When the A.H. Robins Company pulled the Dalkon Shield from the U.S. market on June 28, 1974, the gap between what its inventor Dr. Hugh J. Davis had promised and what the device delivered was already measured in dead women: Davis had published a February 1970 study claiming a 1.1 percent pregnancy rate — comparable to the contraceptive pill and better than rival IUDs then quoting 2 to 3 percent — while concealing that he held a financial stake in the product, had followed roughly 640 patients for an average of only 5.5 months, told many of them to use backup contraception during the early cycles, and dropped non-compliant women from the count. Properly designed studies later put the real failure rate at 5 to 10 percent. By the time Robins acquired the device for $750,000 plus royalties in June 1970 and began mass-marketing it in January 1971, the wonder-IUD legend was built on a number its own inventor had manufactured.
The harm was not contraceptive failure alone. The Shield’s distinguishing feature — a multifilament Supramid removal string sheathed in nylon — acted as a wick, drawing bacteria from the vagina past the cervix into the sterile uterus. Women who conceived with the device in place frequently miscarried in the second trimester via septic abortion, an infected and sometimes fatal mid-pregnancy loss; survivors of pelvic inflammatory disease were often left with scarred fallopian tubes and permanent sterility. Roughly 4.5 million units were sold across 80 countries before withdrawal, about 2.5 million of them in the United States. At least seventeen American women died, and hundreds of thousands suffered PID, ectopic pregnancy, or infertility — a casualty pattern with no precedent in modern contraception.
Robins did not recall the devices already inside women’s bodies, and continued overseas distribution after halting U.S. sales. Litigation — not regulation — forced the truth into the open: discovery in cases tried before federal judges Miles W. Lord in Minnesota and later Robert R. Merhige Jr. in Virginia exposed internal memos showing the company had grounds to know of the wicking defect by 1971 and buried them. Facing a litigation tide it could not absorb, Robins filed for Chapter 11 bankruptcy in August 1985. Judge Merhige fixed its liability at $2.475 billion, funded by acquirer American Home Products into the Dalkon Shield Claimants Trust, which processed roughly 200,000 claims. The episode became the proximate political fuel for the 1976 Medical Device Amendments — the first U.S. law to require pre-market review of medical devices — making the Dalkon Shield the catastrophe that wrote the rulebook it had evaded.
When Shiley Inc. and its parent Pfizer pulled the Björk-Shiley Convexo-Concave (BSCC) heart valve from the world market in 1986, the device had been sold for seven years as a refinement of an already trusted prosthesis — and the refinement was the thing that killed people. Co-invented by American engineer Donald Shiley and the Swedish cardiac surgeon Viking Björk, the convexo-concave disc was a geometric tweak meant to improve blood flow over the company’s well-regarded flat-disc tilting valve. To make the new geometry work, the outlet strut that captured the swinging disc was changed and welded to the valve ring. That weld was the flaw. Under the relentless cyclic load of roughly 40 million heartbeats a year, the strut fractured at the weld, the disc escaped, and the valve failed catastrophically — often producing sudden death before the patient could reach an operating room.
The harm was not a rare anomaly tolerated by an unlucky few. Of the roughly 86,000 convexo-concave valves implanted worldwide, more than 600 are documented to have fractured, and in approximately two-thirds of those cases the patient died. The 60-degree version received U.S. Food and Drug Administration approval in 1979; a higher-flow 70-degree variant was sold abroad but never cleared in the United States, and it fractured at even higher rates. Because the failure mode was a fatigue crack that gave no reliable warning, surgeons and patients spent the late 1980s and 1990s trapped in an excruciating calculus: a working valve might snap tomorrow, but elective re-operation to remove it carried its own mortality.
What turned a metallurgical defect into a scandal was the factory. Sworn testimony and a 1984 engineer’s complaint described a Shiley plant in Irvine, California where valves rejected by inspectors were fished back out, reground to hide cracked welds, renumbered, and passed with falsified paperwork — welders were poorly trained, equipment was in “horrible” condition, and struts were forced onto flanges with pliers. The legend of an improved valve concealed a manufacturing line that could not reliably make the one weld on which a patient’s life depended. Litigation, not the FDA, ultimately fixed the price: the Bowling v. Pfizer class action settled in 1992 for roughly $215 million, with a further fund earmarked for future fracture claims, while implanted patients carried the device — and the fear — for the rest of their lives.
When Atomic Energy of Canada Limited (AECL) shipped the Therac-25 medical linear accelerator at the start of the 1980s, it marketed a machine whose safety the manufacturer had quietly relocated from steel to software — and the gap between that promise and the harm was eventually measured in carbonized tissue and dead patients. Earlier models, the Therac-6 and Therac-20, had retained electromechanical interlocks: physical hardware that mechanically blocked the high-power photon beam unless the beam-spreading and flattening apparatus was correctly in place. The Therac-25 deleted those interlocks to cut cost and add flexibility, trusting reused, single-author, unreviewed control code to keep the two beam modes — low-current electron and ~100x-stronger raw photon — from being confused. They were confused. Between June 1985 and January 1987, six patients received massive overdoses; at least three died.
The lethal mechanism was a race condition, not a melodrama. If an operator at the VT-100 terminal entered the prescription, then within roughly eight seconds used the cursor to edit the beam mode from X-ray to electron and pressed Enter, a fast typist could outrun the software’s set-up routine. The machine’s internal state and its physical hardware fell out of sync: the console believed it was delivering a safe electron dose while the accelerator fired an unattenuated photon beam with no spreader in place — a needle of radiation on the order of 15,000 to 25,000 rad against a prescription of roughly 200. A second, independent defect — a one-byte counter that overflowed to zero exactly when an operator hit a particular timing — could disable a safety check entirely. Both bugs were dormant most of the time, which is precisely why they were so dangerous.
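The one-byte counter defect described above, modelled as an added C example; it is not code from the Therac-25 or from AECL, and the struct, function names and pass counts are hypothetical, constructed for illustration. It shows a safety check gated on a wrapping one-byte flag being skipped on every 256th pass, beside a form in which the check cannot be disabled by arithmetic state.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model; every name here is hypothetical, not AECL's code. */
typedef struct {
    bool    spreader_in_place; /* simulated hardware position sensor */
    uint8_t check_pending;     /* one-byte flag: nonzero = "verify position" */
} machine_t;

/* Flawed: the flag is incremented on each set-up pass, so on every 256th
 * pass it wraps to 0 and the position check is silently skipped. */
static bool setup_pass_flawed(machine_t *m) {
    m->check_pending++;                       /* 255 + 1 wraps to 0 */
    if (m->check_pending != 0 && !m->spreader_in_place)
        return false;                         /* check ran: beam inhibited */
    return true;                              /* beam permitted */
}

/* Hardened: the flag is assigned a constant and the position check runs
 * unconditionally, so no arithmetic state can disable it. */
static bool setup_pass_hardened(machine_t *m) {
    m->check_pending = 1;
    return m->spreader_in_place;              /* permit only if in place */
}

/* Run n passes with the spreader out of place. Returns the number of passes
 * that wrongly permitted the beam; *first gets the 1-based index of the
 * first such pass, or 0 if none occurred. */
static int unsafe_permits(bool (*pass)(machine_t *), int n, int *first) {
    machine_t m = { .spreader_in_place = false, .check_pending = 0 };
    int permitted = 0;
    *first = 0;
    for (int i = 1; i <= n; i++) {
        if (pass(&m)) {
            if (permitted == 0) *first = i;
            permitted++;
        }
    }
    return permitted;
}

int main(void) {
    int first;
    int bad = unsafe_permits(setup_pass_flawed, 1024, &first);
    printf("flawed:   %d unsafe permits, first at pass %d\n", bad, first);
    bad = unsafe_permits(setup_pass_hardened, 1024, &first);
    printf("hardened: %d unsafe permits, first at pass %d\n", bad, first);
    return 0;
}
```

In this model the flawed check fails open on one pass in 256, so a test run shorter than 256 passes never observes it.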
For nineteen months AECL insisted the machine could not overdose. After the first injuries the company told hospitals the Therac-25 was incapable of the harm being reported, and could not reproduce the fault in its own facility because its engineers did not type the way an experienced therapist did. The reckoning came not from AECL but from a Tyler, Texas medical physicist, Fritz Hager, who painstakingly reproduced the malfunction, and from the U.S. Food and Drug Administration, which on May 2, 1986 declared the Therac-25 defective under the Radiation Control for Health and Safety Act and required corrective action plans before the machines could resume routine use. The case became — through Nancy Leveson and Clark Turner’s 1993 IEEE Computer investigation — the founding text of software-safety engineering: the canonical proof that a computer can be a murder weapon when its makers treat code as inherently safer than the hardware it replaced.