write a three-page analytical essay about the Therac accidents. Examine the case study paying particular attention to how engineering design, project management or teaming decisions resulted in broader implications for business, society and/or the environment.
The Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Ltd. (AECL), a Canadian company. AECL had previously collaborated with CGR, a French company, in the development of earlier versions of this machine. The Therac-25 was a dual-mode linear accelerator designed to deliver X-ray photons at 25 MeV, or electrons over a range of energies. The electrons are used to treat tumors relatively close to the surface, while the X-rays can be used therapeutically on deeper tumors. The Therac-25 was not the first radiation therapy machine produced by this partnership; similar machines, the Therac-6 and Therac-20, had been in use for a number of years. Although the previous Therac machines had utilized some level of computer control, they also relied heavily on hardware interlocks to ensure the safe operation of the machine. From the start, the Therac-25 was designed to be controlled by software and did not incorporate the level of hardware safety devices found on the earlier machines.

The accidents involving the Therac-25 occurred between June 1985 and January 1987 and comprise at least six known events of improper dosing of patients. There were 11 Therac-25 machines installed in the United States and Canada, with accidents occurring on both sides of the border. The six accidents involved overdosing of patients receiving radiation therapy for various types of cancer. Typical of these accidents was what happened to a patient at the East Texas Cancer Center in Tyler, Texas, in March of 1986. At the time of this accident, the Therac-25 had been in operation at this center for two years and had been used to treat over 500 patients. The patient in this case was being treated for a tumor in his back and was undergoing his ninth treatment with this machine. The prescribed treatment was to be 180 rads of 22 MeV electrons over a 10 × 17 cm² area of his upper back.
As the treatment was started, the machine shut down, giving the operator an error code labeled “Malfunction 54.” The meaning of this code was not identified in the manual that came with the machine. The machine also showed a “Treatment Pause” and an underdose, indicating that only about 3% of the requested dose had been delivered. Thinking that the treatment was incomplete, the operator told the machine to proceed, but it immediately shut down again. Because the video monitor was not working, the operator was unable to see the patient and did not know that after the first dose, the patient had experienced what he described as an electric shock in his back. Knowing that something was wrong, he was attempting to get up when the second dose was delivered with the same painful effect. It was later estimated that the patient had received a total dose of between 16,500 and 25,000 rads, far higher than the 180 rads he was supposed to receive. In addition, the dose was concentrated in an area of approximately 1 cm². As a result of this malfunction, the patient developed symptoms of severe radiation poisoning and eventually died of complications related to the accident. The other five accidents were similar in nature, with similar consequences [Leveson and Turner, 1993].

The proximate cause of these accidents was a “bug” in the software: a race condition between the operator's data entry and the routine that configured the hardware. As the operators became comfortable with the software, they became quite proficient and fast at entering the data that set the type of treatment, dose, and energy. However, the hardware of the system required several seconds to reset when a command was changed on the computer keyboard. If the operator input the wrong information initially, quickly changed the settings to the correct ones, and hit the key that turned the beam on, the machine would go ahead and energize the beam with the hardware still configured for the original, incorrect settings, resulting in an incorrect dose being delivered. Basically, the software did not wait for the hardware to reset before turning the beam on, and it never read the hardware back to confirm that it matched what the operator had entered.
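The following model of the data-entry race just described, with the pre-beam read-back check that a fail-safe design would add, is an added example written for this case study; it is not AECL's Therac-25 code. The 8-second settle time, the 100:1 current ratio, the class and field names, and the relative dose units are assumptions chosen to mirror the narrative, and the two timelines are constructed.

```python
"""Model of the data-entry race described above, and of the pre-beam
interlock check that a fail-safe design adds.  Added example for this
case study, not AECL's Therac-25 code: the settle time, the current ratio,
the names and the dose units are assumptions that mirror the narrative."""
from dataclasses import dataclass

SETTLE_SECONDS = 8.0                              # assumed hardware reset time
REQUIRED_CURRENT = {"electron": 1, "xray": 100}   # assumed relative beam current


@dataclass
class Hardware:
    """Slow physical state.  Applying a mode takes SETTLE_SECONDS; until then
    the hardware is busy and still carries whatever it was set to before."""
    current: int = 1          # beam current actually configured
    pending: int = 1          # beam current being moved to
    busy_until: float = 0.0

    def apply_mode(self, mode, now):
        self.pending = REQUIRED_CURRENT[mode]
        self.busy_until = now + SETTLE_SECONDS

    def is_settled(self, now):
        return now >= self.busy_until

    def read_current(self, now):
        """Sensor read-back of the configured current."""
        if self.is_settled(now):
            self.current = self.pending
        return self.current


class Console:
    """Operator-facing software; `mode` is what the operator sees on screen."""

    def __init__(self, hw):
        self.hw = hw
        self.mode = "electron"

    def edit_mode(self, mode, now):
        self.mode = mode                     # the screen updates at once ...
        if self.hw.is_settled(now):          # ... but an edit made while the
            self.hw.apply_mode(mode, now)    # hardware is busy is never sent (BUG)

    def fire_unchecked(self, now):
        """Therac-25 style: energize on the strength of the software's own
        record of the prescription.  Returns delivered/prescribed dose."""
        return dose_ratio(self.mode, self.hw.read_current(now))

    def fire_interlocked(self, now):
        """Fail-safe style: refuse unless the hardware has settled and its
        read-back matches the prescribed mode.  Returns the dose ratio or a
        pause message."""
        if not self.hw.is_settled(now):
            return "PAUSE: hardware not settled"
        if self.hw.read_current(now) != REQUIRED_CURRENT[self.mode]:
            return "PAUSE: hardware/prescription mismatch"
        return dose_ratio(self.mode, self.hw.read_current(now))


def dose_ratio(mode, current):
    """Delivered dose relative to the prescription.  An electron treatment
    run with the X-ray current puts roughly 100x the dose on the patient."""
    return current / REQUIRED_CURRENT[mode]


def tyler_scenario(fire):
    """Constructed timeline: 'xray' typed by mistake at t=0, corrected to
    'electron' at t=2 (inside the settle window), beam-on pressed at t=10."""
    console = Console(Hardware())
    console.edit_mode("xray", now=0.0)        # hardware starts moving to 100
    console.edit_mode("electron", now=2.0)    # screen says electron; edit dropped
    return fire(console, 10.0)


def careful_scenario(fire):
    """Same correction, made only after the hardware has settled."""
    console = Console(Hardware())
    console.edit_mode("xray", now=0.0)
    console.edit_mode("electron", now=9.0)    # settled, so the edit is applied
    return fire(console, 20.0)


if __name__ == "__main__":
    print("fast edit, unchecked:  ", tyler_scenario(Console.fire_unchecked))
    print("fast edit, interlocked:", tyler_scenario(Console.fire_interlocked))
    print("slow edit, unchecked:  ", careful_scenario(Console.fire_unchecked))
```

The point of the two firing routines is that `fire_unchecked` trusts a variable that the operator's keystrokes change instantly, while `fire_interlocked` trusts only what the hardware reports about itself. The race is the same in both runs; only the second design turns it into a harmless pause instead of a hundredfold overdose.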
Compounding the problem, there were no hardware interlocks available to shut the beam off when excessive doses were detected. The earlier versions of the Therac machines had this type of hardware safety system, but the Therac-25 relied on software to provide this protection [Casey, 1993]. In the wake of these accidents, investigations took place into the reasons for the malfunction of the machine. Two major areas of concern were identified:
Radiation Problems Continue

Although the problems with the Therac-25 occurred in the 1980s and were well known in the industry, medical radiation equipment used for cancer therapy continues to have problems, some leading to the deaths of patients. The root cause of these problems is the increasing complexity of the machines and of the technologies used for radiation therapy. This complexity shows up as software glitches and hardware failures, and it can also contribute to human errors; any of these can have devastating results. A 2010 article in the New York Times [Bogdanich, 2010] described in detail two cases of severe patient injury caused by radiation therapy machines using linear accelerator technology. In both of these cases, the computer control system malfunctioned, leading to huge overdoses to the patients. In one case, a man suffering from oral cancer was treated using a linear accelerator system. In this machine, the beam shape and intensity were determined by a sophisticated collimator controlled by computer software. After three treatments, the physician, working with the health physicist responsible for implementing the treatment plan, decided to alter the dosing plan. As the health physicist input the new plan to the computer, the software “froze” and failed to properly store the new program. Because the new program was not stored properly, the computer instead directed the machine to leave the collimator wide open, not only greatly increasing the dose to the patient but also spreading the dose over a wide part of the patient's head rather than confining it to the cancerous area. This accident severely injured the patient, leading to a very slow and painful death from radiation poisoning. Similarly, in the other case reported, a woman undergoing radiation treatment for breast cancer was overdosed. Her treatment was also being done using a linear accelerator system.
In this machine, dosing was controlled using a wedge placed in the path of the beam to determine the intensity of the radiation and its location on the patient's body. In this case, the computer controlling the machine was inadvertently programmed to leave the wedge out of the beam, greatly increasing the dose received by the patient: she received a dose 3.5 times larger than planned during each of her 28 radiation sessions. The severe burns resulting from this overdose caused a large hole in the woman's chest that was painful and took months to heal. Ultimately, she died as a result of this overdose.

The Times article reported that New York is among the states with the most stringent requirements for reporting medical radiation overdose incidents and maintains a database of these events. A review of the New York records indicated that 621 radiation treatment mistakes had been reported between January 2001 and January 2009, including incorrect dosing, irradiation of the wrong location on the patient, and even applying the treatment to the wrong patient. These mistakes were attributed to various causes, including hardware malfunctions, computer software malfunctions, and various human errors.

When hardware and software malfunctions are the cause, what responsibility do the engineers who designed these systems have for the accident? When designing any system with potential implications for human health and safety, engineers must be thorough in the design and testing of the system, being especially concerned with anticipating potential failure mechanisms and designing to prevent them. In addition, fail-safe mechanisms should be incorporated into the design to ensure that failures are detected and do not lead to harm. For radiation therapy equipment, fail-safe means that the machine detects unsafe operating conditions and prevents patient irradiation until the problem is solved.
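The following is an added illustration of the fail-safe rule just stated, written for this case study and not taken from any vendor's treatment software. It shows two checks that correspond to the two Times cases: a treatment plan whose beam-shaping fields were never stored (the frozen save) is rejected rather than run with a default, and an independent dose-rate reading halts the beam before any dose is delivered when it disagrees with the plan (the wedge left out). The field names, units, tolerance, dose figures, and the plans themselves are assumptions.

```python
"""Added illustration of fail-safe plan validation and an independent
dose-rate interlock, written for this case study; not any vendor's code.
Field names, units, tolerances and the constructed plans are assumptions."""

REQUIRED_SHAPING = ("collimator_mm", "wedge")   # fields every plan must state
RATE_TOLERANCE = 0.10     # assumed: halt if the measured rate is >10% off plan


class UnsafePlan(Exception):
    """Raised when a plan must not be delivered as written."""


def validate_plan(plan):
    """Fail closed: a missing or unset shaping field is an error, never a
    default.  A wide-open collimator or no wedge is only legal when the plan
    says so explicitly.  Returns the plan unchanged."""
    for key in REQUIRED_SHAPING:
        if plan.get(key) is None:
            raise UnsafePlan(f"plan does not state {key}; refusing to treat")
    if plan["collimator_mm"] <= 0:
        raise UnsafePlan("collimator aperture must be positive")
    if plan["fraction_cGy"] <= 0 or plan["rate_cGy_per_s"] <= 0:
        raise UnsafePlan("fraction dose and dose rate must be positive")
    return plan


def run_fraction(plan, measured_rate_cGy_per_s, tick_s=0.5):
    """Deliver one fraction under an independent rate interlock.
    `measured_rate_cGy_per_s` stands in for a dose chamber that reads the
    beam directly and is not told what the planning software expects.
    Returns (delivered_cGy, status)."""
    validate_plan(plan)
    expected = plan["rate_cGy_per_s"]
    delivered = 0.0
    while delivered < plan["fraction_cGy"]:
        # Check before each increment: the beam stays off until the machine
        # is behaving as planned, which is what "fail-safe" means here.
        if abs(measured_rate_cGy_per_s - expected) > RATE_TOLERANCE * expected:
            return delivered, "HALTED: dose rate outside tolerance"
        delivered += measured_rate_cGy_per_s * tick_s
    return delivered, "complete"


# Constructed plans.  PLAN_FROZEN mimics a plan saved while the planning
# software froze: the collimator setting was never written.
PLAN_WEDGE = {"fraction_cGy": 200, "rate_cGy_per_s": 4.0,
              "collimator_mm": 60, "wedge": "30deg"}
PLAN_FROZEN = {"fraction_cGy": 200, "rate_cGy_per_s": 4.0,
               "collimator_mm": None, "wedge": "none"}


def frozen_save_scenario():
    """The incomplete plan is refused before the beam is ever enabled."""
    try:
        validate_plan(PLAN_FROZEN)
    except UnsafePlan as err:
        return str(err)
    return "accepted"


def wedge_out_scenario():
    """Planning assumed wedge attenuation; with the wedge left out the
    chamber reads about 3.5x the planned rate, so the interlock trips."""
    return run_fraction(PLAN_WEDGE, measured_rate_cGy_per_s=3.5 * 4.0)


def normal_scenario():
    """Hardware behaving as planned: the full fraction is delivered."""
    return run_fraction(PLAN_WEDGE, measured_rate_cGy_per_s=4.0)


if __name__ == "__main__":
    print(frozen_save_scenario())
    print(wedge_out_scenario())
    print(normal_scenario())
```

The design choice worth noticing is that neither check depends on the planning software being correct: `validate_plan` refuses to guess what an absent setting means, and `run_fraction` compares a measurement the planning software did not produce against the plan it did. A fault in either component is caught by the other, which is what distinguishes a fail-safe interlock from a second copy of the same logic.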
Are the engineers who design this sort of equipment also responsible for the human errors that led to patient overdoses? Not all human errors can be anticipated and designed around. However, it is incumbent on a design engineer to make systems easy to operate correctly and difficult to operate incorrectly. While an engineer cannot always anticipate every misuse or every mistake that might occur with an engineered system, it is essential that engineers try to anticipate these types of problems before they occur and design the system to minimize the chance that such mistakes can happen and the harm they can do when they do.