April 15, 2013 by Ozgur Ozden
HISTORY of THERAC DEVICES and ACCIDENTS
The Therac-25 case is known as one of the biggest accidents in medical history. A company called Atomic Energy Commission Limited (AECL) and a French company called CGR paired up to produce medical linear accelerators. These accelerators are devices in which electrons are accelerated by means of a magnetron or klystron to produce high-energy electron beams. These high-energy beams are used in the treatment of cancer: they can destroy a tumor while doing very little harm to healthy tissue.
The two companies produced different versions, starting with the Therac-6, capable of delivering 6 MeV, and then the Therac-20, with a 20 MeV capacity. These two versions did not cause any problems. They were mainly hardware operated, with very little help from software, and almost the same software was used in both versions.
Around 1970 AECL designed a new accelerator called the “Double-Pass” system for electron acceleration. This new system requires less space and less energy, delivers electrons faster, and is also cheaper to manufacture. AECL decided to implement this technology in a new device, called the Therac-25, which fires electrons at 25 MeV of energy.
AECL used the same PDP-11 minicomputer for all its models. The first two models, Therac-6 and Therac-20, were mainly mechanical, but the Therac-25 was built to be software oriented rather than hardware oriented. The Therac-6 and Therac-20 had mechanical safety locks and circuit breakers, but in the Therac-25 these features were controlled by software, so this model became almost fully software dependent.
A total of six accidents were reported between 1985 and 1987. In all of these accidents patients were overdosed with around 15,000 rad to 20,000 rad, whereas a normal treatment dose is considered to be 200 rad. Two of these accidents resulted in death.
After the first accident AECL did not accept that any malfunction had occurred. They simply answered: “After careful consideration, we are of the opinion that this damage could not have been produced by any malfunction of the Therac-25 or by any operator error” (Gallagher, 2007).
AECL tried to reproduce the accident conditions but could not succeed. They claimed that a microswitch might be responsible for the malfunction. Further investigation revealed that a software problem in the beam control was actually responsible for the malfunction. In 1987 the Therac-25 was shut down for further development and improvement.
This chain of events needs to be examined in terms of the responsibilities of system engineers, software engineers, and government or organizational structures, and lessons should be extracted from each. We will look at these responsibilities one by one.
System engineering: Mechanical safety lock systems were installed in the Therac-6 and Therac-20. Even though the same software bug was also found in the Therac-20, no accident related to this model was reported; most probably the safety locks prevented a catastrophic event in that series. So relying on the software and removing the mechanical safety locks was not a suitable design decision.
Designing a system controlled only by software, without a secondary safety mechanism, is a design flaw.
Another point that AECL missed is that they performed a series of safety checks on the Therac-25 system but did not include the software in these tests (Leveson, 1993).
The software engineers concluded that the software used in the previous versions (Therac-6 and Therac-20) was stable and could be transferred to the new system. In fact they were wrong: there was a bug in that software, but the safety locks had prevented an accident in those earlier models.
So they should have written new software from scratch for the new system, and the bug might well have been spotted during the rewrite.
Users complained that the software interface was difficult to use, so the software engineers should have talked more with the users and made the interface design simpler and more user friendly (Leveson, 1993).
They should have implemented a warning system in the software for overdose release, one that automatically shuts down the system to prevent an accident.
They should have tested the software under various and extreme conditions, including wear of the machine. The software was written by only one person and was tested for only 2700 hours (Gallagher, 2007).
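The design points above (a software-only control path with no secondary safety mechanism, an automatic shutdown on overdose, and testing under faulty or extreme conditions) can be made concrete with a small simulation. The following is an added example written for this post; it is a constructed model, not the Therac-25 software, which the post does not reproduce. The dose limit, the pulse count and the "fault factor" that corrupts the controller's internal setpoint are all assumed values; the 200 rad normal dose is the figure quoted above. The same buggy controller is run once with nothing outside the software able to stop the beam, and once behind an independent interlock that reads the hardware output directly and latches off.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

NORMAL_DOSE_RAD = 200        # typical treatment dose quoted in the post
INTERLOCK_LIMIT_RAD = 250    # assumed hard ceiling for one session (constructed value)


@dataclass
class Beam:
    """Stands in for the accelerator: it emits exactly what it is commanded to."""
    delivered_rad: float = 0.0
    pulses: int = 0

    def fire(self, rad: float) -> None:
        self.delivered_rad += rad
        self.pulses += 1


class DoseInterlock:
    """Independent monitor in the role of the mechanical locks the post mentions.

    It reads the hardware output directly and latches into a tripped state once the
    ceiling would be crossed. It shares no variables with the controller, so a
    corrupted controller value cannot disable it.
    """

    def __init__(self, beam: Beam, limit_rad: float) -> None:
        self.beam = beam
        self.limit_rad = limit_rad
        self.tripped = False

    def permits(self, requested_rad: float) -> bool:
        if self.tripped:
            return False
        if self.beam.delivered_rad + requested_rad > self.limit_rad:
            self.tripped = True      # latch: stays off until a human resets it
            return False
        return True


class Controller:
    """Software path. `fault_factor` models a corrupted internal setpoint; the post
    only says a beam-control software problem existed, so the factor is constructed."""

    def __init__(self, beam: Beam, interlock: Optional[DoseInterlock] = None) -> None:
        self.beam = beam
        self.interlock = interlock

    def treat(self, prescribed_rad: float, pulses: int = 10, fault_factor: float = 1.0) -> str:
        # Software-only check: validates what the operator typed, which passes...
        if prescribed_rad > INTERLOCK_LIMIT_RAD:
            return "rejected"
        # ...but the value actually used for firing is derived afterwards and can be
        # corrupted without the check above ever seeing it.
        per_pulse = (prescribed_rad / pulses) * fault_factor
        for _ in range(pulses):
            if self.interlock is not None and not self.interlock.permits(per_pulse):
                return "shutdown"    # the independent path cut the beam
            self.beam.fire(per_pulse)
        return "complete"


def run_software_only(fault_factor: float = 1.0) -> float:
    """Therac-25-style layout: nothing outside the software can stop the beam."""
    beam = Beam()
    Controller(beam).treat(NORMAL_DOSE_RAD, fault_factor=fault_factor)
    return beam.delivered_rad


def run_with_interlock(fault_factor: float = 1.0) -> Tuple[str, float]:
    """Therac-20-style layout: the same buggy software behind an independent lock."""
    beam = Beam()
    status = Controller(beam, DoseInterlock(beam, INTERLOCK_LIMIT_RAD)).treat(
        NORMAL_DOSE_RAD, fault_factor=fault_factor)
    return status, beam.delivered_rad


def worst_case_with_interlock(prescriptions: Iterable[float],
                              fault_factors: Iterable[float]) -> float:
    """Exercise many prescriptions and fault magnitudes (the 'extreme conditions'
    the post asks for) and report the largest dose that ever reached the beam.
    A correct interlock keeps this at or below INTERLOCK_LIMIT_RAD whatever the
    software does."""
    worst = 0.0
    for rad in prescriptions:
        for factor in fault_factors:
            beam = Beam()
            Controller(beam, DoseInterlock(beam, INTERLOCK_LIMIT_RAD)).treat(
                rad, fault_factor=factor)
            worst = max(worst, beam.delivered_rad)
    return worst


if __name__ == "__main__":
    print("software only, healthy :", run_software_only())
    print("software only, faulty  :", run_software_only(100))
    print("with interlock, faulty :", run_with_interlock(100))
    print("worst case under faults:", worst_case_with_interlock([50, 200, 240], [1, 10, 100]))
```

With a fault factor of 100 the software-only layout delivers 20,000 rad, the order of magnitude the post reports, even though the controller's own validation passed, because the check and the firing live in the same software and the corrupted value never reaches the check. Behind the interlock the same fault ends the session at the first pulse with nothing delivered, and the sweep over prescriptions and fault factors never lets more than the ceiling through.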
The FDA was actively involved in the process from the beginning. The FDA gave pre-market approval to the Therac-25 on the strength of the previous models' success; it should have been more careful at this stage.
Otherwise, the FDA handled the situation really well. They asked for the necessary modifications and improvements, and in the end they had the system shut down. This probably prevented more accidents.
Another lesson the FDA learnt from these accidents concerns the reporting sequence. The FDA reviewed its follow-up procedures and asked hospitals and health centers, as well as users, to report this kind of accident directly to the FDA.
1- N. G. Leveson and C. S. Turner, “An investigation of the Therac-25 accidents,” Computer, 26(7): 18–41, 1993. [Online] Available at: http://courses.cs.vt.edu/cs3604/lib/Therac_25/Therac_1.html [Accessed: 21 March 2013]
2- Troy Gallagher, Computerized Radiation Therapy, 2007. [Online] Available at: http://radonc.wdfiles.com/local–files/radiation-accident-therac25/Therac_UGuelph_TGall.pdf [Accessed: 22 March 2013]
3- Image. [Online] Available at: http://dead-city.ru/datas/users/1-therac25.png [Accessed: 22 March 2013]
4- A History of the Introduction and Shut Down of Therac-25. [Online] Available at: http://www.computingcases.org/case_materials/therac/case_history/Case%20History.html [Accessed: 22 March 2013]