
449 points lemper | 3 comments
isopede ◴[] No.45036862[source]
I strongly believe that we will see an incident akin to Therac-25 in the near future. With as many people running YOLO mode on their agents as there are, Claude or Gemini is going to be hooked up to some real hardware that will end up killing someone.

Personally, I've found even the latest batch of agents fairly poor at embedded systems, and I shudder at the thought of giving them the keys to the kingdom to say... a radiation machine.

replies(6): >>45036933 #>>45036958 #>>45037102 #>>45037245 #>>45037729 #>>45042356 #
SCdF ◴[] No.45037102[source]
The Horizon (UK Royal Mail accounting software) incident killed multiple postmasters through suicide, and bankrupted and destroyed the lives of dozens or hundreds more.

The core takeaway developers should have from Therac-25 is not that this happens just on "really important" software, but that all software is important, and all software can kill, and you need to always care.

replies(2): >>45037211 #>>45037542 #
maweki ◴[] No.45037542[source]
But there is still a difference here. Provenance and proper traceability would have allowed the subpostmasters to show their innocence and prove the system fallible.

In the Therac-25 case, the killing was quite immediate and it would have happened even if the correct radiation dose was recorded.

replies(2): >>45038610 #>>45040814 #
SCdF ◴[] No.45040814[source]
I don't understand the distinction here.

> Provenance and proper traceability would have allowed

But there weren't those things, so they couldn't, so they were driven to suicide.

Bad software killed people. It being slow or fast doesn't seem to matter.

replies(1): >>45048734 #
maweki ◴[] No.45048734[source]
Slow killing software can be made more secure by adding the possibility for human review.

Fast killing software is too fast for that.

replies(1): >>45048837 #
SCdF ◴[] No.45048837[source]
I'm really trying to understand your point, but I am failing.

It sounds like you're saying that you shouldn't care as much about the quality of "slow killing software" because in theory it can be made better in the future?

But... it wasn't though? Horizon is a real software system that real developers like you and me built that really killed people. The absolutely terrible quality of it was known about. It was downplayed and covered up, including by the developers who were involved, not just the suits.

I don't understand how a possible solution absolves the reality of what was built.

replies(1): >>45050026 #
1. maweki ◴[] No.45050026[source]
I teach the Horizon post office scandal in my database courses. And my takeaway is that software fails. And if people's lives are involved, an audit trail is paramount.

In slowly killing software the audit trail might be faster than the killing. In fast killing software, the audit trail isn't.

replies(1): >>45050803 #
2. SCdF ◴[] No.45050803[source]
Yes, the audit trail that should exist is part of the package. Or more generically, Horizon should have had enough instrumentation, combined with adequate robustness, where they could detect the issues the lack of robustness caused, and resolve those issues without people dying.

My core point is that if you're designing a system, *any system*, you should be thinking about what is required to produce safe software. It isn't just "well I don't work on medical devices that shoot radiation at people, so I don't need to worry"[1]. You still need to worry, you just solve those problems in different ways. It's not just deaths either, it's PII leakage, it's stalking and harassment enablement, it's privilege escalation, etc.

[1] I have heard this, or a variation of this, from dozens of people over my career. My core bugbear about Therac-25 is that it allows people to think this way, and divest themselves of responsibility. I am very happy to hear you are teaching a course about Horizon, because it's a much more grounded example that devs will hopefully see themselves in more. If your course is publicly available btw, I'd love to read it.

replies(1): >>45051770 #
3. maweki ◴[] No.45051770[source]
It's just a course about database design, and in the first seminar we look at different news stories that have something to do with databases, like Trump putting some random Italian chef on an international sanction list, which should make us think about primary keys and identifying people.

And the Horizon post office scandal is the last and most poignant example that real people are affected by the systems we build and the design decisions we make. That's sometimes easy to forget.