The Therac-25 removed hardware safety interlocks from earlier models (Therac-6, Therac-20), relying entirely on software for safety. A race condition between the operator interface and beam control allowed full-power radiation when the machine should have been in low-power mode.
It led to a complete overhaul of FDA software regulation for medical devices. Nancy Leveson's investigation became the canonical case study in software safety engineering, taught in universities worldwide. It established the principle that software must not be the sole safety layer.
The Incidents
Between June 1985 and January 1987, the Therac-25 radiation therapy machine — manufactured by Atomic Energy of Canada Limited — delivered massive radiation overdoses to at least six patients at facilities in the United States and Canada. Three patients died. Others suffered severe radiation injuries including radiation burns, amputation, and permanent disability.
The Root Cause
The Therac-25 was the third generation of a medical linear accelerator series. Its predecessors — the Therac-6 and Therac-20 — included hardware safety interlocks that physically prevented the machine from delivering high-energy beams in the wrong configuration. The Therac-25 removed these hardware interlocks and relied entirely on software to enforce safety.
The software contained a race condition. When a skilled operator entered treatment parameters quickly — editing the beam type from X-ray to electron mode faster than a certain speed — the software would update the display to show the new mode while the hardware remained configured for the previous mode. The machine would fire a 25 MeV beam (intended for X-ray production through a target) directly at the patient without the target in place, delivering radiation doses hundreds of times higher than intended.
The bug was nearly impossible to reproduce because it required specific timing — the operator had to be fast enough to trigger the race condition. In testing, testers were careful and deliberate. In clinical use, experienced operators were fast. Experience killed patients.
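The race described above, and the independent verification the machine lacked, as an added toy model (not the Therac-25 code or any part of the original investigation). It assumes, for illustration only, that hardware reconfiguration happens in two slow steps (target turntable first, then beam energy) and that electron mode runs at 5 MeV; only the 25 MeV X-ray figure comes from the text.

```python
from dataclasses import dataclass, field

XRAY, ELECTRON = "xray", "electron"
ENERGY_MEV = {XRAY: 25, ELECTRON: 5}   # 5 MeV electron energy is an assumed value


@dataclass
class Machine:
    console_mode: str = XRAY    # what the operator's screen shows
    hw_energy_mev: int = 25     # what the bending magnets are actually set to
    hw_target_in: bool = True   # whether the X-ray target sits in the beam
    pending: list = field(default_factory=list)  # hardware steps not yet done

    def edit_mode(self, mode):
        # The display changes immediately; the hardware follows later, in two
        # separate slow steps (assumed ordering: target moves, then energy).
        self.console_mode = mode
        self.pending = [("target", mode == XRAY), ("energy", ENERGY_MEV[mode])]

    def step_hardware(self):
        # One slow hardware step completes; the rest are still outstanding.
        if self.pending:
            what, value = self.pending.pop(0)
            if what == "target":
                self.hw_target_in = value
            else:
                self.hw_energy_mev = value

    def fire_trusting_console(self):
        # Hazard: the beam is released on the strength of the console state
        # alone, so whatever the hardware is doing right now hits the patient.
        return {"energy_mev": self.hw_energy_mev, "target_in": self.hw_target_in}

    def fire_with_interlock(self):
        # Independent check: read the hardware back, require it to be settled
        # and consistent with the console, and never pass 25 MeV without target.
        settled = not self.pending
        consistent = (self.hw_energy_mev == ENERGY_MEV[self.console_mode]
                      and self.hw_target_in == (self.console_mode == XRAY))
        target_ok = self.hw_energy_mev < 25 or self.hw_target_in
        if not (settled and consistent and target_ok):
            return None  # interlock trips: no beam
        return {"energy_mev": self.hw_energy_mev, "target_in": self.hw_target_in}


def run_operator(fire, hardware_steps_before_fire):
    """Operator edits X-ray to electron, then fires after N hardware steps.
    A fast operator (N=1) fires while the target is out but energy is still 25 MeV."""
    m = Machine()
    m.edit_mode(ELECTRON)
    for _ in range(hardware_steps_before_fire):
        m.step_hardware()
    return fire(m)
```

`run_operator(Machine.fire_trusting_console, 1)` reproduces the overdose configuration (25 MeV, target out), while `run_operator(Machine.fire_with_interlock, 1)` refuses to fire and only the settled case (two steps) delivers the intended 5 MeV electron beam.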
The Pattern
The Therac-25 is not just a software bug story. It is a story about what happens when an entire safety architecture is replaced by software without retaining independent hardware verification. Every layer of the failure contributed: software that was reused without re-verification, error messages that were cryptic and routinely ignored ("MALFUNCTION 54"), a corporate response that blamed operators rather than investigating the machine, and a regulatory framework that didn't know how to evaluate software safety.
Why It Matters
The Therac-25 established principles that are now foundational in safety-critical systems engineering: software must not be the sole safety layer. Race conditions can kill. If you cannot reproduce a reported failure, the bug is real — your test is inadequate. And an error message that operators learn to ignore is not a safety mechanism — it is training operators to bypass safety.