Postmortem Index

Therac-25 radiation overdose accidents

Atomic Energy of Canada Limited (AECL) · Therac-25

1985-06-03 – 1987-01-17 · hardware

Six Therac-25 radiation-therapy accidents occurred between June 1985 and January 1987 in the United States and Canada. The Therac-25 was a dual-mode (electron and X-ray) medical linear accelerator built by Atomic Energy of Canada Limited (AECL); it was the successor to the Therac-6 and Therac-20, both of which had been developed jointly with the French firm CGR.

Unlike its predecessors, the Therac-25 was designed from the outset to take “full advantage of computer control”: AECL removed the independent hardware safety interlocks that had been present on the Therac-6 and Therac-20 and pushed those responsibilities into software running on a PDP-11. Several routines were carried over from the older machines. Latent bugs in that inherited code had been masked on the Therac-6/20 by the hardware interlocks; on the Therac-25 there was nothing left to catch them.

The core defect was a race condition between the operator-console software and the treatment-control task. If an operator entered the prescription, then quickly used the cursor-up shortcut to edit a parameter (for example, switching from X-ray to electron mode) within roughly 8 seconds of pressing “set”, the bending magnets would not be repositioned even though the on-screen prescription had changed. The patient could receive a high-energy electron beam targeted at a configuration intended for X-ray therapy, with no spreading filter in the path. The machine then displayed a cryptic “Malfunction 54” or similar code, indicating only that the dose was inconsistent with the prescription, with no guidance to the operator about what had happened.
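The sequence described above can be reproduced in a small deterministic model. This is an added example, not AECL's code: the class, the one-second tick, the latch-once behaviour and the `interlock` cross-check are all simplifying assumptions made here to show why an independent check on the actual hardware state catches what the shared-variable logic misses.

```python
"""Simplified model of the edit-during-setup race (constructed, not AECL code)."""
from dataclasses import dataclass

SETUP_SECONDS = 8  # from the page: edits within roughly 8 s of "set" were missed


@dataclass
class Machine:
    screen_mode: str = ""   # shared variable written by the console task
    magnet_mode: str = ""   # physical bending-magnet configuration
    setup_left: int = 0     # seconds of magnet positioning still to run
    latched: str = ""       # value the treatment task read when "set" was pressed

    def press_set(self, mode):
        """Operator confirms the prescription; the treatment task reads it once."""
        self.screen_mode = mode
        self.latched = mode
        self.setup_left = SETUP_SECONDS

    def edit(self, mode):
        """Cursor-up edit: always updates the screen, restarts setup only if idle."""
        self.screen_mode = mode
        if self.setup_left == 0:
            self.press_set(mode)
        # Inside the window nothing re-reads the shared variable: the race.

    def tick(self, seconds=1):
        """Advance time; when positioning ends, magnets match the latched mode."""
        self.setup_left = max(0, self.setup_left - seconds)
        if self.setup_left == 0:
            self.magnet_mode = self.latched

    def beam_on(self, interlock):
        """Fire the beam; the interlock compares hardware state with the screen."""
        if self.setup_left:
            return "not ready"
        if interlock and self.magnet_mode != self.screen_mode:
            return "blocked: hardware does not match prescription"
        return f"beam fired: screen={self.screen_mode} magnets={self.magnet_mode}"


def run(edit_after_seconds, interlock):
    """Set X-ray mode, edit to electron mode after a delay, then start treatment."""
    m = Machine()
    m.press_set("xray")
    m.tick(edit_after_seconds)
    m.edit("electron")
    m.tick(SETUP_SECONDS)
    return m.beam_on(interlock)


if __name__ == "__main__":
    for delay, lock in [(3, False), (3, True), (10, False)]:
        print(f"edit at {delay}s, interlock={lock}: {run(delay, lock)}")
```
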

Documented accidents include Marietta, Georgia (Kennestone, June 1985, breast-cancer patient burnt); Hamilton, Ontario (July 1985, cervical-cancer patient — the machine displayed “Malfunction 54” and AECL initially concluded the overdose was “not possible”); Yakima, Washington; Tyler, Texas (twice — March and April 1986, the second of which killed the patient); and Salem, Oregon. Patients received estimated doses of 13,000–25,000 rad in single sessions where 200 rad was the prescription; several died of radiation injuries weeks to months later.

Broader contributing factors: AECL’s incident response was repeatedly inadequate (technicians could not reproduce the bug; the company told other sites the accidents were “not possible”); the FDA was not notified about the first accident because medical-device incident reporting was not yet mandatory (the Safe Medical Devices Act came in 1990); a 1990 GAO study estimated the FDA learned of fewer than 1% of in-hospital deaths, serious injuries, or equipment malfunctions; system-safety analyses by AECL had been performed using fault-tree probabilities such as “computer selects wrong energy: 4×10⁻⁹” without any basis for the numbers, ignoring software faults entirely.

Keywords

therac-25, aecl, radiation therapy, linear accelerator, race condition, concurrency, safety interlock, malfunction 54, shared variables, pdp-11