Therac 25 Incident - PowerPoint PPT Presentation

Provided by: informat283


1
Therac 25 Incident
  • By

2
Introduction
  • Background
  • The Therac 25 machine was a linear accelerator or
    lineac. This is a medical machine that fires high
    energy radiation to destroy tumors.
  • Therac 25 was the successor to the Therac 6 and
    Therac 20. It began development in 1976.
  • Therac 25 was created by the Canadian firm Atomic
    Energy Commission Limited (AECL).

3
Background to accidents
  • Eleven Therac 25 devices were sold, 6 to Canada
    and 5 to the USA
  • Between 1985 and 1987, 6 recorded deaths were
    attributed to the machine
  • Deaths caused by massive radiation overdoses
  • In 1987 the Therac 25 was recalled by AECL after
    several US and Canadian federal investigations.

4
How Therac 25 Worked
  • Therac 25 could operate in two modes
  • Electron
  • X-Ray

[Diagram: Electron Mode / X-Ray Mode]
5
How Therac 25 Worked
  • In Electron mode the gun did not need shielding.
  • In X-Ray mode a shield was needed due to the
    higher energy.
  • In each mode the bending magnets had to be set
    before the beam was fired.

6
Problems with Therac 25
  • Problems in the design process
  • Software reuse management
  • Failure of testing
  • Failings of the risk assessments
  • Irresponsible usage

7
Therac 25 design problems
  • Attempted to combine functionality from previous
    versions for lower cost
  • Apparently no consultation with stakeholders -
    such as medical technicians
  • Overconfidence in the previous designs,
    resulting in complacency

8
Software Reuse
  • Therac 25 borrowed heavily from previous Therac
    designs.
  • Therac 20 and Therac 6 relied on hardware safety
    systems
  • Therac 25 removed the hardware safety
  • Therac 25 software had the same bugs as found in
    Therac 20

9
Testing of Therac 25
  • As the software came from Therac 20 it was assumed
    to be bug free
  • AECL assumed only hardware failures were possible,
    as software doesn't degrade over time
  • AECL performed a safety analysis on the
    Therac-25 and apparently excluded the
    software (Leveson et al., 1993).

10
Failure of risk assessment
  • AECL did not perform a proper risk assessment of
    Therac 25
  • Assumed hardware would be the primary cause of failure
  • Believed overdosing of patients was impossible

11
Software issues
  • Used flags to synchronise processes
  • Used 8-bit flags, which were prone to overflowing
  • Created a race condition between magnet control
    and keyboard control
  • The error messages were indecipherable to users
    and technicians

12
Implications
  • If the user entered any data while the gun was
    being set, the gun-setting process did not react
  • However, the rest of the system did react,
    allowing unshielded X-Rays to be fired
  • A race condition in a real-time system!

13
Implications
  • The use of flags that were too small allowed
    overflow
  • This overflow allowed unshielded X-Rays to be
    fired
  • This was and is fatal!
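An added illustration of the flag overflow described on this slide and on the Software issues slide (example code, not from the presentation or from AECL). It is a simplified C model following Leveson and Turner's (1993) account, in which the setup routine marked "setup in progress" by incrementing a one-byte flag rather than setting it, so the flag wrapped to zero every 256th pass and the shield check, skipped whenever the flag read zero, was silently bypassed; the function names and loop structure are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (added example, not Therac-25 code). A one-byte
 * flag is shared by the treatment setup loop and the shield check.
 * Convention, as in Leveson & Turner's account: non-zero means
 * "setup still in progress, verify shield position"; zero means
 * "nothing to verify". */

/* Buggy pattern: the setup loop marks "in progress" by incrementing
 * the flag. A uint8_t wraps modulo 256, so every 256th pass the
 * flag reads zero even though setup has not finished. */
static void mark_in_progress_buggy(uint8_t *flag) { (*flag)++; }

/* Corrected pattern: assign a constant. No number of repeated
 * calls can wrap the value back to zero. */
static void mark_in_progress_fixed(uint8_t *flag) { *flag = 1; }

/* The hazard check is bypassed whenever the flag reads zero. */
static bool shield_check_skipped(uint8_t flag) { return flag == 0; }

/* Simulate `passes` iterations of the setup loop while the shield is
 * still out of position and return how many times the check that
 * would have caught it was skipped. */
int count_skipped_checks(unsigned passes, bool use_buggy_pattern) {
    uint8_t flag = 0;
    int skipped = 0;
    for (unsigned i = 0; i < passes; i++) {
        if (use_buggy_pattern)
            mark_in_progress_buggy(&flag);
        else
            mark_in_progress_fixed(&flag);
        if (shield_check_skipped(flag))
            skipped++;  /* an unshielded beam would be permitted here */
    }
    return skipped;
}

int main(void) {
    printf("buggy increment: %d skipped checks in 1000 passes\n",
           count_skipped_checks(1000, true));   /* 3 */
    printf("fixed assignment: %d skipped checks in 1000 passes\n",
           count_skipped_checks(1000, false));  /* 0 */
    return 0;
}
```

The same defect is invisible to a test that runs fewer than 256 passes, which is one reason a reused, "known good" routine can carry a latent fault into a new system.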

14
Error Messages
  • Error messages gave an error number with no
    explanation
  • Error message documentation was incomplete
  • Only AECL technicians understood the documented
    errors
  • Appeared so frequently that they lost their value
    as a warning

15
Consequences
  • Users frequently continued past errors without
    understanding them
  • Errors did not alarm users and so were not
    reported
  • This happened in the majority of accidents

16
AECL's Failure of Care
  • AECL failed to deal with the problems effectively
  • No communication between all parties
  • Fixes such as sellotaping up keys or removing
    them were endorsed
  • Did not make changes demanded by Canadian
    Government after initial accidents

17
Safety Critical Problems
  • Allowed the user to continue potentially fatal
    treatments that were paused instead of stopped
  • No checks on the dose administered
  • No hardware logging, and logging was often turned off
  • Overflow allowed on the gun control flag
  • Error messages were not prioritised or informative

18
Summary
  • Reutilisation of old software
  • Complacency towards:
      • Testing
      • Risk Assessment
      • Design
      • Training
      • Error Management

19
References
  • Leveson, Nancy and Turner, Clark S. (1993). An
    Investigation of the Therac-25 Accidents. IEEE
    Computer, 26(7).
  • http://courses.cs.vt.edu/cs3604/lib/Therac_25/Therac_1.html