Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Safety Case Study Medical Devices : Therac 25 and beyond Matthew Dwyer.

Published byDerek Campbell Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Safety Case Study Medical Devices : Therac 25 and beyond Matthew Dwyer."— Presentation transcript:

1 Software Safety Case Study Medical Devices : Therac 25 and beyond Matthew Dwyer

2 Computing Ethics -- Software Safety 2 History The Therac 25 was a 3 rd generation medical linear accelerator Used as a radiation therapy machine for treating cancers Improved on older machines by being a dual- mode machine, i.e., capable of x-ray and electron therapy Allows for treatment of deep cancers X-ray therapy requires very high energy levels The beams are then filtered for dosing

3 Computing Ethics -- Software Safety 3 Therac 25

4 Computing Ethics -- Software Safety 4 Traditional LINACs Were purely electro-mechanical systems All patient and therapy setting were entered in hardware Delivering a treatment was time consuming Hardware interlocks prevented unsafe emission of radiation, e.g., door/beam interlock think of the button that controls your refrigerator light as an interlock that assures the light isn’t on when the door is closed

5 Computing Ethics -- Software Safety 5 Therac 25 Turntable

6 Computing Ethics -- Software Safety 6 Turntable Positioning Is essential for safety X-ray position and electron power  underdose Electron position and X-ray power  overdose Computer-control of turntable position Computer controls rotation 3 sensors indicate positioning Sensor readings are recorded Software tests recorded readings to insure proper positioning Hardware inter-locks removed

7 Computing Ethics -- Software Safety 7 Machine Operation 1. Enter treatment room 2. Position patient on treatment table 3. Set field size, gantry rotation and attach accessories to machine 4. Leave treatment room 5. Enter patient id, prescription, field size, gantry rotation and accessory info 6. If info matches settings then “VERIFIED” is indicated and treatment may proceed

8 Computing Ethics -- Software Safety 8 Operator Interface Screen

9 Computing Ethics -- Software Safety 9 Usability An operator can administer therapy to up to 30 patients a day Setup time was an issue Operators complained that re-keying data took too long The machine developers implemented a feature that allowed “enter” to be used to keep an existing entry unchanged

10 Computing Ethics -- Software Safety 10 Patient/Operator Communication Operators monitored patients through a closed circuit video/audio link In case of a problem (e.g., patient complaint) there are two ways to stop the machine Treatment suspend (requires complete machine reset to restart) Treatment pause (requires a single keystroke to resume treatment) Pause-resume bounded at 5 times before reset

11 Computing Ethics -- Software Safety 11 Segmentation fault … As with many software systems, the usefulness of error messages was a low priority Error messages were Cryptic (“Malfunction 47”, “VTILT”, …) Commonly occurring (e.g., 40 times/day) Rarely involved patient safety Operators became desensitized to them Trained to rely on “builtin safety mechanisms” Assumed they would be resolved during the next machine servicing visit

12 Computing Ethics -- Software Safety 12 Machine Usage 11 Therac 25 Machines installed in US and Canada 6 massive overdoses reported between 1985 and 1987 Recalled in 1987

13 Computing Ethics -- Software Safety 13 Ontario, July 1985 Patient being treated for cervical cancer with a 200 rad dose Machine stops with an “HTILT” error Console displays “NO DOSE” Operator resumes treatment As mentioned resuming after an error was standard procedure Same error Stop-resume repeated 4 more times until reset Patient died 5 months later Estimated overdose: 15000 rads (1000 is fatal)

14 Computing Ethics -- Software Safety 14 Texas, March 1986 Patient being treated for tumor on his back with a 180 rad dose of electron therapy Operator enters data and noticed she had entered “x” (for X-ray in mode) Used the up-arrow key to move up and change the entry to “e” No other parameter changes so she “entered” back down Start treatment, stops immediately with “MALFUNCTION 54” Undocumented, but this means that a dose had been delivered that was either too low or too high Machine showed underdose Resume treatment, stops again with same error Operator hears banging on door

15 Computing Ethics -- Software Safety 15 Texas, March 1986 After first dose, patient felt a “shock” on his back and called to the operator The video display was unplugged and audio monitor was broken at the time Getting no response, he sat up to get off the table when the second dose was applied Patient died from complications of the overdose 5 months later Estimated overdose: 16-25 krads

16 Computing Ethics -- Software Safety 16 Texas, April 1986 Patient being treated for skin cancer on face with a 180 rad dose of electron therapy Same operator, same error Operator enters data and noticed she had entered “x” (for X-ray in mode) Used the up-arrow key to move up and change the entry to “e” No other parameter changes so she “entered” back down Start treatment, stops immediately with “MALFUNCTION 54” Operator hears patient cry out Audio monitor has been fixed Patient died 20 days later due to high-dose radiation injury to his right temporal lobe Estimated overdose: 25krads

17 Computing Ethics -- Software Safety 17 Diagnosing the problem Hospital physicist and operator worked diligently to try to recreate the problem Found that the speed of data-entry was a factor in creating the MALFUNCTION 54 This problem was reproduced on an earlier LINAC (Therac 20) It existed in the software It did not compromise safety due to hardware interlocks

18 Computing Ethics -- Software Safety 18 There were many problems … with this system The Texas accidents have been traced to an error in the software Accidents in Washington were traced to another error This was a system’s safety problem not simply bugs in a program There were many other bugs found in the software that were not safety critical

19 Computing Ethics -- Software Safety 19 Therac 25 Software Runs on a custom-built cyclic pre-emptive executive “tasks” are executed in series based on criticality More critical tasks can pre-empt less critical tasks No synchronization operations (except for test & set) 4 main components of the software Stored data (machine setup and patient-treatment data) Interrupt handlers Critical tasks Non-critical tasks

20 Computing Ethics -- Software Safety 20 A Race Condition Non-critical keyboard handler task 1. Parses text input 2. Encodes result in 2-byte shared variable 3. Sets data entry complete flag Critical task treatment processor (Treat) 1. Detects data entry 2. Reads encoded data to lookup operating parameters 3. Calls routine to set the bending magnets (8 second latency) 4. Loop to delay until magnets set Appears to check for new data entry while waiting 5. Once set treatment processing proceeds

21 Computing Ethics -- Software Safety 21 Texas Bug

22 Computing Ethics -- Software Safety 22 Datent Internals Magnet: [1] set bending flag repeat [2] set next magnet [3] call Ptime [4] if mode/enegy changed then exit [5]until all magnets are set [6]return Ptime: repeat [7] if bending flag then [8] if edit taking place then [9] if mode/energy changed then exit [10]until delay expired [11]clear bending flag [12]return Trace [1] bending set [2] [3] [7] test true [8] [10] … [11] bending reset [12] [4] [5] [2] [3] [7] test false … edit occurs here … [10] 8 sec

23 Computing Ethics -- Software Safety 23 Washington Bug Treat 1. Set Up Test called multiple times during setup; increments shared variable “Class 3” each time 2. Check if housekeeping task (Hkeper) has detected an inconsistent collimator setting by reading shared variable “F$mal”; if not setup is done Hkeper 1. If “Class 3” is not 0 check collimator position 2. Set “F$mal” to result of collimator position test

24 Computing Ethics -- Software Safety 24 Another Race Condition 1) 256th iteration 2) Class 3 rolls over to 0 3) Collimator misaligned 4) Test succeeds

25 Computing Ethics -- Software Safety 25 Lessons Overconfidence in software control Confusing reliability with safety History of correct operation doesn’t assure absence of future errors Lack of defensive design Failure to eliminate root causes Diagnosis and fix of presumed problems weren’t actually addressing the real problem Complacency

26 Computing Ethics -- Software Safety 26 Lessons Unrealistic risk assessment Therac 25 had a risk analysis (it did not consider software) Inadequate investigation and followup Inadequate software engineering practices Keep critical software simple and testable Software Reuse Just because it worked in another system doesn’t mean it works Safe versus Friendly User Interfaces Identify critical interfaces and design them appropriately

27 Computing Ethics -- Software Safety 27 FDA Response First big failure of a radiological device Center for Devices and Radiological Health (CDRH) became involved Quickly determined that the manufacturer had such poor practice that a fix was impossible Hesitated in recalling (re “undue burden”) Instituted reforms at FDA/CDRH Increased emphasis on softwaresoftware Much more stringent reporting requirements

28 Computing Ethics -- Software Safety 28 Issues in Software Safety What are the responsibilities of these parties? System designer/programmer Operators Manufacturer Hospital Government

29 Computing Ethics -- Software Safety 29 Levels of Computer Control 1. The operator does everything. 2. The computer tells the operator the options available. 3. The computer tells the operator the options available and suggests one. 4. The computer suggests an action and implements it if asked. 5. The computer suggests an action, informs the operator, and implements the action if not stopped in time. 6. The computer selects and implements an action if not stopped in time and then informs the operator. 7. The computer selects and implements an action and tells the operator if asked. 8. The computer selects and implements an action and tells the operator if the designer decides the operator should be notified. 9. The computer selects and implements an action without any human involvement.

30 Computing Ethics -- Software Safety 30 What level of control is this … an error message is given (e.g. Malfunction 54), but the system allows the operator to press a "proceed" key to retry the treatment. the treatment is suspended after any error and all treatment data must be typed in over again when the operator is required to "visually check the settings" on the treatment machine when the machine set itself up based on the treatment data entered and then proceeds with the treatment

31 Computing Ethics -- Software Safety 31 Software Safety Myths 1. The cost of computers is lower than that of analog or electromechanical devices. 2. Software is easy to change. 3. Computers provide greater reliability than the devices they replace. 4. Increasing software reliability will increase safety. 5. Testing software and formal verification of software can remove all the errors. 6. Reusing software increases safety. 7. Computers reduce risk over mechanical systems.

32 Computing Ethics -- Software Safety 32 Safety Technologies Risk/hazard analysis Use dependence analysis to identify potential causal relationships in the system Identifies critical software components Rigorous specification Drives inspections and testing Exhaustive (sound) analyses Catch subtle bugs (e.g., race conditions) Analyze HCI systems (e.g., cockpit mode confusion) Nothing is perfect

Download ppt "Software Safety Case Study Medical Devices : Therac 25 and beyond Matthew Dwyer."

Similar presentations

ES050 – Introductory Engineering Design and Innovation Studio Prof. Ken McIsaac One last word…

ES050 – Introductory Engineering Design and Innovation Studio Prof. Ken McIsaac One last word…
System Integration and Performance

System Integration and Performance
Chapter 3 Basic Input/Output

Chapter 3 Basic Input/Output
“An Investigation of the Therac-25 Accidents” by Nancy G. Leveson and Clark S. Turner Catherine Schell CSC 508 October 13, 2004.

“An Investigation of the Therac-25 Accidents” by Nancy G. Leveson and Clark S. Turner Catherine Schell CSC 508 October 13, 2004.
The Therac-25: A Software Fatal Failure

The Therac-25: A Software Fatal Failure
EECE499 Computers and Nuclear Energy Electrical and Computer Eng Howard University Dr. Charles Kim Fall 2013 Webpage: www.mwftr.com/CNE.html.

EECE499 Computers and Nuclear Energy Electrical and Computer Eng Howard University Dr. Charles Kim Fall 2013 Webpage:
In this presentation you will:

In this presentation you will:
An Investigation of the Therac-25 Accidents Nancy G. Leveson Clark S. Turner IEEE, 1993 Presented by Jack Kustanowitz April 26, 2005 University of Maryland.

An Investigation of the Therac-25 Accidents Nancy G. Leveson Clark S. Turner IEEE, 1993 Presented by Jack Kustanowitz April 26, 2005 University of Maryland.
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
Therac-25 Lawsuit for Victims Against the AECL

Therac-25 Lawsuit for Victims Against the AECL
+ THE THERAC-25 - A SOFTWARE FATAL FAILURE Kpea, Aagbara Saturday SYSM 6309 Spring ’12 UT-Dallas.

+ THE THERAC-25 - A SOFTWARE FATAL FAILURE Kpea, Aagbara Saturday SYSM 6309 Spring ’12 UT-Dallas.
Computingcases.org Safeware

Computingcases.org Safeware
Take 5 for Safety E. Lessard May 5, 2015. LANL Electrical Accident May 3, 2015  LOS ALAMOS, N.M. —Los Alamos National Laboratory workers were injured.

Take 5 for Safety E. Lessard May 5, LANL Electrical Accident May 3, 2015  LOS ALAMOS, N.M. —Los Alamos National Laboratory workers were injured.
A Gift of Fire Third edition Sara Baase

A Gift of Fire Third edition Sara Baase
A Gift of Fire Third edition Sara Baase

A Gift of Fire Third edition Sara Baase
REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.

REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.
16/27/2015 3:38 AM6/27/2015 3:38 AM6/27/2015 3:38 AMTesting and Debugging Testing The process of verifying the software performs to the specifications.

16/27/2015 3:38 AM6/27/2015 3:38 AM6/27/2015 3:38 AMTesting and Debugging Testing The process of verifying the software performs to the specifications.
COMS W3156: Software Engineering, Fall 2001 Lecture #2: The Open Class Janak J Parekh

COMS W3156: Software Engineering, Fall 2001 Lecture #2: The Open Class Janak J Parekh
Jacky: “Safety-Critical Computing …” ► Therac-25 illustrated that comp controlled equipment could be less safe. ► Why use computers at all, if satisfactory.

Jacky: “Safety-Critical Computing …” ► Therac-25 illustrated that comp controlled equipment could be less safe. ► Why use computers at all, if satisfactory.
©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 1 An automated insulin pump.

©Ian Sommerville 2004Software Engineering, 7th edition. Insulin Pump Slide 1 An automated insulin pump.

Similar presentations

Ads by Google