Therac-25

CS4001, Kristin Marsicano

Therac-25 Overview
  • What was the Therac-25?
  • How did it relate to previous models? In what ways was it similar/different?
  • Was the Therac-25 reliable?
Therac-25 Overview
  • Linear accelerator used to create high-energy electron beams to treat shallow tumors and x-ray beams to reach deeper tumors
  • Differed from Therac-6 and Therac-20:
    • The computer was coupled with the system such that the hardware could not function without the computer (e.g. turntable setup)
    • Relied on the computer for safety checks; did not include the hardware safety features of previous models (which allowed for cost savings)
  • Similar to Therac-6 and Therac-20:
    • Shared a common code base
    • Used a computer to augment the user
Was Therac-25 reliable?
  • Worked tens of thousands of times before overdosing anyone
  • Over the course of 20 months (June 1985-July 1987) it administered massive overdoses to 6 patients, resulting in 3 deaths
  • Was notorious for displaying nondescript error messages that had no negative side effects (e.g. up to 40 times a day)

Do not confuse reliability with safety!

Under what conditions did the lethal doses occur?
  • Fast-typing operators
    • Race condition between magnet positioning and screen edits
    • Software relies on the position of the cursor to determine whether edits have been made
    • Change from X-ray mode to Electron mode made before the magnets finish moving; the software doesn’t check the cursor position until after the magnets have stopped
  • Set button
    • Race condition between the “gun ready” variable, gun positioning, and the “Set” button
    • 0 means the gun is ready and will fire; 1-255 means not ready; the variable increments as the gun is moving and rolls over as necessary (which means it might be 0 when the gun is not really ready!)
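The rolled-over “gun ready” byte, modelled as an added example (this is constructed illustration code, not Therac-25 source): one byte doubles as status flag and progress counter, so a gun that is still moving reads as ready on every 256th scheduler pass; the hardened variant keeps the safety status in its own boolean and saturates the counter. The names `gun_state`, `buggy_tick`, `safe_gun_state` and the pass counts are assumptions made for this model.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model (not Therac-25 source) of the "gun ready" byte described
 * above: 0 means ready, 1..255 means not ready, and the byte is bumped on
 * every scheduler pass while the gun moves, so it wraps 255 -> 0. */
typedef struct {
    uint8_t not_ready;   /* the overloaded status-plus-counter byte */
    bool    moving;      /* hypothetical ground truth for this model */
} gun_state;

static void buggy_tick(gun_state *g) { if (g->moving) g->not_ready++; }  /* wraps 255 -> 0 */
static bool buggy_is_ready(const gun_state *g) { return g->not_ready == 0; }

/* Hardened variant: the safety-critical status is its own boolean that only a
 * completion event sets; the progress counter is diagnostic and saturates. */
typedef struct {
    bool    ready;
    uint8_t moves;       /* never consulted for the firing decision */
} safe_gun_state;

static void safe_tick(safe_gun_state *g) {
    if (!g->ready && g->moves < UINT8_MAX) g->moves++;  /* saturating, no wrap */
}
static bool safe_is_ready(const safe_gun_state *g) { return g->ready; }

/* Run `passes` scheduler ticks on a gun that never finishes moving and count
 * the passes on which the readiness check would have allowed firing. */
int buggy_false_ready_count(int passes) {
    gun_state g = { .not_ready = 1, .moving = true };
    int hits = 0;
    for (int i = 0; i < passes; i++) {
        buggy_tick(&g);
        if (buggy_is_ready(&g)) hits++;
    }
    return hits;
}

int safe_false_ready_count(int passes) {
    safe_gun_state g = { .ready = false, .moves = 0 };
    int hits = 0;
    for (int i = 0; i < passes; i++) {
        safe_tick(&g);
        if (safe_is_ready(&g)) hits++;
    }
    return hits;
}
```

Over 1000 passes the buggy encoding reports “ready” on passes 255, 511 and 767 while the gun is still moving; the hardened encoding never does, which is the property a hardware interlock or a separate status flag has to guarantee.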
What parties were involved?
  • Patients and their families
  • AECL (maker of the machine)
  • Developers
  • Hospitals where the machine was used (and their technicians)
AECL Mistakes
  • Assumed the error was only in software
  • Did not design the system to be fail-safe (fail-safe means no single point of failure will lead to catastrophe); instead the Therac-25 relied 100% on the software to ensure the safety of the system
  • Lack of software and hardware devices to detect and communicate an overdose
  • Presumed correctness of reused code; assumed there were no errors in the previous code base when indeed there were
  • Management allowed the software to be developed without adequate documentation (e.g. no user manual for error codes)
  • Did not communicate fully with its customers with regard to the accidents
