
When someone receives a cancer diagnosis, they worry about their prognosis and what treatments will be prescribed. They don’t worry about the integrity of the machines that are supposed to save their life. Between 1985 and 1987, a computer program in a promising new linear accelerator delivered massive doses of radiation to six people in Canada and the United States, creating the worst medical accident in the history of linear accelerators.[1] The software that ran the Therac-25 machines told the operator that the patient had either been underdosed or had not received a dose at all, while it actually delivered massive, catastrophic, and sometimes fatal overdoses of radiation to the patients it was supposed to save.[1, 2]
The Accidents
The threshold level for radiation doses is considered to be 500 rads (units of absorbed radiation dose). The software’s first victim, a breast cancer patient, received at least one, if not two, doses of radiation between 15,000 and 20,000 rads. The only thing that saved her was the location of the burn and the tightly focused beam. The dose she received was, at the time, the highest dose of radiation received in a medical accident in which the victim survived. In the end, this patient permanently lost the use of her shoulder and arm, as well as the breast that had been overdosed.[1]
Other victims of the Therac software malfunction soon appeared. In 1985, a female patient received an estimated 15,000 rads and, had she not died of cancer, would have required a full hip replacement at the treatment site. She was only 40 years old.[2] The same year, the Therac software caused another overdose that left the victim permanently scarred and disabled.[2]
The Therac machine didn’t stop with simply maiming its victims. In August of 1986, a patient died of complications from a machine malfunction overdose, but not before suffering horrifying symptoms. Included in the list was the total paralysis of his left arm and both of his legs, as well as his left vocal cord, which left him unable to speak.[1] Two additional victims were killed. One male patient reported feeling like his face was on fire and hearing a sizzling sound like frying eggs when he received the overdose. He died three weeks later from the treatment, and the subsequent autopsy showed high-dose radiation injuries to his brain. The last victim received approximately 9,000 rads directly to the chest in 1987 and died from complications of the overdose soon thereafter.[1]
The Explanation
How did this happen? The Therac-25 linear accelerator was supposed to be the latest in a line of promising new cancer treatments. Upon investigation, the primary root cause was attributed to bad software design and development. Contributing causes included a lack of independent verification for the software code and the fact that the software-hardware combination was not tested until it was assembled in the first hospital.[3] A major contributor to the accident was the machine’s lack of hardware safety controls. Previous versions of the machine included hardware safety mechanisms and interlocks while the Therac-25 relied almost entirely upon its software for safety systems. A safety analysis was conducted before the machine was put on the market, but none of the many scenarios presented on the fault tree included software glitches or failures. The only mention of software failures was in a box for “computer selects wrong energy” and “computer selects wrong mode”, which were given probabilities of 10^-11 and 4 x 10^-9, respectively. It was assumed that, because the software code had been recycled from previous, successful versions of the machine, the software was safe and additional errors (despite the redesign) were impossible.[1, 2]
Unfortunately, the software safety assumption was incorrect. One glitch in the software delivered massive doses of radiation to the victim if an operator entered and edited the prescription data too quickly. A second software malfunction allowed the machine to activate while in an error setting.[1, 2] In a deposition for one of the lawsuits resulting from the overdoses, a technician recalled that the machine often produced up to 40 error messages a day, almost all of which could be overridden by the operator pressing a single key. The error messages were numerical codes, and therefore did not immediately mean anything to an operator. The user manual did not detail the meaning of each code. Operators learned to disregard most of the error codes because they often referred to minor mechanical problems that the machine could operate around, and the instructions for the machine gave no indication that any of the codes could present a danger to the patient.[1]
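A toy model of the two failure modes described above, added here as an illustration; it is not the Therac-25 software, and every name in it (Console, setting-A, beam_on_interlocked) is constructed. It contrasts software-only safety, where a fast edit goes unnoticed and a fault is dismissed with one key, with an independent check made at the moment the beam is requested, which stands in for the hardware interlocks the earlier machines had.

```python
from dataclasses import dataclass

@dataclass
class Console:
    """Constructed toy model of a treatment console, not the Therac-25 code."""
    screen: str = "setting-A"      # prescription the operator sees
    hardware: str = "unset"        # what the machine is physically set up for
    setup_busy: bool = False
    fault: bool = False            # an error condition is pending
    _snapshot: str = ""

    def begin_setup(self):
        self._snapshot = self.screen   # setup works from a copy of the screen
        self.setup_busy = True

    def edit(self, value):
        self.screen = value            # a quick edit lands mid-setup, unnoticed

    def finish_setup(self):
        self.hardware = self._snapshot
        self.setup_busy = False

def beam_on_unchecked(c, override_key=True):
    """Before: software-only safety; a fault is dismissed with one key press."""
    if c.fault and not override_key:
        return "refused"
    return "fired:" + c.hardware

def beam_on_interlocked(c):
    """After: independent checks at the moment of use; no operator override."""
    if c.fault:
        return "refused:fault"
    if c.setup_busy or c.hardware != c.screen:
        return "refused:mismatch"
    return "fired:" + c.hardware

def fast_edit():
    """Operator enters setting-A, then edits to setting-B before setup completes."""
    c = Console()
    c.begin_setup()
    c.edit("setting-B")
    c.finish_setup()
    return c

if __name__ == "__main__":
    c = fast_edit()
    print(c.screen, beam_on_unchecked(c), beam_on_interlocked(c))
```

In the unchecked path the screen shows setting-B while the beam fires with setting-A; the interlocked path refuses until setup is rerun against the edited prescription.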
The Fix
Eventually, the Therac-25 accidents were brought to the attention of regulatory authorities. After the first four overdoses, an accident report was filed with the U.S. Food and Drug Administration (FDA). Between the April 1986 report date and the final injury of January 17, 1987, two revision plans were requested and sent to the FDA. The final revision, which placed several hardware safety controls in the machine and fixed the known software problems, was not installed until six months after the final death.[4]
Lessons Learned
ERM believes that accidents are caused by one, or a combination of, three things: poor design and equipment, poor procedures, and incompetent, ill-disciplined or undertrained people. The Therac-25 accidents were a result of all three, and those lessons can be applied across industries:
- The importance of careful, error-free design and construction
Machines can be prone to so many errors that they simply become part of a machine’s routine use.[1] Such serious design flaws should be dealt with in the design and testing phases to prevent people from becoming complacent in the face of problems down the line.
- Thorough safety procedures for design and operation
Safety procedures surrounding machines both in development and in use often are woefully inadequate. This tragedy shows that a careful risk analysis considering all possible hazard scenarios can make a life-or-death difference. A hazard analysis always must be representative of reality to help prevent such tragedies.
- Adequate training and reference resources
Even the most perfectly designed equipment that has been run through every possible risk and safety scenario can present a serious hazard if its users are not trained properly. Operators of potentially hazardous equipment must be given adequate materials and training so that operators act on error warnings.
Epilogue
That was the 1980s; this is now. Unfortunately, the issue of radiation overdoses has not been resolved. At an FDA public meeting June 9-10, 2010, Commander Sean Boyd closed the meeting by stating that the committee would review all the feedback and "formulate a strategy of where we should go next." However, he also noted that most of the issues are outside the scope of the FDA and remain in the hands of equipment manufacturers to resolve. Cdr. Boyd is Chief of the Diagnostic Devices Branch of the Center for Devices and Radiological Health of the FDA. The objective of the public meeting was to "discuss steps that could be taken by manufacturers of linear accelerators, radiation therapy treatment planning systems, and radiation therapy simulators to help reduce misadministration and misaligned exposures." The meeting transcripts are online if you choose to read more: Day 1 http://www.regulations.gov/#!documentDetail;D=FDA-2010-N-0217-0003 and Day 2 http://www.regulations.gov/#!documentDetail;D=FDA-2010-N-0217-0004 .
Videos from the FDA (2009) and Voice of America (2010), specifically addressing CT scans, illustrate the risks.

Radiation Overdoses From CT Scans (video 1:42 min). U.S. FDA. (December 11, 2009) Online at http://www.youtube.com/watch?v=RqrYFx8JZr0 Accessed 02 March 2011.
CT Scan Radiation Draws More Attention (video 3:12 min). Voice of America. (January 30, 2010) Online at http://www.youtube.com/watch?v=W_8KZGfF2_8 Accessed 02 March 2011.
References
1. Leveson, Nancy. "Appendix A - Medical Devices: The Therac-25." Safeware: System Safety and Computers. Addison-Wesley, 1995. Online at http://sunnyday.mit.edu/papers/therac.pdf Accessed 17 February 2011.
2. Jacky, Jonathan. "Safety-Critical Computing: Hazards, Practices, Standards, and Regulation." Computerization and Controversy: Value Conflicts and Social Choices. 2nd ed. Academic, 1996. 767-92. Online at http://staff.washington.edu/jon/pubs/safety-critical.html#ref Accessed 17 February 2011.
3. Leveson, Nancy, and Clark Turner. "An Investigation of the Therac-25 Accidents." IEEE Computer 26.7 (1993): 18-41. Undergraduate Courses | Computer Science at Virginia Tech. Online at http://courses.cs.vt.edu/cs3604/lib/Therac_25/Therac_1 Accessed 17 February 2011.
4. "Major Event Time Line." An Investigation of the Therac-25 Accidents. July 1993. Online at http://courses.cs.vt.edu/cs3604/lib/Therac_25/Side_bar_2.html Accessed 17 February 2011.