Most active commenters
  • SCdF(5)
  • maweki(4)

←back to thread

The Therac-25 Incident (2021)

(thedailywtf.com)
449 points lemper | 20 comments | 27 Aug 25 06:57 UTC | HN request time: 0.965s | source | bottom
Show context
isopede ◴[27 Aug 25 08:23 UTC] No.45036862[source]
I strongly believe that we will see an incident akin to Therac-25 in the near future. With as many people running YOLO mode on their agents as there are, Claude or Gemini is going to be hooked up to some real hardware that will end up killing someone.

Personally, I've found even the latest batch of agents fairly poor at embedded systems, and I shudder at the thought of giving them the keys to the kingdom to say... a radiation machine.

replies(6): >>45036933 #>>45036958 #>>45037102 #>>45037245 #>>45037729 #>>45042356 #
1. SCdF ◴[27 Aug 25 09:05 UTC] No.45037102[source]
The Horizon (UK Royal Mail accounting software) incident killed multiple postmasters through suicide, and bankrupted and destroyed the lives of dozens or hundreds more.

The core takeaway developers should have from Therac-25 is not that this happens just on "really important" software, but that all software is important, and all software can kill, and you need to always care.

replies(2): >>45037211 #>>45037542 #
2. hahn-kev ◴[27 Aug 25 09:21 UTC] No.45037211[source]
From what I've read about that incident I don't know what the devs could have done. The company sure was a problem but also the laws basically saying a computer can't be wrong. No dev can solve that problem.
replies(6): >>45037255 #>>45037256 #>>45037983 #>>45039517 #>>45040795 #>>45044314 #
3. sim7c00 ◴[27 Aug 25 09:29 UTC] No.45037255[source]
as you point out this was a messup on a lot of levels. its an interesting effect tho not to be dismissed. how your software works and how its perceived and trusted can impact people psychologically.
4. fuckaj ◴[27 Aug 25 09:29 UTC] No.45037256[source]
Given whole truth testimony?
replies(1): >>45038580 #
5. maweki ◴[27 Aug 25 10:07 UTC] No.45037542[source]
But there is still a difference here. Provenance and proper traceability would have allowed the subpostmasters to show their innocence and prove the system failable.

In the Therac-25 case, the killing was quite immediate and it would have happened even if the correct radiation dose was recorded.

replies(2): >>45038610 #>>45040814 #
6. V__ ◴[27 Aug 25 11:06 UTC] No.45037983[source]
> Engineers are legally obligated to report unsafe conduct, activities or behaviours of others that could pose a risk to the public or the environment. [1]

If software "engineers" want to be taken seriously, then they should also have the obligation to report unsafe/broken software and refuse to ship unsafe/broken software. The developers are just as much to blame as the post office:

> Fujitsu was aware that Horizon contained software bugs as early as 1999 [2]

[1] https://engineerscanada.ca/news-and-events/news/the-duty-to-...

[2] https://en.wikipedia.org/wiki/British_Post_Office_scandal

replies(2): >>45044340 #>>45050809 #
7. ◴[27 Aug 25 12:11 UTC] No.45038580{3}[source]
8. scott_w ◴[27 Aug 25 12:14 UTC] No.45038610[source]
I’m not sure it would. Remember that the prosecutors in this case were outright lying to the courts about the system! When you hit that point, it’s really hard to even get a clean audit trail out in the open any more!
9. siva7 ◴[27 Aug 25 13:38 UTC] No.45039517[source]
Then you haven't read deep enough into the Horizon UK case. The lead devs have to take a major blame for what happened as they lied to the investigators and could have helped prevent early on some suicides if they had courage. These devs are the worst kind of, namely Gareth Jenkins and Anne Chambers.
10. SCdF ◴[27 Aug 25 15:09 UTC] No.45040795[source]
The code being absolute dog shit was true regardless of that law's existence. There are plenty of things the developers could have done.

That law is irrelevant to this situation, except in that the lawyers for Fujitsu / Royal Mail used it to imply their code was infallable.

11. SCdF ◴[27 Aug 25 15:11 UTC] No.45040814[source]
I don't understand the distinction here.

> Provenance and proper traceability would have allowed

But there wasn't those things, so they couldn't, so they were driven to suicide.

Bad software killed people. It being slow or fast doesn't seem to matter.

replies(1): >>45048734 #
12. codeulike ◴[27 Aug 25 19:53 UTC] No.45044314[source]
It was a distributed system lashed together by 'consultants' (read: recent graduates with little real world software engineering experience) in an era where best practices around distributed systems were non-existent. They weren't even thinking about what kind of data inconsistencies they might end up with.
13. simulator5g ◴[27 Aug 25 19:55 UTC] No.45044340{3}[source]
I don't think it's fair to blame individual developers for a systemic failure. Its not their fault there is no governing body to award or remove the title of "software engineer" and promote the concept of a software engineer refusing to do something without harming their career. Other engineering disciplines have laws, lobbied for by their governing body, that protect the ability of individual engineers to prevent higher-ups from making grave mistakes.
replies(1): >>45046864 #
14. lmm ◴[28 Aug 25 00:15 UTC] No.45046864{4}[source]
> Its not their fault there is no governing body to award or remove the title of "software engineer" and promote the concept of a software engineer refusing to do something without harming their career.

Those governing bodies didn't form by magic. If you look at how hostile people on this site are to the idea of unionization or any kind of collective organisation, I'd say a large part of the problem with software is individual developers' attitudes.

15. maweki ◴[28 Aug 25 05:29 UTC] No.45048734{3}[source]
Slow killing software can be made more secure by adding the possibility for human review.

Fast killing software is too fast for that.

replies(1): >>45048837 #
16. SCdF ◴[28 Aug 25 05:46 UTC] No.45048837{4}[source]
I'm really trying to understand your point, but I am failing.

It sounds like you're saying that you shouldn't care as much about the quality of "slow killing software" because in theory it can be made better in the future?

But... it wasn't though? Horizon is a real software system that real developers like you and me built that really killed people. The absolutely terrible quality of it was known about. It was downplayed and covered up, including by the developers who were involved, not just the suits.

I don't understand how a possible solution absolves the reality of what was built.

replies(1): >>45050026 #
17. maweki ◴[28 Aug 25 09:06 UTC] No.45050026{5}[source]
I teach the horizon post office scandal in my database courses. And my takeaway is, that software fails. And if people's lives are involved, an audit trail is paramount.

In slowly killing software the audit trail might be faster than the killing. In fast killing software, the audit trail isn't.

replies(1): >>45050803 #
18. SCdF ◴[28 Aug 25 11:19 UTC] No.45050803{6}[source]
Yes, the audit trail that should exist is part of the package. Or more generically, Horizon should have had enough instrumentation, combined with adequate robustness, where they could detect the issues the lack of robustness caused, and resolve those issues without people dying.

My core point is that if you're designing a system, *any system*, you should be thinking about what is required to produce safe software. It isn't just "well I don't work on medical devices that shoot radiation at people, so I don't need to worry"[1]. You still need to worry, you just solve those problems in different ways. It's not just deaths either, it's PII leakage, it's stalking and harassment enablement, it's privilege escalation, etc.

[1] I have heard this, or a variation of this, from dozens of people over the my career. This is my core bug bear about Therac-25, is that it allows people to think this way, and divest themselves of responsibility. I am very happy to hear you are teaching a course about Horizon, because it's a much more grounded example that devs will hopefully see themselves in more. If your course is publicly available btw, I'd love to read it.

replies(1): >>45051770 #
19. donatj ◴[28 Aug 25 11:20 UTC] No.45050809{3}[source]
I have worked in this industry for 20 years and never met a piece of software I would deem "safe". It's all duct tape and spit. All of it.

I have had software professionally audited by third parties more than a few times, and they basically only ever catch surface level bugs. Recently, the same we the audit finished we independently found a pretty obvious sql injection flaw.

I think the danger is not in producing unsafe software. The real danger is in thinking it can ever can be safe. It cannot be, and anyone who tells you otherwise is a snake oil salesman.

If your life depends on software, you are one bit flip from death.

20. maweki ◴[28 Aug 25 13:14 UTC] No.45051770{7}[source]
It's just a course about database design and in the first seminar we look at different news stories that have something to do with databases, like trump putting some random Italian chef on an international sanction list should make us think about primary keys and identifying people.

And the horizon post office scandal is the last and most poignant example that real people are affected by the systems we build and the design decisions we make. That sometimes easy to forget.