You are on page 1of 18

Therac-25

THE THERAC-25
A TERM PROJECT
Submitted to:
Ms. Esen Uygaroglu
Of
Eastern Mediterranean University
By
Zainab Sada
In partial fulfillment of the requirements for the course
EFL201 Technical Report Writing
In
School of Foreign Languages
Modern Languages Division

Gazi Magusa, Turkish Republic of Northern Cyprus


June 5, 2016

Department Of Software Engineering

Therac-25
ABSTRACT
This report is about a radiation therapy machine called the Therac-25, and the
incidents that followed its official release in 1985. The purpose of this report is to look at
the causes of the accidents related to the Therac-25, and hopefully learn to prevent such
accidents in the future when dealing with computer-controlled machines. First, the report
looks at the history and background of the machine as well as the overall design. Then,
the report goes into the software bug and the resultant cases related to the bugs. The
report concludes that software testing and quality assurance is a very important step, if
not the most important, when it comes to making computer-controlled machines,
especially if the machine is directly connected to the lives of people.

Department Of Software Engineering

Therac-25
TABLE OF CONTENTS

LIST OF FIGURES.4
INTRODUCTION...5
HISTORY AND BACKGROUND.6
History And Background Of The Therac-25...6
The Design...7
WHAT WENT WRONG...12
The Software Bug..12
Cases And Incidents...14
CONCLUSION..16
REFERENCES..17

Department Of Software Engineering

Therac-25
LIST OF FIGURES

Figure 1: Photon and Electron Modes of the Therac-25.8


Figure 2. Typical Therac-25 Facility..9
Figure 3. The Set Up of The Therac-2510
Figure 4. Upper Turntable Assembly11
Figure 5. The Tasks and Subroutines in the Code Blamed for the Tyler Accidents.13

Department Of Software Engineering

Therac-25

INTRODUCTION
The use of computers in medicine has become very popular and proven to be very
beneficial, however in the 1980s six people were exposed to high doses of radiation by a
machine called the Therac-25 which; in some cases, were fatal.
This is report is about the Therac-25; a radiation therapy machine, which is highly
dependent on the software, and how the software failure led to a series of fatal events.
The purpose of this report is to highlight the specific events that took place in the 1980s
due to the lack of care taken by the engineers that worked on the Therac-25, and to
explain the design of the machine and software and what went wrong. This report will be
beneficial to software engineering student, as it will help enlighten them on the dangers
of improper testing and the consequences of such incompetence.
The two parts of this report discuss (1) the history and background of the Therac25 and (2) the resulting problems the software bug caused. The part about the history and
background will also go into the machine design and software design. The final part will
also discuss the cases recorded; as there were six of them, and why the problem was not
caught early enough.

Department Of Software Engineering

Therac-25
1. History And Background
PCs are progressively being brought into security basic frameworks and, as an
outcome, have been included in mishaps. The absolute most generally referred to
programming related mishaps in security basic frameworks included a modernized
radiation treatment machine called the Therac-25.
1.1 The History and Background of the Therac-25
Between June 1985 and January 1987, six known mischances included monstrous
overdoses by the Therac-25 - with resultant fatalities and lifelong injuries. They have
been depicted as one of the worst medical mishaps in 35 years. The Therac-25 is a
medical linear particle accelerator, also known as linacs, used for radiation therapy in
cancer patients. The machine accelerated electrons that created energy beams that
destroyed tumors. Electrons were used for shallow penetration, and to reach deeper tissue
the beams were converted into x-ray.
Atomic Energy of Canada (AECL) whom got their technology from Compagnie
Generale Radiologie (CGR); a French radiology company, had worked together to
develop the Therac-6; a 6 million electron volt (MeV) accelerator which could only
produce x-rays, and Therac-20; a 20 MeV which could produce both electrons and x-rays,
in the early 1970s. However, in 1981 the two companies relationship had taken a bad
turn and they both decided not to renew their contract. In 1976 AECL developed the
double pass accelerator, which then led to the development of the Therac-25. A double
pass accelerator is more cost-efficient when it comes to production, as Leveson (1995)
stated a double-pass accelerator needs much less space to develop comparable energy
levels because it folds the long physical mechanism required to accelerate the electrons.

Department Of Software Engineering

Therac-25
A programmer from AECL wrote the software alone for the machine over a period of
several years.
Compared to its predecessors, the Therac-25 is designed to be small in size and
economical in operation, and easier to use. The machine also takes advantage of the
concept of depth dose. Leveson (1995) states that depth dose is when the energy rate and
the depth in the body at which maximum dose build-up are directly proportional, thus
sparing the tissue above the specific area targeted(p. 2). The Therac-25 was then
released to the market in 1983. In 1987, all treatment with the machines in operation was
stopped. Those machines were refitted with safety devices required by the FDA and were
later returned for reuse. No more accidents were reported from these machines. At about
that time, the department in AECL that designed and produced the machine became an
independent company.

1.2 The Design


The software was written in PDP 11 assembly language, which evolved from the
software of the Therac-6 and contained some code from the Therac-20.
The Therac-25 had two main types of operation: a low energy mode, which
consisted of an electron beam of 200 rads that was aimed at the patient directly, and a
high-energy mode, which used the full power of the machine at 25 million electron
volts. When used on patients, a metal plate was inserted between the beam and the
patient, which would transform the beam into an x-ray. The manufacturer stated that the
hardware and software were tested and exercised separately and together for several
years.

Department Of Software Engineering

Therac-25
A few components of the Therac-25 are critical in comprehension of the
accidents. To start with, similar to the Therac-6 and the Therac-20, the Therac-25 is
controlled by a PDP-11 PC. Be that as it may, AECL planned the Therac-25 to exploit a
computer-controlled concept from the beginning; they didn't expand on a stand-alone
machine. The Therac-6 and The Therac-20 had been composed around machines that as
of now had histories of clinical use without computer control. The Therac-25 software
had a stand-alone, real time 32K PDP 11/23 operating system. The machine
accommodated two modes; Photon (X-ray) mode and Electron mode. A tungsten shield
was set up for the X-beam mode and expelled for the electron mode as shown in the
figure below:

Figure 1: Photon and Electron Modes of the Therac-25


Note: Gallagher, T. (n.d.). Computerized radiation therapy. Retrieved May 8,
2016 from the World Wide Web:
http://www.kellyhs.org/itgs/ethics/reliability/THERAC-25.htm
Each mode was used interchangeably depending on the severity of the cancer and the
depth of the tumor. Gallagher (n.d.) states that the machine itself is encased in a radiation
treatment room keeping in mind the end goal to minimize exposure to the professionals
working close-by. The patient has sound and visual hardware, permitting correspondence

Department Of Software Engineering

Therac-25
with the professionals. . A typical model of the treatment room is shown in the figure
below:

Figure 2. Typical Therac-25 Facility


Note: Leveson, N., (1995). Medical devices: the therac-25. Safeware: System Safety
and Computers, p.43
The Therac-25 software had a real time 32K PDP 11/23 operating system. The
software had four main components, namely:

Stored Data which included calibration parameters for the accelerator

setup as well as patient-treatment data


A Scheduler which controlled the sequences of all non-interrupt events

and coordinates all concurrent processes


A Set of Critical and Noncritical Tasks
Interrupt Services, which included a clock interrupt service routine, a
scanning interrupt service routine and so on.

Department Of Software Engineering

Therac-25
The software was essentially in charge of:
Monitoring the machine
Accepting the contribution for the treatment
Setting up the machine to manage this treatment,
And at long last controlling the machine to do the treatment
The diagram below quickly represents the set up of the machine. It starts with the PC that
the product is on for the expert to utilize. This is sent to another minicomputer called the
PDP-11. At long last the radiation machine gets the summons and treats the patient

Figure 3. The Set Up of The Therac-25


Note: Gallagher, T. (n.d.). Computerized radiation therapy. Retrieved May 8, 2016 from
the World Wide Web:
http://www.kellyhs.org/itgs/ethics/reliability/THERAC-25.htm

Department Of Software Engineering

10

Therac-25
The design of the turntable (see figure 4) of the Thrac-25 plays a major role in the
accidents. Expert Leveson (1995) explains the role of the turntable as follows:
The upper turntable rotates accessory equipment into the beam path to produce
two therapeutic modes: electron and photon mode. A third position (called the
field light position) involves no beam at all, but rather is used to facilitate correct
positioning of the patient. Because the accessories appropriate to each mode are
physically attached to the turntable, proper operation of the Therac-25 is heavily
dependent on the turntable position, which is monitored by three micro switches.
(p.3-5)

Figure 4. Upper Turntable Assembly


Note: Leveson, N., (1995). Medical devices: the therac-25. Safeware:
System Safety and Computers, p.4
2. WHAT WENT WRONG

Department Of Software Engineering

11

Therac-25
2.1 Software Bug and Failure
Some of the possible causes of the failure of the machine are lack of proper
assessment of the assessment when using it for new machinery, and recurring problems
were never fixed or understood. However the main cause of the problem was a software
bug called a race condition, this is a scenario where different threads of execution fail to
be properly synchronized, with the result being that the software containing the race
conditions can actually make mistakes. The race condition in the Therac-25 software
involved the keyboard input to the radiation therapy machine. If the operator typed
slowly, the bug was unlikely to be triggered. As operators in the hospitals began to get
better at using the machine they began to type faster which then triggered the software
bug. Unfortunately, the effect of the bug was to deliver massive radiation overdoses to
patients
A lesson to be learned from the Therac-25 story is that concentrating on specific
bugs is not the best approach to make a secure system. Practically all complex
programming can be made to act in an unforeseen manner under certain conditions. The
mistakes here included poor software engineering practices and building a machine that
depends on the software for safe operation.
Moreover, the particular programming error is not as imperative as the general
bad design of the entire software. Looking closely at the part of the code blamed for the
Tyler accidents is educational, be that as it may, in demonstrating the general software
design flaws.

Department Of Software Engineering

12

Therac-25

Figure 5. The Tasks and Subroutines in the Code Blamed for the Tyler Accidents
Note: Leveson, N., (1995). Medical devices: the therac-25. Safeware: System Safety
and Computers.
In the code above there is a treatment monitor task, which is Treat for short, and
its main purpose is to control different phases of the radiation treatment by executing
eight of it subroutines. The Tphase variable, which is also know as the treatment phase
indicator, is used to figure out which of the eight subroutines was to be executed. After
the subroutine is executed the treatment monitor task reschedules itself using the reset
subroutine.
One of the eight subroutines, called data entry, or Datent for short, would
communicate with a task called the keyboard handle, which runs simultaneously with
Treat by using variable called the Data-entry completion flag to figure out whether the
data for the prescription has been entered into the computer. After the keyboard handler
acknowledges the completion of the data entry, the Data-entry completion variable

Department Of Software Engineering

13

Therac-25
changes to denote this. The Datent subroutine confirms the change in status and changes
the value of Tphase from Data-entry (1) to Set-Up test (3).
2.2 CASES AND INCIDENTS
In March 1983, AECL performed a safety analysis, which did not include a
software analysis
In June, 1985, Katie Yarborough, a 61 year old woman, who had already
undergone a surgery to remove her tumor, went in for her 12th radiation treatment, where
she was overdosed with over 15,000 rads of radioactive energy because the machine
projected a beam of electrons without spreading it properly as it was supposed to, which
led to a hole in her chest, two unsuccessful surgeries to cover the wound, which later
paralyzed her left arm.
In 1986, Ray Cox went into the clinic for his usual radiation treatment in his
shoulder. The technician accidentally typed in the command "x" into the computer, which
stood for x-ray beam, then immediately realizing the mistake, the technician quickly
changed the "x" into an "e" which stood for electron beam, and hit "enter", telling the
machine that they were ready to start radiation treatment. The technician pressed "b" after
the computer had given the signal of "beam ready"; to deliver the beam to the patient, but
the computer then responded with a message warning them of an error. Usually this
message meant that the treatment had not been delivered, so the technician repeated the
process and delivered another beam to the patient, and yet again, an error message
occurred. While the technician was trying to figure out the problem, Ray was
experiencing son sharp stabbing pains in his back, which was much different than his
usual treatments, so he decided to removed himself from the vicinity of the machine after

Department Of Software Engineering

14

Therac-25
three shocking attempts. This sequence occurred in less than 8 seconds (This particular
sequence, in this time frame, was never tried in the original testing of the machine), and
because the commands were changed so fast, the computer did not respond properly. Ray
was overdosed with blast of 25,000 rads with 25 million volts of energy, which was 125
times more than his regular dose, and his health deteriorated quickly and he died 4
months later.
Apart from Katie and Ray, there were 4 other incidents of where the patients were
unknowingly being exposed to many times the normal dosage of radiation, leaving
terminal effects.
After each overdose the makers of Therac-25 were contacted. After the first
incident the AECL reactions was straightforward, As Leveson (1993) states "after careful
consideration, we are of the opinion that this damage could not have been produced by
any malfunction of the Therac-25 or by any operator error ".
After the second case the AECL sent an administration professional to the Therac25 machine, but he was not able reproduce the glitch and then concluded nothing was
wrong with the source code of software. Some little changes were made to the hardware,
however the principle issues still remained.
It was not until the fifth case that any formal move was made by the AECL. In
any case it was a physicist at the doctor's facility where the fourth and fifth occurrence
occurred in Tyler, Texas who really could repeat the puzzling "breakdown 54". The
AECL at last made a move and rolled out an assortment of improvements in the product
of the Therac-25 radiation treatment framework. The machine itself is still being used
today.

Department Of Software Engineering

15

Therac-25
CONCLUSION
This report has discussed the case of the radiation therapy treatment machine, the
Therac-25.
I have run down the history and background of the machine, with a little
information on the companies responsible for the manufacturing of the machine. I have
also discussed the physical and software design of the machine, whilst highlighting the
specific parts responsible for the accidents. I have written about the accidents and the
lives of the people affected and the specific bug responsible for each accident, as there
were different reasons or circumstances.
In conclusion, this report has highlighted that although computer technology is
essential in the field of medicine, it is imperative that the system program is tested
properly before it is put into official use, so history will not repeat itself.

Department Of Software Engineering

16

Therac-25
REFERENCES
Leveson, N., & Turner, C. S. (1993). An investigation of the Therac-25 accidents part
v. Retrieved May 8, 2016 from the World Wide Web:
http://courses.cs.vt.edu/professionalism/Therac_25/Therac_5.html

Gallagher, T. (n.d.). Computerized radiation therapy. Retrieved May 8, 2016 from the
World Wide Web:
http://www.kellyhs.org/itgs/ethics/reliability/THERAC-25.htm

Computing Cases. (n.d.). CMC response. Retrieved May 08, 2016 from the World Wide
Web:
http://computingcases.org/case_materials/therac/case_history/Case
History.html

Fabio, A., (2015). Killed by a machine: the therac-25. Retrieved April


20, 2016 from

the World Wide Web:


http://hackaday.com/2015/10/26/killed-by-a-

machine-the-therac-25/

Leveson, N., (1995). Medical devices: the therac-25. Safeware: System


Safety and
Computers.

Department Of Software Engineering

17

Therac-25

Department Of Software Engineering

18