What is the 'Therac-25' that caused six serious radiation accidents due to a software bug?


Catalina Márquez

Manufactured by the Atomic Energy of Canada (AECL), Therac-25 is a radiation therapy device that produces electron and x-rays to irradiate patients to treat tumors on the surface and deep of the body. It is one of. The Daily WTF , an overseas blog, explains how this device caused as many as six exposure accidents from 1985 to 1987.

The Therac-25 Incident --The Daily WTF

One of the impressive incidents of Therac-25 occurred on March 21, 1986, at the East Texas Cancer Center (ETCC) in Texas. On this day, the radiologist took the patient to the treatment room and was trying to treat him as usual. After laying the patient on the bed, the technician turns the irradiation part of the Therac-25, which is shaped like a turntable, to set it to 'optical laser mode' and adjusts the laser so that it hits a small area on the back side. The we.

When the adjustment is completed, the engineer turns the irradiation part again, and this time it is set to the 'electron beam mode' that irradiates the electron beam. In addition, a magnet and a metal block were placed between the irradiation area and the patient. The Therac-25 was designed by shaping the electron beam with a magnet and converting it into X-rays with a metal block.

After completing the setting of Therac-25 for electron beam therapy, the technician heads to the next control room and inputs the necessary information to the computer. Normally, the patient and the technician can communicate with each other via the intercom and the video camera, but it happened to be out of order on that day. However, the patient was accustomed to the treatment and had a good understanding of what would happen next, so he said he didn't care much. The Therac-25 and other equipment are extremely difficult to handle, and it was commonplace to say 'something is out of order.'

The technician used the computer input that he should be accustomed to, but on this day he accidentally entered the X-ray 'X' key instead of the electron beam 'E' key. It is believed that this mistake was made because most patients were receiving 'X-ray' treatment, but the technician who noticed the mistake immediately pressed the 'UP' key to return to the field and 'E'. I re-entered the key. Then, after entering the other parameters, I entered the 'B' key for irradiation.

After a while, the computer displayed the error code 'Mal function 54', followed by 'Treatment Pause'. The technician was accustomed to getting errors, so he looked at the chart with all the error codes, but he found that 'Malfunction 54' was 'dose input 2'. It just means. At that time, there was a lack of description about error codes.

The technician had not yet been exposed to radiation, so he decided that the next step would be to release the pause and entered the appropriate 'P' key. It was then that I heard the patient screaming.

The patient knew that he would not feel any pain with this treatment, but at this time he felt a strong burning sensation, like hot coffee pouring on his back. The patient continued to scream for help until the technician paused the irradiation, but during that time he continued to suffer pain like an electric shock.

The Therac-25 caused an obvious medical accident in this way, but when a physicist at the hospital inspected the Therac-25 in question, no abnormalities were found, and it was confirmed that everything was working properly. The patient had a treatment program that received a total

dose of 6000 rads in 6 weeks, and the single dose should have been 180 rads. According to the display of Therac-25, the dose received by the patient on that day was below the standard value, but in reality, the dose was 16,000 to 25,000 rad. The patient was doing well, but was already exposed to a lethal dose of radiation.

The ETCC case was not the only accident caused by Therac-25, but a total of six accidents occurred between June 1985 and July 1987. All of them have caused severe radiation exposure to patients, resulting in the death of five people.

When the incident was first discovered, no one was able to determine the cause. Although it turned out that the irradiation amount was displayed less than the actual amount even though the Therac-25 over-irradiated the radiation as in the ETCC accident, the AECL who received the inquiry said, 'The Therac-25 cannot over-irradiate. Is. '

The Therac-25 software implements key features such as user input and dose adjustment through several modules and assemblies running on the PDP-11 computer that appeared in the 1970s, and a real-time OS that manages them. There was only one person in charge of development. An early version of this software was developed in 1972 and was used in the Shellac-6, the predecessor of the Therac-25. The version was upgraded in 1976 to match the Shellac-20 and Shellac-25 that appeared after that. Therefore, AECL was aware that this software was 'safe because it has been used for a long time.'

The Therac-25 software does not perform a check if the value of the variable is 0, but does a check if it is not 0, a variable that acts as a flag to determine if the turntable is in the correct position. Existed. However, the field width to set the variable is only 1 byte, and if the variable is incremented 256 times from 0, it will return to 0, and if the wrong 0 value matches the operator's input, the turntable is correct. It was later discovered that the irradiation was performed with full energy even if it was not in position.

After the ETCC incident, hospital physicists stopped using the Therac-25 and worked with technicians to determine the cause of the over-irradiation. However, it was not easy to display the error code of 'Mal function 54' that occurred in the ETCC case. He says that he did not have any problems when he entered the hijacking data slowly in the correct procedure.

It was important to reproduce the speed of the 'experienced' technician to cause over-irradiation. Verification reveals that this type of error only occurs if you correct the input within 8 seconds of entering the X-ray pointing to X-ray irradiation. The physicist reported to AECL after confirming the reproducibility of the error, but AECL replied that it could not be reproduced. However, AECL technicians were also instructed on the required speed and admitted that over-irradiation was reproducible.

AECL finally modified the software, but until the modification, the remedy presented by AECL was 'Attach insulating tape to the contacts so that it will not work even if you accidentally enter the UP key, and UP when re-entering. Press the R key instead of the key to reset and re-enter the entire process from the beginning. '

The Daily WTF says, 'Software has become an integral part of modern life, but it's not always tested in a rigorous process. This article has inspired readers to think about software processes. I hope you will. '

in Posted by log1p_kr