Systems Engineering for Software Engineers

Ian Sommerville
Computing Department, Lancaster University, Lancaster LA1 4YR, UK
is@comp.lancs.ac.uk

Abstract

This paper describes how we have modified a software engineering stream within a computer science course to include broader concepts of systems engineering. We justify this inclusion by showing how many reported problems with large systems are not just software problems but relate to system issues such as hardware and operational processes. We describe what we mean by ‘systems engineering’ and go on to discuss the particular course structure which we have developed. We explain, in some detail, the contents of two specific systems engineering courses (Software Intensive Systems Engineering and Critical Systems Engineering) and discuss the problems and challenges we have faced in making these changes. In the Appendix, we provide details of the case studies which are used as linking themes in our courses.

Introduction

Software engineering gets a really bad press. All too often, we read horror stories of how software engineering projects have gone wrong with massive delays and cost overruns. The software ‘crisis’ which first emerged over 30 years ago is still claimed by some authors such as Pressman [1], who renames it as ‘software’s chronic affliction’, to be a reality of current software development. High-profile system failures such as the Denver Airport baggage handling system (in the USA) and the London Ambulance despatching system (in the UK) have been widely publicised. Software and the poor state of software engineering has been blamed for these failures.

As an illustration of this, consider the reported problems with the Denver airport baggage handling system. This is an automated system to move baggage from aircraft to terminals which relies on software-controlled baggage carts propelled by linear induction motors. There were serious problems in the development and commissioning of this system. This delayed the opening of the new Denver airport and meant that the airport managers incurred significant costs after opening because the system was less effective than planned.

In the Scientific American of September 1994, problems with this system were discussed in an article headlined “Software’s Chronic Crisis” [2]. The author of the article wrote:

“... For nine months, this Gulliver has been held captive by Lilliputians - errors in the software that controls its automated baggage system ...”

He goes on to discuss general problems with software development and engineering and illustrates these with other examples of cancelled projects which he claims were due to software failures. The general impression from this widely-read article is that the problems of the Denver airport system were exclusively software problems.

However, when we look at another account of the Denver Airport system [3], we see that the problems with the system were much more than software problems. They included problems of system acquisition, volatile requirements, management and hardware design. The system is immensely complex and includes:

• over 17 miles of track
• 5.5 miles of conveyors
• 4000 baggage carts (telecarts)
• 5000 electric motors
• 2,700 photocells
• 59 bar code reader arrays
• 311 radio frequency readers
• more than 150 computers

The intention of the system was that baggage transfer would be handled automatically using a system of conveyors and baggage carts which delivered individual bags to specified destinations in the airport. The airport authorities decided to acquire a system which was based on one bag per cart rather than a tested system based on multi-bag carts. This was in spite of a consultancy report which stated:

“With regards to the single-bag DCV, considering the prototype state we strongly feel that it is not capable of being implemented within the project schedule”

While the system was being developed, the requirements changed radically and the software was expected to cope with the change:

“In May 1992, the airlines and the city ordered a major revision of the automated baggage system while it is under construction”

There were problems with the management of the different contractors who were responsible for developing and installing the system:

“21 October 1992: a BAE superintendent complained that another contractor was denying his crews access to the work site. Infighting continued through 1993”

The hardware design caused difficulties and the hardware did not operate correctly in some situations:

“The baggage system continued to unload bags even though they were jammed on the conveyor belt. This problem occurred because the photo eye at this location could not detect the pile of bags on the belt and hence could not signal the system to stop”

As well as all of these problems, there were also problems with the software:

“The timing between the conveyor belts and the moving telecarts was not properly synchronised causing bags to fall between the conveyor belt and the telecarts”

Therefore, we can see that the problems with this system were really much broader than simply software problems. Blaming the delays and difficulties on poor software engineering misrepresents reality. Better software engineering may have avoided some of the problems but this project was probably doomed from the outset. The system, as a whole, and not just the software failed to operate correctly.

A similar picture emerges in other high-profile systems failures. They are often represented in the press as being primarily software failures but, when we look at them in more detail, we see that the problems are not only software problems but are a result of more general failings in the systems engineering process. The official report of why the London Ambulance Despatching System failed identified other types of system problem which can arise:

“the system relied on a technical communicatio