Project Management Embedded Failures (2) Jack Ganssle

Project Management 

Embedded Failures (2) 

Jack Ganssle 

jack@ganssle.com

The Tacoma Narrows Bridge 

The Tacoma Narrows Bridge 

4 months after opening, Nov 7, 1940 

jack@ganssle.com

Costs 

George Golden Bronx- Tacoma 

Washington Gate Whitestone Narrows 

Completed 1935 1937 1939 1940 

Span 3500 ft 4200 ft 2300 ft 2800 ft 

Cost $59.5m $35m $19.7m $6.4m 

jack@ganssle.com

Titan IVb Centaur 

$500m 

jack@ganssle.com

Ariane 5 

$500m 

jack@ganssle.com

Chinook 

27 dead 

jack@ganssle.com

Patriot Missile 

28 dead, 100 injured 

jack@ganssle.com

Therac 25 

3 dead 

jack@ganssle.com

Radiation Deaths in Panama 

21 dead 

jack@ganssle.com

Our Criminal Behavior 

No Code Inspections 

Implicated in the Chinook helicopter, Multidata 

Radiotherapy device, Therac 25. 

Average uninspected code contains 50-100 bugs 

per 1000 LOC. Inspections find most of these. 

Cheaply. 

jack@ganssle.com

80 

70 

60 

% bugs 

found 

50 

40 

30 

20 

10 

0 

0 100 200 300 400 500 600 700 800 

Lines of code inspected per hour 

jack@ganssle.com


Inadequate testing 

Implicated in the Clementine, NEAR, Mars 

Polar Lander, Pathfinder, Mars Expedition 

Rover, Titan IVb, Ariane, Sea Launch, Chinook, 

Therac 25, Multidata, pacemakers, Los Alamos 

incident, huge digital thermometer. 

jack@ganssle.com


Too expensive to change (dead product)! 

Cost 

to 

update 

the 

software 

Changes slow the 

business down! 

Cleaning up: 

cost = r (“refactoring to clean code”) 

cumulative cost = 1+r+r+r+... 

= 1 + n*r 

Not cleaning up: 

cost = m (“dealing with the mess”) 

cumulative cost = (1)(1+m)(1+m)(1+m)... = (1 + m) n 

Time (actually, number of changes made) 

jack@ganssle.com


Lousy exception handlers 

Implicated in the Ariane, Los Alamos incident, 

Clementine, Yorktown, Mars Expedition Rover, 

and many others 

This means adopting a culture of anticipating 

and planning for failures! 

jack@ganssle.com


Ignoring or cheating the VCS 

Implicated in the NEAR, Pathfinder, Titan IVb, 

EFF, and FAA incidents. 

Find a list of VCSes at: 

www.codeorganizer.com/version_control/tools.htm 

jack@ganssle.com


The use of C! 

jack@ganssle.com

jack@ganssle.com

Bug Rates 

C (worst) 

500 bugs/KLOC 

C (average) 

50-100 bugs/KLOC 

C (auto generated) 12.5 

Ada (worst) 50 

Ada (average) 25 

Ada (auto generated) 4.8 

SPARK (average) 4 

jack@ganssle.com


“The major objection from experienced 

programmers was that the compiler could not 

possibly turn out object code as good as theirs.” 

The real issue: is the code good enough 

jack@ganssle.com


Fact: You can write crappy code in any 

language. 

jack@ganssle.com

Maintainability: C vs C++ 

40% of C bugs took more than 2 hrs to fix; 

70% of C++ bugs took more than 2 hours. 

jack@ganssle.com

Primary Language Used 

jack@ganssle.com


Not using the tools we already have to tame C 

and C++ 

MISRA - www.misra.org.uk 

Lint - www.gimpel.com, or 

www.splint.org 

Safer C - www.leshatton.org/index_SA.html 

Standards – www.ganssle.com 

Static test- complexity and quality analyzers 

jack@ganssle.com


Using lousy watchdogs 

state = 0x5555 

Call WDT_A 

• 

• 

• 

• 

state+= 0x2222 

Call WDT_B 

WDT_A: 

WDT_B: 

halt if state!= 0x5555 

state+=0x1111 

return 

halt if state!= 0x8888 

state=0 

kick dog via two I/Os or MMU 

return 

jack@ganssle.com

Better Watchdogs 

Maxim MAX6323, TI TPS3813 

jack@ganssle.com

The Boss’s Criminal Behavior 

Reuse is not a panacea 

Implicated in the Ariane, Uwatec and many 

others. 

Reuse is extremely difficult. 

See “Confessions of a Used Program Salesman” 

by Will Tracz 

jack@ganssle.com


Reuse is poison! 

jack@ganssle.com

We don’t practice reuse 

jack@ganssle.com

What Does Reuse Mean 

Reuse: building projects one component at a 

time, instead of one line at a time. 

Software Salvaging: Using code not designed 

to ever be reused 

Carrying-over Code – Porting code from an 

old project to a new one 

jack@ganssle.com

Reuse Realities 

Reuse requires: 

• A will to reuse 

• A well-documented set of code 

• Code that has no dependencies 

• An available set of code 

jack@ganssle.com

No Free Lunch 

There’s No Such Thing As A Free Lunch when 

it comes to software reuse. 

1. Before you can develop code for reuse you 

must have developed it at least 3 times. 

2. Before you can reap the benefits of reuse 

you must have reused it 3 times. 

jack@ganssle.com

Griss’s Levels of Software Reuse 

Maturity Level 

Initial 

Salvaging 

Planned reuse 

Systemic reuse 

Level of Reuse 

-20% to 20% 

10% to 50% 

30% to 40% 

50% to 70% 

Requirements 

Biz as usual 

Smart people 

Depends on luck 

Smart people 

Maintenance probs 

Reuse library 

Management support 

Incentives 

Reuse library 

Reuse process 

Reuse metrics 

Education 

Domain-oriented reuse 

80% to 90% 

Domain analysis 

Application generators 

jack@ganssle.com

Reuse Realities 

I/O 

Application 

Algorithms 

jack@ganssle.com


140 

120 

Schedules can’t rule: 

100 

80 

60 

40 

20 

Corollary: Tired people make mistakes 

Implicated in the Clementine, NEAR, Mars 

Polar Lander and many others 

0 

0 0.2 0.4 0.6 0.8 1 1.2 

jack@ganssle.com

Not tracking schedules 

jack@ganssle.com

Not controlling schedules 

1986 2001 

Cost $12.6b $28.7b 

Schedule 9.4 yrs 19.2 yrs 

jack@ganssle.com


Be wary of financial shortcuts! 

Implicated in the Takoma Narrows Bridge, 

Ariane, MGM fire, and many others 

jack@ganssle.com

Are we criminals 

Or are we still in the dark ages 

But there’s a lot we do know, so we’re 

negligent – and will be culpable – if 

we don’t consistently use best 

practices. 

jack@ganssle.com

Remember! 

Enter the evaluation form and be a part of making Øredev even better. 

You will automatically be part of the evening lottery 

jack@ganssle.com

Project Management Embedded Failures (2) Jack Ganssle

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?