The Race Condition That Killed Three Cancer Patients
A typo within eight seconds could trigger 100 times the dose. The flag meant to catch it was being incremented, not set.
In June 1986, a Therac-25 radiation therapy machine at the East Texas Cancer Center delivered roughly 100 times the prescribed dose to a patient named Ray Cox. He left the room with a burn across his shoulder and died four months later. His was one of three deaths linked to the same machine between 1985 and 1987 — six known accidents in all, on a unit used in cancer clinics across the US and Canada.
The Therac-25, made by Atomic Energy of Canada Limited (AECL), had two beam modes: a low-power electron beam used directly on the patient, and a high-power X-ray beam that fired through a metal target to attenuate the dose. The earlier Therac-6 and Therac-20 had a hardware interlock that physically blocked the X-ray beam from firing without the target in place. The Therac-25 dropped the interlock and relied on software alone.
The bug had two halves. If a technician entered "X" for X-ray and then used the up arrow to change it to "E" for electron within eight seconds, certain internal state failed to refresh; the machine could fire the high-current beam without the target. And a flag variable elsewhere was incremented on every pass instead of being set to a fixed value. Once it rolled over, it briefly read zero — the value the safety checks treated as "all clear."
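The counter-rollover half of the bug, as an added illustration (constructed model in C, not AECL's firmware): the defective design increments a one-byte flag every housekeeping pass, the corrected design assigns it a fixed nonzero value, and the simulation counts how often the "all clear" zero reading would let the position check be skipped. The flag width, function names and the 1000-pass run are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the counter-rollover half of the defect described
 * above (illustrative code, not AECL's firmware). The flag is assumed to be
 * one byte; the beam-firing code treats zero as "all clear", meaning no
 * turntable-position check is needed before the beam fires. */
static uint8_t position_flag;   /* nonzero: verify position before firing */

/* Defective design: housekeeping increments the flag every pass, so on every
 * 256th pass it wraps to zero and the check is silently skipped. */
static void raise_flag_by_increment(void)
{
    position_flag++;
}

/* Corrected design: assign a fixed nonzero value; it can never wrap to zero. */
static void raise_flag_by_assignment(void)
{
    position_flag = 1;
}

/* Simulate `passes` housekeeping passes with the chosen design and return how
 * many times the position check (gated on a nonzero flag) would be skipped. */
int skipped_checks(int passes, bool use_increment)
{
    int skipped = 0;
    position_flag = 0;
    for (int i = 0; i < passes; i++) {
        if (use_increment)
            raise_flag_by_increment();
        else
            raise_flag_by_assignment();
        if (position_flag == 0)     /* zero reads as "all clear" */
            skipped++;
    }
    return skipped;
}

int main(void)
{
    printf("1000 passes, increment:  %d checks skipped\n", skipped_checks(1000, true));
    printf("1000 passes, assignment: %d checks skipped\n", skipped_checks(1000, false));
    return 0;
}
```

With increment the check is skipped on passes 256, 512 and 768; with assignment it is never skipped.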
AECL's first response was a memo arguing that overdose was impossible. Nancy Leveson's 1993 investigation, the canonical write-up, found that the same software faults had existed in the earlier Therac models. The hardware interlocks had simply never let the bug reach a patient.
The Therac-25 is now the textbook example of why safety-critical software needs more than software.