Page 193 - ARM 64 Bit Assembly Language
extremely low probabilities to those faults. As a result, the assessment was very inaccurate.
When the first overdose was reported to AECL in 1985, they sent an engineer to the site to investigate. They also filed a report with the FDA and the Canadian Radiation Protection Board (CRPB). AECL also notified all users of the fact that there had been a report and recommended that operators should visually confirm hardware settings before each treatment. The AECL engineers were unable to reproduce the fault, but suspected that it was due to the design and placement of a microswitch. They redesigned the microswitch and modified all of the machines that had been deployed. They also retracted their recommendation that operators should visually confirm hardware settings before each treatment.
Later that year, a second incident occurred. In this case, there is no evidence that AECL took any action. In January of 1986, AECL received another incident report. An employee at AECL responded by denying that the Therac-25 was at fault, and stated that no other similar incidents had been reported. Another incident occurred in March of that year. AECL sent an engineer to investigate. The engineer was unable to determine the cause, and suggested that it was due to an electrical problem, which may have caused an electrical shock. An independent engineering firm was called in to examine the machine and reported that it was very unlikely that the machine could have delivered an electrical shock to the patient. In April of 1986, another incident was reported. In this case, the AECL engineers, working with the medical physicist at the hospital, were able to reproduce the sequence of events that led to the overdose.
As required by law, AECL filed a report with the FDA. The FDA responded by declaring the
Therac-25 defective. AECL was ordered to notify all of the sites where the Therac-25 was
in use, investigate the problem, and file a corrective action plan. AECL notified all sites, and
recommended removing certain keys from the keyboard on the machines. The FDA responded
by requiring them to send another notification with more information about the defect and the
consequent hazards. Later in 1986, AECL filed a revised corrective action plan.
Another overdose occurred in January 1987, and was attributed to a different software fault. In February, the FDA and CRPB both ordered that all Therac-25 units be shut down, pending effective and permanent modifications. AECL spent six months developing a new corrective action plan, which included a major overhaul of the software, the addition of mechanical safety interlocks, and other safety-related modifications.
6.3.2 Overview of design flaws
The Therac-25 was controlled by a DEC PDP-11 computer. The PDP-11 was the most popular minicomputer ever produced. Around 600,000 were produced between 1970 and 1990 and