The FAQs
Rich business card Barrett Engineering Consulting
CLICK HERE for help with Fastening, Materials, Corrosion, Structural & Mechanical Design

sci.engr.* FAQ on Failures:
THERAC-25
Copyright 1995-2000 by Ron Graham
Ron Graham, rgraham@tcnj.edu
with Tim Fulcher, timjfulcher@yahoo.com

The THERAC-25 radiation treatment device was originally marketed by Atomic Energy of Canada, Ltd. (AECL) It had two modes of operation:

  1. X -- X-rays, 25 MeV (25 Krads)
  2. E -- electron beam, 200 rads

Cancer patients undergoing treatment in E mode were in a few cases subjected to accidental X-ray exposure (at 125 times the recommended radiation dose for their illnesses), and some died, due to a design flaw in the THERAC-25.

The accidental exposure came from the following sequence of events:

  1. Technician enters "X" on the keyboard.
  2. Screen indicates "X-ray Mode."
  3. Technician recognizes a mistake and edits it, using the "UP" key to cursor back over the "X."
  4. Technician enters "E."
  5. Screen indicates "Electron Beam Mode."
  6. Technician sees this is the right setting and hits the "RETURN" key.
  7. Screen indicates "Beam Ready."
  8. Technician enters "B" to fire the beam.

    (The above sequence of events took eight seconds, or less.)

  9. Screen indicates "Malfunction 54." Patient has been blasted with X-rays!
  10. Technician doesn't understand malfunction message and can't hear patient whimpering in the next room. Technician repeats steps 7-9 until patient gets up and runs away!

In one celebrated case, the radiological physicist and oncologist on duty could see nothing wrong with the device -- they ran it through a series of prescribed tests that showed nothing abnormal. And the patient injured by the X-ray had no visible sign of burns. But that patient, Voyne Ray Cox, died four months later.

Investigators later learned that AECL engineers didn't realize that steps 1-8 could be performed within eight seconds. Those steps evidently outraced the THERAC computer's duty cycle, retracting a protective tungsten target plate and resetting the mode from the technician's point of view, but leaving the power setting to maximum. There was no microswitch or mechanical verification of the computer's response.

Their initial fix of the problem was to tell users to SELLOTAPE over the backspace button.

References

Casey, S. Set Phasers on Stun. Aegean Publishing, 1998.

[Return to FAQ on Failures] [Rhetoric Table of Contents] [Apollo 1] [USS Thresher] [Aircraft] [Mars Climate Orbiter] [Union Carbide Bhopal]