Therac-25
The Therac-25 was a computer-controlled radiation therapy machine produced by Atomic Energy of Canada Limited (AECL) in 1982 after the Therac-6 and Therac-20 units (the earlier units had been produced in partnership with CGR of France). It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation.[1, p. 425] Because of concurrent programming errors, it sometimes gave its patients radiation doses that were hundreds of times greater than normal, resulting in death or serious injury.[2] These accidents highlighted the dangers of software control of safety-critical systems, and they have become a standard case study in health informatics and software engineering. The overconfidence of the engineers[1, p. 428] and the lack of due diligence in resolving reported software bugs are also highlighted as an extreme case in which the engineers' confidence in their initial work, and their refusal to believe the end users' reports, had drastic consequences.

Design

The machine offered two modes of radiation therapy:[3] direct electron-beam therapy, and X-ray therapy, in which a high-current electron beam is directed at an X-ray target.
It also included a "Field light" mode, which allowed the patient to be correctly positioned by illuminating the treatment area with visible light.

Problem description

The six documented accidents occurred when the high-current electron beam generated in X-ray mode was delivered directly to patients. Two software faults were to blame.[3] In the first, the operator selected X-ray mode and then quickly changed to electron mode; this allowed the electron beam to be set for X-ray mode without the X-ray target being in place. The second fault allowed the electron beam to activate during field-light mode, when no beam scanner was active and no target was in place. Previous models had hardware interlocks to prevent such faults, but the Therac-25 had removed them, relying instead on software checks for safety. The high-current electron beam struck the patients with approximately 100 times the intended dose of radiation, and over a narrower area, delivering a potentially lethal dose of beta radiation. Patient Ray Cox described the feeling as "an intense electric shock", which made him scream and run out of the treatment room.[4] Several days later, radiation burns appeared, and the patients showed the symptoms of radiation poisoning; in three cases, the injured patients later died as a result of the overdose.[5]

Root causes

A commission concluded that the primary cause was poor software design and development practice, rather than the several specific coding errors that were found. In particular, the software was designed in such a way that it was realistically impossible to test it in a clean, automated way.[3] Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:
The researchers also found several engineering issues:
The software was written in assembly language, which may demand more care in testing and design; however, the choice of language by itself is not listed as a primary cause in the report. The machine also used its own operating system. Leveson notes that one lesson to be drawn from the incident is not to assume that reused software is safe: "A naive assumption is often made that reusing software or using commercial off-the-shelf software will increase safety because the software will have been exercised extensively. Reusing software modules does not guarantee safety in the new system to which they are transferred..."[3] This blind faith in poorly understood software paradigms is known as cargo cult programming. In response to incidents like those associated with the Therac-25, the IEC 62304 standard was created; it introduces development life-cycle standards for medical device software and specific guidance on using software of unknown pedigree.[6]
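The first fault in the Problem description, the mode edit that lands mid-setup and leaves beam current and target inconsistent, as a small deterministic model. This is an added illustration written for this page, not AECL's code; the struct fields, phase functions and scenario names are all hypothetical, and the interleaving is fixed so the behaviour is repeatable rather than racing real threads. It also shows the kind of consistency check the removed hardware interlock provided.

```c
#include <stdbool.h>
/* Hypothetical model of the mode-change race described above (constructed
 * for this page, not AECL's code). Setup runs in two phases; an operator
 * edit landing between them leaves beam current and target inconsistent. */
enum mode { MODE_XRAY, MODE_ELECTRON };

struct machine {
    enum mode requested;  /* mode currently shown on the operator console */
    bool high_current;    /* beam current set for X-ray production */
    bool target_in;       /* X-ray target in the beam path */
};

/* Phase 1: set beam current from the requested mode. */
static void setup_current(struct machine *m) { m->high_current = (m->requested == MODE_XRAY); }
/* Phase 2: position the target from the requested mode. */
static void setup_target(struct machine *m) { m->target_in = (m->requested == MODE_XRAY); }
/* Operator edit on the console; nothing re-runs a phase that already completed. */
static void operator_edit(struct machine *m, enum mode mode) { m->requested = mode; }

/* Original-style enable: trusts the console state and fires unconditionally. */
static bool fire_unchecked(const struct machine *m) { (void)m; return true; }

/* Interlocked enable, standing in for the hardware interlock of the earlier
 * models: a high-current beam is refused unless the target is in place. */
static bool fire_interlocked(const struct machine *m) {
    return !(m->high_current && !m->target_in);
}

/* Replay the accident interleaving: X-ray entered, current latched, operator
 * quickly corrects to electron, target then withdrawn for electron mode. */
static struct machine race_scenario(void) {
    struct machine m = { MODE_XRAY, false, false };
    setup_current(&m);
    operator_edit(&m, MODE_ELECTRON);
    setup_target(&m);
    return m;
}

/* True when the unchecked path fires high current with the target out. */
static bool unchecked_overdoses(void) {
    struct machine m = race_scenario();
    return fire_unchecked(&m) && m.high_current && !m.target_in;
}

/* True when the interlock refuses the race state but permits a consistent one. */
static bool interlock_is_correct(void) {
    struct machine race = race_scenario();
    struct machine ok = { MODE_ELECTRON, false, false };  /* consistent electron setup */
    return !fire_interlocked(&race) && fire_interlocked(&ok);
}
```

Link with a main that calls unchecked_overdoses() and interlock_is_correct(); both return true, showing that the console state alone cannot be trusted and that a check on the physical configuration catches the inconsistent state.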
Notes

1. Baase, Sara (2008). A Gift of Fire. Pearson Prentice Hall.
2. Leveson, Nancy G.; Turner, Clark S. (July 1993). "An Investigation of the Therac-25 Accidents". IEEE Computer 26(7): 18–41. https://web.archive.org/web/20041128024227/http://www.cs.umd.edu/class/spring2003/cmsc838p/Misc/therac.pdf
3. Leveson, Nancy (1995). Safeware: System Safety and Computers. Appendix A: Medical Devices: The Therac-25. Addison-Wesley. http://sunnyday.mit.edu/papers/therac.pdf
4. Casey, Steven. Set Phasers On Stun: Design and Human Error. Aegean Publishing Company, pp. 11–16.
5. Rose, Barbara Wade. "Fatal Dose: Radiation Deaths linked to AECL Computer Errors". www.ccnr.org. http://www.ccnr.org/fatal_dose.html. Accessed 14 June 2016.
6. Hall, Ken (June 1, 2010). "Developing Medical Device Software to IEC 62304". MDDI - Medical Device and Diagnostic Industry. http://www.mddionline.com/article/developing-medical-device-software-iec-62304. Accessed 2016-12-12.