Therac-25

Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) and CGR MeV of France after the Therac-6 and Therac-20 units. It was involved in at least six known accidents between 1985 and 1987, in which patients were given massive overdoses of radiation, in some cases on the order of hundreds of grays. At least five patients died of the overdoses. These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics.

Problem description
The machine offered two modes of radiation therapy:
 * Direct electron-beam therapy, which delivered low doses of high-energy (5 MeV to 25 MeV) electrons over short periods of time;
 * Megavolt X-ray therapy, which delivered X-rays produced by colliding high-energy (25 MeV) electrons into a "target".

When operating in direct electron-beam therapy mode, a low-powered electron beam was emitted directly from the machine, then spread to a safe concentration using scanning magnets. When operating in megavolt X-ray mode, the machine was designed to rotate four components into the path of the electron beam: a target, which converted the electron beam into X-rays; a flattening filter, which equalized the X-ray beam intensity; a set of movable blocks (also called a collimator), which shaped the X-ray beam; and an X-ray ion chamber, which measured the strength of the beam.

The accidents occurred when the high-power electron beam was activated for X-ray therapy without the target having been rotated into place. The machine's software did not detect that this had occurred, and therefore did not prevent the patient from receiving a potentially lethal dose of radiation. The high-powered electron beam struck the patients directly, causing the feeling of an intense electric shock and thermal and radiation burns. In some cases, the injured patients died later from radiation poisoning.

Root causes
Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:
 * AECL did not have the code independently reviewed.
 * AECL did not consider the design of the software during its reliability modeling.
 * The system documentation did not adequately explain error codes.
 * AECL personnel initially did not believe complaints.

The researchers also found several engineering issues:
 * The design did not have any hardware interlocks to prevent the electron beam from operating in its high-energy mode without the target in place.
 * The engineer had reused software from older models. These models had hardware interlocks that masked their software defects. Those hardware safeties had no way of reporting that they had been triggered, so there was no indication of the existence of faulty software commands.
 * The hardware provided no way for the software to verify that sensors were working correctly (see open-loop controller). The table-position system was the first implicated in Therac-25's failures; the manufacturer gave it redundant switches to cross-check their operation.
 * The equipment control task did not properly synchronize with the operator interface task, so that race conditions occurred if the operator changed the setup too quickly. This was evidently missed during testing, since it took some practice before operators were able to work quickly enough for the problem to occur.
 * The software set a flag variable by incrementing it. Occasionally an arithmetic overflow occurred, causing the software to bypass safety checks.
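The last engineering issue, modelled as an added example (constructed here; this is not AECL's code). It assumes the flag was an 8-bit unsigned variable and that a nonzero value meant "run the safety check", so every 256th increment wrapped it to zero and the check was silently skipped; the hardened setter assigns a constant instead of incrementing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: an 8-bit flag, nonzero meaning "safety check required". */

/* Defective: "setting" the flag by incrementing it. Wraps to 0 on the
 * 256th call, so the flag reads as "no check needed" once per cycle. */
uint8_t set_flag_by_increment(uint8_t flag) {
    return (uint8_t)(flag + 1);
}

/* Hardened: assign a constant; the value no longer depends on history. */
uint8_t set_flag_by_assignment(uint8_t flag) {
    (void)flag;
    return 1;
}

/* Safety check gate: true when the beam/target position must be verified. */
bool check_required(uint8_t flag) {
    return flag != 0;
}

typedef uint8_t (*flag_setter)(uint8_t);

/* Run `passes` iterations of a setup loop with the given flag setter and
 * return how many passes skipped the safety check. */
int count_bypassed_checks(flag_setter set_flag, unsigned passes) {
    uint8_t flag = 0;
    int bypassed = 0;
    for (unsigned i = 0; i < passes; i++) {
        flag = set_flag(flag);
        if (!check_required(flag))
            bypassed++;
    }
    return bypassed;
}

int bypassed_with_increment(unsigned passes) {
    return count_bypassed_checks(set_flag_by_increment, passes);
}

int bypassed_with_assignment(unsigned passes) {
    return count_bypassed_checks(set_flag_by_assignment, passes);
}

int main(void) {
    printf("increment : %d of 1024 passes bypassed the check\n", bypassed_with_increment(1024));
    printf("assignment: %d of 1024 passes bypassed the check\n", bypassed_with_assignment(1024));
    return 0;
}
```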