The Therac$-25$ is a dual$-$mode machine. That is$,$ it can generate an electron beam or an x$-$ray photon beam. The type of beam needed depends on the tumor being treated. The machines linear accelerator produces a high$-$energy electron beam $(25$ million electron volts$)$ that is dangerous. Patients must not be exposed to the raw beam. A computer monitors and controls movement of a turntable that holds three sets of devices. Depending on the intended treatment, the machine rotates a different set of devices in front of the beam to spread it and make it safe. It is essential that the proper protective device be in place when the electron beam is on$.$ A third position of the turntable uses a light beam instead of the electron beam to help the operator position the beam precisely in the correct place on the patients body.Design flawsSoftware and Design ProblemsThe Therac$-25$ followed earlier machines called the Therac$-6$ and Therac$-20.$ It differed from them in that it was fully computer controlled. The older machines had hardware safety interlock mechanisms, independent of the computer, that prevented the beam from firing in unsafe conditions. The design of the Therac$-25$ eliminated many of these hardware safety features. The Therac$-25$ reused some software from the Therac$-20$ and Therac$-6.$ The developers apparently assumed the software functioned correctly. ThisWhen new operators used the Therac$-20,$ there were frequent $.$ The Therac$-20$ software had bugs, butthe hardware safety mechanisms were doing their job. Either the manufacturers did not know of the problems with the Therac$-20,$ or they completely missed the serious implications.The Therac$-25$ malfunctioned frequently. One facility said there were sometimes $40$ dose$-$rate malfunctions in a day, generally underdoses. Thus, operators became used to error messages appearing often, with no indication that there might be safety hazards.There were a number of weaknesses in the design of the operator interface. The error messages that appeared on the display were simply error numbers or obscure messages $($Malfunction $54$ or H$-$tilt$).$ This was not unusual for early computer programs when computers had much less memory and mass storage than they have now. One had to look up each error number in a manual for more explanation. The operators manual for the Therac$-25,$ however, did not include an explanation of the error messages. The maintenance manual did not explain them either. The machine distinguished between errors by the amount of effort needed to continue operation. For certain error conditions, the machine paused, and the operator could proceed $($turn on the electron beam$)$ by pressing one key. For other kinds of errors, the machine suspended operation and had to be completely reset. One would presume that the machine would allow one$-$key resumption only after minor, non$-$safety$-$related errors. Yet one$-$key resumption occurred in some of the accidents in which patients received multiple overdoses.Atomic Energy of Canada, Ltd$.($AECL$),$ a Canadian government corporation, manufactured the Therac$-25.$ Investigators studying the accidents found that AECL produced very little documentation concerning the software specifications or the testing plan during development of the program. Although AECL claimed that they tested the machine extensively, it appeared that the test plan was inadequate. assumption was wrong. shutdowns and blown fuses, but no overdoses Software BugsInvestigators were able to trace some of the overdoses to two specific software errors. Because many readers of this book are computer science students, I will describe thebugs.. These descriptions illustrate the importance of using good programming techniques. Part of the tragedy in this case is that the error was such a simple one, with a simple correction. No good student programmer should have made this error. The solution is to set the flag variable to a fixed value, say $1,$ rather than incrementing it$,$ to indicate that the device needs checking. Other bugs caused the machine to ignore changes or corrections made by the operator at the console. When the operator typed in all the necessary information for a treatment, the program began moving various devices into place. This process could take several seconds. The software checked for editing of the input by the operator during this time and restarted the set$-$up if it detected editing. However, because of bugs in this section of the program, some parts of the program learned of the edited information while others did not. This led to machine settings that were incorrect and inconsistent with safe treatment.Why So Many Incidents?There were six known Therac$-25$ overdoses. You may wonder why hospitals and clinics continued to use the machine after the first one.The Therac$-25$ had been in service for up to two years at some clinics. Medical facilities did not immediately pull it from service after the first few accidents because they did not know immediately that it caused the injuries. Medical staff members considered various other explanations. The staff at the site of the first incident said that one reason they were not certain of the source of the patients injuries was that they had never seen such a massive radiation overdose before. They questioned the manufacturer about the possibility of overdoses, but the company responded $($after the first, third, and fourth accidents$)$ that the machine could not have caused the patient injuries. According to the Leveson and $8\mathrm{.}2$ Case Study: The Therac$-25$From design decisions all the way to responding to the overdose accidents, the manufacturer of the Therac$-25$ did a poor job. The number and pattern of problems in this case, and the way they were handled, suggest serious irresponsibility. This case illustrates many of the things that a responsible, ethical software developer should not do$.$ It illustrates the importance of following good procedures in software development. It is a stark reminder of the consequences of carelessness, cutting corners, unprofessional work, and attempts to avoid responsibility. It reminds us that a complex system can work correctly hundreds ofoperation of potentially dangerous equipmenttimes with a bug that shows up only in unusual circumstanceshence the importance of always following good safety procedures in Safety requires more than bug$-$free code, we consider failures and accidents involving other radiation treatment systems.Check in ACM and IEEE code where the policy is linked and state their numbers.A curie is a measure of radioactivity. A millicurie is one thousand times as much as a$.$This case also illustrates the importance of individual initiative and responsibility. microcurieexamples remind us that individual and management responsibility, good training, and accountability are important no matter what technology we use.