By Deane Barker | May 18, 2009 | 2 Comments
They Write the Right Stuff: Fascinating article on the software that controls the space shuttle. The level of code quality is astonishing.
This software never crashes. It never needs to be re-booted. This software is bug-free. It is perfect, as perfect as human beings have achieved. Consider these stats : the last three versions of the program — each 420,000 lines long-had just one error each. The last 11 versions of this software had a total of 17 errors. Commercial programs of equivalent complexity would have 5,000 errors.
When I worked for Citibank, our software group was getting CMM certified. Throughout that process, the shuttle program at NASA was held up as the goal we were trying to attain. At the time, they were the only CMM Level 1 outfit in the world.
Ten years ago the shuttle group was considered world-class. Since then, it has cut its own error rate by 90%.
Their process is brutally old-school — the anti-thesis of the agile, iterative development lauded these days.
Take the upgrade of the software to permit the shuttle to navigate with Global Positioning Satellites, a change that involves just 1.5% of the program, or 6,366 lines of code. The specs for that one change run 2,500 pages, a volume thicker than a phone book. The specs for the current program fill 30 volumes and run 40,000 pages.
The comments on the Reddit thread where I found it are interesting. There are a lot of complaints that the environment in which this software gets written is wholly unrealistic. It costs NASA something like 160x what normal software costs, there’s only one client, they do nothing else, the shuttle launches — and by extension, their code delivery dates — are planned years in advance, etc.
If you’re interested, someone posted a link to the coding standards guide (4MB PDF).
17 errors. I wonder how they manage that. No user input? When you allow user input, unless it’s simply via clicking items/selecting menu items, you have a HUGE input space. 10 text fields with a couple hundred character length max input would result in quite a lot of inputs to test for errors. Even if you add in validation for some fields, there are only so many cases where you want to restrict an input to some format.
I’m not saying it’s impossible, just that to be 100% sure you have 17 errors requires testing all possible inputs and all possible branches. The latter is “easy” with symbolic execution, but the former grows significantly more complicated with every time you let the user add some data.
You mean that the Shuttle program was the only CMM Level 5 project in the world. Level 1 means… you code :-)