluded ^[1] that the primary reason should be attributed to the bad software design and development practices, and not explicitly to several coding errors that were found. In particular, the software was designed so that it was realistically impossible to test it in a clean automated way.

Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:

AECL did not have the software code independently reviewed.
AECL did not consider the design of the software during its assessment of how the machine might produce the desired results and what failure modes existed. These form parts of the general techniques known as reliability modeling and risk management.
The system noticed that something was wrong and halted the X-ray beam, but merely displayed the word "MALFUNCTION" followed by a number from 1 to 64. The user manual did not explain or even address the error codes, so the operator pressed the P key to override the warning and proceed anyway.
AECL personnel, as well as machine operators, initially did not believe complaints. This was likely due to overconfidence.^[4]
AECL had never tested the Therac-25 with the combination of software and hardware until it was assembled at the hospital.

The researchers also found several engineering issues:

The failure only occurred when a particular nonstandard sequence of keystrokes was entered on the VT-100 terminal which controlled the PDP-11 computer: an "X" to (erroneously) select 25MV photon mode followed by "cursor up", "E" to (correctly) select 25 MeV Electron mode, then "Enter", all within eight seconds.^[1] This sequence of keystrokes was improbable, and so the problem did not occur very often and went unnoticed for a long time.^[3]
The design did not have any hardware interlocks to prevent the electron-beam from operating in its high-energy mode without the target in place.
The engineer had reused software from older models. These models had hardware interlocks that masked their software defects. Those hardware safeties had no way of reporting that they had been triggered, so there was no indication of the existence of faulty software commands.
The hardware provided no way for the software to verify that sensors were working correctly (see open-loop controller). The table-position system was the first implicated in Therac-25's failures; the manufacturer revised it with redundant switches to cross-check their operation.
The equipment control task did not properly synchronize with the operator interface task, so that race conditions occurred if the operator changed the setup too quickly. This was missed during testing, since it took some practice before operators were able to work quickly enough to trigger this failure mode.
The software set a flag variable by incrementing it. Occasionally an arithmetic overflow occurred, causing the software to bypass safety checks.

The software was written in assembly language that might require more attention for testing and good design. However the choice of language by itself is not listed as a primary cause in the report. The machine also used its own operating system.

Notes

^ ^a ^b ^c Medical Devices: The Therac-25 Nancy Leveson, University of Washington
^ Baase 2008, p.425.
^ ^a ^b Set Phasers On Stun - Design and Human Error, Steven Casey, pp. 11-16
^ Baase 2008, p.428.

References

Baase, S (2008). "A Gift of Fire", Pearson Prentice Hall.

External links

The Therac-25 Accidents (PDF), by Nancy G. Leveson (the 1995 update of the IEEE Computer article mentioned below)
Leveson, Nancy G., and Turner, Clark S. (July 1993). "An Investigation of the Therac-25 Accidents," Computer (IEEE), 26(7):18-41. (login required)
Short summary of the Therac-25 Accidents

Nuclear technology

Science

Chemistry · Engineering · Physics · Atomic nucleus · Fission · Fusion · Radiation (ionizing)

Fuel

Deuterium · Fertile material · Fissile · Isotope separation · Plutonium · Thorium · Tritium · Uranium (enriched • depleted)

Neutron

Activation · Capture · Cross-section · Fast · Fusion · Generator · Poison · Radiation · Reflector · Temp · Thermal

Reactors

Fission
reactors
by
moderator

Water	Boiling (BWR · ABWR) · Heavy (CANDU · PHWR · SGHWR) · Natural (NFR) · Pressurized (PWR · VVER · EPR) · Supercritical (SCWR)

Carbon	Advanced gas-cooled (AGR) · Magnox · Pebble bed (PBMR) · RBMK · UHTREX · Very high temperature (VHTR)

FLiBe	Molten salt reactor (MSR) · Liquid fluoride thorium reactor (LFTR)

None (Fast)	Breeder (FBR) · Integral (IFR) · Liquid-metal-cooled (LMFR) · SSTAR · Traveling Wave (TWR) Generation IV by coolant: (Gas (GFR) · Lead (LFR) · Sodium (SFR))

Fusion
reactors
by
confinement

Magnetic	Field-reversed configuration · Levitated dipole · Reversed field pinch · Spheromak · Stellarator · Tokamak

Inertial	Bubble fusion (acoustic) · Fusor (electrostatic) · Laser-driven · Magnetized target · Z-pinch

Other	Dense plasma focus · Migma · Muon-catalyzed · Polywell · Pyroelectric

List of nuclear reactors

Power

Nuclear power plant · By country · Economics · Fusion · Isotope thermoelectric (RTG) · Propulsion (rocket) · Safety

Medicine

Imaging
by
radiation

Gamma camera	Scintigraphy · Positron emission (PET) · Single photon emission (SPECT)

X-ray	Projectional radiography · Computed tomography

Therapy

Boron neutron capture (BNCT) · Brachytherapy · Proton · Radiation · Tomotherapy

Weapon

Topics	Arms race · Delivery · Design · Explosion (effects) · History · Proliferation · Testing (underground) · Warfare · Yield (TNTe)

Lists	Popular culture · States · Tests · Treaties · Weapon-free zones · Weapons

Waste

Products	Actinide: (Reprocessed uranium · Reactor-grade plutonium · Minor actinide) · Activation · Fission (LLFP)

Disposal	Fuel cycle · HLW · LLW · Repository · Reprocessing · Spent fuel (pool • cask) · Transmutation

Debate

Nuclear power debate · Nuclear weapons debate · Anti-nuclear movement · Uranium mining debate · Nuclear power phase-out