The Therac-25: A Software Fatal Failure

The Therac-25 was a medical linear accelerator used to treat cancer patients. Between 1985 and 1987, software faults led to radiation overdoses, three of them fatal. The investigation found race conditions in software reused from earlier models that allowed the beam to be energized despite error conditions, compounded by the absence of independent software verification and inadequate safety procedures. The accidents highlighted the importance of rigorous software engineering practices for safety-critical systems.
+

THE THERAC-25

- A SOFTWARE FATAL FAILURE

Kpea, Aagbara Saturday


SYSM 6309
Spring ’12
UT-Dallas
+
What is the Therac-25?

The Therac-25 was a medical linear accelerator used to treat cancer
patients by irradiating tumors.


+ Background Information

 Early 1970s: AECL (Atomic Energy of Canada Limited) and a French company
(CGR) collaborate to build medical linear accelerators (linacs).

 They develop the Therac-6 and the Therac-20.

 AECL and CGR end their working relationship in 1981.

 In 1976, AECL develops the "double pass" accelerator design, which leads to
the development of the Therac-25.

 In March 1983, AECL performs a safety analysis (a fault tree analysis) of the Therac-25
which apparently excludes the software.
+
Background info … contd

 July 29, 1983: the Canadian Consulate General announces the introduction
of the new "Therac-25" machine manufactured by AECL Medical, a
division of Atomic Energy of Canada Limited.

 The Therac-25 belongs to the class of devices known generally as medical
linear accelerators (linacs).


+ How the Therac-25 works:

Generating an Electron Beam

 A linear accelerator works on the same principle as a (CRT) computer monitor.
 In the monitor, electrons are accelerated by an electron gun at the back of the
tube and directed at the inside of the screen.
 A medical linear accelerator produces an electron beam about 1,000 times more
powerful than that of a standard computer monitor.
 Medical linear accelerators accelerate electrons to create high-energy beams
that can destroy tumors with minimal impact on surrounding healthy tissue.
 The Therac-25 is designed to fold the beam back and forth ("double pass") so that
a long acceleration path fits into a smaller space.
+
Getting the Beam into the Body

 Shallow tissue is treated with accelerated electrons.

 Scanning magnets are placed in the path of the beam; the spread of the
beam (and thus its intensity at the patient) is controlled by the
magnetic fields generated by these magnets.

 Deeper tissue is treated with X-ray photons.

 The X-ray beam is produced by striking a target and is flattened by a
device in the machine so that the appropriate intensity reaches the patient.

 The beams kill (or retard the growth of) the cancerous tissue.
+ Accidents with the Therac-25

 At the East Texas Cancer Center in Tyler, Texas (March 1986), a
patient complained of a bright flash of light, heard a frying, buzzing sound,
and felt a thump and heat like an electric shock.

 These symptoms indicate a radiation overdose delivered by the Therac-25
during the treatment session.

 A few days after the unit was put back into operation (April 1986), another patient
complained that his face felt like it was on fire.

 This was another overdose delivered by the Therac-25 beam.

 The two patients died 4 months and 3 weeks after their treatments, respectively,
as a result of the radiation overdose.
+
Accidents with the Therac-25 … contd

 At Yakima Valley, Washington, in January 1987, another overdose
with the Therac-25 occurred.

 Two film exposures were performed.

 The patient developed severe striped burns after treatment, an indication
of overdose.

 The patient died in April 1987 as a result.


+ Causes of the accidents

At the Texas facility:

 The operator typed "x" (X-ray mode) by mistake, then used the cursor-up key to
change the mode to "e" (electrons).

 The machine tripped with "Malfunction 54".

 The documentation explains this only as a "dose input 2" error.

 The operator saw "beam ready" and proceeded; the machine tripped again.

At the Washington facility:

 The operator used the hand controls to rotate the turntable to the field-light
position and check alignment.

 The operator set up the machine but forgot to remove the film.

 The operator turned the beam on; the machine showed no dose and displayed a
fleeting message.

 The operator proceeded from the pause; after another machine pause, the
operator re-entered the room.
+ Accidents: Race Condition

[Diagram of the race condition between the operator-interface task and the treatment task; not reproduced in this text. Source: http://www.cs.jhu.edu]
+ Root Cause Analysis of the Accidents
 The software was not independently reviewed.

 AECL did not consider the design of the software when assessing how the
machine might produce the desired results and what failure modes existed: no
proper risk assessment was performed.

 The system noticed that something was wrong and halted the beam, but merely
displayed the word "MALFUNCTION" followed by a number from 1 to 64. The user
manual did not explain or even address the error codes, so the operator pressed the P key
to override the warning and proceed anyway.

 AECL personnel, as well as machine operators, initially did not believe the complaints,
most likely out of overconfidence in the machine.

 AECL had never tested the Therac-25 with the combination of software and hardware
until it was assembled at the hospital.

 The technical defect was a race condition produced by a flaw in the software.

 Management inadequacies and a lack of procedures for following through on all reported
incidents.

 The engineer had reused software from older models. Those models had hardware
interlocks that masked their software defects; the Therac-25 relied on software alone.
+ Requirements Issues
 The error messages on the Therac-25 console are not helpful to operators.
 The machine pauses treatment but does not indicate why.
 The equipment-control task did not properly synchronize with the operator-interface
task, so race conditions occurred if the operator changed the setup too quickly.

 The software is required to monitor several activities simultaneously in real time:

 interaction with the operator;

 monitoring input and edits from the operator;
 updating the screen to show the current status of the machine.

 There were no independent checks that the software was operating correctly
(verification).
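The race described on this slide and on the Root Cause slide (the operator edits the prescription while the equipment-control task is already acting on it, and no independent check catches the mismatch) is easier to see in a deterministic model than in prose. The following is an added teaching example, not Therac-25 code: the real system ran PDP-11 assembly with several concurrent tasks, whereas here the two tasks are Python generators stepped by a round-robin scheduler so the hazardous interleaving is reproduced exactly. Field names, step counts, keystroke sequences and the interlock logic are assumptions chosen for illustration.

```python
"""Simplified model of the Therac-25 data-entry / equipment-control race.

Added example, not Therac-25 code. Two cooperative tasks share a record;
the vulnerable equipment task reads the prescription twice during a
multi-step setup, so an operator edit landing between the reads leaves the
beam current and the turntable set up for different modes.
"""
from dataclasses import dataclass, field


@dataclass
class Shared:
    mode: str = "x"                # prescription field: "x" (X-ray) or "e" (electron)
    entry_complete: bool = False   # set when the cursor reaches the end of the form
    beam_current: str = "none"     # "high" (X-ray target in beam) or "low" (electrons)
    turntable: str = "none"        # "xray" (target + flattener) or "electron" (scan magnets)
    result: str = "not fired"
    log: list = field(default_factory=list)


def hardware_consistent(s):
    """Independent check on the actual hardware state, not on software flags."""
    return (s.beam_current, s.turntable) in {("high", "xray"), ("low", "electron")}


def fire(s, interlock):
    if interlock and not hardware_consistent(s):
        return "INTERLOCK"         # refuse to energize (the Therac-20 did this in hardware)
    if not hardware_consistent(s):
        # high current with no target in the beam is the Tyler overdose scenario
        return "OVERDOSE" if s.beam_current == "high" else "UNDERDOSE"
    return "OK"


def operator(s, keystrokes):
    """Vulnerable data-entry task: 'enter' sets entry_complete and nothing clears it."""
    for k in keystrokes:
        if k in ("x", "e"):
            s.mode = k
        elif k == "enter":
            s.entry_complete = True
        s.log.append("op:" + k)    # "up" and "wait" are no-ops that consume a step
        yield


def equipment(s, interlock=False):
    """Vulnerable equipment-control task: two reads of s.mode across a slow setup."""
    while not s.entry_complete:
        yield
    s.beam_current = "high" if s.mode == "x" else "low"      # read 1
    yield                                                     # magnets take time ...
    yield
    s.turntable = "xray" if s.mode == "x" else "electron"     # read 2 may see an edit
    yield
    s.result = fire(s, interlock)


def operator_hardened(s, keystrokes):
    """Any edit after completion invalidates the 'complete' state."""
    for k in keystrokes:
        if k in ("x", "e"):
            s.mode, s.entry_complete = k, False
        elif k == "enter":
            s.entry_complete = True
        s.log.append("op:" + k)
        yield


def equipment_hardened(s, interlock=True):
    """Snapshot the prescription once; before firing re-verify it against the
    live form and the hardware, and redo the setup instead of firing on stale data."""
    while True:
        while not s.entry_complete:
            yield
        mode = s.mode
        s.beam_current = "high" if mode == "x" else "low"
        yield
        yield
        s.turntable = "xray" if mode == "x" else "electron"
        yield
        if s.entry_complete and s.mode == mode and hardware_consistent(s):
            s.result = fire(s, interlock)
            return
        s.log.append("eq:stale-setup,redo")


def run(keystrokes, equipment_task, operator_task, interlock=False):
    """Deterministic round-robin interleaving: one operator step, then one equipment step."""
    s = Shared()
    tasks = [operator_task(s, keystrokes), equipment_task(s, interlock)]
    while tasks:
        for t in list(tasks):
            try:
                next(t)
            except StopIteration:
                tasks.remove(t)
    return s


# Constructed keystroke sequences (assumption): the Tyler operator typed "x" by
# mistake, cursored up and changed it to "e". FAST lands that edit inside the
# setup window; SLOW lands it after the beam has already been delivered.
FAST = ["x", "enter", "up", "e", "enter"]
SLOW = ["x", "enter", "wait", "wait", "wait", "up", "e", "enter"]

if __name__ == "__main__":
    print("vulnerable, fast operator :", run(FAST, equipment, operator).result)
    print("vulnerable, slow operator :", run(SLOW, equipment, operator).result)
    print("vulnerable + interlock    :", run(FAST, equipment, operator, True).result)
    print("hardened, fast operator   :", run(FAST, equipment_hardened, operator_hardened).result)
```

The model reproduces the slide's point in three runs: the same vulnerable code is safe for a slow operator and delivers an overdose for a fast one; adding only an independent hardware-state interlock turns the overdose into a refusal to fire (which is why the same defect went unnoticed on the interlocked Therac-20); and the hardened tasks fix the race itself by invalidating "complete" on every edit and verifying one prescription snapshot against the form and the hardware before the beam is energized.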
+
Requirements Issues … contd

 Traceability: ways to obtain information about errors, i.e. software audit
trails, should be designed into the software from the beginning.

 The software should be subjected to extensive testing and formal
analysis at the module and software level.

 System testing alone is not adequate; independent verification would be very
valuable.

 Involve users at all phases of product development.


+ Corrective Action Plan

Documentation should not be an afterthought.

Software quality assurance practices and standards should be established.

Designs should be kept simple, with user-friendly interfaces.
+
Lessons

 Complacency

 Assumption that problem was understood without adequate evidence

 Sole reliance on software for safety

 Systems engineering practices need proper coordination


+ References

 Leveson, Nancy G. "The Therac-25 Accidents" (PDF), 1995 update of the
IEEE Computer article.

 http://en.wikipedia.org/wiki/Therac-25

 Jacky, Jonathan. "Programmed for Disaster." The Sciences 29 (1989): 22-27.

 Leveson, Nancy G., and Clark S. Turner. "An Investigation of the Therac-25
Accidents." Computer, July 1993: 18-41.
