The experience illustrates a number of principles that are vital to understanding how and why the design and analysis of safety-critical systems must be done in a methodical way according to established principles. Therac-25 software development evolved from the Therac-6 system (1972-1976) and incorporated some Therac-20 code as well; it was written in PDP-11 assembler on a custom operating system, with little documentation during development and minimal unit and software testing; QA testing was 2,700 hours of use as an integrated system. Therac-25 case study (article PDF available, November 2018). The Therac-6 and Therac-20 had histories of clinical use without computer control; the Therac-25 software had more responsibility for safety than in previous machines.
This machine was an improvement of the Therac-20 and cost approximately 1 million dollars. Therac-25 case study: the Therac-25 is a radiation therapy machine that was used for treating patients with cancer. A history of the introduction and shutdown of the Therac-25.
The article proceeds to only skim over the plethora of other issues involved and mistakes made in the development process of the Therac-25; the next article, "An Investigation of the Therac-25 Accidents" by Nancy Leveson, delves much more into detail, but it does state that while the software was the linchpin in the Therac-25, it. PDF: Importance of software quality assurance to prevent. These accidents highlighted the dangers of software control of safety-critical systems, and they have become a. The original report on the Therac-25 by Nancy Leveson is great, as well as her 30-years-later retrospective on the topic. The Therac-25's software was developed from the Therac-20's software, which was developed from the Therac-6's software. A bug that was discovered in the Therac-25 was later also found in the Therac-20. Since the software was based on software already in use, and the linear accelerator was a minor modification of existing technology, designation of the Therac-25 as equivalent to this earlier technology meant that the Therac-25 bypassed the rigorous FDA testing procedures. Nancy Leveson and Clark Turner, "An Investigation of the Therac-25 Accidents", Computer, 26(7), July 1993, pp. 18-41. Under questioning by the users, he clarified this as meaning 2,700 hours of use. Software in the Therac-6 and Therac-20 was reused in the Therac-25. Using software instead would in theory reduce complexity and reduce manufacturing costs. The Therac-25 software disaster: the Therac-25 is a computerized medical radiation therapy machine for cancer patients.
The Therac-25 was not a device anyone was happy to see. The software of the Therac-25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place (Leveson and Turner, 1993, p.). Therac-25 software: see the sidebar "Therac-25 software development and design". During the time span of June 1985 to January 1987, it. Software Testing and Evaluation, Benjamin-Cummings, 1987. The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982, after the Therac-6 and Therac-20 units; the earlier units had been produced in. The Therac-25 radiation therapy machine is described as a case study. Therac-25 radiation overdoses: your expert root cause. Leveson, Therac-25 accidents: the manufacturer said that the hardware and software had been tested over many years. The Therac-25 relied on software controls to switch between modes, rather than physical hardware. A usage-model-based approach to test the Therac-25 (ScienceDirect). The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited in 1982 after the Therac-6 and Therac-20 units. Unfortunately, though AECL's intentions were good, their software design was tragically bad, incorporating a series of horrendous design flaws.
The Therac-25 relied on software controls to switch between modes. The use of computers in the medical field is becoming more and more widespread. An important difference between the Therac-20 software and the Therac-25 software is the overall role that each plays in the machine. In 1993, Leveson and Turner did a thorough investigation into the Therac-25 and published a. Fault trees for both hardware and software were not created.
The Therac-25 was a computerised medical radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982. However, in the case of the Therac-25, they can be deadly. In 1985, Canada's Therac-25 radiation therapy machine malfunctioned due to a software bug and delivered lethal radiation doses to patients, leaving 3 people dead and critically injuring 3 others. The software for the Therac-25 system was subjected to insignificant amounts of testing on a simulator. The safety analysis of the Therac-25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection. There are a lot of resources to read more about the Therac-25. This interactive timeline will paint a chronological picture of the Therac-25 tragedies, exploring the root causes that led to medical accelerators' most devastating catastrophe. It appears that unit and software testing was minimal, with most effort directed at the integrated system test. They relied primarily on hardware for safety controls, whereas the Therac-25 relied primarily on software.
In 1982 a machine called the Therac-25, created by Atomic Energy of Canada Limited (AECL), appeared in the medical field for cancer treatments, using radiation and X-rays. We hope this mapping will honor the victims by providing insight, information, and understanding to encourage ethical. Takes about 8 seconds and is invoked multiple times (race condition; from Nancy Leveson, Medical Devices). These tasks are not only the responsibility of the. In addition, I will examine the Therac-25's software bugs. The Therac-25 was built by Atomic Energy of Canada Limited and a French company called CGR. A final feature was that some of the old software used in the Therac-6 and Therac-20 was used in the Therac-25. Importance of software quality assurance to prevent and reduce software failures in medical devices. Consequences of the Therac-25 software disaster (1293 words). Therefore, tests are just extra work for them, and they do not see them as a fundamental element in the development of software. Software testing also helps to identify errors, gaps or missing requirements, in contrast to the. The problem of bugs in the software system causing errors in machines under certain conditions has been used as a cover for careless programming, lack of testing, and lack of safety features built into the system in the Therac-25 accident. The main problem was with the machine's software, which was not caught by CMC's safety analysis and was allowed onto the market by the FDA. This occurred with the Therac-25, which had two prominent software errors, a failed microswitch, and a reduced number of safety features compared to earlier versions of the device.
The Therac-20 and Therac-25 software programs were done independently, starting from a common base. Using X-rays or a beam of electrons, radiation therapy machines kill cancerous tissue, even deep inside the body. Finally, some software for the machines was interrelated or reused. Preceding models used separate circuits to monitor radiation intensity, and hardware interlocks to ensure that spreading magnets were correctly positioned. The Therac-25 software disaster essay (1293 words, Cram). One programmer, over several years, revised the Therac-6 software into the Therac-25 software; AECL has not released any information about the programmer or his credentials. It involves execution of a software component or system component to evaluate one or more properties of interest. Major design flaws in the software development of the Therac-25. The programmer should have thoroughly tested all of the code, both modularly and as an entire system, before its integration with the physical system. These two companies had collaborated since the early 1970s in building linear accelerators for medical applications. Between 1985 and 1987, it was involved in at least six patients' deaths due to incorrect radiation doses because of computer-software-related failure. Therac-25, software quality assurance, software testing, software inspection. The Therac-25 was a tragic example of how bad code hurts people.
At a Therac-25 users' meeting, the same man stated that the Therac-25 software was tested for 2,700 hours. However, the investigation found that a minimal amount of testing had been run on a simulator, while most of the effort had been directed at. There was some base duplication of the software used from the Therac-20 that carried over to the Therac-25. The testing only showed how the product would not deteriorate over time. In particular, the software was designed so that it was realistically impossible to test it in a clean, automated way. Therac-25: AECL designed the Therac-25 to use computer control from the start. In a letter to a Therac-25 user, the AECL quality assurance manager said, "The same Therac-6 package was used by the AECL software people when they started the Therac-25 software." The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic. Because of concurrent programming errors, it sometimes gave its patients radiation doses that were hundreds of times greater than normal, resulting in death or serious injury.
A clear sign that there was inadequate testing is that, when pressed by the FDA, AECL struggled to. Furthermore, there was no independent testing or end-to-end testing done at all, with most testing happening internally on a hardware simulator. The machine and its predecessors, the Therac-6 and Therac-20, were products of the collaboration of Atomic Energy of Canada Limited (AECL) and a French company called CGR (Leveson, N.). The Therac-25 was a radiation therapy machine manufactured by AECL in the 80s, which offered a revolutionary dual treatment mode. It was also designed from the outset to use software-based safety systems rather than hardware controls. The Therac-6 and Therac-20 were clinically tested machines with an excellent safety record. The Therac-25 was both ambitious and sophisticated, and for the first time all this hardware was controlled by a software layer.
The only testing of the software was during the use of the product. The Therac-25 is a radiation therapy machine that led to 3 deaths and 3 injuries in the 1980s. The FDA's difficulty in getting an adequate test plan out of the company and the lack of regression testing are evidence that testing was not done well. Those are the worst accidents in history caused by software bugs. The Therac-25 software also contained several user-friendly features. They were able to prove that the Therac-25 was reliable, but this is not the same as being safe. An Investigation of the Therac-25 Accidents, Part IV. In addition, the Therac-25 software same Therac-6 package was used by the accidents. One of the eventually discovered failure patterns in the Therac-25 software had to do with the operating system's having no test-and-set mechanism, which is. Software testing is defined as an activity to check whether the actual results match the expected results and to ensure that the software system is defect-free. Computers are obviously very beneficial in the medical field. Introduction: every day in class I tell my students insistently that the software must be tested, that they are playing with people's lives.
The reasoning given for not including software errors was the extensive testing given to the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error-proof; software errors were assumed to be caused by hardware errors, and residual software errors were not included in the analysis. The Therac-25 accidents were fairly unique in having software coding errors involved; most computer-related accidents have not involved coding errors but rather errors in the software requirements, such as omissions and mishandled environmental conditions and system states. Amazingly, the test data presented to show that the software changes to handle the edit problems in the Therac-25 are appropriate prove the exact opposite result. At a Therac-25 user group meeting, the same quality. To be sure, there haven't been many, but cases like the Therac-25 are widely seen as warnings against the widespread deployment of software in safety-critical applications. It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. AECL planned a fifth revision of the CAP to include the testing and safety analysis results.