Therac-25: How Design Flaws Turned a Lifesaving Machine Deadly
Katerina Harrison wrote MedWrench's newest blog. Check it out!
Tue Aug 20 2024
Radiation therapy is a non-invasive method of cancer treatment that has been successfully used in patients for over 100 years. It uses ionizing radiation which, although highly toxic to living cells, can painlessly kill and control cancerous growthby targeting the growth with a beam of energy. Due to the highly harmful nature ofthis treatment, machines administering this radiation should be designed with robust safety features and thoroughly tested to prevent possibly overdosing the patient, which unfortunately was not the case with the Therac-25.
The Therac-25 was a radiation therapy machine that began being produced byAtomic Energy Canada Limited (AECL) in 1982. It stood out from other machines ofits kind at the time due to its two treatment modes: electron-beam therapy, a low-dose beam of electrons for shallow cancer treatment, and megavolt X-ray therapy, a high-dose beam of photons for the treatment of cancer deep inside the body. Having dual modes eliminated the need for hospitals to have two separate machines, thereby increasing efficiency and saving space. Although the Therac-25 successfully treated hundreds of patients, it had major design flaws which led to six known incidents of patient harm. Firstly, the machine relied only on software safety checks and did not include any type of hardware safety checks. The hardware safety interlocks featured in the previous models, Therac-6 and Therac-20, would prevent the radiation from being administered if the machine hardware was set up incorrectly for the required mode. Software safety checks, however, rely solely on computer checks to verify the correct operation of the machine. Secondly, although Therac-25 featured software safety checks, the software was written by a single person and was not independently reviewed for faults as it was based on previous code. Due to these flaws and more which were later uncovered, six major incidents occurred where patients were severely harmed or killed.
The first incident was in 1985 and involved a 61-year-old patient in Georgia who was set to receive 200 radiation absorbed dose (rad) on her left clavicle, but the machine delivered 100 times that at 20,000 rad. To put this in perspective,Homeland Security states that, “[a] lethal dose with NO medical intervention to50% of the population after 60 days is between 320 and 450 rad.” The patient toldthe technician that she felt that she was burned, but was assured that this was not possible. Weeks later, she developed paralysis in her left arm and shoulder and wasrequired to get her breast amputated due to the radiation overdose. Although she survived, this was the start of something that would cause devastating events for more patients.
A second incident, also in 1985, involved a patient who had developed an erythema(skin inflammation) after being treated by a Therac-25 in Ontario. She was supposed to receive 200 rad but was suspected of receiving a radiation overdose of20,000 rad. When the hospital reported this to a professional organization, AECL contacted the hospital with a letter stating that it is impossible to receive radiation overdose from the Therac-25 as there cannot be a failure in the system or fault of the operator which would cause this to occur. Due to this injury, the patient developed skin necrosis six months later. She received skin grafts but they were not successful as the surrounding tissue continued to succumb to necrosis.
In a third 1985 incident, a 40-year-old Washington patient was receiving treatment in her cervix. As the operator pressed “proceed” to deliver the dose, they received an error message indicating that no radiation had been administered. The operator tried again and the error message re-appeared. The operator repeated this five times, not knowing that this was a software fault and the treatment was being administered each time, with an estimated total dose of 17,000 rad. The patient died of cancer a few days later but the autopsy revealed that she would have required a hip replacement due to the radiation overdose. An AECL engineer who was sent to examine the machine after the incident determined that the microswitches that controlled the turntable were faulty. This prompted AECL to introduce a software update to all Therac-25 machines, which the company claimed would increase safety by 9,999,900%. This, however, did not prevent the Therac-25 from further patient harm in the coming years.
In 1986, a fourth incident occurred in Texas where a patient was set to receive 180rad on their back. As the operator switched the mode from megavolt X-ray to electron beam and administered the dose, the patient heard a crackling sound andfelt a shock. An error code “Malfunction 54” was displayed in the command window which meant that the actual dose given was too high or too low. Thedosimeter showed that only 6 rad was administered, so the operator proceeded again. As he did this, he was unaware that the patient was getting up from the table to notify the operator of the sound he heard, which made the radiation be administered into the patient’s arm. This caused an erythema which a physician concluded was caused by electric shock. In reality, the crackling sound was due tothe ionization chambers being oversaturated which caused an incorrect value to display on the dosimeter. From these two doses, the patient was irradiated with an estimated 16,500 to 25,000 rad. The patient experienced many side effects to his health such as paralysis throughout his body and myelitis in his spine; he died five months later. Following the incident, AECL technicians were called. They we reunable to replicate the error code and the machine was back in service only two weeks later.
A fifth incident occurred with the same Therac-25 only 4 days after it was back inservice from the previous case. Once the operator switched the mode from megavolt X-ray to electron beam and administered the dose, the “Malfunction 54”error code displayed once again. The operator promptly checked on the patient who described feeling an electric shock on the treated area, which was their face.The patient died less than a month later. Their autopsy revealed significant radiation damage to their brain. After this incident, the operator and hospital physicist got to work to determine the cause of this error code. After many trials tore produce the code, they found that it occurs when the machine is operated after rapidly changing the modes. This is due to the hardware having a duration of 8seconds when switching the magnetic plates, which filter the beams, from megavolt X-ray to electron beam and vice versa. Although the command window of the software states that it is ready to administer the treatment, it has no way of verifying that the hardware is in the proper position to do so. When the operator presses “proceed” within those 8 seconds, it irradiates the patient with a high-energy unfiltered beam. Following this discovery, AECL created a software update to monitor data entry which was reviewed by the FDA and implemented into all Therac-25 machines. This, unfortunately, did not stop another fatal incident from occurring.
The sixth and final incident happened in 1987 when a 65-year-old patient inWashington was prescribed 86 rad for a carcinoma on his back. Instead of 86 rad, the machine delivered 10,000 rad, which led to the patient’s death three months later. This incident was found to be due to a previously unidentified software bug.The software had a 256-byte counter to check the turntable position. If the counter was at any value other than zero, it would consider it an “error” and would not allow the radiation to be administered. The bug occurred when the counter reached its maximum value of 255, causing it to reset back to 0 and therefore momentarily allowing treatment to proceed. In this case, the operator unfortunately happened to press “proceed” at this very instant. After this incident, the hospital ceased the use of its Therac-25.
Following the final incident, all Therac-25 machines were shut down while AECL added numerous software and hardware features to prevent future adverse events.The incidents of patient harm caused by Therac-25 led to the implementation of stricter safety and testing guidelines in the healthcare technology industry. As healthcare technology continues to evolve, let the case of Therac-25 serve as a stark reminder of the importance of robust safety features and thorough testing, and the catastrophic consequences that can occur when they are overlooked.