1. THERAC – 25 MEDICAL ACCELERATOR
Six people massively overdose between 1985 and 1987 as the results of the Therac-25 accidents were
three of them death and the others got a severe injury. This machine was a computer-based radiation
therapy machine manufactured by Atomic Energy of Canada Limited (AECL). For 35-year history of
medical accelerators, this serial accident has famous as the worst incident [1].
Figure 1. The Therac-25
The first accident occurred in Kennestone Regional Oncology Center, June 3, 1985. According to
Leveson (1995), the details are insufficient. Kennestone facility has operating a Therac-25 about six
months when they handled treatment for a 61-year-old woman in Marietta, Georgia. The therapy was a
follow up medication after removed a malignant breast tumor. She got an overdose when later,
Kennestone physicist estimated it about one or two doses of radiation in the 15,000 to 20,000 rad
(radiation-absorbed dose) range. Due to the incident, the manufacturer and machine operator still
refused to believe that it cause by the Therac-25.
2. Following that, the second accidents happened in Hamilton, Ontario (Canada) on July 26, 1985. A
forty-year-old patient doing the carcinoma of the cervix therapy when the Therac-25 shut down by it
self with H-TILT error message and no dose displayed. The machine paused and the operator pressing
the proceed command. This activity repeated for four times where the machine shut down again and on
the fifth pause the therapy suspend.
The patient told the operator that she felt burning sensation during that time. On the next treatment, she
still complained and on November 3, 1985, she died with an extremely virulent cancer condition. Later,
the AECL technician estimated that she received between 13,000 and 17,000 rads. On the report,
AECL claimed a hardware failure (microswitch) as the caused and modified the machine.
Next accidents involved a woman who has treated during December 1985 (after the Therac-25
modified, in response to Hamilton accident) at Yakima Valley Memorial Hospital, Washington. Her
skin become excessive reddening after the treatment and by the time the reaction become abnormal.
Response for this case when the hospital staff sent a letter to AECL they replay that was impossible it
caused by the Therac-25 by attach two pages of technical reasons to support.
On March 21, 1986, the fourth incident occurred in Tyler, Texas (East Texas Cancer Center). An
oilfield worker, Ray Cox, felt he had a jolt of searing heat during doing the treatment. In other side, the
machine operator got a “Malfunction 54” message displayed on the Therac-25 computer terminal [2].
Cox’s condition become worst over the weeks of the accident and died from complications of the
overdose in Dallas Hospital, September 1986. After simulation, revealed that the patient got a massive
overdose (16,500 to 25,000 rads in less than 1 second over an area of about 1 cm).
About a month later, April 11, 1986, a 66-year-old bus driver has to treat his skin cancer in the same
place as Ray Cox, ETCC in Tyler, Texas. Another accident occurred, again “Malfunction 54” occurred
by the same technician as Tyler case before. Verdon Kidd, the patient moaning for help and on May 1,
1986 he died from the overdose. An autopsy showed an acute high-dose radiation injury to the right
temporal lobe of the brain and the brain stem.
The last serial accident for the Therac-25 was on January 17, 1987 in Yakima, Washington. A
carcinoma patient has to receive 86 rads total exposure for his treatment. During the activity, the
operator gets some unclear point of the message, displayed on the machine, and the unit shut down
with a pause. The operator proceed it again by pressing one key (proceed command) but after that she
3. heard the patient speak on the intercom. The patient died in April from complications related to the
overdose.
The Therac-25 developed by AECL since in the mid-1970s with fully computer controlled. Software in
the Therac-25 based from previous machine, the Therac-6 and the Therac-20. Different with the
Therac-25, both previous machines had hardware safety interlocks mechanism independent of the
computer [3]. “They assumed that the software of the previous version of the accelerator was free of
errors and that it would function properly without the previous design’s mechanical interlocks” [4].
However, this assumption was wrong where the Therac-20 also have problem with the machine but
hardware safety mechanism doing their job well.
Refer to the facts in the Leveson (1995) investigation that the Therac-25 works on the reusable
software where race condition has occurred when implement a multitasking played (concurrent
programming). This bug has been occurring since the Therac-20 where the protection devices do not
allow the beam to turn on and prevent the patient from overdose. In addition, there were a number of
weaknesses in the user interface such as just using one key for proceeds command where it made worst
condition during the machine operation.
Testing process and documentations also have to responsibility in this case. On the Therac-25 user’s
meeting, the manufacturer delegation clarified that they just doing the testing part for “2700 hours of
use”. For this process, they just have sketchy documentation that meant testing does not done well.
Overall, this case gives two main points as a lesson for the developer especially the software industry
where:
Place trust in people, process, systems, and tools without good cause.
Because of success with the previous product, it does not mean can do so now with new
technology without the need to re-assess the risks [5]. If another part of the development has
done well such as testing or maintenance, these problems perhaps never happen.
Lack of documentation will lead to another problem.
In the investigation report found that AECL just have very little documentation during the
process such as software specification and test plan. However, a good documentation will
helpful for monitoring, controlling and maintaining the software without create another problem
such as the first Yakima incident.
4. References
[1] LEVESON, Nancy G. Safeware: System Safety and Computers. Addison-Wesley, 1995.
[2] KLING, Rob. (ed.) Computerization and Controversy. Academic Press, 1996.
[3] Baase, Sara. A Gift of Fire. Prentice Hall, 2003.
[4] POPOVIC, Dobrivoje & Ljubo Vlacic. (ed.) Mechatronics in Engineering Design and
Product Development. Marcel-Dekker Inc, 1999.
[5] Redmill, Felix & Tom Anderson. (ed.) Safety-critical Systems. Chapman & Hall, 1993.
![THERAC – 25 MEDICAL ACCELERATOR
Six people massively overdose between 1985 and 1987 as the results of the Therac-25 accidents were
three of them death and the others got a severe injury. This machine was a computer-based radiation
therapy machine manufactured by Atomic Energy of Canada Limited (AECL). For 35-year history of
medical accelerators, this serial accident has famous as the worst incident [1].
Figure 1. The Therac-25
The first accident occurred in Kennestone Regional Oncology Center, June 3, 1985. According to
Leveson (1995), the details are insufficient. Kennestone facility has operating a Therac-25 about six
months when they handled treatment for a 61-year-old woman in Marietta, Georgia. The therapy was a
follow up medication after removed a malignant breast tumor. She got an overdose when later,
Kennestone physicist estimated it about one or two doses of radiation in the 15,000 to 20,000 rad
(radiation-absorbed dose) range. Due to the incident, the manufacturer and machine operator still
refused to believe that it cause by the Therac-25.](https://image.slidesharecdn.com/11794326-120229005947-phpapp01/85/THERAC-1-320.jpg)
![Following that, the second accidents happened in Hamilton, Ontario (Canada) on July 26, 1985. A
forty-year-old patient doing the carcinoma of the cervix therapy when the Therac-25 shut down by it
self with H-TILT error message and no dose displayed. The machine paused and the operator pressing
the proceed command. This activity repeated for four times where the machine shut down again and on
the fifth pause the therapy suspend.
The patient told the operator that she felt burning sensation during that time. On the next treatment, she
still complained and on November 3, 1985, she died with an extremely virulent cancer condition. Later,
the AECL technician estimated that she received between 13,000 and 17,000 rads. On the report,
AECL claimed a hardware failure (microswitch) as the caused and modified the machine.
Next accidents involved a woman who has treated during December 1985 (after the Therac-25
modified, in response to Hamilton accident) at Yakima Valley Memorial Hospital, Washington. Her
skin become excessive reddening after the treatment and by the time the reaction become abnormal.
Response for this case when the hospital staff sent a letter to AECL they replay that was impossible it
caused by the Therac-25 by attach two pages of technical reasons to support.
On March 21, 1986, the fourth incident occurred in Tyler, Texas (East Texas Cancer Center). An
oilfield worker, Ray Cox, felt he had a jolt of searing heat during doing the treatment. In other side, the
machine operator got a “Malfunction 54” message displayed on the Therac-25 computer terminal [2].
Cox’s condition become worst over the weeks of the accident and died from complications of the
overdose in Dallas Hospital, September 1986. After simulation, revealed that the patient got a massive
overdose (16,500 to 25,000 rads in less than 1 second over an area of about 1 cm).
About a month later, April 11, 1986, a 66-year-old bus driver has to treat his skin cancer in the same
place as Ray Cox, ETCC in Tyler, Texas. Another accident occurred, again “Malfunction 54” occurred
by the same technician as Tyler case before. Verdon Kidd, the patient moaning for help and on May 1,
1986 he died from the overdose. An autopsy showed an acute high-dose radiation injury to the right
temporal lobe of the brain and the brain stem.
The last serial accident for the Therac-25 was on January 17, 1987 in Yakima, Washington. A
carcinoma patient has to receive 86 rads total exposure for his treatment. During the activity, the
operator gets some unclear point of the message, displayed on the machine, and the unit shut down
with a pause. The operator proceed it again by pressing one key (proceed command) but after that she](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)