Error messages provided to the operator were cryptic, and some merely. The reasoning given for not including software errors was the extensive testing of the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error proof. It is highly unfair and unethical for that person's name to be known beyond to perhaps potential employers and/or a lingering litigation which they are 100% shielded from and thus again not ethical. In addition, the Therac-25 software has more responsibility for maintaining safety than the. However, in the case of Therac-25, they can be deadly. She made a considerable contribution to system and software safety. The Therac-25 software lied to the operators, and the machine itself could not detect that a massive overdose had occurred.
These accidents highlighted the dangers of software control of safety-critical systems, and. If I read Nancy's and Clark's article An Investigation of Therac-25 Accidents correctly, they mentioned Therac-25 software was developed based on Therac-6 software by a single, unidentified programmer. The software of the Therac-25 also controls the positioning of the turntable, a possible hazard discussed previously, and checks the position of the turntable so that all necessary devices are in place Leveson and Turner, 1993, p. With the aid of an onboard computer, the device could select multiple. The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982 after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France). It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. The CGR employees modified the software for the Therac-20 to handle the dual modes. Then, if the operator were to input the incorrect beam type, or err on any data entry, he would be forced to restart the process. The series of accidents involving the Therac-25 is a good example of exactly this problem.
Lessons for software-intensive systems, learning from Therac-25: confusing reliability (low failure rate) with safety; lack of defensive design (e.g., software checks); complacency about radiation therapy machines; inadequate investigation or follow-up on accident reports; specification and documentation after development. An Investigation of the Therac-25 Accidents, Nancy Leveson, University of Washington; Clark S. Fixing each individual software flaw as it was found did not solve the device's safety problems. We know that the software for the Therac-25 was developed by a single person using PDP-11 assembly language, over a period of several years.
A bug that was discovered in Therac-25 was later also found in the Therac-20. A final feature was that some of the old software used in Therac-6 and Therac-20 was used in the Therac-25. Major Design Flaws in the Software Development of Therac-25, Randy Graebner, February 7, 1999. Code reuse has long been an accepted practice in software engineering. Previously she worked at University of California, Irvine and the University of Washington as a faculty member.
Nancy and Clark Turner spent three years collecting the materials and. Leveson is a leading American expert in system and software safety. This analysis was in the form of a fault tree and apparently excluded the software. Additional functions had to be added because the Therac-20 and Therac-25 operate in both X-ray and electron mode, while the Therac-6 has only X-ray mode. The Therac-25 machine was a state-of-the-art linear accelerator developed by the company Atomic Energy Canada Limited (AECL) and a French company, CGR, to provide radiation treatment to cancer patients. She is professor of aeronautics and astronautics at MIT, United States. Nancy Leveson gained her degrees in computer science, mathematics and management from UCLA, including her PhD in 1980. Computers are increasingly being introduced into safety-critical systems and, as a consequence, have been involved in accidents. Virtually all complex software will behave in an unexpected or undesired fashion under some conditions: there will always be another bug. What is the name of the programmer who wrote the Therac-25?
However, the investigation found that a minimum amount of tests had been run on a simulator, while most of the effort had been directed at the integrated system test. The Therac-25 ion chambers could not handle the high density of ionization from the unscanned electron beam at high beam current. This appendix is taken from Nancy Leveson, Safeware. In addition, I will examine the Therac-25's software bugs. Initially, AECL's solution to the problem was to physically disable the up key on all Therac-25 operators' keyboards. The Therac-25 software also contained several user-friendly features.
Therac-25 software development: the software for Therac-25 was developed by a single person at AECL and was intended to take full advantage of computer control from the outset. The mistakes that were made are not unique to this manufacturer but are, unfortunately, fairly common in. Therac-25 overview: linear particle accelerator; replaced earlier version; utilized much more computerized control, in particular, more software responsibility for safety maintenance; reused some software from earlier versions. As noted earlier, the software for the Therac-25 and Therac-20 both evolved from the Therac-6 software. Fault analysis considered only computer hardware failures. Therac-25 accident history. Feb 18, 2015: It is highly unfair and unethical for that person's name to be known beyond to perhaps potential employers and/or a lingering litigation which they are 100% shielded from and thus again not ethical. The Therac-25 was the most computerized and sophisticated radiation therapy machine of its time. Computers are becoming more and more widely used in the medical field. Lastly, I will look at the government's reactions and explore what has been done to prevent similar.
Aug 08, 2010: The reasoning given for not including software errors was the extensive testing of the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error proof. My professor investigated the Therac-25 incident and. Leveson, Therac-25 accidents: the manufacturer said that the hardware and software had been tested over many years. For decades, programmers have been finding ways to cut corners by incorporating old code into the system they are currently creating. The Therac-25 was not a device anyone was happy to see. In March 1983, AECL performed a safety analysis on the Therac-25. The original plan foresaw the production of an integrated system where the software would have complete control of the system. The Therac-25 had only software interlocks, which were faulty.