









Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
The importance of software engineering in producing cost-effective and reliable software, with a focus on the software life cycle and current challenges in requirements engineering and management. It mentions various systems and approaches to address these challenges, such as ISDOS/CARA, SREP, and integrated technology-management approaches.
Typology: Lecture notes
1 / 16
This page cannot be seen from the preview
Don't miss anything!










IEEE TRANSACTIONS ON^ COMPUTERS, VOL.^ C-25, NO.^ 12, DECEMBER^1976
Abstract-This paper provides a definition of the term "software engineering" and a survey of the current state of the art^ and^ likely future trends in the field. The survey covers the technology avail- able in the various phases of the software life cycle-requirements engineering, design, coding, test, and maintenance-and in^ the overall area of software management and integrated technology- management approaches. It is oriented primarily toward^ discussing the domain of applicability of techniques (where and when they work), rather than how they work in detail. To cover the^ latter,^ an extensive set of 104 references is provided. Index Terms-Computer software, data^ systems, information systems, research and development, software^ development,^ soft- ware engineering, software management.
I. INTRODUCTION r (^) HE annual cost of software in the U.S. is approximately 20 billion dollars. Its rate of growth is considerably greater than that of the economy in^ general.
that software demand over the years 1975-1985^ will^ grow
the growth rate in^ software supply^ at^ current^ estimated growth rates of the software labor force^ and^ its^ productivity
about 11.5-17 percent per year over the^ years 1975-
In addition, as we continue to^ automate^ many^ of^ the processes which control^ our^ life-style-our^ medical equipment, air traffic control, defense^ system, personal records, bank accounts-we continue to^ trust^ more^ and more in the reliable functioning of^ this proliferating mass
well and to perform well. This paper will begin with a definition^ of^ "software^ en- gineering." It will then survey^ the^ current^ state^ of^ the^ art
future trends.
II. DEFINITIONS Let (^) us begin by defining "software engineering." We will
Manuscript received June 24, 1976; revised August 16, 1976. The author is with the TRW Systems and Energy Group, Redondo Beach, CA 90278. (^1) Another trend has been added to Fig. 1: the growth of software maintenance, which^ will^ be discussed later.
but also the associated documentation required^ to-develop, operate, and^ maintain^ the^ programs.^ By^ defining^ software in this broader sense,^ we^ wish^ to^ emphasize the necessity of (^) considering the generation of timely documentation as
We (^) can then combine this with a definition of "engineer- ing" to produce the following definition. Software Engineering: The^ practical application^ of scientific knowledge^ in^ the^ design^ and^ construction^ of computer programs and the^ associated^ documentation required to develop, operate, and maintain them.
The first concerns the necessity of considering a broad enough interpretation of the word "design" to cover the extremely important activity^ of^ software requirements engineering. The second point^ is^ that^ the^ definition^ should
activities of^ redesign and^ modification^ often^ termed "software maintenance." (Fig. 2 indicates^ the^ overall^ set
point is that^ our store^ of^ knowledge^ about^ software^ which can really be called "scientific knowledge" is a rather small base upon which to build an engineering discipline. But, of course, that is what makes software engineering such a fascinating challenge at this time. The remainder of this paper will discuss the state of the art of software (^) engineering along the lines of the software life cycle depicted in Fig. 2. Section III contains a discus- sion of software requirements engineering, with some mention of the problem of determining overall system requirements. Section IV discusses both preliminary de- sign and detailed design technology trends. Section V
Section VI covers both software testing and the overall life cycle concern^ with^ software^ reliability.^ Section^ VII^ dis- cusses the highly important but largely neglected area of software maintenance. Section VIII surveys software management concepts and techniques, and discusses the
concludes with an assessment of the current state of the
above.
survey is oriented primarily toward discussing the domain
1226
BOEHM: SOFTWARE ENGINEERING
Fig. 1. Hardware-software cost trends.
Fig. 2. Software life cycle.
rather than how they work in detail. An extensive set of references is provided for readers wishing to pursue the latter.
III. SOFTWARE REQUIREMENTS ENGINEERING
A. Critical Nature of Software Requirements Engineering
cation-which can serve as a basis for common (^) agreement
The extreme importance of such a specification is (^) only now becoming generally recognized. Its (^) importance derives from two main characteristics: 1) it is easy to delay or avoid
and expensive to correct later. Fig. 3 shows a summary of current experience at IBM
[4], GTE^ [5], and^ TRW^ on^ the relative^ cost^ of^ correcting software errors as a function of the phase in which they are corrected. Clearly, it pays off to invest effort in finding requirements errors early and correcting them in, say, 1 man-hour rather than waiting to find the error during
it. Besides the cost-to-fix problems, there are other critical problems stemming from a lack of a good requirements
impossible, for lack of a well-specified "top"; 2) testing is
user is frozen (^) out, because there is no (^) clear statement of
in (^) control, as (^) there is no clear statement of what the project
B. (^) Current Practice
glish. They abound with ambiguous terms ("suitable,"
1227
BOEHM: SOFTWARE ENGINEERING
standard line printer. Much of the current work on ISDOS/CARA is oriented (^) toward remedying such limita- tions, and extending the^ system to further^ support soft- ware design.
of (^) ISDOS; it uses the (^) ISDOS data management system, and is (^) primarily organized into a (^) language, the require- ments statement (^) language (RSL), and an (^) analyzer, the requirements evaluation and (^) validation system (REVS). SREP contains (^) a number of extensions and innovations which are needed for requirements engineering in real-time software (^) development projects. In (^) order to represent real-time performance (^) requirements, the individual functional requirements can be joined into stimulus-re- sponse networks^ called^ R-Nets.^ In^ order^ to^ focus^ early attention on software (^) testing and (^) reliability, there are
R-Nets. For (^) early requirements validation, there are capabilities for^ automatic^ generation of^ functional simu- lators from^ the requirements statements. And, for adap-
configuration control, traceability to design, and extensive report generation and consistency checking. Current SREP limitations (^) again mostly reflect delib- erate (^) design decisions centered around the (^) autonomous, highly real-time process-control problem of (^) ballistic missile
man-machine interactions are (^) missing. Portability is a problem: although some parts run on several (^) machines, other (^) parts of the (^) system run (^) only on a TI-ASC (^) computer with a (^) very powerful but (^) expensive multicolor interactive graphics terminal. However, the system has been designed with the use of (^) compiler generators and (^) extensibility fea- tures which should allow these limitations to be rem- edied.
to (^) replace the functions of (^) currently performed by pro- grammers. If successful, could they drive software costs
need to determine what software the system should pro-
are of central concern in automatic programming re- search. Two main directions are being taken in this research.
is to work within a general problem context, relying on only general rules of^ information processing (items must be
have both a "then" and an "else," etc.) to resolve am-
biguities, deficiencies, (^) or inconsistencies in the problem statement. This (^) approach encounters formidable problems in natural language processing and may require (^) further restrictions to make it (^) tractable. The other direction, exemplified by the work of Martin at MIT [15], is to work within a particular problem area, such as inventory control, where there is enough of a gen- eral model of software (^) requirements and acceptable ter- minology to make the problems of resolving (^) ambiguities, deficiencies, and (^) inconsistencies reasonably tractable. This second approach has, of course, been used in the past in various forms of "programming-by-question- naire" and application generators [1], [2]. Perhaps (^) the most widely used are the (^) parameterized application generators developed for use on the IBM System/3. IBM has some more (^) ambitious efforts on requirements specification underway, notably one called the Application Software Engineering Tool [16] and one (^) called the Information Automat [17], but further information is needed to assess their current status and directions. Another avenue involves the formalization and speci- fication of required properties in a software specification (reliability, maintainability, portability, etc.). Some success has been experienced here for small-to-medium (^) systems, using a^ "Requirements-Properties Matrix" to help analysts infer additional requirements implied by such (^) consider- ations (^) [18].
D. Trends
In the area of requirements statement languages, we will see further efforts either to extend the ISDOS-PSL and SREP-RSL capabilities to handle further areas of appli- cation, such as man-machine interactions, or to develop language variants specific to such areas. It is still an open
retain its utility. Other open questions are those of the nature, "which representation scheme is best for describing requirements in a certain area?" BMDATC is sponsoring some work here in representing general data-processing system requirements for the BMD problem, involving Petri nets, state transition diagrams, and predicate cal-
A good deal more can and will be done to extend the capability of requirements statement analyzers. Some extensions are fairly straightforward consistency checking; others, involving the use of relational operators to deduce derived requirements and the detection (and perhaps
Other advances will involve the use of formal require-
software life cycle. Examples include requirements-de-
derway), the automatic generation of test cases from re- quirements statements, and, of course, the advances in automatic programming involving the generation of code from (^) requirements.
1229
IEEE TRANSACTIONS ON (^) COMPUTERS, DECEMBER 1976
Progress (^) will not necessarily be evolutionary, though. There is always a good chance of a breakthrough: some key concept which will simplify and formalize large regions of the problem (^) space. Even then, though, there will always remain difficult regions which will require human insight and (^) sensitivity to come up with an acceptable set of soft- ware requirements. Another trend involves the impact of having formal, machine-analyzable requirements (and design) specifi- cations on our (^) overall inventory of software code. Besides improving software reliability, this will make our software
particular machine configuration. It is interesting to speculate on what impact this will have on hardware ven- dors in the future.
IV. SOFTWARE DESIGN
A. The Requirements/Design Dilemma Ideally, one would like to have a complete, consistent, validated, unambiguous, machine-independent specifi- cation of software requirements before proceeding to software design. However, the requirements are not really validated until it is determined that the resulting system can be built for a reasonable cost-and to do so requires
ciated hardware designs needed). This dilemma is complicated by the huge number of
signer had only a few alternatives to choose from in se- lecting a central processing unit (CPU), a set of peripher- als, a^ programming language, and an ensemble of support software. In^ the 1970's, with rapidly evolving mini- and microcomputers, firmware, modems, smart (^) terminals, data management systems, etc., the designer has an enormous number of alternative design components to sort out
By the 1980's, the number of possible design combinations will be formidable.
it reduces the number of alternatives he must consider.
B. Current Practice
process; There is relatively little effort devoted to design validation and risk analysis before committing to a par-
TABLE I Design Degrees of Freedom for New Data Processing Systems (Rough Estimates)
Likely Choices Possibilities Choices Element (1950's) (1970's) (1970's) CPU 5 200 100 Op-Codes fixed variable (^) variable Peripherals (per function) 1 200 100 Programming language 1 50 5- Operating system 0-1 10 5 Data management system 0 100 30
ticular software design. Most software errors are made during the^ design phase. As^ seen^ in^ Fig. 4, which^ summa- rizes several software error analyses by IBM [4], [19] and TRW (^) [20], [21], the ratio of design to coding errors gener- ally exceeds 60:40. (For the TRW data, an error was called a design error if and only if the resulting fix required a change in the detailed design specification.) Most software design is still done bottom-up, by devel- oping software components before addressing interface and integration issues. There is, however, increasing suc- cessful use of top-down design. There is little organized knowledge of what a software designer does, how he does it, or of what makes a good software designer, although
Freeman [22].
C. Current Frontier Technology Relatively little is available to help the designer make the overall hardware-software tradeoff analyses and de- cisions to appropriately narrow the large number of design degrees of freedom available to him. At the micro level,
but at the macro level, not much is available beyond gen- eral system engineering techniques. Some help is provided via (^) improved techniques for (^) simulating information sys- tems, such as the Extendable Computer System Simulator
thorough functional simulation^ of^ the system for design
architecture. (^) Often, it is also assumed that the data structure has also been established. (These assumptions
provide a procedure for organizing and developing the control structure of a program in a way which focuses (^) early attention on the critical issues of integration and interface definition. It begins with a top-level expression of a hier-
routine controlling an "input," a "process," and an "out-
1230
IEEE TRANSACTIONS ON COMPUTERS, DECEMBER (^1976)
level modules in sequence, in a loop, or in an if/else rela- tionship?), the lack of summary information about data, the unwieldiness of the graphics on large systems, and the manual nature of the technique. Some attempts have been made to automate the representation and generation of HIPO's such as Univac's PROVAC System (^) [36].
remedy some of these (^) disadvantages, although they lose the advantage of representing the processes connecting the
a more compact summary of a module's inputs and outputs which is less unwieldy on large problems. They also provide some extra symbology to remove at least some of the se-
ships. Several other similar conventions have been developed
difficulty of^ any such manual system is the difficulty of keeping the design consistent and (^) up-to-date, especially on large problems. Thus, a (^) number of systems have been developed which store design (^) information in (^) machine- readable form. This simplifies updating (and reduces update errors) and facilitates generation of selective design summaries and simple consistency checking. Experience has shown that even a simple set of (^) automated consistency checks can catch dozens of (^) potential problems in a large design specification (^) [21]. Systems of this nature that have been reported include (^) the Newcastle TOPD system (^) [401,
System [41], and Univac's PROVAC (^) [361; several more are under development. Another machine-processable (^) design representation is provided by Caine, Farber, and Gordon's Program Design Language (PDL) System [42]. This system accepts con- structs which have the form of (^) hierarchical structured programs, but instead of the actual code, the designer can write some English text describing what the segment of code will do. (This representation was (^) originally called
makes updating much easier; it also provides a (^) number of useful formatted summaries of the design (^) information, although it still lacks some wished-for features to support terminology control and version control. The (^) program-like representation makes it easy for programmers to read and write PDL, albeit less easy for nonprogrammers. Initial results in using the PDL system on projects have been quite favorable.
D. Trends
readable form, there is a fair amount of pressure from users
etc. We should continue to see such added (^) capabilities, and
design (^) systems for software. Besides improvements in
Some initial (^) attempts have been made (^) by Hoare (^) [44] and others to provide a data (^) analog of the basic (^) control struc- tures in structured (^) programming, but with less practical impact to date. Additionally, there will be more integration and traceability between the (^) requirements specification,
icant implications regarding the improved (^) portability of a user's software. The proliferation of minicomputers and (^) microcompu- ters will continue to complicate the designer's job. It is difficult enough to derive or use principles for (^) partitioning software jobs on single machines; additional degrees of freedom and concurrency problems just make things so much harder. Here again, though, we should expect at least some initial guidelines for decomposing information pro- cessing jobs into separate concurrent (^) processes. It is still not clear, however, how much one can formalize the software design process. Surveys of software designers have indicated a wide variation in their design styles and approaches, and in their receptiveness to using formal design procedures. The key to good software design still lies in getting the best out of good people, and in struct- uring the job so that the less-good people can still make a positive contribution.
This section will be brief, because much of the material
"Computer Languages" [3].
A. Current Practice
Many organizations are moving toward using structured
limited number (^) of control structures-generally SE- QUENCE, IFTHENELSE, CASE, DOWHILE, and DOUNTIL-
though, often in assembly language and particularly for the rapidly proliferating minicomputers and microcompu- ters.
B. Current Frontier Technology
structured code and additional valuable features such (^) as
to support the programming of concurrent processes. Ex-
procedures and their data have been embodied in recent
Automated aids include support systems for top-down
1232
BOEHM: SOFTWARE ENGINEERING
COLUMBUS [51]. Another novel aid is the Code Auditor program [50] for automated standards compliance checking-which guarantees that the standards are more than just words. Good programming practices are now becoming codified into style handbooks, i.e., Kernighan
C. Trends It is difficult to clean up old programming languages or to introduce new ones into widespread practice. Perhaps the (^) strongest hope in (^) this direction is the current De- partment of Defense (DoD) effort to define requirements for its future (^) higher order (^) programming languages [54], which (^) may eventually lead to the development and wide- spread use of^ a cleaner programming language. Another trend will be an (^) increasing capability for (^) automatically generating code^ from design specifications.
VI. SOFTWARE TESTING AND RELIABILITY
A. Current Practice
tivities are still not considered until the code has been run the first time and found not to work. In general, the high
fort) is^ due^ to^ the^ high cost^ of^ reworking the code^ at^ this
activities. In addition, most testing is still a tedious manual process which is error-prone in itself. There are few effective cri- teria used for answering the question, "How much testing is enough?" except the usual "when the budget (or schedule) runs out." However, more and more organiza- tions are now using disciplined test planning and some objective criteria such as "exercise every instruction" or "exercise every branch," often with the aid of automated test monitoring tools and test case planning aids. But other technologies, such as mathematical proof techniques, have
ware.
B. Current Frontier Technology
reliability analysis and fitting them to observed software error rates [55]. These models worked at times, but often
ena. This was primarily because of fundamental differ-
ware-oriented assumptions on which the models were based. For example, software components do not degrade due to wear or fatigue; no imperfection or variations are introduced in making additional copies of a piece of soft-
ware (except possibly for a class of easy-to-check copying
different software configuration than previously, unlike most hardware replacement repairs.
nations of the previous error histories in terms of appro- priate software phenomenology. They are based on a view of a software program as a mapping from a space of inputs
processing of a sequence of points in the input space, dis- tributed according to an operational profile [57], and of
(see Fig. 5). This approach encounters severe problems of scale on large programs, but can be used conceptually as a means of appropriately conditioning time-driven reli-
truly reliable reliability-estimation methods for soft- ware.
the rates of fixing serious errors and of fixing minor errors vary with management direction. ("Close out all problems quickly" generally gets minor simple errors fixed very quickly, as compared to "Get the serious problems fixed first.")
software reliability techniques [4], [19], (^) [601, identification of the requirements and design phases as key leverage points for cost savings by eliminating errors earlier (Figs. 2 and 3), and guidelines for organizing test efforts (for example, one recent analysis indicated that over half the
ever, the proliferation of definitions of various terms (error,
tremely difficult to compare error data from different sources. Some efforts to establish a unified software reli-
and data collection procedures are now under way at USAF Rome Air Development Center, and within the IEEE Technical Committee on Software Engineering.
been found helpful. More detailed discussion of these aids
a) Static code analysis: Automated aids here include
more detailed data-type checking. Code auditors check for
1233
BOEHM: (^) SOFTWARE ENGINEERING
about one man-month of expert effort was required to prove 100 lines of code [67]. The largest program to be proved correct to date contained about 2000 statements [68]. Again, automation can help out on some of the com- plications. Some automated verification systems exist,
[70]. In general, such systems do not work on programs in the more common languages such as Fortran or Cobol.
propositions. An (^) excellent survey of program verification
Besides size and language limitations, there are other
niques. Computations on (^) "real" variables involving trun-
Programs with nonformalizable (^) inputs (e.g., from a (^) sensor where one has just a rough idea of its (^) bias, signal-to-noise ratio, etc.) are impossible to handle. (^) And, of (^) course, pro-
which is itself incorrect with (^) respect to the (^) system's proper functioning. (^) Finally, there is no (^) guarantee that the (^) proof
have subsequently been demonstrated to have (^) holes in
It has been said and often repeated that "testing can be used to demonstrate the presence of errors but never their
admitted that "program proving can be used to demon- strate the presence of errors but never their absence."
the error detection (^) problem, or what the price will be in program slowdown.
C. (^) Trends
As we continue to collect and analyze more and more data on^ how, when, where, and why people make software errors, we will^ get added insights on how to avoid making
tactics (^) (not only in testing but throughout the software life cycle), how^ to^ develop or evaluate new automated aids, and
how to (^) develop useful methods for (^) predicting software reliability. Some automated (^) aids, particularly for static
languages and compilers. We should see some (^) added useful
some (^) appropriate way. Symbolic execution capabilities will probably make their way into automated aids for test (^) case
Continuing work into the (^) theory of software testing should (^) provide some refined concepts of (^) test validity, re- liability, and completeness, plus a better theoretical (^) base for supporting hybrid test/proof (^) methods of verifying programs. Program proving techniques and aids will be- come more powerful in the size and range of programs they handle, and hopefully easier to use and (^) harder to misuse. But many of their basic limitations will remain, (^) particu- larly those involving real variables and (^) nonformalizable inputs. Unfortunately, most of these helpful capabilities will be available only to people working in higher order (^) languages. Much of the progress in test technology will be (^) unavailable to the increasing number of people who find (^) themselves spending more and more time testing (^) assembly language software written for minicomputers and (^) microcomputers with poor test support capabilities. (^) Powerful cross-com- piler capabilities on large host machines and micropro- grammed diagnostic emulation (^) capabilities [77] should provide these people some relief after a while, but a great deal of software testing will regress back to earlier gener- ation "dark ages."
VII. SOFTWARE MAINTENANCE
A. Scope of Software Maintenance Software maintenance is an extremely important (^) but highly neglected activity. Its importance is clear from Fig. 1: (^) about 40 percent of the overall hardware-software dollar is going into software maintenance today, and this number is (^) likely to grow to about 60 percent by 1985. It will con- tinue to grow for a long time, as we continue to add to our inventory of code via development at a faster rate than we make (^) code obsolete. The (^) figures above are only very approximate, because our (^) only data (^) so far are based on highly approximate def- initions. It is hard to (^) come up with an unexceptional def- inition of software (^) maintenance. Here, we define it as "the process of modifying existing (^) operational software while leaving its primary functions intact." It is useful to divide software (^) maintenance into two categories: software update, which results in (^) a changed functional specification for the software, and (^) software repair, which leaves the functional (^) specification intact. A (^) good discussion of soft- ware repair is (^) given in the (^) paper by Swanson [78], who
(of processing, performance, or (^) implementation failures),
1235
IEEE TRANSACTIONS (^) ON COMPUTERS, DECEMBER 1976
MINIMUM-VARIANCE UNBIASED ESTIMATOR. (^) * .* SPACE
OPERATIONAL ESTIMATION PROBLEMS
adaptive maintenance (to changes in the (^) processing or data environment), and perfective maintenance (for enhancing performance or maintainability). For either update or repair, three main functions are-
Understanding the existing software: This implies the need for good documentation, good traceability between requirements and code, and well-structured and well- formatted code. Modifying the existing software: This implies the need
to expand and which minimize side effects of (^) changes, plus easy-to-update documentation. Revalidating the modified software: This implies the need for software structures which facilitate selective re-
cient. Following a short discussion of current practice in
below as a framework for discussing current frontier technology in software maintenance.
B. Current Practice As indicated in Fig. 6, probably about 70 percent of the overall cost of software is spent in software maintenance.
General Motors is about 75 percent, and that GM is fairly
cates that about 60 percent of GTE's 10-year life cycle costs for real-time software are devoted to maintenance. On two Air Force command and control software systems, the maintenance portions of the 10-year life cycle costs were
very efficiently. On one aircraft computer, software de-
Despite its size, software maintenance is a highly ne- glected activity. In general, less-qualified personnel are assigned to maintenance tasks. There are few good general principles and few studies of the process, most of them
Further, data processing practices, are usually optimized
MAINTENANCE DEDELOPMENT GEN. TEL. + ELECT.
USAF C+C NO. 1
USAF C+C NO. 2
GENERAL (^) MOTORS
(^0 20 40 60) s PERCENT OF 10-YEAR LIFE-CYCLE COSTS
100
Fig. 6. Software life-cycle cost breakdown.
mizing around development cost and schedule criteria
with (^) increased software maintenance costs [1].
C. Current Frontier (^) Technology
have largely been discussed in^ previous sections: structured programming, automatic formatting, and code auditors
and comment cards.
1236
IEEE TRANSACTIONS ON COMPUPERS, DECEMBER 1976
the "software physics" lines being investigated by Halstead [97] and others; some interesting initial results have been obtained here, but their utility for practical cost estimation remains to be demonstrated. A good review of the software cost estimation area is contained in [98].
structured code); the ability to perform a software update and at the same time perform a set of timely, consistent project status updates (new version number of module, closure of software problem report, updated status logs); or simply the improvement in software system integration achieved when all participants are using the same devel- opment concept, ground rules, and support software. The most familiar of the integrated approaches is the IBM "top-down structured programming with chief pro- grammer teams" concept. A good short description of the
available in a 15-volume series of reports done by IBM for
tured approach was discussed earlier. The Chief Pro- grammer Team centers around an individual (the Chief) who is (^) responsible for designing, coding, and integrating the (^) top-level control structure as well as the key compo-
agement and customer interface functions. The Chief is assisted by a Backup (^) programmer who is (^) prepared at
as needed.
quite successful, but the Chief Programmer concept has had mixed results [99]. It is difficult to find individuals with enough energy and talent to perform all the above
otherwise, you have concentrated most of the project risk in a single individual, without a good way of finding out whether or not he is in trouble. The Librarian and Pro- gramming Support Library concept have generally been quite useful, although to date the concept has been ori- ented toward a batch-processing development environ- ment. Another "structured" integrated approach has been developed and used at SofTech [38]. It is oriented (^) largely around a hierarchical-decomposition design approach, guided by formalized sets of principles (modularity, ab- straction, localization, hiding, uniformity, completeness, confirmability), processes (purpose, concept, mechanism, notation, usage), and goals (modularity, efficiency, reli- ability, understandability). Thus, it accommodates some economic considerations, although it says little about any other management considerations. It appears to work well for SofTech, but in general has not been widely assimilated elsewhere. A more management-intensive integrated approach is the TRW software development methodology exemplified in the paper by Williams [50] and the TRW Software De- velopment and Configuration Management Manual [100], which has been used as the basis for several recent gov- ernment in-house software manuals. This approach fea- tures a coordinated set of high-level and detailed man-
and time budgets, problem identification and closure, etc.-and unified documentation and management devices such as the Unit Development Folder. Portions of the approach are still largely manual, although additional
project planning and monitoring system, a software de-
of success it will have.
tronics (^) Laboratory Center (^) [102]. It (^) currently consists primarily of a framework within which a wide range of aids
installment contains text editors, compilers, assemblers,
1238
BOEHM: SOFTWARE ENGINEERING
SDL itself is only a part of a more ambitious integrated approach, ARPA's National Software Works (NSW) [102]. The initial objective here has been to develop a "Works Manager" which will allow a software developer at a ter- minal to access a wide variety of software development tools on various computers available over the ARPANET. Thus, a developer might log into the NSW, obtain his source code from one computer, text-edit it on another, and perhaps continue to hand the program to^ additional computers for test instrumentation, compiling, executing, and postprocessing of output data. Currently, an initial version of the Works Manager is operational, along with a few tools, but it is too early to assess the likely outcome and payoffs of the project.
C. Trends In the area of management techniques, we are probably entering a consolidation period, particularly as the U.S. DoD proceeds to implement the upgrades in its standards and procedures called for in^ the recent DoD Directive
should produce a set of software management guidelines
technology than the ones currently in use. It is likely that they will also be more comprehensible and less encum- bered with DoD jargon; this will make them more useful to the software field in general. Efforts to develop integrated, semiautomated systems for software development will continue at a healthy clip. They will run into a number of challenges which will probably take a few years to work out. Some are technical, such as the lack of a good technological base for data
complex software support tools. Some are economic and managerial, such as the problems of pricing services, pro- viding tool warranties, and controlling the evolution of the system. Others are environmental, such as the proliferation of minicomputers and microcomputers, which will strain
Even if the various integrated systems do not achieve all their goals, there will be a number of major benefits from the effort. One is of course that a larger number of support tools will become available to a larger number of people (another major channel of tools will still continue
marketplace). More importantly, those systems which
free-form tool box) will eliminate a great deal of the se- mantic confusion which currently slows down our group
learned how to talk to each other about our software problems, we tend to do pretty well.
IX. CONCLUSIONS Let us^ now assess the current state of the art of tools and
TABLE II Applicability of Existing Scientific Principles
Software Hardware Dimension Engineering Engineering Scope Across Some principles for com- Many principles ap- Life Cycle ponent construction plicable across and detailed design, vir- life cycle, e.g., tually none for system communication design and integration, theory, control e.g., algorithms, auto- theory. mata theory. Scope Across Some (^) principles for "sys- Many principles ap- Application tems" software, virtu- plicable across ally none^ for^ applica- entire^ application tions software, e.g., system, e.g., con- discrete mathematical trol theory appli- structures. cation. Engineering Very few principles Many principles ap- Economics which apply to system ply well to system economics, e.g., algo- economics, e.g., rithms. strength of mate- rials, optimization, and control the- ory. Required Very few^ principles for-^ Many principles Training mulated for^ consump- formulated for tion by technicians, consumption by e.g., structured code, technicians, e.g., basic math (^) packages. handbooks for structural design, stress testing, maintainability.
Table II presents a (^) summary assessment of the extent to which current software engineering techniques are based
The summary assessment covers four dimensions: the extent to which existing scientific principles apply across the entire software life cycle, across the entire range of software applications, across the range of engineering-
across the range of personnel available to perform software development.
Table II that software engineering is in a very primitive state as compared to hardware engineering, with respect to its range of scientific foundations. Those scientific principles available to support software engineering ad-
design and coding of systems software by experts in a relatively economics-independent context. Unfortunately, the most pressing software development problems are in an area we shall call Area 2: requirements analysis design, test, and maintenance of applications software by tech- nicians3 in an economics-driven context. And in Area 2, our scientific foundations are so slight that one can seri-
(^3) For example, a recent survey of 14 installations in one large organi- zation produced the following profile of its "average coder": 2 years col- lege-level education, 2 years software experience, familiarity with 2 programming languages and 2 applications, and generally introverted, sloppy, inflexible, "in over his head," and undermanaged. Given the continuing increase in demand for software personnel, one should not assume that this typical profile will improve much. This has strong im- plications for effective software engineering technology which, like ef- fective software, must be well-matched to the people who must use it.
1239
BOEHM: SOFTWARE ENGINEERING
Eng., pp. 358-363, Dec. 1975. [52] B. W. (^) Kernighan and^ P. J.^ Plauger, The^ Elements^ of Programming Style. New York: McGraw-Hill, 1974. 153] H. F. Ledgard, Programming^ Proverbs.^ Rochelle^ Park, NJ: Hayden, 1975 [54] W. A. Whitaker etal., "Department of Defense requirements for high order computer programming languages: 'Tinman,' " Defense Advanced Research Projects Agency, Apr. 1976. [55] Proc. 1973 IEEE Symp. Comput. Software Reliability, Apr.-May
[56] E. C. Nelson, "A statistical basis for software reliability assess- ment," TRW Systems, Redondo Beach, CA, rep. TRW-SS-73-03, Mar. 1973. [57] J. R. Brown and M. Lipow, "Testing for software reliability," in Proc. 1975 Int. Conf. Reliable Software, Apr. 1975, pp. 518-527. [58] J. D. Musa, "Theory of software reliability and its application," IEEE Trans. Software Eng., pp. 312-327, Sept. 1975. [59] R. J. Rubey, J. A. Dana, and P. W. Biche, "Quantitative Aspects
June 1975. [60] T. A. Thayer, M. Lipow, and E. C. Nelson, "Software reliability study," TRW Systems, Redondo Beach, CA, rep. to RADC, Con- tract F30602-74-C-0036, Mar. 1976. [61] D. J. Reifer, "Automated aids for reliable software," in Proc. 1975 Int. Conf. Reliable Software, Apr. 1975, pp. 131-142. [62] C. V. Ramamoorthy and S. B. F. Ho, "Testing large software with automated software evaluation systems," IEEE Trans. Software Eng., pp. 46-58, Mar. 1975. [63] J. B. Goodenough and S. L. Gerhart, "Toward a theory of test data selection," IEEE Trans. Software Eng., pp. 156-173, June 1975. [64] P. Wegner, "Report on the 1975 International Conference on Re- liable Software," in Findings and Recommendations of the Joint Logistics Commanders' Software Reliability Work Group, Vol. II, Nov. 1975, pp. 45-88.
Conf. Reliable Software, Apr. 1975, pp. 228-233. [66] R. S. Boyer, B. Elspas, and K. N. Levitt,^ "Select-A^ formal system for testing and debugging programs," in Proc. 1975Int. Conf. Re- liable Software, Apr. 1975, pp. 234-245. [67] J. Goldberg, Ed., Proc. Symp. High Cost of Software, Stanford Research Institute, Stanford, CA, Sept. 1973, p. 63. [68] L. C. Ragland, "A verified program verifier," Ph.D. dissertation, Univ. of Texas, Austin, 1973. [69] D. I. Good, R. L. London, and W. W. Bledsoe, "An interactive program verification system," IEEE Trans. Software Eng., pp. 59-67, Mar. 1975. [70] F. W. von Henke and D. C. Luckham, "A methodology for verifying
Apr. 1975. [71] C. A. R. Hoare and N. Wirth, "An axiomatic definition of the programming language PASCAL," Acta Informatica, vol. 2, pp. 335-355, 1973. [72] R. L. London, "A view of program verification," in Proc. 1975Int. Conf. Reliable Software, Apr. 1975, pp. 534-545. [73] E. W. Dijkstra, "Notes on structured programming," in Structured Programming, 0. J.^ Dahl,^ E. W. Dijkstra, and C. A. R. Hoare.^ New York: Academic, 1972. [74] W. A. Wulf, "Reliable hardware-software architectures," IEEE Trans. Software Eng., pp. 233-240, June 1975. [75] J.^ Goldberg,^ "New problems in fault-tolerant computing," in Proc. 1975 Int. Symp. Fault-Tolerant Computing, Paris, France, pp. 29-36, June 1975. [76] B. Randell, "System structure for software fault-tolerance," IEEE Trans. Software Eng., pp. 220-232, June 1975. [77] R. K. McClean and B. Press, "Improved techniques for reliable software using microprogrammed diagnostic emulation," in Proc. IFAC Cong., Vol. IV, Aug. 1975. [78] E. B. Swanson, "The dimensions of maintenance," in Proc. IEEE/ACM 2nd Int. Conf. Software Eng., Oct. 1976. [79] B. W. Boehm, J. R. Brown, and M. Lipow, "Quantitative evaluation of software quality," in^ Proc.^ IEEE/ACM^ 2nd^ Int.^ Conf.^ Software Eng., Oct. 1976. [80] J. L.^ Elshoff,^ "An analysis of some commercial PL/I programs," IEEE Trans. Software Eng., pp. 113-120, June 1976. [81] W. L. Trainor, "Software: From Satan to saviour," in^ Proc;, NAECON, May 1973. [82] E. H. Sibley, Ed., ACM Comput. Surveys (Special Issue on Data
[83] Defense Management J.^ (Special Issue on^ Software^ Manage- ment), vol.II,^ Oct.^ 1975. [84] L. A.^ Belady and M.^ M.^ Lehman, "The evolution^ dynamics^ of large
son-Wesley, 1975. [86] E.^ Horowitz,^ Ed., Practical^ Strategies^ for^ Developing^ Large-Scale Software. Reading, MA:^ Addison-Wesley,^ 1975. [87] G. F.^ Weinwurm, Ed., On the^ Management^ of^ Computer^ Pro-
[88] P. Naur and B.^ Randell, Eds., Software Engineering,^ NATO, Jan.
[89] P. J.^ Metzger, Managing a^ Programming^ Project.^ Englewood Cliffs, NJ:^ Prentice-Hall,^ 1973. [90] J.^ C. Shaw^ and W.^ Atkins, Managing^ Computer^ System^ Projects. New York: McGraw-Hill, 1970. [91] G. F.^ Hice, W.^ S.^ Turner, and^ L.^ F. Cashwell,^ System^ Development
[92] W. J.^ Ridge and L. E.^ Johnson, Effective^ Management^ of^ Com-
[93] T. R.^ Gildersleeve, Data^ Processing^ Project^ Management.^ New York: (^) Van Nostrand Reinhold, 1974. [94] G.^ F.^ Weinberg, The^ Psychology of^ Computer^ Programming.^ New York: Van (^) Nostrand Reinhold, 1971.
Programmer. Reading,^ MA:^ Addison-Wesley,^ 1974.
IEEE Trans. Comput., 1974. [97] M. H.^ Halstead,^ "Toward^ a^ theoretical^ basis for^ estimating^ pro- gramming effort," in Proc. Ass.^ Comput.^ Mach.^ Conf.,^ Oct.^ 1975, pp. 222-224. [98] Summary Notes, Government/Industry^ Software^ Sizing^ and Costing Workshop, USAF Electron.^ Syst.^ Div.,^ Oct.^ 1974. [99] B. S.^ Barry and J. J.^ Naughton, "Chief^ programmer^ team^ opera-
X (^) (of 15-volume series), pp. 1-2-1-3. [100] Software^ Development and^ Configuration^ Management^ Manual,
[101] H. Bratman and T.^ Court,^ "The^ software factory,"^ Computer,^ pp. 28-37, May 1975. [102] "Systems^ design laboratory:^ Preliminary^ design^ report,"^ Naval Electronics Lab. (^) Center, Preliminary Working Paper, TN-3145, Mar. 1976. [103] W. E. Carlson^ and S.^ D.^ Crocker,^ "The^ impact^ of^ networks^ on^ the'
[104] "Management of^ computer resources^ in^ major^ defense^ systems," Department of^ Defense, Directive^ 6000.29,Apr.^ 1976.
Barry W. Boehm received^ the B.A.^ degree^ in mathematics from Harvard University, Cam- bridge, MA, in^ 1957,^ and^ the^ M.A. and Ph.D.
Angeles, in 1961^ and^ 1964,^ respectively. He entered the (^) computing field as a Pro-
Numerical Analyst, System Analyst,^ Informa- tion System Development Project Leader, Manager of groups performing such tasks, Head of the Information Sciences Department at the Rand (^) Corporation, and as Director of the 1971 Air Force CCIP-
in the area of software (^) requirements analysis and design technology. He serves on several (^) governmental advisory committees, and currently^ is Chairman of the NASA Research and Technology Advisory Committee
Dr. Boehm is a member of the IEEE Computer Society, in^ which^ he currently serves on the Editorial Board of the^ IEEE TRANSACTIONS^ ON SOFTWARE ENGINEERING^ and on the^ Technical^ Committee^ on^ Software Engineering.
1241