A case study in safety failure
• Radiation therapy machine
• “The most serious computer-related accidents to date”
• People were killed
• Reference: Nancy Leveson and Clark Turner, “The Investigation of the Therac-25 Accidents”, Computer, 26, 7 (July 1993), pp. 18-41.
Therac 25 Background
• Medical linear accelerator developed by Atomic Energy of Canada, Ltd. (AECL) in the mid-1970s
• Delivers 25 MeV photons or electrons of various energies
• Controlled by a PDP-11 minicomputer
• Software responsible for safety
• Software adapted from the earlier Therac-6 and Therac-20 systems, which had hardware interlocks for safety
The Therac 25
Therac 25 Turntable
• Electron mode
– 5-25 MeV
– Magnets spread beam
– Ion chamber monitor
• X-ray mode
– 25 MeV electrons hit target
– “Beam flattener” attenuates
– 100x beam current
– Ion chamber monitor
• Field-light mode
– No current
– Mirror & light used to check alignment
– No ion chamber (since not treating)
Therac 25 Turntable
• Computer adjusts turntable position
• Microswitches detect turntable setting
• 3-bit binary code used to encode turntable setting
• Software checks replace hardware interlocks
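To make the last point concrete, here is an added example (not AECL code, and not the real Therac-25 encoding) of what a fail-closed software interlock for the turntable would have to do: decode the 3-bit microswitch code, reject unused codes, and refuse to enable the beam whenever the turntable position does not match the requested mode. The position codes, mode names and the ion-chamber flag are assumptions made for the example.

```python
from enum import Enum
from typing import Optional, Tuple


class Turntable(Enum):
    """Hypothetical 3-bit microswitch codes for the three turntable positions."""
    ELECTRON = 0b001      # scanning magnets in the beam path
    XRAY = 0b010          # target and beam flattener in the beam path
    FIELD_LIGHT = 0b100   # mirror and light, no beam


# Which turntable position each treatment mode requires (constructed mapping).
# Field-light mode is deliberately absent: the beam must never be enabled in it.
SAFE_POSITION = {"electron": Turntable.ELECTRON, "xray": Turntable.XRAY}


def decode_turntable(code: int) -> Optional[Turntable]:
    """Map a raw switch code to a position; the five unused codes decode to None."""
    try:
        return Turntable(code)
    except ValueError:
        return None


def beam_permitted(mode: str, switch_code: int, ion_chamber_ok: bool) -> Tuple[bool, str]:
    """Software interlock: return (allow, reason). Every unexpected state denies the beam."""
    if mode not in SAFE_POSITION:
        return False, f"mode {mode!r}: beam must stay off"
    position = decode_turntable(switch_code)
    if position is None:
        return False, f"invalid turntable code {switch_code:03b}"
    if position is not SAFE_POSITION[mode]:
        # The hazardous case: X-ray current (100x electron current) with no target in place.
        return False, f"turntable at {position.name}, requested mode {mode!r}"
    if not ion_chamber_ok:
        return False, "ion chamber monitor not ready"
    return True, "ok"


if __name__ == "__main__":
    for args in [("xray", 0b010, True), ("xray", 0b001, True), ("electron", 0b011, True)]:
        print(args, "->", beam_permitted(*args))
```

The point of the example is the default: a hardware interlock denies the beam unless the mechanism physically allows it, so a software replacement must deny on every code it cannot positively account for, not only on the ones the programmer anticipated.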
Therac 25 Software Development
• Evolved from the Therac 6 system (1972-1976)
• Incorporated some Therac 20 code as well
• Written in PDP-11 assembler
• Custom operating system
• Little documentation during development
• Minimal unit and software testing
• Q/A testing was 2700 hours of use as an integrated system
• Programmer left AECL in 1986; little information available about his background
Therac 25 Software Functions
• Monitors machine status
• Sets up machine for treatment
• Turns beam on and off in response to operator
• Monitors interlocks
• If fault, either prevents treatment start or causes a pause/suspend
Therac 25 Software Structure
• Critical tasks:
– Treatment monitor
– Servo
– Housekeeping
• Non-critical tasks:
– Checksum
– Keyboard
– Calibration
– etc.