Page 194 - ARM 64 Bit Assembly Language
Abstract data types 181
used for a variety of purposes, including embedded systems, education, and general data processing. It was a 16-bit computer and was far less powerful than a Raspberry Pi. The Therac-25 computer was programmed in assembly language by one programmer and the source code was not documented. Documentation for the hardware components was written in French. After the faults were discovered, a commission concluded that the primary problems with the Therac-25 were attributable to poor software design practices, and not due to any one of several specific coding errors. This is probably the best known case where a poor overall software design, and insufficient testing, led to loss of life.
The worst problems in the design and engineering of the machine were:
• The code was not subjected to independent review.
• The software design was not considered during the assessment of how the machine could fail or malfunction.
• The operator could ignore malfunctions and cause the machine to proceed with treatment.
• The hardware and software were designed separately and not tested as a complete system until the unit was assembled at the hospitals where it was to be used.
• The design of the earlier Therac-6 and Therac-20 machines included hardware interlocks which would ensure that the X-ray mode could not be activated unless the tungsten radiation shield was in place. The hardware interlock was replaced with a software interlock in the Therac-25.
• Errors were displayed as numeric codes, and there was no indication of the severity of the error condition.
The operator interface consisted of a keyboard and text-mode monitor, which was common in the early 1980s. The interface had a data entry area in the middle of the screen and a command line at the bottom. The operator was required to enter parameters in the data entry area, then move the cursor to the command line to initiate treatment. When the operator moved the cursor to the command line, internal variables were updated and a flag variable was set to indicate that data entry was complete. That flag was cleared when a command was entered on the command line. If the operator moved the cursor back to the data entry area without entering a command, then the flag was not cleared, and any subsequent changes to the data entry area did not affect the internal variables.
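The data-entry flag behaviour just described, as an added Python model that is not code from the book or from the Therac-25 (the console classes, the `dose` field and its values are constructed assumptions); the defective console hands the treatment code the stale value, while the corrected one picks up the operator's correction:

```python
# Constructed model of the data-entry flag defect described above (an added
# illustration, not Therac-25 code; class and field names are assumptions).
DATA_ENTRY = "data_entry"
COMMAND = "command"


class DefectiveConsole:
    """Internal variables are copied only on the move to the command line;
    the 'entry complete' flag is cleared only when a command is entered."""
    def __init__(self):
        self.cursor = DATA_ENTRY
        self.screen = {}      # parameters as typed in the data entry area
        self.internal = {}    # parameters the treatment code actually uses
        self.entry_complete = False

    def edit(self, field, value):
        assert self.cursor == DATA_ENTRY, "edits happen in the data entry area"
        self.screen[field] = value

    def move_cursor(self, area):
        self.cursor = area
        # A return trip without a command leaves the flag set, so this copy
        # is skipped and later edits never reach the internal variables.
        if area == COMMAND and not self.entry_complete:
            self.internal = dict(self.screen)
            self.entry_complete = True

    def enter_command(self):
        assert self.cursor == COMMAND, "commands are entered on the command line"
        self.entry_complete = False
        return dict(self.internal)   # what the treatment would run with


class CorrectedConsole(DefectiveConsole):
    """Any edit invalidates the 'complete' state, forcing a fresh copy."""
    def edit(self, field, value):
        super().edit(field, value)
        self.entry_complete = False


def run_scenario(console):
    """Enter a value, go to the command line, come back without a command,
    correct the value, then start; returns the dose the machine would use."""
    console.edit("dose", 25)            # constructed sample values
    console.move_cursor(COMMAND)
    console.move_cursor(DATA_ENTRY)     # no command entered before returning
    console.edit("dose", 20)            # the correction the operator intended
    console.move_cursor(COMMAND)
    return console.enter_command()["dose"]
```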
A global variable was used to indicate that the magnets were currently being adjusted. This variable was modified by two functions, and did not always contain the correct value. Adjusting the magnets required about eight seconds, and the flag was correct for only a small period at the beginning of this time period.
Due to the errors in the design and implementation of the software, the following sequence of events could result in the machine causing injury to, or even death of, the patient: