It is unlikely that static analysis would have found the problem because it was
one of logic and not a problem of syntax. Pair programming probably would not
have worked either because the problem originated in requirements and design.
Finding the problem via testing obviously did not occur, and it is uncertain if
testing was the best solution. The problem seemed to be that there was insufficient
attention paid to false positives.
1986: Therac 25 Radiation Poisoning
Between 1985 and 1987, a number of patients treated with the Therac 25 radiation
therapy device received doses much higher than prescribed: some were 100 times
larger.
There were two radiation levels with this machine: high power and low power.
Older machines by the same company had hardware interlocks that prevented the
high-power mode from being turned on by accident. In the Therac 25, the hardware
interlocks had been removed and replaced by software interlocks, which
failed to operate under some conditions.
Worse, apparently the operating console did not inform operators when high
power was in use. There was an error message and the machine stopped, but it
only said “malfunction” and did not state what the problem was. Operators could
then push a button to continue administering the radiation.
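The failure pattern described above (software-only interlocks, a bare "malfunction" message, and a continue button that resumes the beam) can be contrasted with a fail-safe design in which faults carry a specific reason, latch until acknowledged, and can never be overridden by "continue". The following is an added illustrative example, not code from the Therac 25 or from this book; the controller, its hardware confirmation input and its reset protocol are hypothetical assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Power(Enum):
    LOW = "low"
    HIGH = "high"

class InterlockTrip(Exception):
    """Carries the specific interlock that failed, never a bare 'malfunction'."""

@dataclass
class TreatmentController:
    # Hypothetical inputs, constructed for this example: the prescribed mode and a
    # hardware sensor that must positively confirm the machine is set up for high power.
    prescribed: Power = Power.LOW
    hardware_confirms_high_setup: bool = False
    latched_fault: Optional[str] = None
    log: list = field(default_factory=list)

    def _trip(self, reason: str) -> None:
        # Faults latch: nothing is delivered until an explicit, acknowledged reset.
        self.latched_fault = reason
        self.log.append(f"FAULT: {reason}")
        raise InterlockTrip(reason)

    def deliver(self, requested: Power) -> str:
        if self.latched_fault is not None:
            raise InterlockTrip(f"fault latched: {self.latched_fault}; reset required")
        if requested != self.prescribed:
            self._trip(f"requested {requested.value}, prescription is {self.prescribed.value}")
        if requested is Power.HIGH and not self.hardware_confirms_high_setup:
            self._trip("high power requested without hardware confirmation of setup")
        self.log.append(f"delivered {requested.value}")
        return f"delivered {requested.value}"

    def press_continue(self) -> str:
        # 'Continue' repeats the prescribed dose only if no fault is latched;
        # it can never override an interlock.
        return self.deliver(self.prescribed)

    def reset_with_acknowledgement(self, operator_ack: str) -> None:
        # Clearing a fault requires acknowledging the specific reason, and the
        # machine falls back to low power with hardware confirmation cleared.
        if self.latched_fault is None or operator_ack != self.latched_fault:
            raise InterlockTrip("acknowledgement does not match the latched fault")
        self.log.append(f"RESET acknowledged: {self.latched_fault}")
        self.latched_fault = None
        self.prescribed = Power.LOW
        self.hardware_confirms_high_setup = False
```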
Because of serious injury to patients, the Therac 25 problems were extensively
studied by several government agencies. Readers who want a more complete discussion
can do a Google search on “Therac 25” to get detailed analyses.
Lessons learned: The lessons learned from this problem are that medical devices
that can kill or harm patients need state-of-the-art quality control. The Therac 25
apparently was inept in quality control, and government regulatory agencies did
not properly oversee them.
Problem avoidance: The Therac 25 problems could probably have been found by
any combination of inspections, static analysis, and risk-based testing. Later
investigations by government agencies found laxness in all forms of quality control.
Apparently, there were no formal inspections, no static analysis, no risk analysis,
and far less rigorous testing than needed. Pair programming would not have
worked because the problem spanned the physical operating console and inadequate
training of personnel as well as software problems.