A Brief History of: The killer Therac-25 Radiotherapy machine (Short Documentary)
Summary
TLDR: The video explores the Therac-25 radiotherapy unit, which, due to software flaws, delivered lethal doses of radiation to patients. It discusses the machine's design, its reliance on computer systems over mechanical safety interlocks, and the tragic incidents that occurred between 1985 and 1987. The script also covers the legal actions taken against the manufacturer and the eventual corrective measures implemented to prevent such disasters.
Takeaways
- The Therac-25 was a radiotherapy unit that used a medical linear accelerator to treat cancer by accelerating electrons to create a high-energy beam.
- The unit's software was responsible for controlling the machine, including monitoring status, setting up treatment parameters, and activating the beam, but it had critical flaws that led to overexposure incidents.
- Therac-25's innovation was a double-pass system that allowed a long accelerator to fit into a smaller space, but this came with increased reliance on software for safety.
- The software was programmed by a single person and was based on the code from previous models, the Therac-6 and Therac-20, with limited testing and no independent review.
- Mechanical interlocks that provided a final safety check in previous models were replaced with software controls in Therac-25, which had undiscovered bugs.
- Therac-25's computer system did not use a standard operating system and had a proprietary real-time OS, which lacked safeguards against software errors.
- Six incidents of incorrect high current electron beams being delivered to patients occurred between 1985 and 1987, leading to severe injuries and deaths.
- After the incidents, the manufacturer, AECL, implemented a corrective action plan including hardware safety interlocks and other hardware and software changes.
- The incidents highlight the risks of over-reliance on computer systems for safety-critical operations without thorough testing and independent code review.
- The consequences of the software flaws in Therac-25 were devastating for the patients involved, resulting in severe disabilities and fatalities.
Q & A
What is the primary function of radiation therapy machines?
-Radiation therapy machines are used in the treatment of certain cancers, utilizing ionizing radiation to target and destroy cancer cells while minimizing damage to surrounding healthy tissue.
What safety concerns are associated with radiotherapy units?
-Safety concerns include the accurate dosage of radiation, proper storage and disposal of units, and the reliability of the software controlling the machines to prevent overexposure to patients.
How does a medical linear accelerator like the Therac 25 work?
-A medical linear accelerator, such as the Therac 25, accelerates electrons to create a high-energy beam used for treating localized areas like tumors. It can switch between electron and X-ray modes for different treatment depths.
What was innovative about the Therac 25's design?
-The Therac 25's innovation was the double-pass system, which allowed a long accelerator to be compacted into a smaller space, enabling the delivery of 25 MeV of photons or electrons at various levels.
Why was the software of the Therac 25 considered a critical component?
-The software of the Therac 25 was critical because it controlled the entire unit, including machine status monitoring, treatment setup, beam activation, and safety interlocks, replacing the mechanical interlocks of previous models.
What were the consequences of the software glitches in the Therac 25?
-The software glitches in the Therac 25 led to several incidents of patients receiving overdoses of radiation, resulting in severe injuries and fatalities.
How did the lack of independent software review contribute to the Therac 25 incidents?
-The lack of independent software review meant that issues within the software were not identified and rectified, leading to a false sense of security and complacency among operators.
What actions did AECL take after the incidents with the Therac 25?
-AECL eventually implemented a corrective action plan that included a hardware safety interlock and other hardware and software changes to address the identified software and safety issues.
What was the role of the FDA in the Therac 25 case?
-The FDA launched a probe into the unit's safety systems, which likely prompted AECL to start looking into the system after multiple incidents of overdose had occurred.
How did the design culture and assumptions about the Therac 25's safety contribute to the incidents?
-The design culture assumed that the system would only be linked to hardware failures and that the software was reliable, leading to a lack of consideration for software errors and insufficient testing.
Outlines
The Therac-25 Radiotherapy Unit and its Software Failures
The video script discusses the Therac-25 radiotherapy unit, a medical linear accelerator used for cancer treatment. It highlights the importance of precision in radiation therapy and the potential dangers of software errors. The Therac-25, developed by AECL and CGR, was designed to deliver precise doses of radiation to cancerous tumors. However, due to software flaws and over-reliance on computer control systems, it led to several incidents of severe radiation overdose, resulting in serious injuries and fatalities. The machine's software, which was not independently reviewed, was responsible for controlling the treatment parameters and activating the radiation beam, but it failed to account for critical errors, leading to tragic consequences.
The Consequences of Software Errors in Radiotherapy
This section of the script details six incidents involving the Therac-25 radiotherapy unit where patients received dangerously high doses of radiation due to software glitches. The incidents, which occurred between 1985 and 1987, led to severe injuries and deaths. The video describes each case, including the patient's treatment, the operator's actions, and the subsequent health impacts. The software's inability to handle errors properly and the lack of hardware interlocks to prevent overdoses are emphasized as key factors contributing to these tragic outcomes. The script also mentions the legal actions taken against the hospital and the manufacturer following these incidents.
Corrective Actions and Lessons Learned from the Therac-25 Incidents
The final paragraph of the script outlines the corrective actions taken by AECL in response to the overdose incidents involving the Therac-25. These actions included the implementation of a hardware safety interlock and other hardware and software changes to prevent similar errors from occurring. The video concludes with a discussion on the importance of rigorous testing and the dangers of complacency when dealing with life-critical systems. It also reflects on the broader implications of relying on software in medical devices and the need for robust safety measures to protect patients.
Keywords
Radiation Therapy
Ionizing Radiation
Linear Accelerator
Software Bug
Computer Control Systems
Treatment Dose
Malfunction
Mechanical Interlocks
Real-Time Operating System (RTOS)
Hardware Safety Interlock
Overexposure
Highlights
Radiation therapy machines are crucial in the fight against certain cancers, but they require extreme caution in use, storage, and disposal.
The Therac-25 radiotherapy unit had a fault in its software that led to delivering dangerous doses of radiation.
The reliance on computer systems for safety-critical operations in the 1980s resulted in deadly consequences with the Therac-25.
The Therac-25 was a medical linear accelerator that used electrons to treat localized areas, such as tumors.
The machine's advantage was that it left surrounding tissue unaffected, which could be beneficial for certain cancer treatments.
The Therac-25 was developed through a collaboration between AECL and CGR, incorporating a double-pass system for compact design.
The unit used a PDP-11 computer with software controls, replacing mechanical interlocks with software for safety.
The software was not independently reviewed and was developed with limited testing, leading to undiscovered bugs.
The software had a glitch that could cause an overdose if the treatment mode was not correctly aligned with the magnets' settings.
There were six incidents of incorrect high current electron beams being delivered to patients over a two-year period.
The first incident led to a patient experiencing severe burns and the eventual removal of her breast and loss of arm function.
In subsequent incidents, patients experienced symptoms like tingling, redness, and swelling, which were initially dismissed as normal reactions.
Operators became complacent with error messages due to the machine's frequent false alarms, which masked real faults.
AECL initially denied responsibility for the overexposure incidents, maintaining confidence in the unit's software and hardware.
The company eventually implemented a corrective action plan with hardware and software changes after the fifth overdose incident.
The video serves as a cautionary tale about the risks of relying too heavily on computer systems without proper testing and safety measures.
Transcripts
[Music]
radiation
therapy machines are relied on in the
battle against certain cancers
many place their trust and hopes of
survival on the effectiveness of such
equipment
however when harnessing ionizing
radiation extreme caution needs to be
exercised
this goes for the safe storage and
disposal of units but also
and more regularly in the actual dose
used to treat the patients
if you like what we're doing here at
plainly difficult consider helping the
channel grow by liking commenting and
subscribing
let's get started
[Music]
today we're looking at the therac-25
radiotherapy unit
and its victims however unlike other
radiotherapy units on this channel
the death toll was equated to a fault
with the unit software
giving dangerous doses of radiation
today i'm going to rate this subject
here on the plainly difficult disaster
scale in the 21st century
we rely on computer control systems for
almost
everything as the accuracy of the
digital realm on the whole outperforms
that of a human
however in the mid to late 1980s the
reliance of a computer system
for safety critical operations led to a
deadly result
unlike other radiotherapy units that use
an active
radioactive source such as cobalt the
therac-25 was a medical linear
accelerator this type of machine
accelerates electrons via a gun
to create a high energy beam the beam is
used for treating a small localized area
usually in the form of a tumor the
advantage
is that the surrounding tissue is
unaffected some cancers can respond
well to small doses of radiation in turn
killing off the deadly cells halting the
spread of the disease
with the therac machine shallow
treatments are dealt with
accelerated electrons whereas deeper
targets
are reached by converting the beam to
x-ray photon beams
the therac-25 was a genesis born from a
collaboration
with aecl the atomic energy of canada
limited company and a french company
called
cgr during the 1970s several units were
deployed and put into production
the first of which was the 6 million
electron volt therac-6
followed by the 20 mev dual mode
therac-20.
both these units used micro computers
but were developed versions of cgr
designs
the computers used in these units only
added the ease of use
and mechanical interlocks were still
employed essentially these units were
standalone
and the machines they were derived from
didn't make use of computers
during the 1970s aecl developed a double
pass system
the innovation of the therac-25 was that
the designers found
a way to fold the beam back and forth so
a very long accelerator could be fit
into a smaller space
the 25 mev therac-25 made use
of the new system the unit could deliver
25 mev
of photons or electrons at various
levels
it also had a field light mode which
allowed the patient to be correctly
positioned by illuminating the treatment
area with visible light
the unit made use of the same pdp-11
computer
as the 6 and 20. however the computer
was not just an add-on but instead had
the whole unit
controls designed around the computer
system with the extra reliance on the
computer
mechanical interlockings were replaced
with software
this meant that the safety was ensured
within the computer
the software for the new unit was
written using the code from the therac-6
as a base
and had evolved to the 25 by the
therac-20.
the software was programmed only by one
person in depositions from later
lawsuits
the company admitted to conducting small
amounts of software testing in a
simulator
during development only around 2700
hours of operation was racked up
the software was responsible for machine
status monitoring
inputting desired treatment and setting
up the unit for treatment
the software also activated the beam
depending
on operator input and once treatment was
complete would also switch off the beam
this relied on system checks being
carried out by the computer
the computer didn't make use of a
standard operating system and instead
used a proprietary real-time os the
software had four major components
stored data a scheduler a set of critical
and non-critical tasks and interrupt
services
the software controlled interlocks were
designed to remove power from the unit
in the case of a failure the system used
a fault tree in the event of a hardware
failure
however it did not consider computer
software errors a culture of the design
of the unit
thought that all errors in the system
would only be linked to hardware
failures
there were two ways that the unit
software could shut down operation
treatment suspend or treatment pause a
treatment suspension hinted at
a serious error and required a complete
system restart
a treatment pause which the system
deemed as not serious
only required a single key command to
restart the machine
and all treatment parameters remained
intact the danger of this was that an
operator could quickly override the
system fault
by just using the p key in total the
system would allow five pauses
before a total restart was needed during
development
aecl didn't have the software code
independently reviewed
issues within the software had not been
highlighted on the therac-6
and 20 units due to their hardware
interlocks
thus providing final safety but the
therac-25 had got rid of these and this
would mean
the bugs in the software could ignore
key safety critical systems
in 1975 the prototype of the therac-25 was
constructed
and commercial availability began in
1982
in total 11 units were installed with
five in the usa
and six in canada there are six
incidents of incorrect high current
electron beams
generated in x-ray mode being delivered
to patients
these happened over a two-year period
between 1985 and 1987.
the first instance took place in june
1985 a 61 year old female patient was
receiving follow-up treatment
after removal of a tumor from one of her
breasts she was to receive treatment in
the neighboring lymph nodes
this particular machine had been
operating for six months
at kennestone regional oncology center
in marietta georgia the machine was set
up for what was thought to be
a 10 mev electron dose upon commencement
of treatment
the patient experienced a burning
sensation on the treatment area
after treatment the patient reported
redness and swelling in the area her
shoulder froze and began to experience
spasms
after being admitted to hospital her
doctors continued to send her
for therac-25 radiation treatments
aecl denied that the machine burned the
patient
and it was thought that her bodily
reaction was normal in connection with a
correct dose
eventually the patient's breast had to
be removed and she completely lost the
use of her shoulder and
arm in october the patient filed suit
against the hospital and the
manufacturer of the machine
the second incident was in july 1985 at
the ontario cancer foundation clinic
in canada the 40 year old patient was on
her 24th treatment from the therac-25.
during the session the unit
initiated a treatment pause due to the
computer indicating that no dose had
been administered
the operator pushed the p button to
override the error the machine shut down
a few more times
each instance being overridden by the
operator however the patient complained
of tingling in the treatment area
and overexposure was suspected with the
patient being hospitalized
they died three months later in relation
to their cancer
the third incident happened at yakima
valley hospital
in 1985. the patient a woman had
developed red parallel strips on the
treatment area on her hip
her condition was thought to be normal
and was sent back for more
therac-25 sessions radiation overexposure
was not considered until over a year
later eventually the patient received
surgery and experienced minor disability
and scarring
the east texas cancer center in march
1986
would experience the fourth in this
series of incidents the patient
a male was to receive therapy on his
upper back during his ninth treatment
with the machine
the machine had been in operation at the
hospital for two years treating around
500 patients during that period
during setting up the session the
operator had typed in incorrect
treatment information
by indicating x-ray instead of electron
mode
the operator edited this easy to make
mistake by using the cursor up key
she correctly filled in all other
parameters so once the x was changed to
an e
after pressing enter the terminal
display indicated
all parameters were verified next the
system prompted the operator to begin
beam
by pressing the b key the machine shut
down with a treatment pause
and a malfunction 54 error was displayed
on the screen
this error message indicated that either
a dose too high
or a dose too low had been delivered the
display terminal was showing a
substantial
underdose the operator who was
experienced with the machine
thought it was just a usual quirk and
pressed the p button to proceed
again a malfunction 54 message was
displayed
however due to a malfunction in the
software two doses of the maximum of 25
mev was administered
meanwhile inside the treatment room the
patient felt a burning sensation on his
back
upon the first attempt of delivery of a
dose he had attempted to get up from the
treatment table
before the second dose which had hit him
in his arm
after the second attempt he made his way
to the door of the treatment room
banging on it to get the attention of
the operator
as an unfortunate turn in luck the audio
and video link between the two rooms was
out of order that day
meaning that the operator had no way of
seeing or hearing the patient
the patient eventually lost the use of
his left arm and both legs
was unable to speak and had several
other complications
he died five months later linked to his
incident in the therac-25.
a month later in april at the same
center another instance with the same
operator would take place
much like the previous incident the
operator had incorrectly typed
x instead of e and had gone to correct
her mistake
using the cursor up key what was
different this time was that the
intercom was working and the operator
heard a noise from the machine
and a groan from the patient the
intended dose was 10 mev to the face
however like before this was far
exceeded the patient was rushed to
hospital
where he fell into a coma and passed
away three weeks later
from severe neurological damage the
final incident
occurred at yakima valley hospital in
january 1987
an operator placed a patient for small
position verification doses the total
dose was to be
86 rads which consists of two
verification doses
and then a prescribed dose after
attempting to administer the dose
the machine shut down with a malfunction
message and a treatment pause
the operator pushed the p button and the
machine paused again
like in every other case the patient had
felt a burning sensation in the
treatment area
which should not have been the case due
to the dose being very low
this patient died three months later and
it was thought that he had received
up to ten thousand rads after each of
the incidents
aecl denied that the units could have
been the cause of the overexposure
as the company had misplaced high levels
of confidence in the software
and hardware combination as long as they
had blind confidence in the unit
faults could not be identified and
rectified as they presented themselves
it wasn't until the fifth instance of
overdose that the company started to
look into the system
although this might have been because
the fda was also launching a probe
into the unit safety systems the key
issue with the therac-25 was in its
software a strange quirk
was once an operator entered information
at the terminal outside the treatment
room
the magnets used to filter and control
radiation levels were set
due to the number of magnets this
process took about eight seconds
if an edit was made straight away in say under 1
second the software would adjust
accordingly
similarly if an edit was made after the
magnets had been positioned the edit
would be registered
however if an edit was made during the
magnet alignment time
it would not be registered by the system
once the magnets are set
no test is performed by the software to
double check that the treatment
information entered
matches how the magnets are set this
issue is a direct result of the dual
mode element of the machine
much higher levels of radiation are
needed in photon mode to produce the
same levels of output in electron mode
meaning
if the beam is set for photon mode but
the turntable is set up for electron
mode
a radiation overdose occurs and the
operators
were none the wiser the same software
glitch was in the programming of the
therac-20.
however the hardware interlocks
prevented the overdose and
as described at the beginning of the
video these interlocks were not built
into the 25
the other software glitch allowed the
electron beam to activate during field
light mode
during which no beam scanner was active
or target was in place
stringent and extensive testing was not
undertaken by aecl
as only one programmer was used limiting
the amount of program testing that could
be done
during development and also as a result
of stretched resources
code was copied from previous machines
it was assumed by the company that
as previous units have been safe that
adding to an already established
computer system
wouldn't need testing improving the
poorly engineered software had led the
operators and technicians to become
complacent with
the error messages displayed to them
this was because the units would
regularly spew out confusing errors
eventually conditioning operators to
not investigate spurious failures
arguably the operators should have
demanded equipment
that could operate fault free however
aecl had sold them the lie
that the system would not let an instance
of overdose
even though this was proven to be false
aecl eventually set out a corrective action
plan
which included a hardware safety
interlock and
20 other hardware and software changes
the therac-25
after these changes went back into
service
i hope you enjoyed the video if you'd
like to support channel financially you
can on patreon from one dollar per
creation
that gets you access to votes and early
access to future videos
i have youtube membership as well from
99 pence per month
and that gets you early access to videos
as well
check me out on twitter and also if
you'd like to wear my merch you can
purchase it at my teespring store
and all that's left to say is thank you for
watching
[Music]
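The edit-timing flaw and the missing cross-check described in the transcript, as a simplified simulation added here (it is not code from the video or from AECL's software). The `Console` class, the function names and the simulated clock are assumptions made for illustration; the 8-second setup window and the under-1-second case are the figures the video gives.

```python
from dataclasses import dataclass
from typing import Optional

SETUP_SECONDS = 8.0       # magnet alignment time quoted in the transcript
EARLY_EDIT_SECONDS = 1.0  # "say under 1 second": early edits are still picked up


@dataclass
class Console:
    """Constructed model: what the operator sees vs. what the hardware was set to."""
    screen_mode: str = ""                  # 'X' (x-ray) or 'E' (electron) on the terminal
    hardware_mode: str = ""                # mode the setup task actually configured
    setup_started: Optional[float] = None  # simulated clock, in seconds

    def enter(self, mode: str, t: float) -> None:
        """Operator types or edits the treatment mode at simulated time t."""
        self.screen_mode = mode            # the display always shows the edit
        if self.setup_started is None:     # first entry starts the setup
            self.setup_started, self.hardware_mode = t, mode
            return
        elapsed = t - self.setup_started
        if elapsed < EARLY_EDIT_SECONDS:   # early edit: the setup adjusts
            self.hardware_mode = mode
        elif elapsed >= SETUP_SECONDS:     # edit after setup: a new setup runs
            self.setup_started, self.hardware_mode = t, mode
        # Otherwise the edit lands inside the alignment window and is
        # silently dropped: screen and hardware now disagree.


def beam_on_unchecked(c: Console, t: float):
    """Behaviour as described: no test that the entry matches the setup."""
    return ("BEAM", c.hardware_mode)


def beam_on_checked(c: Console, t: float):
    """Added cross-check; any failure is a suspend (restart), not a pause."""
    if c.setup_started is None or t - c.setup_started < SETUP_SECONDS:
        return ("SUSPEND", "setup not complete")
    if c.hardware_mode != c.screen_mode:
        return ("SUSPEND", "entered mode does not match hardware setup")
    return ("BEAM", c.hardware_mode)


def scenario(edit_time: float, beam_time: float, beam_fn):
    """Operator types X at t=0, corrects it to E at edit_time, then starts the beam."""
    c = Console()
    c.enter("X", 0.0)
    c.enter("E", edit_time)
    return c.screen_mode, beam_fn(c, beam_time)


if __name__ == "__main__":
    for edit_time in (0.5, 4.0, 10.0):
        for fn in (beam_on_unchecked, beam_on_checked):
            print(edit_time, fn.__name__, scenario(edit_time, edit_time + 9.0, fn))
```

This check runs in the same computer as the code it guards; the corrective action plan the video describes also added a hardware safety interlock.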