+ THE THERAC-25 - A SOFTWARE FATAL FAILURE Kpea, Aagbara Saturday SYSM 6309 Spring ’12 UT-Dallas.

Slides:



Advertisements
Similar presentations
ES050 – Introductory Engineering Design and Innovation Studio Prof. Ken McIsaac One last word…
Advertisements

CSCI 5230: Project Management Software Reuse Disasters: Therac-25 and Ariane 5 Flight 501 David Sumpter 12/4/2001.
IT Roles and Responsibilities: How Good is Good Enough? IS 485, Professor Matt Thatcher.
“An Investigation of the Therac-25 Accidents” by Nancy G. Leveson and Clark S. Turner Catherine Schell CSC 508 October 13, 2004.
The Therac-25: A Software Fatal Failure
Background Increasing use of automated systems Hardware and software technology are improving rapidly User interface technology is lagging Critical bottleneck.
RADIOTHERAPY ACCIDENT IN COSTA RICA - CAUSE AND PREVENTION OF RADIATION ACCIDENTS IN HOSPITALS Module XIX.
An Investigation of the Therac-25 Accidents Nancy G. Leveson Clark S. Turner IEEE, 1993 Presented by Jack Kustanowitz April 26, 2005 University of Maryland.
Can We Trust the Computer? Case Study: The Therac-25 Based on Article in IEEE-Computer, July 1993.
Therac-25 Lawsuit for Victims Against the AECL
Computingcases.org Safeware
Reliability and Safety Lessons Learned. Ways to Prevent Problems Good computer systems Good computer systems Good training Good training Accountability.
Motivation Why study Software Engineering ?. What is Engineering ? 2 Engineering (Webster) – The application of scientific and mathematical principles.
A Gift of Fire Third edition Sara Baase
A Gift of Fire Third edition Sara Baase
SWE Introduction to Software Engineering
Jacky: “Safety-Critical Computing …” ► Therac-25 illustrated that comp controlled equipment could be less safe. ► Why use computers at all, if satisfactory.
CSE 341 S. Tanimoto Social/Ethical Issues - 1 Social and Ethical Issues in Programming Language Design Can harm be done by designers of programming languages?
CS 235: User Interface Design January 22 Class Meeting
Today’s Lecture application controls audit methodology.
Software Failures Ron Gilmore, CMC Edmonton April 2006.
Lecture 7, part 2: Software Reliability
Dr Andy Brooks1 Lecture 4 Therac-25, computer controlled radiation therapy machine, that killed people. FOR0383 Software Quality Assurance.
DJ Wattam, Han Junyi, C Mongin1 COMP60611 Directed Reading 1: Therac-25 Background – Therac-25 was a new design dual mode machine developed from previous.
Death by Software The Therac-25 Radio-Therapy Device Brian MacKay ESE Requirements Engineering – Fall 2013.
Therac-25 : Summary Malfunction Complacency Race condition (turntable / energy mismatch) Data overflow (turntable not positioned) time‘85‘86‘88 ‘87 Micro-switch.
Software Safety Case Study Medical Devices : Therac 25 and beyond Matthew Dwyer.
Therac-25 Final Presentation
Hosted by Dr. William J. Frey Safety and Risk Educational Laptops Bus and Nat Env Therac
IAEA International Atomic Energy Agency PREVENTION OF ACCIDENTAL EXPOSURE IN RADIOTHERAPY Part 5: Reporting, investigating and preventing accidental exposures.
Therac 25 Nancy Leveson: Medical Devices: The Therac-25 (updated version of IEEE Computer article)
MICE Magnetic Field Mitigation Review Potential impact on ISIS of MICE Stray Magnetic Fields 24 th September 2013 Martin Hughes.
ITGS Software Reliability. ITGS All IT systems are a combination of: –Hardware –Software –People –Data Problems with any of these parts, or a combination.
Course: Software Engineering © Alessandra RussoUnit 1 - Introduction, slide Number 1 Unit 1: Introduction Course: C525 Software Engineering Lecturer: Alessandra.
Chapter 8: Errors, Failures, and Risk
CS 235: User Interface Design August 25 Class Meeting Department of Computer Science San Jose State University Fall 2014 Instructor: Ron Mak
XpsOES : A New Tool for Improving Safety at Workplace Yasar Kucukefe, Ph.D., National Power Energy.
Security and Reliability THERAC CASE STUDY TEXTBOOK: BRINKMAN’S ETHICS IN A COMPUTING CULTURE READING: CHAPTER 5, PAGES
Intent Specification Intent Specification is used in SpecTRM
Dimitrios Christias Robert Lyon Andreas Petrou Dimitrios Christias Robert Lyon Andreas Petrou.
FDA Public Meeting: Device Improvements to Reduce the Number of Under-doses and Misaligned Exposures from Therapeutic Radiation.
Using Radiation in Medicine. There are 3 main uses of radiation in medicine: Treatment Diagnosis Sterilization.
©2001 Southern Illinois University, Edwardsville All rights reserved. Today Fun with Icons Thursday Presentation Lottery Q & A on Final Exam Course Evaluations.
© 2008 Wayne Wolf Overheads for Computers as Components 2nd ed. System design techniques Quality assurance. 1.
What you know… You work at the East Texas Cancer Center in Tyler, Texas as a physicist who “maintains and checks the machine regularly.” (Huff 2005) Patient.
Computingcases.org Safeware
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 9 Slide 1 Critical Systems Specification 1.
Therac-25 CS4001 Kristin Marsicano. Therac-25 Overview  What was the Therac-25?  How did it relate to previous models? In what ways was it similar/different?
CS, AUHenrik Bærbak Christensen1 Critical Systems Sommerville 7th Ed Chapter 3.
3 Medical uses of Radiation
Dr. Rob Hasker. Classic Quality Assurance  Ensure follow process Solid, reviewed requirements Reviewed design Reviewed, passing tests  Why doesn’t “we.
CSCI 3428: Software Engineering Tami Meredith Chapter 7 Writing the Programs.
©2001 Southern Illinois University, Edwardsville All rights reserved. Today Finish Ethics Next Week Research Topics in HCI CS 321 Human-Computer Interaction.
Chapter 8 Errors, Failures, & Risks. Real Headlines Navigation system directs car into river Data entry typo mutes millions of U.S. pagers Flaws found.
Dr. Rob Hasker. Classic Quality Assurance  Ensure follow process Solid, reviewed requirements Reviewed design Reviewed, passing tests  Why doesn’t “we.
Directed Reading 1 Girish Ramesh – Andres Martin-Lopez – Bamdad Dashtban –
MI Shielding Machine Protection Credit D. Capista March 7,2010.
Organization and Implementation of a National Regulatory Program for the Control of Radiation Sources Need for a Regulatory program.
Increasing use of automated systems
Why study Software Design/Engineering ?
IAEA E-learning Program
EE 585 : FAULT TOLERANT COMPUTING SYSTEMS B.RAM MOHAN
COMP60611 Directed Reading 1: Therac-25
Therac-25 Accidents What was Therac-25? Who developed it?
A Gift of Fire Third edition Sara Baase
Reliability and Safety
System design techniques
Week 13: Errors, Failures, and Risks
Computer in Safety-Critical Systems
A Gift of Fire Third edition Sara Baase
Presentation transcript:

+ THE THERAC-25 - A SOFTWARE FATAL FAILURE Kpea, Aagbara Saturday SYSM 6309 Spring ’12 UT-Dallas

+ What is the Therac-25 The Therac-25 was a medical linear accelerator, used to treat cancer patients to remove tumors.

+ Background Information Early1970’s, AECL (Atomic Energy of Canada Limited)and a French Company (CGR) collaborate to build Medical Linear Accelerators (linacs). They develop Therac-6, and Therac-20. AECL and CGR end their working relationship in In 1976, AECL develops the revolutionary "double pass" accelerator which leads to the development of Therac-25. In March, 1983, AECL performs a safety analysis of Therac-25 which apparently excludes an analysis of software.

+ Background info … July 29,1983, the Canadian Consulate General announces the introduction of the new "Therac 25" Machine manufactured by AECL Medical, a division of Atomic Energy of Canada Limited. Medical linear accelerators (linacs) known generally as “Therac- 25”.

+ How Therac-25 works: Generating an Electron Beam Linear accelerator works just like the computer monitor The electrons are accelerated by the gun in the back of the monitor and directed at the inside of the screen A medical linear accelerator produces a beam of electrons about 1,000 times more powerful than the standard computer monitor Medical linear accelerators accelerate electrons to create high- energy beams that can destroy tumors with minimal impact on surrounding healthy tissue The Therac-25 is designed to fold beam back and forth in order to produce long acceleration to fit into smaller space

+ Getting the Beam into the Body  Shallow tissue is treated with accelerated electrons  Scanning magnets placed in the way of the beam; the spread of the beam (and thus its power) could be controlled by a magnetic fields generated by these magnets  Deeper tissue is treated with X-ray photons  The X-ray beam is flattened by a device in the machine to direct the appropriate intensity to the patient.  Beams kill (or retard the growth of) the cancerous tissues

+ Accident with Therac-25 At East Texas Cancer Center in Tyler, Texas, a patient complains of a bright flash of light, heard a frying, buzzing sound, and felt a thump and heat like an electric shock. This indicates radiation overdose by Therac-25 machines after cancer treatment session A few days after the unit was put back into operation, another patient complained that his face felt like it was on fire.  Another potential overdose of radiation beam by Therac-25. Both patients died after 4months and 3 weeks respectively due to administered overdose of radiation

+ Accidents with Therac-25 … contd At Yakima Valley, Washington in January 1987, another incident of overdose with Therac-25 occurred Performed two film exposures Patient developed severe striped burns after treatments, an indication of overdose Patient died in April as a result

+ Reasons for the cause of the accidents At Texas facility; Operator selected x-rays by mistake, used cursor keys to change to electrons Machine tripped with “Malfunction 54” – Documentation explains this is “dose input 2” error Operator saw “beam ready” proceeded; machine tripped again At Washington facility; Operator used hand controls to rotate table to field-light position & check alignment Operator set machine but forgot to remove film Operator turned beam on, machine showed no dose and displayed fleeting message Operator proceeded from pause; After another machine pause, operator reentered room

+ Accidents Race Condition Source:

+ Root Cause Analysis of the Accidents Software code was not independently reviewed. AECL did not consider the design of the software during its assessment of how the machine might produce the desired results and what failure modes existed. –No proper risk assessment followed. The system noticed that something was wrong and halted the X-ray beam, but merely displayed the word "MALFUNCTION" followed by a number from 1 to 64. The user manual did not explain or even address the error codes, so the operator pressed the P key to override the warning and proceed anyway. AECL personnel, as well as machine operators, initially did not believe complaints. This was likely due to overconfidence AECL had never tested the Therac-25 with the combination of software and hardware until it was assembled at the hospital. The problem was a race condition produced by a flaw in the software programming. Management inadequacies and lack of procedures for following through on all reported incident. The engineer had reused software from older models. These models had hardware interlocks that masked their software defects

+ Requirements Issues Error messages provided by Therac-25 monitor are not helpful to operators Machine pauses treatment but does not indicate reason why The equipment control task did not properly synchronize with the operator interface task, so that race conditions occurred if the operator changed the setup too quickly. Software is required to monitor several activities simultaneously in real time Interaction with operator Monitoring input and editing changes from an operator Updating the screen to show the current status of machine There were no independent checks that the software was operating correctly (verification)

+ Requirements Issues … contd Traceability matrix: ways to get information about errors, i.e., software audit trails should be designed into the software from the beginning. The software should be subjected to extensive testing and formal analysis at the module and software level. System testing alone is not adequate; verification would be very valuable. Involve users at all phases of product development

+ Corrective Action Plan Documentation should not be an afterthought. Software quality assurance practices and standards should be established. Designs should be kept simple and ensure user-friendly interfaces

+ Lessons Complacency Assumption that problem was understood without adequate evidence Sole reliance on software for safety Systems engineering practices need proper coordination

+ References The Therac-25 Accidents (PDF), by Nancy G. Leveson (the 1995 update of the IEEE Computer article) The Therac-25 Accidents (PDF)Nancy G. Leveson Jacky, Johathan. "Programmed for Disaster." The Sciences 29 (1989) : Leveson, Nancy G., and Clark S. Turner. "An Investigation of the Therac-25 Accidents." Computer July 1993 :

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.