Computer Ethics Case study
How a Medical Linear Accelerator Works
Generating an Electron Beam
Early radiation therapy machines used a radioactive source like cobalt to produce the ionizing radiation needed to treat cancerous tissue. Some machines still use an active radiation source. But most radiation therapy today is done with a linear accelerator. In principle, a linear accelerator works just like the computer monitor you are probably using to read this web page. The electrons are accelerated by the gun in the back of the monitor and directed at the inside of the screen, where phosphors absorb the electrons and produce light. A medical linear accelerator produces a beam of electrons about 1,000 times more powerful than the standard computer monitor. The longer a linear accelerator is, the higher the energy of the beam it can produce. The innovation of Therac-25 was that the designers found a way to fold the beam back and forth so a very long accelerator could be fit into a smaller space. Thus powerful beams could be produced, but within a reasonable amount of space.
Getting the Beam into the Body
Patients can be treated directly with the resulting electron beam, as long as the beam is spread out by scanning magnets to produce a safe level of radiation. The medical linear accelerator spreads and directs the beam at the appropriate place for treatment. The picture below shows a typical medical linear accelerator in operation.
But a difficulty with the electron beam is that it diffuses rapidly in tissue and cannot reach deeper tissue for treatment. The picture below is a simulation (produced by the Stanford Linear Accelerator Center) of an electron beam traveling through air and entering human tissue. You can see the beam quickly diffuses and therefore does not penetrate deeply.
To solve this problem, Therac-25 and many other machines can switch to a mode in which X-ray photons are used for treatment. These penetrate much more deeply without harming intervening tissue. To do this, the electron beam is greatly increased in intensity and a metal foil followed by a beam "flattener" is placed in the path of the electron beam. This transforms the electron beam into an X-ray (called photons in some literature). This process is inefficient and requires a high intensity electron beam to produce enough X-ray intensity for treatment. Therac-25 used a 25 MeV electron beam to produce an X-ray for treatment. 25 MeV is 25 million electron volts (eV -- an eV is the energy needed to move one electron through a potential of one volt).
Therac-25 was what was called a dual-mode machine. It could produce the low energy electron beams for surface treatment and it could also produce a very high intensity electron beam that would be transformed into an X-ray by placing the metal foil in the path of the beam. The serious danger in a dual mode machine is that the high-energy beam might directly strike the patient if the foil and flattener were not placed in its way.
Radiation Absorbed Dose
Although MeVs are used to measure the strength of the electron beam, the measure used for therapeutic uses is the radiation absorbed dose (rad). This is a measure of the radiation that is absorbed by tissue in a treatment. Standard single radiation treatments are in the range of 200 rads. 500 rads is the accepted level of radiation that, if the entire body is exposed to it, will result in the death of 50% of the cases. The unprotected electron beam in the Therac-25 is capable of producing between 15,000 and 20,000 rads in a single treatment. The unprotected beam is never aimed directly at a patient. It is either spread to a safe concentration by scanning magnets or turned into X-rays and reduced by a beam flattener.
How Therac-25 worked
A Short History of Therac
There were two previous versions of Therac machines, each produced by CMC in collaboration with a French company, CGR. Therac-6 and Therac-20 (each named for the MeV they could produce) were based on an earlier design from CGR. By the time Therac-25 was released for sale, CMC had 13 years of experience with production of medical linear accelerators. Therac-25 was based on these previous versions. Its main innovations were (1) a "double pass" electron beam so the machine could produce more energy in less space, and (2) the addition of extensive computer control of the machine. This latter innovation allowed CMC to move much of the checking for hazardous conditions into the software.
The Therac-25's ancestors, Therac-20 and Therac-6, had used a minicomputer (a DEC PDP-11) to add some convenience to the standard hardware of a medical linear accelerator. They both could work without computer control. CMC determined to make its new model, Therac-25, a tightly-coupled combination of software and hardware. Therac-25 software was not written from scratch, but was built up from components that were borrowed from the earlier versions of Therac.
The Machine in the Room
Therac-25 is not just a machine, but an installation consisting of the machine, the PDP-11 that controlled the machine, the shielded room the machine sits in, and the monitoring and control station.
The control console and printer etc. are all located outside the heavily shielded treatment room. Thus, when pressing the key to begin the treatment, the operator does not have any direct access to the machine or the patient. All the occurrences in the treatment room must be observed through the TV monitor and the intercom. The intercom works both ways, that is, the patient can hear the operator (if the operator presses a switch) and the operator can hear the patient. The patient, however, cannot see anything outside the treatment room, while the operator can look in using the TV monitor.
Switching Between Modes: The Turntable
Therac-25 is a dual mode machine. This means that it can treat the patient with relatively low energy electron beams or with X-ray beams. In addition, Therac-25 had a "field light" position that allowed a standard light beam to shine in the path of treatment to help the operator in setting up the machine. Thus there were three modes in which the Therac-25 could operate: electron beam and X-ray for treatment, and field light for setup.
Even though they are relatively low energy, the electron beams are too powerful in their raw form to treat the patient. They need to be spread thinly enough to be the right level of energy. To do this, Therac-25 placed what are called scanning magnets in the way of the beam. The spread of the beam (and also its power) could be controlled by the magnetic fields generated by these magnets. Thus for electron beam therapy, the scanning magnets needed to be placed in the path of the beam.
X-ray treatment requires a very high intensity electron beam (25 MeV) to strike a metal foil. The foil then emits X-rays (photons). This X-ray beam is then "flattened" by a device below the foil, and the X-ray beam of an appropriate intensity is then directed to the patient. Thus, X-ray therapy requires the foil and the flattener to be placed in the path of the electron beam.
The final mode of operation for Therac-25 is not a treatment mode at all. It is merely a light that illuminates the field on the surface of the patient’s body that will be treated with one of the treatment beams. This "field light" required placing a mirror in place to guide the light in a path approximating the treatment beam’s path. This allowed accurate setup of the machine before treatment. Thus, for field light setup, the mirror needed to be placed in the path where one of the treatment beams would eventually go.
In order to get each of these three assemblies (scanning magnets or X-ray target or field light mirror) in the right place at the right time, the Therac-25 designer placed them on a turntable. As the name suggests, this is a rotating assembly that has the items for each mode placed on it. The turntable is rotated to the correct position before the beam is started up. This is a crucial piece of the Therac-25 machine, since incorrect matching of the turntable and the mode of operation (e.g. scanning magnets in place but electron beam turned on high for X-ray) could produce potentially fatal levels of radiation.
Setup and Actuation
The Therac-25 operator sets up the patient on the table using the field light to target the beam. In doing this, treatment parameters must be entered into the machine directly in the treatment room.
He or she then leaves the room and uses the computer console to confirm the treatment parameters (electron or X-ray mode, intensity, duration, etc.). The parameters initially entered in the treatment room appear on the console and the operator simply presses return to confirm each one.
The computer then makes the appropriate adjustments in the machine (moving the turntable, setting the scanning magnets, setting beam intensity etc.). This takes several seconds to do. If the operator notices an error in the input parameters, he or she can, during the setup, edit the parameters at the console without having to start all over again from inside the treatment room.
When the computer indicates that the setup has been done correctly, the operator presses the actuation switch. The computer turns the beam on and the treatment begins. There are three possible outcomes at this point, and they all depend on sensors on the machine. If the sensors indicate no trouble, the treatment concludes successfully. If the sensors indicate a minor problem, like the beam being slightly out of tune, the computer turns the beam off immediately. The operator can then press a "proceed" key to retry the treatment up to 5 times. If the sensors indicate a more serious malfunction, like the beam being significantly stronger or weaker, the computer turns the beam off immediately and requires the machine to be completely set up from the beginning.
What Therac-25 Software Did
Real-time Software
The software that ran the Therac-25 was real-time software. What does that mean?
Real-time software is software that interacts with the world on the world’s schedule, not the software's. For instance, software to keep a radio tuner on the signal of a drifting station could take two approaches. It might simply update the signal every 0.1 seconds, searching for the strongest signal within some bandwidth. Another approach is to include a sensor that detects when the signal loses strength and only then search for a stronger signal nearby. This latter approach is real-time. It senses the world and responds to changes in the world when those changes occur.
This sort of software (even the simple system just described) is difficult to write and maintain. First, it involves the software in reading and responding to sensors about the state of "the world." With Therac-25, these sensors indicated things like the intensity of the beam, the position of various parts of the machine (e.g. the turntable) and commands entered at the console by the operator. Sensors, of course, can go bad, or give incorrect readings. When they do, the software needs to be able to detect these problems and respond accordingly, or at least fail in a graceful manner that doesn’t endanger life.
In addition, when real-time software has to monitor more than one thing, changes in one area may occur while the software is responding to changes in another. This is like the situation of trying to divide your limited attention to all the things you need to monitor when you are driving a car. While you are watching a red light up ahead, a car may have slipped into your blind spot without you seeing it.
So, Therac software needed to track and respond to several things in real-time without dropping any important balls. What those things are is described in the next section.
Design of Software
The main tasks for which the software is responsible include:
Operator
o Monitoring input and editing changes from an operator
o Updating the screen to show current status of machine
o Printing in response to operator commands
Machine
o monitoring the machine status
o placement of turntable
o strength and shape of beam
o operation of bending and scanning magnets
o setting the machine up for the specified treatment
o turning the beam on
o turning the beam off (after treatment, on operator command, or if a malfunction is detected)
The Therac-25 software is designed as a real-time system and implemented in machine language (a low level and difficult to read language). The software segregated the tasks above into critical tasks (e.g. setup and operation of the beam) and non-critical tasks (e.g. monitoring the keyboard). A scheduler handled the allocation of computer time to all the processes except those handled on an interrupt basis (e.g. the computer clock and handling of computer-hardware-generated errors).
As explained above, the difficulty with this kind of software is the handling of things that might be occurring simultaneously. For example, the computer might be setting the magnets for a particular treatment already entered (which can take 8 seconds) while the operator has changed some of the parameters on the console screen. If this change is not detected an incorrect treatment can be given. More dangerous is the possibility that the change only affects the portion of the software that handles beam intensity, while the portion of the software that checks turntable position is left thinking that the old treatment parameters are still in effect.
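The following added example (not code from the Therac-25 or from the original case study) models the situation just described: the turntable portion reads the parameters at the start of setup, the operator edits the mode mid-setup, and the beam portion reads the edited value. The class and function names, the version counter and the pre-actuation check are assumptions made for illustration.

```python
# Added illustration: a deterministic model of the edit-during-setup race.
# Every name here is hypothetical; this is not Therac-25 code.
from dataclasses import dataclass

# Assembly that must sit in the beam path for each treatment mode (per the text).
REQUIRED_ASSEMBLY = {"electron": "scanning_magnets", "xray": "foil_and_flattener"}
BEAM_LEVEL = {"electron": "low", "xray": "high"}


@dataclass
class Params:
    mode: str
    version: int = 0  # bumped on every operator edit

    def edit(self, mode):
        self.mode = mode
        self.version += 1


@dataclass
class Machine:
    turntable: str = "field_light_mirror"
    beam: str = "off"
    setup_version: int = -1  # parameter version the turntable was set for


def run(initial_mode, edit_to=None, checked=False):
    """Simulate setup, an optional console edit mid-setup, then actuation."""
    params, m = Params(initial_mode), Machine()
    # Turntable task reads the parameters once, when setup starts.
    m.turntable = REQUIRED_ASSEMBLY[params.mode]
    m.setup_version = params.version
    # Operator edits the mode while the slow magnet setup is still running.
    if edit_to is not None:
        params.edit(edit_to)
    if checked:
        # Interlock before beam-on: setup must have used the current
        # parameters and the assembly in the path must match the mode.
        stale = m.setup_version != params.version
        wrong_assembly = m.turntable != REQUIRED_ASSEMBLY[params.mode]
        if stale or wrong_assembly:
            return m, "refused: repeat setup"
    # Beam task reads the parameters now, so it sees the edited mode.
    m.beam = BEAM_LEVEL[params.mode]
    hazard = m.beam == "high" and m.turntable != "foil_and_flattener"
    return m, ("HAZARD" if hazard else "ok")


if __name__ == "__main__":
    for checked in (False, True):
        machine, status = run("electron", edit_to="xray", checked=checked)
        print(checked, machine.turntable, machine.beam, status)
```

The check in this model is still software; it shows why the two portions must agree on one version of the parameters before the beam is turned on, not how to replace a hardware interlock.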
Sensors on the Machine
The sensors in the machine reported on, among other things, the placement of the turntable and the strength and shape of the beam. In the diagram below, you can see the "transmission monitors" directly below the metal foils designed to produce X-rays. A different monitor was required for X-rays than for the electron beam, and so these monitors (they were ion chambers) were attached to the turntable underneath either the X-ray foil or the electron beam scanning magnets. No monitor was placed below the "field light assembly" and so no measurement can be made of a beam in this position.
System Safety
Machine-Based Safety Mechanisms
As the diagram indicates, the Therac-25 linear accelerator was isolated in a heavily shielded room. This shielding protected the operator (who might do as many as 30 treatments in one day) from the low-level radiation that might scatter from the machine. In addition, the machine itself was shielded in many ways to reduce the amount of scattered radiation it would emit. CMC was particularly proud of this innovation in machine shielding, and even published a paper in a technical journal on its design.
Software Based Safety Mechanisms
Previous versions of Therac (Therac-6 and Therac-20) used software to make the hand operation of the machine more convenient. But Therac-25 was completely software controlled. In addition, since safety checking was made the job of the software, many of the hardware safety interlocks were removed. Thus, the safe operation of the machine became almost completely the responsibility of the software.
For example, intensity of the beam is monitored by ion chambers placed on the turntable. There were two different ion chambers, one located beneath the scanning magnets that spread the electron beam and one located beneath the foil that turned a high intensity electron beam into X-rays. These chambers monitored the amount of radiation that was being delivered to the patient in each mode (electron beam or X-ray) and each could measure the beam intensity only within the expected range from the beam with which it was paired. If the chamber detected a dose that was different from that assigned to the patient, the software immediately suspended treatment.
If the difference was a minor amount or if the beam intensity was measured as hardly there, the software might allow the operator to retry the treatment up to 5 times before shutting down completely. This retry facility was added to the software because it was a regular occurrence for the beam to be slightly "out of tune" and for the software to suspend treatment.
If the beam intensity was detected to be quite different from the assigned intensity, the software shut the machine down completely and required all the treatment parameters to be entered again.
Safety Analysis of the System
In 1983, just after CMC made the Therac-25 commercially available, CMC performed a safety analysis of the machine using Fault Tree Analysis. This involves calculating the probabilities of the occurrence of varying hazards (e.g. an overdose) by specifying which causes of the hazard must jointly occur in order to produce the hazard.
In order for this analysis to work as a safety analysis, one must first specify the hazards (not always easy), and then be able to specify all the possible causal sequences in the system that could produce them. It is certainly a useful exercise, since it allows easy identification of single-point-of-failure items and the identification of items whose failure can produce the hazard in multiple ways. Concentrating on items like these is a good way to begin reducing the probabilities of a hazard occurring.
In order to be useful, a Fault Tree Analysis needs to specify all the likely events that could contribute to producing a hazard. In addition, if one knows the specific probabilities of all the contributing events, one can produce a reasonable estimate of the probability of the hazard occurring.
Since much of the software had been taken from the Therac-6 and Therac-20 systems, and since these software systems had been running many years without detectable errors, the analysts assumed there were no design problems in the software. The analysts did consider software failures like "computer selects wrong mode" but assigned them probabilities like 4 x 10**-9. These sorts of probabilities are likely assigned based on the remote possibility of random errors produced by things like electromagnetic noise. They do not take into account the possibility of design flaws in the software.
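A small worked fault tree, added here as an example and not taken from CMC's analysis, shows how much the result depends on the number assigned to the software event and how the single points of failure are found. The tree shape, the event names and every probability except the 4 x 10**-9 quoted above are constructed for illustration.

```python
# Added illustration. The tree shape and every probability except 4e-9
# (quoted in the text) are constructed for this example.
from itertools import product
from math import prod

# A node is ("basic", name), ("and", [children]) or ("or", [children]).
TREE = ("or", [
    ("and", [("basic", "turntable_fault"), ("basic", "position_sensor_fault")]),
    ("basic", "computer_selects_wrong_mode"),  # no hardware interlock behind it
])
P_ANALYSTS = {"turntable_fault": 1e-4, "position_sensor_fault": 1e-3,
              "computer_selects_wrong_mode": 4e-9}
# Same tree, but the software event is a design flaw hit once per 10,000
# treatments (constructed rate) instead of random noise.
P_DESIGN_FLAW = {**P_ANALYSTS, "computer_selects_wrong_mode": 1e-4}


def probability(node, p):
    """Top-event probability, assuming independent basic events."""
    kind, arg = node
    if kind == "basic":
        return p[arg]
    probs = [probability(child, p) for child in arg]
    if kind == "and":
        return prod(probs)
    return 1 - prod(1 - q for q in probs)  # "or": at least one child occurs


def cut_sets(node):
    """Minimal sets of basic events that together produce the top event."""
    kind, arg = node
    if kind == "basic":
        return [frozenset([arg])]
    per_child = [cut_sets(child) for child in arg]
    if kind == "or":
        sets = [s for child_sets in per_child for s in child_sets]
    else:  # "and": combine one cut set from each child
        sets = [frozenset().union(*combo) for combo in product(*per_child)]
    return [s for s in set(sets) if not any(t < s for t in sets)]


def single_points_of_failure(node):
    """Basic events that produce the top event on their own."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


if __name__ == "__main__":
    print("analysts   :", probability(TREE, P_ANALYSTS))
    print("design flaw:", probability(TREE, P_DESIGN_FLAW))
    print("single points of failure:", single_points_of_failure(TREE))
```

With the constructed numbers, the software event is the only single point of failure, and replacing the noise-level probability with the design-flaw rate raises the top-event probability by roughly three orders of magnitude.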