Therac-25

The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982 after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France).

It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation.[1]:425 Because of concurrent programming errors, it sometimes gave its patients radiation doses that were hundreds of times greater than normal, resulting in death or serious injury.[2] These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics and software engineering. Additionally the overconfidence of the engineers[1]:428 and lack of proper due diligence to resolve reported software bugs, is highlighted as an extreme case where the engineer's overconfidence in their initial work and failure to believe the end users' claims caused drastic repercussions.

Design

The machine offered two modes of radiation therapy:

When operating in direct electron-beam therapy mode, a low-powered electron beam was emitted directly from the machine, then spread to safe concentration using scanning magnets. When operating in megavolt X-ray mode, the machine was designed to rotate four components into the path of the electron beam: a target, which converted the electron beam into X-rays; a flattening filter, which spread the beam out over a larger area; a set of movable blocks (also called a collimator), which shaped the X-ray beam; and an X-ray ion chamber, which measured the strength of the beam.

Problem description

The accidents occurred when the high-power electron beam was activated instead of the intended low power beam, and without the beam spreader plate rotated into place. Previous models had hardware interlocks in place to prevent this, but Therac-25 had removed them, depending instead on software interlocks for safety. The software interlock could fail due to a race condition. The defect was as follows: a one-byte counter in a testing routine frequently overflowed; if an operator provided manual input to the machine at the precise moment that this counter overflowed, the interlock would fail.[2]

The high-powered electron beam struck the patients with approximately 100 times the intended dose of radiation, delivering a potentially lethal dose of beta radiation. The feeling was described by patient Ray Cox as "an intense electric shock", causing him to scream and run out of the treatment room.[3] Several days later, radiation burns appeared and the patients showed the symptoms of radiation poisoning; in three cases, the injured patients later died as a result of the overdose.[4]

Root causes

A commission concluded that the primary reason should be attributed to the bad software design and development practices, and not explicitly to several coding errors that were found. In particular, the software was designed so that it was realistically impossible to test it in a clean automated way.[5]

Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:

The researchers also found several engineering issues:

The software was written in assembly language that might require more attention for testing and good design. However the choice of language by itself is not listed as a primary cause in the report. The machine also used its own operating system.

Leveson notes that a lesson to be drawn from the incident is to not assume that reused software is safe: "A naive assumption is often made that reusing software or using commercial off-the-shelf software will increase safety because the software will have been exercised extensively. Reusing software modules does not guarantee safety in the new system to which they are transferred..."[5] This blind faith in poorly understood software coded paradigms is known as Cargo cult programming. In response to incidents like those associated with Therac-25, the IEC 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree.[6]

See also

Notes

  1. 1 2 3 Baase, Sara (2008). A Gift of Fire. Pearson Prentice Hall.
  2. 1 2 Leveson, Nancy G.; Turner, Clark S. (July 1993). "An Investigation of the Therac-25 Accidents" (PDF). IEEE Computer. 26 (7): 18–41.
  3. 1 2 Casey, Steven. Set Phasers On Stun - Design and Human Error. Aegean Publishing Company. pp. 11–16.
  4. Rose, Barbara Wade. "Fatal Dose - Radiation Deaths linked to AECL Computer Errors". www.ccnr.org. Retrieved 14 June 2016.
  5. 1 2 3 Leveson, Nancy, University of Washington (1995). "Medical Devices: The Therac-25 Accidents" (PDF). Safeware: System Safety, and Computers (Update of the 1993 IEEE Computer article ed.). Addison-Wesley.
  6. Hall, Ken (June 1, 2010). "Developing Medical Device Software to IEC 62304". MDDI - Medical Device and Diagnostic Industry. Retrieved 2016-12-12.

Additional reading

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.