Canadian Consulate General announces the introduction of the new Therac-25 machine. Food and Drug Administration (FDA) and the Canadian Bureau of Radiation and Medical Devices and in depositions associated with lawsuits brought against AECL. The Therac-25 accidents are the most serious computer-related accidents to date (at least nonmilitary and admitted) and have even drawn the attention of the popular press. Learning from the Piper Alpha accident: oil and gas industry b. A case study of the Therac-25, Chuck Huff and Richard Brown. Rules of software quality assurance to prevent and reduce. Software in the Therac-6 and Therac-20 was reused in the Therac-25. An Investigation of the Therac-25 Accidents, IEEE journals.
CiteSeerX document details: Isaac Councill, Lee Giles, Pradeep Teregowda. The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982 after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France). However, in the case of Therac-25, they can be deadly. An Investigation of the Therac-25 Accidents, Computer. Many lessons can be learned from this series of accidents. The experience illustrates a number of principles that are vital to understanding how and why the design and analysis of safety-critical systems must be done in a methodical way according to established principles. This machine was an improvement of the Therac-20 and cost approximately 1 million dollars. It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. The second, higher energy mode, used the full power of the machine at 25 million electron volts. Six patients received radiation overdoses during cancer treatment by a faulty medical linear accelerator, the Therac-25 unit. A detailed accident investigation, drawn from publicly available documents, can be. One of the serious mistakes that led to the multiple Therac-25 accidents was the tendency to believe that the cause of an accident had been determined (for example, a microswitch failure in the Hamilton accident) without adequate evidence to come to this conclusion and without looking at all possible contributing factors.
In 1987, all treatment with the eleven machines in operation was suspended. This resulted in everyone from the manufacturers, to the FDA, to hospitals and operators assuming that it was a failsafe machine, especially since its earlier versions had been working. The Therac-25 accidents are the most serious computer-related accidents to date (at least nonmilitary and admitted) and have even drawn the attention of the popular press. One of the serious mistakes that led to the multiple Therac-25 accidents was the tendency to believe that the cause of an accident had been determined e. Software assumed safer than hardware, so safety functions delegated to software and hardware controls removed, July 29, 1983. OEC: An Investigation of the Therac-25 Accidents, abstract. Aug 08, 2010: The Therac-25 had no hardware protective circuits and depended solely on software for protection. Apr 15, 20: History of Therac devices and accidents. The Therac-25 software lied to the operators, and the machine itself could not detect that a massive overdose had occurred. An Investigation of the Therac-25 Accidents, Nancy Leveson, University of Washington; Clark S. Therac-25 radiation overdoses: your expert root cause. Between June 1985 and January 1987, six known accidents involved massive overdoses by the Therac-25 with resultant deaths and serious injuries. Kirk McKusick's most famous contribution to BSD is his work on the Fast File System (FFS). The user manual did not explain or even address the error codes, so the.
On the surface, the primary reason that Therac-20 killed far fewer people than Therac-25 was the fact that Therac-20 had hardware interlocks, while Therac-25 did not. No more accidents were reported from these machines. Therac-25's computerization made this laborious process much easier for operators, and allowed them to spend minimal time in setting up the equipment. Besides citing the flawed microswitch, the report faulted both hardware and software components of the Therac's design. After the Tyler accidents, Therac-20 users who had heard informally about the Tyler accidents from Therac-25 users conducted informal investigations to determine whether the same problem could occur with their machines. A history of the introduction and shut down of Therac-25. There were two earlier versions of the Therac-25 unit. The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic. A company called Atomic Energy Commission Limited (AECL) and another French company called CGR were paired up to produce medical linear accelerators. Software in the Therac-6 and Therac-20 was reused in the Therac-25. Stories about the Therac-25 have appeared in trade journals, newspapers. Turner, University of California, Irvine, reprinted. Safeware: System Safety and Computers. A Guide to Preventing Accidents and Losses Caused by Technology, Nancy G.
AECL performs a safety analysis of Therac-25, excluding analysis of software. An Investigation of the Therac-25 Accidents, abstract. The Therac-25 accidents are the most healthy tissue. Nancy Leveson and Clark Turner, The Investigation of the Therac-25 Accidents, Computer, 26, 7, July 1993, pp. 18-41. Canadian Consulate General announces the introduction of the new Therac-25 machine. An Investigation of the Therac-25 Accidents, Computer, author. Although the authors warn against drawing any oversimplified conclusions from these complex accidents, it appears clear to me that the root cause was the omission from the Therac-25 of the hardware safety interlocks of its safely operated predecessor, the Therac-20, and the device's dependence for these functions on poorly written, hardly. Accident prevention in radiotherapy, PubMed Central (PMC). This is an abstract of a 1993 article from IEEE Computer about the Therac-25 computerized radiation therapy machine and its software flaws, which caused massive overdoses to patients.
Therac-6 and Therac-20 had histories of clinical use without computer control; Therac-25 software had more responsibility for safety than in previous machines. Together, these sections give one a good idea of the information each actor in the case had at the time of the accidents. Leveson, Addison-Wesley, 1995: text by the same author with a 33-page analysis of the Therac-25 case, somewhat less technical than the IEEE paper but still including thorough details, with perhaps more emphasis on the ethical.
History of Therac devices and accidents: journey towards. Nancy Leveson and Clark Turner, The Investigation of the Therac-25 Accidents, Computer, 26, 7, July 1993, pp. 18-41. Indonesian mining contractor: accident of a haul truck and pickup. Turner, University of California, Irvine. IEEE Computer, vol. 26, 1993, p. 18. A Therac-6 and Therac-20 were both used in the treatment of cancer. Therac-25: AECL designed Therac-25 to use computer control from the start. An Investigation of the Therac-25 Accidents, essay, 10546 words. CiteSeerX: An Investigation of the Therac-25 Accidents. The Therac-25 ion chambers could not handle the high density of ionization from the unscanned electron beam at high beam current. In manual mode, a radiotherapy technician would physically set up. Therac-25 investigation is known as one of the biggest accidents in medical history. The Therac-25 accidents and their causes are well documented in materials from the U.
Apr 20, 20: An Investigation of the Therac-25 Accidents, part III. Nancy Leveson, University of Washington; Clark S. The Therac-25, a case study in safety failure: radiation therapy machine; the most serious computer-related accidents to date; people were killed. Reference. Turner, An Investigation of the Therac-25 Accidents, Computer, 26, July 1993. First, like the Therac-6 and the Therac-20, the Therac-25 is controlled by a. A thorough account of the Therac-25 medical electron accelerator accidents reveals previously unknown details and suggests ways to reduce risk in the future. AECL performs a safety analysis of Therac-25, excluding analysis of software. The operators manual supplied with the machine does sitions the. Clark Turner entitled An Investigation of the Therac-25 Accidents. The safety analysis of the Therac-25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection. In addition, the Forest Service investigation team will conduct their investigation of Forest Service management and policy issues following this investigation guide concurrent with the NTSB investigation. Those machines were refitted with the safety devices required by the FDA and remained in service. It was believed that the new Therac-25 was much more efficient than Therac-6 and Therac-20. Report also provided government, user, and manufacturers responses to each accident.
Therac-25 and the security of the computer controlled. Essay on the Therac-25 and its accident investigation, instructor name, school, course number, June 2, 2015. Introduction: In 1983, a machine was released to help in the treatment of cancerous tumors through the use of high energy laser beams. System Safety and Computers, published by Addison-Wesley. Thus, while the hardware interlocks on Therac-20 prevented software errors from causing problems, Therac-25 had no similar mechanism. It was an extremely costly machine with high maintenance needs. Therac-25: AECL designed Therac-25 to use computer control from the start. For six unfortunate patients in 1986 and 1987, the Therac-25 did the. Between June 1985 and January 1987, six known accidents involved massive overdoses by the Therac-25. Its purpose was to provide radiation to a specific part of the body and hopefully kill the malignant tumor. Role of software in spacecraft accidents, space industry. A common mistake in engineering, in this case and in many others, is to put too much confidence in software. However, in the case of Therac-25, they can be deadly. The big picture: the Therac-25 was a computerized radiation therapy machine; 11 machines were installed (US and Canada) in 1985-1987; there were 6 known accidents where massive overdoses were made; patients died or suffered serious injuries; these were traced to race conditions in reading operator input; unique early investigation of safety-critical.
An Investigation of the Therac-25 Accidents, Cal Poly computer. The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited in 1982 after the Therac-6 and Therac-20 units. In 1982 a machine called Therac-25, created by the Atomic Energy of Canada Limited (AECL), appeared in the medical field for cancer treatments, using radiation and x. The number that goes along with the word Therac stands for the maximum amount of mega electron volts (MeV) the machine can dispense. With information for this article taken from publicly available documents, we present a detailed. The Therac-25, like other medical linear accelerators including its predecessors Therac-6 and Therac-20, used high-energy electron beams to destroy tumors without damaging nearby healthy tissue.
A history of the introduction and shut down of Therac-25. The base code of Therac-25 software was derived from Therac-6, and later, with more investigation into Therac-25 software due to the overdose accidents, the quality assurance of AECL mentioned that some routines and features of Therac-20 were also used in Therac. The first mode consisted of an electron beam of 200 rads that was aimed at the patient directly. An Investigation of the Therac-25 Accidents, part IV. An Investigation of the Therac-25 Accidents, Computer, author. The Therac-25 and its accident investigation, case study. Stories about the Therac-25 have appeared in trade journals, newspapers, People magazine, and on television's 20/20 and MacNeil/Lehrer News Hour. Comparison to classical engineering field: a registered professional engineer would have risked losing license due to inappropriate action to ensure public welfare and safety. Ethical principles: engineers shall expose risks openly to supervisors; engineers shall participate in a lifelong learning process regarding the practice of their profession.
Between June 1985 and January 1987, the Therac-25 medical electron accelerator was involved in six massive radiation overdoses. Essay on the Therac-25 and its accident investigation, school number, June 2. Introduction: In 1983, a machine was released to help in the treatment of cancerous tumors through the use of high energy laser beams. These so-called accidents and mistakes are really just cases of human inattention. Because of concurrent programming errors, it sometimes gave its patients radiation doses that were hundreds of. The Therac-25 and its accident investigation, case study 1. Researchers who investigated the accidents found several contributing. Description of Therac-25: the Therac-25 is a medical linear accelerator. Turner, University of California, Irvine. A thorough account of the Therac-25 medical electron accelerator accidents reveals previously unknown details and suggests ways to reduce risk in the future.
A detailed investigation of the factors involved in the software-related overdoses and attempts by users, manufacturers, and government agencies to. Therac-6 and Therac-20 had histories of clinical use without computer control; Therac-25 software had more responsibility for safety than in previous machines. An Investigation of the Therac-25 Accidents, Nancy G. Information and Computer Science, University of California, Irvine, 1992, 59 pages.
AECL sold eleven Therac-25 machines that were used in the United States and Canada beginning in 1982. Some of the most widely cited software-related accidents in safety-critical systems involved a computerized radiation therapy machine called the Therac-25. Accelerates high-energy beams that can destroy tumors with minimal impact on surrounding tissue; beam can be. Depending on whether the tumor was close to the skin or in deeper tissue, the Therac-25 would operate in an electron-beam or X-ray mode. Operators were thus freed to spend more time talking with and helping the patient. An updated version of the original accident investigation paper by Nancy Leveson: I have updated and changed slightly the original accident report. It was involved in at least six accidents between 1985 and 1987, in which patients were given massive. As noted earlier, the software for the Therac-25 and Therac-20 both evolved from the Therac-6 software. Infamously and instructively, in the mid to late 1980s, Therac-25 machines were misconfigured and delivered radiation doses hundreds of times greater than justified. A detailed accident investigation, drawn from publicly available documents. The operators manual supplied with the machine does not ex.
Overdoses caused by programming errors that produced race conditions; case has led to advancements in systems safety testing, computer control, reporting; industry response was inadequate. FDA memo accuses AECL of not having a mechanism to follow up reports of suspected accidents 4. After developing a reddening and swelling in the center of the treatment area, the patient was admitted to a hospital in Atlanta, but was sent to Kennestone to go on with Therac-25. Stories about the Therac-25 have appeared in trade journals, newspapers, People magazine, and on television's 20/20 and MacNeil/Lehrer News Hour. Turner, University of California, Irvine. Reprinted with permission, IEEE Computer, vol. Computers are increasingly being introduced into safety-critical systems and, as a consequence, have been involved in accidents.
Therac-25: just like any other technology, Therac-25 too had its sociotechnical aspects. An Investigation of the Therac-25 Accidents, Stanford University. The Therac-6 and Therac-20 units were built with a microcomputer that made the patient data entry more accessible, but the. As a result, several people died and others were seriously injured. It concluded with a list of four modifications to the Therac-25 necessary for minimum compliance with Canada's Radiation Emitting Devices (RED) Act, which gave government officials. An Investigation of the Therac-25 Accidents, Nancy G. The Therac-25 was a computerized radiation therapy machine; 11 machines were installed (US and Canada) in 1985-1987; there were 6 known accidents where massive overdoses were made; patients died or suffered serious injuries; these were traced to race conditions in reading operator input; unique early investigation of safety-critical. Professionalism/Therac-25, Wikibooks, open books for an open. Feb 17, 2014: The Therac-25 accidents form the basis for what is often considered the best-documented software safety case study available. An Investigation of the Therac-25 Accidents, medical/healthcare d. Our presentation of the case itself is composed of three parts.