On System Design

Jim Waldo
 On System Design

Jim Waldo

Perspectives 2006-6
In an Essay Series Published by Sun Labs

December 2006
This work first appeared as part of the OOPSLA 2006 Essays track, October 22-26, Portland, Oregon, USA. Copyright © 2006 Sun Microsystems,
Inc. All rights reserved. The SML Technical Report Series is published by Sun Microsystems Laboratories, of Sun Microsystems, Inc. Printed in
U.S.A.

Unlimited copying without fee is permitted provided that the copies are not made nor distributed for direct commercial advantage, and credit to the
source is given. Otherwise, no part of this work covered by copyright hereon may be reproduced in any form or by any means graphic, electronic,
or mechanical, including photocopying, recording, taping, or storage in an information retrieval system, without the prior written permission of the
copyright owner.

TRADEMARKS
Sun, Sun Microsystems, the Sun logo, Java, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other
countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and
other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. UNIX is a registered
trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd.

For information regarding the SML Technical Report Series, contact Jeanie Treichel, Editor-in-Chief <jeanie.treichel@sun.com>.All technical
reports are available online on our website, http://research.sun.com/techrep/.
 Notes from the Author

What follows is a slightly edited version of an essay I wrote for the 2006 Object-Oriented Programming, Systems,
Languages and Applications (OOPSLA) conference. Richard Gabriel urged me to consider submitting to the essays
track of the conference, and I agreed to write something well before I knew what I would be writing about. What
intrigued me about the task was the thought of using the essay form, which allows the author to insert opinion and
personal observation, as a way of exploring a subject that did not seem to lend itself to the more impersonal form of a
conference paper.

In writing an essay, I am always aware of skating on the thin line between capturing something worth saying and sim-
ply pontificating. I hope that I have stayed to the useful side of that line, and apologize for those places where I have
crossed it. Much in this essay is borrowed or stolen from others, and I try to indicate the heavy influence of people
like Fred Brooks and Ivan Sutherland have had on my thinking in this area.

The subject of the essay, System Design, is one that as a profession we talk about less than I believe we should. It is,
in many ways, the most important and most difficult thing that we engineers attempt to do. I believe that we avoid
talking about it because it is hard, and seems somehow “unscientific.” There are clearly some designs that are good
and others that are not. But the judgment of how good a design is often seems subjective or based on aesthetic princi-
ples rather than on the cold hard facts that we are engineers who pride ourselves on forming the basis for all that we
do. I hope that this essay convinces some readers that the dichotomy between science and art or engineering and aes-
thetics is not clear, required, or even desirable. What we do must be grounded in fact, but it also needs to be grounded
in taste. We should revel in that rather than trying to cover it up. It makes what we do more difficult, but also much
more interesting.

Jim Waldo
Burlington, MA
December 2006
 Editor’s Notes

About the series—The Perspectives series is a collection of essays written by individuals from Sun Microsystems
Laboratories. These essays express ideas and opinions held by the authors on subjects of general rather than technical
interest. Sun Microsystems Laboratories publishes these essays as a courtesy to the authors to share their views with
interested friends and colleagues. The opinions and views expressed herein are solely those of the authors, and do not
in any way represent those of Sun Microsystems Laboratories, nor Sun Microsystems, Inc.

~~~~~~~~

Dr. Waldo is presently a Distinguished Engineer with Sun Microsystems, Inc.

—Ed.
 On System Design
Jim Waldo
Sun Microsystems, Inc
1 Network Drive
Burlington, MA 01803
1 781 442 0497
jim.waldo@sun.com

Abstract made it harder for system design to be taught or even done in

In this essay, I consider some of the factors that are making it a reasonable way.
more and more difficult to expend the effort necessary to do
system design. Because of changes in the economics of the I am beginning to believe that the art and craft of
field in both industry and research, we have become less able system design is in danger of being lost.
to take the time needed to do real system design, and to train
the next generation of designers. Because of the intellectual
property landscape, we are less able to discuss system The inability to do or to learn system design in these
design. The end result is that we do less good system design traditional venues has led to the emergence of new areas
than we used to, at least in those environments where system where engineers and scientists can practice and perfect their
design used to be most common. But there are reasons to be skills in the area. I will end the essay by discussing some of
optimistic about the future of system design, which appears those areas, as they provide the hope that good system design
to be happening in non-traditional ways and in non- will continue to be part of what we teach, learn, and practice.
traditional venues. In particular, one interpretation of the
popularity of both agile methods and open source projects is 2. What Is System Design?
that they give the participants places where they can learn the One of the most interesting, and most difficult, of the tasks
craft of system design. that we may undertake in our careers as engineers or
computer scientists is the design of an entire system. A
1. Introduction system is a set of interacting parts, generally too large to be
I am beginning to believe that the art and craft of system built by a single person, created for some particular purpose.
design is in danger of being lost. Carefully designed systems, We work with systems all the time. The operating systems
in which the right abstractions are combined in just the right that control our machines are systems. The layers of
way to produce a system that is easy to learn, easy to change, hardware and software that allow the programs on these
and pleasing to use and work with, are unlikely to happen machines to interact with each other over a network are
using the kind of design techniques that are popular today. It systems. Even most applications that we use are systems,
isn’t just the techniques that we use that impede our ability to whether we know it or not.
design systems. We are unable to train engineers and
As engineers, we know that the way to solve a large problem
scientists adequately in system design. The economics of the
is to break it into a set of interacting smaller problems. Each
industry push us in directions that don’t favor design. The
of these smaller problems can then be decomposed into even
realities of funding in research make it unlikely that much
smaller problems, until after enough iterations we have a
time will be spent on system design. The end result is that
problem that can be solved on its own. Each decomposition
less careful design work is being done, and we as an
gives us a set of components, and deciding what those
industry, a profession, and an intellectual discipline don’t
components are and how they fit together is the activity of
seem to care or be able to do much about it.
system design.
In what follows, I will try to describe and explain some of
All reasonable1 software is a system that has a design on this
these factors, and try to make clear the price that the industry
characterization. The software will be organized around
and the discipline are likely to pay because of these factors. I
methods or procedures or functions or whatever abstraction
will begin by trying to characterize what we mean by system
design. On the characterization I will give, all but the most 1
trivial of software artifacts have a design, but only some of We have all seen BASIC programs that have no such
them were given that design consciously. I will then turn to design. However, after the first week or so of writing
how system design is learned, and given that as a base will code, anyone who does not avoid that sort of non-
look at the changes in both industry and academia that have structure should be quietly, but firmly, convinced to
spend his or her time doing something, anything, else.

1
for this sort of decomposition the language being used System design can change and evolve over time. The
supports. Each of these methods will represent a original Javatm programming language and associated
decomposition and abstraction of a problem that must be libraries had a simple and consistent design. Some of the
solved for the software to run. The larger the piece of additions to the libraries associated with the environment
software, the more layers there are in the design, and the since it was first introduced reflect the original design, but
more complex the system. others have introduced other notions of design. The overall
system has evolved into something that, at a certain scope,
But to say that all software has a design does not entail that
has a coherent design but which, taken as a whole, is far less
all software is designed. Designing a system requires that
unified than it once was. A more radical example of design
someone think about the right way to decompose the
change over time is seen in the sets of protocols and
functionality, and how to create a small set of abstractions
languages that define the World Wide Web; when first
that can be re-used and re-combined to provide the needed
introduced these were simple and had a coherent design. But
functionality. The notion that anything that shows some kind
the collection of designs that have been proposed or that
of design is therefore the result of some conscious activity of
have become accepted standards in the past decade, show no
design is a confusion that is based on an ambiguity in the
such coherence or simplicity. Individual collections of these
term “design.” On one sense of the word, design is a
may be said to form a designed system, but the amalgam that
property of some object such as a program, a system, or the
forms the overall platform does not.
like that merely indicates that there are parts that interact. On
another sense of the word, design indicates the activity of Some of these examples of good design were thought out in
determining what the parts of some larger whole should be, fairly complete detail before the systems were produced.
and how those parts will fit together. While anything that is Others evolved with the implementation of the system itself.
the result of the activity of design will itself have a design, it But in all of the cases of good design, there is a fairly simple
does not follow that anything that has the property of a set of principles that can be seen to underlie the design. In
design is therefore the result of the activity of design.2 the case of Unix, the idea of a file and the ability of any
program to take an ASCII stream as input and produce such
One of the best indications that a program is the result of the
a stream as output allowed those learning the system to know
activity of design is the existence of a document that
what to expect as they encountered new parts of the system.
describes that design, especially if the document was written
There are times that the design of a system, even when it is
before the program. But all too often we must discover the
an example of good design, will need to be pushed and
design by inspecting the code. Sometimes the design that is
prodded in unnatural ways to gain something that the
discovered shows all the hallmarks of a thoughtful design
original design did not take into account. It was a great
activity, but there are other times that the discovered design
simplification in Unix to treat all files as ASCII streams, but
shows a haphazard combination of various abstractions,
the introduction of magic numbers, various kinds of headers,
duplication of functionality in slightly different forms, and
and conventions having to do with the filename extension
inconsistencies in the way in which abstractions were
show the desire for a typed file system being overlaid on
selected, implemented, and used. Such discovered designs
such a system.
show either the absence of any design activity prior to the
construction of the program, or that what design activity did Given my characterization of system design, I should really
occur prior to the writing of the program was, to speak restate my concern on the subject. Since any system will
plainly, not very good. have a design, saying that system design is dying out would
be the same as saying that software development is dying
I know of no adequate set of necessary and sufficient
out. That is demonstrably not the case. More and more
conditions for determining whether a design is good or not,
software is being produced, so there are more and more
but like so many things having to do with taste and aesthetics
system designs.
we generally know good and bad design when we see it. The
Unix® operating system has a simplicity and symmetry that What I am worried about is the demise of systems that are
is indicative of a good design; the companion C designed, in the sense that there is some coherent plan for the
programming language has a combination of power and system that is arrived at by the people working on the system
brevity that both reflects and compliments the PDP-11 in a way that is separate from simply observing how the code
architecture for which it was originally intended. falls out. Maybe a better characterization of my worry is that
the act of designing a system is happening less and less, and
2 as a result the design of the systems that we are producing is
The assumption that anything that exhibits the property of
becoming more and more haphazard and the resulting
having a design is, therefore, the result of the activity of
designs are less and less coherent, simple, and aesthetically
design is the base of arguments that go far beyond
pleasing. We seem to be producing software where the
computer science, engineering, or programming. Space
overall design can only be determined after the fact, by
limitations and good sense keep me from addressing the
looking at the code that is produced
wider issues of this debate.

2
Whether the perceived lack of designing systems is good or any team to create a good design that will meet the needs of
bad, it is something that we as an industry and as an the customer by the mere repeated application of the rules
intellectual discipline should understand. The change in the that make up the methodology.
design of systems is, I think, being caused by a number of
factors. Individually, they might not be a problem; taken “So, how do you go about learning to design a
together they are changing the way we build systems. Part of system?” Like most great questions, it showed a
it has to do with education; part if it has to do with level of naivety that was breathtaking. The only
economics; part of it has to do with the current fads or short answer I could give was, essentially, that you
fashions in the way we write software. In what follows, I will learned how to design a system by designing
look at each of these factors in turn. systems and finding out what works and what
Let’s start with some thoughts on education. doesn’t work.

3. TRAINING IN SYSTEM DESIGN I have no doubt that the success stories that each of these
Like most other industrial research laboratories, Sun Labs
design approaches and aids cite are true. In some sense, that
brings in groups of interns over the summer to work on
is just the problem; completely incompatible and
various projects. This is about as classic a win-win situation
contradictory approaches to the design problem have been
as can be found in business. Most of the interns are graduate
shown to be wildly successful by their proponents and wildly
students, with some undergraduates and an occasional high-
unsuccessful by the proponents of competing approaches.
school student. The interns find a summer job in their field of
Bottom-up or top-down, waterfall or extreme; all seem to
interest. The lab gets an injection of enthusiasm that is hard
work for some and not for others.
to replicate. The students think they are being overpaid,
while we get what we consider cheap labor. The students The only generally applicable rule that doesn’t have obvious
don’t know what things can’t be done, and therefore often do counterexamples is one I first heard enunciated by Fred
the seemingly impossible. Best of all, the interns get to see Brooks more than a dozen years ago. In a talk given in a
what the “real world” is like.3 Sun-internal seminar (an expanded version of which became
the basis for his Turing Award lecture in 2000[3]), Brooks
This past summer, while walking back from lunch about a
talked of the work he had been doing to try to find the
week into his tenure, the intern working in my group turned
underlying common feature of good design, not just in
to me and asked, “So, how do you go about learning to
computer hardware and software but also in such endeavors
design a system?” Like most great questions, it showed a
as architecture, graphics, and the fine arts. The only thing
level of naivety that was breathtaking. The only short answer
that he could find that good designs had in common was that
I could give was, essentially, that you learned how to design
they were produced by good designers.4
a system by designing systems and finding out what works
and what doesn’t work. I’ve been thinking about the long There is one reading of this insight on which it is true but
answer ever since; I’m not sure that the long answer differs uninteresting, a mere tautological statement that reflects
from the short answer in much more than length, but giving in to the unpredictable and inscrutable mystery of
nonetheless here is what I’ve come up with. design. On this reading, the only way to determine what
produces a good design is to wait until you have one, and
3.1 The Origin of Good Design then attribute it to the designer. Good design, on this view,
Before knowing how to train someone in system design, it is happens by chance. You can hope for it, but you can’t do
useful to have some idea concerning the origin of good anything to improve your chances of getting a good design.
design. If we can know what leads to good design, we can try This is not the reading that I believe Brooks intended, nor the
to teach people to do those sorts of things in the hope that one that I found persuasive when I first heard the talk. My
good design will result. reading of this principal is that those who have been able to
There is no shortage of books, seminars, and other training produce a good design in the past are far more likely to be
guides that claim to help in this quest. There are techniques able to produce a good design in the future. There is no
such as Six Sigma that profess to aid in the development of guarantee that the future designs will be good, but your
good design. There are languages such as UML that claim to chances are much better. There is no magic process by which
help in the development of good design. And there are no
end to the methodologies and processes that claim to enable
4
As a somewhat depressing side-note, the first question
asked at the end of the talk was what process those good
3
The thought that an industrial research lab could be designers used to produce the good designs. The question
considered part of the real world is in itself something of was asked by a senior engineer, who should have known
a comment on the connection between academia and better. Sometimes hearing is not the same as
reality. understanding.

3
such designers produce their designs; each may go about the but it is also true that you need to learn the technique that
design problem in a different way, and a designer may allows you to channel and amplify that talent.
approach one problem in a particular way and another in a In my own case, the instruction that I received in system
completely different fashion. design came in the form of an apprenticeship with a master
The point, I believe, is that good design is a capability that designer. This was not a formal arrangement, and it could
some people have, and others simply do not. Whether this is well be that the person I considered myself apprenticed to
an innate skill that people are born with, or one that is did not see our relationship in anything like those terms. But
cultivated over time in ways that we don’t understand, is a looking back on it, I clearly see it that way.
question far too deep for me to address here. I neither know The more structured and corporate relationship was that of
nor care. But by the time someone is designing a computer an overall software architect for a major component of a
system, whatever it takes to be a good designer is either there system and an individual contributor for that system. The
or it is not. When it is there, it can be developed and honed. group I was in was responsible for the windowing system
It can also be degraded or warped. But when it is not there, and all user-visible tools for Apollo Computer, an early
there is no technique or process that can make up the deficit. workstation company. The architect of the group had
Some people are uncomfortable with this idea. Many of them implemented the first version of these components on his
are managers; I will discuss their discomfort later. Others are own, but as is often the case grander plans had been hatched
uncomfortable for more philosophical reasons; they feel that for the second system and a small group had been assembled
saying that there are those who can produce good designs to do the design and implementation. I had been hired to
and those who cannot is contrary to some egalitarian notion design and implement the component library that would deal
(which it is) and somehow elitist or undemocratic (which I with text; there were others who were dealing with the
think it is not). windowing system, input mechanisms, the shell interpreter,
Why should we be surprised to find that there are some and even a scripting language.
people who are just not capable of doing first-rate system The overall design process for the group required the owner
design? Such designs are difficult, complex, and require a of each component to write a series of specifications for his
great deal of taste to get right. Further, they require the or her component. The first of these was a straw man, meant
ability to deal with a great deal of ambiguity while forming to be a quick sketch of the various pieces and the overall
the design, an ability to deal with whole sets of questions that component model. The last was an iron man, a detailed
the designer can’t solve but which he or she knows or has the specification of all of the entry points and their functionality.
faith to believe will be solved at the appropriate time. Given Once a month, the entire group would go off site, usually to
the difficulty of all of these tasks, it is no more surprising the apartment of the manager of the group, for a morning to
that not everyone can be a great designer than it is that not review one of the specifications for some component.
everyone can be a great composer, or a great artist, or a great
architect, which not coincidentally are all fields that are a The fact that good designs come from good
kind of design. This is not to say that designers are better designers does not tell us where the good designers
people than those who are not great designers; indeed, come from.
designers are good or bad people in roughly the same
proportion as any other group. But it is to say that some
people are better designers than others, and ignoring that is The overall architect of the group was not one of the more
one of the many things that leads to bad system design. active participants in these discussions. But when he talked,
everyone else listened. His most damning criticism was a
3.2 Teaching by Doing simple “That’s too hard.” When said of a specification, it
Having said all that, the question of how to teach system indicated that you had not done the work to sufficiently
design is still open. The fact that good designs come from understand the problem and boil it down to some simple
good designers does not tell us where the good designers core. The assumption was that there was always some simple
come from. While it may be true that not everyone can be a core, and by making the assumption such a core was
good designer, it is also true that there is some learning that generally found.
goes on. I am reminded of posters I saw years ago at the
Those design reviews, and the constant interaction with both
Rhode Island School of Design, posters with the headline
the architect and the other members of the group over a
“Talent without technique is a waste.” The school does not
multi-year period of time, were the places where my system
claim to be able to make anyone an artist. But they do claim
design skills were honed. It was here I learned about
to be able to take someone with the talent to be an artist and
simplicity and symmetry, about interfaces and designing for
give them the technique that will let them exploit and
change, and a host of other rules and techniques that I still
channel that talent. The same is true in system design; it may
use. More important, I learned what worked for me and what
be that you must have some talent to do the design task well,
did not, and that what worked for me might not work for

4
others. Rather than learning a process of design, I learned readings: Lampson[6], and Brooks[2], and lots of things by
how I could best design. Parnas[4]. But I’ve never been able to pin down the concepts
I originally thought that this way of learning design was that needed to be taught and the sequence in which those
unusual, and a result of my academic background being in a concepts are to be presented. After considerable time of
field unrelated to computer science. But as I learned more trying and failing to come to some plan, I realized that I was
and began talking to others who I considered to be good at thinking about this problem in the wrong way.
system design, I found that this experience was more than More than half a century ago, the philosopher Gilbert Ryle
just common; it was nearly universal. Everyone I talked to made a distinction between knowing how and knowing
had a similar story of the master designer who had, either that[8]. Knowing that is a relation between a person and a
consciously or by example and correction taught him or her proposition; it is a piece of factual knowledge that can be
what they considered to be the important lessons in design. discovered, can be justified, and can be taught by the usual
There was a period when I would ask, “who did you do your mechanisms of pedagogy. Knowing how is a different kind
design apprenticeship with?” without supplying any other of thing; it is the kind of knowledge we have when we know
context. I expected some to be confused by the question, but how to walk, or run, or sing. It is not a factual sort of
I found that everyone to whom I asked the question not only knowledge, but an ability that we exhibit in our actions. We
understood it, but was able to answer without thinking. Even can know how to do something reasonably well or expertly.
more interesting, the names that were given were often the We can’t know that the world is round reasonably well or
same. Whether they knew it or not, a relatively small number expertly. Most important, while we can be taught to know
of master craftsmen were credited with training a much how to do something, the kind of teaching that takes place is
larger number of system designers. very different from the kind of teaching required to know
that.
Design, if my experience is any indication, is best Academic disciplines require a combination of knowing how
learned by a long and varied process of trying, and knowing that. To be fully educated in any of these
failing, and trying again under the guidance of disciplines, one certainly needs to understand the factual
someone who is an expert at the task. backgrounds of that discipline. But to be truly educated in
the field also requires that one learn how to think in a
particular way. Each field has its own technique or set of
This was hardly a scientific survey, and as scientists we
techniques that must be learned just as well as the subject
should take care in drawing strong conclusions from
matter of the field if you really want to be an expert in that
anecdotal data. But I think it is indicative of something that
field.
no one that I have talked to about how they design and how
they learned to design has pointed to a class that they took
which trained them in any important ways. Design, if my Academic disciplines require a combination of
experience is any indication, is best learned by a long and knowing how and knowing that.
varied process of trying, failing, and trying again under the
guidance of someone who is an expert at the task. Different fields have different combinations of subject
3.3 Design and Curriculum matter, that requires knowing that, and technique, that
That no one seems to learn system design from some course requires knowing how. The vast majority of my formal
can be troubling. If designing of systems is really the hard training was in the field of philosophy. As practiced in the
part of what we as engineers and computer scientists do, United States and England, what is sometimes called
aren’t we in need of some systematized way of teaching “Anglo-American” or analytic approach to philosophy, the
what is needed to do that kind of design? field is almost entirely technique. Certainly there is plenty of
content having to do with the history of philosophy and the
Looking around the web, there are some courses in system great philosophical questions. But what really matters is the
design that are taught at various universities, and lots of way in which one thinks, having to do with conceptual
courses offered by consulting companies. I have more than analysis, the building of logical models, and approaches to
just a passing interest in a course in system design for a argumentation. While very little of the subject matter of
variety of reasons, not the least of which is that I have been philosophy was useful to me when I became a software
contemplating teaching such a course. It is the sort of course engineer, I found that the techniques I learned were just as
students ask for; it would be valuable if students coming into relevant in computer science as they were in the field in
industry actually had some skill in system design; and it which I learned them.
would be interesting to design the curriculum and readings
for such a course. I’m told by those who have attended that law school is very
much the same, in that gaining a technique, or learning to
I had great difficulty in getting anything like a set of readings think like a lawyer, is far more important than the actual
or a coherent plan for such a class. There are some obvious subject matter of the law After one has learned the technique,

5
one can take the bar exam for a particular state, testing What would be best is a situation where an entire department
knowledge of the subject matter of the law for that state, was cognizant of the need to teach design technique, and all
before one can practice law. But knowing the law without of the courses from any of the instructors had as an admitted
knowing the technique does not make one a lawyer. goal the training in such technique. Such curricula are
There are other subjects where there is far more subject possible in other design fields, but they are difficult to design
matter to master along with the technique. When studying and even more difficult to evaluate. Until we as a discipline
geology you still need to learn to think like a geologist, but find a way to do this kind of curricula design and evaluation,
there is also a lot of subject matter that must be mastered. In system design will continue to be learned as a craft, through
these subjects, learning the technique is often a byproduct of an apprenticeship, and outside of the normal academic
learning the subject matter, or at least a byproduct of the channels. Perhaps this is all that we can expect, but in times
pedagogy used in teaching the subject. of optimism I think that we as a field could do better.
Courses are organized around chunks of the subject matter It might be that we should look not at engineering but at the
rather than around technique. A well-designed program will studio arts for direction on such a curriculum. The approach
use the technique of the field in all of the courses for that taken there is that the students do lots of design projects, of
field, and will use the learning of the subject matter as an varying levels of complexity and size, and are constantly
excuse to train students in the technique. Courses that try to undergoing criticism of their work, both from their peers and
teach only technique tend to be somewhat unsuccessful; at their instructors. These students also see the work of their
best they can provide a forum for students to demonstrate the peers being criticized, which is another way in which design
technique they have already acquired. can be learned. This is a lot more work, both for the students
and the teachers, but seems to have some positive impact on
The academic discipline of computer science has not, I the development of technique in an area where elegance and
believe, done a particularly good job of recognizing the taste are being taught. I doubt that we could do worse than we
distinction between technique and subject matter. While do currently if we as a discipline were to try such an approach.
there are some examples in which the technique is
reasonably well described (a recent piece by Jeannette 3.4 The Intellectual Gene Pool
Wing[10] does a great job of describing what it is to think Before moving on to other topics, there is one side trip that I
like a computer scientist), the seemingly non-terminating feel must be taken while on the subject of learning system
discussion of what the curriculum of a computer science design. It has to do with what I think is an unfortunate
major (see, for example, [1]) appears to confuse the narrowing of the intellectual gene pool in our field.
techniques that we need to instill with the subject matter that
we need to teach. Until we as a discipline find a way to do this kind of
My own conclusion is that system design is really a matter of curricula design and evaluation, system design will
technique, a way of thinking rather than a subject that can be continue to be learned as a craft, through an
taught in a particular course. It might be possible to build a apprenticeship, and outside of the normal academic
program that teaches system design by putting students channels.
through a series of courses that hone their system design
skills as they move through the subject matter of the courses.
When I first started writing software, the industry was
Such a series of courses would, in effect, be a formalized
expanding so rapidly and the academic field was so new that
version of the apprenticeship that is now the way people
there were far more jobs for software engineers than there
acquire their system design technique.
were candidates with degrees in the field. As a result, lots of
There may even be departments of computer science that different backgrounds were represented in nearly every
have just such a series of courses. If so, I am not aware of software engineering group.
them. They would certainly not be found by looking for
For example, in the group in which I served my
schools that teach a course in system design; all of their
apprenticeship, the academic backgrounds included a Ph.D. in
courses would have as a subtext system design. I think it far
physics, a Ph.D. in philosophy (me), an engineer who had
more likely that computer science departments teach system
done graduate work in psychology, another whose background
design in much the same way that I learned system design—
was in anthropology, and two musicians, along with two
that there are some professors who act as master craftsmen in
engineers who had degrees in computer science and one who
the field for a group of students, who apprentice with those
had no degree at all. As a result of all of this diversity of
professors. These students will take any course taught by the
background, there were lots of different viewpoints on any
professor, no matter what the subject matter, and learning by
given problem, and lots of ways of looking at any task. The
doing. But such training is accidental at best; often students
end result was one of the most interesting and innovative
are advised against taking too many courses from a single
groups that I’ve ever been a part of.
faculty member, which decreases the probability of such
technique training occurring.

6
What I find distressing is that I doubt very much if any of the industry have conspired against the kinds of training that lead
members of that group who had studied something other than to good system design.
computer science could have gotten their first job as a software
engineer today. Academia has always insisted on the proper 4. WHERE SYSTEM DESIGN HAPPENS
credentials in the proper field. This is not surprising, given that If system design is in fact learned as part of an
they exist to issue such credentials. But industry now requires apprenticeship, there are two places that we should expect
that those who fill the job of software engineer be trained in such learning to take place. The first is in graduate school,
that field. The result is that the candidates entering the where a student can work with a single faculty member, his
profession are far more homogeneous in the way they think or her advisor, who acts as a master. The other is on-the-job,
and the way that they approach problems. Many times they learning the arts of system design by doing such design.
have been told what the proper way to solve a problem is, and But various forms of pressure have made this kind of training
so they simply solve it that way. harder and harder to obtain, because less and less real design
goes on either in academic research or in industry. Instead,
System design is not something that can be covered academic research has become much more of an
in a class, but is learned through a much longer evolutionary task, a change that has been an unintended
process that is more like an apprenticeship than consequence of decisions by funding agencies designed to
anything else. Such apprenticeships are not the sort reduce risk. At the same time, industrial system design has
of thing that our educational system is set up to become more constrained, more expensive, and less
provide (at least at the undergraduate level), and is adventurous. The result of both has been not just a reduction
not going to be provided by some change in the set in the ability to teach system design, but an environment in
of courses that make up the curriculum. which many of the wrong things are being taught about how
to accomplish that task.

If we actually knew what it is to think like a computer scientist 4.1 Industrial System Design
or software engineer, and knew how to teach people to think Perhaps we should not be surprised that there is less
that way, this might not be a problem. If we actually knew the opportunity to learn system design in industry, if for no other
answers to most of the questions that come up when producing reason than that there are fewer systems that need to be
software, getting people who already know those answers designed than there were ten or twenty years ago. Industry
would be a way of making the industry more efficient. But, as consolidation and maturity have changed the need for system
I argued in the previous section, I don’t think that we are very design, and therefore the opportunity for learning such design.
good at teaching how to think like a computer scientist, or at Twenty years ago there were far more companies creating
least like a system designer. Nor do I think that we have computer systems than there are today. Further, these
adequate solutions to many of the problems that have to do companies competed not merely on price but on the
with system design in particular and software engineering in functionality, stability, and sophistication of the overall
general. We can certainly get more immediate returns on our system, which was proprietary to the company. Every
investments by hiring only those students who have a degree computer company had their own chips, their own hardware,
in computer science or a related field. But I fear that we are their own operating system and their own programming
limiting our genetic stock of ideas prematurely, and as a result language. Indeed, IBM had three or four of each. In addition,
the discipline is the poorer for it. customers buying these systems would then need custom
3.5 Education and System Design software that went beyond the basic computer system, so
there was a thriving industry in building that custom
If the above observations are correct, then it is not all that
software. All of these projects required system design, so
surprising that system design is uncommon, and good system
there were lots of chances to try designing a system, and lots
design even more so. Good system design requires not only
of chances to learn either by getting it right or getting it
talent but the training that supplies the needed technique to
wrong. There was also a thriving interchange of design ideas
go along with that talent. System design is not something
in conferences like USENIX, OOPSLA, HotOS and the like.
that can be covered in a class, but is learned through a much
longer process that is more like an apprenticeship than Current industry trends are very different. Where there used
anything else. Such apprenticeships are not the sort of thing to be many computer companies, there are now far fewer.
that our educational system is set up to provide, at least at the The number of operating systems has been reduced to two,
undergraduate level, and is not going to be provided by some with the choices being Windows or one of the Unix variants.
change in the set of courses that make up the curriculum. Customers almost never purchase custom software systems,
built from the ground up from specifications hammered out
In fact, most who do system design learned their craft after
in discussions between the software engineers and the
they completed their formal classroom education, either on
customers themselves. Instead, most custom software is
the job or while doing thesis research. But changes in the
written to allow the connection of existing systems, or the
economics of both research funding and the software

7
continuation of those systems on new hardware or in new The fact is that good system design takes time; it is the sort
environments. The production of this kind of software of thing that requires hard solo thinking along with long
comes not from small companies that specialize in doing discussions with other engineers. There are days when no
system design but rather from either the consulting services real progress seems to be made, and other days when the
of existing companies or specialized consultancies, and is only progress is to realize that what you thought was
generally constrained to the existing environments in such a progress over the previous few days or weeks was in fact a
way that the design freedom of the creator of the software is wrong turn that won’t really work. Such a realization is
tightly constrained. progress. In fact, such a realization may be the most
A lot of effort has been put into finding ways of building important kind of progress, as it can save huge problems
these custom systems in ways that are more efficient and later in the project. But to a manager it may not seem to be
responsive to the customer. Techniques such as extreme moving forward.
programming, in which small changes are made to a system Grady Booch once told me that he believed that the greatest
with constant feedback from the customer have been contribution the tools he and others had produced to
developed and are widely used. These techniques emphasize support the design process was that they made it appear to
doing quick prototypes and then enhancing those step-by- managers that the designer was doing something. He may
step until what the customer wants is produced. have been exaggerating, but not by much. Anything that
Such techniques are excellent ways of making sure that the gives the designer time to think about the system before
system produced is the one that the customer actually wants. committing those thoughts to code helps the goal of well-
But they are not good techniques if one wants to insure some designed systems.
form of up-front system design. Rather than trying to think What is really needed is an act of faith by management.
out the system ahead of time by decomposing it into its The difference between someone who is making progress
constituent parts, these sorts of iterative techniques in coming to grips with a system and someone who is
emphasize adding features by aggregation on to a first- taking an in-office vacation may not be visible from the
approximation core. System design may be enhanced by outside. Most managers are not able to do the design task
refactoring as the project progresses, and there may be times themselves (those that can are rarer than those who can
when it is possible to review the entire system and change make the needed leap of faith), and so have to trust the
the design. But neither of these activities helps to get the system designer. Having an engineer as the designer who
project done, and often the result of such work is not visible has been successful in the past may help a manager to be
to the customer. It is far more usual that problems in the patient. But if you find a manager who is actually willing to
design are coded around rather than fixed. The end result is a give you time to do the design task, stick with him or her.
system in which the design emerges rather than one in which He or she is a treasure much rarer than gold.
the design is thought out.
4.2 Design and Intellectual Property
Even worse than not being visible to the customer, work A subtler change that has had an impact on system design is
done on designing the system is not visible to the the change in the way corporations and, to some extent,
management of the company that is developing the system. universities, view intellectual property. One of the reasons that
Even though managers will pay lip service to the teaching of there were conferences and mailing lists that documented and
The Mythical Man Month[2], there is still the worry that discussed system design was that the companies in which
engineers who aren’t producing code are not doing anything those systems were developed did not want the ideas
useful. While there are few companies that explicitly underlying the systems to be kept secret. Indeed, the
measure productivity in lines-of-code per week, there is still developers of the system were generally encouraged to publish
pressure to produce something that can be seen. The notion their designs. Such publications were seen as ways to market
that design can take weeks or months and that during that the products shipped by the company, and were seen by the
time little or no code will be written is hard to sell to designers as ways of getting feedback and new ideas about the
managers. Harder still is selling the notion that any code that design. It also meant that there were forums where system
does get written will be thrown away, which often appears to designers could look at the work of other designers, discuss
be regression rather than progress. that work with them, and find solutions that could be
incorporated into their own designs.
Grady Booch once told me that he believed that the But over the past decade, the companies that funded the design
greatest contribution the tools he and others had work decided that they wanted to be paid when others used the
produced to support the design process was that results of the design. On the face of it, this is not a bad thing. If
they made it appear to managers that the designer companies invested and obtained a result, it is reasonable that
was doing something. they be rewarded for the investment. If these companies can
see that there is a reward, they are more likely to continue the
investment. This is the premise behind the patent system in

8
particular and intellectual property rights in general, so they can, but are working with a number of handicaps. While
perhaps we should be surprised that there was a period when the fees that are charged for patents are supposed to be
this kind of thinking was not applied to system design. returned to the office to fund the work that they do, in fact a
There has been much debate about whether or not software considerable portion is taken and used elsewhere; the patent
in general and system designs in particular are proper office is one of the few places in the U.S. government that
artifacts for the patent process. I’m not sure where I stand on could be considered a revenue generator. The pay that can be
such issues; discussions on the reification of ideas in offered to examiners is far less than what they can make in
software and the comparison of that to the reification of other the private law firms that deal with intellectual property law.
inventions in a form that can be touched and manipulated, One director in the patent office admitted to me that when
and discussions of whether software system designs are more examiners could only make 50% more in private industry it
properly covered by patent laws or copyright, are interesting was still possible, because of government pensions and
as ways to fuel conversations over drinks. But like many benefits, to attract good people, but when the differential
discussions that are essentially philosophical, I’m not at all became 100% or more it got much harder. The number of
sure that they will terminate with a real conclusion. patents that are being filed has grown far faster than the
number of examiners; I was told that the current wait
Less debatable is the fact that the current system is not serving between a filing and the time that an examiner is even
either the companies that fund design or the field in which the assigned to a case is close to three years. Until then,
design takes place. Whether this is an inherent aspect of the applications are stored in a room filled with shelves that
system or an accident of the way in which the system has looks like something out of the last scene of Raiders of the
evolved is an issue that is beyond my skills to decide. But the Lost Ark.
effects are harmful in ways that I see every day.
The end result is that patents are examined in a somewhat
The first problem has to do with the way that the negotiation cursory fashion by examiners whose expertise varies widely.
over the value of patents occurs between the companies that The patent office, to its credit, has taken steps to try to make
hold those patents. Such negotiations, I am told by those who things better, but there is a 10-year history of software
have been party to them, are generally done by count rather patents of questionable quality. Once again, this would not
than by value. That is, company A will count up the number of be a problem in itself, for the issuing of a patent does not
patents it holds in some broad area such as computer hardware mean that the patent is good. That, as any patent attorney will
and software. Company B will do the same. Whichever tell you, can only be decided in court when the patent is
company holds the larger number of patents is the one that will contested. But here we get to the third problem with the
be paid by the other, and the size of the payment is determined patent system.
by the size of the difference. The end result is that each
company cross-licenses all of their relevant patents to the Patent litigation, for those who have been through it, is the
other, and some amount of money changes hands. closest thing I’ve found to living in the world envisioned by
Kafka. The theory is that a jury of ones peers can be presented
The problem with such a scheme is that it does not take into with the facts of the case, and can decide if the patent in
account the quality of the ideas that have been patented. A question is an embodiment of a true innovation and if the
fundamental patent in a major part of the field is no more technology in question in fact infringes on the patented
valuable in such a negotiation than some minor tweak that is invention. But a jury of one’s peers does not mean a jury of
no longer relevant because the industry has passed it by. The one’s technical peers. Instead, it means a jury made up of
assumption is that, on average, any patented idea is just as people registered to vote in the district in which the trial is
valuable as any other. This is an assumption that makes such held. Indeed, having a technical background may well
negotiations possible, since any negotiation based on the disqualify a person from serving on the jury in a patent case,
value of an idea would take forever. But it also encourages since such a juror may be coming into the trial with a pre-
the companies involved to attempt to patent any idea, no conceived notion of what is novel and what is not in the field.
matter how large or small, since the value of any patent is
considered equal to the value of any other. The result is that twelve non-technical citizens are asked to
decide if something really is a novel invention, and if some
This in itself would not be a problem if the quality of patents other piece of technology infringes on that invention. To
were itself more uniform. However, the software world is make this decision, the holder of the patent will introduce an
still somewhat mysterious to the patent office, and was even expert witness, who will present his or her credentials and
more so when software patents first started to be issued. We then testify that the invention is both novel and infringed.
can all think of patents that have been obtained for The defending lawyers will present their own expert witness,
techniques that have been in common use for years, or who will present his or her credentials and then point out
patents for techniques that appear to most members of the how the invention in question was well known prior to the
profession as obvious extensions to known techniques. filing of the patent, embodied in a number of pre-existing
I have toured the patent office, and know a number of the technologies, and not part of the technology that is claimed
people who work there. They are trying hard to do the best to be infringed. The jury then has to decide which witness to

9
believe. The presumption is that the patent is indeed valid; While the general situation around software and systems
otherwise, why would the patent examiners have awarded a patents is troubling, the impact that situation has had on the
patent? The end result is probably not as random as flipping discipline of system design is not often acknowledged but is
a coin, but if you have gone through the proceedings it is nonetheless large. The co-demands of keeping our own
hard to convince yourself that the results of the process innovations secret, at least until the patent is filed, and not
actually turn on the originality of the patent and the similarity studying the work of others, to keep from being charged with
of the technology claimed to infringe on that patent. knowing infringement, is responsible, at least in part, for
Worse still for the subject of this work, if you have been stifling the discussion about systems design in the
found to infringe, there is then the question of whether or not communities of software engineering and computer science.
you have infringed knowingly. If it is found that you have, We now talk about the process of system design, or the tools
rather than just infringing by accident by re-inventing the that we can use to support system design, but we rarely talk
technology contained in the patent, the damages awarded to about actual system designs. It is as though artists were told
the holder of the patent are tripled. they could no longer talk about art, but could only talk about
brushes, pigments, and the way in which they prepare a
canvas. It is very hard to learn about good system design
Patent litigation, for those who have been through unless you can see and study other system designs, both
it, is the closest thing I’ve found to living in the good and bad. The intellectual property atmosphere in
world envisioned by Kafka. The theory is that a jury industry has limited the number of designs that are actually
of ones peers can be presented with the facts of the talked about, and has convinced many system designers that
case, and can decide if the patent in question is an they should not even look at the designs that are available.
embodiment of a true innovation and if the Whatever you think of the patent system, this effect has been
technology in question in fact infringes on the bad for the overall quality of systems.
patented invention.
Before moving on to other topics, it should be noted that
open source is often touted as one answer to the problems of
The impact on all of this on the discipline of system design is the intellectual property system. Open source, it is argued,
that companies now encourage their designers to patent any has as a major advantage that anyone can look at and study
part of their design that seems novel, rather than publishing the code for a system, and hence can learn the design of that
that design in a journal or talking about it at a conference. The system. Good designs can be seen, as well as bad designs,
more of this work that can be patented, the larger the patent and the discussion, generally carried out on mailing lists, can
portfolio for the company, and the less likely it is that there take the place of the conferences that we used to have on
will be a need to pay large amounts of money to other firms system design.
when cross-licensing agreements are made. Part of patenting is
There is a sense in which this is true, and for that I am a great
that you can’t talk about the item being patented until the
proponent of open source. However, open source generally
patent is filed5, which can be a long and involved process.
requires the discovery of system design from the artifact of
At the same time, companies are actively discouraging the code, rather than supplying some kind of documentation
designers from looking at the work of their colleagues in that explains why the system is the way it is. Further, many
other companies. Looking at such work can lead to future of the well-known open source projects, such as Linux and
claims of knowingly infringing on a patent, which triples any the Apache Web Server, are implementations of existing
damages that might be awarded. This combination of the designs. Reading the code can teach one a lot about such
desire to patent and the fear of knowing infringement can implementations. But reading the code is less useful as a way
lead to situations that verge on the absurd. I have been asked, of learning about the system design itself.
as part of patent filings for work that I have done, to provide
exhaustive lists of any pre-existing work that might have 4.3 Systems and Standards
influenced the design, while at the same time being warned The one circumstance in which most managers will allocate
not to actually search the literature for anything that I might time for the design of a system is when that design takes
not have known about previously. place in the context of a standards body. This is also the one
time that most companies will allow the designers to talk
with other designers about that design. So it would seem that
5 standards bodies would be the best place for the activity of
More precisely, you can’t talk about the invention before system design. Unfortunately, for a number of reasons,
it is filed if you want to get a European patent. In the standards bodies are among the worst places to do real
U.S., the patent must be filed within a year of the system design.
invention first being disclosed. In practice, it is hard to
get approval from the legal department of a company to The interaction between system design and standards bodies
talk about anything patentable prior to the filing, and even is complex and takes a number of different forms. At its best,
after it might be difficult. standards bodies simply codify an existing technology that is

10
so widely used that it is already a de facto standard. The when technology companies differentiated themselves by the
intention is not to solve a technical problem with the features that they were able to design and build into their
standard, but to clarify and specify existing practice. This is systems. However, over the last decade adherence to
the sort of role that the groups that standardized the C standards has become more and more important. This is not
programming language or the IP protocol had. There were surprising, as it allows customers of these technologies to
some technical contributions made by each of these simplify their acquisition of products. They begin with a
standardization efforts, but those contributions were to checklist of standards, and find the vendor who can supply
clarify edge cases where the existing implementations of the all of those standards at the best price. More important, by
de facto standard differed. adhering to standards, a customer is not tied to a particular
vendor, since essentially the same system can be bought
The recent history of attempts to standardize from the competitors of that vendor.
various parts of the Extensible Markup Language Because of this change in the buying strategies of their
(XML) takes this trend to something close to customers, influence over standards groups has become very
absurdity. In the early years of this decade, it important for technology vendors. If a standard can be
seemed that a new standards body was being written in such a way as to advantage a particular vendor, the
formed every month to promulgate an as-yet- competitors of that vendor will be forced into playing catch-
undesigned XML standard. up for some period of time. Thus participation in and control
over standards groups has become a way for technology
vendors to differentiate their offerings.
This is a very different role than that taken on by standards
bodies that attempt to create a standard technology out of The recent history of attempts to standardize various parts of
whole cloth or from an as yet unproven idea. Classic the Extensible Markup Language (XML) takes this trend to
examples of such attempts are the groups that defined the something close to absurdity. In the early years of this
Ada programming language or the OSI networking standard. decade, it seemed that a new standards body was being
The OSI networking standard gave us the seven layer model formed every month to promulgate an as-yet-undesigned
that we all know and love, but also attempted to define a XML standard. Each of these standards bodies was made up
standard for interconnect based on that model. Only the of some subset of the overall set of computer vendors, and
seven-layer model remains today. The Ada language determining which company was controlling the standards
specification defined a language that is still in use, but most group and which was being frozen out took skills that used to
of the users are required to use the language contractually, be reserved for determining the meaning of which
not out of free choice. In both cases, the standard was an commissar was standing by which politburo member during
attempt to invent and guide technology rather than codify the May Day parade.
existing technology, and in both cases the results were All of this may make for good business. It may give
somewhere between partial and total failure. customers more choice and more control. My only point is
One of the differentiators of standards that succeed and those that it does not produce good system design. It is hard
that fail is where the system design takes place. If the system enough to do good system design when it is done by a single
is designed outside of the standards process, generally by a person, or a small group, whose only design considerations
small group or an individual, and has been implemented and are technical. When that same task is attempted by large
used, the chances of the standard being widely accepted and groups of people each of whom has a different agenda and
useful are high. Examples of this include the C language and whose technical judgment is at least influenced by, if not
the TCP/IP standards. If the standards group undertakes the subordinate to, commercial or political considerations, we
system design itself, the chance of producing a coherent and should not be surprised if the resulting designs are not those
useful design is much lower. that we hope others will learn to produce.
This should be no surprise. Good system design requires at 4.4 Academic System Design
least a unified vision of the overall system, and the ability to If system design is best learned by apprenticeship, we could
push that vision to all parts of the system. This can best be expect that system design could be learned in graduate
accomplished when the design is the responsibility of a school, where the student/advisor relationship closely models
single person, and can sometimes be maintained when a the apprentice/master craftsman relationship. This may be
small group undertakes the design. However, a standards true for some graduate programs, but just as the changing
group is rarely small and unified in its vision. Indeed, the economics of industry have made it harder and harder to
standards process is an inherently political one, where the teach or do system design in companies, changes in the
addition of one feature is often bargained for by accepting economics of academic research have made it more and
the addition of a different feature. more difficult to do real system design there.
This political aspect of standards groups is exaggerated by There is an idealized view of academic research in which
the commercial importance of standards. There was a time that research takes greater risks than industry, plans for the

11
longer term, and is less concerned with the commercial demonstrate their results. As a result of this demonstration,
success of a research effort than in the intellectual content of either re-allocate the funding favoring the most promising of
the research. On this view, academic research can take a the alternatives, or simply cut the funding to all but the most
longer view than industrial research and development, and promising project. Repeat.
can take on higher-risk questions since even negative results A number of government and private agencies that have been
can add to the base of knowledge that is the goal of known for funding long-term research now use this model.
academia. When a research program does pan out, the results While the model seems to make sense and certainly cuts the
can be transferred to industry for further development, and risk of making a major research investment in something that
the academic researcher can turn to the next big question. takes years and produces nothing but negative results, it also
Along the way, graduate students are trained in methods of means that many academic research groups are in a constant
research and techniques of system design, and when they are short-term effort to produce the next bake-off demo.
done they can either join the industrial world or return to
academia to continue long-term research and the training of As a result, academic research is of a shorter duration and is
the next generation of graduate students. more risk-averse than industrial research and development.
Industry is often able to invest in high-risk development
Those who believe this will also clap for Tinkerbell. based on the possibility of large returns (although this is
The reality of academic research is much different than this. often tied to making the results of the development into a
Professors spend much of their time writing grant proposals standard, which was discussed in the last section).
in an attempt to get funds for the support of graduate Academics are increasingly unable to convince granting
students. Once they get such grants, they need to target their agencies to fund for the same long duration.
research to produce the papers that will be accepted to the Nor are academic institutions much more open to sharing the
appropriate conferences and journals in their field, and be results of their research than is industry. The lesson of
able to show the granting agencies enough progress that they intellectual property has not been lost on many of these
will be able to get another round of grants. The cycle is institutions that now seem to hope that the developments of
actually quite short. Most grants require either yearly or their research can be used to add to the endowment of the
semi-yearly reviews, and some require much more frequent university. I do considerable collaborative research with
updates. The received wisdom is that a grant needs to have various academic institutions, and have noticed over the past
enough detail to prove that the research the grant will support five or so years an increase in the difficulty of negotiating
will in fact be successful; to do this it is in turn often agreements on the intellectual property generated by such
necessary to have done the work already. Thus there is a collaborations. Indeed, one collaboration that I tried to fund a
tradition in some departments of using the results of the work couple of years ago became impossible when the academic
done on one grant to get the money for the next grant. As in institution’s lawyers insisted on terms that gave the
most systems, the hard part is bootstrapping (in this case, institution all rights to anything that was done by anyone in
getting the first grant), but there is an increasingly common the collaboration, including any work done entirely by my
practice at universities to offer junior faculty seed grants for group inside of Sun. Even when the conditions are not so
this bootstrapping mechanism. irrational, the desire by these institutions to patent the result
This may not have always been the case, but the realities of of the work of their faculty and graduate students has had the
funding agencies have dictated this form of risk-averse same squelching of open discussion as has been caused by
funding. The funding agencies, many of which are the protection of intellectual property in industry.
governmental, have been pressured to show more relevance Whether such policies will lead to more money for
in the research they fund, and have sometimes been universities is yet to be seen, but these changes in funding
embarrassed by research that has not given positive results . and sharing do mean that it is less likely that full system
This is not a new phenomenon; some of us are old enough to design will occur at these academic institutions. Academia is
remember Senator William Proxmire’s Golden Fleece subject to the same pressures as industry. Even though the
awards, given to government-funded research projects that pressures comes from slightly different sources, it gives the
appeared to be meaningless or otherwise ill-advised. As the same results with respect to system design.
funding agencies face more and more pressure to show that
the work they are funding lead to actual results, those 5. WHAT DOES IT ALL MEAN?
agencies in turn place more emphasis on ensuring that the The previous sections paint a rather grim picture concerning
research they fund will be successful. the practice of system design. A combination of impatience,
One way of doing this is to require occasional “bake offs” economic pressures, and a lack of trust by those who don’t
between research projects competing for money. This understand what is required for system design seem to be
funding technique uses a simple recipe. Give a number of creating a perfect storm, where we don’t have the time or
projects seed funding for a first phase of a project. At the end support to do real design in either academia or industry, and
of the first, fairly short, phase, have the different projects where we can’t train the next generation of system designers
in the craft.

12
Perhaps this is just a sign of the age of the author, and all of design that has not been blessed by a standards body. What
the trends that I have identified are simply changes that have we are lacking today in our industry is the courage that is
made the world different and to which I should simply adapt. needed to take the kinds of risks that are inherent in doing
I could be convinced of this if I didn’t see a real desire in the system design. Whether this lack is caused by the scarcity of
next generation of engineers and computer scientists to learn funding, or the bursting of the technology stock bubble, or
something about system design. It isn’t that they have gotten the consolidation of the industry is hard to tell. But the
beyond the need to design systems; when they see a good reason that we are no longer designing interesting systems is,
system design they are appreciative, excited, and want to I believe, simply a lack of the courage needed to do so.
know how to create designs that have the same quality. They If this is true, then one possible approach would be to solve
may not be able to verbalize what they are missing, but they this problem ourselves, at both the individual and collective
know it when they see it, and they would like to learn. level, by simply insisting that we be given the time and
Another possibility is that the lack of system design at this resources to do good system design. Finding courage is
time is just part of a natural cycle of development in the field difficult, and instilling it in others more difficult still. But
of computer science. On this view, we are in the analogue of either is less difficult than changing the economy, or the
what Thomas Kuhn[5] called a period of normal science, in legal system, or the attitude of the funding agencies, or the
which the existing theory (or system designs) were being ways in which our field is taught. Indeed, we could make the
confirmed, tested, and slightly altered. Perhaps the systems change starting with ourselves, by taking the time and
that we have are good enough for what we need to do, so making the effort to do good system design, and to demand
there is little or no need to do major design work on new of our colleagues and managers that they both give us the
systems. That will change in the future when we find tasks opportunity to do such design and do such designs
for which the current systems are inadequate, but until we do themselves.
we should expect little support for system design. Indeed, But given the realities of our industry and the wider
systems like those being developed by Google are just the economy, I hold little hope that simply making such
kind of radical departures that we would expect in a time of demands will solve the problem. But this doesn’t mean that
revolution, and they are indicators that we are about to enter the situation is hopeless. Instead, it means that those who
into a new system design cycle. wish to continue in the craft of system design need to find
other, less direct, ways of allowing such design to be
Where I see encouraging signs are in two areas that practiced and taught.
are generally not thought of as central to system I am actually encouraged by some signs that this is already
design, the areas of agile methods and open source happening, although perhaps not in the ways or in the places
software. that any of us might have expected. These signs are not
coming from industry, where the relative power of the
I have some sympathy for this view, in that it gives me hope engineer and the manager has changed to the advantage of
that things will change. But I also realize that this view is the latter, and where managers are under increasing pressure
based on the false assumption that there are fewer systems to cut costs and therefore have become more and more
being produced now than there were in the past. In fact, I cautious. Nor do I see much change in academia, where short
observe all kinds of systems being produced, from the funding cycles and publications by the pound are still driving
service-oriented architectures of web services to the out good system design. Where I see encouraging signs are
ontologies of the semantic web. What I find missing in these in two areas that are generally not thought of as central to
systems is a notion of design other than the designs that are system design, the areas of agile methods and open source
done in standards committees or other large groups, or software.
designs that emerge from the code that is thrown together to “Agile methods” mean lots of different things to lots of
implement the system. different people, so I should begin by saying what I take
I think one explanation can be seen if we re-read Ivan them to be. This is not because I think that my
Sutherland’s Technology and Courage[9]. System design, characterization is any better than any of the others, but
like any other form of research, is hard work that entails simply because it will help in the discussion that follows.
taking great risks and therefore requires the constant Like patterns or open source, there is considerable theology
application of what can only be called courage. It takes in the characterizations of agile methods, and I don’t wish to
courage for an engineer to design a system without get caught up in such theological debates. I’m happy to
constantly asking the customer if it is what the customer admit that my characterization is not really what is meant by
wants. It takes courage for a manager to trust an engineer to agile methods; what I am describing is a trend I have seen in
take the time to design a system. It takes courage for a development that is at least sometimes given that label.
funding agency to underwrite an academic research project What I am using the term “agile methods” to label is an
that might well fail. It takes courage for a company to back a approach to writing code and, ultimately, systems that is

13
based on small groups of programmers working closely of which needs to understand the entire artifact. This in turn
together; in the most extreme form of this the small group is encourages discussion of the overall system, not just at the
a pair of programmers working together with a single level of the code that is being produced but at the level of the
keyboard and screen. No matter what the size of the group, system itself. Each member of such a team has to explain to
the system is built by iteratively constructing small pieces, the others how the system fits together, and just that act of
and then enhancing that working system in small, explanation requires thinking about the design. Even better,
manageable chunks to build the ultimate large and complex the others can then help to make the overall design better; the
system. In addition, I include the practice of “test driven give-and-take of a small-group programming session is much
development” in which the tests for some piece of the same as that found in a good design session because it is,
functionality are written before the code that provides that in fact, a design session.
functionality. There are, of course, many other techniques What is important here is the required communication
that get included under the term “agile methods,” but for the between the participants. Having to express a design will
purposes of this discussion these are the features that are often uncover problems with the design, and can certainly
most important. show areas where the design (and, therefore, the
Earlier I noted that such an approach to the production of a communication of the design) is unclear or inconsistent.
system seems to be an invitation to plunge into the code While it is true that writing down the design of a system is a
before thinking things through and then to make incremental form of documentation that can help people who want to
changes to the undersigned system until things are good learn or understand the system, the greatest benefit of such a
enough. Such an approach seems to actively discourage written design is to the designer who must do the writing.
thoughtful system design. And, indeed, I have sometimes The very act of writing the design document helps to clarify
seen these methods produce systems that were badly the design itself. In the same way, having to communicate
designed, overly complex, and not well thought out. What the design during group programming helps to clarify and
has surprised me is the number of well-thought-out systems simplify the design.
whose designs show taste and elegance that have been The process of small group development also provides an
produced using these techniques. opportunity for the members of the group to serve their
The reason, I believe, has to do with two of the aspects of design apprenticeship. While the group may not consist of an
such agile methods. The first is the combination of breaking acknowledged master and a set of apprentices, the constant
the overall system down into small pieces and the discussion of the design even with a peer group can help in
requirements of test-driven development. Each of these the development of taste and craftsmanship. While there is
techniques requires that some thought be given to the always the possibility that bad taste will be reinforced and
abstractions that form the system. Breaking the system down bad habits encouraged, the process of peer-mentoring is
into smaller pieces requires some thought into what those better than no form of design feedback at all.
pieces are going to be and how they fit together, which is Whether it be to a group of peers or a master, the real point is
exactly the art of system design. In order to write the tests that the design needs to be expressed to someone else. It is
before the code that is to be tested, an abstract notion of what very difficult to mask the weaknesses of a design when you
the code is supposed to do must be thought through. In are communicating that design to someone else who is
deciding what to test, a programmer needs to think about the intimately involved in the implementation of the design.
general functionality of the system, and how that Simple designs can be communicated easily; complex
functionality is going to be accessed. Both activities require designs are hard to explain. Just as writing down a design
thinking about the interfaces for the various components of will often show flaws or weaknesses in the design,
the system in a fashion that is one removed from the explaining a design to a peer will often improve the design.
implementation of those interfaces. By deciding what small
thing can be done and by writing the tests first, agile methods Working on an open-source project also provides engineers
impose a requirement of thinking about the abstract system both a forum for the discussion of design and a mechanism
that is a way of expressing the overall design of the system. for learning through an apprenticeship. The first of these is
supplied by the mailing lists that are central to many open
source projects. On these lists there is constant discussion of
Breaking the system down into smaller pieces the design alternatives, philosophies, and trade-offs that are
requires some thought into what those pieces are faced by the overall project. Newer or less experienced
going to be and how they fit together, which is engineers can ask questions that will be discussed and
exactly the art of system design. answered by the overall community. Like the discussion that
goes on between the members of a pair-programming team,
The second, and more important aspect that favors system such electronic discussions allow the engineers to try out
design when using agile methods is that those methods ideas, have those ideas criticized or amplified, and generally
require that the work be done in small groups, each member participate in the design process of a large project. The

14
discussions tend to be at a different time-scale than those This is a process that benefits both the apprentice and the
held face-to-face with a pair-programming partner, and often master. The apprentice benefits in obvious ways, learning
involve a much larger group of participants. But they are still how to be a better craftsman and gaining a better
forums that require discussion of the design. Better still, they understanding of how to build and design a system. The
are forums that require that the participants communicate the master benefits by using the apprentice as an idea magnifier.
design in a clear and persuasive way. Just as the act of By having others doing some of the work, the master is freed
communication between two programmers can help to to concentrate on those parts of the design or the code that
clarify and simplify the design of a system, the act of only he or she can do. The end result is that the kinds of
communicating a design to the other members of an open systems that can be built are more significant, and the ways
source project will help to clarify and simplify the design of of approaching design are conveyed.
the open source system. This ability to learn, to teach, and to tackle hard technical
These discussions often replicate, at least electronically, the problems without the oversight or interference of
master/apprentice relationship that is so central to becoming management is also, I believe, one of the prime reasons for
an accomplished designer. Such relationships are established the popularity of open source projects among engineers.
in spite of the mythology that has grown up around the way Such projects are places where technical decisions can be
open source projects are run. The establishment of this sort made on technical grounds, and where the decision making
of mentoring happens because of the reality of the way that powers are given to those who have shown technical ability
open source projects work, a reality that is very different in the past. The fact that the end result of such developments
from the folk wisdom that has grown up around such is innovative software that is often superior to that produced
projects. by the projects that are the day jobs of the very people who
write the open source software may be ironic, but it should
Working on an open-source project also provides not be surprising.
engineers both a forum for the discussion of design
and a mechanism for learning through an This ability to learn, to teach, and to tackle hard
apprenticeship. technical problems without the oversight or
interference of management is also, I believe, one of
the prime reasons for the popularity of open source
The folk wisdom of open source, best exemplified by the
projects among engineers. Such projects are places
writings of Eric Raymond [7], holds that open source
where technical decisions can be made on technical
projects are chaotic, highly democratic undertakings in
grounds, and where the decision making powers
which the marketplace of ideas sorts out the good ideas from
are given to those who have shown technical ability
the bad, the code is written by anyone, and there is no
in the past.
hierarchy. In actual fact, most of the successful open source
projects are run as semi-benign dictatorships in which a very
small group of people controls all of the code that is put into In an important sense, both agile methods and open source
the project. These people are the committers of the project, can be seen as reactions to the difficulty of doing system
and no code is allowed into the source repository until it design in either the academic or the industrial world. One
meets their standards. solution to this could have been confronting the managers,
It is true that anyone can offer code to the committers to see professors, and funding agencies that have made it
if it can be included into the project. But most of the code increasingly more difficult to do system design in the
will go through a very detailed reading by the committers, traditional environments. But this other solution is both more
and only be accepted when it is found to be good by the indirect and, in many ways, more in keeping with the ethos
standards set by this group. Not surprisingly, most of these of software design. Rather than trying to change the set of
committers are just the kinds of master craftsmen of code constraints that frame the problem, designers and those who
that you would want supervising the apprenticeship of those wish to learn design have simply designed around the
learning system design. The apprenticeship is not as direct, problem. By adopting agile methods, we have found a
with little or no face-to-face discussion, but the overall mechanism that allows us to discuss and learn design without
process is the same. The apprentice will try to solve having to tell our management that this is what we are doing.
problems, offer his or her solution, and be told to try again, By working in open source, we have created an environment
generally with some discussion as to the reasons for needing in which we can continue to do technical work framed in
to try again, until the code and the design is right. The purely technical way. The fact that open source needs to be
communication may be electronic rather than face-to-face, done on our own time is a minor inconvenience; most good
but the process is the same as it was 20 years ago; one of software designers would prefer doing technical work to
trial-and-error, of frustration and trying again, and of failure most other forms of recreation. In a meta-sense, the new
and enlightenment, or at least increased mastery. venues for learning and teaching system design are
themselves excellent examples of system design, in which a

15
problem is solved in a fashion that is elegant, subtle, and [4] Hoffman, Daniel M. and David M. Weiss (ed),
pleases both the practitioner of the art and the consumer of Software Fundamentals: Collected Papers by David
the code. The end result is that the craft survives, thrives, and L. Parnas, Addison-Wesley, Boston, MA, 2001.
continues to evolve. [5] Kuhn, Thomas, The Structure of Scientific Revolutions,
University of Chicago Press, Chicago, IL, 1962.
6. ACKNOWLEDGMENTS
I would like to thank Bob Sproull, Ivan Sutherland, Margo [6] Lampson, Butler, Hints for Computer System Design.
Seltzer and Ann Wollrath, all of whom have been generous ACM Operating Systems Rev. 15, 5 (Oct. 1983), pp 33-
with their time and ideas during discussions of much that is 48
contained in this paper. Special thanks go to Brian Marick, [7] Raymond, Eric, The Cathedral and the Bazaar:
whose care and comments during the shepherding of this Musings on Linux and Open Source by an
paper have greatly improved the result. Accidental Revolutionary, O’Reilly Media (2001).
[8] Ryle, Glibert The Concept of Mind, University of
7. REFERENCES Chicago Press, Chicago, IL, 1949.
[1] ACM Curricula Recommendations,
[9] Sutherland, Ivan, Technology and Courage, Sun
http://www.acm.org/education/curricula.html, 2005. Microsystems Laboratories Essay Series, Mt. View, CA,
[2] Brooks, F.P., The Mythical Man Month: Essays in 1996
Software Engineering, 20th Anniversary Edition,
[10] Wing, Jeannette M., Computational Thinking,
Addison-Wesley, Boston, MA, 1995
Communications of the ACM, Vol. 49, Issue 2, March,
[3] Brooks, F.P., The Design of Design, Turing Award 2006.
Lecture,
http://terra.cs.nps.navy.mil/DistanceEducation/online.sig
graph.org/2001/SpecialSessions/2000TuringLecture-
DesignOfDesign/session.html, 2000

16