Therac-25 Analysis and Research

Published: March 28, 2012
The Therac 25
A case study in safety failure
• Radiation therapy machine
• “The most serious computer-related accidents to date”
• People were killed
• Reference: Nancy Leveson and Clark Turner, “The Investigation of the Therac-25 Accidents”, Computer, 26, 7 (July 1993), pp. 18-41.

Therac 25 Background
• Medical linear accelerator developed by Atomic Energy of Canada, Ltd. in mid-1970s
• Delivers 25 MeV photons or electrons of various energies
• Controlled by PDP-11 minicomputer
• Software responsible for safety
• Software adapted from earlier Therac-6 & Therac-20 systems, which had hardware interlocks for safety

The Therac 25

Therac 25 Turntable
• Electron mode
– 5-25 MeV
– Magnets spread beam
– Ion chamber monitor
• X-ray mode
– 25 MeV electrons hit target
– “Beam flattener” attenuates
– 100x beam current
– Ion chamber monitor
• Field-light mode
– No current
– Mirror & light used to check alignment
– No ion chamber (since not treating)

Therac 25 Turntable
• Computer adjusts turntable position
• Microswitches detect turntable setting
• 3-bit binary code used to encode turntable setting
• Software checks replace hardware interlocks

Therac 25 Software Development
• Evolved from Therac-6 system (1972-1976)
• Incorporated some Therac-20 code as well
• Written in PDP-11 assembler
• Custom operating system
• Little documentation during development
• Minimal unit and software testing
• Q/A testing was 2700 hours of use as integrated system
• Programmer left AECL in 1986; little information available about his background

Therac 25 Software Functions
• Monitors machine status
• Sets up machine for treatment
• Turns beam on and off in response to operator
• Monitors interlocks
• If fault, either prevents treatment start or causes a pause/suspend

Therac 25 Software Structure
• Critical tasks:
– Treatment monitor
– Servo
– Housekeeping

• Non-critical tasks:
– Checksum
– Keyboard
– Calibration
– etc.

• Concurrent access to shared memory, “test” and “set” of variables not indivisible, race conditions
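The race in the last bullet, as an added example that is not from the slides or from Leveson and Turner's paper: a constructed, deliberately simplified Python model of a setup task that “tests” the entered mode against the turntable and “sets” a verified flag, a keyboard task that edits the mode between those steps, and two beam-on tasks, one that trusts the flag and one that re-checks beam current against the turntable code indivisibly at beam-on. The schedule mirrors the East Texas sequence later on the page (x-rays entered, then edited to electrons). All names, turntable codes and current values are assumptions, not the real machine's.

```python
from dataclasses import dataclass
# Constructed 3-bit turntable codes standing in for the microswitch encoding.
XRAY_POS, ELECTRON_POS = 0b011, 0b101
XRAY_CURRENT, ELECTRON_CURRENT = 100, 1   # relative beam current (x-ray ~100x)

@dataclass
class Machine:
    mode: str = "xray"          # operator's data-entry field
    current: int = 0            # beam current latched by setup
    turntable: int = XRAY_POS   # code read from the turntable microswitches
    verified: bool = False      # flag "set" by the setup task's "test"
    delivered: int = 0          # current actually delivered at beam-on
    fault: str = ""

def setup_task(m):
    # Each yield ends one step; the scheduler in run() interleaves steps.
    m.current = XRAY_CURRENT if m.mode == "xray" else ELECTRON_CURRENT
    yield
    m.turntable = XRAY_POS if m.mode == "xray" else ELECTRON_POS
    yield
    m.verified = (m.mode == "xray") == (m.turntable == XRAY_POS)  # stale test
    yield

def operator_edit(m, new_mode):
    m.mode = new_mode   # cursor-key edit of the mode field; setup is not restarted
    yield

def beam_vulnerable(m):
    if m.verified:      # trusts the flag and never re-reads the actuators
        m.delivered = m.current
    yield

def beam_hardened(m):
    # Test and act in one indivisible step, on the actuator states themselves.
    safe = {(XRAY_CURRENT, XRAY_POS), (ELECTRON_CURRENT, ELECTRON_POS)}
    if m.verified and (m.current, m.turntable) in safe:
        m.delivered = m.current
    else:
        m.fault = "interlock: beam current does not match turntable position"
    yield

def run(beam, schedule):
    # Deterministic scheduler: advance the named task by one step per entry.
    m = Machine()
    tasks = {"setup": setup_task(m), "edit": operator_edit(m, "electron"), "beam": beam(m)}
    for name in schedule:
        next(tasks[name])
    return m

# Edit lands after the x-ray current is latched but before the turntable moves.
RACE = ["setup", "edit", "setup", "setup", "beam"]
CLEAN = ["edit", "setup", "setup", "setup", "beam"]   # edit finishes first: no race
```

Under RACE the vulnerable beam-on delivers x-ray current with the turntable in the electron position, while the hardened version raises an interlock fault; under CLEAN both deliver the electron current.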

Operator Procedures
• Position patient on table
• Manually set treatment field size and gantry rotation; attach accessories
• Leave room
• Use VT-100 console to enter patient data, dose data, etc.
• (System compares manual settings with system values)
• If “verified”, operator can start machine
• Else must re-enter data

Operator Screen Layout

Operator Procedures
• Complaint
– Re-entering all that data manually is very tedious

• Response
– Set things up so that “carriage return” copies previous data for entry
– Series of carriage returns effectively permits fast re-entry of unchanged parts of data

Operator Procedures
• Error Conditions
– “Treatment suspend” requires complete machine reset
– “Treatment pause” can be resumed if operator types “P” at console
– Machine insists on reset after 5 “P”s
– Malfunction messages fairly common & usually do not affect safety

• Error Messages
– Cryptic
– Some were of the form “Malfunction NN”

FDA Comment on Manual

Accident History
• 11 Therac-25’s installed (5 US, 6 Canada)
• Six accidents involving massive overdoses between 1985 and 1987
• Machines recalled in 1987
• Related problems in Therac-20 discovered later, but hardware interlocks prevented injuries

E.g., East Texas, March 1986
• History of 500 patients treated successfully
• Prescribed: 22 MeV electrons, 180 rads
• Operator selected x-rays by mistake, used cursor keys to change to electrons
• Machine tripped with “Malfunction 54”
– Documentation explains this is “dose input 2” error

• Operator proceeded; machine tripped again

E.g., East Texas, March 1986
• Patient felt something wrong on first jolt, tried to get up
• Video/audio links to room not functioning
• Patient felt jolt on arm while getting up, pounded on door
• Treatment cancelled for day
• Calibration checks seemed normal
• Later found patient had gotten 16,500-25,000 rads...