By ThinkReliability Staff

The Therac-25 is a radiation therapy machine used during the mid-80s.  It delivered two types of radiation beams, a low-power electron beam and a high-power x-ray.  This provided the economic advantage of delivering two kinds of therapeutic radiation with one machine.  From June 1985 to January 1987, the Therac-25 delivered massive radiation overdoses to 6 people around the country.  We can look at the causes of these overdoses in a root cause analysis performed as a Cause Map.

The radiation overdoses were caused by delivery of the high-powered electron beam without attenuation.  In order for this to happen, the high-powered beam was delivered, and the attenuation was not present.  The lower-powered beam did not require attenuation provided by the beam spreader, so it was possible to operate the machine without it.  The machine did register an error when the high-powered beam was turned on without attenuation.  However, it was possible to operate the the beam with the error and the warning was overridden by the operators.

The Therac-25 had two different responses to errors.  One was to pause the treatment, which allowed the operators to resume without any changes to settings, and another was to reset the machine settings.  The error resulting in this case, having the high-power beam without attenuation, resulted only in a treatment pause, allowing the operator to resume treatment with an override, without changing any of the settings.  Researchers talking to the operators found that the Therac-25 frequently resulted in errors and so operators were accustomed to overriding them.  In this case, the error that resulted (“Malfunction 54”) was ambiguous and not defined in any of the operating manuals.  (This code was apparently only to be used for the manufacturing company, not healthcare users.)

The Therac-25 allowed the beam to be turned on without error (minus the overridden warning) in this circumstance.  The Therac-25 had no hardware protective circuits and depended solely on software for protection.  The safety analysis of the Therac-25 considered only hardware failures, not software errors, and thus did not discover the need for any sort of hardware protection.  The reasoning given for not including software errors was the “extensive testing” of the Therac-25, the fact that software, unlike hardware, does not degrade, and the general assumption that software is error-proof.  Software errors were assumed to be caused by hardware errors, and residual software errors were not included in the analysis.

Unfortunately the coding used in the Therac-25 was in part borrowed from a previous machine and contained a residual error.  This error was not noticed in previous versions because hardware protective circuits prevented a similar error from occurring.  The residual error was a software error known as a “race condition”.  In short, the output of the coding was dependent on the order the variables were entered.  If an operator were to enter the variables for the treatment very quickly and not in the normal order (such as going back to correct a mistake), the machine would accept the settings before the change from the default setting had registered.  In some of these cases, it resulted in the error described here.  This error was not caught before the overdoses happened because software failures were not considered in the safety analysis (as described above), the code was reused from a previous system that had hardware interlocks (and so had not had these problems) and the review of the software was inadequate.  The coding was not independently reviewed, the design of the software did not include failure modes and the software was not tested with the hardware until installation.

This incident can teach us a lot about over-reliance on one part of a system and re-using designs in a new way with inadequate testing and verification (as well as many other issues).  If we can learn from the mistakes of others, we are less likely to make those mistakes ourselves.  For more detail on this (extremely complicated) issue, please see Nancy Leverson and Clark Turner’s “An Investigation of the Therac-25 Incidents.”

By ThinkReliability Staff

In a previous blog, we outlined the two theories of a 1984 tragedy in Bhopal that resulted in approximately 15,000 deaths. On Monday, June 7, 2010 (nearly 16 years after the incident) 7 former Union Carbide senior employees were convicted of “death by negligence” by an Indian court.  The sentence was two years in jail and a fine of 100,000 rupees (just over $2,000 U.S.).  One former employee who was also charged has since died.  The Union Carbide subsidiary which owned the plant at the time of the leak was also ordered to pay 500,000 rupees as well.

The charges against the company and the senior officials had been reduced from culpable homicide by India’s supreme court in 1996.  The head of Union Carbide has also been charged but extradition requests remain outstanding.

The recent court case has highlighted not only the problems that led to the chemical leak, but problems that result in massive delays in the Indian court system.  The Law Minister has admitted the delay and said “We need to address that.”

Although the court did not release additional information with their ruling, this appears to support the theory that the an equipment or safety system failure (and not employee sabotage) caused the leak.

By ThinkReliability Staff

Last year we wrote a blog about preventing pool injuries, specifically slipping and drowning. However, there’s a lesser known risk from a pool – getting sick from swimming. This is officially known as “recreational water illness” or RWI, and normally involves diarrhea. RWI is estimated to affect approximately 1,000 people a year (according to WebMD) and can cause death, especially in immune-compromised people.

We can perform a proactive root cause analysis to determine what causes these illnesses. Essentially, a person consumes germs by ingesting pool water that contains germs. Pool water becomes contaminated when germs enter the pool from fecal matter. (Easier said than done. Did you know that the average person is wearing 0.14 grams of fecal matter?) So please, keep fecal matter out of the pool. Take a shower before you get in and make sure your kids are using the bathroom regularly elsewhere. (Not surprisingly, kiddie pools are the ‘germiest’.)

Now, pools are treated to prevent these germs from proliferating. However, some combinations of pool chemicals and germs take much too long to work to be effective. (For example, cryptosporidium takes 7 days to be killed in chlorine.) Some pools aren’t getting enough chemicals due to inadequate maintenance. And, there’s some stuff you can put in the pool – namely urine, sunscreen, and sweat – that interacts with chlorine and reduces the effective volume in the pool. So, even though urine itself doesn’t contain germs, don’t pee in the pool. And again, take a shower.

Our solutions to RWI – take a shower, don’t perform any bodily functions in the pool, and don’t swallow the pool water. However, that works for you and your family, but what about the unwashed masses in the pool? The CDC recommends you buy your own water testing kit and test the pool water before you get in. Make sure there’s a pool treatment plan and that it’s being followed, and that all ‘accidents’ are reported immediately. (Yep, even if they’re your fault.) Then lay back, relax, and enjoy your swim.

by Kim Smiley

On May 25, 2010, the National Highway Traffic Safety Administration (NHTSA) released new data about Toyota’s unintended acceleration issues, increasing the number of deaths potentially linked to the issue to 89.  Additionally, the NHTSA stated that nearly 6,200 complaints regarding acceleration issues in Toyotas have been received since 2000.

The acceleration issues have already resulted in massive recalls of Toyota vehicles in the US.  Nearly 5.4 million vehicles were recalled to fix issues with floor mats that could potentially shift out of position and an addition 2.3 million vehicles were recalled to repair sticking accelerator pedals.  No additional causes have been found for the acceleration issues at this time, but there are a wide range of theories that include electronic issues and solar flares.  Toyota denies that there are any additional causes of the acceleration at this time.

The US government is continuing to investigate the claims of unintended acceleration in Toyotas and an independent 15-month study by the National Academy of Sciences will begin in July.

A recent Wall Street Journal article discussed one of the stranger trends that have been found in the Toyota car crash data.  There have been an unusual number of accidents at beauty salons.

Why beauty salons?

Just like any problem, this issue can be investigated using a root cause analysis built as a Cause Map.  In this case, the Safety goal would be impacted because there is a potential for injury for both the driver and people inside the salon.  Additional causes can be added to the Cause Map by, asking “why” questions and adding boxes to the right.

In this example, the article speculates that the some of the potential causes may be the age of the drivers involved (older women tend to visit salons more frequently), location of the salons (many are in strip malls near parking lots) or the architecture of salons (many have large glass windows that might distract drivers).  No formal investigation has been done to determine the actual causes of this strange trend, but it is interesting to lay out the potential causes and see what factors might be contributing to the hair salon car crashes.

Click on the “Download PDF” button above to view the initial Cause Map.