Therac-25
- The Therac-25 was a medical device intended to deliver therapeutic radiation.
- Developed by AECL (Atomic Energy of Canada, Ltd.).

Therac-25: Operation
- Two modes of operation: X-ray mode and electron beam mode.
- The electron beam is steered by magnets.
- X-ray mode is generated by passing a high-energy (25 MeV) electron beam through a flattener.

Therac-25: Operation (cont.)
- [Figure: picture from "Medical Devices: Therac-25" by Nancy Leveson, U. of Washington]

Therac-25: Fault assessment
- Programming errors have been reduced by extensive testing.
- Software quality does not degrade over time.
- Minute (10^-9) probabilities of random computer events.
- Conclusion: the software is safe.

Therac-25: User interface
- Operators entered information at a keyboard.
- Pressing ENTER repeatedly could be used to re-use the previous settings.
- Error messages took the form: MALFUNCTION N.
- Pressing P after a fault allowed the operator to proceed.

Therac-25: Failures
- Several sites (Marietta, Georgia; Hamilton, Ontario; Yakima, Washington; Tyler, Texas) had abnormal events.
- Patients complained of pain during treatment.
- Six patients died.
- AECL was initially unable to reproduce the faults.

Therac-25: What went wrong?
- Software problem: well-trained operators could change settings faster than the machine could react.
- System design problem: no safety interlocks on the turntable.
- Management problem: software was not considered during hazard analysis.
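The software problem above, as an added example that is not from the lecture or from AECL: a toy Python model in which the operator's corrected mode keystroke arrives while the hardware is still reconfiguring, so the beam energy latched from the first keystroke and the turntable position set by the second disagree when the beam fires. The mode table, the electron-mode energy, the setup delay and the outcome strings are assumptions; the interlock in fire() is the turntable consistency check the lecture says was missing.

```python
# Added example, not AECL code. Assumed: electron-mode energy, turntable names, setup delay.
SETUP_TICKS = 8  # hypothetical: ticks the hardware needs to reconfigure after a mode request
MODES = {
    "xray": {"energy_mev": 25, "turntable": "flattener"},   # 25 MeV beam through the flattener
    "electron": {"energy_mev": 10, "turntable": "magnets"},  # assumed energy; magnets in the path
}

class Therac:
    def __init__(self):
        self.turntable = "flattener"  # physical turntable position
        self.beam_energy_mev = 25     # energy latched into the beam hardware
        self.pending_mode = "xray"    # last mode the operator typed
        self.setup_remaining = 0      # ticks until the hardware has caught up
    def select_mode(self, mode):
        # Operator keystroke; modelled lost update: an edit arriving mid-setup only changes pending_mode
        self.pending_mode = mode
        if self.setup_remaining == 0:
            self.beam_energy_mev = MODES[mode]["energy_mev"]
            self.setup_remaining = SETUP_TICKS
    def tick(self, n=1):
        # Advance hardware time; when setup completes, the turntable moves for pending_mode.
        for _ in range(n):
            if self.setup_remaining > 0:
                self.setup_remaining -= 1
                if self.setup_remaining == 0:
                    self.turntable = MODES[self.pending_mode]["turntable"]
    def fire(self, interlock):
        # interlock=True: refuse unless turntable position matches latched energy (the missing Therac-25 check)
        if self.setup_remaining > 0:
            return "refused:busy"
        energy_for_position = next(m["energy_mev"] for m in MODES.values() if m["turntable"] == self.turntable)
        consistent = self.beam_energy_mev == energy_for_position
        if interlock and not consistent:
            return "refused:interlock"
        return "fired:safe" if consistent else "fired:OVERDOSE"

def operator_edits_during_setup(interlock):
    # Type X-ray, correct it to electron before the hardware has reacted, then fire.
    t = Therac()
    t.select_mode("xray"); t.select_mode("electron")  # second edit lands inside the setup window
    t.tick(SETUP_TICKS)
    return t.fire(interlock)

def operator_waits(interlock):
    # Same two edits, but the operator lets the hardware finish before changing the mode.
    t = Therac()
    t.select_mode("xray"); t.tick(SETUP_TICKS)
    t.select_mode("electron"); t.tick(SETUP_TICKS)
    return t.fire(interlock)
```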
DC-10: Early history
- Long-range airliner; entered service 1967.
- Bottom cargo bay door opened outwards: better than competing designs.
- Control system ran through the floor.

DC-10: Cargo doors
- Outward-opening doors are pushed outward by cabin pressure.
- Solenoid (electrically driven) valves power the latches that close the doors.
- Problem: solenoids cannot self-check.

DC-10: Cargo doors (cont.)
- Solution: install a window near the latch.
- Ground crew should visually inspect that the latch is closed.
- Labels to that effect were placed on the aircraft.

DC-10: First incident
- American Airlines Flt 96 (Detroit-Buffalo), June 12, 1972.
- Latch fails.
- Fuselage crumples, losing almost all control.
- Pilots manage to land the aircraft.
- No loss of life.

DC-10: Second incident
- Turkish Airlines Flt 981 (Paris-London), March 3, 1974.
- Window labelled in English and Turkish.
- Baggage handler not trained for the aircraft; reads French and Arabic.

DC-10: Second incident (cont.)
- Latch fails.
- All control lines severed when the fuselage crumples.
- Plane lost with no survivors.

DC-10: Lessons learned
- Importance of redundancy and self-checking.
- A mandatory recall should have occurred after the first incident.
- Design flaw?
Evolution of household wiring: knob and tube
- Pre-1930s construction.
- Single conductors.
- Ceramic knobs and tubes insulate the wire.
- No ground.
- Still found in older homes.

Aluminum wiring
- Used in the 1970s, when aluminum was cheaper than copper.
- Aluminum is a slightly worse conductor than copper and has a different thermal expansion rate.
- Different expansion rates lead to loose (high-impedance) connections.
- Has caused fires, but is safe when properly installed.

Ground fault interruption
- [Figure: a proper household circuit]

Ground fault interruption
- [Figure: what happens when you touch the hot wire]

Ground fault interruption
- A GFCI can detect the current imbalance between the hot and neutral conductors.
- Currents of 100 mA can be fatal.
- A GFCI will trip at 5 mA.
Safety codes
- Developed over time in response to problems.
- CSA in Canada is an engineering body dedicated to developing codes to prevent household and industrial accidents.
- The household code prevents fires and electrocutions by specifying wire gauge, loading rules, GFCIs, grounding, etc.

Industrial safety: safety PLC
- A computer system that can be used in safety-critical applications.
- Includes multiple redundancy and constant self-checking.

Industrial safety (cont.): light curtain
- Uses infrared beams to detect human presence and stop dangerous machines.
- Includes multiple redundancy and self-checking.

Industrial safety (cont.): SawStop
- The blade stops when it encounters flesh.
- This feature is not yet required by law or safety codes.