When Software Kills: Fatal Bugs in the Therac-25

Do you have a source for the computer-side technical stuff? I have read a lot of what's online about Therac-25 but never seen what exactly happened, e.g. that it didn't check which way the turn table was turning.

so, the operator entered "execute small dose radiation" and the machine went "execute order 66". i've been hit with mains voltage some times but those electrons would have felt like hell's whip. man, those poor patients.

@@ΝίκοςΙστοσελίδα the references section on the Wikipedia article about the Therac-25 have some good technical details. In particular, the articles by Nancy Leveson.

@@tammymakesthings Alright, thanks! Funny thing, I looked up Frank Borger (mentioned in another comment) and I ended up finding an IEEE publication I don't remember reading. The more info, the better.

I wonder why on earth didn't the machine just have an "execute button" and THEN it started moving the target, check that everything is ok, etc. It seems like a LOT safer way to do it.

there is many more about cancer and moneylooters to say

The only time those safe guards are removed/disabled is for testing/maintenance, at no other time should safe guards be removed/disabled.

@@tonysolar284 yup, and even then if we can do it without, we do that first
The very first day of my apprenticeship I was told "overriding interlocks is an action of last resort. It is never to be done lightly and we test it has been reinstated before handing the machine back to clinical"

And of course, most of these can only be stripped away in service mode, which you are very intentionally told repeatedly to not treat any human or animal with.

​@@tonysolar284they usually can't be. Treatment, at least on the Varian machines, needs to happen in "record and verify" mode. No one should be in the room when it's beaming on in service mode.

I guess it proves viewers liked that version better. What else do YOU think it proves?

Back in the 1980s & 1990s, I was a mainframe system administrator in a state govt. bureau agency. When our Director approved the creation of the first LAN, the task went to a member of the Clerical team because he was the only employee who had his own PC at home, and nobody in my team knew what to do. It took a lot of years to develop a culture of discipline in the "gifted amateurs" (as one of my colleagues referred to them).
In 1977, I did a Fortran programming project in one of our client departments, and saw a piece of code writted by one of their Clerical officers. It achieved Integer Division by repeatedly subtracting the divisor from the dividend, in a DO loop counting the iterations! He had no idea that there were integer & floating point division instructions in a CPU.

The title "Engineer" is reserved in every jurisdiction in the United States. In order to bill oneself as an Engineer, one must pass professional exams and work under the supervision of an experienced Registered Engineer for a number of years in a sort of apprenticeship before acquiring a registration or license. However, industry has arranged exceptions in the statutes to allow them to grant "engineer" titles to employees who haven't spent a single day in a college classroom studying the discipline in which they are employed.

@@Milosz_Ostrow OTOH, some of us dropped out of college, and ended up, say, programming for the DoD. It happens. You cannot discount "gifted amateurs".
Is Bill Gates a "software engineer"?

I worked for a company that thought programmers were simply overpaid clerks. Ironic when you consider that they were selling a software product. It was a hellacious experience dealing with these idiots.

​@@Milosz_OstrowMany of the best software developers are mostly self-trained. Because it's a new science where there is a constant need for new learning. Requiring a huge amount of will to constantly improve.
This isn't that compatible with a traditional engineering education.

Well said.

Can you explain how adding images to a script detracts? If it's the same content, but more interesting visuals, I'm not sure how that's a step backwards. But interested to learn!

@@DavesGarage I don't really understand what the *sexy* thumbnail has to do with this story. As for the AI images, it takes us out of the story when we are shown photos of obviously nonexistent machines and plastic looking people. Real historical pictures of similar machines and scenarios would be much better. Your audience tends to be one with a bit more technical knowledge, seeing utter gibberish displayed on a fake computer screen in a photo detracts from that technical and historical feel you have often with your channel. Not to mention, many people dislike AI images due to copyright and ethical usage issues surrounding it all right now.

@@DavesGarage Allow me to explain Dave:
Lose the tits on the inappropriate, sexually suggestive, insensitive thumbnail and regarding adding AI imagery for the sake of it, it's a matter of content for content sake, not always needed.

He's right, not appropriate, bad judgement

Yeah. Getting told by the boss that "Some gamers are so upset they started a new subreddit about the problem, which is in your code" is quite different from "The plane suddenly went into a nose-dive and all 300 passangers and the crew died... the problem has been identified as being in one of your code blocks".

@@andersjjensen Imagine how stressful it would be to write code for launch systems used for nuclear weapons!

Yeah, I could never write software people's lives depend on. I'm waaaaaay too clumsy and forgetful

To take it one step further. There is no such thing as bug-free code because such a construct would require bug-free OS's, bug-free Firmware, and Bug-free Hardware. Based on issues we have seen in just the past few years when it comes to CPU hardware-level errors, it stands to reason that the conclusion that bug-free software is impossible is correct even for seemingly simple constructions.

I heard that there was a bug free version of "Hello World", written in machine language on bare metal, running on a COSMAC Elf, in 1977. Things were simpler then.

@@JamieStuff Oddly, I was an RCA 1802 programmer in 1978-1979.

⁠@@JamieStuff I remember the RCA COSMAC ELF and the 1802 processor. Subroutines were a pain to code. I worked for a lab which had a job developing a communication device to be deployed on a satellite. The 1802 was chosen for the processor because its CMOS architecture made it more impervious to effects of cosmic radiation in space. I believe the first CMOS Intel processor was a version of the 8085 in about 1985. We would have preferred the 8085, but it wasn’t going to be space qualified soon enough.

@@trapfethen exactly, not sure such a thing is even possible because entropy

But how did someone manage to put WinDOS code on the Therac-25? OR was this Therac-25 code such sloppy hot garbage that it appealed enough to Dave to base DOS/Windows on it? YES! That would explain how he knows enough about it to make a video about it!

@@JPs-q1o No idea what nonsense that is about. Moreover I have no idea whether it makes sense to try to explain things to you.

@@Amstelchen Don't feed the troIIs, no matter how hungry we look.

Would you happen to know a good read or watch on that there collapsery?

@@hedlund lmk if you find one. Thanks

The US version is known as the Order of the Engineer, and is a stainless steel ring worn on pinky.

And they are willing to bet their job on that?
There is testing and the results.

@@20chocsaday I would edit their code because they wouldn't. It would then pass the extensive tests I was using.

Thenin lies the ERROR. Humans have ERRORS. Not the code. Code is produced by HUMANS. We have yet to find a way to protect ours selves from OURSELVES. - - - - I wonder who produced our code? 😆😆😆😆😆

Also, management won't allocate any time for a belt and braces approach where errors that get through one level of code get trapped by the next.

@@_Mentat For nuclear work, you get the time and money! For example, Canada used Formal methods to write a few lines of code which controlled the safety of their reactors. Those few lines of totally bug free code cost a fortune!

The insurance industry won't underwrite it.

Agreed

The risk of loss of human life is also huge when humans are driving the vehicles. Would it still not be better to use autonomous vehicles (including bugs) if the death toll is less than human drivers?

@@chrisg6597 Try to solve the question of why an accident happened.
You will have arguements going back to the mines where children pull rare ores out of the earth.
As well as the years of testing software.

No more so than with human drivers, I suspect.

When doing something where people's lives are at stake, it requires very different mindset.
Operating system: Preferably no operating system. I don't think there are many that can be used.
Language: That is easy. When there is garbage collection cycle or memory allocation fails because of memory fragmentation, that can cause airplanes to drop or nuclear meltdown if used in wrong place. That safety critical scene is likely still C, Ada and perhaps very small subset of C++.
Unit tests: Good for developing normal business application to cover something but they are nowhere near enough if human lives are at stake
Software usually doesn't need to be error free. Quality, and process to achieve desired quality should be specified.

@@gruntaxeman3740 Exactly this - as a programmer with 30 years of professional experience (mostly in the medical field, no less), I'm constantly shocked at the number of "engineers" that we hire that have absolutely zero idea of how the full software stack that they're using actually works. They've been trained to see everything below them as a black box that is guaranteed to work every time and will magically solve problems with parallelism, threading, memory management, and data persistence. In a perfect world, I'd agree with you that we'd ditch everything but the application, and make the application its own operating system. In the real world, I'd very much like to see hardened, full real-time operating systems that can guarantee responsiveness in a given number of clock cycles.
What I get is Windows. Even though my work is mostly EMR related (as opposed to medical device), I've just seen so much crap stacked SO HIGH that it seems a special miracle every time a patient encounter succeeds.
In the medical field, if you don't understand the full stack from the machine code writing the registers all the way up the stack to the user interface, you're simply begging for trouble.

I will shamefully admit to a morbid curiosity in trying to identify the programmer. his name is known to a handful of University professors that worked the investigation.
ironically, I do take great pleasure in thinking of it as one of the first internet celebrities that has never been doxxed

@@miscellaneousHandle "I will shamefully admit to a morbid curiosity in trying to identify the programmer"
Same here. For years I have always wondered how this person has avoided being named. It is fascinating....

Seen again?

The programmer wasn’t the person most responsible for the problem, it was whoever decided to remove the hardware safety interlock. The same software bug was on the previous model, and no one got injured because of a hardware safety interlock.

@@romangeneral23The programmer wasn’t the person primarily responsible, it was whoever decided to not have a hardware interlock like the previous model (which had the same software bug, but no one was injured).

But how did someone manage to put WinDOS code on the Therac-25? OR was this Therac-25 code such sloppy hot garbage that it appealed enough to Dave to base DOS/Windows on it? YES! That would explain how he knows enough about it to make a video about it!

The United States now has a variant of the Engineer's Ring. My diploma doesn't technically say "engineer" so I wasn't invited, but my partner was.

Most software engineers understand that one but manglement usually has a problem understanding it.

But you can try..?

Tell that to the "AGILE" idiots 😃

"The Mythical Man Month"

His scripts have been sounding AI-generated lately as well… sad, used to love this channel

"We’re pretty accustomed to PCs being reliable these days"
Ehh.. I wouldn't trust any PC to run anything critical without much lower level safety catches in place (external to the PC).

@@patrikfloding7985 Also - in the late 1980s or maybe early 1990s, I went with friends to Cedar Point amusement parks near Sandusky, Ohio. There was a ride called Demon Drop that dropped a car about 50 feet and then dissipated energy by rolling with the occupants flat on their backs down a short track with retarders. The was a hut at the bottom of the ride. There was clearly visible through the window a generic tower case PC, probably ‘286 machine, with no-name amber screen monitor. I couldn’t make out what was on the screen, but I’m glad I saw that _after_ going on the ride. In all honesty my guess is the PC was there collecting performance data and the ride was controlled by ladder logic - at least I hope.

Yup. I A/B tested it on a lark (it's an AI creation, and I didn't ask for cleavage!), and it performed vastly better.

@@DavesGarage I do wonder about the viewer retention difference though. Did people who clicked on the cleavage thumbnail still stick around? Please make a video about this!

Like all those strange machines and devices in those old Frankenstein movies.

You might like the “diode gone wild” TH-cam channel. I think he’s in the Czech Republic. He’s had quite a few episodes demonstrating and taking apart Soviet era electronics. The guy is super smart.

when i was a kid and i went to the hospital i wasn't even allowed to look at the machines i would ask doctors about how they worked but they didn't answer a very toxic environment .

@@belstar1128 that's sad

Ha yep, I have vague memories of this story from my CS ethics course. Definitely a tale to learn about for software engineers, but the thumbnail left me wondering what it had to do with the subject, lol. The AI generated vignette left me chuckling too.
I guess Dave is trying to spice things up?

Thumbnail got my view!

Very similar to the Federal Air Regulations. There's a saying in the aviation community, "The FARs are written in blood.". A large percentage of them are the result of lessons learned the hard way.
Also, the primary reason for warning labels on ladders is not to prevent accidents, it is to prevent successful lawsuits when accidents do occur. It's possible to manufacture ladders that are many times safer than the ones you buy at the home store. It would just be impossible for a homeowner to afford, store, or even lift one. It's also why the user manuals for even complex power tools spend very few words on how to use the tool. Instead they are filled with "warnings" like "Do not operate with guards removed"..

It's pretty bizarre. The vid had a more tasteful one initially, and the AI cheesecake isn't at all this channel's usual style.

So an ugly person in the thumbnail would have been better? Can you explain why?

hm. i see the point on both sides. however, i do find it a bit risque unnecessarily. but we shouldnt let the image on the cover take away from a very well put together video.

@@DavesGarage The best way I could explain it is that I (and a few other commenters) feel that imagery that's designed to generate a prurient interest in the viewer cheapens the grim reality of the story being told. It's a question of tone mismatch as much as anything else.

The reason that code went into production as egregiously as it has is linked to the reason the individual responsible for it not only wasn't jailed or even fined; we aren't even allowed to know their name. When someone has had that level impunity, how long do you reckon they'll keep caring, realistically?

Since when has Therac made a pager...

I suspect the pager software was reprogrammed to trigger a small explosive on a specific text msg. Took some know how and quite a bit of planning in fairness.

And now two-way radios aka Walkie Talkies. A bunch exploded today.

​@@mlann2333 But like, did they have access to the _whole_ pager supply line?
I wonder if this is more a Stuxnet situation, and they were just normal pagers that somehow had a way to weaponize (overvolt) their batteries?

It's quite a sophisticated mod to add an explosive charge _and_ trigger it when a particular alphanumeric string is displayed - not received; displayed!
And somewhere there must be an auto-dialer messaging each pager.....

Hey, at least I don't strap my cat to my vacuum for a photo op ;-)

Perfectionism isn’t universal, sadly. Remember the metallurgist who got done for having pencil-whipped decades of strength test results on submarine steel because she thought the test standard was too extreme? We are fortunate that there was so much extremity built into the standard, because no amount of perfectionism downstream can compensate for that kind of confident incorrectness hidden in the supply chain.

​@@tinad8561Very well put. Think of the nuclear power industry. Adm. Rickover was right in his management of the Navy nuclear power program. High standards in ALL aspects, human and machine.

Yep. In government, we are presumed correct and therefore we have much greater responsibility to be so.

I am 52 years old. I reached my first 100 thousand dollars in just 3 months. I started with 20k investing in Bitcoin ETFs and other dividend income. My medium-term goal is to reach one million dollars before I turn 55.

Cryptocurrency investments pay a higher percentage return than any other investment. Mainly Bitcoin ETFs, which mostly pay out every week

This year I reached 100 thousand invested in Bitcoin ETFs and other dividend income, it was exactly 1 year and 4 months, I already accelerated to reach 200 thousand, I think I will reach the goal sooner

Success is always the greatest happiness, I have been in the market since 2020, I have a total of 945 thousand dollars with my 75 thousand dollars invested in Bitcoin ETFs and other dividend yields Investing in cryptocurrencies was the best decision I made in my life

How did you achieve this in a short period of time?

At the time very few people in any engineering discipline understood some of the unique issues with software based systems, including most programmers. Testing would likely not have revealed anything as the problem surfaced when the operator did certain things at a certain pace (according to this video).

@@patrikfloding7985 I don't know. I think that's bad excuse. On such high safety level needing device every single possible scenario should've been taking into account. But it's bizarre that physically existing safety locks weren't there. Working in industry PLC programmers f'up all the time working in hurry and bit left handed. But equipment I'm involved doesn't doesn't hurt people if done wrong. Well in some equipment there exists safety relays to prevent door opening if machine is in production, even when program should handle it. But if there are such things in packaging equipment, it's absurd that radiation related devices where made in such haste. Especially considering how much money is involved in medical equipment.

But was the real research how many developers would write such code? (I hope so!)

​@@afaulconbridgeWhy do you hope that?

​@@chrismoferBecause it is less unethical and dangerous than running the machines for the experiment they are asking the code to be deloped for. It is removed by several steps.

​@gm2407 Great that you replied. Ethics seems like an afterthought these days in business and many other areas.

@@halbos7637 The thing that bothers older people about younger people is lack of forethought about others and consequences. But the truth is it is most people in a lot of situations that don't consider things deeply. Habit, time constraints, lack of reprocussions observed. Ethics is a subject as deep as the universe but can only really be estimated like the movement of celestial bodies via calculus.

If you had clicked on it with the original thumbnail, you could have at that time. But it appears you did not visit the video until I updated to this thumbnail. Perhaps you missed it the first time around.

@@DavesGarage Hey Dave, maybe take your attitude down a notch and realize that not everybody is subscribed to your channel, and even if someone is, then maybe they don't watch the video immediately when you release it. People do have lives and responsibilities, you know. Not all of us are rich and can do whatever the hell we want. And for the record, it would have been worse if the OP *HAD* shared the video before you changed the thumbnail, because their intended audience would have viewed the video AFTER you changed the thumbnail and they would have seen this thumbnail.

Good idea. Massive scandal that one.

Elvis.

Agreed

Good one!

IIRC some of his original Task Manager code is still in the current version. But I might be wrong.

This question makes me think back to the Y2K crisis. Code that assumed the first two digits of a year were "19" was likely to break in the year 2000. I know people who were fixing code written in the late 1970s, which was 20 years earlier. That code was sometimes written in languages that were only known by retired former employees, who made a fortune consulting!

@@HweolRidda
Lessons were learned. Some companies make big offers for information systems to government. To maximize profits, they just put there Oracle Forms, make things around proprietary CRM/ERP or other turd. The they make fortune later and stocks go up!

Explain why it's bad. Maybe I have a blind spot. But I don't see why an attractive person in the thumbnail is a problem....

@@DavesGarage sexy click bait is going to drag in views that you don't want. It damages the brand you've been building. You've done such an amazing job of being an authority on technology. I'd hate to see that reputation squandered. Ultimately it's your channel and you have the right to run it the way you please, best of luck.

@@DavesGarage "Explain why it's bad. Maybe I have a blind spot. But I don't see why an attractive person in the thumbnail is a problem" - I know that clickbait thumbnails have become almost standard on TH-cam, but there are reasons that people hate them. Speaking only for myself, I expect a thumbnail to be relevant to the video. Unless there is a Julie Gonzalo doppelgänger in this story, the thumbnail is not relevant, thus the only purpose it serves is to trick people into clicking on your video. That's another thing -- most people don't like to be tricked like that.

It worked exactly as intended, so yes.

@@RS-ls7mm Oh yeah and what did he intended with it?
It would be nice that for once tech bros would understand that women work in this industry too and acting like wankers is just cringe, is not "fun" or "cool" in any way.
I had respect for him but it seems this issue runs deep in the "culture" of men in tech industry, not beign able to see women like normal humans and the constant need to sexualize us.

@@squirrelingaround As your kind is so quick to point out, its not for you.

@@squirrelingaround How arrogant that you think everything has to be designed just for you.

​@@squirrelingaroundI agree - the video is a bit of an abberation in terms of what Dave's videos are usually like, I.e. very good.
This video went hard on the AI pictures - not necessarily just the thumbnail, but they detract from what was supposed to be a factual representation.
The most egregious moment was the use of a stereotype sysadmin picture - long haired slim white dude fresh out of the 70s - when the script inferred nothing of the sort.
Maybe lay off the genAI for a while - the videos are usually awesome😊

Nope. Boeing had great senior quality assurance engineers.
The problem? They were too good. So they got fired. Because their found issues would affect the time plan. Managers wanted people who wasn't so strict when producing/evaluating all quality documents, and when verifying everything was done to spec.

That was 40 years ago, so hopefully the coder is retired by now. Not to give a pass to the coder, but race conditions in software can be very difficult to detect and duplicate for analysis, especially when they’re triggered by an anomalous state of peripheral devices.
When I did mainframe work we had a GIGO (garbage in - garbage out) card deck of random unformatted data which we forced programs to process as input to see if the program properly handled totally unexpected exceptions.
I’m not sure you could call it a race condition, but rather a cascading failure when the entire Bell System long distance telephone network collapsed for almost a day in 1990. The problem happened when a switching fabric experienced an overload. The exception was handled with a break statement which was intended to drop the thread of processing out of an _if_ conditional. The problem is that _break_ is only relevant to _case_ structures, but anywhere else in K&R C, _break_ is treated as a no-op. Execution simply continued in the _if_ leaving the switch locked up. That locked up switch caused load to transfer to other switches which in turn overloaded with the unexpected traffic until the entire system was gridlocked. The vagaries of C, an apparently inexperienced programmer, not enough code review, and a rare but possible condition conspired to set off a disaster.

boeing probably hired people based on everything with the exception of being good at their job.

@@Geek-A-Hertz8707 As I understand it, having a (detectable) heart beat was and still is an absolute requirement.

A physical device that will kill if there's a firmware bug, in today's sofware environment? Holy...

as described: it was not a software bug - it was leaded at sabotage based on profits.
perfect murder ?

Modern machines have both hardware and software interlocks. That same fault would be impossible to happen for several reasons - I work on these exact type of machines (Linear accelerators) and if something even 1/1000 as bad happened the machine would stop treating and alert everyone, and, if you're getting treatment in Manhattan, I might get a call.

@@blevin591 thank you, that is relieving.. I live in Jordan and the country is well known with advanced healthcare treatments.

Yup, Kyle did a great job. Enough so that I had to go in a totally different direction, so did!

You didn't watch it until I changed it, so you tell me!

@@DavesGarage I only came in to comment, not watch and removed from my watch list. Normally I block channels that do that but maybe I should.

I appreciate the feedback. I wanted to do a different approach for this video, or the first couple of minutes. And so I did... and made it the way I wanted. I worry less about the "right" way or algorithm-friendly some days, I guess.

@@DavesGarage totally fair. Thank you for taking the feedback in the manner in which it was intended. I'll still be watching your videos regardless ☺

Absolutely. Much of application level software has loads of race condition issues. And by application level I include all OS software that's not part of the kernel or drivers (utilities, etc).

Air Inter in France crashed due to a software design issue in the late 80s.

Run by industries they’re supposed to regulate.

He or she got paid to program, so was a professional programmer. Pretty standard to be mostly self-taught back in those days.

Boeing managed to kill 300 with the same lack of testing and managers rushing a product to market.
Boeing employees are striking now in protest to return those quality checks, but management is threatening them as a consequence.
I'm afraid Boeing is going to continue to kill customers and astronauts.

Perhaps you should tell them: "computers rarely make mistakes. Software makes them all the time".

I was amending a feed formulation program (written in DIBOL running on a Vax). In those days we coded in coding sheets then went to site and keyed in the changes directly onto the live system.
Working on the calculation for quantity of active ingredient (drugs) to add to the feed. Active ingredients had potency values which need to be factored in.
I had miskeyed an extra 0 in the calculation which resulted in 10x the amount of active ingredient were added to the feed than there should be.
When a farmer fed the feed to his cows, it killed them all.
The animal feed company was liable because they were supposed to be running the new system along side their old system and cross checking but didn’t they just ran with the new untested code.