
 

SCSC Journal Vol17:1 September 2007

 

I was asked to write something on the uncontroversial and sensible topics of language or RTOS selection for critical systems. I could write a piece which would start the usual religious bun fight between devotees of Ada and C (and a lone voice for Forth!), but as I started thinking about it another, and to my mind more important, issue came up.

 

I can quote endless articles to support or decry the “real-world” use of almost any language for critical systems, though the weight of evidence, both for and against, will probably concern C or Ada simply because of the number of projects that use them and therefore the larger number of case studies for those languages. The Ariane 5 Flight 501 failure (Hatton 1996) shows that mistakes can be made regardless of the programming language in use.

 

The thing that occurred to me some years ago, when discussing training and certification of programmers or Software Engineers, is that the fundamental culture of software development is a major part of the problem. None of the programming language surveys or case studies takes this deep-seated cultural element into account. How were the programmers of any language trained?

 

Software is not alone in missing underlying problems. I saw a survey that said: a lot more people who have sex or live together before marriage get divorced than those who don’t; therefore it proves that sex before marriage is bad. This completely overlooks the fact that those who don’t believe in sex before marriage also, by and large, don’t approve of divorce, whereas those who live together before marriage generally don’t have a problem with divorce either. As the Hitchhiker’s Guide (Adams 1979) says: the Answer is 42; the problem is you don’t understand the question.

 

When the editor saw the first draft of this piece he commented that my language was a little “loose”. The problem is: so is the subject. In the general programming field words and concepts are thrown around, sometimes incorrectly, by many with only the vaguest notion of the definition, much less a full understanding of the underlying principles. Also, we are discussing concepts and behaviour, not something that can be measured directly, even if we can show the eventual effects statistically. I think the culture in which the initial programming skills were learnt is the overriding, but underlying or invisible, force in software engineering.

 

Generally speaking, and I am sure people can cite exceptions, Ada tends to be taught in an environment of, or at least with an emphasis on, high-integrity software engineering. The vast majority of Ada programmers will “engineer” the software by natural inclination. Those who don’t will usually be working in an environment where peer pressure will tend towards proper engineering methods anyway.

 

C, on the other hand, is not usually taught with anything like the same philosophy. C appears to come from a far less rigorous background, where enthusiasts were “hacking” things together in California on the sunny US west coast at the end of the hippy era, with beards, sandals and joss sticks.

 

However, even where programming is taught using a “safe” language the culture may not be software engineering. The university that “taught me programming” used Modula 2 because “it was safe”. Apparently, according to the staff, “C was dangerous and only for hackers”. The philosophy at the college with Modula 2 was “if it compiled it must be safe”. This was because Modula 2 was “safe” and the compiler did all the required checking. “Safe” was a label that was applied but not really understood. It was waved around like a talisman.

 

Meanwhile most of the students were busy teaching themselves C with the same philosophy of “if it compiled it was OK”, even though they delighted in doing obscure things with the language. This was partly because the system they were learning on, UNIX, was written in C and was the “hacker’s language”, and partly so they could get jobs afterwards. Apparently “everyone” used C but no one used Modula 2. Fashion, not engineering, often dictates the languages used. The problem was that none of the students were taught software engineering or the associated processes and methods, such as safe subsets, static analysis and unit testing, that are required if C is to be used. Also, as C is a free-form language, any and all styles can be used as takes the writer’s fancy.

 

This gave us a large number of software people programming in C, a language in which the less disciplined can inadvertently hide many problems, giving rise to the view of C as a write-only language for hackers.

 

I still meet many programmers in industry who tell me that if the [C or C/C++] compiler passes it with no errors then the code is OK other than procedural bugs: if it is syntactically correct there is no problem and there is no need to waste time/money on static analysis. They also seem to think that dynamic testing is “better” than static analysis because the program actually runs, and therefore skip static analysis. They often regard it as an infringement of their civil liberties to have to adhere to a house style for the code.

 

I think it is this underlying attitude to programming that is the problem, not the language used. I think that with the right tools and discipline almost any language could be used for safety-critical work. The main problems in the development of safety-critical software are usually caused by areas other than the programming language.

 

This is indicated by an analysis of why safety-related control systems failed (Bell and Bennett 2000): 44.1% of failures were down to specification problems, and only 14.7% were due to design and implementation. So, given the right processes and engineers, the problems caused by the choice of language are going to be minor.

I believe that any survey of the usage of programming languages will reflect the underlying culture and initial training to some extent. That is not to say that there aren’t some cowboys programming in Ada and some extremely competent people engineering some highly reliable systems with C. 

 

Les Hatton’s book Safer C (Hatton 1994) goes some way to showing that in a good environment language choice has a minor impact. In fact, as far back as 1985 Cox (Cox 1985) was also saying that C could be used safely if proper methods were used. There is always the caveat “if proper methods are used”.

 

Last year one of my clients said to me that Modula 2 was a programmer’s language but C was a Software Engineer’s language. He went on to explain that Modula 2, like a parent, stopped you doing silly things, but C left it up to the professionalism of the software engineer to do things properly. The professionalism of the Software Engineer… Now there is the root of the problem.

 

Many see themselves as “programmers” and don’t recognise the term “Software Engineer”. I know a C/C++/C#/Java programmers’ organisation where the majority of the members actually argue against the term “Software Engineer” and insist that programming is not a branch of engineering. I note that in V16 i3 of this newsletter there was a comment that the Professionalism Matters seminar was poorly attended, a pity. We need to instil a Professional Software Engineer mentality in all practitioners implementing systems containing software, no matter whether they are a software engineer or a programmer.

 

On a safety-critical project many things are regulated, proscribed or have to be certified. However, the usual requirement for the programmers is that they can operate a keyboard! OK, most HR departments get the brief: Degree + 5 years’ experience in xyz and some buzzwords. Why not “must be a C.Eng”, or I.Eng where appropriate? Why do we not have a requirement for a Professional Software Engineer? Someone who will engineer the software rather than just a programmer.

 

In one survey I have on software testing (Hutcheson 2003) it shows that in the USA only 4% of members of testing teams had a degree in computing, whereas in the UK it was better at 60%. However, if you go to a hospital and take a survey of how many nurses are qualified in nursing I bet it will be over 99%! What is more, they will know all their procedures and stick to them. Even at local sports events all the first-aiders are trained and certified as a legal requirement and follow procedures. The crucial point is “a legal requirement”… There is no legal requirement to use a Software Engineer, nor, for that matter, is the term “Software Engineer” legally protected. Anyone may style themselves a Software Engineer.

 

In many countries in Europe, and even in the USA, there are moves for a more professional approach (McConnell 2004). These are similar to the C.Eng; they are also good in theory but not used much in practice. Perhaps it is time they were used in practice?

 

Having said that, at the core you need well-trained Software Engineers, not “programmers”: there are more variables to consider than just writing the code, such as the various strengths and weaknesses not just of the languages but of their implementations too. Many have said that a comparison of how safe languages are will be pointless, as it is the application they produce where the safety needs to be (Storey 1996). Also, the tools available for any given language and host-target combination are a far more important factor than the theoretical “safeness” of a language.

 

I was once asked to use a Modula 2 compiler by a client because “mod2 was safe”. However, the compiler, libraries and support tools were so bug-ridden it was unusable. The client would not even look at C, though the tools for the target were far more comprehensive and robust. What is better: a poor implementation of a theoretically safe language, or a robust, well-documented implementation of a “less safe” language?

Programming languages can be misused. C, for example, really needs a good style guide, a coding subset and static analysis. Even Dennis Ritchie, the father of C, recognised this (Ritchie 1993) back in the mid-1970s. However, most other languages can be misused too; no, I won’t mention that rocket again…
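The point made earlier about code that "passes the compiler with no errors" and is therefore assumed to be OK, and the remark here that C needs a style guide, a coding subset and static analysis, can be illustrated with a small constructed C example. This is added here and is not code from the original article; the frame-copy routine, its FRAME_MAX limit, the sample payload and the names of the functions are all assumptions made for the illustration. It shows a routine that compiles cleanly and passes its happy-path test, the latent defect that a coding-subset rule on signed-to-unsigned conversion would report, and the same routine written the way such a rule demands.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Largest payload a frame buffer holds: a constructed value for this example. */
#define FRAME_MAX 16

/* The bounds guard as it is commonly written. Both operands are int, so this
 * is a signed comparison: a negative length (a corrupted header, say) is
 * "not greater than FRAME_MAX" and is accepted. */
int loose_guard_accepts(int len)
{
    return len <= FRAME_MAX;
}

/* Version 1. This typically compiles without diagnostics at the usual
 * -Wall -Wextra level and passes the obvious happy-path test, so "it ran,
 * it is fine". The defect is latent: for a negative len the guard passes and
 * the implicit int -> size_t conversion in memcpy's third argument produces
 * an enormous copy. A coding-subset rule on implicit signed-to-unsigned
 * conversion (or -Wsign-conversion, or an analyser tracking the range of
 * len) reports this without running the program at all. */
int frame_copy_loose(unsigned char *dst, const unsigned char *src, int len)
{
    if (!loose_guard_accepts(len))
        return -1;
    memcpy(dst, src, len);            /* len < 0: huge size_t, buffer overrun */
    return len;
}

/* Version 2. The same routine written to the kind of rule a style guide and
 * subset impose: the destination size is passed in, the negative case is
 * rejected explicitly, and the conversion to size_t is written out only after
 * the range of len has been established. */
int frame_copy_checked(unsigned char *dst, size_t dst_size,
                       const unsigned char *src, int len)
{
    if (len < 0)
        return -1;                    /* corrupted or nonsensical length */
    if ((size_t)len > dst_size)
        return -1;                    /* would overrun the destination */
    memcpy(dst, src, (size_t)len);    /* conversion is now known to be in range */
    return len;
}

/* The happy-path "dynamic test": a 10-byte constructed payload. Both versions
 * pass it, which is exactly why running the code proves so little. Returns 1
 * on pass, 0 on fail. */
int happy_path_ok(void)
{
    const unsigned char src[10] = "ABCDEFGHI";     /* 9 chars + NUL = 10 bytes */
    unsigned char a[FRAME_MAX] = {0};
    unsigned char b[FRAME_MAX] = {0};

    if (frame_copy_loose(a, src, 10) != 10)
        return 0;
    if (frame_copy_checked(b, sizeof b, src, 10) != 10)
        return 0;
    return memcmp(a, src, 10) == 0 && memcmp(b, src, 10) == 0;
}

/* The inputs the happy-path test never exercises. The loose guard is only
 * queried, not driven through memcpy, because the resulting copy would be
 * undefined behaviour. Returns 1 if the observations below hold, 0 otherwise. */
int edge_cases_ok(void)
{
    unsigned char buf[FRAME_MAX] = {0};
    const unsigned char src[FRAME_MAX + 1] = {0};

    /* Negative length: the loose guard lets it through, the checked copy refuses. */
    if (loose_guard_accepts(-1) != 1)
        return 0;
    if (frame_copy_checked(buf, sizeof buf, src, -1) != -1)
        return 0;
    /* One byte too many: both reject this case, so a test with it alone
     * would still not reveal the defect. */
    if (loose_guard_accepts(FRAME_MAX + 1) != 0)
        return 0;
    if (frame_copy_checked(buf, sizeof buf, src, FRAME_MAX + 1) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("happy path passes for both versions: %d\n", happy_path_ok());
    printf("edge cases behave as described:      %d\n", edge_cases_ok());
    return 0;
}
```

The two functions differ by a single comparison, which is the point: no amount of running the first one with sensible inputs reveals the difference, while a subset rule or a static analyser applied to the source finds it before the code is ever executed.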

 

Coming back to the US Joint Strike Fighter, I understand that C++ was used rather than Ada for the extremely good technical reason of: “We can get enough C++ programmers but not enough Ada programmers…” Surely a well-trained Software Engineer in a rigorous environment should be able to learn the syntax of a new language reasonably quickly? The coding of a project is a comparatively small part; the specification, design and testing are larger. With a good design

 

I suspect that their background training and approach to programming will have as much of a part to play as the language used when, with hindsight, we read the story of the JSF software.

 

Now, where is my assembler?  I am going to patch the kernel!

 

 

Adams, D. (1979). The Hitchhiker’s Guide to the Galaxy. Pan.
Bell, R. and P. A. Bennett (2000). “IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.” Computing & Control Engineering Journal 11(1): 3.
Cox, B. (1985). Software ICs and Objective-C. Stepstone Inc.
Hatton, L. (1994). Safer C: Developing Software for High-Integrity and Safety-Critical Systems. McGraw-Hill.
Hatton, L. (1996). Software Failure: Follies and Fallacies: 9.
Hutcheson, M. L. (2003). Software Testing Fundamentals: Methods and Metrics. Wiley.
McConnell, S. (2004). Professional Software Development: Shorter Schedules, Higher Quality Products, More Successful Projects, Enhanced Careers. Addison-Wesley.
Ritchie, D. M. (1993). The Development of the C Language. ACM.
Storey, N. (1996). Safety-Critical Computer Systems. Harlow, Addison-Wesley.

 

There is no single coherent view of the “real-world”. Reality is, it seems, relative. This will be discussed in a future article on Escher and Zen philosophy.

 

Actually my grounding in electronics and software engineering was elsewhere and taught as critical systems engineering.

 

Fashion dictates that people want to use C++ on 8-bit MCUs and UML/OOP for C programs where common sense says it is not a good idea.