Introduction to the Therac-25 case

The six incidents were the result of both operator error and software defects. In the first incident, the operator entered incorrect control data and then corrected it by restarting the computer, but in the meantime the patient on the operating table had been exposed to an excessive amount of X-ray radiation. Three weeks later the same thing happened: when the computer was restarted, the robot supporting the shroud had retracted, but the X-ray beam had not been cut off. As a result, the patient was exposed to 125 times more radiation than was needed for the required dosage, which ultimately killed him.

The Therac-25 incident was a reminder of the importance of engineering management methodology in software development.

A Typical Case Study of Therac 25 System and Software Safety

Huang Xizi, Chen Guangyu

In the mid-1980s, the Therac 25 radiation therapy device was the subject of numerous medical errors in the United States and Canada, and several patients died after treatment. Patients filed lawsuits, which gradually drew media and public attention, and the U.S. Food and Drug Administration (FDA) gradually became involved in investigating the incidents. The investigation was slowed by the device manufacturer's repeated claims of strict quality control, the early departure of some key designers, the lack of original documentation, and the difficulty of recreating the accident scenario. Only in the late 1980s were the accidents finally determined to have been caused by an overdose of radiation; the underlying cause was in fact a serious problem in the safety design of the system and its software. The Therac 25 accident has now become a classic example used in US university lectures on software safety design.

I. Therac 25 and its functions

The Therac series of instruments are medical high-energy electron linear accelerators jointly manufactured by Atomic Energy of Canada Limited (AECL) and France's CGL. They are used to kill cancerous cells in diseased tissue while minimizing the impact on surrounding healthy tissue.

Radiation for tumor treatment originated in the 1960s, and the Therac 25 is a third-generation medical high-energy electron linear accelerator with two modes of operation. The first is the accelerated electron mode, which is used to treat relatively superficial lesions. The second is the X-ray mode, which takes a 25 MeV (mega-electron-volt) electron beam and converts it into X-rays, which are used to treat deeper lesions.

The Therac 6 and Therac 20 are the predecessors of the Therac 25. The Therac 6 has an energy of 6 MeV and only one mode of operation, X-ray. The Therac 20 belongs to the second generation of medical high-energy electron linear accelerators, with an energy of 20 MeV and two modes of operation, electron and X-ray. Both models have an independent, industry-standard hardware control system, and the treatment of the patient is entirely hardware based. The instruments use a hardware interlock technique to prevent radiation overdose, which makes the treatment process time-consuming. Both instruments are equipped with a PDP-11 computer, but the computer control is auxiliary in nature: the software control exists only to make operation more convenient in some cases.

The Therac 25, manufactured exclusively by AECL, utilizes a dual-pass concept to make the instrument more compact and easier to use.

The Therac 25 has a higher energy capacity, allowing it to treat deeper lesions and reducing treatment costs and time. Unlike the Therac 6 and Therac 20, the Therac 25 has all of its operations controlled by the PDP-11 computer through software, and the hardware interlock mechanism is eliminated.

The operation of the Therac 25 proceeds as follows:

1. The operator enters the treatment chamber.

2. The patient is positioned on the treatment table.

3. The treatment site data is determined, the table is rotated, and the various attachments to the machine are positioned.

4. The operator exits the chamber.

5. The various data is entered into the control console.

6. If the data meets the setup requirements, Verified is displayed on the screen, indicating that the treatment is ready to proceed.

Figure 1 is a full view of the Therac 25 device. Figure 2 shows the console screen display.

Figure 1 Full view of the Therac 25 device.

Figure 2 Console screen display

The operator observes the patient's condition through closed-circuit audio-visual equipment. If there is any abnormality during the treatment, or if the patient complains, the operator can stop the machine in the following ways:

1. Suspend: in the Suspend state, the machine has to be restarted in order to run.

2. Pause: in the Pause state, the operator just hits a key on the keyboard and the machine continues to run.

3. If a run is paused more than 5 times, the machine needs to be restarted.

System error messages are defined as low-priority events, and the meaning of the error messages is vague, such as 'Malfunction 47', 'VTILT' and so on. Including minor errors that occur frequently, the Therac 25 may have about 40 errors per day, and very few of the error messages relate to patient safety. Operators take these error messages for granted and do not pay special attention to them.