Lessons Learned from Therac-25

The deaths or serious injuries of six people caused by the Therac-25 were attributed, in the investigation by Nancy Leveson (then at the University of Washington) and Clark Turner, to Atomic Energy of Canada Limited's (AECL) "bad software design and development practices" together with institutional failings. The Therac-25 accidents were not a single event: they occurred over a period of years, with warnings, investigations, legal actions and attempted fixes along the way, yet further overdoses continued to happen. The flaws lay in the software itself, in the testing and review procedures, and in the organisations and people involved.

The software was written by a single software engineer, who also carried out most of the testing. No design specification was produced, so the risks introduced by reusing the software in a new machine were never analysed. The "MALFUNCTION" error codes were not explained to the operator anywhere in the documentation and, remarkably, the system allowed the operator to dismiss such a message and continue with treatment.

One reason the flaws went undetected was that the Therac-25 reused software from the earlier Therac-6 and Therac-20, machines that had already received U.S. Food and Drug Administration (FDA) approval, so the software was assumed to be safe. The implications of moving that software from the Therac-6 and Therac-20 to the Therac-25 were never considered, and it is widely believed that rigorous testing would have exposed many of the bugs that caused the accidents. As a result the bugs remained present and undetected, and the only indication that anything was wrong was the physical harm done to patients. In this respect the FDA bears some of the responsibility: its assumption that previously approved software would be suitable for a similar purpose in a different machine was also flawed.

Misplaced trust in, and over-reliance on, the reliability of software also contributed to the problems: both AECL and the operators at first refused to attribute the injuries to the Therac-25 despite patient complaints. Even when the first legal action was brought against AECL, the company denied responsibility. Had AECL acted at this point, it is quite possible that the further incidents, including three fatalities, could have been avoided.

The Therac-25 case shows clearly that inaction, complacency and poor development and testing processes can have fatal results in safety-critical systems. The fact that the part of AECL responsible for the Therac-25 was later spun off as a separate company, and that all legal actions against AECL and the treatment facilities using the Therac-25 were settled out of court, is suggestive, although an out-of-court settlement is not a legal admission of liability.

In all it took four years to solve the problems, which, in my opinion, given that fatalities occurred, should have had legal ramifications for the FDA's testing procedures and for AECL.

References

Adams, A. A. & McCrindle, R. J. (2008) Pandora's Box: Social and Professional Issues of the Information Age. Chichester: Wiley.

Gallagher, T. (n.d.) Therac-25: Computerized Radiation Therapy [Online]. Available at: http://web.archive.org/web/20071212183729/http://neptune.netcomp.monash.edu.au/cpe9001/assets/readings/www_uguelph_ca_~tgallagh_~tgallagh.html (Accessed 21 February 2010).

Leveson, N. (1995) Medical Devices: The Therac-25 [Online]. Available at: http://sunnyday.mit.edu/papers/therac.pdf (Accessed 21 February 2010).

Wikipedia (n.d.) Therac-25 [Online]. Available at: http://en.wikipedia.org/wiki/Therac-25 (Accessed 21 February 2010).