Therac-25 was a radiation therapy machine produced by Atomic Energy of Canada Limited. It was involved with at least six known accidents between 1985 and 1987, in which patients were given massive overdoses. These accidents highlighted the dangers of software control of safety-critical systems (see computer bug).

The machine had two treatment modes that used an energy source and a diffusion device that was rotated in front of the source. The accidents occurred when the energy source was activated without the appropriate diffusion device. Researchers who investigated the accidents found several contributing causes. These included the following institutional causes:

• The software code was not independently reviewed.
• The software design was not documented with enough detail to support reliability modelling.
• The system documentation did not adequately explain error codes.
• AECL personnel were at first dismissive of complaints.

The researchers also found several engineering issues:

• The design did not have hardware interlocks to prevent the source from coming on with the wrong diffusion device.
• Software from older models had been reused without properly considering the hardware differences.
• The software assumed that sensors always worked correctly, since there was no way to verify them. (see open loop)
• The equipment control task did not properly synchronize with the operator interface task, so that race conditions occurred if the operator changed the setup too quickly.
• Arithmetic overflows could cause the software to bypass safety checks.

These incidents have become a standard case study in the history of computing and medicine.

See also

• Ariane 5 Flight 501

External links

• An Investigation of the Therac-25 Accidents (IEEE Computer) (http://courses.cs.vt.edu/~cs3604/lib/Therac_25/Therac_1.html)
• Short summary of the Therac-25 Accidents (http://neptune.netcomp.monash.edu.au/cpe9001/assets/readings/www_uguelph_ca_~tgallagh_~tgallagh.html)