
Chapter 1

Issues—The Software Crisis

1. Introduction to Chapter

The term "software crisis" has been used since the late 1960s to describe those recurring system development problems in which software development problems cause the entire system to be late, over budget, not responsive to the user and/or customer requirements, and difficult to use, maintain, and enhance. The late Dr. Winston Royce, in his paper Current Problems [1], emphasized this situation when he said in 1991:

The construction of new software that is both pleasing to the user/buyer and without latent errors is an unexpectedly hard problem. It is perhaps the most difficult problem in engineering today, and has been recognized as such for more than 15 years. It is often referred to as the "software crisis". It has become the longest continuing "crisis" in the engineering world, and it continues unabated.

This chapter describes some of the current issues and problems in system development that are caused by software—software that is late, is over budget, and/or does not meet the customers' requirements or needs.

Software is the set of instructions that govern the actions of a programmable machine. Software includes application programs, system software, utility software, and firmware. Software does not include data, procedures, people, and documentation. In this tutorial, "software" is synonymous with "computer programs."

Because software is invisible, it is difficult to be certain of development progress or of product completeness and quality. Software is not governed by the physical laws of nature: there is no equivalent of Ohm's Law, which governs the flow of electricity in a circuit; the laws of aerodynamics, which act to keep an aircraft flying stably in the air; or Maxwell's Equations, which describe the radiation of energy from an antenna.

In addition, software is not manufactured like hardware; it does not have a production phase nor manufactured spare parts like hardware; it is typically custom-built, not assembled from existing components like hardware. Even in today's society, software is viewed with suspicion by many individuals, such as senior managers and customers, as somewhat akin to "black magic."

The result is that software is one of the most difficult artifacts of the modern world to develop and build.

2. Introduction to Papers

The opening paper fortuitously appeared in a recent issue of Scientific American as the editors were casting about for a way to incorporate a recent rash of high-publicity software problems into the motivation for this tutorial. The paper defines and presents essentially all the major issues currently plaguing software development and maintenance. The article is "popular" rather than technical in the sense that it is journalistic in style and focuses on popular perceptions of software as "black magic," but it raises many issues that software professionals need to be familiar with. It is also worth noting that many of the problems described are partly or largely due to non-software issues such as politics, funding, and external constraints, but again the software professional needs to know that problems unrelated to software engineering must be overcome if software projects are to be successful.

The term "software crisis" not unexpectedly originated with the military, for that is where large, complex "real-time" software was first developed. More recently, as civilian and commercial software systems have approached and exceeded military systems in size, complexity, and performance requirements, the "software crisis" has occurred in these environments as well. It is noteworthy that the Scientific American article mentions military systems only peripherally.

The article begins with a discussion of the highly-publicized and software-related failure of the baggage system at the new Denver International Airport. As of the date of the article, opening of the airport had been delayed four times, for almost a year, at a cost to the airport authority of over $1 million a day.

Almost as visible in recent months, and also mentioned in the article, are failures of software development for the Department of Motor Vehicles (DMV) of the State of California, and for the advanced air traffic control system of the US Federal Aviation Administration (FAA). The DMV project involved attempts to merge existing, separately developed systems that managed driver's licenses and vehicle registrations. As has been pointed out in the press [2], the State of California has had problems with computer projects of over $1 billion in value, and the problems resulted from the acquisition policies of the State of California (how contractors and consultants are selected and managed by the State), and from hardware-software integration difficulties, as well as from causes strictly related to software development.

The article identifies the first use of the term "software engineering" in a 1968 conference of the NATO Science Committee in Garmisch, Germany. (See also the Bauer article in this Tutorial.) Many approaches that have been proposed to improve software development are discussed; the author feels that most of these ideas have not lived up to the expectations of their originators. Also discussed is the idea that there are no "silver bullets." (See the article by Brooks in this chapter.)

The Scientific American article looks favorably on the use of formal specification methods to solve the problem of software quality, and on "software reuse" (the ability to use a software product developed for one application again later for another application) to solve the productivity or cost problem.

The Software Engineering Institute's Capability Maturity Model was also favorably mentioned (see the article by Paulk, Curtis, Chrissis, and Weber in this Tutorial) as a motivation to software developers to improve their practices. The paper reports an SEI finding that approximately 75 percent of all software developers do not have any formal process or any productivity or quality metrics.

Because software development depends on an educated workforce and good communications rather than on a fixed plant of any kind, software is inherently a suitable export product for developing countries. Although the US is still strong in software design and project management, the article notes that third world countries—notably India and Far Eastern countries—are capable of producing many more "lines of code" per dollar.

A sidebar by Dr. Mary Shaw provides a view of software engineering's history, and of how that history may serve as a roadmap for software engineering's future. Finally, the paper urges education of computer science students in software engineering as an essential step toward resolving the software crisis.

The second and last article in this chapter, "No Silver Bullets: Essence and Accidents of Software Engineering," is by Fred Brooks, one of the legendary figures in software engineering. He has been called the father of software engineering project management in the United States. He worked at IBM in the 1960s and was the software project manager for the OS/360 operating system.

This paper, which he wrote in 1987, states that "no single technique exists to solve the software crisis, that there is no silver bullet." The easy problems ("accidents") have been solved and the remaining difficulties are "essential." He views the solution to the software crisis as a collection of many software engineering tools and techniques that, used in combination, will reduce or eliminate software problems. Although Brooks sees no single solution to the software crisis, no single technology or management technique, he does see encouragement for the future through disciplined, consistent efforts to develop, propagate, and exploit many of the software tools and techniques that are being developed today. (In a report, also written in 1987 [3], Brooks states his belief that most software development problems of the US Department of Defense are managerial rather than technical.)

Brooks believes the hard part of building software is the specification and design of a system, not the coding and testing of the final product. As a result, he believes that building software will always be hard. There is no apparent simple solution. Brooks describes the three major advances in software development as:

• The use of high level languages
• The implementation of time-sharing to improve the productivity of programmers and the quality of their products
• Unified programming environment

Brooks also cites the Ada language, object-oriented programming, artificial intelligence, expert systems, and "automatic" programming (automated generation of code from system specification and design) as technologies with the potential for improving software. From the perspective of another eight years, the AI-related technologies for the most part have yet to fulfill the potential that Brooks saw for them in 1987.

1. Royce, Winston, "Current Problems," in Aerospace Software Engineering: A Collection of Concepts, edited by Christine Anderson and Merlin Dorfman, American Institute of Aeronautics, Inc., Washington DC, 1991.
2. "State Fears a Computer Nightmare; Costly 'Screw-Ups' Found in Many Government Projects," Sacramento Bee, Sacramento, Calif., June 16, 1994.
3. "Report of the Defense Science Board Task Force on Military Software," Office of the Under Secretary of Defense for Acquisition, Department of Defense, Washington, DC, Sept. 1987.

TRENDS IN COMPUTING

Software's Chronic Crisis


by W. Wayt Gibbs, staff writer

Denver's new international airport was to be the pride of the Rockies, a wonder of modern engineering. Twice the size of Manhattan, 10 times the breadth of Heathrow, the airport is big enough to land three jets simultaneously—in bad weather. Even more impressive than its girth is the airport's subterranean baggage-handling system. Tearing like intelligent coal-mine cars along 21 miles of steel track, 4,000 independent "telecars" route and deliver luggage between the counters, gates and claim areas of 20 different airlines. A central nervous system of some 100 computers networked to one another and to 5,000 electric eyes, 400 radio receivers and 56 bar-code scanners orchestrates the safe and timely arrival of every valise and ski bag.

At least that is the plan. For nine months, this Gulliver has been held captive by Lilliputians—errors in the software that controls its automated baggage system. Scheduled for takeoff by last Halloween, the airport's grand opening was postponed until December to allow BAE Automated Systems time to flush the gremlins out of its $193-million system. December yielded to March. March slipped to May. In June the airport's planners, their bond rating demoted to junk and their budget hemorrhaging red ink at the rate of $1.1 million a day in interest and operating costs, conceded that they could not predict when the baggage system would stabilize enough for the airport to open.

To veteran software developers, the Denver debacle is notable only for its visibility. Studies have shown that for every six new large-scale software systems that are put into operation, two others are canceled. The average software development project overshoots its schedule by half; larger projects generally do worse. And some three quarters of all large systems are "operating failures" that either do not function as intended or are not used at all.

The art of programming has taken 50 years of continual refinement to reach this stage. By the time it reached 25, the difficulties of building big software loomed so large that in the autumn of 1968 the NATO Science Committee convened some 50 top programmers, computer scientists and captains of industry to plot a course out of what had come to be known as the software crisis. Although the experts could not contrive a road map to guide the industry toward firmer ground, they did coin a name for that distant goal: software engineering, now defined formally as "the application of a systematic, disciplined, quantifiable approach to the development, operation and maintenance of software."

A quarter of a century later software engineering remains a term of aspiration. The vast majority of computer code is still handcrafted from raw programming languages by artisans using techniques they neither measure nor are able to repeat consistently. "It's like musket making was before Eli Whitney," says Brad J. Cox, a professor at George Mason University. "Before the industrial revolution, there was a nonspecialized approach to manufacturing goods that involved very little interchangeability and a maximum of craftsmanship. If we are ever going to lick this software crisis, we're going to have to stop this hand-to-mouth, every-programmer-builds-everything-from-the-ground-up, preindustrial approach."

The picture is not entirely bleak. Intuition is slowly yielding to analysis as programmers begin using quantitative measurements of the quality of the software they produce to improve

"Software's Chronic Crisis" by W.W. Gibbs from Scientific American, Sept. 1994, pp. 86-95.
Reprinted with permission. Copyright © 1994 by Scientific American, Inc. All rights reserved.

the way they produce it. The mathematical foundations of programming are solidifying as researchers work on ways of expressing program designs in algebraic forms that make it easier to avoid serious mistakes. Academic computer scientists are starting to address their failure to produce a solid corps of software professionals. Perhaps most important, many in the industry are turning their attention toward inventing the technology and market structures needed to support interchangeable, reusable software parts.

"Unfortunately, the industry does not uniformly apply that which is well-known best practice," laments Larry E. Druffel, director of Carnegie Mellon University's Software Engineering Institute. In fact, a research innovation typically requires 18 years to wend its way into the repertoire of standard programming techniques. By combining their efforts, academia, industry and government may be able to hoist software development to the level of an industrial-age engineering discipline within the decade. If they come up short, society's headlong rush into the information age will be halting and unpredictable at best.

Shifting Sands

"We will see massive changes [in computer use] over the next few years, causing the initial personal computer revolution to pale into comparative insignificance," concluded 22 leaders in software development from academia, industry and research laboratories this past April. The experts gathered at Hedsor Park, a corporate retreat near London, to commemorate the NATO conference and to analyze the future directions of software. "In 1968 we knew what we wanted to build but couldn't," reflected Cliff Jones, a professor at the University of Manchester. "Today we are standing on shifting sands."

The foundations of traditional programming practices are eroding swiftly, as hardware engineers churn out ever faster, cheaper and smaller machines. Many fundamental assumptions that programmers make—for instance, their acceptance that everything they produce will have defects—must change in response. "When computers are embedded in light switches, you've got to get the software right the first time because you're not going to have a chance to update it," says Mary M. Shaw, a professor at Carnegie Mellon.

"The amount of code in most consumer products is doubling every two years," notes Remi H. Bourgonjon, director of software technology at Philips Research Laboratory in Eindhoven. Already, he reports, televisions may contain up to 500 kilobytes of software; an electric shaver, two kilobytes. The power trains in new General Motors cars run 30,000 lines of computer code.

[Figure: three charts. Top: U.S. manned spaceflight program (Mercury, Gemini, Apollo, Space Shuttle, Space Station), 1960 to 2000; source: Barry W. Boehm. Middle: U.S. average project schedule, planned versus actual, in months; source: Software Productivity Research. Bottom: U.S. average cancellation probability, in percent; source: Software Productivity Research.]

SOFTWARE IS EXPLODING in size as society comes to rely on more powerful computer systems (top). That faith is often rewarded by disappointment as most large software projects overrun their schedules (middle) and many fail outright (bottom)—usually after most of the development money has been spent.

Getting software right the first time is hard even for those who care to try. The Department of Defense applies rigorous—and expensive—testing standards to ensure that software on which a mission depends is reliable. Those standards were used to certify Clementine, a satellite that the DOD and the National Aeronautics and Space Administration directed into lunar orbit this past spring. A major part of the Clementine mission was to test targeting software that could one day be used in a space-based missile defense system. But when the satellite was spun around and instructed to fix the moon in its sights, a bug in its program caused the spacecraft instead to fire its maneuvering thrusters continuously for 11 minutes. Out of fuel and spinning wildly, the satellite could not make its rendezvous with the asteroid Geographos.

Errors in real-time systems such as Clementine are devilishly difficult to spot because, like that suspicious sound in your car engine, they often occur only when conditions are just so [see "The Risks of Software," by Bev Littlewood and Lorenzo Strigini; SCIENTIFIC AMERICAN, November 1992]. "It is not clear that the methods that are currently used for producing safety-critical software, such as that in nuclear reactors or in cars, will evolve and scale up adequately to match our future expectations," warned Gilles Kahn, the scientific director of France's INRIA research laboratory, at the Hedsor Park meeting. "On the contrary, for real-time systems I think we are at a fracture point."

Software is buckling as well under tectonic stresses imposed by the inexorably growing demand for "distributed systems": programs that run cooperatively on many networked computers. Businesses are pouring capital into distributed information systems that they hope to wield as strategic weapons. The inconstancy of software development can turn such projects into Russian roulette.

Many companies are lured by goals that seem simple enough. Some try to reincarnate obsolete mainframe-based software in distributed form. Others want to plug their existing systems into one another or into new systems with which they can share data and a friendlier user interface. In the technical lingo, connecting programs in this way is often called systems integration. But Brian Randell, a computer scientist at the University of Newcastle upon Tyne, suggests that "there is a better word than integration, from old R.A.F. slang: namely, 'to graunch,' which means 'to make to fit by the use of excessive force.' "

It is a risky business, for although

software seems like malleable stuff, most programs are actually intricate plexuses of brittle logic through which data of only the right kind may pass. Like handmade muskets, several programs may perform similar functions and yet still be unique in design. That makes software difficult to modify and repair. It also means that attempts to graunch systems together often end badly.

In 1987, for example, California's Department of Motor Vehicles decided to make its customers' lives easier by merging the state's driver and vehicle registration systems—a seemingly straightforward task. It had hoped to unveil convenient one-stop renewal kiosks last year. Instead the DMV saw the projected cost explode to 6.5 times the expected price and the delivery date recede to 1998. In December the agency pulled the plug and walked away from the seven-year, $44.3-million investment.

Sometimes nothing fails like success. In the 1970s American Airlines constructed SABRE, a virtuosic, $2-billion flight reservation system that became part of the travel industry's infrastructure. "SABRE was the shining example of a strategic information system because it drove American to being the world's largest airline," recalls Bill Curtis, a consultant to the Software Engineering Institute.

Intent on brandishing software as effectively in this decade, American tried to graunch its flight-booking technology with the hotel and car reservation systems of Marriott, Hilton and Budget. In 1992 the project collapsed into a heap of litigation. "It was a smashing failure," Curtis says. "American wrote off $165 million against that system."

The airline is hardly suffering alone. In June IBM's Consulting Group released the results of a survey of 24 leading companies that had developed large distributed systems. The numbers were unsettling: 55 percent of the projects cost more than expected, 68 percent overran their schedules and 88 percent had to be substantially redesigned.

The survey did not report one critical statistic: how reliably the completed programs ran. Often systems crash because they fail to expect the unexpected. Networks amplify this problem. "Distributed systems can consist of a great set of interconnected single points of failure, many of which you have not identified beforehand," Randell explains. "The complexity and fragility of these systems pose a major challenge."

The challenge of complexity is not only large but also growing. The bang that computers deliver per buck is doubling every 18 months or so. One result is "an order of magnitude growth in system size every decade—for some industries, every half decade," Curtis says. To keep up with such demand, programmers will have to change the way that they work. "You can't build skyscrapers using carpenters," Curtis quips.

Mayday, Mayday

When a system becomes so complex that no one manager can comprehend the entirety, traditional development processes break down. The Federal Aviation Administration (FAA) has faced this problem throughout its decade-old attempt to replace the nation's increasingly obsolete air-traffic control system [see "Aging Airways," by Gary Stix; SCIENTIFIC AMERICAN, May].

The replacement, called the Advanced Automation System (AAS), combines all the challenges of computing in the 1990s. A program that is more than a million lines in size is distributed across hundreds of computers and embedded into new and sophisticated hardware, all of which must respond around the clock to unpredictable real-time events. Even a small glitch potentially threatens public safety.

To realize its technological dream, the FAA chose IBM's Federal Systems Company, a well-respected leader in software development that has since been purchased by Loral. FAA managers expected (but did not demand) that IBM would use state-of-the-art techniques to estimate the cost and length of the project. They assumed that IBM would screen the requirements and design drawn up for the system in order to catch mistakes early, when they can be fixed in hours rather than days. And the FAA conservatively expected to pay about $500 per line of computer code, five times the industry average for well-managed development processes.

According to a report on the AAS project released in May by the Center for Naval Analysis, IBM's "cost estimation and development process tracking used inappropriate data, were performed inconsistently and were routinely ignored" by project managers. As a result, the FAA has been paying $700 to $900 per line for the AAS software. One reason for the exorbitant price is that "on average every line of code developed needs to be rewritten once," bemoaned an internal FAA report.

Alarmed by skyrocketing costs and tests that showed the half-completed system to be unreliable, FAA administrator David R. Hinson decided in June to cancel two of the four major parts of the AAS and to scale back a third. The $144 million spent on these failed programs is but a drop next to the $1.4 billion invested in the fourth and central piece: new workstation software for air-traffic controllers.

That project is also spiraling down the drain. Now running about five years late and more than $1 billion over budget, the bug-infested program is being scoured by software experts at Carnegie Mellon and the Massachusetts Institute of Technology to determine whether it can be salvaged or must be canceled outright. The reviewers are scheduled to make their report in September.

Disaster will become an increasingly common and disruptive part of software development unless programming takes on more of the characteristics of an engineering discipline rooted firmly in science and mathematics [see box on page 92]. Fortunately, that trend has already begun. Over the past decade industry leaders have made significant progress toward understanding how to measure, consistently and quantitatively, the chaos of their development processes, the density of errors in their products and the stagnation of their programmers' productivity. Researchers are already taking the next step: finding practical, repeatable solutions to these problems.

Proceeds of Process

In 1991, for example, the Software Engineering Institute, a software think tank funded by the military, unveiled its Capability Maturity Model (CMM). "It provides a vision of software engineering and management excellence," beams David Zubrow, who leads a project on empirical methods at the institute. The CMM has at last persuaded many programmers to concentrate on measuring the process by which they produce software, a prerequisite for any industrial engineering discipline.

Using interviews, questionnaires and the CMM as a benchmark, evaluators can grade the ability of a programming team to create predictably software that meets its customers' needs. The CMM uses a five-level scale, ranging from chaos at level 1 to the paragon of good management at level 5. To date, 261 organizations have been rated.

"The vast majority—about 75 percent—are still stuck in level 1," Curtis reports. "They have no formal process,

no measurements of what they do and no way of knowing when they are on the wrong track or off the track altogether." (The Center for Naval Analysis concluded that the AAS project at IBM Federal Systems "appears to be at a low 1 rating.") The remaining 24 percent of projects are at levels 2 or 3.

Only two elite groups have earned the highest CMM rating, a level 5. Motorola's Indian programming team in Bangalore holds one title. Loral's (formerly IBM's) on-board space shuttle software project claims the other. The Loral team has learned to control bugs so well that it can reliably predict how many will be found in each new version of the software. That is a remarkable feat, considering that 90 percent of American programmers do not even keep count of the mistakes they find, according to Capers Jones, chairman of Software Productivity Research. Of those who do, he says, few catch more than a third of the defects that are there.

Tom Peterson, head of Loral's shuttle software project, attributes its success to "a culture that tries to fix not just the bug but also the flaw in the testing process that allowed it to slip through." Yet some bugs inevitably escape detection. The first launch of the space shuttle in 1981 was aborted and delayed for two days because a glitch prevented the five on-board computers from synchronizing properly. Another flaw, this one in the shuttle's rendezvous program, jeopardized the Intelsat-6 satellite rescue mission in 1992.

Although the CMM is no panacea, its promotion by the Software Engineering Institute has persuaded a number of leading software companies that quantitative quality control can pay off in the long run. Raytheon's equipment division, for example, formed a "software engineering initiative" in 1988 after flunking the CMM test. The division began pouring $1 million per year into refining rigorous inspection and testing guidelines and training its 400 programmers to follow them.

Within three years the division had jumped two levels. By this past June, most projects—including complex radar and air-traffic control systems—were finishing ahead of schedule and under budget. Productivity has more than doubled. An analysis of avoided rework costs revealed a savings of $7.80 for every dollar invested in the initiative. Impressed by such successes, the U.S. Air Force has mandated that all its software developers must reach level 3 of the CMM by 1998. NASA is reportedly considering a similar policy.

Mathematical Re-creations

Even the best-laid designs can go awry, and errors will creep in so long as humans create programs. Bugs squashed early rarely threaten a project's deadline and budget, however. Devastating mistakes are nearly always those in the initial design that slip undetected into the final product.

Mass-market software producers, because they have no single customer to please, can take a belated and brute-force approach to bug removal: they release the faulty product as a "beta" version and let hordes of users dig up the glitches. According to Charles Simonyi, a chief architect at Microsoft, the new version of the Windows operating system will be beta-tested by 20,000 volunteers. That is remarkably effective, but also expensive, inefficient and—since mass-produced PC products make up less than 10 percent of the $92.8-billion software market in the U.S.—usually impractical.

Researchers are thus formulating several strategies to attack bugs early or to avoid introducing them at all. One idea is to recognize that the problem a system is supposed to solve always changes as the system is being built. Denver's airport planners saddled BAE with $20 million worth of changes to the design of its baggage system long after construction had begun. IBM has been similarly bedeviled by the indecision of FAA managers. Both companies naively assumed that once their design was approved, they would be left in peace to build it.

Some developers are at last shedding that illusion and rethinking software as something to be grown rather than built. As a first step, programmers are increasingly stitching together quick prototypes out of standard graphic interface components. Like an architect's scale model, a system prototype can help clear up misunderstandings between customer and developer before a logical foundation is poured.

Because they mimic only the outward behavior of systems, prototypes are of little help in spotting logical inconsistencies in a system's design. "The vast majority of errors in large-scale software are errors of omission," notes Laszlo A. Belady, director of Mitsubishi Electric Research Laboratory. And models do not make it any easier to detect bugs once a design is committed to code.

When it absolutely, positively has to be right, says Martyn Thomas, chairman of Praxis, a British software company, engineers rely on mathematical analysis to predict how their designs will behave in the real world. Unfortunately, the mathematics that describes physical systems does not apply within the synthetic binary universe of a computer program; discrete mathematics, a far less mature field, governs here. But using the still limited tools of set theory and predicate calculus, computer scientists have contrived ways to translate specifications and programs into the language of mathematics, where they can be analyzed with theoretical tools called formal methods.

[Figure: chart covering 1987 to 1994; source: Raytheon.]

RAYTHEON HAS SAVED $17.2 million in software costs since 1988, when its equipment division began using rigorous development processes that doubled its programmers' productivity and helped them to avoid making expensive mistakes.

Progress toward Professionalism
ENGINEERING EVOLUTION PARADIGM

CRAFT: Virtuosos and talented amateurs; Design uses intuition and brute force; Haphazard progress; Knowledge transmitted slowly and casually; Extravagant use of materials; Manufacture for use rather than for sale

COMMERCIALIZATION (entered through PRODUCTION): Skilled craftsmen; Established procedure; Pragmatic refinement; Training in mechanics; Economic concern for cost and supply of materials; Manufacture for sale

PROFESSIONAL ENGINEERING (entered through SCIENCE): Educated professionals; Analysis and theory; Progress relies on science; Analysis enables new applications; Market segmentation by product variety

Engineering disciplines share common stages in their evolution, observes Mary M. Shaw of Carnegie Mellon University. She spies interesting parallels between software engineering and chemical engineering, two fields that aspire to exploit on an industrial scale the processes that are discovered by small-scale research.

Like software developers, chemical engineers try to design processes to create safe, pure products as cheaply and quickly as possible. Unlike most programmers, however, chemical engineers rely heavily on scientific theory, mathematical modeling, proven design solutions and rigorous quality-control methods—and their efforts usually succeed.

Software, Shaw points out, is somewhat less mature, more like a cottage industry than a professional engineering discipline. Although the demand for more sophisticated and reliable software has boosted some large-scale programming to the commercial stage, computer science (which is younger than many of its researchers) has yet to build the experimental foundation on which software engineering must rest.

CHEMICAL ENGINEERING (timeline across the stages CRAFT, PRODUCTION, COMMERCIALIZATION, SCIENCE and PROFESSIONAL ENGINEERING)

1300s: Alchemists discover alcohol
1700s: Lye boiled to make soap
Most dyes made from vegetables
1774: Joseph Priestley isolates oxygen
1775: French Academy offers reward for method to convert brine (salt) to soda ash (alkali)
1808: John Dalton publishes his atomic theory
1823: Nicolas Leblanc's industrial alkali process first put into operation
1850s: Pollution of British Midlands by alkali plants
1857: William Henry Perkin founds synthetic dye industry
1887: George E. Davis identifies functional operations
1915: Arthur D. Little refines and demonstrates unit operations
1922: Hermann Staudinger explains polymerization
1994: Du Pont operates chemical megaplants

SOFTWARE ENGINEERING (timeline across the stages CRAFT, PRODUCTION, COMMERCIALIZATION, SCIENCE and PROFESSIONAL ENGINEERING)

1950s: Programs are small and intuitive
1956: IBM invents FORTRAN
1968: Donald E. Knuth publishes his theory of algorithms and data structures
1970s: Structured programming methods gain favor
1970s: SABRE airline reservation system is rare success
1972: Smalltalk object-oriented language released
1980s: Formal methods and notations refined
1980s: Fourth-generation languages released
1980s: Most government and management information systems use some production controls
Some safety-critical systems (such as in defense and transportation) use rigorous controls
1990s: Reuse repositories founded
1990s: Most personal computer software is still handcrafted
1994: Isolated examples only of algorithms, data structures, compiler construction

Praxis recently used formal methods on an air-traffic control project for Britain's Civil Aviation Authority. Although Praxis's program was much smaller than the FAA's, the two shared a similar design problem: the need to keep redundant systems synchronized so that if one fails, another can instantly take over. "The difficult part was guaranteeing that messages are delivered in the proper order over twin networks," recalls Anthony Hall, a principal consultant to Praxis. "So here we tried to carry out proofs of our design, and they failed, because the design was wrong. The benefit of finding errors at that early stage is enormous," he adds. The system was finished on time and put into operation last October.

Praxis used formal notations on only the most critical parts of its software, but other software firms have employed mathematical rigor throughout the entire development of a system. GEC Alsthom in Paris is using a formal method called "B" as it spends $350 million to upgrade the switching- and speed-control software that guides the 6,000 electric trains in France's national railway system. By increasing the speed of the trains and reducing the distance between them, the system can save the railway company billions of dollars that might otherwise need to be spent on new lines.

Safety was an obvious concern. So GEC developers wrote the entire design and final program in formal notation and then used mathematics to prove them consistent. "Functional tests are still necessary, however, for two reasons," says Fernando Mejia, manager of the formal development section at GEC. First, programmers do occasionally make mistakes in proofs. Secondly, formal methods can guarantee only that software meets its specification, not that it can handle the surprises of the real world.

Formal methods have other problems as well. Ted Ralston, director of strategic planning for Odyssey Research Associates in Ithaca, N.Y., points out that reading pages of algebraic formulas is even more stultifying than reviewing computer code. Odyssey is just one of several companies that are trying to automate formal methods to make them less onerous to programmers. GEC is collaborating with Digilog in France to commercialize programming tools for the B method. The beta version is being tested by seven companies and institutions, including Aerospatiale, as well as France's atomic energy authority and its defense department.

On the other side of the Atlantic, formal methods by themselves have yet to catch on. "I am skeptical that Americans are sufficiently disciplined to apply formal methods in any broad fashion," says David A. Fisher of the National Institute of Standards and Technology (NIST). There are exceptions, however, most notably among the growing circle of companies experimenting with the "clean-room approach" to programming.

The clean-room process attempts to meld formal notations, correctness proofs and statistical quality control with an evolutionary approach to software development. Like the microchip manufacturing technique from which it takes its name, clean-room development tries to use rigorous engineering techniques to consistently fabricate products that run perfectly the first time. Programmers grow systems one function at a time and certify the quality of each unit before integrating it into the architecture.

Growing software requires a whole new approach to testing. Traditionally, developers test a program by running it the way they intend it to be used, which often bears scant resemblance to real-world conditions. In a clean-room process, programmers try to assign a probability to every execution path—correct and incorrect—that users can take. They then derive test cases from those statistical data, so that the most common paths are tested more thoroughly. Next the program runs through each test case and times how long it takes to fail. Those times are then fed back, in true engineering fashion, to a model that calculates how reliable the program is.

Early adopters report encouraging results. Ericsson Telecom, the European telecommunications giant, used clean-room processes on a 70-programmer project to fabricate an operating system for its telephone-switching computers. Errors were reportedly reduced to just one per 1,000 lines of program code; the industry average is about 25 times higher. Perhaps more important, the company found that development productivity increased by 70 percent, and testing productivity doubled.

No Silver Bullet

Then again, the industry has heard tell many times before of "silver bullets" supposedly able to slay werewolf projects. Since the 1960s developers have peddled dozens of technological innovations intended to boost productivity—many have even presented demonstration projects to "prove" the verity of their boasts. Advocates of object-oriented analysis and programming, a buzzword du jour, claim their approach represents a paradigm shift that will deliver "a 14-to-1 improvement in productivity," along with higher quality and easier maintenance, all at reduced cost.

There are reasons to be skeptical. "In the 1970s structured programming was also touted as a paradigm shift," Curtis recalls. "So was CASE [computer-assisted software engineering]. So were third-, fourth- and fifth-generation languages. We've heard great promises for technology, many of which weren't delivered."

Meanwhile productivity in software development has lagged behind that of more mature disciplines, most notably computer hardware engineering. "I think of software as a cargo cult," Cox says. "Our main accomplishments were imported from this foreign culture of hardware engineering—faster machines and more memory." Fisher tends to agree: adjusted for inflation, "the value added per worker in the industry has been at $40,000 for two decades," he asserts. "We're not seeing any increases."

"I don't believe that," replies Richard A. DeMillo, a professor at Purdue University and head of the Software Engineering Research Consortium. "There has been improvement, but everyone uses different definitions of productivity." A recent study published by Capers Jones—but based on necessarily dubious historical data—states that U.S. programmers churn out twice as much code today as they did in 1970.

The fact of the matter is that no one really knows how productive software developers are, for three reasons. First, less than 10 percent of American companies consistently measure the productivity of their programmers.

Second, the industry has yet to settle on a useful standard unit of measurement. Most reports, including those published in peer-reviewed computer science journals, express productivity in terms of lines of code per worker per month. But programs are written in a wide variety of languages and vary enormously in the complexity of their operation. Comparing the number of lines written by a Japanese programmer using C with the number produced by an American using Ada is thus like comparing their salaries without converting from yen to dollars.

Third, Fisher says, "you can walk into a typical company and find two guys sharing an office, getting the same salary and having essentially the same credentials and yet find a factor of 100 difference in the number of instructions per day that they produce." Such enormous individual differences tend to swamp the much smaller effects of technology or process improvements.

After 25 years of disappointment with apparent innovations that turned out to be irreproducible or unscalable, many researchers concede that computer science needs an experimental branch to separate the general results from the accidental. "There has always been this assumption that if I give you a method, it is right just because I told you so," complains Victor R. Basili, a professor at the University of Maryland. "People are developing all kinds of things, and it's really quite frightening how bad some of them are," he says.

Mary Shaw of Carnegie Mellon points out that mature engineering fields codify proved solutions in handbooks so that even novices can consistently handle routine designs, freeing more talented practitioners for advanced projects. No such handbook yet exists for software, so mistakes are repeated on project after project, year after year.

DeMillo suggests that the government should take a more active role. "The National Science Foundation should be interested in funding research aimed at verifying experimental results that have been claimed by other people," he says. "Currently, if it's not groundbreaking, first-time-ever-done research, program officers at the NSF tend to discount the work." DeMillo knows whereof he speaks. From 1989 to 1991 he directed the NSF's computer and computation research division.

Yet "if software engineering is to be an experimental science, that means it needs laboratory science. Where the heck are the laboratories?" Basili asks. Because attempts to scale promising technologies to industrial proportions so often fail, small laboratories are of limited utility. "We need to have places where we can gather data and try things out," DeMillo says. "The only way to do that is to have a real software development organization as a partner."

There have been only a few such partnerships. Perhaps the most successful is the Software Engineering Laboratory, a consortium of NASA's Goddard Space Flight Center, Computer Sciences Corp. and the University of Maryland. Basili helped to found the laboratory in 1976. Since then, graduate students and NASA programmers have collaborated on "well over 100 projects," Basili says, most having to do with building ground-support software for satellites.

Just Add Water

Musket makers did not get more productive until Eli Whitney figured out how to manufacture interchangeable parts that could be assembled by any skilled workman. In like manner, software parts can, if properly standardized, be reused at many different scales. Programmers have for decades used libraries of subroutines to avoid rewriting the same code over and over. But these components break down when they are moved to a different programming language, computer platform or operating environment. "The tragedy is that as hardware becomes obsolete, an excellent expression of a sorting algorithm written in the 1960s has to be rewritten," observes Simonyi of Microsoft.

Fisher sees tragedy of a different kind. "The real price we pay is that as a specialist in any software technology you cannot capture your special capability in a product. If you can't do that, you basically can't be a specialist." Not that some haven't tried. Before moving to NIST last year, Fisher founded and served as CEO of Incremental Systems. "We were truly world-class in three of the component technologies that go into compilers but were not as good in the other seven or so," he states. "But we found that there was no practical way of selling compiler components; we had to sell entire compilers."

So now he is doing something about that. In April, NIST announced that it was creating an Advanced Technology Program to help engender a market for component-based software. As head of the program, Fisher will be distributing $150 million in research grants to software companies willing to attack the technical obstacles that currently make software parts impractical.

The biggest challenge is to find ways of cutting the ties that inherently bind programs to specific computers and to other programs. Researchers are investigating several promising approaches, including a common language that could be used to describe software parts, programs that reshape components to match any environment, and components that have lots of optional features a user can turn on or off.

Fisher favors the idea that components should be synthesized on the fly. Programmers would "basically capture how to do it rather than actually doing it," producing a recipe that any computer could understand. "Then when you want to assemble two components, you would take this recipe and derive compatible versions by adding additional elements to their interfaces. The whole thing would be automated," he explains.

Even with a $150-million incentive and market pressures forcing companies to find cheaper ways of producing software, an industrial revolution in software is not imminent. "We expect to see only isolated examples of these technologies in five to seven years—and we may not succeed technically either," Fisher hedges. Even when the technology is ready, components will find few takers unless they can be made cost-effective. And the cost of software parts will depend less on the technology involved than on the kind of market that arises to produce and consume them.

Brad Cox, like Fisher, once ran a software component company and found it hard going. He believes he has figured out the problem—and its solution. Cox's firm tried to sell low-level program parts analogous to computer chips. "What's different between software ICs [integrated circuits] and silicon ICs is that silicon ICs are made of atoms, so they abide by conservation of mass, and people therefore know how to buy and sell them robustly," he says. "But this interchange process that is at the core of all commerce just does not work for things that can be copied in nanoseconds." When Cox tried selling the parts his programmers had created, he found that the price the market would bear was far too low for him to recover the costs of development.

The reasons were twofold. First, recasting the component by hand for each customer was time-consuming; NIST hopes to clear this barrier with its Advanced Technology Program. The other factor was not so much technical as cultural; buyers want to pay for a component once and make copies for free.

"The music industry has had about a century of experience with this very problem," Cox observes. "They used to sell tangible goods like piano rolls and sheet music, and then radio and television came along and knocked all that into a cocked hat." Music companies adapted to broadcasting by setting up agencies to collect royalties every time a song is aired and to funnel the money back to the artists and producers. Cox suggests similarly charging users each time they use a software component. "In fact," he says, "that model could work for software even more easily than for music, thanks to the infrastructure advantages that computers and communications give us. Record players don't have high-speed network links in them to report usage, but our computers do."

Or will, at least. Looking ahead to the time when nearly all computers are connected, Cox envisions distributing software of all kinds via networks that link component producers, end users and financial institutions. "It's analogous to a credit-card operation but with tentacles that reach into PCs," he says. Although that may sound ominous to some, Cox argues that "the Internet now is more like a garbage dump than a farmer's market. We need a national infrastructure that can support the distribution of everything from Grandma's cookie recipe to Apple's window managers to Addison-Wesley's electronic books." Recognizing the enormity of the cultural shift he is proposing, Cox expects to press his cause for years to come through the Coalition for Electronic Markets, of which he is president.

The combination of industrial process control, advanced technological tools and interchangeable parts promises to transform not only how programming is done but also who does it. Many of the experts who convened at Hedsor Park agreed with Belady that "in the future, professional people in most fields will use programming as a tool, but they won't call themselves programmers or think of themselves as spending their time programming. They will think they are doing architecture, or traffic planning or film making."

That possibility begs the question of who is qualified to build important systems. Today anyone can bill herself as a software engineer. "But when you have 100 million user-programmers, frequently they will be doing things that are life critical—building applications that fill prescriptions, for example," notes Barry W. Boehm, director of the Center for Software Engineering at the University of Southern California. Boehm is one of an increasing number who suggest certifying software engineers, as is done in other engineering fields.

Of course, certification helps only if programmers are properly trained to begin with. Currently only 28 universities offer graduate programs in software engineering; five years ago there were just 10. None offer undergraduate degrees. Even academics such as Shaw, DeMillo and Basili agree that computer science curricula generally provide poor preparation for industrial software development. "Basic things like designing code inspections, producing user documentation and maintaining aging software are not covered in academia," Capers Jones laments.

Engineers, the infantry of every industrial revolution, do not spontaneously generate. They are trained out of the bad habits developed by the craftsmen that preceded them. Until the lessons of computer science inculcate a desire not merely to build better things but also to build things better, the best we can expect is that software development will undergo a slow, and probably painful, industrial evolution.

A Developing World

Since the invention of computers, Americans have dominated the software market. Microsoft alone produces more computer code each year than do any of 100 nations, according to Capers Jones of Software Productivity Research in Burlington, Mass. U.S. suppliers hold about 70 percent of the worldwide software market.

But as international networks sprout and large corporations deflate, India, Hungary, Russia, the Philippines and other poorer nations are discovering in software a lucrative industry that requires the one resource in which they are rich: an underemployed, well-educated labor force. American and European giants are now competing with upstart Asian development companies for contracts, and in response many are forming subsidiaries overseas. Indeed, some managers in the trade predict that software development will gradually split between Western software engineers who design systems and Eastern programmers who build them.

"In fact, it is going on already," says Laszlo A. Belady, director of Mitsubishi Electric Research Laboratory. AT&T, Hewlett-Packard, IBM, British Telecom and Texas Instruments have all set up programming teams in India. The Pact Group in Lyons, France, reportedly maintains a "software factory" in Manila. "Cadence, the U.S. supplier of VLSI design tools, has had its software development sited on the Pacific rim for several years," reports Martyn Thomas, chairman of Praxis. "ACT, a U.K.-based systems house, is using Russian programmers from the former Soviet space program," he adds.

So far India's star has risen fastest. "Offshore development [work commissioned in India by foreign companies] has begun to take off in the past 13 to 24 months," says Rajendra S. Pawar, head of New Delhi-based NIIT, which has graduated 200,000 Indians from its programming courses. Indeed, India's software exports have seen a compound annual growth of 38 percent over the past five years; last year they jumped 60 percent—four times the average growth rate worldwide.

About 58 percent of the $360-million worth of software that flowed out of India last year ended up in the U.S. That tiny drop hardly makes a splash in a $92.8-billion market. But several trends may propel exports beyond the $1-billion mark as early as 1997.

The single most important factor, Pawar asserts, is the support of the Indian government, which has eased tariffs and restrictions, subsidized numerous software technology parks and export zones, and doled out five-year tax exemptions to software exporters. "The opening of the Indian economy is acting as a very big catalyst," Pawar says.

It certainly seems to have attracted the attention of large multinational firms eager to reduce both the cost of the software they need and the amount they build in-house. The primary cost of software is labor. Indian programmers come so cheap—$125 per unit of software versus $925 for an American developer, according to Jones—that some companies fly an entire team to the U.S. to work on a project. More than half of India's software exports come from such "body shopping," although tightened U.S. visa restrictions are stanching this flow.

Another factor, Pawar observes, is a growing trust in the quality of overseas project management. "In the past two years, American companies have become far more comfortable with the offshore concept," he says. This is a result in part of success stories from leaders like Citicorp, which develops banking systems in Bombay, and Motorola, which has a top-rated team of more than 150 programmers in Bangalore building software for its Iridium satellite network.

Offshore development certainly costs less than body shopping, and not merely because of saved airfare. "Thanks to the time differences between India and the U.S., Indian software developers can act the elves and the shoemaker," working overnight on changes requested by managers the previous day, notes Richard Heeks, who studies Asian computer industries at the University of Manchester in England.

Price is not everything. Most Eastern nations are still weak in design and management skills. "The U.S. still has the best system architects in the world," boasts Bill Curtis of the Software Engineering Institute. "At large systems, nobody touches us." But when it comes to just writing program code, the American hegemony may be drawing to a close.

[Bar chart: INDIA'S SOFTWARE EXPORTS (MILLIONS OF U.S. DOLLARS), 1985 to 1997. SOURCES: NIIT, NASSCOM]

FURTHER READING

ENCYCLOPEDIA OF SOFTWARE ENGINEERING. Edited by John J. Marciniak. John Wiley & Sons, 1994.

SOFTWARE 2000: A VIEW OF THE FUTURE. Edited by Brian Randell, Gill Ringland and Bill Wulf. ICL and the Commission of European Communities, 1994.

FORMAL METHODS: A VIRTUAL LIBRARY. Jonathan Bowen. Available in hypertext on the World Wide Web as http://www.comlab.ox.ac.uk/archive/formal-methods.html

No Silver Bullet
Essence and Accidents of Software Engineering

Frederick P. Brooks, Jr.
University of North Carolina at Chapel Hill

This article was first published in Information Processing '86, ISBN No. 0-444-70077-3, H.-J. Kugler, ed., Elsevier Science Publishers B.V. (North-Holland) © IFIP 1986.

Reprinted from Computer, Vol. 20, No. 4, Apr. 1987, pp. 10-19.
Copyright © 1987 by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved.

Fashioning complex conceptual constructs is the essence; accidental tasks arise in representing the constructs in language. Past progress has so reduced the accidental tasks that future progress now depends upon addressing the essence.

Of all the monsters that fill the nightmares of our folklore, none terrify more than werewolves, because they transform unexpectedly from the familiar into horrors. For these, one seeks bullets of silver that can magically lay them to rest.

The familiar software project, at least as seen by the nontechnical manager, has something of this character; it is usually innocent and straightforward, but is capable of becoming a monster of missed schedules, blown budgets, and flawed products. So we hear desperate cries for a silver bullet—something to make software costs drop as rapidly as computer hardware costs do.

But, as we look to the horizon of a decade hence, we see no silver bullet. There is no single development, in either technology or in management technique, that by itself promises even one order-of-magnitude improvement in productivity, in reliability, in simplicity. In this article, I shall try to show why, by examining both the nature of the software problem and the properties of the bullets proposed.

Skepticism is not pessimism, however. Although we see no startling breakthroughs—and indeed, I believe such to be inconsistent with the nature of software—many encouraging innovations are under way. A disciplined, consistent effort to develop, propagate, and exploit these innovations should indeed yield an order-of-magnitude improvement. There is no royal road, but there is a road.

The first step toward the management of disease was replacement of demon theories and humours theories by the germ theory. That very step, the beginning of hope, in itself dashed all hopes of magical solutions. It told workers that progress would be made stepwise, at great effort, and that a persistent, unremitting care would have to be paid to a discipline of cleanliness. So it is with software engineering today.

Does it have to be hard?—Essential difficulties

Not only are there no silver bullets now in view, the very nature of software makes it unlikely that there will be any—no inventions that will do for software productivity, reliability, and simplicity what electronics, transistors, and large-scale integration did for computer hardware.
We cannot expect ever to see twofold gains every two years.

First, one must observe that the anomaly is not that software progress is so slow, but that computer hardware progress is so fast. No other technology since civilization began has seen six orders of magnitude in performance-price gain in 30 years. In no other technology can one choose to take the gain in either improved performance or in reduced costs. These gains flow from the transformation of computer manufacture from an assembly industry into a process industry.

Second, to see what rate of progress one can expect in software technology, let us examine the difficulties of that technology. Following Aristotle, I divide them into essence, the difficulties inherent in the nature of software, and accidents, those difficulties that today attend its production but are not inherent.

The essence of a software entity is a construct of interlocking concepts: data sets, relationships among data items, algorithms, and invocations of functions. This essence is abstract in that such a conceptual construct is the same under many different representations. It is nonetheless highly precise and richly detailed.

I believe the hard part of building software to be the specification, design, and testing of this conceptual construct, not the labor of representing it and testing the fidelity of the representation. We still make syntax errors, to be sure; but they are fuzz compared with the conceptual errors in most systems.

If this is true, building software will always be hard. There is inherently no silver bullet.

Let us consider the inherent properties of this irreducible essence of modern software systems: complexity, conformity, changeability, and invisibility.

Complexity. Software entities are more complex for their size than perhaps any other human construct because no two parts are alike (at least above the statement level). If they are, we make the two similar parts into a subroutine—open or closed. In this respect, software systems differ profoundly from computers, buildings, or automobiles, where repeated elements abound.

Digital computers are themselves more complex than most things people build: They have very large numbers of states. This makes conceiving, describing, and testing them hard. Software systems have orders-of-magnitude more states than computers do.

Likewise, a scaling-up of a software entity is not merely a repetition of the same elements in larger sizes, it is necessarily an increase in the number of different elements. In most cases, the elements interact with each other in some nonlinear fashion, and the complexity of the whole increases much more than linearly.

The complexity of software is an essential property, not an accidental one. Hence, descriptions of a software entity that abstract away its complexity often abstract away its essence. For three centuries, mathematics and the physical sciences made great strides by constructing simplified models of complex phenomena, deriving properties from the models, and verifying those properties by experiment. This paradigm worked because the complexities ignored in the models were not the essential properties of the phenomena. It does not work when the complexities are the essence.

Many of the classic problems of developing software products derive from this essential complexity and its nonlinear increases with size. From the complexity comes the difficulty of communication among team members, which leads to product flaws, cost overruns, schedule delays. From the complexity comes the difficulty of enumerating, much less understanding, all the possible states of the program, and from that comes the unreliability. From complexity of function comes the difficulty of invoking function, which makes programs hard to use. From complexity of structure comes the difficulty of extending programs to new functions without creating side effects. From complexity of structure come the unvisualized states that constitute security trapdoors.

Not only technical problems, but management problems as well come from the complexity. It makes overview hard, thus impeding conceptual integrity. It makes it hard to find and control all the loose ends. It creates the tremendous learning and understanding burden that makes personnel turnover a disaster.

Conformity. Software people are not alone in facing complexity. Physics deals

14
with terribly complex objects even at the "fundamental" particle level. The physicist labors on, however, in a firm faith that there are unifying principles to be found, whether in quarks or in unified-field theories. Einstein argued that there must be simplified explanations of nature, because God is not capricious or arbitrary.

No such faith comforts the software engineer. Much of the complexity that he must master is arbitrary complexity, forced without rhyme or reason by the many human institutions and systems to which his interfaces must conform. These differ from interface to interface, and from time to time, not because of necessity but only because they were designed by different people, rather than by God.

In many cases, the software must conform because it is the most recent arrival on the scene. In others, it must conform because it is perceived as the most conformable. But in all cases, much complexity comes from conformation to other interfaces; this complexity cannot be simplified out by any redesign of the software alone.

Changeability. The software entity is constantly subject to pressures for change. Of course, so are buildings, cars, computers. But manufactured things are infrequently changed after manufacture; they are superseded by later models, or essential changes are incorporated into later-serial-number copies of the same basic design. Call-backs of automobiles are really quite infrequent; field changes of computers somewhat less so. Both are much less frequent than modifications to fielded software.

In part, this is so because the software of a system embodies its function, and the function is the part that most feels the pressures of change. In part it is because software can be changed more easily—it is pure thought-stuff, infinitely malleable. Buildings do in fact get changed, but the high costs of change, understood by all, serve to dampen the whims of the changers.

All successful software gets changed. Two processes are at work. First, as a software product is found to be useful, people try it in new cases at the edge of or beyond the original domain. The pressures for extended function come chiefly from users who like the basic function and invent new uses for it.

Second, successful software survives beyond the normal life of the machine vehicle for which it is first written. If not new computers, then at least new disks, new displays, new printers come along; and the software must be conformed to its new vehicles of opportunity.

In short, the software product is embedded in a cultural matrix of applications, users, laws, and machine vehicles. These all change continually, and their changes inexorably force change upon the software product.

Invisibility. Software is invisible and unvisualizable. Geometric abstractions are powerful tools. The floor plan of a building helps both architect and client evaluate spaces, traffic flows, views. Contradictions and omissions become obvious. Scale drawings of mechanical parts and stick-figure models of molecules, although abstractions, serve the same purpose. A geometric reality is captured in a geometric abstraction.

The reality of software is not inherently embedded in space. Hence, it has no ready geometric representation in the way that land has maps, silicon chips have diagrams, computers have connectivity schematics. As soon as we attempt to diagram software structure, we find it to constitute not one, but several, general directed graphs superimposed one upon another. The several graphs may represent the flow of control, the flow of data, patterns of dependency, time sequence, name-space relationships. These graphs are usually not even planar, much less hierarchical. Indeed, one of the ways of establishing conceptual control over such structure is to enforce link cutting until one or more of the graphs becomes hierarchical.1

In spite of progress in restricting and simplifying the structures of software, they remain inherently unvisualizable, and thus do not permit the mind to use some of its most powerful conceptual tools. This lack not only impedes the process of design within one mind, it severely hinders communication among minds.

Past breakthroughs solved accidental difficulties

If we examine the three steps in software-technology development that have been most fruitful in the past, we discover that each attacked a different major difficulty in building software, but that those difficulties have been accidental, not essential, difficulties. We can also see the natural limits to the extrapolation of each such attack.

High-level languages. Surely the most powerful stroke for software productivity, reliability, and simplicity has been the progressive use of high-level languages for programming. Most observers credit that development with at least a factor of five in productivity, and with concomitant gains in reliability, simplicity, and comprehensibility.

What does a high-level language accomplish? It frees a program from much of its accidental complexity. An abstract program consists of conceptual constructs: operations, data types, sequences, and communication. The concrete machine program is concerned with bits, registers, conditions, branches, channels, disks, and such. To the extent that the high-level language embodies the constructs one wants in the abstract program and avoids all lower ones, it eliminates a whole level of complexity that was never inherent in the program at all.

The most a high-level language can do is to furnish all the constructs that the programmer imagines in the abstract program. To be sure, the level of our thinking about data structures, data types, and operations is steadily rising, but at an ever-decreasing rate. And language development approaches closer and closer to the sophistication of users.

Moreover, at some point the elaboration of a high-level language creates a tool-mastery burden that increases, not reduces, the intellectual task of the user who rarely uses the esoteric constructs.

Time-sharing. Time-sharing brought a major improvement in the productivity of programmers and in the quality of their product, although not so large as that
brought by high-level languages.

Time-sharing attacks a quite different difficulty. Time-sharing preserves immediacy, and hence enables one to maintain an overview of complexity. The slow turnaround of batch programming means that one inevitably forgets the minutiae, if not the very thrust, of what one was thinking when he stopped programming and called for compilation and execution. This interruption is costly in time, for one must refresh one's memory. The most serious effect may well be the decay of the grasp of all that is going on in a complex system.

Slow turnaround, like machine-language complexities, is an accidental rather than an essential difficulty of the software process. The limits of the potential contribution of time-sharing derive directly. The principal effect of time-sharing is to shorten system response time. As this response time goes to zero, at some point it passes the human threshold of noticeability, about 100 milliseconds. Beyond that threshold, no benefits are to be expected.

Unified programming environments. Unix and Interlisp, the first integrated programming environments to come into widespread use, seem to have improved productivity by integral factors. Why?

They attack the accidental difficulties that result from using individual programs together, by providing integrated libraries, unified file formats, and pipes and filters. As a result, conceptual structures that in principle could always call, feed, and use one another can indeed easily do so in practice.

This breakthrough in turn stimulated the development of whole toolbenches, since each new tool could be applied to any programs that used the standard formats.

Because of these successes, environments are the subject of much of today's software-engineering research. We look at their promise and limitations in the next section.

To slay the werewolf

Why a silver bullet? Magic, of course. Silver is identified with the moon and thus has magic properties. A silver bullet offers the fastest, most powerful, and safest way to slay the fast, powerful, and incredibly dangerous werewolf. And what could be more natural than using the moon-metal to destroy a creature transformed under the light of the full moon?

The legend of the werewolf is probably one of the oldest monster legends around. Herodotus in the fifth century BC gave us the first written report of werewolves when he mentioned a tribe north of the Black Sea, called the Neuri, who supposedly turned into wolves a few days each year. Herodotus wrote that he didn't believe it.

Sceptics aside, many people have believed in people turning into wolves or other animals. In medieval Europe, some people were killed because they were thought to be werewolves. In those times, it didn't take being bitten by a werewolf to become one. A bargain with the devil, using a special potion, wearing a special belt, or being cursed by a witch could all turn a person into a werewolf. However, medieval werewolves could be hurt and killed by normal weapons. The problem was to overcome their strength and cunning.

Enter the fictional, not legendary, werewolf. The first major werewolf movie, The Werewolf of London, in 1935 created the two-legged man-wolf who changed into a monster when the moon was full. He became a werewolf after being bitten by one, and could be killed only with a silver bullet. Sound familiar?

Actually, we owe many of today's ideas about werewolves to Lon Chaney Jr.'s unforgettable 1941 portrayal in The Wolf Man. Subsequent films seldom strayed far from the mythology of the werewolf shown in that movie. But that movie strayed far from the original mythology of the werewolf.

Would you believe that before fiction took over the legend, werewolves weren't troubled by silver bullets? Vampires were the ones who couldn't stand them. Of course, if you rely on the legends, your only salvation if unarmed and attacked by a werewolf is to climb an ash tree or run into a field of rye. Not so easy to find in an urban setting, and hardly recognizable to the average movie audience.

What should you watch out for? People whose eyebrows grow together, whose index finger is longer than the middle finger, and who have hair growing on their palms. Red or black teeth are a definite signal of possible trouble.

Take warning, though. The same symptoms mark people suffering from hypertrichosis (people born with hair covering their bodies) or porphyria. In porphyria, a person's body produces toxins called porphyrins. Consequently, light becomes painful, the skin grows hair, and the teeth may turn red. Worse for the victim's reputation, his or her increasingly bizarre behavior makes people even more suspicious of the other symptoms. It seems very likely that the sufferers of this disease unwittingly contributed to the current legend, although in earlier times they were evidently not accused of murderous tendencies.

It is worth noting that the film tradition often makes the werewolf a rather sympathetic character, an innocent transformed against his (or rarely, her) will into a monster. As the gypsy said in The Wolf Man,

Even a man who is pure at heart,
And says his prayers at night,
Can become a wolf when the wolf bane blooms,
And the moon is full and bright.

— Nancy Hays
Assistant Editor

Hopes for the silver

Now let us consider the technical developments that are most often advanced as potential silver bullets. What problems do they address—the problems of essence, or the remaining accidental difficulties? Do they offer revolutionary advances, or incremental ones?

Ada and other high-level language advances. One of the most touted recent developments is Ada, a general-purpose high-level language of the 1980's. Ada not only reflects evolutionary improvements in language concepts, but indeed embodies features to encourage modern design and modularization. Perhaps the Ada philosophy is more of an advance than the Ada language, for it is the philosophy of modularization, of abstract data types, of hierarchical structuring. Ada is over-rich, a natural result of the process by which requirements were laid on its design. That is not fatal, for subsetted working vocabularies can solve the learning problem, and hardware advances will give us the cheap MIPS to pay for the compiling costs. Advancing the structuring of software systems is indeed a very good use for the increased MIPS our dollars will buy. Operating systems, loudly decried in the 1960's for their memory and cycle costs, have proved to be an excellent form in which to use some of the MIPS and cheap memory bytes of the past hardware surge.

Nevertheless, Ada will not prove to be the silver bullet that slays the software productivity monster. It is, after all, just another high-level language, and the biggest payoff from such languages came from the first transition—the transition up from the accidental complexities of the machine into the more abstract statement of step-by-step solutions. Once those accidents have been removed, the remaining ones will be smaller, and the payoff from their removal will surely be less.

I predict that a decade from now, when the effectiveness of Ada is assessed, it will be seen to have made a substantial difference, but not because of any particular language feature, nor indeed because of all of them combined. Neither will the new Ada environments prove to be the cause of the improvements. Ada's greatest contribution will be that switching to it occasioned training programmers in modern software-design techniques.

Object-oriented programming. Many students of the art hold out more hope for object-oriented programming than for any of the other technical fads of the day.2 I am among them. Mark Sherman of Dartmouth notes on CSnet News that one must be careful to distinguish two separate ideas that go under that name: abstract data types and hierarchical types. The concept of the abstract data type is that an object's type should be defined by a name, a set of proper values, and a set of proper operations rather than by its storage structure, which should be hidden. Examples are Ada packages (with private types) and Modula's modules.

Hierarchical types, such as Simula-67's classes, allow one to define general interfaces that can be further refined by providing subordinate types. The two concepts are orthogonal—one may have hierarchies without hiding and hiding without hierarchies. Both concepts represent real advances in the art of building software.

Each removes yet another accidental difficulty from the process, allowing the designer to express the essence of the design without having to express large amounts of syntactic material that add no information content. For both abstract types and hierarchical types, the result is to remove a higher-order kind of accidental difficulty and allow a higher-order expression of design.

Nevertheless, such advances can do no more than to remove all the accidental difficulties from the expression of the design. The complexity of the design itself is essential, and such attacks make no change whatever in that. An order-of-magnitude gain can be made by object-oriented programming only if the unnecessary type-specification underbrush still in our programming language is itself nine-tenths of the work involved in designing a program product. I doubt it.

Artificial intelligence. Many people expect advances in artificial intelligence to provide the revolutionary breakthrough that will give order-of-magnitude gains in software productivity and quality.3 I do not. To see why, we must dissect what is meant by "artificial intelligence."

D.L. Parnas has clarified the terminological chaos4:

    Two quite different definitions of AI are in common use today. AI-1: The use of computers to solve problems that previously could only be solved by applying human intelligence. AI-2: The use of a specific set of programming techniques known as heuristic or rule-based programming. In this approach human experts are studied to determine what heuristics or rules of thumb they use in solving problems... . The program is designed to solve a problem the way that humans seem to solve it.

    The first definition has a sliding meaning. . . . Something can fit the definition of AI-1 today but, once we see how the program works and understand the problem, we will not think of it as AI any more, . . . Unfortunately I cannot identify a body of technology that is unique to this field. . . . Most of the work is problem-specific, and some abstraction or creativity is required to see how to transfer it.

I agree completely with this critique. The techniques used for speech recognition seem to have little in common with those used for image recognition, and both are different from those used in expert systems. I have a hard time seeing how image recognition, for example, will make any appreciable difference in programming practice. The same problem is true of speech recognition. The hard thing about building software is deciding what one wants to say, not saying it. No facilitation of expression can give more than marginal gains.

Expert-systems technology, AI-2, deserves a section of its own.

Expert systems. The most advanced part of the artificial intelligence art, and the most widely applied, is the technology for building expert systems. Many software scientists are hard at work applying this technology to the software-building environment.3,5 What is the concept, and what are the prospects?

An expert system is a program that contains a generalized inference engine and a rule base, takes input data and assumptions, explores the inferences derivable from the rule base, yields conclusions and advice, and offers to explain its results by retracing its reasoning for the user. The inference engines typically can deal with fuzzy or probabilistic data and rules, in addition to purely deterministic logic.

Such systems offer some clear advantages over programmed algorithms designed for arriving at the same solutions to the same problems:

• Inference-engine technology is developed in an application-independent way, and then applied to many uses. One can justify much effort on the inference engines. Indeed, that technology is well advanced.

• The changeable parts of the application-peculiar materials are encoded in the rule base in a uniform fashion, and tools are provided for developing, changing, testing, and documenting the rule base. This regularizes much of the complexity of the application itself.

The power of such systems does not come from ever-fancier inference mechanisms, but rather from ever-richer knowledge bases that reflect the real world more accurately. I believe that the most important advance offered by the technology is the separation of the application complexity from the program itself.

How can this technology be applied to the software-engineering task? In many ways: Such systems can suggest interface rules, advise on testing strategies, remember bug-type frequencies, and offer optimization hints.

Consider an imaginary testing advisor, for example. In its most rudimentary form, the diagnostic expert system is very like a pilot's checklist, just enumerating suggestions as to possible causes of difficulty. As more and more system structure is embodied in the rule base, and as the rule base takes more sophisticated account of the trouble symptoms reported, the testing advisor becomes more and more particular in the hypotheses it generates and the tests it recommends. Such an expert system may depart most radically from the conventional ones in that its rule base should probably be hierarchically modularized in the same way the corresponding software product is, so that as the product is modularly modified, the diagnostic rule base can be modularly modified as well.

The work required to generate the diagnostic rules is work that would have to be done anyway in generating the set of test cases for the modules and for the system. If it is done in a suitably general manner, with both a uniform structure for rules and a good inference engine available, it may actually reduce the total labor of generating bring-up test cases, and help as well with lifelong maintenance and modification testing. In the same way, one can postulate other advisors, probably many and probably simple, for the other parts of the software-construction task.

Many difficulties stand in the way of the early realization of useful expert-system advisors to the program developer. A crucial part of our imaginary scenario is the development of easy ways to get from program-structure specification to the automatic or semiautomatic generation of diagnostic rules. Even more difficult and important is the twofold task of knowledge acquisition: finding articulate, self-analytical experts who know why they do things, and developing efficient techniques for extracting what they know and distilling it into rule bases. The essential prerequisite for building an expert system is to have an expert.

The most powerful contribution by expert systems will surely be to put at the service of the inexperienced programmer the experience and accumulated wisdom of the best programmers. This is no small contribution. The gap between the best software engineering practice and the average practice is very wide—perhaps wider than in any other engineering discipline. A tool that disseminates good practice would be important.

"Automatic" programming. For almost 40 years, people have been anticipating and writing about "automatic programming," or the generation of a program for solving a problem from a statement of the problem specifications. Some today write as if they expect this technology to provide the next breakthrough.5

Parnas4 implies that the term is used for glamor, not for semantic content, asserting,

    In short, automatic programming always has been a euphemism for programming with a higher-level language than was presently available to the programmer.

He argues, in essence, that in most cases it is the solution method, not the problem, whose specification has to be given.

One can find exceptions. The technique of building generators is very powerful, and it is routinely used to good advantage in programs for sorting. Some systems for integrating differential equations have also permitted direct specification of the problem, and the systems have assessed the parameters, chosen from a library of methods of solution, and generated the programs.

These applications have very favorable properties:

• The problems are readily characterized by relatively few parameters.

• There are many known methods of solution to provide a library of alternatives.

• Extensive analysis has led to explicit rules for selecting solution techniques, given problem parameters.

It is hard to see how such techniques generalize to the wider world of the ordinary software system, where cases with such neat properties are the exception. It is hard even to imagine how this breakthrough in generalization could occur.

Graphical programming. A favorite subject for PhD dissertations in software engineering is graphical, or visual, programming—the application of computer graphics to software design.6,7 Sometimes the promise held out by such an approach is postulated by analogy with VLSI chip design, in which computer graphics plays so fruitful a role. Sometimes the theorist justifies the approach by considering flowcharts as the ideal program-design medium and by providing powerful facilities for constructing them.

Nothing even convincing, much less exciting, has yet emerged from such efforts. I am persuaded that nothing will.

In the first place, as I have argued elsewhere,8 the flowchart is a very poor abstraction of software structure. Indeed, it is best viewed as Burks, von Neumann, and Goldstine's attempt to provide a desperately needed high-level control language for their proposed computer. In the pitiful, multipage, connection-boxed form to which the flowchart has today been elaborated, it has proved to be useless as a design tool—programmers draw
flowcharts after, not before, writing the reduce the program-testing load, it cannot Promising attacks on the
programs they describe. eliminate it.
Second, the screens of today are too More seriously, even perfect program conceptual essence
small, in pixels, to show both the scope verification can only establish that a pro-
gram meets its specification. Hie hardest Even though no technological
and the resolution of any seriously detailed
part of the software task is arriving at a breakthrough promises to give the sort of
software diagram. The so-called "desktop
complete and consistent specification, and magical results with which we are so fami-
metaphor" of today's workstation is in-
much of the essence of building a program liar in the hardware area, there is both an
stead an "airplane-seat" metaphor. Any-
is in fact the debugging of the specification. abundance of good work going on now,
one who has shuffled a lap full of papers
and the promise of steady, if unspecta-
while seated between two portly passen-
Environments and tools. How much cular progress.
gers will recognize the difference—one can
more gain can be expected from the ex- All of the technological attacks on the
see only a very few things at once. The true
ploding researches into better program- accidents of the software process are
desktop provides overview of, and ran-
ming environments? One's instinctive fundamentally limited by the productivity
dom access to, a score of pages. Moreover,
reaction is that the big-payoff prob- equation:
when fits of creativity run strong, more
than one programmer or writer has been lems—hierarchical file systems, uniform
known to abandon the desktop for the file formats to make possible uniform pro- time of task=J£ {frequency)t x (time) t
i
more spacious floor. The hardware tech-
nology will have to advance quite substan- If, as I believe, the conceptual compo-
tially before the scope of our scopes is suf- Language-specific smart nents of the task are now taking most of
ficient for the software-design task. editors promise at most the time, then no amount of activity on the
More fundamentally, as I have argued task components that are merely the ex-
freedom from pression of the concepts can give large
above, software is very difficult to
visualize. Whether one diagrams control syntactic errors and productivity gains.
flow, variable-scope nesting, variable simple semantic errors. Hence we must consider those attacks
cross-references, dataflow, hierarchical that address the essence of the software
data structures, or whatever, one feels problem, the formulation of these com-
only one dimension of the intricately in- gram interfaces, and generalized tools- plex conceptual structures. Fortunately,
terlocked software elephant. If one were the first attacked, and have been some of these attacks are very promising.
superimposes all the diagrams generated solved. Language-specific smart editors
are developments not yet widely used in
by the many relevant views, it is difficult to Buy versus build. The most radical
extract any global overview. The VLSI practice, but the most they promise is possible solution for constructing soft-
analogy is fundamentally misleading—a freedom from syntactic errors and simple ware is not to construct it at all.
chip design is a layered two-dimensional description whose geometry reflects its realization in 3-space. A software system is not.

Program verification. Much of the effort in modern programming goes into testing and the repair of bugs. Is there perhaps a silver bullet to be found by eliminating the errors at the source, in the system-design phase? Can both productivity and product reliability be radically enhanced by following the profoundly different strategy of proving designs correct before the immense effort is poured into implementing and testing them?

I do not believe we will find productivity magic here. Program verification is a very powerful concept, and it will be very important for such things as secure operating-system kernels. The technology does not promise, however, to save labor. Verifications are so much work that only a few substantial programs have ever been verified.

Program verification does not mean error-proof programs. There is no magic here, either. Mathematical proofs also can be faulty. So whereas verification might

semantic errors.

Perhaps the biggest gain yet to be realized from programming environments is the use of integrated database systems to keep track of the myriad details that must be recalled accurately by the individual programmer and kept current for a group of collaborators on a single system.

Surely this work is worthwhile, and surely it will bear some fruit in both productivity and reliability. But by its very nature, the return from now on must be marginal.

Workstations. What gains are to be expected for the software art from the certain and rapid increase in the power and memory capacity of the individual workstation? Well, how many MIPS can one use fruitfully? The composition and editing of programs and documents is fully supported by today's speeds. Compiling could stand a boost, but a factor of 10 in machine speed would surely leave think-time the dominant activity in the programmer's day. Indeed, it appears to be so now.

More powerful workstations we surely welcome. Magical enhancements from them we cannot expect.

Every day this becomes easier, as more and more vendors offer more and better software products for a dizzying variety of applications. While we software engineers have labored on production methodology, the personal-computer revolution has created not one, but many, mass markets for software. Every newsstand carries monthly magazines, which sorted by machine type, advertise and review dozens of products at prices from a few dollars to a few hundred dollars. More specialized sources offer very powerful products for the workstation and other Unix markets. Even software tools and environments can be bought off-the-shelf. I have elsewhere proposed a marketplace for individual modules.9

Any such product is cheaper to buy than to build afresh. Even at a cost of one hundred thousand dollars, a purchased piece of software is costing only about as much as one programmer-year. And delivery is immediate! Immediate at least for products that really exist, products whose developer can refer products to a happy user. Moreover, such products tend to be much better documented and somewhat better maintained than home-grown software.

The development of the mass market is, I believe, the most profound long-run trend in software engineering. The cost of software has always been development cost, not replication cost. Sharing that cost among even a few users radically cuts the per-user cost. Another way of looking at it is that the use of n copies of a software system effectively multiplies the productivity of its developers by n. That is an enhancement of the productivity of the discipline and of the nation.

The key issue, of course, is applicability. Can I use an available off-the-shelf package to perform my task? A surprising thing has happened here. During the 1950's and 1960's, study after study showed that users would not use off-the-shelf packages for payroll, inventory control, accounts receivable, and so on. The requirements were too specialized, the case-to-case variation too high. During the 1980's, we find such packages in high demand and widespread use. What has changed?

Not the packages, really. They may be somewhat more generalized and somewhat more customizable than formerly, but not much. Not the applications, either. If anything, the business and scientific needs of today are more diverse and complicated than those of 20 years ago.

The big change has been in the hardware/software cost ratio. In 1960, the buyer of a two-million dollar machine felt that he could afford $250,000 more for a customized payroll program, one that slipped easily and nondisruptively into the computer-hostile social environment. Today, the buyer of a $50,000 office machine cannot conceivably afford a customized payroll program, so he adapts the payroll procedure to the packages available. Computers are now so commonplace, if not yet so beloved, that the adaptations are accepted as a matter of course.

There are dramatic exceptions to my argument that the generalization of software packages has changed little over the years: electronic spreadsheets and simple database systems. These powerful tools, so obvious in retrospect and yet so late in appearing, lend themselves to myriad uses, some quite unorthodox. Articles and even books now abound on how to tackle unexpected tasks with the spreadsheet. Large numbers of applications that would formerly have been written as custom programs in Cobol or Report Program Generator are now routinely done with these tools.

Many users now operate their own computers day in and day out on various applications without ever writing a program. Indeed, many of these users cannot write new programs for their machines, but they are nevertheless adept at solving new problems with them.

I believe the single most powerful software-productivity strategy for many organizations today is to equip the computer-naive intellectual workers who are on the firing line with personal computers and good generalized writing, drawing, file, and spreadsheet programs and then to turn them loose. The same strategy, carried out with generalized mathematical and statistical packages and some simple programming capabilities, will also work for hundreds of laboratory scientists.

Requirements refinement and rapid prototyping. The hardest single part of building a software system is deciding precisely what to build. No other part of the conceptual work is as difficult as establishing the detailed technical requirements, including all the interfaces to people, to machines, and to other software systems. No other part of the work so cripples the resulting system if done wrong. No other part is more difficult to rectify later.

Therefore, the most important function that the software builder performs for the client is the iterative extraction and refinement of the product requirements. For the truth is, the client does not know what he wants. The client usually does not know what questions must be answered, and he has almost never thought of the problem in the detail necessary for specification. Even the simple answer—"Make the new software system work like our old manual information-processing system"—is in fact too simple. One never wants exactly that. Complex software systems are, moreover, things that act, that move, that work. The dynamics of that action are hard to imagine. So in planning any software-design activity, it is necessary to allow for an extensive iteration between the client and the designer as part of the system definition.

I would go a step further and assert that it is really impossible for a client, even working with a software engineer, to specify completely, precisely, and correctly the exact requirements of a modern software product before trying some versions of the product.

Therefore, one of the most promising of the current technological efforts, and one that attacks the essence, not the accidents, of the software problem, is the development of approaches and tools for rapid prototyping of systems as prototyping is part of the iterative specification of requirements.

A prototype software system is one that simulates the important interfaces and performs the main functions of the intended system, while not necessarily being bound by the same hardware speed, size, or cost constraints. Prototypes typically perform the mainline tasks of the application, but make no attempt to handle the exceptional tasks, respond correctly to invalid inputs, or abort cleanly. The purpose of the prototype is to make real the conceptual structure specified, so that the client can test it for consistency and usability.

Much of present-day software-acquisition procedure rests upon the assumption that one can specify a satisfactory system in advance, get bids for its construction, have it built, and install it. I think this assumption is fundamentally wrong, and that many software-acquisition problems

spring from that fallacy. Hence, they cannot be fixed without fundamental revision—revision that provides for iterative development and specification of prototypes and products.

Incremental development—grow, don't build, software. I still remember the jolt I felt in 1958 when I first heard a friend talk about building a program, as opposed to writing one. In a flash he broadened my whole view of the software process. The metaphor shift was powerful, and accurate. Today we understand how like other building processes the construction of software is, and we freely use other elements of the metaphor, such as specifications, assembly of components, and scaffolding.

The building metaphor has outlived its usefulness. It is time to change again. If, as I believe, the conceptual structures we construct today are too complicated to be specified accurately in advance, and too complex to be built faultlessly, then we must take a radically different approach.

Let us turn to nature and study complexity in living things, instead of just the dead works of man. Here we find constructs whose complexities thrill us with awe. The brain alone is intricate beyond mapping, powerful beyond imitation, rich in diversity, self-protecting, and self-renewing. The secret is that it is grown, not built.

So it must be with our software systems. Some years ago Harlan Mills proposed that any software system should be grown by incremental development.10 That is, the system should first be made to run, even if it does nothing useful except call the proper set of dummy subprograms. Then, bit by bit, it should be fleshed out, with the subprograms in turn being developed—into actions or calls to empty stubs in the level below.

I have seen most dramatic results since I began urging this technique on the project builders in my Software Engineering Laboratory class. Nothing in the past decade has so radically changed my own practice, or its effectiveness. The approach necessitates top-down design, for it is a top-down growing of the software. It allows easy backtracking. It lends itself to early prototypes. Each added function and new provision for more complex data or circumstances grows organically out of what is already there.

The morale effects are startling. Enthusiasm jumps when there is a running system, even a simple one. Efforts redouble when the first picture from a new graphics software system appears on the screen, even if it is only a rectangle. One always has, at every stage in the process, a working system. I find that teams can grow much more complex entities in four months than they can build.

The same benefits can be realized on large projects as on my small ones.11

Great designers. The central question in how to improve the software art centers, as it always has, on people.

We can get good designs by following good practices instead of poor ones. Good design practices can be taught. Programmers are among the most intelligent part of the population, so they can learn good practice. Hence, a major thrust in the United States is to promulgate good modern practice. New curricula, new literature, new organizations such as the Software Engineering Institute, all have come into being in order to raise the level of our practice from poor to good. This is entirely proper.

Nevertheless, I do not believe we can make the next step upward in the same way. Whereas the difference between poor conceptual designs and good ones may lie in the soundness of design method, the difference between good designs and great ones surely does not. Great designs come from great designers. Software construction is a creative process. Sound methodology can empower and liberate the creative mind; it cannot inflame or inspire the drudge.

The differences are not minor—they are rather like the differences between Salieri and Mozart. Study after study shows that the very best designers produce structures that are faster, smaller, simpler, cleaner, and produced with less effort.12 The differences between the great and the average approach an order of magnitude.

A little retrospection shows that although many fine, useful software systems have been designed by committees and built as part of multipart projects, those software systems that have excited passionate fans are those that are the products of one or a few designing minds, great designers. Consider Unix, APL, Pascal, Modula, the Smalltalk interface, even Fortran; and contrast them with Cobol, PL/I, Algol, MVS/370, and MS-DOS. (See Table 1.)

Table 1. Exciting vs. useful but unexciting software products.

Exciting Products
Yes          No
Unix         Cobol
APL          PL/I
Pascal       Algol
Modula       MVS/370
Smalltalk    MS-DOS
Fortran

Hence, although I strongly support the technology-transfer and curriculum-development efforts now under way, I think the most important single effort we can mount is to develop ways to grow great designers.

No software organization can ignore this challenge. Good managers, scarce though they be, are no scarcer than good designers. Great designers and great managers are both very rare. Most organizations spend considerable effort in finding and cultivating the management prospects; I know of none that spends equal effort in finding and developing the great designers upon whom the technical excellence of the products will ultimately depend.

My first proposal is that each software organization must determine and proclaim that great designers are as important to its success as great managers are, and that they can be expected to be similarly nurtured and rewarded. Not only salary, but the perquisites of recognition—office size, furnishings, personal technical equipment, travel funds, staff support—must be fully equivalent.

How to grow great designers? Space does not permit a lengthy discussion, but some steps are obvious:

• Systematically identify top designers as early as possible. The best are often not the most experienced.
• Assign a career mentor to be responsible for the development of the prospect, and carefully keep a career file.
• Devise and maintain a career-development plan for each prospect, including carefully selected apprenticeships with top designers, episodes of advanced formal education, and short courses, all interspersed with solo-design and technical-leadership assignments.
• Provide opportunities for growing designers to interact with and stimulate each other.

Acknowledgments

I thank Gordon Bell, Bruce Buchanan, Rick Hayes-Roth, Robert Patrick, and, most especially, David Parnas for their insights and stimulating ideas, and Rebekah Bierly for the technical production of this article.

References

1. D.L. Parnas, "Designing Software for Ease of Extension and Contraction," IEEE Trans. Software Engineering, Vol. 5, No. 2, Mar. 1979, pp. 128-138.
2. G. Booch, "Object-Oriented Design," Software Engineering with Ada, 1983, Benjamin/Cummings, Menlo Park, Calif.
3. IEEE Trans. Software Engineering (special issue on artificial intelligence and software engineering), J. Mostow, guest ed., Vol. 11, No. 11, Nov. 1985.
4. D.L. Parnas, "Software Aspects of Strategic Defense Systems," American Scientist, Nov. 1985.
5. R. Baker, "A 15-Year Perspective on Automatic Programming," IEEE Trans. Software Engineering (special issue on artificial intelligence and software engineering), J. Mostow, guest ed., Vol. 11, No. 11, Nov. 1985, pp. 1257-1267.
6. Computer (special issue on visual programming), R.B. Graphton and T. Ichikawa, guest eds., Vol. 18, No. 8, Aug. 1985.
7. G. Raeder, "A Survey of Current Graphical Programming Techniques," Computer (special issue on visual programming), R.B. Graphton and T. Ichikawa, guest eds., Vol. 18, No. 8, Aug. 1985, pp. 11-25.
8. F.P. Brooks, The Mythical Man-Month, 1975, Addison-Wesley, Reading, Mass., New York, Chapter 14.
9. Defense Science Board, Report of the Task Force on Military Software, in press.
10. H.D. Mills, "Top-Down Programming in Large Systems," in Debugging Techniques in Large Systems, R. Ruskin, ed., Prentice-Hall, Englewood Cliffs, N.J., 1971.
11. B.W. Boehm, "A Spiral Model of Software Development and Enhancement," 1985, TRW tech. report 21-371-85, TRW, Inc., 1 Space Park, Redondo Beach, CA 90278.
12. H. Sackman, W.J. Erikson, and E.E. Grant, "Exploratory Experimental Studies Comparing Online and Offline Programming Performance," CACM, Vol. 11, No. 1, Jan. 1968, pp. 3-11.
