.

Editor: Bertrand Meyer, EiffelSoft, 270 Storke Rd., Ste. 7, Goleta, CA 93117; voice (805) 685-6869; [email protected]

It’s the . Barry Boehm’s great contribution (“A Spiral Model of Practice Development and Enhance- ment,” Computer, May 1988) was to emphasize the need to handle risk in soft-

Object Technology ware . But Quality To Perfect: First does not use spiral’s idea of repeated analysis-design-implementation cycles. It builds the software, cluster by cluster, using a seamless, reversible process, The Quality as described by Kim Walden in this column (“Reversibility in ,” Sept. 1996). First Model It’s just.... Probably not. Few basic ideas are completely new in software; to a certain extent, all had been said in 1974 Bertrand Meyer, EiffelSoft by Edsger Dijkstra, Tony Hoare, Knuth, , Niklaus Wirth, and a few Ich bin der Geist, der stets verneint, I’ve always worked that way. If that’s others. What counts is how you put the und das mit Recht Mephistopheles really true, congratulations. But I’d like to basic ideas together: what you do, and – Goethe’s Faust, part I (for the trans- see it before I believe it, because some as- also what you don’t do. lation, read on) pects of this process go directly against con- ventional ideas of software development. It’s a personal software process and will not work for large developments. Large aving recently completed a mul- It’s just literate programming. Donald developments are aggregates of personal tiyear writing project, I now Knuth’s literate programming is a great processes, as described by Watts have time to program again. idea. But it’s not Quality First. As I Not just directing development understand it, literate programming is H or looking at specific elements or top-down (it starts from a problem state- Quality First helping fix bugs or even writing library ment), while Quality First is bottom-up builds software, classes (these I never stopped doing), but (it starts with perfecting a small system cluster by cluster, using a sizable development. Such in-depth then adds functionality). Quality First is a seamless reversible involvement is not only pleasurable, it is fundamentally tied to object technology process. indispensable if your job involves con- and . sulting, writing, lecturing, teaching, man- aging, documenting, or selling (or all of It’s just Cleanroom development. Like Humphrey. If you can’t get the personal the above). In particular, if you sell devel- Quality First, Cleanroom emphasizes for- process right, you won’t get the large- opment tools you should use them, too— mal reasoning. Unlike Quality First, it scale processes right. Besides (building and not just for doing demos, teaching shuns unit testing and, in general, the use on an observation I first heard not very classes, or writing manuals. of computers early in the process. Quality long ago from Jean Ichbiah, the designer What the product is does not matter for First constantly relies on computer tools of Ada, who recently built another great this discussion. But I have started to docu- and encourages continuous testing. product with a very small team), it’s ment my own development process because amazing what one person or a tiny I think it may be interesting for others. It’s just rapid prototyping. Absolutely group can do these days with object I call this process the Quality First not. In many respects it’s the opposite. technology, modern tools, top-charged model. This is not a slogan; it describes a Rapid prototyping is about building “personal” computers, the Internet, and central property of the model. It follows something to try a few ideas, then throw- the Web. There remains a need for the from comments made by consultant ing it away to start the real development. massive, warfare types of projects so Roger Osmond, which I will try to sum- With Quality First, you work on the real prominent in the traditional software marize here. thing, right from the start. engineering textbooks—projects which, by the way, probably need the tech- OBJECTIONS It’s incremental development. Yes, so niques described here more than any- First let me try to refute in advance what? All development is incremental. thing else—but more and more some objections you might put forward What matters is how you go from one successful products are, at least initially, as you read about Quality First: increment to the next. the product of guerrilla programming.

102 Computer .

resume like that, I would hire the guy on the spot; Mr. Nice Guy and Ms. Kind Gal need not apply. 100 OSMOND PRINCIPLE Here I will paraphrase the comments Late Roger Osmond made at TOOLS USA debugging (the curves are mine but the ideas—which I hope I am not distorting too much—are definitely his). includes two parts: functionality (how much the software does) and everything else (cor-

Other qualities (percentage) 0 rectness and robustness, efficiency, porta- Functionality bility, extensibility, reusability). Too often, the development scheme is as depicted in Figure 1. You try to Figure 1. The most common development scheme addresses functionality and quality simultane- progress toward the goal—enough func- ously. tionality, good quality—by working on everything at once. In the meantime, the product is not only less-than-functional It’s the cluster model. Yes, but it’s more. tion and verification) you will find all but also less-than-good. You hope, of The cluster model (Object Success: A bugs, so why spend time on things like course, that given enough time you’ll fix Manager’s Guide to Object Technology, design by contract? Some of the online both the functionality and the quality. Prentice Hall, 1995) describes the Usenet discussions following the column This is what I will call the slopy model process of object-oriented software here on the Ariane-5 crash (available at (named for the slow upward slope). development, based on partitioning the http://www.eiffel. com) clearly evidenced As Osmond pointed out, the slopy system into a number of subsystems and that attitude. model is very wrong. In fact, it deserves libraries, the clusters, and applying con- It does not have to be either-or! To say current engineering on the various clus- that careful, formal design removes the ters. Quality First complements the need for testing is just as absurd as to To say that careful, cluster model by telling us how we think that with enough V&V you can formal design removes should be developing the clusters. make up for imperfect software technol- the need for testing ogy. Especially in mission-critical systems is just as absurd A PRIORI AND A POSTERIORI (and how many developments these days as to think that It never ceases to amaze me, when I aren’t?) you need both. You want the with enough V&V you look at the literature and at discussions best a priori efforts, managerial (- can make up for imperfect in places like Computer and IEEE tion, careful design) and technological software technology. Software, not to mention Usenet, how (the most sophisticated method, tools, much we as a community reason in hardware, languages). And you need the “either-or” terms when it comes to soft- a posteriori checks: an independent QA a second ‘p.’ Its flaw becomes very clear ware quality techniques. team, extensive testing, and V&V. in the face of one of the unspoken con- For some, the key is in a priori tech- Your motto should be: Build it so you straints on our industry: the “Can we niques: Just use , and can trust it. Then don’t trust it. ship now?” phenomenon. As Philippe everything will be right. Boris Beizer does Reliability engineering involves redun- Kahn says, “shipping is a feature.” With a hatchet job on some extreme forms of dancy and distrustfulness. Our obvious the slopy model, this question translates this idea—the absurd view that if you are patron saint here is the sulfurous into “Does it do enough?” and “Is it just careful enough you don’t need unit Mephistopheles (here, finally, is the good enough?” testing (“Cleanroom Process Model: A translation): What Osmond advocates—and what Critical Examination,” IEEE Software, the industry needs—is what I will call Mar. 1997, pp. 14-16). I am the spirit that always says no, the Quality First model: Quality remains At the other end of the spectrum you and rightly so. constant. You always strive to get every- find many developers who don’t believe thing right from the start and fix it at all in formal or even semiformal tech- That’s us! (Do get the full quotation, immediately if it is not. The only thing niques, for whatever reason. In much of with Zerstörung—destruction, and all that changes is functionality. Quality current practice, the hope is simply that such great stuff.) This is what I call a with enough testing and V&V (valida- healthy attitude for a QA person. With a Continued on page 105

May 1997 103 .

Object Technology Continued from page 103

First produces the flat line (or at least the 100 perhaps more realistic wavy line) in Figure 2. In this model you never skimp on quality. If the existing functionality does not work perfectly yet, you don’t move on to the next function; you make things right. Why is Quality First so much better? First, it turns the “Can we ship now?”

question into “Does it do enough to Other qualities (percentage) 0 impress the marketplace?” Quality— Functionality other than functionality—is not a party to the decision. If you do decide to ship an early version, you can sleep at night; Figure 2. The Quality First development scheme does not add functionality until the quality is it won’t crash. This model also has a perfect. tremendous effect on developer morale, which feeds back into quality and pro- I always get the cosmetics right before sights. Why would anyone use an ductivity. Knowing that you are not cut- anything else. The syntax should be right untyped or dynamically typed language? ting back on quality (only, if necessary, at all times. More importantly, I con- The argument “we’ll develop faster that on functionality) is a great boost to stantly apply the style rules. Every shop way” makes no sense to me, either theo- everyone’s confidence and leads to should have such rules, which in Eiffel retically or practically. redoubled efforts. And Quality First will are defined in painful detail: header com- To recompile all the time I need fast not take more time from start to finish ments, indexing clauses, commenting recompilation and scalability. Today’s (or to first commercial release). It may styles, name choices, even comment compilers are relatively fast. What’s cru- seem to at first; but soon the efforts start punctuation. None of this will by itself cial, however, is the knowledge that if to pay off, and you can progress much make great software, but if you can’t get you change a few classes it will take a few faster. the details right what guarantee is there Quality engineering beats RAD, every that you will get the rest right? Like time. everyone else I am occasionally tempted Yes, all this is easier said than done. I to cut corners and postpone writing I recompile all the time. wish I could say the products I have been header comments, indexing clauses, and In fact, I get nervous if responsible for always used Quality First the like. But I censure myself because I I haven’t recompiled for and stayed away from the slopy model. I know it means slower progress in the more than 15 minutes. can’t. But Quality First is possible and I end. How much of development is will try to show how. devoted to filling the blank page (or its electronic equivalent) and how much to IMPLEMENTING QUALITY FIRST combing existing text? Far more of the seconds to get the system compiled again, Here is how I work, on the basis of latter, of course, so the crucial need is to whether your total system size is 100 Osmond’s ideas, modern software engi- make this process as smooth and effi- classes, 1,000, or 10,000. I wouldn’t use neering principles, and my own work. cient as possible. the flashiest visual tools in the world, the (One caveat: I analyze, design, and pro- best method, the best language, without gram in Eiffel, using the ISE Eiffel envi- I recompile all the time. In fact, I get the knowledge that the time to process a ronment. This is the technology I have nervous if I haven’t recompiled for more change is independent of the total size. been working with for the past 12 years. than 15 minutes. In this I differ from Regardless of the environment you use, many people. When I explained this con- I intertwine analysis, design, imple- you can find something in this descrip- cept recently to a class, everyone nod- mentation, and maintenance. It’s not that tion that can be applied to your own ded. As soon as I left the room everyone up-front activities are unimportant; it’s method and tools. I hope you find my use started to write and write and write (they rather that I want to transform every- of the first person singular not a sign of called it “design”) and soon none of the thing into a software text right away and conceit but of realism: I am describing programs would compile! We spent two compile it. Sometimes the “software” what I do, and trusting that you will hours getting back on track. text is just analysis—deferred classes in know what to retain, what to reject, and Recompiling supplies type errors, Eiffel, with no implementation at all but what to improve.) which in many cases reflect deeper over- lots of assertions all over to capture the

May 1997 105 .

essential semantics—and I will just use (or at least I believe so), I include a check other country-sensitive value. I know a Eiffel’s Melting Ice compiling technol- instruction to document this belief and company that has to perform 18 compi- ogy the way other approaches would use make it testable. lations for each new release; this should a CASE tool. Later in the process, I will not happen. be able to execute the result. But the I execute with all assertion checking on. process departs, for example, from the The errors that have not been caught by I always have a working system. It is Unified approach. type checking are caught as assertion essential to have a current demo at all The idea of having beautiful “bubble violations. And I am always surprised times, even if it includes only some clus- and arrow” diagrams at the analysis and (even though by now I should know bet- ters or older versions of the less stable design stage, only to switch to a com- ter) when the violated assertion turns out clusters. A working demo is something pletely separate programming language to be one that I had added just for good- you can show to colleagues or customers and the resulting impedance mis- ness’ sake, so convinced was I that it and get feedback. It keeps you honest, could never fail. cutting your grandiose plans down to the level of feasibility. It also safeguards Before being reusable, When I find an error, I ask myself three the method’s emphasis on bottom-up software must be useful, questions. Tom Van Vleck’s delightful incremental development. usable, and used. What short paper (http://www.lilli.com/ I try not to compromise, threeq.html) lists the “three questions I have someone else try to defeat partial however, includes that you should ask about each bug you results. Unfortunately, Mephisto is not correctness, robustness, find”: around (although he seems to have quite extendibility, and a few disciples on Usenet these days). If efficiency. 1. Is this mistake somewhere else also? I had any enemies I would call on them 2. What next bug is hidden behind this to help; short of that, I make sure to tell one? the testers that their job is to displease matches, seems to me incompatible with 3. What should I do to prevent bugs me. The purpose of testing is to find a Quality First process and the seam- like this? bugs. lessness and reversibility of object tech- nology promoted by Kim Walden and I take care of abnormal cases right I don’t strive for perfection. This might Jean-Marc Nerson’s BON approach away. It’s very tempting to concentrate seem to contradict the above but it does (Seamless Object-Oriented Software on the interesting stuff first, and post- not. I know that I have to produce Architecture: Analysis and Design of pone worrying about “stupid” (read, results in my (and my customers’) life- Reliable Systems, Prentice Hall, 1995). novice) users, faulty devices, damaged time. I do know about Web years. I am or unreadable files, unlikely cases, and not equally interested in all software I execute right away after compiling. At so on. I have come to understand that quality factors. There is a tendency, once least, I execute when I have reached an “Let’s make it work now, we’ll make it you have been won over to the benefits executable state (not just deferred classes robust later” is the wrong attitude. It is of reusability, to overgeneralize. I think for analysis and high-level design). when you are writing a certain part of about generalization and reuse all the the processing that you are in the right time, of course, but I refrain from trying I include assertions all over the place. I position to think of all the things that to write a full-fledged reusable compo- rack my brains to spell out all the logical could go wrong, and process them. And nent when all I need is a good module assumptions that underlie my designs. I because error processing is indeed for my current development. If you try never write a routine without checking all tedious, I know of no better way to force to be too general, you don’t produce the applicability conditions first and myself to simplify everything because it anything. Before being reusable, soft- expressing them as Eiffel . is always better to engineer out errors ware must be useful, usable, and used. I write the postconditions, trying to cap- (making sure that they cannot happen) What I try not to compromise, however, ture as much as I can of the result’s prop- than to process them. But after you have includes correctness, robustness, exten- erties. I am never satisfied with a class removed the unnecessary error cases, sibility, and efficiency. until I have written a class invariant that you should take care of the necessary captures its essential semantics. When I ones without delay. redefine a routine in a descendant (sub- class), I check if the original I prepare for internationalization right o the process is not perfect (big must be weakened or the postcondition away. We have a small internationaliza- news). But I think Quality First is strengthened; again, the compiler checks tion library—nothing very deep—that S the right way to go, for projects help me get everything right here. When provides hooks for non-English mes- large and small. I wish everyone applied I call a routine and do not test for the pre- sages and interfaces. Using it takes only it. And I hope you will benefit from it, condition because the context ensures it a few more keystrokes for each string or too. ❖

106 Computer