
The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982 after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with of France). It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. Because of concurrent programming errors (also known as race conditions), it sometimes gave its patients radiation doses that were hundreds of times greater than normal, resulting in death or serious injury. These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics, software engineering, and computer ethics. Additionally, the overconfidence of the engineers and lack of proper due diligence to resolve reported software bugs are highlighted as an extreme case where the engineers' overconfidence in their initial work and failure to believe the end users' claims caused drastic repercussions.


Design

The machine had three modes of operation, with a turntable moving some apparatus into position for each of those modes: either a light, some scan magnets, or a tungsten target and flattener.

* A "field light" mode, which allowed the patient and collimator to be correctly positioned by illuminating the treatment area with visible light.
* Direct electron-beam therapy, in which a narrow, low-current beam of high-energy () electrons was scanned over the treatment area by magnets.
* Megavolt X-ray (or photon) therapy, which delivered a beam of 25 MeV X-ray photons. The X-ray photons are produced by colliding a high-current, narrow beam of electrons with a tungsten target. The X-rays are then passed through a flattening filter, and then measured using an X-ray ion chamber. The flattening filter resembles an inverted ice-cream cone, and it shapes and attenuates the X-rays. The electron beam current required to produce the X-rays is about 100 times greater than that used for electron therapy.


Problem description

The six documented accidents occurred when the high-current electron beam generated in X-ray mode was delivered directly to patients. Two software faults were to blame. The first occurred when the operator incorrectly selected X-ray mode before quickly changing to electron mode, which allowed the electron beam to be set for X-ray mode without the X-ray target being in place. The second allowed the electron beam to activate during field-light mode, during which no beam scanner was active and no target was in place. Previous models had hardware interlocks to prevent such faults, but the Therac-25 had removed them, depending instead on software checks for safety. The high-current electron beam struck the patients with approximately 100 times the intended dose of radiation, and over a narrower area, delivering a potentially lethal dose of beta radiation. The feeling was described by patient Ray Cox as "an intense electric shock", causing him to scream and run out of the treatment room. Several days later, radiation burns appeared, and the patients showed the symptoms of radiation poisoning; in three cases, the injured patients later died as a result of the overdose.
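
The first fault, and the role of the removed interlock, can be shown with a small model. This is an added example, not Therac-25 code: the type and function names, and the rule that an edit made before the 8-second setup finishes is missed by the beam-current setup but followed by the turntable, are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT the Therac-25 code. All names and the timing
   model are assumptions made for illustration. */
#define SETUP_SECONDS 8     /* window during which edits go unnoticed */
#define NO_EDIT (-1)        /* operator never edited the mode field */

typedef enum { MODE_XRAY, MODE_ELECTRON } beam_mode_t;
typedef enum { CURRENT_LOW, CURRENT_HIGH } current_t;
typedef enum { TT_TARGET, TT_SCAN_MAGNETS } turntable_t;
typedef struct { current_t current; turntable_t turntable; } config_t;

/* Beam current is taken from the mode seen when setup starts; an edit made
   before setup finishes is missed. The turntable follows the final entry. */
config_t configure(beam_mode_t first, int edit_at, beam_mode_t edited)
{
    beam_mode_t final_mode = (edit_at == NO_EDIT) ? first : edited;
    bool edit_missed = (edit_at != NO_EDIT && edit_at < SETUP_SECONDS);
    beam_mode_t current_mode = edit_missed ? first : final_mode;

    config_t c;
    c.current   = (current_mode == MODE_XRAY) ? CURRENT_HIGH : CURRENT_LOW;
    c.turntable = (final_mode == MODE_XRAY) ? TT_TARGET : TT_SCAN_MAGNETS;
    return c;
}

/* Hazard: X-ray-level current with no target in the beam path. */
bool is_hazardous(config_t c)
{
    return c.current == CURRENT_HIGH && c.turntable != TT_TARGET;
}

/* An independent check of the physical state just before beam-on plays
   the role that the hardware interlock had on earlier models. */
bool beam_fires(config_t c, bool interlock_present)
{
    return !(interlock_present && is_hazardous(c));
}

int main(void)
{
    config_t fast = configure(MODE_XRAY, 5, MODE_ELECTRON); /* edit at 5 s */
    config_t slow = configure(MODE_XRAY, 9, MODE_ELECTRON); /* edit at 9 s */
    printf("fast edit: hazardous=%d fires(no interlock)=%d fires(interlock)=%d\n",
           is_hazardous(fast), beam_fires(fast, false), beam_fires(fast, true));
    printf("slow edit: hazardous=%d\n", is_hazardous(slow));
    return 0;
}
```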


Root causes

A commission attributed the primary cause to general poor software design and development practices rather than singling out specific coding errors. In particular, the software was designed so that it was realistically impossible to test it in a rigorous, automated way.

Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:

* AECL did not have the software code independently reviewed and chose to rely on in-house code, including the operating system.
* AECL did not consider the design of the software during its assessment of how the machine might produce the desired results and what failure modes existed, focusing purely on hardware and asserting that the software was free of bugs.
* Machine operators were reassured by AECL personnel that overdoses were impossible, leading them to dismiss the Therac-25 as the potential cause of many incidents.
* AECL had never tested the Therac-25 with the combination of software and hardware until it was assembled at the hospital.

The researchers also found several engineering issues:

* Several error messages merely displayed the word "MALFUNCTION" followed by a number from 1 to 64. The user manual did not explain or even address the error codes, nor give any indication that these errors could pose a threat to patient safety.
* The system distinguished between errors that halted the machine, requiring a restart, and errors which merely paused the machine (which allowed operators to continue with the same settings using a keypress). However, some errors which endangered the patient merely paused the machine, and the frequent occurrence of minor errors caused operators to become accustomed to habitually unpausing the machine.
** One failure occurred when a particular sequence of keystrokes was entered on the VT-100 terminal which controlled the PDP-11 computer: the operator pressed "X" to (erroneously) select 25 MeV photon mode, then used "cursor up" to edit the input to "E" to (correctly) select 25 MeV Electron mode, then pressed "Enter", all within eight seconds of the first keypress, which was well within the capability of an experienced user of the machine. These edits were not noticed as it would take 8 seconds for startup, so it would go with the default setup.
* The design did not have any hardware interlocks to prevent the electron beam from operating in its high-energy mode without the target in place.
* The engineer had reused software from the Therac-6 and Therac-20, which used hardware interlocks that masked their software defects. Those hardware safeties had no way of reporting that they had been triggered, so preexisting errors were overlooked.
* The hardware provided no way for the software to verify that sensors were working correctly. The table-position system was the first implicated in Therac-25's failures; the manufacturer revised it with redundant switches to cross-check their operation.
* The software set a flag variable by incrementing it, rather than by setting it to a fixed non-zero value. Occasionally an arithmetic overflow occurred, causing the flag to return to zero and the software to bypass safety checks.
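
The last item in the list above, the incremented flag, is modelled below beside the fixed-value form. This is an added example, not the Therac-25 source: the 8-bit flag width, the names and the loop structure are assumptions, and the sensor state is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not the Therac-25 source. The 8-bit flag width and
   all names are assumptions made for illustration. */
typedef struct {
    uint8_t check_needed;     /* non-zero means "verify position first" */
    bool    target_in_place;  /* constructed sensor state */
} machine_t;

/* Flawed: "set" the flag by incrementing it; 255 + 1 wraps to 0. */
static void mark_check_incremented(machine_t *m) { m->check_needed++; }

/* Corrected: assign a fixed non-zero value, which cannot wrap. */
static void mark_check_fixed(machine_t *m) { m->check_needed = 1; }

/* Returns true if the beam would be permitted on this pass. */
static bool beam_permitted(const machine_t *m)
{
    if (m->check_needed != 0)       /* position check runs only if flagged */
        return m->target_in_place;
    return true;                    /* flag is zero: check is bypassed */
}

/* Runs `passes` setup passes with the target out of place and counts how
   many of them would permit the beam anyway. */
int count_unsafe_permits(int passes, bool use_fixed)
{
    machine_t m = { .check_needed = 0, .target_in_place = false };
    int unsafe = 0;
    for (int i = 0; i < passes; i++) {
        if (use_fixed)
            mark_check_fixed(&m);
        else
            mark_check_incremented(&m);
        if (beam_permitted(&m))
            unsafe++;
    }
    return unsafe;
}

int main(void)
{
    printf("incremented flag, 1000 passes: %d unsafe permits\n",
           count_unsafe_permits(1000, false));
    printf("fixed-value flag, 1000 passes: %d unsafe permits\n",
           count_unsafe_permits(1000, true));
    return 0;
}
```

Under these assumptions the check is skipped on every 256th pass, which is why such a fault appears only occasionally and is hard to reproduce on demand.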

Leveson notes that a lesson to be drawn from the incident is to not assume that reused software is safe: "A naive assumption is often made that reusing software or using commercial off-the-shelf software will increase safety because the software will have been exercised extensively. Reusing software modules does not guarantee safety in the new system to which they are transferred..." In response to incidents like those associated with Therac-25, the IEC 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree.


See also

* Computer ethics
* High integrity software
* IEC 62304
* Ionizing radiation
* List of civilian radiation accidents
* Nuclear and radiation accidents
* Radiation protection



Further reading

* (short summary of the Therac-25 Accidents)