Therac-25 Teaching Introduction
This introduction to the Therac-25 case is for teachers of the case. If you have been assigned to read this case you can find the case narrative in the supporting documents for each case.
Here we provide a guide to the case from the inside or from the teacher’s perspective. This section provides you with:
- Supporting documents (excerpts from a published analysis of the case, an interview with an operator, a memo from a medical physicist, and references)
- An overview of the Socio-Technical system in which the case is embedded
- Ethical analysis of the case (done using the ImpactCS model)
- Specific assignments that you might use in class
Therac-25: Safety is a System Property
Normally, when a patient is scheduled to have radiation therapy for cancer, he or she is scheduled for several sessions over a few weeks and told to expect some minor skin discomfort from the treatment. The discomfort is described as being on the order of a mild sunburn over the treated area. In the case you are about to read, a very abnormal thing happened to several patients: they received severe radiation burns resulting in disability, and, in 3 cases, death.
The Therac-25 was a device that targeted electron or X-ray beams on cancerous tissue to destroy it. Electron beams were used to treat shallow tissue, while photon beams could penetrate with minimal damage to treat deep tissue. Even though operators were told that there were "so many safety mechanisms" that it was "virtually impossible" to overdose a patient, this is exactly what did occur in six documented cases [Leveson].
These massive radiation overdoses were the result of a convergence of many factors, including:
- simple programming errors
- inadequate safety engineering
- poor human-computer interaction design
- a lax culture of safety in the manufacturing organization
- inadequate reporting structure at the company level and as required by the U.S. government
In presenting this case we are not interested in determining who should be blamed for these accidents. All the cases have already gone through the courts and have been settled. We are interested in helping you learn how to think about the design and use of software in safety-critical applications. What are the responsibilities of the organizations and individuals involved? What design decisions and organizational structures led to the accidents? How might different organizational systems or software design have helped avoid or minimize the harm?
As a computer scientist, you will be focussing on the software in this medical linear accelerator. And indeed there are some clear coding errors on which we can focus. However, the more difficult and dangerous problems are those in the design of the entire system, and in the way the software plays its part in that design. These system safety issues are critical to understanding this case and to understanding what it means to design safe software.
Structure of the Therac-25 Case
Our presentation of the case itself is composed of three parts: introductory materials, a description of the machine, and overviews of the participants in the case. Together, these sections give one a good idea of the information each actor in the case had at the time of the accidents.
We reserve any analysis of this case for the teaching section. However, many of the sections contain broad hints regarding the danger of the machine and the particular ways that inadequate software design might cause harm to patients.
The introductory materials provide some background for students to understand the case. There is a general introduction to the case, explanations of how radiation therapy works, and a section on how medical linear accelerators work.
The description of the machine provides an overview of how the Therac-25 itself worked. This includes a description of the turntable, the rooms in which the machine is placed, and the role of the operator in setting up the machine.
There is also a section on the design of the software. This is a high-level introduction to the issues involved in the design of the software. The excerpts from Leveson we provide in the resource section provide much more detail, down to two particular coding errors that probably caused some of the accidents.
Finally there is a section specifically on safety. The issues involved in removing the hardware interlocks are explained, as are the issues of sensing the position of the turntable and of reuse of software from older Therac machines.
The participant overviews present each of the four participants, along with the accounts of each accident. The perspectives of the designer/manufacturer of Therac, of the FDA, of the hospitals, and of the operators of the machines are all presented in some detail. This will allow you to assign individuals to cover the perspectives of each of these groups.
Using the Therac-25 Case in Class
To get acquainted with the case, we recommend you read as much of the case material as holds your attention. You might then turn to the analysis documents to see how we view the ethical issues in the case. Finally, you might at least look at the overview of the supporting documents we provide.
For a more practical turn, you might choose an exercise from our list of exercises. Each exercise will require the use of different supporting documents and of different pieces of the case presentation.
As you develop the exercise that you want to use in your class, you should think of how you might present it on a web page. We hope soon to provide some support to make it easy for you to construct a web page that presents your exercise, as you have modified it, to your students.
Material from ComputingCases.org, developed by Dr. Charles Huff of St. Olaf College.