Scribd Logo
Upload

Welcome to Scribd!

  • Therac-25: Two Design and Testing Errors

    Uploaded by

    Adam Smith
    565 views2 pages

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    565 views2 pages

    Therac-25: Two Design and Testing Errors

    Uploaded by

    Adam Smith

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    Adam Smith

    Professor Rinard, TR11-12noon

    Therac-25: Two Design and Testing Errors

    In their investigation of the Therac-25 accidents, Leveson and Turner describe many engineering

    errors that created and exacerbated the catastrophes. In this paper we will look at one design and one

    testing error; we will evaluate how these blunders contributed to the Therac-25 accidents and how they

    might be prevented in the future.

    The Therac-25 did not include a mechanism for recording events and failures, which seriously

    inflated the time it took to diagnose the machine’s problems. It is important to be able to correct problems

    using good troubleshooting practices. When a user reported abnormal pain and burning, often the operators

    contacted the Therac-25 manufacturer, AECL. This company often sent engineers to investigate, but the

    engineers always had problems reproducing the elusive circumstances that caused the accident. Levenson

    describes one case of this: “[AECL engineers] spent a day running the machine through tests but could not

    reproduce [the error].”1 In this case, the error was attributed to some random and rare force; the faulty

    machine was soon put back into operation. If, however, the Therac-25 had provided an error print-out

    detailing its state and actions during that session, it is likely that the problem could have been diagnosed

    faster and lives could have been saved.

    The engineers designing the Therac-25 also used bad testing practices, which lead to oversights of

    fatal error conditions. Leveson relates this point explicitly when describing the engineering errors made.

    “The software should be subjected to extensive testing and formal analysis at the module and software

    level; system testing alone is not adequate.” AECL had tested the Therac-25 by using it extensively (as a

    system) in their labs and in a hospital. Unfortunately there were an infinitely large number of possible

    inputs to the system; some were operator inputs, while others were mechanical switches and radioactivity

    sensors. As a result, the number of test cases was intractable and not exhausted during AECL’s testing.

    Therefore, fatal errors were overlooked. Good engineering practice could have prevented this.

    1
    An Investigation of the Therac-25 Accidents; Leveson, Turner; P. 28
    In conclusion, we discussed two engineering errors that led to the Therac-25 accidents. There

    were many errors in the situation, but the two critical mistakes made contributed significantly to the

    failures.

    You might also like