Published by Sabina Williams. Modified over 9 years ago.
DJ Wattam, Han Junyi, C Mongin
COMP60611 Directed Reading 1: Therac-25
3 October 2011

Slide 1: Background
– The Therac-25 was a new-design dual-mode machine developed from the previous Therac-6 (single-mode) and Therac-20 (dual-mode) machines.
– The previous machines relied on hardware interlocks for safety.
– Only limited hardware checks were designed into the Therac-25 from the outset.
– For a dual-mode machine it is essential that the turntable is positioned correctly for the selected mode: electron (conditioning magnetic field), X-ray (cone attenuator) or field-light test.
– 11 units were installed in the USA and Canada.
– Between June 1985 and January 1987, Therac-25 computer-controlled radiation therapy machines massively overdosed 6 people, directly leading to fatalities in some cases.
– The manufacturer was complacent in investigating the events and negligent in not working to robust procedures/processes.
Slide 2: Human Factors
– The software was written by one programmer [1] in assembly language, reusing some routines from the previous machines.
– The AECL QA manager was unaware of many software details and did not provide a professional framework for development and testing that would lead to a robust design.
– Testing was limited to the whole system rather than individual functions.
– The design relied on "correct" software to provide all safety features, ignoring previous experience with hardware interlocks.
– Software flaws: limited or no cross-checks between shared variables; over-complicated software (which a system review should have prevented); basic errors such as checking variables at the wrong time and overflows.
– Unrealistic risk assessments, and complacency/negligence by AECL.
– Closed/proprietary system with few if any details released, protecting the commercial position; no independent checking.
– Audio/visual links between the treatment room and the control room were not working.
– Poor user interface with no meaningful error descriptions.
Slide 3: Concurrency Problem
– The Treat (Datent) and Keyboard Handler threads run concurrently and share the Data Entry Completion Flag.
– Setting of this flag is not robust: it relies only on the cursor having gone to the command line, not on it still being there. This allows exit from Datent before all input is completed.
– Editing the prescription with the up-arrow key to correct a wrong mode entry leaves the shared variable relating table position to mode in an inconsistent state (e.g. select X-ray first and then correct to Electron). The default energy for X-ray is 25 MeV, i.e. the maximum value. Presumably this allows X-ray treatment without the attenuator.
– The time delay in the Magnet routine uses another shared variable to check whether the keyboard handler has detected data edits; however, the edit flag is checked only the first time through the routine. This allows inconsistency between the variables displayed on the console and the machine settings.
– On exit from the Magnet routine, the input data is not rechecked even if the data entry flag is set.

Overflow Problem
– A variable overflow condition allowed an incorrect table setting and a full-power burst in the field-light position.

References
[1] http://neptune.netcomp.monash.edu.au/cpe9001/assets/readings/www_uguelph_ca_~tgallagh_~tgallagh.htm
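To make the shared-flag race on this slide concrete, here is an added, deterministic model (not the original PDP-11 code and not part of the slides): two cooperating routines are stepped by hand so the interleaving is reproducible. The tick counts, the `Machine` fields and the "hardened" variant (check the edit flag on every pass and re-validate on exit from Magnet) are assumptions for illustration.

```python
"""Deterministic model of the Therac-25 shared-flag race from the slides.
Constructed example: the two "threads" are stepped by hand so the interleaving
is reproducible; tick counts and names are invented, not the PDP-11 code."""
from dataclasses import dataclass

MAGNET_TICKS = 4  # assumed length of the Magnet routine, in scheduler ticks

@dataclass
class Machine:
    mode: str = ""            # mode the keyboard handler last accepted ('X'/'E')
    table_for: str = ""       # mode the turntable/beam hardware was set up for
    entry_complete: bool = False  # Data Entry Completion Flag (shared)
    edited: bool = False          # edit flag checked by the Magnet routine

def keyboard_handler(m, key):
    """Keyboard thread. Sets the completion flag as soon as a mode key is
    accepted (cursor reaches the command line); a later key is an edit."""
    if key in ("X", "E"):
        m.mode = key
        m.edited = m.entry_complete   # True only if entry was already 'complete'
        m.entry_complete = True

def magnet(m, edits_during, check_every_tick):
    """Magnet setup loop. Original: the edit flag is consulted only on the
    first pass, so an edit arriving on a later tick is silently missed."""
    for tick in range(MAGNET_TICKS):
        for key in edits_during.get(tick, []):
            keyboard_handler(m, key)       # operator edits during the delay
        if (tick == 0 or check_every_tick) and m.edited:
            return False                   # abort: data changed under us
    return True

def run(first_key, edits_during, hardened=False):
    """Treat/Datent thread. edits_during maps tick -> keys pressed then.
    Returns what the beam would do for the given interleaving."""
    m = Machine()
    keyboard_handler(m, first_key)
    m.table_for = m.mode        # hardware set up from the current entry
    m.edited = False
    if not magnet(m, edits_during, check_every_tick=hardened):
        return "ABORTED"        # edit caught inside the Magnet routine
    if hardened and m.table_for != m.mode:
        return "ABORTED"        # re-check on exit, absent in the original
    # Original code fires here without re-validating the shared state.
    return "FIRED" if m.table_for == m.mode else "FIRED INCONSISTENT"

if __name__ == "__main__":
    print(run("X", {2: ["E"]}))                  # FIRED INSONSISTENT
    print(run("X", {2: ["E"]}, hardened=True))   # ABORTED
```

An edit on the first tick is caught even by the original logic; the same edit two ticks later is only caught by the hardened variant, which mirrors the slide's point that the flag was checked once and never rechecked on exit.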