Douglas Soo
6.033 Section 1, Professor Dally
Paper #1: Therac-25 vs. Therac-20
On the surface, the primary reason that Therac-20 killed far fewer people than Therac-25 was that Therac-20 had hardware interlocks, while Therac-25 did not. The hardware interlocks on Therac-20 prevented software errors from causing harm, whereas Therac-25 had no similar mechanism. However, looking past the immediate causes of the problem, we find that a more general reason for the difference was a substantial increase in the complexity of the system underlying Therac-25. In particular, Therac-25 had a higher level of complexity, as well as a lower level of modularity and abstraction, than Therac-20.
One of the reasons that the Therac-25 was more complex than the Therac-20 was Therac-25's use of software interlocks in place of hardware interlocks. A hardware interlock operates in a fairly limited number of situations, whereas a software interlock can fail in far more ways, especially in a complicated, multi-tasking system like the Therac-25's. According to Saltzer, one of the components of complexity is the number of interconnections in the system. The Therac-20's hardware interlocks required significantly fewer interconnections between the hardware and the software, so replacing them with software interlocks increased the total complexity of the system.
In terms of modularity, both the Therac-20 and Therac-25 can be thought of as two main parts: the hardware module and the software module. The Therac-25's use of software interlocks decreased its modularity compared to the Therac-20, because software interlocks required the Therac-25's software to work much more closely with the hardware. This made the boundary between the two modules less clear-cut, reducing their modularity.
In addition, the Therac-25 had a lower level of abstraction than the Therac-20. One of the components of abstraction is that effects do not propagate from one module to another. The hardware interlocks in Therac-20 limited the propagation of errors caused by the software, while the lack of such interlocks in Therac-25 allowed software errors to propagate all the way through the system, with the consequences that followed.
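The contrast drawn in the two paragraphs above (a software interlock that shares state with a multi-tasking control program versus a hardware interlock that depends only on the physical setup) can be made concrete with a small model. This is an added, constructed illustration, not code from the paper or from either machine; the machine fields, dose values and the `fire` procedure are assumptions chosen to show how an independent check stops an error from propagating.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed dose values: the high-energy beam is only safe with the target in place.
ELECTRON_DOSE = 1
XRAY_DOSE = 100

@dataclass
class Machine:
    mode_selected: str = "electron"   # what the control software believes was chosen
    turntable: str = "electron"       # physical position of the target turntable

def software_interlock_ok(m: Machine, dose: int) -> bool:
    # Trusts the software's own record of the selected mode (an interconnection
    # with the rest of the program), not the physical state of the hardware.
    return dose <= ELECTRON_DOSE or m.mode_selected == "xray"

def hardware_interlock_ok(m: Machine, dose: int) -> bool:
    # Evaluated at the instant of firing from the physical turntable position only;
    # no software variable can make it pass.
    return dose <= ELECTRON_DOSE or m.turntable == "xray"

def fire(m: Machine, dose: int, use_hardware_interlock: bool,
         concurrent_task: Optional[Callable[[Machine], None]] = None) -> str:
    """Run one treatment attempt; returns what happened to the beam."""
    if not software_interlock_ok(m, dose):
        return "blocked-by-software"
    if concurrent_task is not None:
        # Another task runs between the software check and the actual firing
        # (the check-then-act gap that multi-tasking opens up).
        concurrent_task(m)
    if use_hardware_interlock and not hardware_interlock_ok(m, dose):
        return "blocked-by-hardware"
    if dose > ELECTRON_DOSE and m.turntable != "xray":
        return "overdose"     # the software error propagated to the patient
    return "delivered"

def move_target_out(m: Machine) -> None:
    # Constructed concurrent event: the turntable is rotated after the check.
    m.turntable = "electron"

if __name__ == "__main__":
    setup = Machine(mode_selected="xray", turntable="xray")
    print(fire(setup, XRAY_DOSE, True))                    # delivered
    print(fire(Machine("xray", "xray"), XRAY_DOSE, True, move_target_out))   # blocked-by-hardware
    print(fire(Machine("xray", "xray"), XRAY_DOSE, False, move_target_out))  # overdose
```

The same software fault reaches the patient only in the run without the independent hardware check, which is the propagation-of-effects difference the paragraph describes.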
In summary, by increasing overall complexity and reducing modularity and abstraction, the Therac-25's design resulted in a system that was much more prone to failure, with catastrophic results.