Therac-25 : Summary
• Malfunction Complacency
• Race condition (turntable / energy mismatch)
• Data overflow (turntable not positioned)
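The "data overflow" bullet above refers to the fault Leveson and Turner describe: a one-byte shared flag was incremented on every pass of the set-up task, and the turntable/collimator position check only ran while that flag was nonzero, so on every 256th pass the byte wrapped to zero and the check was silently skipped. The following C snippet is an added illustration, not AECL's original assembly code; the names `class3_flag`, `turntable_in_position` and the pass functions are assumptions chosen to make the mechanism visible, and it shows the incrementing variant beside the fix that sets the flag to a fixed nonzero value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical reconstruction of the Therac-25 one-byte flag fault.
 * Not AECL's code: names and structure are assumptions for illustration. */

static uint8_t class3_flag;            /* one-byte shared "check needed" flag */
static bool turntable_in_position;     /* constructed stand-in for the sensor */

/* Original behaviour: increment the flag, then check the turntable only
 * while the flag is nonzero. Returns true if treatment may proceed. */
static bool setup_pass_vulnerable(void) {
    class3_flag++;                       /* 255 + 1 wraps to 0 */
    if (class3_flag != 0) {
        return turntable_in_position;    /* interlock enforced */
    }
    return true;                         /* check skipped: unsafe */
}

/* Hardened: assign a fixed nonzero value; no arithmetic can clear it. */
static bool setup_pass_fixed(void) {
    class3_flag = 1;
    if (class3_flag != 0) {
        return turntable_in_position;
    }
    return true;                         /* unreachable with a fixed flag */
}

/* Run `passes` set-up passes with the turntable mis-positioned and return
 * how many of them would have let treatment proceed. */
int count_unsafe_passes(bool (*pass)(void), int passes) {
    int unsafe = 0;
    class3_flag = 0;
    turntable_in_position = false;
    for (int i = 0; i < passes; i++) {
        if (pass()) unsafe++;
    }
    return unsafe;
}

int main(void) {
    printf("vulnerable, 512 passes: %d unsafe\n",
           count_unsafe_passes(setup_pass_vulnerable, 512));   /* 2 */
    printf("fixed,      512 passes: %d unsafe\n",
           count_unsafe_passes(setup_pass_fixed, 512));        /* 0 */
    return 0;
}
```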
Timeline figure (’85 to ’88), labels recovered from the slide in their order of appearance:
• Micro-switch blamed and replaced
• Soft/Hardware changes ignored
• Overdose declared impossible
• Software fault identified
• Defective and CAP requested
• Software fault identified
• Defective and CAP requested
• Modifications (including hardware interlocks) approved
• FDA notified by AECL
Colin Barrett, Michael Pappas, Li Qingyi
Therac-25 : Procedural Failings
• Only one software engineer
• In assembly language with bespoke scheduler
• Overreliance on software integrity
• No documentation for users or internally
• No Quality Assurance for software
• No meaningful testing strategy
• No understanding of the risks
• No design capturing full feature set and reuse
If it wasn’t these bugs, there probably were others.
Therac-25 : Procedural Failings
• Poorly conceived product from failed consortium
• Pressure to suppress faults
• Ignoring previous incidents
• Fixes failed to find root cause
• Fixes to appease regulators (e.g. update micro-switch)
• Workarounds (remove key)
• Only investigating hardware / external influences
N. G. Leveson, C. S. Turner, “An Investigation of the Therac-25 Accidents”, IEEE Computer, Vol. 26, No. 7, 1993, pp. 18-41