Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited and CGR of France after the Therac-6 and Therac-20 units. It was involved with at least six known accidents between 1985 and 1987, in which patients were given massive overdoses of radiation, which were in some cases on the order of hundreds of grays. At least five patients died of the overdoses. These accidents highlighted the dangers of software control of safety-critical systems.
Problem description
The machine had two treatment modes:
- Direct electron-beam therapy, which used low (5 MeV) to high (25 MeV) electron beam of low current over short periods of time;
- Xray therapy, which used Xrays derived from high current, high energy (25 MeV) electron beam via a "target", a device which converts electron beams into Xrays by bremsstrahlung.
When operating in direct electron-beam therapy mode, a low-powered electron beam was emitted directly from the machine, then spread to safe concentration using scanning magnets. When operating in Xray mode, the machine was designed to rotate three components into the path of the electron beam, in order to shape and moderate the power of the beam:
- a target, which converted the electron beam into Xrays,
- a flattening filter that generated a uniform intensity,
- a set of moveable blocks (also called a collimator), which shaped the Xray beam, and
- an X-ray ion chamber, which measured the strength of the beam.
The accidents occurred when the high-energy electron-beam was activated for Xray therapy without the target having been rotated into place; the machine's software did not detect that this had occurred, and did not therefore determine that the patient was receiving a potentially lethal dose of radiation, or prevent this from occurring. As a result a high current, high energy electron-beam directly struck the patients. Patients reported 'lightning strikes' and the beams caused a feeling of an intense electric shock and the occurrence of thermal and radiation burns. In some cases, the injured patients died later from radiation poisoning.
Root causes
Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:
- AECL did not have the code independently reviewed.
- AECL did not consider the design of the software during its reliability modelling.
- The system documentation did not adequately explain error codes.
- AECL personnel initially did not believe complaints.
The researchers also found several engineering issues:
- The design did not have any hardware interlocks to prevent the electron-beam from operating in its high-energy mode without the target in place.
- The engineer had reused software from older models. These models had hardware interlocks and were therefore not as vulnerable to the software defects.
- The hardware provided no way for the software to verify that sensors were working correctly (see open-loop controller).
- The equipment control task did not properly synchronize with the operator interface task, so that race conditions occurred if the operator changed the setup too quickly. This was evidently missed during testing, since it took some practice before operators were able to work quickly enough for the problem to occur.
- The software set a flag variable by incrementing it. Occasionally an arithmetic overflow occurred, causing the software to bypass safety checks.
- The software was written in assembly language. While this was more common at the time than it is today, assembly language is harder to debug than most high-level languages.
The case of the Therac-25 and its causes has become a standard case study in the history of computing and medicine - illustrating now NOT TO WRITE SOFTWARE.
| References | |
|---|---|
| The Therac-25 Accidents by Nancy Leveson |  |
| A Short summary of the Therac-25 Accidents (T.Gallagher, U.Guelph. CA) |  |