References:

1
References

• http//en.wikipedia.org/wiki/Therac-25
• http//courses.cs.vt.edu/cs3604/lib/Therac_25/The
  rac_1.html
• IEEE computer, vol. 26, no. 7, july 1993, pp.
  18-41

2
Therac-25 Radiation Therapy Machine

• Ludi Harianto
• March 19, 2008

3
Therac-25

• Computers are increasingly being introduced into
  safety-critical systems.
• Software-related accidents in safety-critical
  system.
• Between June 1985 and January 1987, 6 known
  accidents involve massive overdoses by Therac-25
  with resultant deaths and serious injuries.
• The worst series of radiation accidents in 35
  years history of medical accelerators.

4
What is Therac-25?

• Medical linear accelerators accelerate electrons
  to create high-energy beams that can destroy
  tumors with minimal impact on the surrounding
  healthy tissue.
• Relatively shallow tissue is treated with the
  accelerated electrons, to reach deeper tissue,
  the electron beam is converted into X-ray photon.

5
What is Therac-25

• Built by AECL based on the older model Therac-6
  (producing X-rays only) and Therac-20 ( dual
  mode, X rays or electrons).
• Software functionality was limited on both older
  machines. The computer only added convenience to
  the existing hardware.
• Hardware safety features and interlocks in the
  underlying machine were retained.

6
Why did it happen?

• AECL designed the Therac-25 to take advantage of
  computer control from the outset, did not build
  on a stand-alone machine.
• Its software has more responsibility for
  maintaining safety that software in the previous
  machine, relied on computers ability to control
  and monitor hardware.
• Removed all hardware safety mechanisms and
  interlocks ( cheaper machine).

7
Why did it happen?

• Some software for the machines was interrelated
  or reused
• Therac-6 package was used by AECL when they
  started the Therac-25 software.
• Therac-20 routines were also used in the new
  machine (discovered after a bug related to one
  Therac-25 accidents was found in the Therac-20
  software.

8
Malfunction 54

• No instruction manual to explain the meaning of
  Malfunction 54 except was a dose input 2 error.
• AECL later testified that dose input 2 meant
  that a dose had been delivered that was either
  too high or too low.

9
Malfunction 54

• Data entry speed during editing was the key
  factor in producing the error condition.
• The prescription data was edited at a fast pace ,
  the overdose occurred.

10
The software problem

• Focusing on particular software bugs in not the
  way to make a safe system.
• Virtually all complex software can be made to
  behave in an unexpected fashion under certain
  condition.
• Poor software engineering practices and building
  a machine that relies on the software for safe
  operation.

11
Basic Software-engineering principles that were
violated

• Documentation should not be an afterthought.
• Software quality assurance practice and standard
  should be established
• Design should be kept simple.
• Ways to get information about errors should be
  designed into the software from the beginning.
• The software should be subjected to extensive
  testing and formal analysis at the module and
  software level system testing alone is not
  adequate.