Major Design Flaws in the Software Development of Therac-25. Randy Graebner, February 7, 1999. Code reuse has long been an accepted practice in software engineering. Feb 18, 2015: It is highly unfair and unethical for that person's name to be known beyond, perhaps, potential employers and/or any lingering litigation which they are 100% shielded from, and thus again not ethical. In March 1983, AECL performed a safety analysis on the Therac-25. These accidents highlighted the dangers of software control of safety-critical systems, and. If I read Nancy's and Clark's article, An Investigation of the Therac-25 Accidents, correctly, they mentioned Therac-25 software was developed based on Therac-6 software by a single, unidentified programmer. The series of accidents involving the Therac-25 is a good example of exactly this problem.
Lastly, I will look at the government's reactions and explore what has been done to prevent similar. The Therac-25 software also contained several user-friendly features. My professor investigated the Therac-25 incident and. In addition, the Therac-25 software has more responsibility for maintaining safety than the. Leveson, Therac-25 Accidents: the manufacturer said that the hardware and software had been tested over many years. The use of computers in the medical field is becoming more and more widespread. As noted earlier, the software for the Therac-25 and Therac-20 both evolved from the Therac-6 software.
The Therac-25 had only software interlocks, which were faulty. In addition, I will examine the Therac-25's software bugs. Computers are increasingly being introduced into safety-critical systems and, as a consequence, have been involved in accidents. Lessons for software-intensive systems (learning from Therac-25): confusing reliability (a low failure rate) with safety; lack of defensive design (e.g. software checks); complacency about radiation therapy machines; inadequate investigation of or follow-up on accident reports; specification and documentation written after development.
Therac-25 overview: a linear particle accelerator that replaced an earlier version; it utilized much more computerized control, in particular giving the software more responsibility for maintaining safety, and reused some software from earlier versions. Virtually all complex software will behave in an unexpected or undesired fashion under some conditions; there will always be another bug. The Therac-25 was the most computerized and sophisticated radiation therapy machine of its time. The software of the Therac-25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place (Leveson and Turner, 1993, p.). Leveson is a leading American expert in system and software safety. With the aid of an onboard computer, the device could select multiple. What is the name of the programmer who wrote the Therac-25? Additional functions had to be added because the Therac-20 and Therac-25 operate in both X-ray and electron mode, while the Therac-6 has only X-ray mode. She made a considerable contribution to system and software safety. Therac-25: Computerized Radiation Therapy, report by. Fault analysis considered only computer hardware failures. Therac-25 accident history.
Fixing each individual software flaw as it was found did not solve the device's safety problems. The original plan foresaw the production of an integrated system where the software would have complete control of the system. Then, if the operator were to input the incorrect beam type, or err on any data entry, he would be forced to restart the process. We know that the software for the Therac-25 was developed by a single person using PDP-11 assembly language, over a period of several years. An Investigation of the Therac-25 Accidents, Part IV. However, in the case of Therac-25, they can be deadly. The Therac-25 machine was a state-of-the-art linear accelerator developed by the company Atomic Energy of Canada Limited (AECL) and a French company, CGR, to provide radiation treatment to cancer patients. The CGR employees modified the software for the Therac-20 to handle the dual modes. However, the investigation found that only a minimal number of tests had been run on a simulator, while most of the effort had been directed at the integrated system test. An Investigation of the Therac-25 Accidents, Cal Poly Computer.
A final feature was that some of the old software used in Therac-6 and Therac-20 was used in the Therac-25. The Therac-25 ion chambers could not handle the high density of ionization from the unscanned electron beam at high beam current. She is Professor of Aeronautics and Astronautics at MIT, United States. Nancy Leveson gained her degrees in computer science, mathematics and management from UCLA, including her PhD in 1980. An Investigation of the Therac-25 Accidents, Stanford University. Nancy and Clark Turner spent three years collecting the materials and. A bug that was discovered in Therac-25 was later also found in the Therac-20. Previously she worked at the University of California, Irvine and the University of Washington as a faculty member.
The mistakes that were made are not unique to this manufacturer but are, unfortunately, fairly common in. The Therac-25 software lied to the operators, and the machine itself could not detect that a massive overdose had occurred. For decades, programmers have been finding ways to cut corners by incorporating old code into the system they are currently creating. An Investigation of the Therac-25 Accidents, Nancy Leveson, University of Washington; Clark S. Turner. The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982, after the Therac-6 and Therac-20 units; the earlier units had been produced in partnership with CGR of France. It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. This appendix is taken from Nancy Leveson, Safeware. This analysis was in the form of a fault tree and apparently excluded the software.
The Therac-25 was not a device anyone was happy to see. Aug 08, 2010: The reasoning given for not including software errors was the extensive testing of the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error-proof. Therac-25 radiation overdoses: your expert root cause. Professionalism/Therac-25, Wikibooks, open books for an open. Therac-25 software development: the software for Therac-25 was developed by a single person at AECL and was intended to take full advantage of computer control from the outset.