[PRL] Therac-25

Philippe Meunier meunier at ccs.neu.edu
Mon Dec 27 22:55:20 EST 2004


I just came across the story of the Therac-25.  It's almost twenty
years old but it's the first time I've heard of that thing.  As far as
I can remember it's also the first story I've read where people have
died as a direct result of software bugs.

http://courses.cs.vt.edu/~cs3604/lib/Therac_25/TheracClass.html

The "Class Notes" give a very brief overview.  There's a link to an
article ("An Investigation of the Therac-25 Accidents") with much more
detail.  The article is quite long, so here are some highlights:


"The Kennestone physicist later estimated that she received one or two
doses of radiation in the 15,000- to 20,000-rad (radiation absorbed
dose) range. He does not believe her injury could have been caused by
less than 8,000 rads. Typical single therapeutic doses are in the
200-rad range.
[...]
The letter goes on to support this opinion by listing two pages of
technical reasons why an overdose by the Therac-25 was impossible
[...]
In a letter from the manufacturer dated 16-Sep-85, it is stated that
"Analysis of the hazard rate resulting from these modifications
indicates an improvement of at least five orders of magnitude"! With
such an improvement in safety (10,000,000 percent) we did not believe
that there could have been any accelerator malfunction.
[...]
Effective immediately, and until further notice, the key used for
moving the cursor back through the prescription sequence (i.e., cursor
"UP" inscribed with an upward pointing arrow) must not be used for
editing or any other purpose.

To avoid accidental use of this key, the key cap must be removed and
the switch contacts fixed in the open position with electrical tape or
other insulating material. For assistance with the latter you should
contact your local AECL service representative.
[...]
Unfortunately, the AECL response also seems to point out an apparent
lack of documentation on software specifications and a software test
plan.
[...]
The software problem for the second Yakima accident is fairly well
established and different from that implicated in the Tyler accidents.
[...]
based upon past history, I am not convinced that there are not other
software glitches that could result in serious injury
[...]
Amazingly, the test data presented to show that the software changes
to handle the edit problems in the Therac-25 are appropriate prove the
exact opposite result."

Philippe
