Developers Blamed For The Post Office Horizon Scandal?

I've worked in the government for almost a decade as a software developer, and I have seen some truly appalling systems that are not fit for purpose, developed by big consultancies. It's almost as if delivering a substandard solution is part of their business strategy.

The developers fucked up the software, but there were internal reports by developers to the management at Fujitsu and the Post Office that detailed issues with the system. These reports were ignored and buried. Not only that, they were illegally hidden from discovery in trials.
The developer has some duty of care, but when the issue is reported and the report is buried, they have largely absolved themselves of that duty because the burden of responsibility is now shifted to the management who actually has the power to take action.

Software developers are the easy scapegoat. However senior management at the vendor and Post Office should also share in the blame. How can they not have tested this? Surely failed networking is a requirement. Then you have the failures to own the issue and respond honestly and appropriately. So product and software development did a poor job but the reasons lives were taken and ruined is because organisations didn't act with professionalism once errors were found. It's absolutely disgusting this has gone on for so long. Poor leadership is the root cause sadly.

The behaviour of Fujitsu is shocking. And as they could have predicted, this has now come out, and will cost them in the order of a billion pounds in damages.
I never understand how some people will protect their own image & ego in the short term, while ensuring its destruction in the long term. The managers that made the choice to keep this bug under the rug may well face criminal prosecution.

The biggest scandal here is that judges actually ruled against people on so many cases! Surely there jurisprudence on these cases and as a DA you would have a thorough investigation into the plaintiffs! You know that the post office and their manufactures will hide from a clusterfuck. Also me as a post office employee would immediately blow the whistle when after a new system accounting irregularities popped up on a massive scale; especially with franchisees who have had no inaccuracies every before!

I blame the entire system, from programmers to higher management and costumers, because there is a dangerous generalized trend of putting code out the door instead of focusing on quality code. I sometimes clash with other programmers/managers because I prefer to work slower and put out quality work, covering all potential bugs as much as I can.
I always treat my code as if it could kill someone, even if it is the most simple of programs, because I know that inevitably someone will use that code on something it was not designed for.
I understand that there are financial considerations and that is why I always mention in the job interview that, if a manager wants me just to write code as fast as possible, I am not the guy and they should consider someone else. I prefer to keep looking for a job than to be a part o something that might cause trouble down the line, both for the costumer/users or me (because I might be liable/escape goat for the bad program).
When questioned about why I work like that, I often just reply "A program that works most of the time, does not work when you really need it".

In my 30 years of building these systems, it's very rarely a technical issue (in fact the technical aspects are almost immaterial) ....
it's much more of a management/business problem ... As you say Dave, these systems are organically complex and if anyine loses sight of this, failures can happen.

I've been dressed down a number of times by senior management after identifying bugs as an issue, in IBM and Microsoft Software.
Each time, management made it clear that I was just making excuses for my own failures, because IBM and Microsoft were incapable of releasing bugs in their software.
One particular instance that I was demoted, and given a pay cut for, was when I released an application built with a newer version of the Microsoft C compiler, than the compiler that had been used previously. It was the compiler provided to me by management.
The bug that occurred, that I took heat for, was that the timestamps of all of the records in our code were dramatically changed.
I was able to determine the cause of the problem and demonstrate the bug before Microsoft owned up to it.
Microsoft did release a bug report for this, and fixed the bug in the next version. The bug was caused by the time function using a different base number for 1970, in that release.
Still, the damage was done to my reputation at that company, I soon found another job that paid better, and had better benefits

Seen it firsthand in consultancy, some people don't care past getting through the day. Raising issues might get silenced by leadership or folks just get angry they can't just do happy path development. Sometimes this is simply decided by the client, against all recommendations, often with no traceability.

This is one of the most brilliant pieces of analysis that I've seen since the Post Office scandal finally worked its way into the British psyche. You really got to the root of the problem. I'm really impressed with how you clearly articulated the problems inherent in designing software architectures for Banking and Distributed Systems and how badly software is often written. Even I managed to understand it. 🙂. One thing that I hope will result from this terrible episode in British justice will be for people to no longer just assume that "the computer is always right!" Excellent video! Thank you!!

It's hiding a fundamental problem at Fujitsu to claim the system is "complicated". For example, where a subpostmaster entered a value and realised that value was incorrect ( £1300 entered instead of £1500 say), the subpostmaster could _reverse_ the original entry and then enter the correct value. But Fujitsu's code instead of _subtracting_ ("reversing") the amount _added_ it back on! Two minutes testing by the developer crafting the code would have shown the error. The testing team (if there was one!) could have seen this in short order. Any regression testing (if such was done) should have flagged this. But no! It took a subpostmaster to notify the PO who then notified Fujitsu. There is no "complicated" here, this is Software Development 101, Testing 101 and it seems as if the whole development process was severely lackadaisical and simply not fit for purpose. Yet Rishi Sunak continued to dole out £billions to Fujitsu. It beggars belief really.

In other engineering fields, when the final product is turned over to the buyer or governing body , it's turned in signed by certified people, who are liable in court if what they signed turned out to not be according to standards and specifications.
So I would say that what you should have is a regulatory body that will accept and check these products according to standards ( i guess a body for making them also). Self regulating will never be enough.

Institutional obstinacy. The issue is not the bug but how it was handled and how the post office treated the postmasters.

At the end of the day it's all about incentives. You get what you reward. If keeping technical debt under control and having high levels of test automation are rewarded that is what you will get. If you reward shipping features as fast as possible without regard to maintainability and reliability that is what you will get. Generally non-technical project managers will prioritise doing things quickly over doing things properly. They should not be allowed to rule the roost. Engineers should be able to push back. Perhaps litigation is the only way to ensure quality. If the software fails dramatically the firm who created the software should be liable. That would incentivise quality.

Handling of the bug reports is the shocking thing for me. Who hid the bugs are truly culpable.
Open BTS would have really helped imo. Postmasters would have quickly discovered they are not alone!

I had a manager who thought that distributed consensus was obvious and easy (circa 1991). I had this cool little MIT Press book called, “Algorithms for Mutual Exclusion,” and I quickly realized that none of that was true. Good luck convincing that manager though.
I did the usual thing when faced with incompetent management. I quit. :D
Later I worked for Fujitsu in San Jose. Ugh. That’s my only comment…

Thanks for the clearest explanation of the technical issues that I've seen anywhere. In particular, this is the first I've heard of the size and capabilities of the software team. My perspective is as someone who helped build an SMS-based mobile money transfer system used by millions of people in which the core development team was 5 people so I know that it is possible to build something like this with a small team although this was in 2005. Keeping the electronic view of money transfer in sync with real-world cash movement is a tricky problem that requires careful end-to-end system design, including usability. ACID transactions only go so far - you can't enrol a customer in a transaction and make them rollback if they already left the Post Office. One of the things that I learned is that most software developers don't understand the issues inherent in such a mission-critical, highly scalable and highly reliable system until they have at least one under their belt. Most software developers come from a background in smaller systems in which errors are an exception and error handling is often an afterthought. For these critical systems, coding for errors is the norm and a desirable, non-error situation has to be considered the exception.

A 'duty of care' would be a great way forward for our industry, along with legal ramifications for 'boards of directors' who prosecute people for things they know are false. I also love the quote on Dave's T-shirt of 'The measure of intelligence is the ability to change' a great video all round.

I would like to say, as a professional software developer of 30 years, these are cultural problems.
Quality is built-in actively; it cannot be tested in. This requires an engineering mindset aware of potential for issues, acknowledgement of possibility of issues and tracking / correcting issues as they arise - as part of the software development process. Effort and time is necessary.
The cultural issue comes where management do not accept this, being either self-important / self-inflated (we can do no wrong, as we're the good guys!) - often resistant to communicating problems vertically to top management - OR totally untrained, often just an MBA brought up on accounting, marketing and spreadsheets of budgets.
Short / impossible deadlines do not help, indeed I am aware of an impossible task given to a small team. Two guys delivered a wonderful fantasy (which ticked all the contractual boxes) simply as a response to deliver an 18 month project in 12 weeks, which is all management allowed. I wonder how much financing was responsible for this; the lowest bid won but the output should have been hung up in toilets for wiping purposes. NB this was a complex report and nothing to do with software or the PO issue.

As soon as this blew up over the last few days I was reminded of the classic book, "The Case of the Killer Robot" by Richard Epstein in 1976. It is about a robot that goes wild and kills a person. Who was to blame? The programmers? The CEO's? The managers? The developers' company? Client? The book explores the ethical issues raised. This book should be compulsory reading by all involved in the enquiry. It is used in university courses on ethics in software engineering.

I am a developer who used to work at the post office in McColls, the software was horrible and you didn’t get really much training

The one thing that caught my attention is the corrections that could be made with no audit trail - as if the sub-postmaster themself had done it. That in a production system is farcical.

Fascinating. I was a CPA/CBA, bank auditor in the US for over 30 years, the last 7 before retirement in IT auditing. The core of this unique problem was as pointed out, the amoral collusion between PO management and the vendor.

The enquiry needs to get a hold of the implementation, full testing and audit records, who signed off? I've worked on projects where i managed the user acceptance and regression testing. The crap i copped from Project managers was incredible. The cio et al were paranoid about kpis and performance pay. Telling the board all was in track. Systems signed off as the modules worked, a full test? I refused to sign off until full runs were done. A wages system i worked failed at final pay run an no bank transfers would have a worked. Ten thousand wages employees would not have been paid. I looked around table and said I may have saved OUR jobs. Silence!.

8 software engineers working on this? Seriously? How much did I the taxpayer shell out for this to be built?

The Netherlands had a similar scandal only with childcare benefits, only at an even larger scale with even more severe repercussions for the affected families. People financially ruined, children taken away to the point for so long that even now they're (slowly) being made whole again their children are estranged and no longer want to return.

While software developers have a professional duty to do their best, I feel the main responsibility lies with their principal. This team did not have the skills & knowledge to build this system. Otherwise it would have instituted processes, tests and mechanisms to ensure ACID behaviour. But I don't think you can blame people for something they did not know. The final responsibility is with the principal who trusted them, not the developers. Fujitsu is not a small company and has a LOT of experience with critical systems.
In a normal situation, in a healthy company, the pattern of faulty transactions would have been picked up quite quickly, remedied and its victims compensated. There must have been logs from which the behaviour of the system could have been reconstructed, and the culprit identified. The Post Office didn't do its due dilligence in find the root cause of the problem, but instead assumed the office managers were at fault. Without proof.
And it is a dire indictment against the UK legal system, that they followed the Post Office in its findings, without demanding proper proof that the SW system was not at fault. Courts must be aware that SW can be at fault.

I have worked for software companies in QA developing for the public sector and Ive seen completely incompetent client representatives that overrule technical expertise resulting in substandard solutions.
People have an idea that anything is possible on tiny budgets and are unwilling to compromise on scope. Ive seen one system where the clients force of will meant that the system looked like a cowboy job because the budgetary constraints and the scope and the clients ignorance necessitated hacking their way through it. At one point they insisted that it was ok for us to record the wrong information about employees payroll, to which I said "we wont be doing that unless you put in writing that you are requesting the deliberate non compliance with data protection laws.

Unfortunately sometimes these company offer these contracts to the cheapest developers, some government systems are truly horrific too and are probably on the verge of collapse similar to this.

So many people to blame with this entire thing. So many people knew what was wrong and let it continue. I still don't understand how the judge or judges sent these people to prison despite knowing there were hundreds of other cases. It's baffling.

Having seen the television series and many TH-cam videos on the Post Office disaster this is the first video I have seen that explains the technical structure in a way that anyone could understand especially the current investigators who are not necessarily technically minded. I have developed software in my past that interfaced with the banking systems and as you have explained it is a technical structure. Thank you for your clear explanation

After 30+ years of working as a software developer in various companies, including our government and MOD I've seen plenty of terrible systems, poorly designed systems, poorly tested systems, systems released before completion, and systems that were not fit for purpose. People at the top love to play the blame game, but it's not always that simple. Bugs in code can cause nightmare problems, but are mostly found during testing stages of which there are usually numerous levels. A bad design in the first place ends up coded in and can then be hard to track as the code matches the design.
Nobody at the top wants to take responsibility, so it turns into a bit of a witch hunt to find the scapegoat that everything can be blamed on.

15:23 "2 out of 8 good" Here's my version of this scenario. I was on a financial project years ago. There was a genuine shortage of people with experience of the computer language. But not to worry, another country could supply 6 people with 2 years experience. We took them....2 were good, 2 were ok, 2 struggled. One of those who struggled let slip that none had 2 years experience. They instead were sent on a 2 week training course, sent half way round the world and told to keep their mouths shut. What happened? Not quite what I expected. They were all kept on, the two who struggled moving to the test team (not to denigrate testing, its a skill in itself). What did I learn from this? Suppliers of staff are willing to lie about those they supply. Users of those staff will turn a blind eye so long as they are cheap and a profit can be made by charging them out to the client. If I were the boss, a better approach would have been to hire 6 trainees from the local economy. I'd expect a similar result. 2 good, 2 ok, 2 struggle. But at least you're supporting the native workforce.

The first behavior one must address in networks is that they don't. Network failure is a normal condition. It this surprises a system then the system is prima facia at fault.

Yes, they have some blame, but not that much.
The largest responsibility for this f-up goes to the Post Office and the legislation that didn't do their work (or did they....?). *They* argued to fine the franchisees, to put them in jail, making their lives miserable.

Some professional societies (e.g., IEEE ) have a code of ethics that requires members to refuse work for which they are not competent to deliver with competence and professionalism. The clause reads: "to maintain and improve our technical competence and to undertake technological tasks for others _only_ _if_ _qualified_ _by_ _training_ _or_ _experience_ , or after full disclosure of pertinent limitations;" Another clause that would have helped prevent this kind of debacle reads in part: "to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors..." Not that having a code of ethics will change very much when professional engineers (and/or their management) lack a moral compass.

I've worked in Health IT for 20 years and frankly I think what we see is the tip of the iceberg. There just isn't what you would call a safety culture like we see in other high risk industries. I've banged the drum of good governance and safety within software development companies and received blank stares or worse arrogant waffle from directors who are clearly out of their depth and covering their ass. Then come the toxic managers shouting people down, and then before you know it, the product manager, the developer, the tester, all keep their heads down. I have had employees beg me to not say anything "it will just create problems". It's a shocking attitude and culture. People have and will die.

Last big client I worked for as consultant, I was fired for not timely delivery (but nobody really pressed a deadline)... I think though, it was, because I started asking too many uncomfortable questions and proposing to address the remediation of found IT risks in the official requirements for addressing further in project ... It was my job to assess the IT risk, but the management did not bother me to comply with task description.

How can a £1 billion software project have only 8 developers? I've never worked on any project that big, does anyone know where all the money goes?

I have conducted numerous security consultations for governmental agencies and healthcare public management systems following the enforcement of the EU GDPR law. The overall structure is remarkably poor, with end-of-life servers, no security patches for years, a lack of basic code security policies known to most coders, a non-standardized use of prepared statements in parametric SQL queries and many more horrific things.

Thank you so much for this helpful explanation. I'd love to know more about the help desk data... calls to the desk must have recorded in detail, exactly what was going on in the Horizon system. Somebody, somewhere must have got up one day and decided to limit the spread of that data. I'd like to hear evidence from that person, in which they explain their decision.

Unbelieveable. We know such systems are complex and may have bugs. For this kind of bugs a look into the logs would have been enough. If I see several transactions with repeated data within a small time frame, then we likely have a problem. Should be a piece of cake to write some SQL to filter those out and then compare with the real money to see that this adds up. It would be still a tragedy, but at least it would have been possible to find the cause and fix it and not push those poor guys into the court and often enough into jail.

I wish the managers would go to jail for such behavior. In the end, small workers go to jail, but the managers just pay with the money of the corporation, money that is not their money after all, just like politicians.

As a complete layman with no prior knowledge of the subject but followed the unfolding post office enquiry with interest, your explanation of this complex subject area was really informative. Well done.

Critical work should NEVER be given to people who are just starting or average. UNLESS the people who are allegedly Masters, look over it and confirm it works.
Those critical parts need to have signatures behind them. That developer...everyone... needs to know their system failed so it doesn't happen again.
If an initial company builds a product and sells it to a third party and after some time the third-party reports there's a problem; that company needs to fix it fast at no charge. I'd say for the first 3 years of the product.
However, if that third party knows there's a problem and does not quickly report it and stop the use of the software just to keep the company moving forward. THEY ARE RESPONSIBLE!!! They know a serious problem is in the software. They are willingly ignoring it as if it is a minor inconvenience. They've had multiple reports from multiple employees and still have done nothing about it.

Thank you for explaining this. One of my English friends was telling me about this post office scandal, and I'd wondered how it all happened, plus this brings back fond memories of database and OS classes at university 😊

I'd never heard of all of this before a couple of days ago. It's... gobsmacking. The lengths people in positions of power will go to to prop up their structure - lying, cheating, etc. It's very sad. Sometimes you just have to fall on your sword. The thing is, though, in this case - at least in the beginning - no one even needed to do that. All they had to do is lay down the law to Fujitsu.

Really nice video, takes you through both the info on the scandal and also some of the nitty gritty details on distributed systens, which I much appreciate

In my company we had weekly reviews. These were code and hardware reviews and all developers attended. Any new code written by anyone that week was reviewed by all others (usually senior devs did most of the commenting). The code was criticized by anyone and everyone. The junior devs got their code torn apart for the first few months but it was done in the spirit of the 'greater good'. i.e. making the code better. But it also taught everyone in the group a lot. The code reviews would take 1/2 a day a week (and sometimes several days if a new design review) and may have caused the development time to be 20% longer than it could have been if 100% of the staff were top devs, but by the end of a project we were all good top devs! It was especially good when a junior dev could point out some issues in a senior devs code - gotcha! We could also ask q's like 'I don't understand - why is this code necessary', etc. and we weren't derided for it. We were lucky in that management saw the value in these reviews and didn't try to axe them, even though towards the end of a project, there were hardly any code issues found because we had all got so good!

I'm a software developer. The bugs you describe so well would have been fixable (one Fujitsu developer was arguing to rewrite the cash account module, for example). What's shocking is that instead, they were lied about at various levels of the institutions involved.
It's not the bugs that really cause the problems, it's how the people deal with them.
We as a profession do need to shout loudly when we see this kind of mismanagement: not just "I see bugs" but also "I don't think this organisation is managing bugs properly". Something equivalent also applies to lawyers, of course.

Will this be the same committee examining the closure by the post office of several thousand post office accounts used to pay the most vulnerable blind severely disabled children and adults who have been left destitute,starving, hospitalized as a result they have not seen any income since 2nd june 2022. Will the group compensation for this legally protected group who have had their lives threatened also come from the Fiijitsu compensation scheme?
Will the collapse of the horizen system effect the payments of disability incomes through the post office branches since June 2022 ? under article 11 for human rights for those with disabilities the legislation under the European convention make immediate settlement to these sorely disabled bling adults from the monies allocated by Fujitsu ?

There are I thing two distinct scandals in this whole episode, although I guess they are related. The first one was that not only did ICL as was generate what was obviously a shoddy product but that who ever was responsible for accepting it at the Post Office did so - even though we now know the pilot rollout itself suggested there were issues. The second scandal was that both the Post Office and Fujitsu (as they had become) colluded with each other to seemingly commit perjury - claiming on witness statements that there were no known relevant defects with the system when the inquiry has established that there indeed known problems at least some of that time. This is not only pretending a system was working better than it did, it was doing so to a court at a criminal trial. Whatever the motivation of the Post Office, were Fujitsu that desperate to hold onto a contract?

Developers absolutely should have a duty of care consistent with the potential impact of their work. The main hurdle to overcome is the establishment of a licensing body such as the Bar for lawyers or the Medical board for practicing Physicians. Industry will lobby hard against this as it would reduce the seemingly already insufficient pool of developers, thereby increasing the cost of said developers.
I myself am a developer, and I hope that we can establish such a body as it would enable better protections for the public. We would finally live up to the name "Software Engineer". The biggest improvement will be the establishment of an authority to which concerned developers can report incidents to beyond mere fraud or lying to investors.

8 software engineers on a £1 billion software project. That says everything to me. With terrible UK salaries, that would be less than 1% of the budget spent on software engineering.
I'd be very surprised if any of those 8 ever claimed the system was bug free.
I’m doubtful how good the “good” software engineers were if they couldn’t create a culture to level up the rest of the team to also be good. Though bad middle managers could stop such a culture developing.

Even given the shenanigans between the PO & Fujitsu, how did it manage to go on for so many years? Was there no honest customer who would back the PO Official that the transaction was for 8K & not 24K in the example you cited? In comparison Boeing 737 Max “bug” if it could be called that took 2 crashes - 1 too many & a lucky break with the third incident providentially thwarted allowing the working backward & nailing the MCAS issue on an intact plane with all recorded data to support the findings. The MCAS was a kludge to fit a larger more energy efficient engine on essentially the same fuselage which caused potential stalling due to the new CoG & it got hardcoded into the logic to push the nose down especially on take-off without any override input possible by the Pilot. The FAA was hand in glove with Boeing management essentially letting the lunatics run the asylum. The parallel with the PO/Fujitsu case certainly resonates with the former. It is the innocents that always end up paying the price. Technological development is all nice & good but it should not always be the innocents that end up paying the price of any & all Mistakes that invariably roll down the chain from the very top. In essence the concerned top most officials should be criminally charged & face jail time or worse for failing to exercise duty of care. If they simply get the equivalent of a slap on the wrist, it just sends a message that such behaviour is fair-game especially as they could get away with it at little personal cost. Because there is a cost involved on the other side as well - that of wantonly cutting corners in Boeing’s case at least so their share price could rise by a few more millions come earnings declaration time.

Thank you so much for explaining - can you summarise the alleged 30 or 40 Horizon defects.
Were any sub post offices unscathed - assuming the sub postmasters did not continuously cover (false) small losses out of fear ?
Were crown post offices affected and their postmasters also prosecuted or disciplined ?
Finally could any post office actually have a net profit from these errors ?

I am 60y and have built (or was PM for building) many financial systems (or interfaces) with similar properties. IMHO the lack of proper testing is MUCH MORE to blame than the builders! Errors CAN and WILL happen even with very good builders. Proper testing protocols should be able to catch these errors. And what I do not onderstand is how the "creation" of money was never caught.

That is a masterly statement of the nature of the technical "problem of Horizon". The failure to insist on the highest standards of coding competence in so ambitious a project is deplorable. But stepping back a bit, I cannot see why such a critical system was put out to tender for a single bespoke solution, when several government departments were the "ultimate customers" (e.g. the DSS, who pulled the rug early in the development). That must have lowered the quality of the system requirements definition from the outset, In operation live, it seems to have led inevitably to multi-level towers of administrators in Fujitsu and the PO where communications both across and internal were spasmodic, and responsibility could always be shuffled to "somewhere else". And this in a bureaucracy where "don;t rock the boat" seems to have been the universal management answer to so many concerns expressed by technicians.

Thank you very much. You explained the problems of transaction processing so well. I've been trying to explain the issues you highlighted to friends and yes you don't even need computers for transaction processing to get really challenging.
For example if we are both sat at a table and I give you £10 over the table and you accept then that is a pretty pure and successful transaction. However if you are in another room and you dont want to be disturbed and I slide the £10 under your door how do I know you have received and accepted it. You might, for example, say thank you but are you talking to me or someone on the phone, etc. etc.😊😊

I am a Sw person trying to get a handle on the horizon tech detail. LAN in office WAN above that, interrupted deliveries, lost ones, partial ones, journal all. PLEASE get to the detail. I'll check in regularly with you, don't let me down, all best Jo

I was working as a network technician for a large Telecoms service company installing a VOIP system for a global insurance company. A lot of the so called Project Managers had no technical knowledge and were unable to understand the cause or effect of problems created from time to time during the install. They had the power to throw us off site if we tried to raise concerns and stop them doing something that effected the live network. It was a very messy project.
It niggled the hell out of me that these guys were on astronomical rates.
I imagine the Horizon project is no different.

As a retired one-time s/w developer, whether some developers weren't good enough, monitored etc , it's really a problem about inadequate management re: evaluating human resources & requiring a robust & comprehensive software/system testing regime. And Royal Mail has to take responsibility for just taking Fujitsu's word on all of this. They needed to have a major involvement in the testing process. They called it customer acceptance testing, when I was in IT. The customer being Royal Mail IT implementers. If the duff coders kept on having work farmed out to them, how were they to know what was acceptable & what wasn't.

This is definitely a processes issue. We can't ever completely avoid having bugs, so in any normal software development there needs to be both a process of thorough testing and a process of bug reporting, triaging and management. For something like this they probably needed to put a complete hold on processing any transactions, assembled a team of senior engineers to drop whatever they're working on and stay up until the problem was resolved. There should also be open and effective lines of communication in both directions with the customers and all stakeholders to keep everyone updated on what the problem was and the plan to get it resolved. It's somewhat baffling that none of this happened.

Nicely explained. I previously had watched a computerphile video on this system but enjoyed this one too. I used to program for a living (wouldn't go as far as calling myself a software engineer) and I enjoyed the challenge and the creativity of writing programs but on larger programs I frequently felt out my depth at times and can relate to your point on how it "one of the more complicated things that humans can do" In the end I chose a different profession partly for this reason and partly for the money i.e. In my industry some of the users of the software were getting paid better than the developers!

It's not clear as to the extent that funds were lost due to accounting bugs or the ability of others to alter accounts via widely reported remote access being open.

I've read comments suggesting there was no transactions implemented for the systems at the branches. No idea if that's true but would be a fundamental design error rather than mere bugs.
Also suggested, poor version control of schemas between the apps and databases.
Whose responsible? It's not the 6 inexperienced devs but the leads who hired them, and the management who covered it up.
I've worked on many late and overspent projects but this is better and cheaper than delivering substandard software, LDs and all. On one project, we scrapped what the previous team had spent 2 years working on and started again, gave the management a fright but within 6 months I was on speaking terms with the CEO of the multi-national company.
Starting again isn't always the answer especially when requirements capture is a problem. On my current project, we've incrementally taken it forward to achieve what effectively is a new product.

How often was I told by my superiors that we should hire more engineers and not fewer. That we could hire cheap ones out of college and then teach them. Nvmnd spending time fixing their bugs if we caught them in time, or even more time fixing the damage they’d caused.
I’ve come to believe that the issue is the Dunning Kruger effect - to someone who doesn’t speak Spanish, a beginner with good pronunciation will sound like a Spanish speaker. Since few executives understand much about coding, they tend to manage towards the wrong objectives 😢

Excellent summary. 25 years in ERP PM and consultancy with a couple of bespoke projects in there, nothing is new or unique in this case. The scandal is the continuous coverup.
What I will add that this will only get worse as more and more support and development moves to countries that provide cheaper rates... like India.

One big advantage of today's internet (and social media in particular) is that there now is communication between ordinary people, and thus between victims!
In the past, when you would report a problem with a product (including a problem in software) to the manufacturer, you would usually get the "you are the first one to report that!" reply.
That would give them the opportunity to hint that "it isn't that important" and "it is probably your fault".
But now, people post problems they find on social media. Others read it, and quickly it becomes apparent that multiple people get the "you are the first" reply, and thus the company is LYING.
The fact that this often escalates quickly makes it more difficult for companies to cover-up their mistakes. It would certainly have saved a lot of grief when victims of this problem would have aggressively published their experiences, so that outsiders would have seen the pattern.

It really is baffling that the terminals (and post-offices) didn't keep independent ledgers. Of course that would not fix the click again issue (for that the form would need resetting before enabling the button). And if course there should be separate till receipts.

Typically when taking over new software/hardware teams in product development, I tend to find ... No internal operating standard that stick to measureable and consistent coding conventions. - Even if there is a standard, they dont stick to it. Bad mission planning, Distracting workplaces that attract mishap and error. Use Agile more as a tool to remove quality checks and balances removing scrutiny. Not checking "edge-cases" when making changes and/or using complilers, Poor - or even no testing practices in deployed state out in the field....btw , love the T shirt written in "Quake" speak.

Quality video, very well sir.

I find the lack of communication about these bugs to the security team shocking. There was a wall of silence between the people who knew about the bugs, and the people who were investigating the finances. If I knew about both of these things I would have arranged a meeting between both, but what happened is that the Port Office management, actively kept these two groups separate to save brand reputation. Those postmasters lives were not worth ruining for the reputation of the Post Office.

Software is increasingly important for society. We all rely on it and have no choice but to trust it every day -- it's everywhere, from a silly child's toy, to our boilers, to the cars we drive. Yet every developer here could tell horror stories of rushed development and hacked together code. These aren't rare situations, our industry is rife with it. It has to change.
If software companies were held to the same level we hold chartered accountants or other professions, where a high standard is expected (and where low standards could be dangerous) things would be different.
Companies would have no choice but to give developers the time and resources they need to do a good job.
This problem is only going to get worse as software gets more and more integrated into our daily lives. It's time our profession matured to the next level. Situations like in PCL/Fujitsu, where half a team were "incapable of producing software at a professional level", should never be allowed to happen.
Even if software companies were expected to keep several year's worth of commit histories for their projects, just like finance departments are expected to do for company accounting. That would be a start. (It would have changed everything for the Horizon scandal.)

Issues happen, bugs happen, bad software happens. But it's usually incompetence not malice. Cover ups ruining the lives of people? That obviously happens too, but it's always malice, never incompetence. And that behavior can and should be disincentivized by simply throwing anyone found guilty in jail. When worrying too much about the bonus comes with the possibility of up to 25y jail sentence, people will think a bit more before taking that leap.

I think there must be some people with rather weird psychology involved. Most people, when given the choice between bad and worse, choose bad (expose the issue, instead of standing still and waiting for it explode on their face with 100 x force).

3:36 "980 of their own employees" - nitpick: subpostmasters are not employees of POL, they are self-employed franchisees - which is why they are treated as second class citizens within POL.

We desperately need some conversations about ethics in the software industry.
Unfortunately, us engineers cannot do this alone, and companies are usually solely evaluated based on profits for shareholders, and that often leads to a race to the bottom or harmful practices.
What we can do as engineers is be professional. Hold ourselves to high standards, push back when things are wrong. Otherwise we will be regulated from the outside, with all the problems that will entail.

In any 'normal' (read: ideal) software project, there is an accountable person who acts as the owner of the finished product. Where the product is complex this may be filled by multiple responsible persons, but there is still a single actor who is held to ultimate account for performance against a set of black box behaviours which should include as a minimum: reliability.
The most confounding thing about this whole wretched affair is that we still haven't seen a single person identified as the ultimate product owner - yes we have directors, projects leads and customers ... but no one who was supposed to be the advocate for the end user.

I'd like to recommend a book to engineering managers and executives in Post Office and Fujitsu - "It sounded good when we started - a project managers guide to working with people on projects", by Dwayne Phillips and Roy O'Brien. And anyone working on large, complex and long-lifed systems which need to be supported over extended periods like 20+ years needs to have a look at BSI's PAS 280:2018 "Through-life engineering services - Adding business value through a common framework - Guide".

Agree with everything you said, but one thing that just blows my mind as a database developer who has worked on many complex systems that were probably less important (but we're very robust in their implementation within a team) was it doesn't seem to be as though the Horizon system could have been rigourously tested, if it was tested at all, before signoff and rollout. Having professional experienced testers surely was absolutely necessary on this project whose job was to try and break the system in every circumstance possible.
As a distributed system this should have in part replicated how the system would work in practice. None of this can have been done to any level and although you could have developers developing using TDD practices i think on projects this important you need a separate tariff team. This probably would have pushed the cost up and therefore less profit or maybe not getting the contract in the first place (and another company with exactly the same issues building it instead, so basically a lottery).
The cover up and accusing sub postmasters of basically stealing money when the bugs were known from many past offices, and the ruining of people's lives, is beyond criminal though. Those people who did this need to go to jail.

Hi Dave, it's Garry.. Great video - Failing debounce, ACID and Locking issues. How it is possible that this wasn't picked up in testing...
Would you be able to do a follow on video?
What SDLC model did Horizon use
What CI/CD process did they follow
How did they test the systems (Is it true they had no UAT, Staging platform)
Finally how might Continuous Delivery processes help identify these issues
thanx again

One of the things that I find worrying is that they were still still prosecuting users for the same problems 10 years or so after the first instances. How could the system still have the same known bugs after that time? That has to be mostly down to Fujitsu as a company, although the Post Office should have chased them mercilessly until it was right and it appears that that was the one thing they did not do.

Software companies should be financial responsible for their bugs. They should insure their software . If they have a good quality management, they pay less for their insurance.

"Who should be responsible when crap software hurts people?"
I think we already know the answer to that question.
Its the same answer for similar circumstances such as a plane falling out of the sky because a defective part fails off, a drug causing birth defects, or a make of car bursting into flames in a minor accident due to a petrol tank design defect ..........its the manufacturer of those products that caused harm by being defective.
Of course, there are multiple "harms" in this case.
Fujitsu are responsible for the defective software that caused harm, and the Post Office are responsible for the harm caused by the Horizon system being faulty, and the further harm caused by their doubling down and trebling down on their deceit by denying those defects, informing people that they were the only occurrence of such defects, and the subsequent prosecution of individuals thereafter despite it being known that the system had issues that caused financial loss to incorrectly show up in local Post Office accounts.
There was also the lying about being able to remotely access individual local Post Office systems accounts and alter transactions!
The Post Office have "hurt" the Post Masters using the Horizon system and Fujitsu has hurt its own reputation and also that of the Post Office.

This is depressing. I’ve always wondered how people can use and abuse people beneath them just to satisfy their bosses. Probably why I’ll never be in senior leadership.

As you mention. The scandal isn't that the software failed - the scandal is the fact that the the corporate machine falsely prosecuted for fraud, innocent employees that had nothing to do with the failings. These prosecutions led to multiple people being incorrectly imprisoned and, in several cases, directly led to suicide.
You can blame the software developers for developing software that didn't meet the requirements but that's hardly a scandal (and quite commonplace, actually). Under those conditions, the worst case scenario is that Post Office would have paid a load of money for software that didn't work, but in of itself it wouldn't have led to multiple imprisonments and deaths.

I'm finding myself adding more and more videos of yours to my Architecture and Engie favourite list, I might as well just add the channel at this point :)))

Blame goes to Fujitsu management, for not providing the resources and people to write better software, and for covering it up - But note they dealt directly with the Post Office and did report it to them
The Post Office management knew they had a buggy system, and could have blamed Fujitsu publicly, but instead actively covered it up - that's the real scandal

It is understandable that people are at varying levels of competence. It is not understandable that people with insufficient competence would be let continue to work on the project.
It not only can lead to real harm (it did), but there is a significant risk to a company's reputation (Fujitsu). Additionally, Fujitsu could also have risked losing money, if Post Office demanded that material quality issues had to be fixed without additional compensation.
However, prestige projects, where perhaps a preferred partner is the only bidder (other companies thinking there is no point to bid if the decision has already been made) is not going to improve on software quality.

It seems like the bug was a source of revenue for the managers (possibly in both companies), so that they had a good incentive to cover it up.

As always this breaks down the issue perfectly and I'm not a developer. Thanks as always. 😃

I meant to say in my other screed, thanks for the video, I think I might be hooked on your channel :-)

The more worrying failing is that of the justice system that let innocent people be convicted, and I don't hear that being discussed, interestingly.

As an amature software writer from 1980s to the present day, what has got me baffled is that no one, as yet, has mentioned beta testing of Horizon. Was this ever undertaken? If it was then it would have been known that Horizon was not fit for purpose before it was rolled out. This would add another level of evil intent on the managements of the Post Office and Fujitsu. I hope that someone connected to the Hearing reads this and ask the relevant question.

Well, one thing that adds fuel to the fire is absence of training in companies and requiring the developers to “hit the ground running” (as they put it in job ads). Developers, no matter how much expert they are, need to be given training about the related tech, system design, and approach they should take.
Secondly, since non-technical people do not understand that a softwares are as complex to write as building a skyscraper, or inventing a new type of car. Since they think that a software developer, like an office clerk, just sits on a chair and presses some keys, so they can apply the same “pressure tactics” on software developers to get the job done more quickly as they do with clerks. Result, softwares written in a hurry are badly coded, have bad design shortcuts, and end up buggy and unmaintainable “spaghetti” kind of state. And then the bugs like this happen. Unrealistic deadlines, undue pressure, and non-tech people managing and supervising teams are equally responsible for this mess. If I hire a driver to get me from A to B, and I require him to cover distance of 100km in half an hour whatever happens, everyone knows what will actually happen.

Agree its complex, its basically a mini silo system (tills,servers,etc.) running on each post office branch. The volume of branches and the number of bugs compounded the problem. I've watched a few evidence videos so far. Some of these issues like locking, transaction data sitting on dead hardware is typical. Throw into the mix that most of the people involved worked in the Post Office and Fujitsu for 10+ years hasnt helped....lack of experience and skill you get from different roles.
These days senior management lack any technical expertise to understand software development problems.
The volume of manual steps involved in the extraction process seems to be no ending and most of it was ignored or not practical.
The funny aspect of this is that extracting audit record data, we seem to miss that this was raw level transaction data which your average subpostmanager probably doesn't have a clue to summary given it was probably sizeable in nature.
I've dealt with polling and EOD from a head office point of view, typically you have missing days and even missing hours when errors occur and that doesn't factor in chasing polling issues at stores, etc.

Horizon and its successors have the most appalling design, build and test. Having put in many distributed banking systems the steps in design, build and test were always independently audited. The architects need to be held directly to account for the abysmal design as do those that tested it. As a programme manager, I get rid of those people that did mediocre work because it would cost heavy in test and production those for their weak code.
As to Fujitsu, the government should insist on a full audit of all their systems and require Fujitsu to disclose every piece of material right up to the board.
Previous Post office and Fujitsu directors and senior management should be immediately banned from holding any senior position unless they can prove no role in this mess. And then sued for all their wealth to pay the post masters. Gaol time for anyone that was a party or did nothing knowing about the deception.
THE METROPOLITAN POLICE HAVE FAILED IN THEIR DUTY AS WELL. THE COMMISSIONER NEEDS TO ANSWER FOR THEIR CORRUPT LACK OF PROSECUTIONS. Excuses that the inquiry needs to proceed first is utter rubbish. Criminal matters do not wait for civil matters.

There are some things about the Horisozon Scandal that don't make a lot of sense to me.
1) Why was there an assumption in court that the computers were correct? If the code were perfect, you'd never need hotfixes - but I bet Fujitsu wrote some. And given that my phone, PCs, TV, and even my car nag me to install updates - who imagines that a distributed payment system of that scale would not have bugs? Even a moment's thought shows that this assu
is likely false.
2) Why, in all those court cases, was the bug tracking system not made available through disclosure? That will tell you about the quality of the code. "You say your system operates perfectly - okay, let's see your issue tracking system". And if they don't have a bug tracking system, that will tell you about the quality of the company.
3) How was it that so few developers who'd worked on it fail to blow a whistle? (Side note: at least one did)

Developers deserve a lot of blame here. Of course they are not responsible for the corrupt procurement process, not responsible for the "never admit any failures" MBA culture, but they really built an exceptionally crappy system, even by the British standards. And for this they must be hounded and mocked. Far too often code monkeys get away without their incompetence being exposed and laughed at. This is the time to beat some fear into the bad pseudo-engineers and to remind them what respinsibility is.