
Comment by jhayward

6 years ago

MCAS was designed by aeronautical engineers, not software engineers. The exact sensors, function, and responses were all specified by aero engineers. The software, as far as we know, was produced using acceptable software engineering processes and functioned exactly as designed.

What, exactly, do you think a PE cert for a software engineer would have done here? Do you think the software people should have refused what the aero people certified as safe?

Require them to sign off on something as an Engineer, attesting that they understand the scope for which this unit is being utilized and that it is reasonably safe according to the best practices known at the time and their own full and complete understanding of the context.

It gives legal teeth for them to say: "No, this has not yet been proven to be safe, I cannot sign on to that." However, at the same time a union or guild is required so that management doesn't penalize someone for being a moral engineer versus a rubber-stamp engineer.

  • Are you suggesting that these hypothetical software engineers would substitute their opinion for the expertise of domain expert engineers? Or would a software engineer doing flight control software have to first be certified as an aero engineer before touching the keyboard? (Aero engineers do not use the PE system, btw).

    How about people doing software for medical systems? Would they have to go to med school, do a residency, and pass medical boards before coding? How would this work?

    Because refusing to accept specifications from domain experts and substituting your own is a great way to attach personal liability to yourself for something in which you are not trained even as a reasonably knowledgeable lay person, much less an expert. I doubt any software engineer could obtain professional liability insurance if that was the practice.

    • In such a case the Avionics Engineer (or whoever is actually designing the flight worthiness and characteristics of the overall system) would produce a white paper that fully describes the operational limits of the system under various conditions. Such a white paper (and its attached references alone) should be enough to create a fully working simulator; it would also be what is used by the software engineer to confirm that the model they have made behaves within anticipated limits; and it probably would also require human review (pilots in the sim, running against the real software with simulated inputs).

      That's the TYPE of thing I expect to happen in this context.
