Comment by cameronbrown

6 years ago

Our industry needs to take the 'Engineer' part of Software Engineering a lot more seriously. A professional certification to use the title is looking more and more important with each incident like this, otherwise developers have no teeth to push back when flaws like this are brushed aside by management to save money/reduce costs/etc. Cyber security, data ethics... many things in programming could benefit from certification, and having to legally sign off on your own work.

First off, this is nonsense: the software was doing exactly what it was meant to (and designed to) do. Hardware engineers chose not to provide multiple sensors to validate AoA, hardware engineers did not provide a human-capable override. MCAS was designed to not be disabled by pilots, because doing so would make the plane a different aircraft according to the FAA.

Anyway I have yet to see a software related “certificate” that isn’t rote-learnable, comically high level, or both.

You also have to ask, what are you certifying?

All of these are fairly trivial to avoid in small programs:

* Use after free
* time of check/time of use
* out of bounds
* numeric overflow

Especially in any kind of test environment where you are being extra careful.

Then there’s the language problem: many engineers have to use multiple languages, some only have to use “safe” languages. Should you require a different cert for each?

You’re also saying “not everyone gets to write software anymore” because the certification won’t be free.

How does open source then work? Clearly people working on the Linux kernel should be certified, so now you’re saying Linux should only accept patches from people who live in countries that can provide the required certs.

  • > Hardware engineers chose not to provide multiple sensors to validate AoA, hardware engineers did not provide a human-capable override. MCAS was designed to not be disabled by pilots, because doing so would make the plane a different aircraft according to the FAA.

    I have two comments. One: replace hardware engineers with 'management'.

    The second: when I've read people talk about validating the AoA readings it makes me twitch a bit. Partly because my day job involves firmware that manages a self-organizing sensor network. Validation of sensor data sounds easy until you force yourself to conceptualize what the system can know based on the actual data it sees and not your perceptions.

    Moreover, there is a strong tendency to over-focus on the ordinary case, and not all the edge cases. Very often dealing with edge cases is the fundamental problem. Consider designing the front end of a car. The primary design goal is actually 'passengers don't die when you drive it into a tree'.

    Problem with the MCAS system is it needs to work under all the edge cases, not just when the plane is flying in smooth air while the pilot is pulling the nose up. Like during a hard turn into wind-shear.

    • I don't mean validation == determine which one is correct, I mean "make sure they agree" and don't trust them otherwise, which, as far as I can tell, is how other Boeing systems work?

      I mean there's also the space shuttle system where you have N redundant systems controlling N separate motors (or whatever), and assume that you'll never have >= N/2 producing incorrect output. That's a "no validation" approach that works by virtue of the correct instruments literally overpowering the incorrect ones.

      4 replies →
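The two strategies in the exchange above, the two-sensor "make sure they agree, otherwise trust neither" check and the N-sensor majority vote, as an added worked example in C (editor's illustration, not Boeing or MCAS code, and not taken from any comment in this thread). The disagreement tolerance, the engagement threshold, and the readings are all constructed values chosen for the example, not the real system's parameters. The point the code makes is the one the commenters make: with two sensors you can detect disagreement but cannot say which one is right, so the only safe outcome is to refuse to act; with three or more you can identify a majority cluster and keep working through one failed sensor (a NaN reading here standing in for a dead channel).

```c
/* Added example: redundant AoA cross-check and majority vote.
 * Not Boeing/MCAS code. All thresholds and readings are constructed. */
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define AOA_AGREE_TOL_DEG 5.5   /* hypothetical max allowed sensor disagreement */

typedef enum { AOA_OK, AOA_DISAGREE, AOA_INSUFFICIENT } aoa_status;

/* Two-sensor check: the readings must agree within tolerance.
 * On disagreement we cannot tell which sensor is wrong, so neither is trusted. */
aoa_status aoa_crosscheck2(double a, double b, double *out) {
    if (!isfinite(a) || !isfinite(b)) return AOA_INSUFFICIENT; /* a dead channel */
    if (fabs(a - b) > AOA_AGREE_TOL_DEG) return AOA_DISAGREE;
    *out = (a + b) / 2.0;
    return AOA_OK;
}

/* N-sensor vote: find the reading that the largest number of finite sensors
 * agree with (within tolerance). It is trusted only if that cluster is a
 * strict majority of the installed sensors; the output is the cluster mean.
 * The majority is measured against n (installed), not against the number of
 * live sensors, so a lone surviving channel can never be trusted by itself. */
aoa_status aoa_vote(const double *r, size_t n, double *out) {
    size_t valid = 0, best = 0, best_agree = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isfinite(r[i])) continue;
        valid++;
        size_t agree = 0;
        for (size_t j = 0; j < n; j++)
            if (isfinite(r[j]) && fabs(r[i] - r[j]) <= AOA_AGREE_TOL_DEG) agree++;
        if (agree > best_agree) { best_agree = agree; best = i; }
    }
    if (valid < 2) return AOA_INSUFFICIENT;        /* nothing left to cross-check against */
    if (best_agree * 2 <= n) return AOA_DISAGREE;  /* no strict majority cluster */
    double sum = 0.0; size_t k = 0;
    for (size_t j = 0; j < n; j++)
        if (isfinite(r[j]) && fabs(r[best] - r[j]) <= AOA_AGREE_TOL_DEG) { sum += r[j]; k++; }
    *out = sum / (double)k;
    return AOA_OK;
}

/* Hypothetical engagement gate: a nose-down command is permitted only when the
 * AoA source is trusted AND the trusted value exceeds the trigger. A single
 * wild reading on a two-sensor install therefore inhibits, not triggers. */
bool mcas_may_engage(const double *r, size_t n, double trigger_deg) {
    double aoa;
    aoa_status s = (n == 2) ? aoa_crosscheck2(r[0], r[1], &aoa)
                            : aoa_vote(r, n, &aoa);
    return s == AOA_OK && aoa > trigger_deg;
}

int main(void) {
    /* constructed readings: one sensor has failed high */
    double two[2]   = { 12.0, 74.0 };
    double three[3] = { 20.0, 20.5, 74.0 };
    printf("2 sensors, one wild:  engage=%d\n", mcas_may_engage(two, 2, 15.0));
    printf("3 sensors, one wild:  engage=%d\n", mcas_may_engage(three, 3, 15.0));
    return 0;
}
```

With two sensors the wild reading inhibits the system entirely, which is the "don't trust them otherwise" outcome; with three, the two agreeing channels outvote the bad one and the system keeps working on the trusted value. Whether inhibiting is itself safe depends on the aircraft, which is exactly the edge-case question the comment above raises.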

  • This isn't a certification problem. It's an engineering ethics problem.

    The pass the buck circle jerk is how this design flaw came to exist. Everyone in the engineering organization needs to have the balls to point out systems design errors. Management needs to listen to them and not issue "make it work" marching orders. Regulators need to not delegate their responsibility to the previous.

    More than one person could have put their foot down and demanded triple redundancy. That this didn't happen suggests even more safety concerns lurk in all of Boeing's products.

  • You also have to ask, what are you certifying?

    Currently, the avionics software is certified, not the software engineer. The FAA-delegate safety reviewers get special training, but otherwise a bachelor's degree in a related discipline is the standard for an individual contributor's formal education.

    There is an arduous process in place to help ensure that commercial avionics software is produced to an acceptable level of quality. Problems can still get through, but the process helps weed out a lot of issues that you'd likely see in non-safety-critical software.

    • The original comment was saying a certificate for software engineering, and my response was in that context - what qualities of an individual engineer should be measured.

      1 reply →

  • Nobody is saying that you can't be a programmer, or a dev, you just can't be a software engineer without a certification.

    • Certifying design engineers is the old school dumb way of doing things. The better modern way is to certify the design process and to provide domain specific training to engineers involved.

  • This was a systems engineering failure. Nothing more. The system is designed to find these and remove them. It has not been determined if this is because of cost cutting or management pressure. Could be, but it is also possible it is just an error made by people.

  • > Hardware engineers chose not to provide multiple sensors to validate AoA.

    In effect you've just shifted the blame. Developers working at the lower levels could've pushed back on this harder if they were legally required to. My point is if mechanical and electronic engineers are liable then so should software guys - they need more power to say no.

    > You also have to ask, what are you certifying?

    An argument could be made that formal verification & ethics would be useful in this context.

    > You’re also saying “not everyone gets to write software anymore” because the certification won’t be free.

    Degrees aren't free either. Most developers aren't working in aerospace and won't need the rigour.

    > How does open source then work?

    I'm not talking about OSS. I'm talking about people who work with software that can kill people. If the Linux kernel is used as a technology in these machines then the software 'engineer' who made that decision is legally liable. The blame stops with them.

    • > In effect you've just shifted the blame.

      No. If the bug was in the software (say the bug was numeric underflow leading to crashing) it would be software. In this case the software engineers would have been told "here is your current AoA" and to adjust the plane correctly in response. The hardware engineers/designers then provided them with unvalidated data, and I assume no details on the error rate (presumably because that would get the whole system flagged by the FAA as being nonsense).

      > Degrees aren't free either. Most developers aren't working in aerospace and won't need the rigour.

      "most" != all, literally my point. Also at what level does it kick in: OS developers? If they're using a licensed OS like QNX should all the QNX engineers need to be certified for avionics? How about Linux?

      > I'm not talking about OSS

      So you're saying OSS shouldn't be used in commercial industry?

      If you work on Linux: that's used in medical hardware, so it seems like all contributors should have your new Certificate in Not Killing People.

      But also, at what distance from killing people does this license cease being relevant? You worked on (say) a firewall product on some device, it fails to prevent some attack and the medical device kills someone.

      Or the radio stack?

      etc

      3 replies →

MCAS was designed by aeronautical engineers, not software engineers. The exact sensors, function, and responses were all specified by aero engineers. The software, as far as we know, was produced using acceptable software engineering processes and functioned exactly as designed.

What, exactly, do you think a PE cert for a software engineer would have done here? Do you think the software people should have refused what the aero people certified as safe?

  • Require signing off on something as an Engineer that they understand the scope for which this unit is being utilized and that it is reasonably safe according to the best practices known at the time and their own full and complete understanding of the context.

    It gives legal teeth for them to say; "No, this has not yet been proven to be safe, I cannot sign on to that". However at the same time a union or guild is required so that management doesn't penalize for being a moral engineer versus a rubber-stamp engineer.

    • Are you suggesting that these hypothetical software engineers would substitute their opinion for the expertise of domain expert engineers? Or would a software engineer doing flight control software have to first be certified as an aero engineer before touching the keyboard? (Aero engineers do not use the PE system, btw).

      How about people doing software for medical systems? Would they have to go to med school, do a residency, and pass medical boards before coding? How would this work?

      Because refusing to accept specifications from domain experts and substituting your own is a great way to attach personal liability to yourself for something in which you are not trained as a reasonably knowledgeable lay person, much less an expert. I doubt any software engineer could obtain professional liability insurance if that was the practice.

      2 replies →

Most software engineers don’t even have a college degree in computer science, and now we want them to get a professional certification? Good luck with that.

https://stackoverflow.blog/2016/10/07/do-developers-need-col...

  • The title 'Software Engineer' is an over used term imo that describes any developer out there.

    That title should be reserved for those that have the same credentials as an ME, EE, etc. Someone who is a CS degree holder or a self-taught comp dev has in no way the same training as someone with a CE degree.

    Engineers are able to take their PE exam in either CE or SE. https://ncees.org/engineering/pe/

    • > Engineers are able to take their PE exam...

      Provided you have a PE credentialed coworker who can vouch for you. That is a chicken and egg problem for most people in an organization with no PEs.

    • I'm self taught and blow most out of the water with software and hardware engineering. Most college degrees, even for CS majors, are a joke.

  • If anything you've just reinforced my point that there needs to be a higher barrier to entry when dealing with software that can critically affect human life.

Certifications are nonsense. I hear this everywhere I go: any time I mention "oh, I'm thinking about doing XYZ certification" it's like "don't waste your time doing that, just learn what you're talking about and prove it." Certifications have a lot of workarounds, sort of, whatever; anybody can study and pass a test, doesn't mean you can do the work.

  • Software certs have a bad name because of things like Oracle and Microsoft multiple choice tested certifications that are cheated outrageously, and crap like one-day certified ScrumMaster nonsense.

    Probably the better model would be the apprentice/journeyman/master progression from the medieval trade guilds.

With this power, comes serious responsibility. If an engineer signs off on a design that they know to be fundamentally unsafe, that engineer has liability regardless of the internal pressures placed on them.

  • The incentives just aren’t there though. Performance reviews are all about impact, and engineers who focus on quality instead of impact are worse off in career advancement. Likewise with the incentives on companies; companies that do slow but careful development get overtaken by faster moving competitors which reward impactful employees.

    And it isn’t even clear to me that most consumers would prioritize security / stability over feature-sets when choosing software.

  • How does a software engineer know that something is safe? Do they need to be aerospace engineers as well? Do they need to go over the full schematics of the hardware their software is running on?

    • Yes!

      If you are in a context where your software has significant implications on the state of a physical system, you must be willing to work with the other engineers to make sure you've accommodated all the eventualities you can.

      Part of being an Engineer is knowing what you don't know, yet following through and making sure you connect with the people who do in order to ensure all relevant questions are asked and answered.

      2 replies →

  • >>> If an engineer signs off on a design that they know to be fundamentally unsafe

    The problem is you don't know it's unsafe. It sometimes takes a disaster to shed light on a problem. Engineering and design is hard.