Therac-25 Case Study

Therac-25 was a medical linear accelerator, a device used to treat cancer. What made Therac-25 unique at the time of its use was the software. Not only did the software ease the laborious set-up process, but it also monitored the safety of the machine. In this case on safety-critical software, you will find that some patients received much more radiation than prescribed despite the software safety programming.
Therac-25 Case History

A more detailed set of descriptions from the viewpoint of the various stakeholders and actors.

Therac-25: Safety is a System Property

Normally, when a patient is scheduled to have radiation therapy for cancer, he or she is scheduled for several sessions over a few weeks and told to expect some minor skin discomfort from the treatment. The discomfort is described as being on the order of a mild sunburn over the treated area. In the case you are about to read, a very abnormal thing happened to several patients: they received severe radiation burns resulting in disability, and, in 3 cases, death.

The Therac-25 was a device that targeted electron or X-ray beams on cancerous tissue to destroy it. Electron beams were used to treat shallow tissue, while photon beams could penetrate with minimal damage to treat deep tissue. Even though operators were told that there were "so many safety mechanisms" that it was "virtually impossible" to overdose a patient, this is exactly what did occur in six documented cases [Leveson].

These massive radiation overdoses were the result of a convergence of many factors including

  • simple programming errors
  • inadequate safety engineering
  • poor human computer interaction design
  • a lax culture of safety in the manufacturing organization
  • inadequate reporting structure at the company level and as required by the U.S. government

In considering this case we are not interested in determining who should be blamed for these accidents. All the cases have already gone through the courts and have been settled. We are interested in helping you learn how to think about the design and use of software in safety-critical applications. What are the responsibilities of the organizations and individuals involved? What design decisions and organizational structures led to the accidents? How might different organizational systems or software design have helped avoid or minimize the harm?

As a computer scientist, you will be focusing on the software in this medical linear accelerator. And indeed there are some clear coding errors on which we can focus. However, the more difficult and dangerous problems are those in the design of the entire system, and in the way the software plays its part in that design. These system safety issues are critical to understanding this case and to understanding what it means to design safe software.

Therac-25: A Socio-Technical System

The safety of the Therac-25 is not really a property of the machine alone. Accidents that go unreported contribute to (or at least fail to stop) later accidents. When the TV camera in the room is unplugged, the operator cannot see that the patient is in trouble. So safety is really a property of the entire technical and social system (socio-technical system). In a similar manner, an ethical analysis of the issues in this case requires an awareness of the entire socio-technical system.

[Figure: therac25_facility.jpg]

Assignment

We can analyse the cases in a variety of ways. Use Moodle to select one of the options. You can sign up for a group here:

  1. Therac25 Option 1: Software Safety Myths
  2. Therac25 Option 2: Analyzing Therac-25
  3. Therac25 Option 3: Analyze Therac 25 as a failure from reuse

Topic revision: r3 - 2016-09-20 - JimSkon