Introduction. Every day in class I tell my students insistently that the software must be tested, that they are playing with people's lives. Therac-6 and Therac-20 had histories of clinical use without computer control; Therac-25 software had more responsibility for safety than in previous machines. The Therac-25 was the third system created under the Therac name by Atomic Energy of Canada Limited (AECL). Fatal dose: radiation deaths linked to AECL computer. The problem with the Therac-25 system was the lack of software or hardware devices to detect and report overdoses and shut down the reactor immediately. In a letter to a Therac-25 user, the AECL quality assurance manager said, "the same Therac-6 package was used by the AECL software people when they started the Therac-25 software."
A history of the introduction and shutdown of Therac-25. The Therac-25 runs on a custom-designed real-time operating system. The Therac-25 software also contained several user-friendly features. The previous product to the Therac-25 was the Therac-6, a 6 million electron volt accelerator. Oct 26, 2015: the Therac-25 was not a device anyone was happy to see. Although these stories are more extreme than most software bugs engineers will encounter during their careers, they are worth studying for the insights they can offer into software development and deployment. And the Therac-25 was controlled principally by software. The Therac-25 had only software interlocks, which were faulty. The problem of bugs in the software system causing errors in machines under certain conditions has been used as a cover for careless programming, lack of testing, and. Older Theracs relied on hardware to set the machine up for treatment, to position the beam, and to run the safety system.
Therac-25 replaced expensive hardware safety interlocks with software controls. The Therac-25 software errors that caused radiation overexposures can be reduced to interface errors. The Therac-25 was a radiation therapy machine that, due to a software error, led to several deaths and serious injuries. A bug that was discovered in Therac-25 was later also found in the Therac-20. According to the Wikipedia entry on the Therac-25, it was in response to incidents like those that the IEC 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree. It is essential to re-examine the specifications and design of the software, consider implications and risks for the new environment, and retest the software for the new use. We hope this mapping will honor the victims by providing insight, information, and understanding to encourage ethical, critical thinking in software design. To learn more about the Therac-25 incidents, and why I chose therac25 for my domain name, read the About section. With the move to computer control, most of the safety checks for the operation of the machine were shifted to software, and the hardware safety interlocks were removed. The Therac-25 was produced along with another machine, the Therac-20, both being derived from the Therac-6 model. The software used in the Therac-20 had some bugs in it, but safety measures prevented them from becoming apparent until the Therac-25 produced similar errors as the Therac-20 (Cotterman et al.).
As it turns out, the Therac-25 accidents were the result of a gross failure of the sociotechnical system around the machine. Therac-25, part one: the programmer is responsible. The programmer is responsible for the malfunctioning Therac-25 software. To be sure, there haven't been many, but cases like the Therac-25 are widely seen as warnings against the widespread deployment of software in safety-critical applications. Therac-25 is an extreme example of what can go wrong with software systems, and of the devastating consequences that bugs can have on regular people. Finally, some software for the machines was interrelated or reused. The Worst Computer Bugs in History is a mini-series to commemorate the discovery of the first computer bug seventy years ago. However, when I went to remove the old file, I typed in the new file's name and deleted it instead. This interactive timeline will paint a chronological picture of the Therac-25 tragedies, exploring the root causes that led to medical accelerators' most devastating catastrophe.
I was updating my passwords file that I keep encrypted. Therac-25 was a tragic example of how bad code hurts people. Hardware locks were removed in the Therac-25, and the safety-maintaining functions were passed to the software instead. At a Therac-25 users' meeting, the same man stated that the Therac-25 software was tested for 2,700 hours.
The reasoning given for not including software errors was the extensive testing given to the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error-proof: software errors were assumed to be caused by hardware errors, and residual software errors were not included in the analysis. AECL has been far eclipsed by its most notorious product. However, in the case of Therac-25, they can be deadly. The programmer should have used a better system to check the system after each use. Oct 10, 2016: since the Therac-25 events, the FDA has changed its attitude to many of the issues involving safety-critical systems and moved to improve the reporting system and to augment its procedures and guidelines to include software. The Therac-20 and Therac-25 software programs were done independently, starting from a common base. Feb 17, 2014: the Therac-25 accidents form the basis for what is often considered the best-documented software safety case study available. These accidents highlighted the dangers of software control of safety-critical systems. The procedure for the appearance of the bug was the following. Under questioning by the users, he clarified this as meaning 2,700 hours of use.
This machine was an improvement on the Therac-20 and cost approximately 1 million dollars. The Therac-25 ion chambers could not handle the high density of ionization from the unscanned electron beam at high beam current. The Therac-25 software lied to the operators, and the machine itself could not detect that a massive overdose had occurred. It was an important lesson not only for the FDA, but for all industrial safety-critical systems. This occurred with the Therac-25, which had two prominent software errors, a failed microswitch, and a reduced number of safety features compared to earlier versions of the device.
The software of the Therac-25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place (Leveson and Turner, 1993, p.). The Therac case study has acquired a recognition the contemporaneous article and title wouldn't have experienced; the company name was then the more notable signifier. Since the software was based on software already in use, and the linear accelerator was a minor modification of existing technology, designation of Therac-25 as equivalent to this earlier technology meant that Therac-25 bypassed the rigorous FDA testing procedures.
Initially, AECL's solution to the problem was to physically disable the up key on all Therac-25 operators' keyboards. Nancy Leveson and Clark Turner, "An Investigation of the Therac-25 Accidents", IEEE Computer, 26(7), July 1993, pp. 18-41. Therac-25 and the security of the computer-controlled equipment.
Among the innovations of Therac-25 was the move to more complete computer control, allowing operators to set up the machine more quickly and thus treat more patients in a day. Today, Therac-25 should lead, on the same basis as AECL did in the original. Writing software can seem cool and abstracted until you realise the impact your code can have. What evidence is there that software quality is improving? The case of the Therac-25 has become one of the most well-known killer software bugs in history. The 20 and 25 models had 20 and 25 million electron volt accelerators respectively. A clear sign that there was inadequate testing is that when pressed by the FDA, AECL struggled to present a test plan. Its purpose was to provide radiation to a specific part of the body and hopefully kill the malignant tumor. The main problem was with the machine's software, which was not caught by CMC's safety analysis and was allowed to get onto the market by the FDA. Then, if the operator were to input the incorrect beam type, or err on any data entry, he would be forced to restart the process.
Software in the Therac-6 and Therac-20 was reused in the Therac-25. This is an abstract of a 1993 article from IEEE Computer about the Therac-25 computerized radiation therapy machine and its software flaws, which caused massive overdoses to patients. Aug 08, 2010: the reasoning given for not including software errors was the extensive testing of the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error-proof.
The software would check if the operation was safe so no harm would come to the person. The FDA's difficulty in getting an adequate test plan out of the company and the lack of regression testing are evidence that testing was not done well. The bugs that appeared in the software are quite difficult to identify. The experience illustrates a number of principles that are vital to understanding how and why the design and analysis of safety-critical systems must be done in a methodical way according to established principles. The Therac-25 accidents were fairly unique in having software coding errors involved; most computer-related accidents have not involved coding errors but rather errors in the software requirements, such as omissions and mishandled environmental conditions and system states. Once an operator enters treatment information at the terminal outside of the treatment room, the magnets used to filter and control radiation levels are set. Hardware is the computer itself, its keyboard, casing, microchips, switches: rusting, dusty, fallible, and mortal. A final feature was that some of the old software used in Therac-6 and Therac-20 was used in the Therac-25.
Consequences of the Therac-25 software disaster 1293. Although the authors warn against drawing any oversimplified conclusions from these complex accidents, it appears clear to me that the root cause was the omission from the Therac-25 of the hardware safety interlocks of its safely operated predecessor, the Therac-20, and the device's dependence for these functions on poorly written, hardly. Feb 20, 2017: the article proceeds to only skim over the plethora of other issues involved and mistakes made in the development process of the Therac-25; the next article, "An Investigation of the Therac-25 Accidents" by Nancy Leveson, delves much more into detail, but it does state that while the software was the lynchpin in the Therac-25, it. In response to incidents like those associated with Therac-25, the IEC 62304 standard was created, which introduces development life cycle standards for medical device software and specific guidance on using software of unknown pedigree.
This blind faith in poorly understood software coded paradigms is known as cargo cult programming. Importance of software quality assurance to prevent and reduce software failures in medical devices. Takes about 8 seconds and is invoked multiple times (race condition; from Nancy Leveson, Medical Devices). The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982, after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France). It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. Although most of us won't work on safety-critical systems, software errors can still have a significant impact on our users.
Tragically, due to a software bug, it led to the deaths of four people. Therac-25: AECL designed Therac-25 to use computer control from the start. Therac-25 used a computer to provide the safety of the whole system, where earlier Therac versions used hardwired, electromechanical circuits called interlocks.
The first of these errors involved the entering of treatment data by the machine operator. First, the bug that had caused the problems was an easy bug to fix. They were able to prove that the Therac-25 was reliable, but this is not the same as being safe. One reason for the lack of testing could be attributed to. Therac-25 background: medical linear accelerator developed by Atomic Energy of Canada, Ltd.