The Therac-25 — the Software Bug That Radiated Patients to Death
When Atomic Energy of Canada Limited (AECL) shipped the Therac-25 medical linear accelerator at the start of the 1980s, it marketed a machine whose safety the manufacturer had quietly relocated from steel to software — and the gap between that promise and the harm was eventually measured in carbonized tissue and dead patients. Earlier models, the Therac-6 and Therac-20, had retained electromechanical interlocks: physical hardware that mechanically blocked the high-power photon beam unless the beam-spreading and flattening apparatus was correctly in place. The Therac-25 deleted those interlocks to cut cost and add flexibility, trusting reused, single-author, unreviewed control code to keep the two beam modes — low-current electron and ~100x-stronger raw photon — from being confused. They were confused. Between June 1985 and January 1987, six patients received massive overdoses; at least three died.
The lethal mechanism was a race condition, not a melodrama. If an operator at the VT-100 terminal entered the prescription, then within roughly eight seconds used the cursor to edit the beam mode from X-ray to electron and pressed Enter, a fast typist could outrun the software’s set-up routine. The machine’s internal state and its physical hardware fell out of sync: the console believed it was delivering a safe electron dose while the accelerator fired an unattenuated photon beam with no spreader in place — a needle of radiation on the order of 15,000 to 25,000 rad against a prescription of roughly 200. A second, independent defect — a one-byte counter that overflowed to zero exactly when an operator hit a particular timing — could disable a safety check entirely. Both bugs were dormant most of the time, which is precisely why they were so dangerous.
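The second defect above, the one-byte counter, as an added C simulation that is not AECL's code (the Therac-25 control program was not written in C, and the state names here are illustrative assumptions): a bare increment on an 8-bit value wraps to zero every 256th pass, and a safety check gated on "counter is nonzero" silently skips on exactly those passes, while the hardened form gates on a flag that is set rather than counted and so cannot wrap.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative state, not from the original control program. */
typedef struct {
    uint8_t setup_pending;      /* vulnerable: one-byte counter, incremented every pass */
    bool    setup_pending_flag; /* hardened: a boolean, set but never incremented */
} setup_state;

/* One pass of a set-up loop, vulnerable form. The hardware-position check
 * only runs while the counter is nonzero; a bare increment wraps 255 -> 0,
 * so on every 256th pass the check is skipped and the pass reports "safe".
 * If the operator's command lands on such a pass, the check never happens. */
bool vuln_pass_checks(setup_state *s, bool hardware_in_position) {
    s->setup_pending++;              /* 255 + 1 == 0 in a uint8_t */
    if (s->setup_pending != 0) {
        return hardware_in_position; /* check runs */
    }
    return true;                     /* check skipped: hardware assumed safe */
}

/* Hardened form: a flag that is set, not counted, cannot overflow to zero,
 * so the position check runs on every pass without exception. */
bool fixed_pass_checks(setup_state *s, bool hardware_in_position) {
    s->setup_pending_flag = true;
    if (s->setup_pending_flag) {
        return hardware_in_position;
    }
    return true;
}

/* Run n passes with the hardware deliberately out of position and return how
 * many passes wrongly reported it safe. Anything above zero is a missed check. */
int count_missed_checks(bool (*pass)(setup_state *, bool), int n) {
    setup_state s = {0, false};
    int missed = 0;
    for (int i = 0; i < n; i++) {
        if (pass(&s, false)) missed++;
    }
    return missed;
}

int main(void) {
    printf("vulnerable: %d missed checks in 1000 passes\n",
           count_missed_checks(vuln_pass_checks, 1000));  /* 3: passes 256, 512, 768 */
    printf("hardened:   %d missed checks in 1000 passes\n",
           count_missed_checks(fixed_pass_checks, 1000)); /* 0 */
    return 0;
}
```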
For nineteen months AECL insisted the machine could not overdose. After the first injuries the company told hospitals the Therac-25 was incapable of the harm being reported, and could not reproduce the fault in its own facility because its engineers did not type the way an experienced therapist did. The reckoning came not from AECL but from a Tyler, Texas medical physicist, Fritz Hager, who painstakingly reproduced the malfunction, and from the U.S. Food and Drug Administration, which on May 2, 1986 declared the Therac-25 defective under the Radiation Control for Health and Safety Act and required corrective action plans before the machines could resume routine use. The case became — through Nancy Leveson and Clark Turner’s 1993 IEEE Computer investigation — the founding text of software-safety engineering: the canonical proof that a computer can be a murder weapon when its makers treat code as inherently safer than the hardware it replaced.