Therac-25

from Wikipedia, the free encyclopedia

Therac-25 was a linear accelerator for use in radiation therapy. Eleven units were built from 1982 to 1985 by the Canadian government-owned company Atomic Energy of Canada Limited (AECL) and installed in clinics in the USA and Canada. Software errors and inadequate quality assurance made a serious malfunction possible, which from June 1985 to 1987 cost the lives of three patients and seriously injured three others before suitable countermeasures were taken.

It is one of the most consequential mistakes in the history of software development and a frequently studied example of software requirements in safety-critical areas.

Device

Therac-25 was an electron linear accelerator. For therapeutic radiation, particularly in cancer therapy, either the electron beam could be used directly, or X-ray radiation with an energy of 25 MeV could be generated by passing the beam through an intermediate tungsten target. In direct (electron) mode, a significantly lower brilliance (strength of the electron beam) was set than in X-ray mode.

Its predecessors, the Therac-6 and Therac-20 with 6 and 20 MeV photon energy respectively, were non-computerized designs in which the safety measures were implemented by mechanical interlocks and the system's operation was monitored by analog measuring instruments. A PDP-11 computer and a VT-100 terminal were added later, solely for ease of use.

The new Therac-25 design replaced these with sensors, whose measured values were evaluated by the computer, and actuators that made the various settings under software control. A prototype, still without computer control, was completed in 1976; the first production machine followed in 1982. A safety analysis of the device was carried out in 1983, which expressed confidence in the superiority of the software solution, since software is not subject to wear and tear.

Case history

June 3, 1985, Kennestone Regional Oncology Center

The radiation device had been in use here for six months. During irradiation with 10 MeV electrons, the patient complained that she had been burned, but no marks were visible at the treatment site at the time. This incident was never officially investigated. The patient later sued the manufacturer after her arm and shoulder became immobile and caused chronic pain. The lawsuit was settled out of court.

July 26, 1985, Ontario Cancer Foundation

Here too, the device had already been in use for over six months. It frequently reported a malfunction together with an indication that no radiation dose had been delivered. In these cases a key was routinely pressed to repeat the treatment. While a cancer patient's hip was being irradiated on July 26, 1985, this happened four times, after which the device shut down with another error message. The patient said she felt an unpleasant sensation, like an electric current. Afterwards, massive swelling and a burning pain developed in the irradiated area. After the patient died of her underlying disease, an autopsy revealed destruction of the hip joint.

The manufacturer and the Food and Drug Administration were notified, and AECL suspected that a failed microswitch had caused the tungsten target to be positioned incorrectly. The position sensing was revised so that, thanks to redundancy in the overall system, a single switch failure would no longer have any consequences. In its final report on this incident, AECL stated that it had reduced the error rate by a factor of 10,000.

The FDA classified the incident as a "class 2 recall", meaning that serious harm to patients is possible but very unlikely.

March 21, 1986, East Texas Cancer Center

Patient Ray Cox experienced a painful, electric-shock-like sensation while his back was being irradiated. He got up, which went unnoticed because the audio and video monitoring of the treatment room was not working. The device indicated an underdose, the irradiation was repeated while the patient was already up, and the beam hit his hand. After the treatment the patient showed symptoms of radiation sickness and paralysis in both legs and one arm, and died five months later from the effects of the radiation overdose.

April 11, 1986, East Texas Cancer Center

During radiation treatment of the face for skin cancer, the patient screamed and later said he had seen a bright flash. The radiation burn was so severe that it could be smelled. The patient died after only three weeks; an autopsy revealed lesions of the brain stem as the cause of death.

January 17, 1987, Yakima Valley Memorial Hospital

One patient died three months later as a result of an overdose.

Causes

Radiation source

All the incidents were due to the linear accelerator operating at the high brilliance of X-ray mode while the tungsten target was not in the beam path. This is the most dangerous possible operating state, which the previous models had excluded by means of a mechanical interlock. The radiation exposure in the six cases was later estimated at 40 to 200 gray; a normal treatment corresponds to a dose below 2 gray. Whole-body exposure of 10 gray is considered certainly lethal; for localized exposure there was little prior experience.

Software bugs

(Figure: interface for controlling the Therac-25)

The Therac-25's computer was responsible for acquiring measured values and controlling the device, as well as for user interaction; through multitasking, both tasks were carried out quasi-simultaneously. The main problem was the correct synchronization of the two processes. Under certain circumstances, after the operator had corrected the input data, the corrected data was used for only part of the device settings, while the old, pre-correction data was used for the rest. When the device is set up, several magnets are brought into position one after another, which takes about 8 seconds each. After the first magnet had been set, rather than the last, a certain flag was erroneously cleared, so that while the remaining magnets were being set, corrections to the input data by the operator were ignored by the part of the system that held part of the data for setting up the device. Furthermore, after the magnets had been set, when checking whether the operator had completed data entry, this part of the system only checked whether the cursor had already reached the end of the entry form, not whether data had been changed in the meantime. These errors evidently caused input corrections made within that 8-second window to result in inconsistent data being used to control the device, at an unfavourable moment, during the overdoses at the East Texas Cancer Center in Tyler.
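The timing problem described above, as an added C model that is not AECL's code (the prescription structure, the magnet count and the flag names are assumptions): the magnet-setting part snapshots the prescription, an operator edit is only noticed while the edit-window flag is still set, and the buggy variant clears that flag after the first magnet instead of the last. The cursor-position check is not modelled; an observed edit simply restarts the setup.

```c
#include <stdbool.h>

#define NUM_MAGNETS 3      /* magnets are positioned one after another, ~8 s each */

/* Constructed model of the prescription and console state; not the Therac-25 data layout. */
typedef struct { int mode; int energy_mev; } Prescription;   /* mode 0 = electron, 1 = X-ray */

typedef struct {
    Prescription entered;     /* live values on the operator's screen */
    Prescription magnet_copy; /* snapshot held by the magnet-setting part of the system */
    bool edit_window_open;    /* the flag that should stay set until the LAST magnet is set */
    bool data_changed;        /* recorded only while the edit window is open */
} Console;

/* Run one treatment setup. An operator edit arrives while magnet `edit_step`
 * (0-based; -1 = no edit) is being positioned. Returns true when the beam part and
 * the magnet part of the setup ended up using the same prescription. */
bool run_setup(bool fixed, Prescription initial, Prescription edit, int edit_step) {
    Console c = { initial, initial, false, false };
    bool edit_pending = (edit_step >= 0);
    do {
        c.magnet_copy = c.entered;                 /* magnet part takes its snapshot */
        c.edit_window_open = true;
        c.data_changed = false;
        for (int m = 0; m < NUM_MAGNETS; m++) {
            if (edit_pending && m == edit_step) {  /* keyboard handler runs concurrently */
                c.entered = edit;
                edit_pending = false;
                if (c.edit_window_open) c.data_changed = true;  /* otherwise the edit goes unnoticed */
            }
            /* BUG: the original cleared the flag after the first magnet; the fix clears it after the last. */
            if (m == (fixed ? NUM_MAGNETS - 1 : 0)) c.edit_window_open = false;
        }
    } while (c.data_changed);                      /* an observed edit restarts the setup with fresh data */
    /* The beam part reads the live values; the magnet part keeps its (possibly stale) snapshot. */
    return c.entered.mode == c.magnet_copy.mode
        && c.entered.energy_mev == c.magnet_copy.energy_mev;
}
```

With the buggy flag timing, an edit during the first magnet is still caught, but an edit during the second or third magnet is silently lost.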

Another software error concerned a flag indicating that the position of the turntable, on which the tungsten target is mounted, still needed to be checked. During one setup phase this flag was not set to a fixed non-zero value but incremented continuously. It was stored in an 8-bit variable, so after every 256th increment it wrapped around to 0. If the operator initiated the data transfer at exactly that moment, the system did not check whether the tungsten target was actually in the beam path for the intended X-ray mode, or whether, for example, the mirror used for optical alignment of the patient and the treatment field was in its place instead. This apparently led to the overdose on January 17, 1987 at Yakima Valley Memorial Hospital.
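The wrap-around described above, as an added C model that is not the Therac-25 firmware (the turntable positions, function names and the "beam on when flag is zero" shortcut are assumptions that follow the page's description): the buggy variant increments an 8-bit "check needed" flag on every setup pass, the fixed variant stores a constant non-zero value, and the commit path skips the turntable check whenever the flag reads 0.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the turntable positions; names are assumptions. */
enum Turntable { ELECTRON_POSITION, XRAY_TARGET, FIELD_LIGHT_MIRROR };

/* One pass of the setup loop. The original code incremented the "check needed"
 * flag on every pass; stored in 8 bits, it wraps to 0 on every 256th pass.
 * The fix stores a constant non-zero value, which can never wrap. */
static void mark_check_needed(uint8_t *flag, bool fixed) {
    if (fixed) *flag = 1;
    else (*flag)++;                          /* BUG: 255 + 1 == 0 in a uint8_t */
}

/* True when the turntable position matches the selected beam mode. */
static bool turntable_ok(bool xray_mode, enum Turntable pos) {
    return xray_mode ? (pos == XRAY_TARGET) : (pos == ELECTRON_POSITION);
}

/* Simulate `passes` (>= 1) iterations of the setup loop, then the operator committing
 * the treatment. Returns true if the beam would be enabled. A commit on a pass where
 * the flag reads 0 skips the turntable check entirely. */
bool commit_treatment(unsigned passes, bool xray_mode, enum Turntable pos, bool fixed) {
    uint8_t check_needed = 0;
    for (unsigned i = 0; i < passes; i++) mark_check_needed(&check_needed, fixed);
    if (check_needed == 0) return true;      /* "no check needed": beam on unconditionally */
    return turntable_ok(xray_mode, pos);
}

/* How many of the first `n` passes would let an X-ray commit through with the
 * field-light mirror still in the beam path (buggy flag handling). */
unsigned unsafe_commit_windows(unsigned n) {
    unsigned hits = 0;
    for (unsigned p = 1; p <= n; p++)
        if (commit_treatment(p, true, FIELD_LIGHT_MIRROR, false)) hits++;
    return hits;
}
```

In 1000 setup passes the buggy flag opens exactly three such windows (passes 256, 512 and 768); the fixed flag opens none.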

Software development

The software was written by a single developer, reusing existing components whose programmers no longer worked for the company. The same developer was also responsible for testing.

Quality control

AECL had extensive experience with safety assessments, and the necessary analyses were carried out with due care. But they completely ignored the fact that software can be faulty. The only error conditions considered for the computer system were hardware failures and corruption of main memory by alpha particles (soft errors).

Corrective actions

AECL, and in part the FDA, initially underestimated the significance of the incidents, and users were poorly informed. Those responsible for investigating and evaluating the incidents ruled out the software as a source of error for far too long. The corrective measures after the first two incidents were considered effective without any causal relationship having been demonstrated.

Literature

  • P. O'Brien, H. B. Michaels, J. E. Aldrich, J. W. Andrew: Characteristics of electron beams from a new 25-MeV linear accelerator. Medical Physics, Volume 12, Issue 6 (Nov 1985), pp. 799-805
  • N. G. Leveson, C. S. Turner: An Investigation of the Therac-25 Accidents. IEEE Computer, Volume 26, Issue 7 (Jul 1993), pp. 18-41, ISSN 0018-9162
  • M. H. Thomas: The story of the Therac-25 in LOTOS. High Integrity Systems Journal, Volume 1, Issue 1 (Feb 1994), pp. 3-15
  • N. G. Leveson: Safeware. System Safety and Computers. Addison-Wesley 1995, ISBN 0-201-11972-2