[Figure 8.6, two panels: (a) the 8-bit variable steps 1, 2, 3, ..., 255, 0, 1, 2, 3, 4 and SET arrives at a nonzero value, so the system WAITs; (b) the variable steps 251, 252, 253, 254, 255, 0 and SET arrives exactly at 0, so the system PROCEEDs.]
FIGURE 8.6 The Therac-25 could administer radiation too soon if the operator hit the SET
button at precisely the wrong time. As long as the electron beam gun was out of position, a
software task kept incrementing an 8-bit variable. (a) Usually when the operator hit the SET
button, the variable was not zero and the system would wait, just as it was supposed to. (b) If
the operator hit the SET button just as the variable rolled over from 255 to 0, the system
would administer radiation, even though the gun was out of position.
ironic that the safety of the system actually decreased as the experience of the operator
increased.
Another race condition was responsible for the overdoses at the Yakima Valley
Memorial Hospital (Figure 8.6). It occurred when the machine was putting the electron
beam gun back into position. A variable was supposed to be 0 if the gun was ready to fire.
Any other value meant the gun was not ready. As long as the electron beam gun was out
of position, one task kept incrementing that variable. Unfortunately, the variable could
only store the values from 0 to 255. Incrementing it when it had the value 255 would
result in the variable's value rolling over to 0, like a car's odometer.
Nearly every time that the operator hit the SET button when the gun was out of
position, the variable was not 0 and the gun did not fire (a). However, there was a very
slight chance that the variable would have just rolled over when the operator hit the SET
button (b). In this case the accelerator would emit a charge, even though the system was
not ready.
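The following is an added example, not AECL's code or anything from the book: a constructed C model of the rollover race just described, with the original "zero means ready" check beside a hardened check that uses a boolean the positioning task can never flip to "ready" by accident. The field names, tick counts and starting value of 1 are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the rollover race; not AECL's code. While the gun is
 * out of position a task increments an 8-bit variable, and the SET handler
 * treats the value 0 as "gun ready". */
typedef struct {
    uint8_t counter;    /* the original 8-bit "not ready" indicator */
    bool    ready_flag; /* hardened design: set only by the ready transition */
} therac_state;

/* One tick of the positioning task while the gun is still out of position. */
void positioning_tick(therac_state *s) {
    s->ready_flag = false;
    s->counter++;       /* uint8_t: 255 + 1 wraps to 0, like an odometer */
}

/* Original SET check: nonzero means wait, zero means proceed. */
bool set_allows_beam_original(const therac_state *s) {
    return s->counter == 0;
}

/* Hardened SET check: a boolean that no amount of waiting can turn true. */
bool set_allows_beam_hardened(const therac_state *s) {
    return s->ready_flag;
}

/* Operator presses SET after `ticks` increments with the gun still out of
 * position. Any `true` is an unsafe exposure, since the gun is never ready. */
bool fires_after_ticks(unsigned ticks, bool (*check)(const therac_state *)) {
    therac_state s = { .counter = 1, .ready_flag = false }; /* assumed start */
    for (unsigned i = 0; i < ticks; i++) positioning_tick(&s);
    return check(&s);
}

/* Count the SET timings in [0, window) that would fire the beam: the size
 * of the "precisely the wrong time" the caption refers to. */
unsigned unsafe_timings(unsigned window, bool (*check)(const therac_state *)) {
    unsigned n = 0;
    for (unsigned t = 0; t < window; t++) n += fires_after_ticks(t, check);
    return n;
}

int main(void) {
    printf("original: %u of 256 timings fire\n", unsafe_timings(256, set_allows_beam_original));
    printf("hardened: %u of 256 timings fire\n", unsafe_timings(256, set_allows_beam_hardened));
    return 0;
}
```

With the original check exactly one of every 256 tick timings lets the beam through, which is the "very slight chance" of the text; the hardened check never does.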
8.5.4 Postmortem
Let's consider some of the mistakes AECL made in the design, development, and support
of this system.
When accidents were reported, AECL focused on identifying and fixing particular
software bugs. This approach was too narrow. As Nancy Leveson and Clark Turner point
out, “most accidents are system accidents; that is, they stem from complex interactions
between various components and activities” [48]. The entire system was broken, not
just the software. A strategy of eliminating bugs assumes that at some point the last bug