A History of the Introduction and Shut Down of Therac-25
The case history is an overview of the case from the design of Therac-25 to the eventual shut-down of the machine pending redesign. It serves as a short history and guide to the case to give you your bearings.
Therac-25 was released on the market in 1983. In 1987, all treatment with the eleven machines in operation was suspended. Those machines were refitted with the safety devices required by the FDA and remained in service. No more accidents were reported from these machines. At about that time, the division of AECL that designed and manufactured Therac-25 became an independent company.
The major innovations of Therac-25 were the double pass accelerator (allowing a more powerful accelerator to be fitted into a small space, at less cost) and the move to more complete computer control. The move to computer control allowed operators to set up the machine more quickly, giving them more time to speak with patients and making it possible to treat more patients in a day. Along with the move to computer control, most of the safety checks for the operation of the machine were moved to software and the hardware safety interlocks removed.
AECL’s FDA Testing and Safety Analysis
Before release of Therac-25 on the US market, AECL obtained approval to market it from the FDA. This approval was obtained by declaring what FDA called pre-market equivalence. Since the software was based on software already in use, and the linear accelerator was a minor modification of existing technology, designation of Therac-25 as equivalent to this earlier technology meant that Therac-25 bypassed the rigorous FDA testing procedures. In 1984, 94% of medical devices entered the market in this manner. This declaration of pre-market equivalence seems optimistic in that most of the safety mechanisms were moved into the software, a major change from previous version of the machine.
In 1983, just after AECL made the Therac-25 commercially available, AECL performed a safety analysis of the machine using Fault Tree Analysis. This involves calculating the probabilities of the occurrence of varying hazards (e.g. an overdose) by specifying which causes of the hazard must jointly occur in order to produce the hazard.
In order for this analysis to work as a Safety Analysis, one must first specify the hazards (not always easy), and then be able to specify the all possible causal sequences in the system that could produce them. It is certainly a useful exercise, since it allows easy identification of single-point-of-failure items and the identification of items whose failure can produce the hazard in multiple ways. Concentrating on items like these is a good way to begin reducing the probabilities of a hazard occurring.
In addition, if one knows the specific probabilities of all the contributing events, one can produce a reasonable estimate of the probability of the hazard occurring. This quantitative use of Fault Tree Analysis is fraught with difficulties and temptations, as AECL’s approach shows.
In order to be useful, a Fault Tree Analysis needs to specify all the likely events that could contribute to producing a hazard. Unfortunately, AECL’s analysis left out consideration of the software in the system almost entirely. Since much of the software had been taken from the Therac-6 and Therac-20 systems, and since these software systems had been running many years without detectable errors, the analysts assumed there were no design problems in the software. The analysts considered software failures like "computer selects wrong mode" but assigned them probabilities like 4 x 10**-9.
These sorts of probabilities are likely assigned based on the remote possibility of random errors produced by things like electromagnetic noise. They do not at all take into account the possibility of design flaws in the software. This shows a major difficulty with Fault Tree Analysis as it is often practiced. If the only items considered are "failure" items (e.g. wear, fatigue, etc.) a Fault Tree Analysis really only gives one a reliability for the system.
AECL's Response to the Accidents
In July of 1985, AECL was notified that a patient in Hamilton had been overdosed. AECL sent a service engineer to the site to investigate. AECL also informed the United States Food and Drug Administration (FDA), and the Canadian Radiation Protection Board (CRPB) of the problem. In addition they notified all users of the problem and issued instructions that operators should visually confirm hardware settings before each treatment. AECL could not reproduce the malfunction, but its engineers suspected that a hardware failure in a microswitch was at fault. They redesigned the hardware and claimed that this redesign improved the safety of the machine by five orders of magnitude. After modifications were made in the installed machines, AECL notified sites that they did not need to manually check the hardware settings anymore.
In November of 1985, AECL heard of another incident in Georgia. The patient in that incident (Linda Knight) filed suit that month based on an overdose that occurred in June. There is no evidence that AECL followed up this case with the Georgia hospital. Though this information was clearly received by AECL, there is no evidence that this information, was communicated internally to engineers or others who responded to later accidents.
In January of 1986, AECL heard from a hospital in Yakima, Washington that a patient had been overdosed. The AECL technical support supervisor spoke with the Yakima hospital staff on the phone, and contacted them by letter indicating that he did not think the damage they reported was caused by the Therac-25 machine. He also notified them that there have "apparently been no other instances of similar damage to this or other patients."
In March of 1986, AECL was notified that the Therac-25 unit in Tyler, Texas had overdosed a patient. They sent both a local Texas engineer and an engineer from their Canada home office to investigate the incident the day after it occurred. They spent a day running tests on the machine but could not reproduce the specific error. The AECL engineer suggested that perhaps an electrical problem had caused the accident. He also said that AECL knew of no accidents involving radiation overexposure with the Therac-25. An independent engineering firm checked out the electric shock theory and found that the machine did not seem capable of delivering an electric shock to a patient.
On April 11th of 1986, AECL was alerted to another overdose that had occurred in Tyler. After communication with the medical physicist at Tyler, AECL engineers were able to reproduce the overdose and the sequences leading up to it.
AECL filed a medical device report with the FDA on April 15, 1986 to notify them of the circumstances that produced the two Tyler accidents.
At this point, the FDA, having been notified of the first Tyler accident by the hospital, declared Therac-25 defective and ordered the firm to contact all sites that used the machine, investigate the problem, and submit a report called a corrective action plan. AECL contacted all sites and recommended a temporary fix involving removing some keys from the keyboard at the computer console.
The FDA was not satisfied with the notification that AECL gave sites, and in May 1986 required AECL to re-notify all sites with more specific information about the defect in the product and the hazards associated with it. AECL was also at this time involved in meetings with a "user's group" of Therac-25 sites to help formulate its corrective action plan. After several exchanges of information among AECL and the FDA (in July, September, October, November, and December of 1986), AECL submitted a revised corrective action plan to FDA.
In January 1987, AECL was notified of another overdose occurring again at the Yakima, Washington hospital. After sending an engineer to investigate this incident, AECL concluded that there was a different software problem that allowed the electron beam to be turned on without the device that spread it to a safe concentration being placed in the beam.
Therac-25 is Shut Down
In February, 1987, the FDA and its Canadian counterpart cooperated to require all units of Therac-25 to be shut down until effective and permanent modifications were made. After another 6 months of negotiation with the FDA, AECL received approval for its final corrective action plan. This plan included numerous software fixes, the installation of independent, mechanical safety interlocks, and a variety of other safety related changes.
Several of the surviving victims or the deceased victim’s families filed suit in US courts against AECL and the medical facilities using Therac-25. All of these suits were settled out of court.
AECL Medical Goes Independent
The division of AECL that designed and manufactured Therac-25 has become an independent private Canadian company. They still make radiation therapy machines.
Government and FDA response to the Accidents
The Therac-25 case pointed to significant weak links in communication between FDA, medical device manufacturers, and their customers or users. Users were not required to report injuries to any government office, or to the manufacturers of the devices that had caused injury.
A 1986 GAO study found 99% of injuries caused by medical devices were not reported to the FDA. At that time, hospitals reported only about 51% of problems to the manufacturer. The hospitals mostly reported dealing with problems themselves. Problems were mainly the result of wear and tear on machines and design flaws.
The breakdown in communication with hospitals and clinics using medical devices prevented FDA from knowing about the isolated and recurring problems with the Therac-25 until after two deaths occurred in Tyler, TX.
Even when the FDA became aware of the problem, they did not have the power to recall Therac-25, only to recommend a recall. After the Therac-25 deaths occurred, the FDA issued an article in the Radiological Health Bulletin (Dec. 1986) explaining the mechanical failures of Therac-25 and explaining that "FDA had now declared the Therac-25 defective, and must approve the company's corrective action program."
After another Therac-25 overdose occurred in Washington state, the FDA took stronger action by "recommending that routine use of the system on patients be discontinued until a corrective plan had been approved and implemented" (Radiological Health Bulletin, March 1987). AECL was expected to notify Therac-25 users of the problem, and of FDA's recommendations.
After the Therac-25 deaths, the FDA made a number of adjustments to its policies in an attempt to address the breakdowns in communication and product approval. In 1990, health- care facilities were required by law to report incidents to both the manufacturer and FDA.
Material from ComputingCases.org, developed by Dr. Charles Huff of St. Olaf College.