Therac-25 was a new generation medical linear accelerator for treating cancer. It incorporated the most recent computer control equipment. Therac-25's computerization made the laborious process of machine setup much easier for operators, and thus allowed them to spend minimal time in setting up the equipment. In addition to making setup easier, the computer also monitored the machine for safety. With the advent of computer control, hardware based safety mechanisms were transferred to the software. Hospitals were told that the Therac-25 medical linear accelerator had "so many safety mechanisms" that it was "virtually impossible" to overdose a patient. Normally, when a patient is scheduled to have radiation therapy for cancer, he or she is scheduled for several sessions over a few weeks and told to expect some minor skin discomfort from the treatment. The discomfort is described as being like a mild sunburn over the treated area. But in this case on safety critical software, you will find that some patients received much more radiation than prescribed
Therac -25 Timeline
This time line is largely adopted from the Computing Cases website. The website developer, Charles Huff, has provided this module's author with a more detailed unpublished version (that provides the real names of the patients left out in Computing Cases) that the author has adopted here. Readers should note that this time line also overlaps with that provided by Leveson and Turner. (See below for two references where the Turner and Leveson time line can be found.)
|
Early1970's |
AECL and a French Company (CGR) collaborate to build Medical Linear Accelerators (linacs). They develop Therac-6, and Therac-20. (AECL and CGR end their working relationship in 1981.) |
|
1976 |
AECL develops the revolutionary "double pass" accelerator which leads to the development of Therac-25. |
|
March, 1983 |
AECL performs a safety analysis of Therac-25 which apparently excludes an analysis of software. |
|
July 29,1983 |
In a PR Newswire the Canadian Consulate General announces the introduction of the new "Therac 25" Machine manufactured by AECL Medical, a division of Atomic Energy of Canada Limited. |
|
ca. Dec. 1984 |
Marietta Georgia, Kennestone Regional Oncology Center implements the new Therac-25 machine. |
|
June 3, 1985 |
Marietta Georgia, Kennestone Regional Oncology CenterKatherine (Katy) Yarbrough, a 61-year-old woman is overdosed during a follow-up radiation treatment after removal of a malignant breast tumor. Tim Still, Kennestone Physicist calls AECL asking if overdose is possible; three days later he is informed it is not. |
|
July 26, 1985 |
Hamilton, Ontario, Canada. Frances Hill, a 40-year-old patient is overdosed during treatment for cervical carcinoma. AECL is informed of the injury and sends a service engineer to investigate. |
|
November 3, 1985 |
Hamilton Ontario patient dies of cancer, but it is noted on her autopsy that had she not died, a full hip replacement would have been necessary as a result of the radiation overdose. |
|
November 8, 1985 |
Letter from CRPB to AECL requesting additional hardware interlocks and changes in software. Letter also requested treatment terminated in the event of a malfunction with no option to proceed with single key-stroke. (under Canada's Radiation Emitting Devices Act.) |
|
November 18, 1985 |
Katy Yarbrough _les suit against AECL and Kennestone Regional Oncology Center. AECL informed officially of Lawsuit. |
|
December 1985 |
Yakima Valley Memorial Hospital, Yakima Washington. A woman being treated with Therac-25 develops erythema on her hip after one of the treatments. |
|
January 31, 1986 |
Staff at Yakima sends letter to AECL and speak on the phone with AECL technical support supervisor. |
|
February 24, 1986 |
AECL technical support supervisor sends a written response to Yakima claiming that Therac-25 could not have been responsible for the injuries. |
Scenario: You are an engineer working for AECL sent to investigate an alleged overdosing incident at the Ontario Cancer Foundation in Hamilton. Ontario. The following is the description provided to you of what happened:
On July 26, 1985, a forty-year old patient came to the clinic for her twenty-fourth Therac-25 treatment for carcinoma of the cervix. The operator activated the machine, but the Therac shut down after five seconds with an HTILT error message. The Therac-25's console display read NO DOSE and indicated a TREATMENT PAUSE
Since the machine did not suspend and the control display indicated no dose was delivered to the patient, the operator went ahead with a second attempt at a treatment by pressing the Proceed Command Key, expecting the machine to deliver the proper dose this time. This was standard operating procedure, and Therac-25 operators had become accustomed to frequent malfunctions that had no untoward [bad] consequences for the patient. Again the machine shut down in the same manner. The operator repeated this process four times after the original attempt the display showing NO DOSE delivered to the patient each time. After the fifth pause, the machine went into treatment suspend, and a hospital service technician was called. The technician found nothing wrong with the machine. According to a Therac-25 operator, this scenario also was not unusual.
After treatment, the patient complained of a burning sensation, described as an "electric tingling shock" to the treatment area in her hip....She came back for further treatment on July 29 and complained of burning, hip pain, and excessive swelling in the region of treatment. The patient was hospitalized for the condition on July 30, and the machine was taken out of service. (Description taken from Nancy Leveson, Safeware, pp 523-4)
You give the unit a thorough examination and are able to find nothing wrong. Working with the operator, you try to duplicate the treatment procedure of July 26. Nothing out of the ordinary happens. Your responsibility is to make a recommendation to AECL and to the Ontario Cancer Foundation. What will it be?
1. Identify key components of the STS
|
Part/ Level of Analy- |
Hard- |
Soft- |
Physical Sur- |
People, Groups, & Roles |
Proce- |
Laws & Regul- |
Data & Data Struct- |
2. Specify the problem:
2a. Is the problem a disagreement on facts? What are the facts? What are cost and time constraints on uncovering and communicating these facts?
2b. Is the problem a disagreement on a critical concept? What is the concept? Can agreement be reached by consulting legal or regulatory information on the concept? (For example, if the concept in question is safety, can disputants consult engineering codes, legal precedents, or ethical literature that helps provide consensus? Can disputants agree on positive and negative paradigm cases so the concept disagreement can be resolved through line-drawing methods?
2c. Use the table to identify and locate value conflicts within the STS. Can the problem be specified as a mismatch between a technology and the existing STS, a mismatch within the STS exacerbated by the introduction of the technology, or by overlooked results?
|
STS/ Value |
Safety (freedom from harm) |
Justice (Equity & Access) |
Privacy |
Property |
Free Speech |
|
Hardware/ software |
|||||
|
Physical Surroundings |
|||||
|
People, Groups, & Roles |
|||||
|
Procedures |
|||||
|
Laws |
|||||
|
Data & Data Structures |
3. Develop a general solution strategy and then brainstorm specific solutions:
|
Problem / Solution Strategy |
Disagreement |
Value Conflict |
Situational Constraints |
||
|
Factual |
Conceptual |
Integrate? |
Tradeoff? |
Resource? Technical? Interest |
|
3a. Is problem one of integrating values, resolving disagreements, or responding to situational constraints?
3b. If the conflict comes from a value mismatch, then can it be solved by modifying one or more of the components of the STS? Which one?
4. Test solutions:
|
Alter- |
Reversi- |
Value: Justice |
Value: Responsi-bility |
Value: Respect |
Harm |
Code |
|
A #1 |
||||||
|
A #2 |
||||||
|
A #3 |
5. Implement solution over feasibility constraints
|
Alter-native Con- |
Resource |
Interest |
Technical |
||||
|
Time |
Cost |
Indivi- |
Organi-zation |
Legal/ Social |
Avai- |
Manufact-urability |
|
|
1 |
|||||||
|
2 |
|||||||
|
3 |
|||||||
- 1511 reads
