Question:

1. What additional measures must be taken in the development of software that, if it fails, can cause loss of human life?

2. What can organizations do to reduce the negative consequences of software development problems in the production of their products and the operation of their business processes and facilities?


Medical linear accelerators have long been a critical piece of medical equipment in the fight against cancer. Linear accelerators deliver radiation therapy to cancer patients by accelerating electrons to create high-energy beams, which can kill cancer tumors without impacting surrounding healthy tissue. Tumors close to the skin can be treated with the accelerated electrons; however, for tumors that are more deeply embedded, the electron beam is converted into an X-ray photon beam, which is diffused using a beam spreader plate. The Canadian firm Atomic Energy of Canada Limited (AECL) and a French company named CGR collaborated to build two models of medical linear accelerators. One model, the Therac-6, was capable of producing only X-rays that could be used to kill tumors close to the skin. A later model, the Therac-20, was capable of producing both X-ray photons and electrons and thus could kill both shallow and deeply embedded tumors. Computer software was used to simplify the operation of the equipment but not to control and monitor its operation. Instead, industry-standard hardware safety features were built into both models.

After the business relationship between the two firms failed, AECL went on to build the Therac-25 based on a new design concept. Unlike the Therac-6 and Therac-20, which operated without significant computer controls, computer software was used to both control and monitor the Therac-25 accelerator. The software for the Therac-25 was based on modified code from the Therac-6. The software monitored the machine, accepted technician input for specific patient treatment, initialized the machine to administer the defined treatment, and controlled the machine to execute the defined treatment. The machine was enclosed in the patient treatment room to prevent radiation exposure to the technicians. Audio and visual equipment allowed the patient to communicate with the technicians.

A total of 11 Therac-25 machines were installed in the United States and Canada. Over a 19-month period from June 1985 to January 1987, six serious incidents involving the use of the device occurred. In each of the incidents, the patient received an overdose of radiation. Four of the patients died from the overdose, and another eventually had to have both breasts removed and lost use of her right arm as a result of the overdose. A final patient received burns and was only able to fully recover several years after the incident. Following each incident, AECL was contacted and asked to investigate the situation. However, AECL at first refused to believe that its machine could have been responsible for an overdose. Indeed, following the third incident, AECL responded, “After careful consideration, we are of the opinion that this damage could not have been produced by any malfunction of the Therac-25 or by any operator error.” AECL made some minor changes to the equipment, but because the company did not address the root cause of the problem, additional incidents occurred.

Finally, a physicist at a hospital where two incidents occurred was able to re-create the malfunction and show that the problem was due to a defect in the machine and its software. A failure occurred when a specific sequence of keystrokes was entered by the operator. Because this sequence of keystrokes was nonstandard, the problem rarely occurred and went undetected for a long time. Entry of this combination of keystrokes within a period of eight seconds did not allow time for the beam spreader plate to be rotated into place. The software did not recognize the error, and the patient was then hit with a high-powered electron beam roughly 100 times the intended dose of radiation. In early 1987, the Food and Drug Administration (FDA) and Health Canada (the Canadian counterpart to the FDA) insisted that all Therac-25 units be shut down.
Within the next six months, AECL implemented numerous code changes, installed independent hardware safety locks, and implemented other changes to correct the problem. After these changes, the Therac-25 device continued to be safely used for many years. However, at least three lawsuits were filed against AECL and the hospitals involved in the earlier incidents. The lawsuits were settled out of court, and the results were never revealed.
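The design flaw the case describes, beam power changing the moment the operator selected a mode while the spreader plate needed up to eight seconds to rotate into place, with software that never compared its own bookkeeping against the hardware, and the remedy AECL later applied, independent hardware safety locks, can both be shown in a small simulation. The following Python is an added illustration for the two questions above; it is not AECL's code or anything reproduced from the case. The class and function names, the simulated turntable, the dose units and the controller behaviour are all constructed for the example, and only the eight-second window and the roughly 100-fold overdose are taken from the case text.

```python
"""Toy model of the design lesson in the Therac-25 case.

Added illustration, not AECL's code. All names, the turntable simulation and
the dose model are constructed; only the eight-second rotation window and the
roughly 100x overdose figure come from the case text.
"""
from dataclasses import dataclass
from enum import Enum


class BeamType(Enum):
    ELECTRON = "electron"  # low-power beam; spreader plate not required
    XRAY = "xray"          # high-power beam; spreader plate must be in the path


PLATE_ROTATION_SECONDS = 8.0  # case text: the plate needs eight seconds to rotate in
HIGH_POWER = 100              # constructed units: "roughly 100 times" the intended dose
LOW_POWER = 1


@dataclass
class Turntable:
    """Simulated mechanical assembly. Rotating the plate takes time, so the
    commanded position and the sensed position can disagree for a while."""
    sensed_in_path: bool = False
    commanded_in_path: bool = False
    seconds_until_settled: float = 0.0

    def command(self, in_path: bool) -> None:
        if in_path != self.sensed_in_path:
            self.commanded_in_path = in_path
            self.seconds_until_settled = PLATE_ROTATION_SECONDS

    def advance(self, seconds: float) -> None:
        """Let simulated time pass; the sensor reports the new position only once settled."""
        self.seconds_until_settled = max(0.0, self.seconds_until_settled - seconds)
        if self.seconds_until_settled == 0.0:
            self.sensed_in_path = self.commanded_in_path


class InterlockError(RuntimeError):
    """Raised when a safety check refuses to start the beam."""


class UnsafeController:
    """Mirrors the flaw in the case: beam power follows the selected mode at
    once, and fire() never checks where the plate actually is."""

    def __init__(self, table: Turntable) -> None:
        self.table = table
        self.power = LOW_POWER

    def set_beam(self, beam: BeamType) -> None:
        self.power = HIGH_POWER if beam is BeamType.XRAY else LOW_POWER
        self.table.command(in_path=(beam is BeamType.XRAY))

    def fire(self) -> int:
        """Return the dose reaching the patient (constructed units). The plate
        spreads a high-power beam down to one therapeutic unit; without it the
        full beam power reaches the patient. (An electron beam through the
        plate is outside what this model covers.)"""
        if self.table.sensed_in_path:
            return self.power // HIGH_POWER
        return self.power


def hardware_interlock_permits(power: int, plate_sensed_in_path: bool) -> bool:
    """Independent interlock: shares no state with the controller and looks
    only at the measured beam power and the plate position sensor."""
    return power <= LOW_POWER or plate_sensed_in_path


class SafeController(UnsafeController):
    """Same operator workflow plus the measures the case's remedy points at:
    wait for the hardware to settle, then defer to an independent interlock."""

    def fire(self) -> int:
        if self.table.seconds_until_settled > 0:
            raise InterlockError("turntable still moving; beam not started")
        if not hardware_interlock_permits(self.power, self.table.sensed_in_path):
            raise InterlockError("high power requested with spreader plate out of path")
        return super().fire()


def run_treatment(controller_cls, seconds_before_start: float):
    """Constructed scenario: the machine is set up for an electron treatment,
    the operator switches it to X-ray, and the beam is started
    `seconds_before_start` seconds later. Returns the delivered dose, or None
    when an interlock refuses to fire."""
    table = Turntable()  # plate out of the path, turntable idle
    controller = controller_cls(table)
    controller.set_beam(BeamType.XRAY)  # power goes high at once; the plate needs 8 s
    table.advance(seconds_before_start)
    try:
        return controller.fire()
    except InterlockError:
        return None


if __name__ == "__main__":
    for cls in (UnsafeController, SafeController):
        for delay in (2.0, 8.0):
            print(f"{cls.__name__:17} start after {delay:>4}s -> dose {run_treatment(cls, delay)}")
```

Run stand-alone, the unsafe controller delivers 100 units when the beam is started two seconds after the mode change and 1 unit after eight seconds; the safe controller refuses the early start and delivers 1 unit after eight seconds. The point for question 1 is that the interlock function reads sensors, not the controller's variables, so a defect in the control software cannot talk the interlock into agreeing with it; for question 2, the same separation is what lets an organization add a check after the fact without having to trust that every code path in the original software was fixed.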
