The therac25 was a medical linear accelerator, a linac, developed by the. Aecl built the therac6 and 20 in partnership with cgr, a french company. The safety analysis of the therac25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection. The software of the therac 25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place leveson and turner, 1993, p. A series of accidents involving the aecl therac 25 in the 1980s caused three fatalities and other serious injuries. Thus, while the hardware interlocks on therac20 prevented software errors from causing problems, therac25 had no similar mechanism. The software interlock could fail due to a race condition. Jan 15, 1990 the system was not designed to be a fail safe. The reactions after each overdose the creators of therac 25 were contacted. The use of computers in the medical field is becoming more and more widely used. Between 1985 and 1987, it was involved in at least six patients deaths due to incorrect radiation doses because of computer software related failure.
Therac 25 ethics case study by ken enstrom on prezi. Fixing each individual software flaw as it was found did not solve the safety problems of the device. It was involved in at least six accidents between 1985 and 1987. Fatal dose radiation deaths linked to aecl computer errors. During the time span of june 1985 to january 1987, it was the source of six fatal or near fatal overdoses. Nobody objects to eliminating the use of bad algorithms that have undesirable consequences, such as the therac 25 software that delivered radiation overdoses to patients or the incorrect unit computation that caused nasa to lose its mars climate orbiter. Assume the family of one of the victims is suing the hospital where the machine was used, the manufacturer of the machine aecl and the programmer who wrote the therac 25 software. The therac25 is a dualmode machine that can generate an electron beam, to cure cancer in patients. Furthermore, these problems are not limited to the medical industry. Aecl performs a safety analysis of therac 25 which apparently excludes an analysis of software.
When the time came to design the therac25, the partnership had dissolved. Therac25 questions cs 105 intro to computing studocu. Sometimes software bugs can result in the loss of lives, as was the case with a device called therac25. Feb 18, 2015 it is highly unfair and unethical for that persons name to be known beyond to perhaps potential employers andor an lingering litigation which they are 100% shielded from and thus again not ethical. The previous product to the therac25 was the therac6, a 6 million electron volt accelerator. The first consisted of an electron beam targeted directly at the patient in small doses for a short amount of time. The software would check if the operation was safe so no harm would come to the person. What happened was the operator using a keypad would select a particular mode. When accidents occurred with the therac25 during the 1986 to 1988 timeframe, the statement read in part, aecl medical reacted quickly to investigate and inform health and welfare canada and the u. This is an abstract of a 1993 article from ieee computer about the therac25 computerized radiation therapy machine and its software flaws, which caused massive overdoses to patients. Computer execution errors are caused by faulty hardware components and by soft random errors induced by alpha particles and electromagnetic noise. Unfortunately, he decided to add the emergency locks only in the software. Writing software can seem cool and abstracted until you realise the impact your code can have. At the individual level, the programmer had the options of inserting the safety interlocks in the hardware, software, or both.
As it turns out, the therac 25 accidents were the result of a gross failure of the sociotechnical system around the machine. Oct 26, 2015 the case of the therac 25 has become one of the most wellknown killer software bugs in history. Therac25 radiation overdoses your expert root cause. A final feature was that some of the old software used in therac6 and therac20 was used in the therac25. In therac25s case, the players at the three levels had at least two options from which to choose. And the therac25 was controlled principally by software. To be sure, there havent been many, but cases like the therac 25 are widely seen as warnings against the widespread deployment of software in safety critical applications. Therac 25 units in canada and us are taken out of service until aecl completes new cap.
Detect and eliminate selfinterest factors and other peripheral considerations when making an ethical decision. Aecl did not consider the design of the software during its assessment of how the machine might produce the desired results and what failure modes existed. The case of the therac25 has become one of the most wellknown killer software bugs in history. This blind faith in poorly understood software coded paradigms is known as cargo cult programming. Therac 25 computerized radiation therapy report by. Unfortunately, the previous accounts of the therac25 problems have been. Fixing each individual software flaw as it was found did not. The problem was exacerbated by the design of the mechanism that. The therac 25 was the most computerized and sophisticated radiation therapy machine of its time. Firstly, the software controlling the machine contained bugs which proved to be fatal. The machine and its predecessors, therac6 and therac20, was a product from the collaboration of atomic energy of canada limited aecl and a french company called cgr leveson, n.
These incidents were a result of a combination of factors that can be viewed as unethical actions made through the ranks. These acciden ts ha v e b een describ ed as the w orst in the 35y ear history of medical accelerators 6. Professionalismtherac25 wikibooks, open books for an open. The therac25 ion chambers could not handle the high density of ionization from the unscanned electron beam at highbeam current. Additional functions had to be added because the therac 20 and therac 25 operates in both xray and electron mode, while the therac 6 has only xray mode. Consider the therac25 failure, in which several deaths occurred because of a software engineering failure. This course is specifically about software systems, systems where software plays a major role. In therac 25 s case, the players at the three levels had at least two options from which to choose. The therac25 was manufactured by atomic energy of canada limited aecl. In february, 1987, the fda and its canadian counterpart cooperated to. The therac25 had only software interlocks, which were faulty. In one of the software quality classes we were talking about the famous case of therac25, which came to my mind these days after dealing with my students. Aecl sends update of cap plus list of nine items requested by users at march meeting.
Initially, aecls solution to the problem was to physically disable the up key on all therac25 operators keyboards. If i read nancys and clarks article an investigation of therac25 accidents correctly, they mentioned therac25 software was developed based on therac6 software by a single, unidentified programmer. The therac25 software also contained several userfriendly features. With the aid of an onboard computer, the device could select multiple.
We know that the software for the therac25 was developed by a single person using pdp 11 assembly language, over a period of several years. Finally, some software for the machines was interrelated or reused. Feb 17, 2014 the therac 25 accidents form the basis for what is often considered the bestdocumented software safety casestudy available. The aecl statement took issue with an article about the therac25 accidents published. Learn therac 25, an important case study, and realize that errors and bad decisions can injure and kill. Patients were given hundreds of times of radiation than is usual for this treatment. While the immediate cause of the deaths was a race condition in the software, it was only capable of causing harm because the hardware safety mechanism had been removed as a costsaving measure, without proper verification that the software was capable of doing the same job. Dec 07, 2017 embedded system safety and therac 25 phil koopman. Therac25, a radiation treatment machine, massively overdosed 6 people because.
What is the name of the programmer who wrote the therac25. These accidents highlighted the dangers of software control of safety critical systems, and. Flaws studies of the therac25 incidents showed that many factors contributed to the injuries and deaths. After the first incident the aecl responses was simple, after careful consideration, we are of the opinion that this damage could not have been produced by any malfunction of the therac 25 or by any. Several universities use the case as a cautionary tale of what can go wrong, and how investigations. After the therac25 deaths, the fda made a number of adjustments to its policies in an attempt to address the breakdowns in communication and product approval. After the first incident the aecl responses was simple, after careful consideration, we are of the opinion that this damage could not have been produced by any malfunction of the therac25 or by any. Assume the family of one of the victims is suing the hospital where the machine was used, the manufacturer of the machine aecl and the programmer who wrote the therac25 software. However, in the case of therac25, they can be deadly. Video created by university of colorado system for the course software design threats and mitigations.
The 20 and 25 models had 20 and 25 million electron volt accelerators respectively. Program software does not degrade due to wear, fatigue, or reproduction process. And when someone finally discovered the real problems, it was too little too late, and six. Software in the therac6 and therac20 was reused in the therac25. A bug that was discovered in therac25 was later also found in the therac20. Good engineering practice dictates that a system should be designed so that no single point of failure leads to catastrophe. The machine was released to the market in 1983 and was later involved in at least 6 accidents that lead to. As a result, several people died and others were seriously injured. The therac25 was a computerised medical technology radiation therapy machine produced by atomic energy of canada limited aecl in 1982.
The therac20 and therac25 software programs were done independently, starting from a common base. The article proceeds to only skim over the plethora of other issues involved and mistakes made in the development process of the therac25 the next article, an investigation of the therac25 accidents by nancy leveson, delves much more into detail but it does state that while the software was the lynch pin in the therac25, it. The software of the therac25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place leveson and turner, 1993, p. Aug 08, 2010 the safety analysis of the therac25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection. The therac 25 accidents form the basis for what is often considered the bestdocumented software safety casestudy available.
The therac25 software disaster essay 1293 words cram. My professor investigated the therac25 incident and. A history of the introduction and shut down of therac25. While this is a serious failure, im not sure its fair to say that this is a great example of an ethical dilemma. Therac 25 directed by cassandra phillipsgrande starring cassandra phillipsgrande, lesley risdale. It incorporated the most recent computer control equipment. For several years and thousands of patients there were no problems. Practice analysis of ethical decisionmaking and by extension become better ethical decision makers. However, in the case of therac 25, they can be deadly. Teaching therac25 introduction montana state university. A widely cited 1993 computer article described failures in a softwarecontrolled radiation machine that massively overdosed six people in the late 1980s, resulting in serious injury and fatalities. Lets stop treating algorithms like theyre all created equal. An investigation of the therac25 accidents part iv.
Such incidents would not have been an issue in a singleuse machine and unlike previous models, the therac 25 relied on software rather than hardware safety interlocks. Therac25 aecl designed therac25 to use computer control from the start. Therac 25 was a tragic example of how bad code hurts people. In a letter to a therac25 user, the aecl quality assurance manager said, the same therac 6 package was used by the aecl software people when they started the therac25 software. The reactions after each overdose the creators of therac25 were contacted. In addition, the therac25 software same therac6 package was used by the accidents.
The therac25 was produced along with another machine, the therac20, both being derived from the therac6 model. Computers are obviously very beneficial in the medical field. As noted earlier, the software for the therac 25 and therac 20 both evolved from the therac 6 software. The therac25 software disaster the therac25 is a computerized medical radiation therapy machine for cancer patients. The series of accidents involving the therac25 is a good example of exactly this problem. Reuse of therac6 design features or modules may explain some of the problematic aspects of the therac25 software see the sidebar therac25 software development and design. The therac 25 machine was a stateoftheart linear accelerator developed by the company atomic energy canada limited aecl and a french company cgr to provide radiation treatment to cancer patients. The experience illustrates a number of principles that are vital to understanding how and why the design and analysis of safetycritical systems must be done in a methodical way according to established principles. The therac25 nancy lev eson univ ersit y of w ashington 1 in tro duction bet w een june 1985 and jan uary 1987, a computercon trolled radiation therap y mac hine, called the therac25, massiv ely o v erdosed six p eople. The problem with the therac25 system was the lack of software or hardware devices to detect and report overdoses and shut down the reactor immediately. In this assignment, you will debate, draw conclusions and assign levels of responsibility or liability to each of the parties being sued.
However, software does not do anything without the hardware where it is installed and running, and software systems are usually part of a much wider context that involves not only other technical components, but also people, organisations and other social structures. The therac 25 was a radiation therapy machine manufactured by aecl in the 80s, which offered a revolutionary dual treatment mode. Aecl was expected to notify therac25 users of the problem, and of fdas recommendations. Although these stories are more extreme than most software bugs engineers will encounter during their careers, they are worth studying for the insights they can offer into software development and deployment. The reasoning given for not including software errors was the extensive testing of the therac25, the fact that software, unlike hardware, does not degrade, and the general.
Therac25 software was not written from scratch, but was built up from components that were borrowed from the earlier versions of therac. The therac 25 was a machine for administering radiation therapy, generally for treating cancer patients. The therac25 was much more of a management and engineering failure than a technical problem, though. Aug 01, 2016 its important to note that while the software was the lynch pin in the therac25, it wasnt the root cause. The cgr employees modified the software for the therac 20 to handle the dual modes. For six unfortunate patients in 1986 and 1987, the therac25 did the unthinkable. The therac 25 disaster october 2012 1 introduction the therac25 was a machine for cancer treatment manufactured by the atomic energy of canada limited aecl and went down to history as one of the worlds worst software disasters. The therac25 was a radiation therapy machine produced by atomic energy of canada limited after the therac6 and therac20 units. A brief note on the therac 25 incident 1432 words bartleby. Therac25 software see the sidebar therac25 software development and design. Therac 25 used a computer to provide the safety of the whole system, where earlier therac versions used hardwired, electromechanical circuits called interlocks.
In response to incidents like those associated with therac 25, the iec 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree. The developers of the software werent tempted to introduce the bug. Therac25 was a new generation medical linear accelerator introduced in 1983 for treating cancer. The therac25 was a computercontrolled radiation therapy machine produced by atomic. Safetycritical loads were placed upon a computer system that was not designed to control them. Therac25 case study therac25 is a radiation therapy machine that was used for treating patients with cancer. Dependable computer systems 2016, stefan poledna, all rights reserved contents dependability problem statement examples of dependable systems and. In a pr newswire the canadian consulate general announces the introduction of the new \ therac 25 \ machine manufactured by aecl medical, a division of atomic energy of canada limited. The worst computer bugs in history is a mini series to commemorate the discovery of the first computer bug seventy years ago. As it turns out, the therac25 accidents were the result of a gross failure of the sociotechnical system around the machine. The main problem was with the machines software, which was not caught by cmcs safety analysis and allowed to get into the market by fda. This interactive timeline will paint a chronological picture of the therac25 tragedies, exploring the root causes that led to medical accelerators most devastating catastrophe. The machine in the room therac25 is not just a machine, but an installation consisting of the machine, the pdp11 that controlled the machine, the shielded room the machine sits in, and the monitoring and. Between june 1985 and january 1987, the therac25 medical electron accelerator was involved in six massive radiation overdoses.
In addition, the therac25 software has more responsibility for maintaining. The therac25 software lied to the operators, and the machine itself could not detect that a massive overdose had occurred. While the immediate cause of the deaths was a race condition in the software, it was only capable of causing harm because the hardware safety mechanism had been removed as a costsaving measure, without proper verification that the software was capable of doing the. Of 11 therac25s installed, there were 6 reported accidents, including 3 fatalities, between 1985 and 1987, after which the device was recalled. However, looking past the immediate causes of the problem, we find that a more general reason for the difference was a substantial increase in the complexity of the system underlying therac25. Sep 12, 2019 on one hand, justified distrust of dangerous technology is a good thing. Since the software was based on software already in use, and the linear accelerator was a minor modification of existing technology, designation of therac 25 as equivalent to this earlier technology meant that therac 25 bypassed the rigorous fda testing procedures.
Therac 25 background medical linear accelerator developed by atomic energy of canada, ltd. It was the third radiation therapy machine by the company, preceded by the therac6 and therac20. The therac 20 and therac25 software programs were done independently, starting from a common base. Therac25 and the security of the computer controlled equipment. Then, if the operator were to input the incorrect beam type, or err on any data entry, he would be forced to restart the process. An investigation of the therac25 accidents stanford university. Therac6 and therac20 had histories of clinical use without computer control therac25 software had more responsibility for safety than in previous machines. Yet over the years there have been numerous reports both official and unofficial of accidents and overdoses involving the improper diagnostic and therapeutic application of ionizing radiation. Aecl faxed me a statement approved by their lawyers that was to be their definitive answer to questions about the therac 25 accidents. After sending an engineer to investigate this incident, aecl concluded that there was a different software problem that allowed the electron beam to be turned on without the device that spread it to a safe concentration being placed in the beam. The therac 25 was a computercontrolled radiation therapy machine produced by atomic energy of canada limited aecl in 1982 after the therac 6 and therac 20 units the earlier units had been produced in partnership with cgr of france it was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation.
We hope this mapping will honor the victims by providing insight, information, and understanding to encourage ethical, critical thinking in software design. Therac25s computerization made the laborious process of machine setup much easier for operators, and thus allowed them to spend minimal time in setting up the. It was also designed from the outset to use software based safety systems rather than hardware controls. The therac 25 software also contained several userfriendly features. Therac25 was a tragic example of how bad code hurts people. Oec an investigation of the therac25 accidents abstract. A detailed investigation of the factors involved in the softwarerelated overdoses and attempts by users, manufacturers, and government agencies to deal with the accidents is.