Benjamin O’Connor        Saltzer TR1 34-303

Safe Code Reuse and the Therac-25 Accidents

With the object-oriented programming paradigm and fast dissemination of source code over the Internet, reuse of code has become a common and encouraged practice among software engineers.  The Therac-25 accidents, caused in large part by software design flaws and by the decision to let software alone carry safety functions that hardware had previously carried, should give us pause about the safety of code reuse in critical systems.  In the specific case of the Therac-25, the old Therac-6 and Therac-20 code could have been reused safely and reasonably if certain aspects of the Therac-25's development and design had been different.

In general, code reuse can be safe when the code is reused in a hardware and operating environment similar to the one it was written for.  The Therac-25 would have been as safe as the previous series if similar hardware safety precautions had been kept.  Instead, the hardware safety interlocks of the old series were absent from the Therac-25 design.  Those interlocks were available and had been proven effective: in the Therac-20 they prevented patient harm even when the software misbehaved.  Rather than reusing the hardware interlock architecture of the earlier Therac series, the Therac-25 relied entirely on software.  The reused code carried an implicit assumption that an independent hardware check would catch its errors; once that assumption no longer held, the same code became unsafe without a single line of it changing.  A change from strict hardware safety precautions to none should have warranted a new software design that accounted for the added safety responsibility placed on program execution.

In most cases, a new application can safely reuse code from previous applications with the same functionality that were designed for the same hardware.  A new version of a computer operating system is an example of this kind of reuse: an entire operating system cannot be redesigned and recoded from scratch each time new technology arrives and new functionality is added.  On the other hand, when creating new software for a particular application in a particular environment, old code written for a completely different operating environment or a completely different application cannot be assumed safe or reasonable to reuse.  For example, code from control software for a hydroelectric power plant could not be dropped into new control software for a coal plant or a nuclear facility without a fresh safety analysis, because the hazards and the surrounding protections differ.  The Therac-25 accidents teach us that a per-case analysis must take place to decide whether a given piece of code can and should be reused.  Software engineers should not adopt a complacent "it worked before, so it'll work here" attitude toward code reuse.
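The two points above, a routine whose safety silently depended on a hardware interlock and the per-case analysis that would have caught the mismatch, can be made concrete in code.  The following is a constructed example added to this essay; it is not Therac code, and the names (Environment, BeamController, reuse_analysis, REQUIRED_ASSUMPTIONS) and the simplified hazard it models (high power with the target out of the beam path) are assumptions made for illustration.

```python
# Constructed example (not Therac-25 code). Models a control routine reused
# verbatim from a platform with a hardware interlock onto one without it, and
# the explicit assumption check a per-case reuse analysis would add.
from dataclasses import dataclass, field


@dataclass
class Environment:
    """Facts about the platform the reused code will run on (hypothetical)."""
    name: str
    hardware_interlock: bool  # does hardware independently refuse an unsafe beam setup?


@dataclass
class BeamController:
    env: Environment
    high_power: bool = False       # simplified hazard model: assumed for the example
    target_in_path: bool = False
    events: list = field(default_factory=list)

    def _unsafe_configuration(self) -> bool:
        # The hazard this example assumes: high power with no target in the path.
        return self.high_power and not self.target_in_path

    def fire_legacy(self) -> str:
        """Reused code, unchanged from the old platform.

        It never checks the configuration itself, because on the original
        platform the hardware interlock tripped first. On a platform without
        that interlock, the same code fires an unsafe beam.
        """
        if self.env.hardware_interlock and self._unsafe_configuration():
            self.events.append("hardware interlock tripped")
            return "blocked"
        self.events.append(
            f"beam on: high_power={self.high_power} target_in_path={self.target_in_path}"
        )
        return "fired"

    def fire_checked(self) -> str:
        """Redesigned for a platform with no hardware interlock: the software
        performs the check the hardware used to perform, before any beam is on."""
        if self._unsafe_configuration():
            self.events.append("software interlock: refusing high power without target")
            return "blocked"
        return self.fire_legacy()


# Assumptions the legacy routine makes about its environment, written down so
# they can be checked against a new platform instead of being rediscovered by accident.
REQUIRED_ASSUMPTIONS = {"hardware_interlock": True}


def reuse_analysis(required: dict, env: Environment) -> list:
    """The per-case check: every assumption of the reused code that the target
    environment violates. An empty list means reuse as-is is defensible."""
    violated = []
    for attr, expected in required.items():
        actual = getattr(env, attr)
        if actual != expected:
            violated.append(f"{env.name}: {attr} expected {expected}, found {actual}")
    return violated


if __name__ == "__main__":
    old = Environment("old-series-like", hardware_interlock=True)
    new = Environment("new-series-like", hardware_interlock=False)
    for env in (old, new):
        ctl = BeamController(env, high_power=True, target_in_path=False)
        print(env.name, "legacy:", ctl.fire_legacy(), "| checked:", ctl.fire_checked())
        print("  violated assumptions:", reuse_analysis(REQUIRED_ASSUMPTIONS, env) or "none")
```

The legacy routine is identical on both platforms; only the environment differs, and that difference alone turns a blocked request into a fired one.  The reuse_analysis step is the essay's per-case analysis made mechanical: the reused code's environmental assumptions are recorded and compared against the new platform before the code is accepted.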