The Therac-25 Bug Was Eight Seconds of Typing

On March 21, 1986, an oil-field worker named Ray Cox lay on the table at the East Texas Cancer Center in Tyler, expecting his ninth treatment. The operator typed 'x' for X-ray mode, noticed the error, hit cursor-up, typed 'e' for electron mode, and pressed Enter. The whole correction took maybe five seconds. The Therac-25's console reported "Malfunction 54" and a low dose. Cox had actually just absorbed a beam that should have been fired through a tungsten target with all the shielding in place — and wasn't. He died five months later.

The Therac-25 was a computer-controlled radiation therapy machine built by Atomic Energy of Canada Limited. Its predecessors, the Therac-6 and Therac-20, had hardware interlocks that physically prevented the wrong beam from leaving the head. The Therac-25 dropped them. The interlocks were now in software, and the software was rushed PDP-11 assembly that used a single shared variable to track the magnet position and to read operator input.

If the operator changed the beam setup within about eight seconds — the time the bending magnets needed to settle — the edit was accepted on the screen but not in the variable the safety check actually read. The machine fired a 25-MeV electron beam at full current with no target in place. Doses ran roughly a hundred times the intended level.

Nancy Leveson and Clark Turner spent three years reconstructing the accidents for IEEE Computer. They counted six confirmed overdoses between 1985 and 1987, three of them fatal. AECL's first response was to insist overdoses were impossible. They changed their position only after a physicist at Yakima Valley reproduced the bug on demand. The fix in the field, before the recall, was a piece of tape over the cursor-up key.