The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) and CGR MeV of France after the Therac-6 and Therac-20 units. It was involved with at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation, approximately 100 times the intended dose. Three of the six patients died. These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics.
Problem description
The machine offered two modes of radiation therapy:
- Direct electron-beam therapy, which delivered low doses of high-energy (5 MeV to 25 MeV) electrons over short periods of time;
- Megavolt X-ray therapy, which delivered X-rays produced by colliding high-energy (25 MeV) electrons into a "target".
Therac-25 operator console layout. The lethal computer error occurs when the operator accidentally sets the field (here in red) to "X", notices their mistake, then changes it to "E".
When operating in direct electron-beam therapy mode, a low-powered electron beam was emitted directly from the machine, then spread to a safe concentration using scanning magnets. When operating in megavolt X-ray mode, the machine was designed to rotate four components into the path of the electron beam: a target, which converted the electron beam into X-rays; a flattening filter, which spread the beam out over a larger area; a set of movable blocks (also called a collimator), which shaped the X-ray beam; and an X-ray ion chamber, which measured the strength of the beam.
The accidents occurred when the high-power electron beam was activated instead of the intended low-power beam, and without the beam spreader plate rotated into place. The machine's software did not detect that this had occurred, and therefore did not prevent the patient from receiving a potentially lethal dose of radiation. The high-powered X-ray beam struck the patients with approximately 100 times the intended dose of radiation, causing a feeling described by patient Ray Cox as "an intense electric shock". It caused him to scream and run out of the treatment room. [1] Several days later, radiation burns appeared and the patients showed the symptoms of radiation poisoning. In three cases, the injured patients died later from radiation poisoning.
Root causes
Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:
- AECL did not have the software code independently reviewed.
- AECL did not consider the design of the software during its assessment of how the machine might produce the desired results and what failure modes existed. These form parts of the general techniques known as reliability modeling and risk management.
- The system noticed that something was wrong and halted the X-ray beam, but merely displayed the word "MALFUNCTION" followed by a number from 1 to 64. The user manual did not explain or even address the error codes, so the operator pressed the P key to override the warning and proceed anyway.
- AECL personnel initially did not believe complaints.
The researchers also found several engineering issues:
- The failure only occurred when a particular nonstandard sequence of keystrokes was entered on the VT-100 terminal which controlled the PDP-11 computer: an "X" to (erroneously) select 25,000 EV mode followed by "cursor up", "E" to (correctly) select 200 EV mode, then "Enter". This sequence of keystrokes was improbable, and so the problem did not occur very often and went unnoticed for a long time. [1]
- The design did not have any hardware interlocks to prevent the electron beam from operating in its high-energy mode without the target in place.
- The engineer had reused software from older models. These models had hardware interlocks that masked their software defects. Those hardware safeties had no way of reporting that they had been triggered, so there was no indication of the existence of faulty software commands.
- The hardware provided no way for the software to verify that sensors were working correctly (see open-loop controller). The table-position system was the first implicated in Therac-25's failures; the manufacturer revised it with redundant switches to cross-check their operation.
- The equipment control task did not properly synchronize with the operator interface task, so that race conditions occurred if the operator changed the setup too quickly. This was evidently missed during testing, since it took some practice before operators were able to work quickly enough for the problem to occur.
- The software set a flag variable by incrementing it. Occasionally an arithmetic overflow occurred, causing the software to bypass safety checks.
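The last engineering issue above, a safety check gated on a flag that is "set" by incrementing, is small enough to model directly. The following is a constructed C example written for this article, not AECL's Therac-25 source: an 8-bit flag wraps to zero every 256th pass of a setup loop, and the collimator check is skipped on exactly those passes; the hardened variant beside it assigns a boolean instead of incrementing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the "flag set by incrementing" defect (constructed
 * example, not the original Therac-25 code). An 8-bit flag is incremented on
 * every pass of the setup task; the collimator check runs only while the
 * flag is nonzero, so it is silently skipped each time the flag wraps. */

static uint8_t setup_flag;   /* 8 bits: 255 + 1 wraps to 0 */

/* One pass of the buggy setup loop. Returns true if the beam may fire. */
bool buggy_setup_pass(bool collimator_ok)
{
    setup_flag++;                      /* "set" the flag by incrementing */
    if (setup_flag != 0) {             /* every 256th pass: flag == 0 */
        if (!collimator_ok)
            return false;              /* safety check: hold the beam */
    }
    return true;                       /* check skipped when flag wrapped */
}

/* Hardened pass: the flag is a boolean assigned a constant, so no
 * arithmetic on it can ever disable the interlock condition. */
bool fixed_setup_pass(bool collimator_ok)
{
    bool verify_needed = true;         /* assigned, never incremented */
    if (verify_needed && !collimator_ok)
        return false;
    return true;
}

/* Drive `passes` setup passes with the collimator never in place and
 * count how many times the beam was wrongly permitted. */
unsigned count_unsafe_fires(unsigned passes, bool (*pass)(bool))
{
    unsigned unsafe = 0;
    setup_flag = 0;
    for (unsigned i = 0; i < passes; i++)
        if (pass(false))
            unsafe++;
    return unsafe;
}

int main(void)
{
    printf("buggy: %u unsafe fires in 1000 passes\n",
           count_unsafe_fires(1000, buggy_setup_pass));
    printf("fixed: %u unsafe fires in 1000 passes\n",
           count_unsafe_fires(1000, fixed_setup_pass));
    return 0;
}
```

With the collimator never in place, the buggy loop lets the beam fire on passes 256, 512 and 768 out of 1000; the hardened loop never does.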
Notes
- [1] Set Phasers On Stun: Design and Human Error, Steven Casey, pp. 11-16
© 2009 citizendia.org; parts available under the terms of GNU Free Documentation License, from http://en.wikipedia.org