The Therac-25 Incidents

The Therac-25 is a computerized device that delivers radiation treatment to cancer patients
(see Figure 12). Between June 1985 and January 1987, several of these machines delivered
serious overdoses to at least six patients, killing some of them and seriously maiming the
others.


The machines were controlled by a computer program. Bugs in the program were directly
responsible for the overdoses. According to [1], the program was written by a single programmer,
who had since left the manufacturing company producing the device and could not
be located. None of the company employees interviewed could say anything about the educational
level or qualifications of the programmer.

The investigation by the federal Food and Drug Administration (FDA) found that the
program was poorly documented and that there was neither a specification document nor a
formal test plan. (This should make you think. Do you have a formal test plan for your programs?)
The overdoses were caused by an amateurish design of the software that controlled different
devices concurrently, namely the keyboard, the display, the printer, and the radiation
device itself. Synchronization and data sharing between the tasks were done in an ad hoc
way, even though safe multitasking techniques were known at the time. Had the programmer
enjoyed a formal education that involved these techniques or taken the effort to study
the literature, a safer machine could have been built. Such a machine would have probably
involved a commercial multitasking system, which might have required a more expensive
computer.
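The paragraph above names the mechanism without showing it: two tasks that share one piece of treatment state, with the edit and the read interleaved in an unfortunate order. The following is an added example written for this page, not code from the Therac-25 or from the text's source; the task structure, the field names `Mode` and `Dose`, the dose values and the "consistent pair" rule are all constructed assumptions chosen to illustrate the failure mode. It contrasts ad hoc sharing (a two-step edit that a reader can observe half-done) with a guarded form in which each edit is one critical section and the beam task refuses to fire on an inconsistent snapshot.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed model for illustration; not the Therac-25's code or parameters.
type Setting struct {
	Mode string // "electron" or "xray" (constructed values)
	Dose int    // constructed dose units
}

const (
	lowDose  = 10
	highDose = 100
)

// consistent is the constructed safety rule: electron mode only with the low
// dose, x-ray mode only with the high dose. Any other pair is an overdose risk
// that a software interlock must refuse.
func consistent(s Setting) bool {
	return (s.Mode == "electron" && s.Dose == lowDose) ||
		(s.Mode == "xray" && s.Dose == highDose)
}

// runSteps executes the steps of two tasks in a fixed interleaving so that one
// particular scheduling can be reproduced deterministically. order[i] is 0 for
// the operator task and 1 for the beam task.
func runSteps(operator, beam []func(), order []int) {
	tasks := [2][]func(){operator, beam}
	var next [2]int
	for _, t := range order {
		tasks[t][next[t]]()
		next[t]++
	}
}

// adHocSharing: the operator edits the two fields in two separate steps and the
// beam task reads them with no synchronization. With the interleaving below the
// beam fires after the mode changed but before the dose did: a torn read that
// pairs x-ray mode with the electron dose.
func adHocSharing() []Setting {
	shared := Setting{Mode: "electron", Dose: lowDose}
	var delivered []Setting
	operator := []func(){
		func() { shared.Mode = "xray" },   // edit, step 1
		func() { shared.Dose = highDose }, // edit, step 2
	}
	beam := []func(){
		func() { delivered = append(delivered, shared) }, // fires on whatever it sees
	}
	runSteps(operator, beam, []int{0, 1, 0}) // operator, beam, operator
	return delivered
}

// Controller is the guarded form: every edit is one critical section, the beam
// copies the setting inside the same critical section, and it refuses to fire
// unless the copy passes the consistency check (a software interlock).
type Controller struct {
	mu      sync.Mutex
	setting Setting
}

// Set replaces both fields in one step under the lock.
func (c *Controller) Set(s Setting) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.setting = s
}

// Fire returns the setting it would deliver and whether it actually fired.
func (c *Controller) Fire() (Setting, bool) {
	c.mu.Lock()
	snap := c.setting
	c.mu.Unlock()
	return snap, consistent(snap)
}

// stressGuarded runs the operator task as a goroutine while the beam task runs
// on the caller, n cycles each, and reports how many beam cycles fired and how
// many were refused. Because Set is atomic with respect to Fire, every snapshot
// is consistent and the refusal count stays zero regardless of scheduling.
func stressGuarded(n int) (fired, refused int) {
	c := &Controller{setting: Setting{Mode: "electron", Dose: lowDose}}
	plans := []Setting{{"xray", highDose}, {"electron", lowDose}}
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Done()
		for i := 0; i < n; i++ {
			c.Set(plans[i%2])
		}
	}()
	for i := 0; i < n; i++ {
		if _, ok := c.Fire(); ok {
			fired++
		} else {
			refused++
		}
	}
	wg.Wait()
	return fired, refused
}

func main() {
	for _, d := range adHocSharing() {
		fmt.Printf("ad hoc sharing delivered %+v, consistent=%v\n", d, consistent(d))
	}
	fired, refused := stressGuarded(10000)
	fmt.Printf("guarded sharing: fired=%d refused=%d\n", fired, refused)
}
```

The interleaving in `adHocSharing` is fixed on purpose: with real threads the torn read appears only on some runs, which is exactly why such bugs survive informal testing and why a test plan for concurrent code has to enumerate interleavings rather than hope to hit them. In the guarded form the mutex alone already prevents the torn read; the `consistent` check in `Fire` is the software equivalent of the hardware interlock discussed below, a last line of defence that does not depend on every other task having been written correctly.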


The same flaws were present in the software controlling the predecessor model, the
Therac-20, but that machine had hardware interlocks that mechanically prevented overdoses.


Figure 12 Typical Therac-25 Facility


The hardware safety devices were removed in the Therac-25 and replaced by checks in the
software, presumably to save cost.
Frank Houston of the FDA wrote in 1985 [1]: “A significant amount of software for life-critical
systems comes from small firms, especially in the medical device industry; firms that
fit the profile of those resistant to or uninformed of the principles of either system safety or
software engineering”.
Who is to blame? The programmer? The manager who not only failed to ensure that the
programmer was up to the task but also didn’t insist on comprehensive testing? The hospitals
that installed the device, or the FDA, for not reviewing the design process? Unfortunately,
even today there are no firm standards of what constitutes a safe software design
process.






