Therac-25, a software-controlled radiation therapy machine developed in late 1970s and used to treat cancer, was an extension of Therac-6 and Therac-20 but differed in design as it was fully computer operated. Between 1985 and 1987, at four medical centers, Therac-25 gave extreme overdoses to six patients, causing three of them to lose their lives.
The injuries were due to various reasons including improper safety design, inadequate testing, software bugs, poor systems in reporting and investigating the accidents. The following persons and entities are responsible for the severe radiation overdoses:
The manufacturer’s, Atomic Energy of Canada Ltd. (AECL), decided to remove the independent hardware safety interlock mechanism that prevented the beam from firing in unsafe conditions in the new system when designing safety of the machine was uncalled for. This enabled beams to be fired in incorrect positions causing injuries to patients. The Company should have not eliminated all the safety features in Therac-6 and Therac-20 but instead extended them by making them computer-operated.
Though software reuse is permitted and advantageous when developing software, software applications should not be assumed to be functioning correctly. In addition, it is prudent to know that some programming languages like Java permit software reuse while others do not. It is, therefore, important to identify the platform in which a software application was developed.
The manufacturer’s assumption that the software functions correctly, even if it did so in Therac-6 and Therac-20, was unprofessional. Furthermore, Therac-6 and Therac-20 had safety mechanisms installed and it was very difficult to know if it was the software or safety hardware doing a perfect job. However, the manufacturer should have known that. Though AECL claims the system was extensively tested, investigations revealed there was very little documentation during software development concerning software specifications and testing plan. Therac-25 was a new system and the three types of software testing i.e. unit testing, integration testing, and system testing should have been done to its application (Oladimeji, 2007). This could have enabled identification and fixing of software bugs.
The operator interface was poorly designed. Operators could not understand the error messages. Moreover, the manufacturer knew that the operators get more explanation of such messages from the manuals but did not include them in it. The manufacturer should have included explanations of all error messages in the manual for technicians to refer to in case of a problem.
The setup routines number of bytes was not properly set by the software programmer and this made the flag to overflow at the 256th time and show a value of zero, causing treatment to proceed even before everything is set. Since setup routine may be called hundreds of times while setting up for a treatment, the programmer should have set a higher number of bytes. This would have allowed more tests before treatment. The programmer should have also set the setup value to a single value instead of incrementing it.
The last but not the least, the manufacturer continued to deny that the machine caused the overdose citing that there were no similar cases of injuries led to many overdoses. AECL should realize that machines sometimes do not cause same type of injuries. On hearing of the first overdose case, it should have commenced its investigations immediately. After the second accident and investigations done by AECL, it (AECL) only made some changes. What about the rest? After some hospitals and a Canadian government agency made recommendations to enhance safety, none was implemented. Why? Every stakeholder, including the manufacturer, should have looked at the recommendations and implemented what was in their dockets. This could have prevented the fifth accident.
The hospitals using the facility assumed it was highly reliable. In the first incident of the overdose, when the patient informed the operator that he was feeling unusual, the operator told her that it was impossible. The operator should have taken the patient’s complain seriously and started investigating the cause.
In another facility, the operator was ignorant. He proceeded with the treatment with neither the intercom nor video monitor functioning. He, therefore, did not see or hear that the patient was trying to get up during the overdose. The patient later died. The operator should have made sure everything is set well before proceeding with the treatment. Such ignorance should be sued in court. Relatives of the victim should have sued the operator as well.
Operators saw error messages they could not understand or get from manuals and ignored them, not knowing that this might be an indication of a safety hazard. The operators should have reported this to the manufacturers for further action. Moreover, they should have contacted the manufacturer to understand the meaning of error messages. When operating a machine, it is advisable to know when it functions correctly, when it is about to malfunction, and when it is out of service. This could at times be shown by the software error messages. One cannot afford to keep quiet with error messages in a critical machine like Therac-25.
When medical staff, having noticed an extraordinary radiation overdose they had never seen before on the first patient, they could not relate it to the new machine which had only been in service for two years in some clinics and start investigations. Instead they provided other explanations. Since this had not happened before and there was a new machine in place, they should have doubted the machine first and take the necessary actions.
Having known the ineffectiveness of the machine, medical staff continued using it. Even if the machine had successfully treated many patients before, the cause of the first accident should have been thoroughly investigated and resolved before continuing to use it. In fact, the medical staff should have informed the public about the problem and if possible direct patients to the clinic that had the safety hardware installed in their machine.
Patients and Relatives of Victims
Patients who were severely injured and relatives of those who died due to the overdose should have sued both the AECL and operators for the damages caused. This would have made other operators be more careful while doing their work and AECL to start their investigations early enough to prevent more injuries.
Whereas complex machines like Therac-25 have faults in their operation, such faults can be reduced with the help of stakeholders including manufacturers, programmers, medical staff, operators, and patients.