An investigation of the therac25 accidents essay 10546. The fda, which was already investigating the safety of the therac25 as a result of the first tyler. In accordance with annex of the convention on international civil aviation of 7 december 1944 and article 24 of the federal air navigation law, the sole purpose of the investigation of an aircraft accident or serious incident is to prevent future accidents or serious incidents. An investigation of the therac 25 accidents nancy leveson, university of washington clark s. Introduction to conflicting n811be accident investigation. Therac 25 software due to overdose accidents the quality assurance of. The pilot was tasked with spraying crop with fungicide in a paddock situated in an undulating timbered area. Turner, university of california, irvine reprinted with permission, ieee computer, vol. The second, higher energy mode, used the full power of the machine at 25 million electron volts.
A more intensive program of surveillance by the federal aviation administration may lead to the detection and. It delivered two types of radiation beams, a lowpower electron beam and a highpower xray. Much of this is due to the work of nancy leveson, a software safety expert. The user manual did not explain or even address the error codes, so the operator pressed the p. Pdf computer software plays an important role in various industries. The fda declared the therac 25 defective under the radiation control for health and safety act and. Between june 1985 and january 1987, the therac25 medical electron accelerator was involved in six massive radiation overdoses. Therac25 radiation overdoses your expert root cause. Section 509d7 of the new york state vehicle and traffic law vtl requires that you complete this statistical report and file it with your article 19a annual affidavit of compliance. An investigation of the therac 25 accidents part iii nancy leveson, university of washington.
The pilot advised the inverness approach controller that he was en route from carlisle to wick, 44 nm west of. Conduct of investigations by the rail accident investigation branch 6. Therac6 and therac20 had histories of clinical use without computer control therac25 software had more responsibility for safety than in previous machines. The first mode consisted of an electron beam of 200 rads that was aimed at the patient directly. The big picture the therac25 was a computerized radiation therapy machine 11 machines were installed us and canada in 19851987 there were 6 known accidents where massive overdoses were made patients died or suffered serious injuries these were traced to race conditions in reading operator input unique early investigation of safetycritical. The therac 25 a case study in safety failure radiation therapy machine the most serious computerrelated accidents to date people were killed reference. A detailed accident investigation, drawn from publicly available documents, can be found. The therac 25 was a computercontrolled radiation therapy machine produced by atomic energy of canada limited aecl in 1982 after the therac 6 and therac 20 units the earlier units had been produced in partnership with cgr of france it was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. During the time span of june 1985 to january 1987, it. An investigation under controlled laboratory conditions matteo ottaviania, knut stamnesa, jeff koskulicsa, hans eideb, steve longc, wenying sud, warren wiscombee alight and life laboratory, stevens institute of technology, hoboken, nj 07030 bscientic computing group, usit, university of oslo, n0316 oslo, norway cairsea interaction research facility, nasa wallops flight facility. Aecl performs a safety analysis of therac25 which apparently excludes an analysis of software.
The fda declared the therac25 defective under the radiation control for health and safety act and. Fatal dose radiation deaths linked to aecl computer errors. It is not the purpose of this activity to apportion blame or liability.
Several features of the therac 25 are important in understanding the accidents. The national transportation safety board determines that the probable cause of this accident was the failure of the operator and the pilotincommand to assure proper load distribution during the jumper exit procedure. Turner, university of california, irvine a thorough account of the therac25 medical electron accelerator accidents reveals previously unknown details and suggests ways to reduce risk in the future. Computers are increasingly being introduced into safetycritical systems and, as a consequence, have been involved in accidents. An investigation of the therac25 accidents nancy g. An investigation of the therac25 accidents computer. The therac25 machine was a stateoftheart linear accelerator developed by. Persons conducting, participating in or assisting with an investigation by the rail accident. Therac 6 and therac 20 had histories of clinical use without computer control therac 25 software had more responsibility for safety than in previous machines. Software in the therac6 and therac20 was reused in the therac25. Citeseerx document details isaac councill, lee giles, pradeep teregowda. An updated version of the original accident investigation paper by nancy leveson i have updated and changed slightly the original accident report. The experience illustrates a number of principles that are vital to understanding how and why the design and analysis of safetycritical systems must be done in a methodical way according to established principles. The therac 25 was the most computerized and sophisticated radiation therapy machine of its time.
An investigation of the therac25 accidents stanford university. However, aecl designed the therac 25 to take advantage of computer control from the outset. Unfortunately, six accidents involving significant overdoses of radiation to. The therac25 was a computercontrolled radiation therapy machine produced by atomic energy of canada limited aecl in 1982 after the therac6 and therac20 units the earlier units had been produced in partnership with cgr of france it was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation. A detailed accident investigation, drawn from publicly available documents, can. The therac 25 accidents form the basis for what is often considered the bestdocumented software safety casestudy available. Chapter 2 railway accident and serious incident investigation. On april 1, 1986, the crpb and the bureau of medical devices were merged to form the bureau of. Untitled the cognitive systems engineering laboratory at ohio. The therac25 is a radiation therapy machine used during the mid80s. How accident investigation can influence railway technology. On october 25, 2000, panel members revisited the applied hydraulics yard once again in an attempt to locate serial numbers for the purpose of determining the crane manufacturer and model. Feb 17, 2014 the therac 25 accidents form the basis for what is often considered the bestdocumented software safety casestudy available.
Therac 25 aecl designed therac 25 to use computer control from the start. An investigation of the therac25 accidents nancy leveson, university of washington clark s. An investigation of the therac25 accidents part iii. The therac25 was a computercontrolled radiation therapy machine produced by atomic. For six unfortunate patients in 1986 and 1987, the therac25 did the unthinkable. A thorough account of the therac25 medical electron accelerator accidents reveals previously unknown details and suggests ways to reduce risk in the future. The wind was from the east at 10 15 kt, and the pilot elected to commence the first spray run in a downwind direction. Investigating accidents before they happen william reynard. An investigation of the therac 25 accidents computer.
The aircraft and railway accidents investigation commission araic, kokutetsudojiko chosa iinkai was a commission belonging to japan. In manual mode, a radiotherapy technician would physically set up. A historical perspective on aviation accident investigation. The therac 25 machine was a stateoftheart linear accelerator developed by the company atomic energy canada limited aecl and a french company cgr to provide radiation treatment to cancer patients.
As a result, several people died and others were seriously injured. Aircraft and railway accidents investigation commission. Therac25 accident historycontinued accidents continued in 1986 and 87 traced to operator behavior keyboard entry timing related several different software problems eventually implicated related to concurrency lack of lockingatomic operations for access to shared variables therac25 retrospective. The operators manual supplied with the machine does not ex. Therac25 was a machine that had two main treatment modes. I don't know whether to post this here or in the editorial section of the site, so i put it both places. Aug 08, 2010 the therac 25 is a radiation therapy machine used during the mid80s. The fda investigation was well under way when aecl produced a medical device report to discuss the details of the radiation overexposures at tyler. With the aid of an onboard computer, the device could select multiple. The therac25 accidents are the most serious computerrelated accidents to date at least. Commission members are appointed by the transport minister to research causes of aircraft and railway accidents and to suggest improvements to prevent similar. First, like the therac6 and the therac20, the therac25 is con. Turner, university of california, irvine a thorough account of the therac 25 medical electron accelerator accidents reveals previously unknown details and suggests ways to reduce risk in the future. Transport accident investigation commission act 1990 no 99.
An investigation of the therac25 accidents computer author. Therac 25 background medical linear accelerator developed by atomic energy of canada, ltd. The purpose of this paper is to investigate that learning, and to. Nioshtic2 publications search 20041929 accident and. Researchers who investigated the accidents found several contributing causes. Investigation of crane accident and injury south timbalier.
Aecl performs a safety analysis of therac 25 which apparently excludes an analysis of software. An investigation of the therac25 accidents part iii nancy leveson, university of washington. Citeseerx an investigation of the therac25 accidents. This act may be cited as the transport accident investigation commission amendment act 1999, and is part of the transport accident investigation commission act 1990 the principal act. An investigation of the therac 25 accidents nancy g. The views expressed are mine and mine alone ludwig benner this set of documents compares an ntsb investigation with a subsequent investigation by. To aid in the investigation, the panel requested and received various documents from burlington resources, crown oilfield services, applied.
Pdf motorcycle accident cause factors and identification. Lawsuits were filed, and no investigations took place. Therac25 aecl designed therac25 to use computer control from the start. This provided the economic advantage of delivering two kinds of therapeutic radiation with one machine. A detailed accident investigation, drawn from publicly available docu. Katie yarborough was the first of the therac25 accidents. The therac 25 software disaster the therac 25 is a computerized medical radiation therapy machine for cancer patients. Article 19a motor carrier annual statistical report. A thorough account of the therac 25 medical electron accelerator accidents reveals previously unknown details and suggests ways to reduce risk in the future. Nancy leveson and clark turner, the investigation of the therac25 accidents, computer, 26, 7 july 1993 pp 1841. Handbook of human factors and ergonomics 4th edition. Software in the therac 6 and therac 20 was reused in the therac 25.
To the best of your knowledge and ability, please provide answers to the following questions. The flight left dallas with 5 crewmembers and 41 passengers on board. Chapter 2 railway accident and serious incident investigation japan transport safety board annual report 2012 48 taken in the suita engine depot the day after the accident brake handle acknowledge button master controller controllers in the cab of the accident locomotive ats lamp 2. The train consisted of 2 head end locomotives and 73 cars. During the time span of june 1985 to january 1987, it was the source of six fatal or near fatal overdoses. A history of the introduction and shut down of therac25. July 29,1983 in a pr newswire the canadian consulate general announces the introduction of the new therac 25 machine manufactured by aecl medical, a division of atomic energy of canada limited. First, like the therac 6 and the therac 20, the therac 25 is controlled by a pdp 11. Turner, an investigation of the therac25 accidents, in ethics and computing. Abstract on june 2, 1983, air canada flight 797, a mcdonnell douglas dc932, of canadian registry cftlu, was a regularly scheduled international passenger flight from dallas, texas, to montreal, quebec, canada, with an en route stop at toronto, ontario, canada. This case study presents system and software engineering issues relevant to the accidents associated with the therac25 medical linear. A detailed investigation of the factors involved in the softwarerelated overdoses and attempts by users, manufacturers, and government agencies to deal with the accidents is presented. Case study therac 25 page 1 of 3 therac 25 the therac 25 machine was a stateoftheart linear accelerator developed by the company atomic energy canada limited aecl and a french company cgr to provide radiation treatment to cancer patients.