History's Worst Software Error

00:00

katie yarborough woke up on a warm clear

00:02

june day in 1985 and prepared for her

00:06

12th cancer treatment

00:08

the 61 year old manicurist got dressed

00:10

and drove herself to the kennestone

00:12

regional oncology center in marietta

00:14

georgia where a state-of-the-art linear

00:16

accelerator called the therac-25

00:18

would direct high-energy electrons and

00:21

or x-rays into her lymph nodes as it had

00:23

done for patients in the area thousands

00:26

of times before

00:27

the therac would need only a few seconds

00:29

to painlessly deliver around 200 rads to

00:32

her upper left chest

00:34

but that day

00:35

something went wrong

00:37

yarborough felt a red-hot sensation

00:39

instead of nothing

00:41

you burned me

00:42

she told the technician who quickly

00:44

assured her that this wasn't possible

00:47

over the next few weeks she would need

00:49

one breast fully removed and her left

00:51

arm would become completely paralyzed

00:54

but her useless arm didn't stop her from

00:56

living her life or from driving

00:59

she died five years later when her car

01:01

was struck by a truck

01:03

on a georgia highway

01:05

katie yarborough was the first victim of

01:08

what would be later called some of the

01:09

worst software caused accidents in

01:12

history

01:13

this

01:14

is the true story

01:16

of the therak-25

01:28

how do you treat an insidious and

01:30

deep-seated disease like cancer and its

01:32

many forms without invasive and

01:35

dangerous surgeries

01:36

one answer in use for over a hundred

01:38

years now is radiation or radiotherapy

01:43

the concept is simpler than its name

01:45

suggests

01:46

radiation in the form of high energy

01:48

particles and photons can ionize or

01:51

otherwise change atoms and molecules

01:54

in a sensitive structure like dna enough

01:57

of this damage can lead to the death of

01:59

a cell

02:00

a disease like cancer progresses through

02:03

the unchecked division of cells so why

02:05

not try blasting these mutants with

02:07

radiation that can by its very nature

02:09

pass invisibly through body tissue

02:12

what began in earnest only after world

02:14

war ii and the first nuclear reactors is

02:17

now a highly sophisticated field that

02:20

uses three-dimensional body imaging and

02:22

targeted beams of radiation from linear

02:24

particle accelerators to prevent

02:27

halt and otherwise destroy cancer cells

02:30

in the best cases radiotherapy is

02:32

considered an effective weapon in 4 out

02:35

of 10 cancers

02:36

no scalpel required

02:38

in 1976 aecl medical a division of

02:42

atomic energy of canada limited

02:44

developed a revolutionary double pass

02:46

accelerator which streamlined linear

02:48

accelerator designs by using

02:50

electromagnets to send beams through a

02:52

target twice instead of once

02:55

the therak-25 was one such double pass

02:58

machine 7 feet high and 12 feet wide

03:01

smaller than previous accelerators also

03:04

unlike the accelerators of old the

03:06

therac-25 was run principally by

03:08

software instead of hardware lines of

03:11

code instead of interdependent physical

03:14

mechanisms

03:15

in 1983 aecl performed a safety analysis

03:18

on the new machine and started selling

03:20

the therak25 to excited customers

03:23

this state-of-the-art device was in high

03:25

demand

03:27

however

03:28

left out of that 1983 analysis was any

03:30

interrogation of the software that ran

03:33

these complicated devices of the code

03:35

based on the older therak-20 model and

03:38

written by a single person

03:40

a coding hobbyist

03:42

who left the company in 1986.

03:45

he remains unidentified to this day

03:49

two weeks after katie yarborough told

03:51

her technician that she felt a burning

03:53

sensation during her cancer treatment

03:55

there was a red mark the size of a dime

03:57

on her chest

03:59

and directly opposite that mark a larger

04:01

disc on her back

04:03

tim still the medical physicist at

04:05

kennestone examined her

04:08

that looks like the exit dose made by an

04:10

electron beam

04:12

he said

04:13

it looked nothing like what could be

04:15

created by her prescribed 200 rad dose

04:18

the physicist later estimated what

04:20

actually hit yarborough was closer to 20

04:23

000 rats hundreds of times more than

04:26

what you'd receive standing inside a

04:28

failed reactor at fukushima daiichi

04:32

but dr still wasn't able to recreate a

04:34

beam of that strength with the machine

04:36

himself so he contacted a professional

04:38

organization to tell them what had

04:40

happened he quickly got a call from the

04:43

aecl in response telling him to stop

04:45

making these claims without any proof

04:48

they assured him that such an overdose

04:51

simply wasn't possible

04:56

over the next few weeks the dime-sized

04:59

red circle on yarborough's chest became

05:01

a hole

05:03

skin grafts failed as any new tissue

05:06

simply rotted away

05:08

her left breast recently cancer-free

05:11

had to be entirely removed

05:13

her left arm

05:14

was now immobile

05:16

many sources report it was though a

05:18

slow-motion gunshot wound had gone

05:21

through her chest and out of her back

05:24

yarburo would hire a lawyer and sue the

05:26

hospital and aecl in the october of 1985

05:31

but she wouldn't live to find out the

05:33

reason why nanoscopic bullets

05:36

had done this to her

05:39

seven weeks later concerningly similar

05:41

to katie yarbrough a 40 year old woman

05:44

with cervical cancer arrived for her

05:45

most recent therak-25 treatment at the

05:48

hamilton regional cancer center in

05:50

ontario canada

05:53

she too was hit with a slow-motion

05:55

bullet complaining of tingling electric

05:58

shocks during treatment

06:00

it would be later estimated that what

06:02

the therak operator had mistakenly

06:04

irradiated her hip width several times

06:07

was a total

06:08

of 17 000 rats

06:11

a larger dose than what harry dogly and

06:14

junior or louis slaughten received

06:16

from the demon core

06:19

the aecl was informed immediately and

06:22

had an engineer dispatch to examine the

06:24

unit

06:25

the micro switches that controlled the

06:26

position of the unit's turntable were

06:28

deemed faulty and a software change to

06:31

constantly check the turntable position

06:33

was introduced

06:35

aecl would later claim in a september

06:37

letter to customers that this change had

06:39

increased the safety of the therac-25 by

06:42

five orders of magnitude

06:44

but

06:45

the cervical cancer patient died a month

06:47

before this pronouncement

06:49

on november 3rd

06:51

her official cause of death was her

06:52

cervical cancer

06:54

though an autopsy revealed that if she

06:56

had lived her hip

06:58

obliterated by high energy radiation

07:01

would have to have been entirely

07:02

replaced

07:04

five days later a letter from the

07:05

canadian radiation protection bureau

07:08

begged aeco for hardware fail-safes and

07:11

additional software changes but nothing

07:13

came of it

07:16

a month after the heavily irradiated

07:18

cervical cancer patient died it happened

07:20

again

07:21

a therak-25 unit at the yakima valley

07:24

memorial hospital in washington state

07:26

supposed to be now 9 million percent

07:28

safer hit another cervical cancer

07:31

patient in the hip with more radiation

07:33

than what cecil kelly endured when a

07:35

whirlpool of plutonium

07:37

went prompt critical in his face

07:40

thankfully the woman ultimately suffered

07:42

only minor disability and scarring

07:45

the more impactful outcome was that

07:47

doctors and therak-25 operators in the

07:49

u.s and canada were now talking to each

07:51

other

07:52

something was going on that the aecl

07:55

obviously wasn't addressing or didn't

07:57

care to

07:58

two months later aecl declared that

08:01

after careful consideration we are of

08:04

the opinion that this damage could not

08:06

have been produced by a malfunction of

08:08

the therac-25 or by any operator error

08:12

end quote

08:13

however

08:15

over the next 12 months

08:17

therap-25 malfunction and operator error

08:20

would kill three cancer patients

08:25

the therac-25 software likely had around

08:28

100 000 lines of code

08:30

small by today's standards but

08:32

complicated nonetheless

08:34

and error-prone

08:36

operators would later testify that they

08:38

encountered as many as 4 serious error

08:40

messages a day

08:42

many of those errors would simply read

08:44

malfunction with a number from 1 to 64.

08:48

these numbers were not explained not by

08:50

aecl not in any

08:52

manual operators also admitted that they

08:55

became accustomed to this ambiguity

08:58

rather than fearful of it

09:00

they could and did simply press p to

09:03

proceed

09:04

without knowing whether or not an error

09:06

code was benign or potentially deadly

09:09

it was part of the job to keep an

09:11

expensive and sought after machine like

09:13

the therak running

09:14

malfunction 54 one of these mysterious

09:18

undefined errors would turn out to be

09:20

the one you couldn't skip past

09:23

but it would take three catastrophes

09:25

before anyone figured out what they were

09:27

allowing to happen

09:28

[Music]

09:31

voyn ray cox lay beneath the therak-25

09:34

unit at the east texas cancer center in

09:36

tyler texas for his ninth cancer

09:38

treatment a technician set his dose at

09:41

180 rads

09:43

then she noticed a mistake

09:45

she had selected x for x-ray instead of

09:48

e for electron beam

09:51

she quickly moved the cursor made the

09:53

change and activated the machine

09:56

malfunction 54.

09:58

used to this by now she hit proceed

10:00

anyway

10:01

mr cox then felt a powerful shock

10:05

according to reporting done by barbara

10:06

wade rose cox tried to get up but

10:09

because the intercom for the room just

10:11

happened to be broken that day the

10:13

technician didn't see him struggling

10:15

or hear him screaming

10:17

so she hit him again

10:19

another shock ripped through mr cox

10:22

the technician only stopped when she

10:24

heard cox slamming the door she was

10:26

behind with his fists

10:28

he was examined by physicians

10:30

and sent home

10:31

told to return if anything changed

10:34

a few weeks later he returned to the

10:36

hospital

10:37

spitting up blood

10:39

[Music]

10:40

after the accident no one can reproduce

10:43

malfunction 54.

10:45

aecl told the hospital that an overdose

10:47

was impossible suggesting maybe it was

10:50

indeed an electric shock that produced

10:52

the sensations mr cox felt but

10:54

ruled that out too

10:56

the company claimed it knew of no other

10:58

similar accidents so the use of the

11:01

therak unit resumed 17 days later

11:05

voin ray cox died the following august

11:08

after receiving a calculated dose higher

11:10

than the worst dose a liquidator would

11:12

receive when the chernobyl nuclear power

11:14

plant exploded

11:16

just a month later

11:19

only four days after the therac at the

11:21

east texas cancer center was back online

11:24

66 year old bus driver vernon kidd

11:26

walked through the lobby on the way to

11:28

his scheduled treatment

11:29

he was to have a therak-25 aimed at the

11:32

skin cancer on his face

11:34

malfunction 54

11:37

treatment proceeded

11:39

a loud noise brought the technician back

11:40

into the room to find mr kidd writhing

11:43

in pain

11:44

confused

11:46

he said it had felt like something hit

11:48

him on the side of the face

11:50

he saw a flash of light

11:52

heard an intense

11:53

sizzling sound

11:55

the therak-25 unit at the center was

11:57

shut down until the cause could be

11:58

determined

12:00

verdan kidd died a month later from

12:02

radiation-induced damage to his brain

12:04

and brain stem

12:06

his death

12:07

four months before the death of voyn ray

12:09

cox was the first recorded fatality from

12:12

radiation treatment

12:13

in medical history

12:16

the therac technician on site that day

12:19

and physicist dr fritz hager stayed the

12:21

weekend after the kid accident

12:23

attempting to recreate malfunction 54

12:26

the malfunction that aecl said wasn't

12:28

possible

12:29

they changed the machine's modes moved

12:31

the cursor quickly up and down and typed

12:34

in different treatment instructions for

12:36

hours upon hours and then suddenly

12:39

they did it

12:40

dr hager telephoned to aecl immediately

12:43

the fda already investigating the

12:45

accidents declared the therak-25

12:48

defective and demanded a corrective

12:50

action plan or cap from the company

12:53

a letter soon went out from the aecl to

12:56

all therac-25 users

12:59

quote effective immediately and until

13:01

further notice the key used for moving

13:03

the cursor back through the prescription

13:05

sequence must not be used for editing or

13:07

any other purpose

13:09

end quote it was something that everyone

13:12

had missed and it was finally going to

13:14

be fixed

13:15

but

13:16

even after everyone knew what

13:18

malfunction 54 was and how to fix it

13:21

the accidents continued

13:26

you don't think of software as something

13:28

being able to fail

13:30

once working code is in a computer how

13:32

could it bend like a steel beam or break

13:35

like a pane of glass

13:37

but like any machine there's a

13:38

difference between how it's supposed to

13:40

be used in theory and how it's actually

13:43

used in practice

13:45

the therac-25 used magnets to filter and

13:48

control powerful beams of radiation

13:50

magnets that after an input was received

13:53

physically took eight seconds to move

13:56

everything into position

13:59

fine in theory

14:01

what dr hager had figured out was that

14:03

if an operator set radiation levels and

14:06

then made a change to those levels

14:08

within the eight seconds it took for the

14:10

magnets to move

14:12

the change was not detected the magnets

14:14

were already in motion

14:16

this could and did allow powerful

14:19

unfiltered beams of radiation to strike

14:22

patients

14:25

this animation reproduced in spanish

14:27

shows the sequence of events needed to

14:29

produce malfunction 54.

14:32

in theory an operator would make a

14:34

change and then wait for the magnets in

14:36

the machine to move

14:38

but an experienced operator working with

14:40

the therac every single day encountering

14:42

multiple error messages a shift is in

14:45

practice more than likely of making a

14:48

change like changing a beam from x-ray

14:50

to electron within 8 seconds

14:53

there was no code in place to check

14:55

whether the prescribed input on the

14:57

monitor match what the machine was

14:59

actually set up to do

15:01

the therac-25's reliance on software and

15:04

not hardware interlocks like previous

15:06

models

15:07

also meant that input errors didn't have

15:10

mechanical fail-safes that wouldn't

15:12

listen to the mistakes that ended up

15:14

fatally irradiating people

15:18

with malfunction 54 finally identified

15:21

aecl sent the first corrective action

15:23

plan to the fda part of which were

15:26

changes to the therax software to tell

15:28

the machine where the cursor actually

15:30

was

15:31

the cap was revised twice by the fda

15:33

over the next few months and tharac25s

15:36

were back in use before the end of the

15:37

year

15:39

six weeks later

15:41

a therak unit killed again

15:44

on january 17th 1987 glenn dodd 65

15:49

walked into the yakima valley memorial

15:51

hospital for treatment of a carcinoma

15:54

his disease was to be flooded with 86

15:56

rats

15:58

the therak instead bombarded the man's

16:00

chest with ten thousand

16:03

he died from acute radiation poisoning

16:05

three months later

16:07

the staff at yakima reportedly stopped

16:09

using the machine altogether after this

16:11

accident they were paranoid they thought

16:14

this had been fixed

16:15

this was safe

16:17

what did they miss

16:18

what was going on

16:20

eventually it was discovered that the

16:22

therac25 had another invisible software

16:25

error

16:26

inside the code was a so-called

16:28

housekeeper task that would constantly

16:30

check whether or not the machine's

16:31

turntable was in the correct position

16:33

make adjustments if necessary and then

16:36

revert to zero

16:37

anything other than a zero in the code

16:39

therefore was an error and the machine

16:42

would not proceed with treatment again

16:45

good in theory

16:46

however like your car's odometer this

16:49

code ticked up checks only until a

16:51

certain value in this case one byte of

16:54

memory

16:55

256

16:57

after that it would tick over to zero

16:59

out of necessity

17:01

if a technician entered an erroneous

17:03

treatment at this precise moment

17:06

just an instant before the next check

17:08

the computer would read a zero

17:10

no errors

17:11

and proceed

17:13

this is called arithmetic overflow

17:16

and it's what killed glenn dodd

17:19

in february 1987 the fda again declared

17:23

the therak 25 defective recommended that

17:25

all units be taken out of service until

17:28

corrective action could be taken

17:30

finally the accident stopped

17:36

after months of revisions aecl told

17:38

customers that the fda had accepted a

17:41

final corrective action plan it included

17:43

23 software changes and six hardware

17:46

safety features

17:47

the largest of which was a dose per

17:49

pulse monitor affixed to the machine

17:51

that would shut down dangerous doses

17:54

even if all the software safety checks

17:56

failed

17:57

however

17:58

unsurprisingly

17:59

after high profile and unprecedented

18:02

accidents

18:03

the therak was no more

18:05

in 1988 aecl dissolved their medical

18:08

division and lawsuits from families were

18:11

settled out of court

18:12

at the time of this recording with a

18:14

cursory search i was unable to find any

18:16

hospital actively using a therap-25

18:20

even if they are which isn't unlikely

18:22

the machines are probably under a

18:24

different name or company

18:26

even without any further incidents to

18:28

point to today

18:30

no hospital wants to draw active

18:32

comparison

18:33

to disaster

18:36

today the therac25 is more a staple of

18:39

ethics and computer science class

18:41

required readings than it is of medicine

18:43

a unique case study of what can go wrong

18:45

when new technology is trusted

18:47

implicitly and when ethical decision

18:50

making malfunctions aecl assumed that

18:52

the software for the therac-25 written

18:55

by a single unidentified hobbyist and

18:58

imported from the older therak-20 model

19:00

did not have residual software errors to

19:02

be tested

19:03

it didn't consider how the machine was

19:05

being used in practice never envisioning

19:08

something like malfunction 54

19:10

the company repeatedly denied knowing of

19:12

any accidents and believed that

19:14

overdoses were impossible

19:17

it made proclamations like five orders

19:19

of magnitude increases in safety that

19:22

were physically impossible

19:24

today the fda requires documentation on

19:27

all software for new medical products

19:30

which the therac-25 didn't have

19:32

that can be investigated independently

19:36

ten years after the deadliest software

19:38

errors in history reporter barbara wade

19:41

rose asked bill bird the lawyer for the

19:43

first therac victim katie yarborough to

19:45

comment on the events

19:48

quote

19:49

the thing that amazes me

19:50

is that the people who develop these

19:52

machines are surely some of the most

19:54

brilliant people in the world

19:56

this machine was unbelievably

19:58

sophisticated

19:59

and yet

20:01

nobody would have gotten hurt

20:03

if somebody had just used common sense

20:08

until next time

20:12

[Music]

20:21

[Music]

20:34

[Music]

20:41

[Music]

21:04

you