“An Investigation of the Therac-25 Accidents” by Nancy G. Leveson and Clark S. Turner Catherine Schell CSC 508 October 13, 2004.

Slides:



Advertisements
Similar presentations
Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.
Advertisements

ES050 – Introductory Engineering Design and Innovation Studio Prof. Ken McIsaac One last word…
CSCI 5230: Project Management Software Reuse Disasters: Therac-25 and Ariane 5 Flight 501 David Sumpter 12/4/2001.
IT Roles and Responsibilities: How Good is Good Enough? IS 485, Professor Matt Thatcher.
The Therac-25: A Software Fatal Failure
THE STANDARDS DEVELOPMENT PROCESS STEP 1 PUBLIC AND COMMITTEE PROPOSAL STAGE PUBLIC AND COMMITTEE PROPOSAL CLOSING DATE FIRST TECHNICAL COMMITTEE MEETING.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
Social Implications of a Computerized Society Computer Errors Instructor: Oliver Schulte Simon Fraser University.
An Investigation of the Therac-25 Accidents Nancy G. Leveson Clark S. Turner IEEE, 1993 Presented by Jack Kustanowitz April 26, 2005 University of Maryland.
Can We Trust the Computer? Case Study: The Therac-25 Based on Article in IEEE-Computer, July 1993.
Therac-25 Lawsuit for Victims Against the AECL
Therac-24 The Upshot. Summary/Overview Six patients received radiation overdoses during cancer treatment by a faulty medical linear accelerator, the Therac-25.
+ THE THERAC-25 - A SOFTWARE FATAL FAILURE Kpea, Aagbara Saturday SYSM 6309 Spring ’12 UT-Dallas.
Computingcases.org Safeware
INPATIENT PROPOSAL INPATIENT PROPOSAL 4 MONTH CERTIFICATION SCHEDULE.
Chubaka Producciones Presenta :.
2012 JANUARY Sun Mon Tue Wed Thu Fri Sat
CS 5521 Configuration Management the problem Not a simple task! –Different versions of software usually is in the field during the life cycle –Different.
A Gift of Fire Third edition Sara Baase
CBER Managed Review Process Sheryl A. Kochman Deputy Director, DBA, OBRR, CBER September 15, 2009.
Lecture 7, part 2: Software Reliability
Dr Andy Brooks1 Lecture 4 Therac-25, computer controlled radiation therapy machine, that killed people. FOR0383 Software Quality Assurance.
DJ Wattam, Han Junyi, C Mongin1 COMP60611 Directed Reading 1: Therac-25 Background – Therac-25 was a new design dual mode machine developed from previous.
Death by Software The Therac-25 Radio-Therapy Device Brian MacKay ESE Requirements Engineering – Fall 2013.
Therac-25 : Summary Malfunction Complacency Race condition (turntable / energy mismatch) Data overflow (turntable not positioned) time‘85‘86‘88 ‘87 Micro-switch.
FDA Regulatory review in Minutes: What Product Development Executives Need-to-Know. Specifically, frequent causes of recalls and related areas that investigators.
Therac-25 Final Presentation
Therac 25 Nancy Leveson: Medical Devices: The Therac-25 (updated version of IEEE Computer article)
ITGS Software Reliability. ITGS All IT systems are a combination of: –Hardware –Software –People –Data Problems with any of these parts, or a combination.
Chapter 8: Errors, Failures, and Risk
Project Tracking. Questions... Why should we track a project that is underway? What aspects of a project need tracking?
Product Development Chapter 6. Definitions needed: Verification: The process of evaluating compliance to regulations, standards, or specifications.
Dimitrios Christias Robert Lyon Andreas Petrou Dimitrios Christias Robert Lyon Andreas Petrou.
© 2008 Wayne Wolf Overheads for Computers as Components 2nd ed. System design techniques Quality assurance. 1.
What you know… You work at the East Texas Cancer Center in Tyler, Texas as a physicist who “maintains and checks the machine regularly.” (Huff 2005) Patient.
Computingcases.org Safeware
Computing is Socio-Technical or: Why Stakeholder Listing is Inadequate for Thoughtful Ethical Analysis Chuck Huff St. Olaf College For NSF Computer Ethics.
Provider Outreach and Education November 16, 2010.
Therac-25 CS4001 Kristin Marsicano. Therac-25 Overview  What was the Therac-25?  How did it relate to previous models? In what ways was it similar/different?
Health IT Hazard Manager: Design & Demo James M. Walker, MD, FACP; Principal Investigator, Geisinger Health System Andrea Hassol, MSPH; Project Director,
Practical Implications of Electrical Product Safety Regulation in Ontario International Consumer Product Health and Safety Organization Sixth International.
TGDC Meeting, July 2011 Voluntary Voting System Guidelines Roadmap Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL
Investigational Devices and Humanitarian Use Devices June 2007.
HIPAA History March 3, HIPAA Ruling Health Insurance Portability Accountability Act Health Insurance Portability Accountability Act Passed by Congress.
Grants and Contracts Jim Butterfield and Kathy Blackwood October 5, 2004.
2011 Calendar Important Dates/Events/Homework. SunSatFriThursWedTuesMon January
Dr. Rob Hasker. Classic Quality Assurance  Ensure follow process Solid, reviewed requirements Reviewed design Reviewed, passing tests  Why doesn’t “we.
©2001 Southern Illinois University, Edwardsville All rights reserved. Today Finish Ethics Next Week Research Topics in HCI CS 321 Human-Computer Interaction.
Dr. Rob Hasker. Classic Quality Assurance  Ensure follow process Solid, reviewed requirements Reviewed design Reviewed, passing tests  Why doesn’t “we.
July 2007 SundayMondayTuesdayWednesdayThursdayFridaySaturday
A Year in the Life Of a State Data Coordinator December, 2013.
Directed Reading 1 Girish Ramesh – Andres Martin-Lopez – Bamdad Dashtban –
Managing the Project Lifecycle
Office of Nuclear Materials Safety and Safeguards
EE 585 : FAULT TOLERANT COMPUTING SYSTEMS B.RAM MOHAN
COMP60611 Directed Reading 1: Therac-25
All Wales Safeguarding Procedures Review Project
Therac-25 Accidents What was Therac-25? Who developed it?
A Gift of Fire Third edition Sara Baase
Reliability and Safety
AGA Best Practices Kick Off Meeting Los Angeles January 17, 2012
System design techniques
CSE403 Software Engineering Autumn 2000 Requirements
Week 13: Errors, Failures, and Risks
McDonald’s calendar 2007.
Computer in Safety-Critical Systems
McDonald’s calendar 2007.
A Gift of Fire Third edition Sara Baase
2015 January February March April May June July August September
Presentation transcript:

“An Investigation of the Therac-25 Accidents” by Nancy G. Leveson and Clark S. Turner Catherine Schell CSC 508 October 13, 2004

Description of Therac-25 The Therac-25 is a medical linear accelerator. Accelerates high-energy beams that can destroy tumors with minimal impact on surrounding tissue Beam can be accelerated electrons or X-ray photons.

Development of the Therac-25 Early 1970’s: Atomic Energy of Canada Limited (AECL) and CGR, a French company, collaborated and developed the Therac-6 and, later, the Therac-20 Therac-6: 6 MeV accelerator that produced X-rays only Therac-20: 20 MeV dual-mode accelerator Both were versions of older CGR machines that were augmented with computer control

Development of the Therac-25 cont’d Mid 1970’s: AECL developed “double-pass” accelerator This was used in the design of the Therac : AECL produced first hardwired prototype of the Therac : AECL and CGR did not renew their agreement due to competitive pressures

Development of the Therac-25 cont’d 1982: Computerized commercial version of the Therac-25 available March 1983: AECL performed safety analysis, which made several assumptions: Programming errors reduced by extensive testing; software errors not included in analysis Software does not degrade Computer execution errors caused by faulty hardware and random errors due to noise

Important Features of the Therac-25 AECL designed Therac-25 to use computer control from the start. Therac-6 and Therac-20 had histories of clinical use without computer control Therac-25 software had more responsibility for safety than in previous machines. Software in the Therac-6 and Therac-20 was reused in the Therac-25.

Therac-25 Software Four major components: Stored data Scheduler Set of critical and non-critical tasks Interrupt services Software allows concurrent access to shared memory Software has no real synchronization aside from data stored in shared variables “Test” and “set” operations for shared variables are not indivisible

Major Event Timeline: 1985 June 3 rd : Marietta, GA overdose Hospital physicist called AECL to ask if overdose by Therac-25 possible, received reply three days later saying it was not July 26 th : Hamilton, Ontario, Canada overdose; machine repeatedly shut down with “H-tilt” error message; AECL notified, cause determined as microswitch failure August 1 st : Four users in the US were advised in a letter from AECL to check ionization chamber to make sure it was positioned correctly; treatment should be discontinued if an “H-tilt” message with incorrect dosage displayed

Major Event Timeline: 1985 cont’d September AECL changes microswitch, notifies users Independent consultant for Hamilton clinic recommends potentiometer on turntable October Georgia patient files suit against AECL and hospital

Major Event Timeline: 1985 cont’d November 8 th : Letter from Canadian Radiation Protection Bureau to AECL asking for hardware interlocks and software changes December Yakima, WA overdose

Major Event Timeline: 1986 January Attorney for Hamilton clinic requests potentiometer on turntable 31 st : Letter to AECL from Yakima reporting possibility of overdose February 24 th : Letter from AECL to Yakima saying overdose not possible, no other incidents had occurred

Major Event Timeline: 1986 cont’d March 21 st : Tyler, TX overdose: AECL notified; AECL claims overdose impossible, no other accidents occurred, suggests electrical problem in hospital as cause April 7 th : Tyler machine put back in service after no electrical problem found 11 th : Second Tyler overdose: AECL notified; AECL finds software problem 15 th : AECL files accident report with the FDA

Major Event Timeline: 1986 cont’d May 2 nd : FDA declares Therac-25 defective; FDA asks for CAP and proper notification of users June 13 th : AECL submits CAP to FDA July 23 rd : FDA responds, asks for more info August First user group meeting

Major Event Timeline: 1986 cont’d September 26 th : AECL sends FDA additional info October 30 th : FDA requests more info November 12 th : AECL submits revision of CAP December: Therac-25 users notified of software bug 11 th : FDA requests further changes to CAP 22 nd : AECL submits second revision of CAP

Major Event Timeline: 1987 January 17 th : Second Yakima, WA overdose 26 th : AECL sends FDA revised test plan February Hamilton clinic investigates first accident, concludes overdose occurred 3 rd : AECL announces changes to Therac th : FDA notifies AECL of adverse findings declaring Therac-25 defective under US law, asks AECL to notify users not to use it for routine therapy; Health Protection Branch of Canada does the same.

Major Event Timeline: 1987 cont’d March Second user group meeting 5 th : AECL submits third revision of CAP April 9 th : FDA requests additional info from AECL May 1 st : AECL submits fourth revision of CAP 26 th : FDA approves CAP subject to final testing and safety analysis

Major Event Timeline: 1987 cont’d June 5 th : AECL sends final test plan and draft of safety analysis to FDA July Third user group meeting 21 st : AECL submits fifth revision of CAP

Major Event Timeline: 1988 January 29 th : Interim safety analysis report issued November 3 rd : Final safety analysis report issued

Lessons Learned Do not put too much confidence in the software. Do not remove standard hardware interlocks when adding computer (software) control. Software should not be solely responsible for safety.

Lessons Learned cont’d Systems should not be designed wherein a single software error can be catastrophic. Software error should not be the last possibility investigated in an accident. Engineers need to design for the worst case.

Lessons Learned cont’d Companies building hazardous equipment should include hazard logging and tracking incident reporting incident analysis as part of quality control procedures. Risk assessment numbers should be meaningful, and statistics should be treated with caution.

Lessons Learned cont’d Documentation is important. Software quality assurance practices and standards should be established. Designs should be simple. Error logging or software audit trail reporting should be designed into the software from the beginning. System testing alone is not adequate; there should also be testing and formal analysis at the module and software levels.

Lessons Learned cont’d Safety-critical software projects must incorporate safety-analysis and design procedures. Reusing software modules does not guarantee safety in the new system. Software engineers need additional training and experience when working on safety-critical systems.

Lessons Learned cont’d Software engineers need better training in interface design, or more input from human factors engineers. There must be recognition of the potential conflict between user- friendly interfaces and safety.

Lessons Learned cont’d Reasons for design decisions must be recorded. Users of safety-critical systems should be involved in resolving problems.