It appears that unit and software testing of the Therac-25 was minimal, with most of the effort directed at the integrated system test. Between 1985 and 1987 the machine was involved in at least six accidents in which patients received incorrect radiation doses because of software-related failures; three of those patients died and the others were seriously injured. The Therac-25 is a radiation therapy machine. In a letter to a Therac-25 user, the AECL quality assurance manager said that the same Therac-6 package was used by the AECL software people when they started the Therac-25 software.
Consequences of the Therac-25 software disaster. The main problem was with the machine's software, which was not caught by the manufacturer's safety analysis and which the FDA allowed onto the market. The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL). Part of the software base was duplicated from the Therac-20 and carried over to the Therac-25, and the only real testing of the software took place during use of the product.
The Therac-25 was both ambitious and sophisticated, and for the first time all of this hardware was controlled by a software layer. The machine and its predecessors, the Therac-6 and Therac-20, came out of a collaboration between Atomic Energy of Canada Limited (AECL) and a French company, CGR (Leveson, N.). These accidents highlighted the dangers of software control of safety-critical systems, and they have become a widely studied case. Leveson reports that the manufacturer said the hardware and software had been tested over many years.
Under questioning by the users, he clarified this as meaning 2,700 hours of use. In the Therac-25 accidents, "bugs in the software under certain conditions" served as a cover for careless programming, a lack of testing, and a lack of safety features built into the system. This shows the importance of software quality assurance in preventing and reducing software failures in medical devices. Software testing involves executing a software component or system component to evaluate one or more properties of interest. An important difference between the Therac-20 software and the Therac-25 software is the overall role each plays in the machine. The Therac-25 is a computerized medical radiation therapy machine for cancer patients, and it is described here as a case study.
There were major design flaws in the software development of the Therac-25. The Therac-25 software also contained several "user-friendly" features. What follows is a chronological picture of the Therac-25 tragedies and the root causes behind what is often called the most devastating accident involving a medical accelerator. AECL was able to show that the Therac-25 was reliable, but reliability is not the same as safety.
It was involved in at least six accidents between 1985 and 1987 in which patients were given massive overdoses of radiation. The FDA's difficulty in getting an adequate test plan out of the company, and the lack of regression testing, are evidence that testing was not done well. There are many resources for reading more about the Therac-25.
A final feature was that some of the old software used in the Therac-6 and Therac-20 was reused in the Therac-25. Keywords: Therac-25, software quality assurance, software testing, software inspection. Nancy Leveson and Clark Turner, "An Investigation of the Therac-25 Accidents," Computer 26(7), July 1993, pp. 18-41. The reasoning given for not including software errors in the safety analysis was the extensive testing given to the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error-proof; software errors were assumed to be caused by hardware errors, and residual software errors were not included in the analysis. The Therac-25 was used for treating patients with cancer. The routine that sets the bending magnets takes about 8 seconds and is invoked multiple times, and an operator edit that lands inside that window triggers a race condition (from Nancy Leveson, "Medical Devices: The Therac-25"). The machine was also designed from the outset to use software-based safety systems rather than hardware controls. Many developers treat tests as extra work rather than as a fundamental element of software development. Software testing also helps to identify errors, gaps or missing requirements. The Therac-25 was not a device anyone was happy to see. A bug discovered in the Therac-25 was later also found in the Therac-20. The Therac-6 and Therac-20 were clinically tested machines with an excellent safety record. The first article only skims the many other issues and mistakes made in the development process of the Therac-25; the next article, "An Investigation of the Therac-25 Accidents" by Nancy Leveson, goes into much more detail, but it does state that while the software was the linchpin in the Therac-25, it was only one of many contributing factors.
Because of concurrent programming errors, it sometimes gave patients radiation doses hundreds of times greater than normal, resulting in death or serious injury. Amazingly, the test data presented to show that the software changes made to handle the edit problems in the Therac-25 were appropriate proved the exact opposite. The Therac-25 accidents were fairly unique in having software coding errors involved; most computer-related accidents have not involved coding errors but rather errors in the software requirements, such as omissions and mishandled environmental conditions and system states. These are among the worst accidents in history caused by software bugs. Some of the software for the machines was interrelated or reused. As it turns out, the Therac-25 accidents were the result of a gross failure of the sociotechnical system around the machine. AECL and CGR had collaborated since the early 1970s in building linear accelerators for medical applications. Fault trees were not created for either the hardware or the software. Between 1985 and 1987 the Therac-25 malfunctioned because of software bugs and delivered lethal radiation doses to patients, leaving three people dead and critically injuring three others. AECL designed the Therac-25 to use computer control from the start.
Software from the Therac-6 and Therac-20 was reused in the Therac-25. The Therac-25 was a tragic example of how bad code hurts people: in most systems software errors are an inconvenience, but in the case of the Therac-25 they were deadly. One of the eventually discovered failure patterns in the Therac-25 software had to do with the operating system having no test-and-set mechanism, which is what a task needs to check and update a shared flag without another task changing it in between. Guarding against this is not only the responsibility of the programmer.
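The data-entry race described above, as an added illustrative model rather than code from the page or from AECL (the PDP-11 assembler source was never published). It replaces real concurrency with a deterministic tick-based scheduler so the race is reproducible: the treatment task spends 8 ticks driving the magnets, and an operator correction that arrives inside that window is stored by the keyboard task but never acted on by the treatment task, which then fires with the hardware set for the old prescription. The hardened variant adds an edit generation counter and a final consistency check before firing. All identifiers (`run_treatment`, `edit_generation`, `magnets_set_for`) are invented for this example.

```c
/*
 * Added illustrative model, not Therac-25 code. A cooperative tick loop stands
 * in for the custom operating system's task switching so that the interleaving
 * that produced the overdose can be replayed exactly. All names are invented.
 */
#include <stdbool.h>
#include <stdio.h>

enum mode    { MODE_NONE = 0, MODE_XRAY = 1, MODE_ELECTRON = 2 };
enum outcome { BEAM_CONSISTENT = 0, BEAM_MISMATCH = 1 };

#define MAGNET_TICKS 8   /* the page's "takes about 8 secs", one tick per second */

/* State shared between the keyboard task and the treatment task. */
struct shared {
    enum mode prescription_mode;   /* what the operator last entered */
    enum mode magnets_set_for;     /* what the magnets/turntable were last set for */
    bool      data_entry_complete; /* the only flag the original-style code rechecks */
    unsigned  edit_generation;     /* hardened version only: bumped on every edit */
};

/*
 * Run one treatment. edit_tick is the second at which the operator corrects the
 * mode from X-ray to electron (negative = no edit). With hardened == false the
 * treatment task checks only data_entry_complete before firing; with
 * hardened == true it also notices that an edit happened during magnet set-up,
 * restarts the set-up for the new prescription, and verifies consistency.
 */
enum outcome run_treatment(int edit_tick, bool hardened)
{
    struct shared s = { MODE_XRAY, MODE_NONE, true, 0 };

    /* treatment-task private state: snapshot taken when set-up starts */
    enum mode setting_for  = s.prescription_mode;
    unsigned  gen_at_start = s.edit_generation;
    int       ticks_left   = MAGNET_TICKS;

    for (int tick = 0; ; tick++) {
        /* keyboard task: the operator's correction arrives at edit_tick */
        if (tick == edit_tick) {
            s.prescription_mode   = MODE_ELECTRON;
            s.edit_generation++;
            s.data_entry_complete = true;   /* re-entered at once, so the flag stays set */
        }

        /* treatment task: still busy driving the magnets? */
        if (ticks_left > 0) {
            ticks_left--;
            continue;
        }

        s.magnets_set_for = setting_for;

        if (hardened && s.edit_generation != gen_at_start) {
            /* an edit landed inside the set-up window: redo set-up for the new mode */
            setting_for  = s.prescription_mode;
            gen_at_start = s.edit_generation;
            ticks_left   = MAGNET_TICKS;
            continue;
        }

        if (!s.data_entry_complete)
            continue;   /* the original-style check: wait for the operator to finish */

        /* "fire": the hazard is hardware set for one mode with a prescription for the other */
        return s.magnets_set_for == s.prescription_mode ? BEAM_CONSISTENT : BEAM_MISMATCH;
    }
}

int main(void)
{
    printf("edit at t=3,  unhardened: %s\n",
           run_treatment(3, false) == BEAM_MISMATCH ? "MISMATCH (overdose hazard)" : "consistent");
    printf("edit at t=3,  hardened:   %s\n",
           run_treatment(3, true) == BEAM_MISMATCH ? "MISMATCH" : "consistent");
    printf("edit at t=20, unhardened: %s\n",
           run_treatment(20, false) == BEAM_MISMATCH ? "MISMATCH" : "consistent (edit came after firing)");
    return 0;
}
```

The point of the model is that the completion flag is the wrong thing to check: it is true both before and after the edit, so it carries no information about whether the set-up that just finished still matches the prescription. A generation counter (or a test-and-set protected flag on a real OS) ties the check to the specific edit, and the final comparison before firing is the software equivalent of the hardware interlock the earlier machines had.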
Since the software was based on software already in use, and the linear accelerator was a minor modification of existing technology, designating the Therac-25 as equivalent to the earlier technology meant that it bypassed the rigorous FDA testing procedures. Introduction: every day in class I tell my students insistently that software must be tested, that they are playing with people's lives. The Therac-25 was an improvement on the Therac-20 and cost approximately 1 million dollars. A clear sign of inadequate testing is that, when pressed by the FDA, AECL struggled to produce an adequate test plan. The Therac-25 was a radiation therapy machine manufactured by AECL in the 1980s which offered a dual treatment mode, electron beam and X-ray.
The Therac-25 relied on software controls to switch between modes rather than physical hardware interlocks. The Therac-25 had two prominent software errors, a failed microswitch, and fewer safety features than earlier versions of the device. Therac-25 software development: it evolved from the Therac-6 system (1972-1976) and incorporated some Therac-20 code as well; it was written in PDP-11 assembler on a custom operating system, with little documentation produced during development, minimal unit and software testing, and QA testing consisting of 2,700 hours of use as an integrated system. One programmer, over several years, revised the Therac-6 software into the Therac-25 software; AECL has not released any information about the programmer or his credentials. In 1993, Leveson and Turner conducted a thorough investigation into the Therac-25 and published their findings. In particular, the software was designed in a way that made it practically impossible to test in a clean, automated way.
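The second of the two coding errors, as an added reconstruction in C rather than code from the page or from AECL. Per Leveson and Turner's account, the set-up routine signalled "not ready" by incrementing a one-byte shared variable (Class3), and the routine that checked the collimator/turntable position ran only while that byte was nonzero, so every 256th pass the byte wrapped to zero and the check was silently skipped; the fix was to store a constant nonzero value instead of incrementing. The function names (`setup_pass`, `unchecked_passes`) and the surrounding harness are mine.

```c
/*
 * Added illustrative model of the Therac-25 Class3 counter fault, not the
 * PDP-11 code. The one-byte width and the "check only when nonzero" logic
 * follow Leveson and Turner's description; everything else is invented.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Original behaviour: "set nonzero" implemented as an increment. */
static void mark_not_ready_increment(uint8_t *class3) { (*class3)++; }

/* The later fix: store a constant nonzero value instead. */
static void mark_not_ready_fixed(uint8_t *class3) { *class3 = 1; }

/*
 * One pass of the set-up loop. Returns true if the beam would be allowed to
 * fire on this pass: either the position check ran and passed, or it was
 * skipped. turntable_ok is the physical state the check would have seen.
 */
bool setup_pass(uint8_t *class3, bool turntable_ok, bool fixed)
{
    if (fixed)
        mark_not_ready_fixed(class3);
    else
        mark_not_ready_increment(class3);

    if (*class3 != 0) {
        /* position check runs: refuse to fire if the turntable is wrong */
        return turntable_ok;
    }
    /* Class3 == 0 is read as "nothing to check", so the check is bypassed */
    return true;
}

/*
 * Run n passes with the turntable OUT of position and count how many passes
 * would nevertheless allow the beam, i.e. how many times the check was skipped.
 */
unsigned unchecked_passes(unsigned n, bool fixed)
{
    uint8_t  class3  = 0;
    unsigned skipped = 0;
    for (unsigned i = 0; i < n; i++)
        if (setup_pass(&class3, false, fixed))
            skipped++;
    return skipped;
}

int main(void)
{
    printf("increment version, 1000 passes: %u unchecked\n", unchecked_passes(1000, false));
    printf("fixed version,     1000 passes: %u unchecked\n", unchecked_passes(1000, true));
    return 0;
}
```

The window is one pass in 256, which is why the fault survived 2,700 hours of integrated testing and only showed up when an operator happened to press the set key during exactly that pass with the turntable out of position. A modular-arithmetic flag is a property no amount of black-box usage testing is likely to reach; it falls out immediately from reading the code or from a bounded model of the variable.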
The earlier machines relied primarily on hardware for safety controls, whereas the Therac-25 relied primarily on software. Using software instead would, in theory, reduce complexity and manufacturing costs. The testing only showed how the product would not deteriorate over time. The original report on the Therac-25 by Nancy Leveson is excellent, as is her retrospective written 30 years later. I will also examine the Therac-25's software bugs. The Therac-25 was built by Atomic Energy of Canada Limited and a French company, CGR. AECL planned a fifth revision of the Corrective Action Plan (CAP) to include the testing and safety analysis results. The Therac-25 accidents form the basis for what is often considered the best-documented software safety case study available. The software for the Therac-25 system was subjected to an insignificant amount of testing on a simulator.
The programmer should have thoroughly tested all of the code, both as modules and as an entire system, before integrating it with the physical hardware. Unfortunately, though AECL's intentions were good, their software design was tragically bad, incorporating a series of serious design flaws. The software of the Therac-25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place (Leveson and Turner, 1993). The Therac-20 and Therac-25 software programs were developed independently, starting from a common base. A history of the introduction and shutdown of the Therac-25: the Therac-6 and Therac-20 had histories of clinical use without computer control, whereas the Therac-25 software had more responsibility for safety than in previous machines.
Software testing is defined as an activity to check whether the actual results match the expected results and to ensure that the software system is free of defects. See also "A usage-model based approach to test Therac-25" (ScienceDirect). Computers are used more and more widely in the medical field. The safety analysis of the Therac-25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection. The accidents occurred between June 1985 and January 1987. The Therac-25's software was developed from the Therac-6's software, and it also incorporated code from the Therac-20, which shared the same Therac-6 base.
The reasoning given for not including software errors was the extensive testing of the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error-free. To be sure, there have not been many such cases, but the Therac-25 is widely seen as a warning against the uncritical deployment of software in safety-critical applications. We hope this account honors the victims by providing insight, information, and understanding that encourages ethical practice. Preceding models used separate circuits to monitor radiation intensity, and hardware interlocks to ensure that the spreading magnets were correctly positioned. Reference: Software Testing and Evaluation, Benjamin/Cummings, 1987. The experience illustrates a number of principles that are vital to understanding how and why the design and analysis of safety-critical systems must be done methodically, according to established principles. The Therac-25 was a computerized radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982. Furthermore, there was no independent testing or end-to-end testing at all; most testing happened internally on a hardware simulator. Computers are obviously very beneficial in the medical field. The Therac-25 relied on software controls to switch between modes. The Therac-25 was produced by AECL in 1982 after the Therac-6 and Therac-20 units, which had been produced in collaboration with CGR.