An Investigation of the Therac-25 Accidents

Nancy G. Leveson, University of Washington
Clark S. Turner, University of California, Irvine

Computer, July 1993. 0018-9162/93/0700-0018$03.00 © 1993 IEEE

A thorough account of the Therac-25 medical electron accelerator accidents reveals previously unknown details and suggests ways to reduce risk in the future.

Computers are increasingly being introduced into safety-critical systems and, as a consequence, have been involved in accidents. Some of the most widely cited software-related accidents in safety-critical systems involved a computerized radiation therapy machine called the Therac-25. Between June 1985 and January 1987, six known accidents involved massive overdoses by the Therac-25, with resultant deaths and serious injuries. They have been described as the worst series of radiation accidents in the 35-year history of medical accelerators.[1]

With information for this article taken from publicly available documents, we present a detailed accident investigation of the factors involved in the overdoses and the attempts by the users, manufacturers, and the US and Canadian governments to deal with them. Our goal is to help others learn from this experience, not to criticize the equipment's manufacturer or anyone else. The mistakes that were made are not unique to this manufacturer but are, unfortunately, fairly common in other safety-critical systems. As Frank Houston of the US Food and Drug Administration (FDA) said, "A significant amount of software for life-critical systems comes from small firms, especially in the medical device industry; firms that fit the profile of those resistant to or uninformed of the principles of either system safety or software engineering."[2] Furthermore, these problems are not limited to the medical industry. It is still a common belief that any good engineer can build software, regardless of whether he or she is trained in state-of-the-art software-engineering procedures. Many companies building safety-critical software are not using proper procedures from a software-engineering and safety-engineering perspective.

Most accidents are system accidents; that is, they stem from complex interactions between various components and activities. To attribute a single cause to an accident is usually a serious mistake. In this article, we hope to demonstrate the complex nature of accidents and the need to investigate all aspects of system development and operation to understand what has happened and to prevent future accidents.

Despite what can be learned from such investigations, fears of potential liability or loss of business make it difficult to find out the details behind serious engineering mistakes. When the equipment is regulated by government agencies, some information may be available. Occasionally, major accidents draw the attention of the US Congress or President and result in formal accident investigations (for instance, the Rogers commission investigation of the Challenger accident and the Kemeny commission investigation of the Three Mile Island incident).

The Therac-25 accidents are the most serious computer-related accidents to date (at least nonmilitary and admitted) and have even drawn the attention of the popular press. (Stories about the Therac-25 have appeared in trade journals, newspapers, People Magazine, and on television's 20/20 and MacNeil/Lehrer News Hour.) Unfortunately, the previous accounts of the Therac-25 problems have been oversimplified, with misleading omissions.

In an effort to remedy this, we have obtained information from a wide variety of sources, including lawsuits and the US and Canadian government agencies responsible for regulating such equipment. We have tried to be very careful to present only what we could document from original sources, but there is no guarantee that the documentation itself is correct. When possible, we looked for multiple confirming sources for the more important facts.

We have tried not to bias our description of the accidents, but it is difficult not to filter unintentionally what is described. Also, we were unable to investigate firsthand or get information about some aspects of the accidents that may be very relevant. For example, detailed information about the manufacturer's software development, management, and quality control was unavailable. We had to infer most information about these from statements in correspondence or other sources.

As a result, our analysis of the accidents may omit some factors. But the facts available support previous hypotheses about the proper development and use of software to control dangerous processes and suggest hypotheses that need further evaluation. Following our account of the accidents and the responses of the manufacturer, government agencies, and users, we present what we believe are the most compelling lessons to be learned in the context of software engineering, safety engineering, and government and user standards and oversight.

Genesis of the Therac-25

Medical linear accelerators (linacs) accelerate electrons to create high-energy beams that can destroy tumors with minimal impact on the surrounding healthy tissue. Relatively shallow tissue is treated with the accelerated electrons; to reach deeper tissue, the electron beam is converted into X-ray photons.

In the early 1970s Atomic Energy of Canada Limited (AECL) and a French company called CGR collaborated to build linear accelerators. (AECL is an arm's-length entity, called a crown corporation, of the Canadian government. Since the time of the incidents related in this article, AECL Medical, a division of AECL, has been in the process of being privatized and is now called Theratronics International Limited. Currently, AECL's primary business is the design and installation