Answers to Exercises

SOFTWARE ENGINEERING: Principles and Practice

Third Edition
Hans van Vliet
Department of Computer Science
VU University
De Boelelaan 1081a, 1081 HV Amsterdam
Email: hans@cs.vu.nl

July 31, 2008

Preface
This Guide contains answers to a number of exercises from the textbook. Exercises for which
a straightforward answer can be found in the text, like Define the term software engineering
or What is the difference between verification and validation (exercises 1 and 4 of Chapter
1) are not included in this guide. Answers to open-ended questions, like Study both the
technical and user documentation of a system at your disposal. Are you satisfied with them?
Discuss their possible shortcomings and give remedies to improve their quality (exercise 17
of Chapter 1) obviously are not included either.

1 Introduction
1.9 No, the linear model is not really appropriate. The linear model assumes that we
do things right the first time, know everything up front, are able to elicit the true
requirements early on, etc. This is usually not the case. On hindsight, we may document
the development process as if the sequence of steps from the linear model were followed.
It is a rational reconstruction rather than a model of how things are done. The linear
model confuses project control issues (progress control) with the actual development of
the system.
Chapter 3 in particular discusses the drawbacks of the linear model.

1.10 Major differences are: software is not continuous, progress is hardly visible, software is
logical rather than physical (maintenance is not caused by wear and tear; reliability is
determined by different factors), and the costs are incurred during design rather than
production.
Parnas (1999) contains an eloquent discussion of the engineering component of software
engineering.

1
1.12 Several professional societies for computer professionals have a code on professional
conduct. The Assiociation for Computing Machinery (ACM) and the Institute for
Electrical and Electronic Engineers (IEEE) have jointly developed a code of ethics. See
Section 1.5.
The UK have a means to certify software engineers. The British Computer Society
can accredit engineers to the qualification of Chartered Engineer (C.Eng). It is the
same qualification as is awarded to other professional engineers. So it is not a software
engineering specific qualification. It involves graduation at an accredited institute as
well as practical experience of at least 4 years.
Voluntary certification of software professionals in the US through the Institute for
Certification of Computer Professionals (ICCP) is supported by the ACM, IEEE, and
several other professional organizations. The certification involves an education re-
quirement, an experiences requirement, and passing an exam. In 1998, the Texas Board
of Professional Engineering established software engineering as a recognized discipline.
Since there is, as yet, no recognized software engineering exam, only highly experienced
software engineers are eligible. The state of affairs with respect to professionalizing soft-
ware engineering is discussed in the November/December 1999 issue of IEEE Software.
The April 1988 issue of Communications of the ACM (vol 31, no 4, pp 372-375) con-
tains a somewhat polemic discussion, entitled Why I never met a programmer I could
trust. It refers to the famous code of Hammurabi, which includes some well-known
eye-for-an-eye, tooth-for-a-tooth constructs. One of the messages is that software disci-
pline requires enforcement. The Self-Assessment procedure on the Ethics of Computing
(Communications of the ACM, vol 33, no 11 november 1990 , pp 110-132) gives
further points to ponder.

1.13 The important point to note here is that there are opposing requirements for this project.
As a software engineer, you have essentially two possibilities: you may look for a com-
promise, or you may opt for either party. In both cases, you play an active role. Many
software engineers have a more naive view and expect that the true requirements will
show up in some magical way, without their active intervention.
If you look for a compromise, this may take quite some extra time. There is a danger that
the compromise is not wholeheartedly accepted by one or both parties. A compromise
may leave both parties dissatisfied. Choosing for either party will make the other one
unhappy. Usually, there is some power-relationship between the parties involved, and
the boss wins. However, that system may well turn out to be unsuccessful, since the
end users have not been listened to. (See the LAS system discussed in Section 1.4.3).
One of the main objectives of the software architecture phase is to make conflicts be-
tween stakeholders explicit, and engage in a discussion of the tradeoffs involved. See
Chapter 11, and especially Section 11.5.

1.18 The issues raised in this question can also be illustrated through classroom projects.

1.20 These principles are dealt with at various places in this book. Some very brief answers:

A. If you do not know the current situation (for example, how productive your team
is, how many errors your team removes per month), you can not make sound pre-
dictions. To measure is to know; see also Chapter 6 and 7.

2
 B. Reuse means less work, and the quality of the pieces reused will in many cases be
of a higher quality. See Chapter 17.
C. Complexity has many facets; see Chapter 6 and Section 12.1.4.
D. Sloppy descriptions of artifacts lead to misunderstandings between developers, be-
tween developers and the client, etc. This results in errors and rework. See Chapter
9.
E. Things will change, whether you like it or not. A rigid software process can and will
not be followed; see Section 3.7.
F. Software engineering projects are team projects. This requires discipline: changes
must be dealt with in an orderly way, decisions must be documented, etc. Once
a disciplined approach is followed (CMM level 2, more or less) there is room for
further improvements. See Section 6.6.
G. If you do not understand the problem, you can hardly be expected to solve it. The
requirements then will not address the real issues, and much rework will result. See
Chapter 9.
H. Formal quality management means that there are formal procedures to decide on
quality issues. If these procedures are informal, things slip through, there is an
excuse to postpone further testing, etc. But quality can not be built in at a later
stage. See Chapter 6.
I. If components have little interaction, changes will more often be local (see Section
12.1), and their reuse opportunity becomes larger (Chapter 17).
J. Software grows; Big Bang projects are dangerous. See Chapter 3.
K. Not only the software product is important. User documentation, training material,
etc. has to pass the quality tests. See Chapter 6.
L. If change is not planned, both the product and the process are rigid. Changes then
become more difficult to handle and more difficult to implement. See Chapter 3.
M. If tradeoffs are not made explicit, there is a chance that the rationale for decisions will
be forgotten, and someone will make the wrong decision, e.g. during maintenance.
See Chapters 12 and 14, and Section 11.2.
N. Like in any engineering branch, a lot can be learned from successful (and unsuc-
cessful) solutions that others have found. It prevents mistakes, improves insight,
and helps to build a catalog of useful building blocks. See Chapters 11 and 12, and
specifically Sections 11.4 and 12.5.
O. There will always be risks. See Section 8.3.

2 Introduction to Software Engineering Management

2.6 Quantitative data on past projects is a valuable source of information when planning
a new project. The characteristics of the new project can be compared with those of
earlier projects, resulting in estimates of time and budget that are well underpinned.
To measure is to know. See also Chapter 7.

3
 2.8 Note that neglecting environmental issues is a common cause of problems in many
projects. All too often, it is thought that the software is the only thing that matters,
and that the project is finished as soon as the software is delivered to the customer.

2.9 Brooks arguments for this increase in cost run as follows ((Brooks, 1995, p. 6)): A
programming product requires that the program is written in a generalized fashion. In
particular, the range and form of inputs must be generalized. Also, a programming
product must be thoroughly tested and documented.

3 The Software Life Cycle Revisited

3.13 Arguments pro a thorough requirements analysis phase include:

The scope of the project is known at an early stage, which allows management to
properly plan and budget the project;
The effects of the new system on the organization are known at an early stage.
Non-technical issues, such as changing working procedures, can thus be planned
well in advance;
People involved know early on what is expected from them. This allows for clear
testing procedures and acceptance criteria. Having a well-delineated requirements
specification allows that change requests can be identified as such and properly
dealt with.
The resulting system is likely to be more robust and better maintainable.
Conflicting views between interested parties are resolved at an early stage.

Arguments in favor of a prototyping strategy include:

The resulting system is more likely to fit real user needs. Bells and whistles can be
identified as such. Real user requirements can only be identified when users have
had the opportunity to work with the system;
The occurrence of the Big Bang effect is precluded. Requirements evolve as the
system evolves;
The organization may gently accustom itself to changing working procedures and
the like;
People feel more closely involved with the project and the resulting system. This
increases the chances of acceptance of the system.

3.15 The merits of evolutionary prototyping are listed in the suggested answer to exercise
3.13. A major disadvantage of the evolutionary approach to prototyping is that long-
term quality aspects (maintainability) tend to be neglected.
A major advantage of throwaway prototyping is that, once the real requirements are
known, a thorough (architectural) design and implementation path can be followed,
without distractions caused by on-the-fly change requests. A disadvantage of throwaway
prototyping is that users get used to the prototype and may get disappointed when that
prototype is discarded.

4
3.17 Software maintenance cannot be completely circumvented and, consequently, neither
can the deterioration of system structure. There are two major ways to counteract
this phenomenon. Firstly, maintenance should be done in a structured way, not in
quick-fix mode. Changes should be properly designed, implemented, and documented.
Changes should not be realized by code patches. Secondly, system structure should be
monitored, and timely actions should be taken to regain a declining system structure.
This is known as perfective maintenance. See also Chapter 14 for an elaborate discussion
of maintenance issues.

3.18 At a global level, documents like a requirements specification or design description

provide an inadequate measure of progress. This measure is too gross. Projects fall
behind schedule one day at a time, and schedule slippage may thus show itself far too
late. Also, real development does not occur in a strict linear order. Developers tend to
jump from, say, requirements analysis to testing, and back.
A project can be broken into a number of subtasks. The granularity of the smallest
subtasks should be fairly small (say at most one person-month). Examples of such
subtasks could be: code module A, test integration of modules for subsystem X, review
module B. The completion of some set of such subtasks then corresponds to a formal
project milestone, but day-to-day control is executed at a much finer level.
Next to this type of control, experienced project managers use various other means to
track progress, major ones being:

Periodic status meetings with project members;

Informal meetings with project members to get a subjective assessment of progress;
Previous experience. Based on his experience with similar projects and/or mem-
bers of the team, a project manager may for instance foresee that a certain sub-
system is likely to pose problems, or know that Bill is generally overoptimistic in
his estimates.

3.19 Main differences between RAD and PD are (see also Carmel et al. (1993)):

The goals of RAD and PD are different. The main goal of RAD is to accelerate
system development, whereas PD aims to accentuate the social context in which
the system is to be developed and deployed.
User participation is different. In RAD it is possible to have a few representatives
of the (end) users on the design team. PD aims at consensus; the responsibility
for the software development process lies with the users, so a few representatives
wont suffice.
RAD focuses on structure. It employs a number of well-defined techniques, such
as workshops and timeboxing. PD does not employ a fixed set of techniques; it
focuses on creativity, learning by doing.
RAD concentrates on team building (the SWAT team). PD is focused on the
mutual learning process of IT staff and users.
RAD is concerned with speed (viz. the timebox). PD tries to reach its goals
stepwise, irrespective of the timeframes.

5
4 Configuration Management
4.7 The major tasks of software configuration management (SCM) are the same during
development and maintenance. In both cases, SCM is concerned with identifying and
controlling changes. In both cases, it must ensure that changes are properly imple-
mented and reported to interested parties.
Major differences between SCM during development and maintenance are:

Most of the identification and definition of configuration items takes place during
development;
During development, change requests are issued by both developers and users.
During maintenance, most change requests will come from users.
During development, the assessment and handling of change requests is impacted
by the necessary orderly progress of development. During maintenance, continua-
tion of the systems operation is a major criterion.
During maintenance, the operational baseline must be thoroughly separated from
the version that is being changed because of bugs reported or changes that need to
be incorporated. Thus, version control plays an even more important role during
maintenance.

4.8 Software Configuration Management (SCM) is concerned with: identification, control,

status accounting, and auditing. For these activities, the main differences between a
traditional development model and an evolutionary model are (see also Bersoff and
Davis (1991)):

(identification) In an evolutionary model, there are many variants of components

in use at the same time; in a traditional model, usually one or only a few such
variants are in use. SCM must be able to distinguish between all those variants.
(control) In evolutionary development, multiple versions of baselines are deployed
at the same time, and multiple versions of components and baselines are under
development simultaneously. In traditional development, there is one baseline and,
usually, one version of each component.
(status accounting) Is challenged as well in evolutionary development, with its mul-
tivariate product in various simultaneous stages of development and deployment.
(auditing) Has to be done frequently and quickly in evolutionary development.
Baselines change rapidly, and the results of audits must be promulgated timely to
baselines in use and in development.

4.9 Artifacts like design documents and test reports can be subjected to the same configura-
tion management procedures as source or object code modules. This can be supported
by similar tools as well. In fact, integrated project support environments do so (see
Chapter 15).

4.10 In a small development project, configuration management could be limited to SCCS-

like support for handling the projects information. Formalized change procedures and
a Configuration Control Board need not be established.

6
 In a large project, formalized procedures are a sine qua non. There are too many people
involved, and the number of items is too large, to be able to do without formalized
schemes.
In Perry and Kaiser (1991), this difference in user scale is discussed in sociological terms.
A small development project is compared with a family, where informal rules suffice, in
general. A large project is likewise compared with a city, where the rules have to be
more strict. See also Chapter 15.

4.11 Configuration management tools may keep track of the following quantitative data:

Start and end dates of activities relating to configuration items (such as start and
finish of implementation of a module). These data directly relate to project control.
Number and type of bug reports and change requests. These data impact project
control as well. They also relate to quality management; they may indicate poor
quality components, and trigger subsequent maintenance activities.

5 People Management and Team Organization

5.9 A major advantage of having a true wizard in the team is that he may boost team
productivity. Other team members may profit from his knowledge and increase their
own knowledge and skills. Potential disadvantages (which should be counteracted by
proper management attention!) are:

Technical issues may get too much emphasis. The team may easily loose itself in
beautiful technical solutions to problems that are hardly relevant to the users.
A less disciplined mode of operation may result. Proper procedures regarding
documentation and configuration control may be discarded, since the team guru
has all the necessary knowledge in his head.
The project may get into serious trouble if this person leaves the team. This holds
especially if the previous point is not adequately dealt with.

5.11 Pros of a vertical organization are:

By specializing in vertical areas like databases or human-computer interaction,

team members may acquire greater expertise in these fields, which positively im-
pacts the productivity and quality of their work.
The similarity between and reuse across products is potentially enlarged. For
instance, user interface components may become much more uniform.
Career development can potentially be better monitored and stimulated.

Pros of a horizontal departmentalization include:

Team members may acquire a better knowledge of the system. System knowledge
is likely to be less thinly spread, and communication overhead may be smaller.
Management has better accountability of people effort.

7
 Team spirit may be greater, since team members pursue the same (project) goals.
In a vertical organization, team members have a partly interest in the success of
any particular project they are involved in.

5.13 Advantages of letting people rotate between projects from different application domains
are:

Their stock of useful knowledge chunks increases.

They are more easily led to properly document things, since their work has to be
handed over to other people.
They become less easily dissatisfied with their position, since they are regularly
confronted with new challenges.

The major advantage of letting people become true experts in a given application domain
is their increased expertise within that domain. The productivity and quality of their
work increases as their knowledge of that domain grows.

6 Software Quality
6.12 The primary task of the SQA organization is to check whether work gets done the
way it should be done. Suppose the SQA organization is not independent from the
developing organization, and some serious problem crops up. From an SQA point of
view, some remedial action is required, which may delay delivery of the system. Such
is not very attractive to the developing organization. The SQA people may then get
crunched between these opposing interests. The situation is like that of an accounting
department who is responsible for its own auditing.

6.13 For any type of data collected, be it quality data, data on effort spent on design activities,
data on the number of change requests received, etc., feedback to the suppliers of those
data is important. The data supplier must be one of the main users of those data. Such
forces the data supplier to provide accurate and complete input. He will harm himself if
he does not do so. Secondly, it prevents these users from asking irrelevant data. Thirdly,
if the data suppliers do not see the benefits of data collection (which is likely to occur
if they do not get feedback), chances are that they do not appreciate the importance of
accurate data collection either. Thus, the data collection process will deteriorate, and
so does the value of the data collected.

6.17 Suppose one of the quality requirements is The system should be fast, a typical example
of a non-quantified quality requirement. Such a requirement can not be tested; there is
no way to tell whether the test succeeds or not. Such a requirement also easily gives
rise to debates later on, when the user complaints that the system is not fast (enough).
Such a requirement does not give the developer guidance either. Such a requirement is
useless.

6.19 The easiest measurable property of a software product that may be assumed to relate
to Modularity is module size. Larger modules tend to adversily affect system structure.

8
We may then impose some desirable upper bound on the size of a module. A measure
S, defined as

S = 1 (nr of modules that exceed size/total number of modules )

then gives an indication of the extent to which this rule is obeyed. The value of S lies
between 0 and 1. Larger values of S are assumed to reflect a better structure.
Other measurable properties that relate to Modularity are discussed in Sections 12.1.2
and 12.1.5. Section 12.1.2 mentions two structural design criteria: cohesion and cou-
pling. Cohesion is the glue that keeps a module together. Grouping of components into
modules in a haphazard way obviously leads to a bad system structure. Modules that
encapsulate abstract data types are much better in this respect. Coupling is a measure
for the strength of connections between modules. Modules that know much about each
others internal details are more tightly coupled than modules that can be viewed as
independent entities. High cohesion and low coupling are considered to be desirable
properties of system decomposition. We may therefore count the number of modules
that fall into the various levels of cohesion and coupling as given in Section 12.1.2, and
use this as a measure of system modularity.
Section 12.1.5 takes a look at the call graph, the graph that depicts the uses-relation
of a set of modules. On the one hand, we may consider the form of this graph, and
postulate that a tree-like pattern is better than a more general graph structure. A
measure for this is the tree impurity, which expresses the degree to which the call graph
deviates from a proper tree structure. On the other hand, we may look at the amount
of information that flows through the edges of this graph. More information leads to
tighter dependencies between modules. The information flow measure expresses these
dependencies in numbers.
Operability (the ease of operation of the software) may be related to measurable prop-
erties such as (cf (Vincent et al., 1988, p 44)):

All steps of the operation are described (normal and alternative flows);
All error conditions and responses are appropriately described;
There is a provision for the operator to interrupt, obtain status, save, modify, and
continue operation;
Number of operator actions reasonable (1 - time for actions/total time for job);
Job set-up and tear-down procedures are described;
Hard-copy log of interaction is maintained;
Operator messages are consistent and responses standard.

Though these properties are highly desirable, most of them certainly do not guarantee
easy operation. As discussed in Chapter 16, it is very important that user operations
match concepts from the task domain. Well-established measures to express this do not
really exist. What we can do though is to measure learning time of a system, and the
time needed for typical tasks within the domain for which the system is needed. Tests
with real users can express these in numbers, numbers that relate to the operability
of the system. These numbers relate to all of the issues from the above list (if steps

9
 of an operation are not fully described, it is likely that use of that operation becomes
more difficult), but these numbers also reflect something of the semantic dimension of
operability.
Neither of these measures constitutes an objective criterion. The relations between
properties measured and the corresponding quality criteria are still subjective. For
example, a system in which a few modules have a size quite above what is considered a
good standard may still be well modularized; see for example Redmond and Ah-Chuen
(1990), cited in Section 12.1.4.

6.20 A small development organization most likely cannot afford full-time staffing of a sepa-
rate SQA group. Global activities, like the drawing up of a Software Quality Assurance
Plan, may be the collective responsibility of a small number of senior staff members.
Thereafter, SQA activities may be assigned to individuals on a part-time basis. For
instance, a team member from project A may be assigned the auditing task for project
B, and vice versa.
In a larger organization, it is worthwhile to consider the establishment of a separate
SQA group of, say, 3-5 people. The advantage of having a separate group is that
specific SQA knowledge can be built up, that company-wide trends can be observed
and global policies can be established, and that the SQA group may be a trigger in
fostering quality concsiousness in the organization.
For a proper understanding of the suggested answer, you should note that we assume
the task of the SQA group to be an auditing one. I.e., the normal testing activities are
not considered the responsibility of the SQA group.

6.22 The developers view of user-friendliness is likely to be determined by technical prop-

erties of the interface: use of windows, buttons, scrollbars, pop-up menus, etc. The
developer is inclined to look at user-friendliness from the inside. On the other hand,
the users main concern is to get his job done in the most effective way. User interfaces
should not be friendly; they should effectively support the user at work.
Important ways to measure the usability of a system are:

The time needed to learn to use the system (learnability),

The time needed to perform typical user tasks (efficiency),
The retention of system knowledge over time (memorability),
The rate with which errors are made (safety), and
A subjective assessment by real users.

Requirements for these characteristics can be expressed in measurable terms. Also,

tests can be devised to determine whether these requirements are met. So-called user-
friendly systems may turn out to score well on these scales, but such is not a priori
clear. See also Chapter 16.

6.26 The data show that the increase in the number of parties involved is almost completely
caused by an increase in the involvement of indirect customers of the software to be
developed: management and staff departments. There is no increase in the categories
of people directly involved: the customers and the developers. So it may well be true

10
 that the political coloring of cost estimates (see also Section 7.2) is even stronger in
1998 than it was in 1988. The situation then has become worse.

7 Cost Estimation
7.9 An early cost estimate gives a target to aim at. As such, it will influence the project.
If we know that the project is estimated to cost 10 person months, we may be inclined
to sacrifice quality in order to meet the corresponding deadline. Maintenance will then
suffer. If a more realistic cost estimation were given, a higher-quality product could have
been delivered, with corresponding savings during maintenance. Conversely, a tight
effort estimate may force developers to ignore implementation of bells and whistles,
resulting in a leaner system, a system which better fits real user needs.

7.13 Using the schedule equation of organic COCOMO (T = 2.5E 0.38 ), the nominal develop-
ment time of this project is approximately 14 months. A schedule compression of more
than 100% (to 6 months) must be deemed very unrealistic, in view of the arguments
given in Section 7.3.

7.14 Cost estimation models predict the cost of future projects, based on data from past
projects. These predictions are only valid if future projects resemble past projects.
Development environments change. The types of systems developed change, people
change (because of personnel turnover, learning effects and the like), tool usage changes
over time, etc. Therefore, the cost estimation model should be recalibrated too, in
order to make sure that the most accurate model of the present situation is used when
estimating effort and time for future projects.

7.16 Both adding people to the project and softening quality requirements may shorten
development time. Adding people to the project should be done with care (re Brooks
Law, discussed in Section 7.3). The impact of softening quality requirements on the
time schedule could be estimated (for instance, several of these turn up as cost drivers
in models like COCOMO).
Other ways to finish the project in time can be discerned by considering the various
factors that influence cost (and, therefore, schedule):

Write less code (reuse, use of high-level languages, concentration on essential fea-
tures and ignoring bells and whistles), since size is the major determining cost
factor;
Employing better people;
Better working environments and other incentives for employees. For example,
DeMarco and Lister (1985) shows that programmers with adequate secretarial
support and sufficient floorspace are significantly more productive than their col-
leagues that are worse off. See also DeMarco and Lister (1987);
Employing (more powerful) tools;
Avoiding rework, by a conscious attention to user requirements right from the
start, and regular feedback to customers (validation).

11
7.17 Most likely, a cost estimation model based on COBOL as the implementation language
cannot be used to estimate the cost of a project that uses Pascal. For one thing, systems
written in Pascal often have different characteristics than systems written in COBOL;
COBOL programs point at business applications, Pascal programs generally do not.
Secondly, COBOL programs are more verbose than Pascal programs, so that a pure
count of LOC provides a misleading estimate of the intrinsic size of the system. For
instance, one function point (in the FPA context) is likely to incur more COBOL lines of
code than its equivalent realized in Pascal. This effect has also been noted in COCOMO
((Boehm, 1981, p. 479)), where a significant pattern of overestimation was identified
on COBOL programs.
This pattern is less likely to occur when the implementation language is C rather than
Pascal. However, one has to proceed cautiously. A proper calibration of model param-
eters to the environment should underpin or falsify this hypothesis.

7.18 COCOMO 2 mentions three cost drivers that relate to project attributes:

Use of software tools,

Multi-site development, and
Required development schedule.

The use of software tools allows the developer to concentrate on his real, intellectual
tasks, while all kinds of bookkeeping duties are taken care of by the tools at his disposal.
This would thus incur productivity gains.
If development takes place at more than one site, this incurs extra costs: for traveling,
for written documentation instead of face to face communication, and the like. The
chance for miscommunication, and thus for rework, increases as well.
The effort multipliers for the development schedule are somewhat more surprising: both
acceleration and stretchout of the nominal schedule incur higher cost. That acceleration
of the schedule incurs higher costs is quite plausible: it requires more people, with
associated communication and learning cost. According to (Boehm, 1981, p. 470),
stretchout of the schedule primarily implies spending a longer time with a smaller front-
end team to thoroughly develop and validate requirements and specifications, test plans
and draft users manuals. This would then translate into higher-quality products and/or
less maintenance.
It is interesting to note the differences in cost drivers between COCOMO and COCOMO
2. The multi-site cost driver was not present in COCOMO; apparently, multi-site de-
velopment projects were not very common at that time. On the other hand, COCOMO
had a cost driver use of modern programming practices (in particular information hid-
ing); this has become common practice, and its role as a cost driver has consequently
disappeared.
Further corroboration of the values of the original effort multipliers of COCOMO, most
of which are retained in COCOMO 2, together with pointers to supporting literature
can be found in (Boehm, 1981, Chapters 24-27).

12
8 Project Planning And Control
8.12 The members of hospital staff may have a clear idea of the requirements of the planning
system. If that is the case, a reasonably certain situation occurs, where the only problem
could be the translation between the two domains involved (the hospital world and the
planning world, respectively). Thereafter, the problem becomes one of realizing the
functionality agreed upon, and a direct supervision style of management seems viable.
On the other hand, if hospital staff has no idea of what a planning system may do for
them, a much more uncertain situation arises. A commitment style of management,
in which the parties involved (hospital staff and analysts) search for the appropriate
requirements (possibly involving the development of prototypes) then becomes the right
choice. After such an initial stage, one may as yet switch to a direct supervision style
of management for the later stages of the project.

8.13 The patient planning system by itself is not a very large system. As such, any team
organization will not involve that many layers. In a hierarchical organization, we may
for example distinguish small subteams concentrating on aspects like: the design of
databases from which information on patients, operating rooms, clinical staff, and the
like is obtained, the design of the user-interface part of the system, and the design of the
actual planning part of the system. If this type of work division amongst subteams is
chosen, the difference with a matrix-type organization is not that large. In both cases,
the subteams are characterized by the specific expertise of their members. Points to be
considered when the choice between the two options is still open, are:

Is the project large enough to merit a separate subteam for, say, the user interface
part;
Is the extra dimension of a matrix-type organization warranted in a project of this
size.

Most likely, the patient planning system is part of a larger system, and certain subsys-
tems will be shared, such as those regarding the databases and user interfaces.

8.15 I would look for incentives to keep this employee motivated. Examples are:

an increase in salary (though it is questionable whether this will be enough in the

long run);
assignment of more challenging tasks for part of his time (if this time is available);
educational opportunities;
assignment of an apprentice who may, after some time, take over some of his tasks.

Probably, some combination of the above works best.

8.17 If this situation arises, you are in real trouble. Neglecting the issue (delivering a system
of inferior quality) is likely to be detrimental in the long run, and is therefore not
recommended. Discussion with the client has to bring a solution (another delivery date
after all, or delivery of the system without the faulty component, for example).
If I were a member and the manager is ignoring the signals, a nasty situation arises. A
serious discussion with the manager might solve the issue. If it does not, my professional

13
 ethics tell me to look for other ways, for example contact my next higher superior; see
also Section 1.5.

9 Requirements Analysis
9.17 The environment of an elevator control system is likely to be fixed and stable, and there
will be no conflicts as regards the requirements of the system. For an office information
system, there is a much higher chance that the environment expresses contradictory
requirements. The people in the environment may have different views of the system,
their requirements may conflict, and their requirements are likely to change over time.
As a result, the major task during the requirements engineering phase of the elevator
control system is to find out what the requirements are. A functionalist approach can be
followed when doing so. For an office information system, a non-functionalist paradigm
is more appropriate. Some protyping or incremental development process may help to
sort out the requirements. A flexible approach is needed, since the requirements of this
type of system will change, whether we like it or not.

9.18 Stakeholders for an ofice information system could be:

1. the office workers themselves,

2. their manager, and
3. the client who pays the bill.

The clients main concern is likely to be his return on investments (ROI): how much the
system is going to cost, and how much he will get back in return. This might translate
into things like: a higher productivity of the office workers, less people to be employed,
and other types of cost savings.
The office manager may want to use the system to ease his job by collecting adminis-
trative data on the tasks of his employees, he may want to use the system to assess the
productivity of his workers (using the same set of data), and he may want the system
to make sure that tasks get done more effectively, more uniformly, etc.
The office workers themselves are likely to emphasize the system as a tool in getting
their work done. So the system should ease their job, take over the boring part of their
work, but leave the challenging and rewarding aspects to the workers.
(Obviously, the positions of the various stakeholders need not be as black and white as
sketched above. In most cases, they arent.)

9.19 This mode of working is extensively discussed in Chapter 16; its essence is captured in
figure 16.6.

9.20 In order to assess the pros and cons of various descriptive means for describing re-
quirements, we have to consider the two major audiences for such descriptions: the
user/client, who has to determine whether the requirements reflect his true needs, and
the developer, who has to design and implement the system according to the require-
ments specification.

14
 The user/client is best served by a description he is most familiar with: natural language
and/or pictures. Such a description is more likely to fit his domain language. Obvious
disadvantages are that such a description has a high chance of being ambiguous and
incomplete. Regular interaction with the client organization after the requirements have
been fixed then is often needed to resolve ambiguities or conflicts. It is a priori unclear
to what extent these necessitate rework.

9.24 A hypertext-like browsing system for a technical library potentially offers features that
are very unlike those offered by keyword-based retrieval systems. Therefore, a function-
alist approach to requirements specification is likely to result in a system which does
not utilize the full potential of hypertext or hypermedia systems. For example, users of
a technical library in the field of aeronautics may search the library by selecting from a
set of pictures of different types of planes or engines, or simulations of characteristics of
different types of engines. A prototyping approach, in which applications of hypertext
in other fields is used to assess its potential, is more likely to result in a system utilizing
the extra capabilities of hypertext.

9.25 In many a technical field, there is quite some consensus as to the major concepts and
issues involved. Therefore, we may assume that there are no major conflicts involved
(though this need not always be the case). Given the unfamiliarity with hypertext,
there will not be an immediate consensus as regards the features to be offered. The
requirements analyst then has to facilitate the learning process within the client orga-
nization and a central question becomes one of how to exploit the unique capabilities
of hypertext within this particular field.

9.27 Meyer (1985) contains a very elaborate and insightful discussion of this example.

9.28 See the answer to exercise 20 of this Chapter.

10 Modeling
10.9 The common role of a contract between a client and a contractor is described in Meyer
(1992):

It protects the client by specifying how much should be done. The client is entitled
to receive a certain result.
It protects the contractor by specifying how little is acceptable. The contractor
must not be liable for failing to carry out tasks outside the specified scope.1

In software, the relations between clients and contractors are specified in assertions,
such as pre- and postconditions of routines, and class invariants for a whole class. For a
routine, the precondition expresses requirements that should be satisfied upon calling.
The postcondition expresses properties that will be true upon return. Together, they
constitute a contract for the implementor of the routine.
1
There is a potential caveat, though. Just like the buyer of a new car expects the roof of the car to be
waterproof, even if this is not explicitly stated in the contract he signed, so will the software client expect
certain obvious qualities, even if not explicitly stated in the contract.

15
 When P is a subclass of Q, certain features of Q may be redefined in P. Following the
contract metaphor, the effect of such a redefinition must stay within the realm of the
original definition. This means that the precondition may be replaced only by a weaker
one (i.e. fewer requirements to the client), while the postcondition may only be replaced
by a stronger one (i.e. more properties hold upon return). If P redefines certain features
of Q, we request that the subcontractor is able to do the job better or cheaper, i.e. with
a weaker precondition. And the subcontractor should at least do the job requested, i.e.
have a stronger postcondition.
Note that most object-oriented languages do not enforce these restrictions in their in-
heritance mechanism.

11 Software architecture
11.2 The top-level design has to guide the developers in their work. The architecture has a
wider scope and purpose:
it it supports the communication with all stakeholders, not only the developers
it captures early design decisions, for example on behalf of early evaluation
it is a transferable abstraction, and as such its role surpasses the present project
or system.
11.13 First, the results of design have to be communicated to various parties: the developers,
clients, testers, maintainers, and so on. For this communication to be effective, its
language must have a clear semantics. Second, design elements correspond to concepts
in the application or solution domain. If these concepts are known to the parties involved
by simple labels, these labels will in due time serve as representations of these knowledge
chunks, and thus improve effective communication about the design.
Like sine and cosine are well-known concepts from the language of mathematics, so are
quicksort and B-tree in the language of computer science. At the design level, the factory
pattern, MVC and the implicit-invocation architectural style represent such knowledge
chunks. From an application domain, say finance, concepts like ledger result.
11.19 The development organization of the World Wide Web (the original version) is CERN,
the European Laboratory for Particle Physics. The (single) developer was Tim Berners-
Lee, a researcher with a background in internet and hypertext. His aim was a system
to support the informal communication between physics researchers. He anticipated a
weak notion of central control, as in the then existing internet, and not uncommon in
a research environment. The main requirements were: remote access (the researchers
should be able to communicate from their own research labs), interoperability (they
used a variety of hardware and sofware), extensibility and scalability. Data display was
assumed to be ASCII; graphics was considered optional.
These requirements were met through libWWW, a library that masks hardware, oper-
ating system, and protocol dependencies. libWWW is a compact, portable library; it
is used to create clients, servers, databases, etc. It is organized into five layers, from
generic utilities to application module. The libWWW-based client and server com-
municate with each other using HTTP, and with the consumer and producer through
HTML. For further details, see (Bass et al., 2003, Chapter 13).

16
11.23 Patterns and architectural styles may guide us during software comprehension, more or
less like programming plans do in programming and debugging. If the reader knows
that the proxy pattern is used, such guides him in building a model of what the software
does. Usually, such information will not be obvious from the code, but be indicated in
the documentation. See also the answer to exercise 13, and Section 14.3.

12.36 First, design patterns embody best practices. These best practices have stood the test
of time; they constitute proven solutions to recurring problems. Second, many design
patterns explicitly address specific quality issues. For example, separation of concerns
(flexibility) is addressed in the proxy pattern, while expandability is addressed in the
factory pattern.

no_6 = true

sum = 0

i=1

no
i < # of courses
yes
no
if grade[i] < 7
yes
no_6 = false

sum = sum + ...

i = i+1

average = ...

no
av>= 8 && no_6
yes
println(...)

end

Figure 1: Control flow graph of the grading program

12 Software Design
12.7 The control flow graph of this program is given in figure 1. The graph contains 12
nodes and 14 edges, so n = 12, e = 14, and p = 1. The cyclomatic complexity then
is 4 (which concurs with the intuitive notion of cyclomatic complexity: the number of
decisions +1).

12.8 The bottom part of the control flow graph for this version is given in figure 2. The full
control flow graph now has 13 nodes, and 16 edges, so the cyclomatic complexity now

17
 is 5. The difference with the answer to the previous exercise is caused by the fact that
the compound boolean expression is treated as one decision in exercise 7, and as two
decisions in this exercise. Of course, this does not obey the representation condition.

average = ...

no
av>= 8
yes
no
no_6
yes
println(...)

end

Figure 2: Control flow graph of simple if statements

12.10 Cyclomatic complexity is not really a good indicator of system complexity. For one
thing, it concentrates on measuring intra-modular complexity, by counting the number
of decisions made. For a system as a whole, the information flow between modules (the
amount and kind of data passed to and from modules) is a major determinant of system
complexity as well.

12.22 The central idea behind information hiding is that a module hides a secret. This secret
could be the representation of some abstract data type, but it could be something else
as well. So, the result of information hiding need not be the encapsulation of an object
and its operations. Furthermore, the classes resulting from an object-oriented design
are related through a subclass/superclass hierarchy (inheritance). Inheritance does not
result from the application of the information hiding principle.

12.24 The flow graph of this program is given in figure 3. From this flow graph, it follows
that n = 11, e = 11, p = 2, so e n + p + 1 = 3 and e n 2p = 4.
The flow graph of the same program, with procedure P drawn inline, is given in figure
4. Now, n = 8, e = 9, p = 1, so e n + p + 1 = 3, and e n + 2p = 3.
We would expect the outcome for the two versions of this program to be the same
(and, since the program contains two decisions, the answer should be 3). Most text
book discussions of cyclomatic complexity give the wrong formula, and use examples
consisting of one component only. In that case the outcome of both formulas is the
same.

12.29 A tree impurity metric m measures the extent to which a call graph G deviates from a
proper tree. It is then only natural to expect that m(G) equals 0 if and only if G is a
tree (property 1).

18
 begin start P

A X

B C Y Z

P end P

end

Figure 3: Flow graph with separate procedure P

begin

B C

Y Z

end

Figure 4: Flow graph with inline procedure P

If two call graphs have the same number of nodes, the one with the larger number of
edges is to be considered worse, since it deviates more from a proper tree structure
(more edges have to be removed in order to get a proper tree) (property 2).
If the number of edges that has to be removed in order to get a proper tree structure
is the same for two graphs G1 and G2 , but the number of nodes in G1 is larger than
that of G2 then, relatively speaking, G1 is better than G2 . The penalty of having a few
extra edges should be relative to the number of nodes in the graph (property 3).
Finally, the worst possible situation occurs if each pair of nodes in the graph is con-
nected through an edge. In that case, the graph is called complete (property 4). The
upperbound 1 is somewhat arbitrary; it could have been any constant.

12.30 The extra part is given in figure 5. The objects client and library are the same as the
corresponding objects in figure 12.26.

12.31 The main objects from this model are: Client, Employee and BookCopy. We then assume
that the ownership of computers, bar code readers and the like is not modeled in the

19
 library client

owns uses

PCs queries

store

catalog

Figure 5: Part of the object model: handling of user queries

system. The identification card is assumed not to play an active role either; it is simply
used to identify the client. We assume there is only one library.
The client may have attributes Name, Address, BooksOnLoan, and Fine. BooksOnLoan
is a simple count of the number of books this client has loaned. Fine is account of
the outstanding fines for this client. Client has the following services: BecomeMember,
ChangeAddress, AddToFine, SettleFine, LoanBook, ReturnBook, CeaseToBeMember. If a
book is returned whose due-back date has passed, AddToFine updates the account of
his fine. If (part of) the fine is settled, SettleFine takes care of that.
An employee has an EmployeeName and Password. Its main services are BecomeEm-
ployee, ChangePassword, and CeaseToBeEmployee.
A book copy is identified by its Number. It has an attribute RefBook which refers to the
book this one is a copy of. Furthermore, each book copy has attributes OnLoanSince and
OnLoanTo. These attributes are updated when the copy is loaned and returned; they are
also used to update the fine administration. Services of a book copy are: GetAcquired,
GetLoaned, GetReturned and GetDiscarded.

12.33 A central issue in object-oriented design is that concepts from the Universe of Discourse
have a direct counterpart in the design. Object-oriented design results in a model of
the problem, rather than any particular solution to that problem. Conversely, data-flow
design is much more concerned with modeling a solution, in terms of functions to be
performed in some given order. These functions need not map well onto problem domain
concepts, which may result in a less natural design, a design which poses comprehension
problems when studying the rationale for certain design decisions.

13 Software Testing
13.9 With a slightly different lay-out, and with linenumbers added to lines containing exe-
cutable statements, the body of the routine reads as given below. Note that we have
not labeled the lines containing exit statements. We could have done so, but it does not
really make a difference as far as the control flow graph is concerned. Execution of such
a statement incurs execution of the statement at line 8 as well.

20
 1 parent:= k; child:= k + k; Ak:= A[k]; insert:= Ak;
loop
2 if child > n
then exit
end
3 if child < n then
4 if A[child] > A[child+1]
5 then child:= child + 1
end
end;
6 if insert <= A[child] then
exit else
7 A[parent]:= A[child]; parent:= child; child:= child + child
end
end;
8 A[parent]:= Ak

The corresponding control flow graph is depicted in figure 6. The numbers inside the
bubbles refer to the linenumbers given in the routine text. On behalf of exercise 10, the
edges have been labelled with capital letters. Outgoing edges of decision statements are
labelled yes and no.
When the routine is executed with the given input, all lines labeled with a number will
be executed. A 100% statement coverage is therefore obtained.

13.10 The single test case given in exercise 9 does not yield a 100% branch coverage. In
particular, the branches labelled E, G, and I will not be executed by this test. The
following additional test case will do for a 100% branch coverage:

n = 4, k = 1.
A[1] = 60, A[2] = 20, A[3] = 30, A[4] = 80

13.11 For the All-Uses coverage, a path from each definition of a variable to each P- or C-use
and each successor of that use must be traversed. The program has four variables:
parent, child, Ak, and insert. By carefully looking at the text, it can be observed that
we only have to look at definitions and uses of child, since the definition-use paths of
the other variables are subsumed by those of child.
This leads to the following paths:

1. 1 2 8
A test n = 1, k = 1, A[1] = any value will do.
2. 1 2 3 6
A test n = 2, k = 1, A[1] = any value, A[2] = any value will do.
3. 1 2 3 4 5 6 8
A test n = 3, k = 1, A[1] = 1, A[2] = 3, A[3] = 2 will do.
4. 1 2 3 4 5 6 7
A test n = 3, k = 1, A[1] = 4, A[2] = 3, A[3] = 2 will do.

21
 1

A
yes
2

B no
no
3

D yes
C no
4
E K
F yes

5 G

H
yes
8 6
I
J no

Figure 6: Control flow graph of the SiftDown routine

5. 1 2 3 4 6 7
A test n = 3, k = 1, A[1] = 1, A[2] = 2, A[3] = 3 will do.
6. 1 2 3 4 6 8
A test n = 3, k = 1, A[1] = 4, A[2] = 2, A[3] = 3 will do.
7. 7 2 3
A test n = 4, k = 1, A[1] A[4] having any values will do.

13.12 The only difference between the two fragments is that the first one uses an if-statement
to see whether the element sought has been found, while the second one does so through
an assignment. If we have a test set with a 100% branch coverage for the first fragment
(i.e. both possible outcomes of the test table[counter] == element are tried at least
once), a 100% branch coverage is also achieved for fragment 2. Note that the reverse
need not be true.

13.20 Suppose a simple program has two types of input. If the test set contains the same
number of test cases for either type, faults in either execution path have the same prob-

22
 ablity of being reveiled. If, on the other hand, the actual input during the operational
use of the program is much more skewed (i.e., input of one type is much more likely to
occur), the probability of faults to show up is also skewed. As a consequence, the actual
reliability observed during execution is largely determined by the input type most often
used, and this aspect should be considered when assessing the programs reliability.

13.21 An extensive discussion is given in Musa et al. (1987). In particular:

if there is little manpower available to identify and correct faults, failures observed
will not be corrected until manpower does become available. Increase in reliability
would be higher if more manpower were available, while the actual reliability is the
same in both cases: the same number of failures is observed in the same number
of test cases.
a similar argument holds if the identification and correction of faults is limited by
the amount of computer time needed to do so.
if we have two systems, one that is used 24 hours a day, and one that is used once
a week, having experienced two failures in both systems during a time span of 2
weeks does not mean that the two systems have equal reliability.

13.22 Yes, given accurate data on failure occurrences, current reliability models give a quite
reasonably objective assessment of software reliability.
13.25 The inner loop (plus the initialization small = i), results in an index small such that
a[small] is smallest amongst a[i] .. a[n-1]. If we next swap a[i] and a[small], the result
will be:

j {i+1, . . . , n-1} : a[i] a[j]

Successive executions of the body of the outer loop will then yield:

j {1, . . . , n-1} : a[0] a[j](i.e. a[0] is the smallest element),

j {2, . . . , n-1} : a[1] a[j](i.e. a[1] is the next smallest element),
etcetera, i.e. the whole array gets sorted in increasing order

13.26 1. Change the first for-statement into for (i = 1 . . . ). Only the array with random
elements will (probably) give the wrong result, since the first element will not
move.
2. Change the first for-statement into for (i < 1; i > n-2 . . . ). Again, the array with
random elements will be the only one to give the wrong result, since no sorting
will take place.
3. Change the assignment small = i into small = i + 1. The array with random
elements will probably give the wrong result.
4. Change the assignment small = i into small = n. The array with random elements
will probably give the wrong result.
5. Change the test in the if-statement into a[j] > a[small]. Now the array will be
sorted in reverse order, so the sorted array and the array with random numbers
will give the wrong results.

23
 6. Change the test in the if-statement into a[j] = a[small]. The array with random
elements will probably give the wrong result.
7. Change the test in the if-statement into a[i] < a[small]. No swapping will take
place, so the random array again gives the wrong result.
8. Change the second for-statement into for (j= i + 0 . . . ). All tests will yield the
right answer.
9. Change the second part of the swap-statements into a[i] = a[i]. Not only will the
array with random elements probably give the wrong sorting order; its elements
will also change.
10. As the final mutant, we change the first part of the swap-statement into temp =
a[0]. The array with random elements will probably give the wrong answer.
So this test set leaves us with 1 live mutant. This means that the quality of the test set
is quite high. Note that the situation becomes really worse if we drop the array with
random numbers. The quality of this test set is really determined by the latter test.
Most of the other tests only exercise some boundary value.

13.27 The antidecomposition axiom says that if some component is adequately tested in one
environment, this does not imply that it is adequately tested for some other environ-
ment. Consider a sorting algorithm that has been tested in some environment, resulting
in a 100% statement/branch coverage. It may well be that the input to the sorting al-
gorithm always happens to be somewhat peculiar (say, only positive integers), and that
nevertheless every statement/branch of the algorithm is tested. Statement or branch
coverage for the sorting part is then adequate too, while it may well contain errors that
are reveiled if the algorithm is included in some other environment.
The anticomposition axiom reflects the opposite: if components have been tested ade-
quately, their composition need not be tested adequately. Suppose we have a component
P which is statement/branch tested using some test set T, and the output of P for T
is some set T. Suppose furthermore that Q is statement/branch tested using T. Then,
T is always 100% statement/branch tested for P;Q as well.

13.29 Functional/structural testing: a good method for fault finding, because of their
structured approach to covering the input domain and program domain, respec-
tively. Experiments suggest that these methods tend to find different types of
faults (see Section 13.8.3). Both methods are less suited for confidence building,
for two reasons. For both methods, the testing quality hinges on the quality of
the equivalence partitioning, which is often not perfect. Secondly, they treat every
fault equally hazardous, which need not be the case during operation of the system.
Correctness proofs: the major problem with correctness proofs is that the pro-
gram is proved correct with respect to some other formal description. Under the
assumption that this other description is correct, correctness proofs are both good
at finding faults and increasing our confidence. Additional testing is needed to
cater for the possible imperfectness of the formal description against which the
proof is given (and possible errors made in the proof itself).
Random testing: may be somewhat less strong in finding faults, since the method
exploits the operational profile of the system, thereby paying little attention to

24
 those parts that are hardly ever used. Experiments suggest that it is quite good
at building confidence.
Inspections: the strengths and weaknesses of inspections are similar to those of
functional and structural test methods. Again, experiments suggest that inspec-
tions reveil different types of errors.

13.30 The major difference with other types of reviews is the direct user involvement, which
may strengthen their commitment with the project. Discussion of possible usage sce-
narios also has a stronger validation character than other types of review.

13.32 Ultimately, the actual occurrences of failures are what counts. Faults that never show
up, for instance because they are located in a piece of code that never gets executed,
are not important. A fault in a piece of code that gets executed many times a day is
important, though. Thus, an assessment of the actual frequency of failure occurrences
(= reliability) may be deemed more important than testing.
On the other hand, both testing and reliability assessment are needed. Testing, if started
early on in the project, can help to prevent errors, and provides for systematic means
to assess software quality. At a later stage, reliability assessment helps to assess the
operational quality of the system.

14 Software Maintenance
14.10 See Section 14.2.1. The key idea is that design recovery requires outside information,
information that has gone lost during the transition from requirements to design, or
design to code.

14.11 During maintenance, changes are made to existing artifacts (design descriptions, code,
etc). This results in different versions of those documents. Software configuration
management helps keep track of revision histories and versions. Older versions remain
available, so that changes can be undone, and the revision history itself can be of help
during maintenance. Additional support for building executables both optimizes this
process (unchanged components need not be compiled anew) and helps to get the right
executables (those that contain the most recent version).
The data stored in the software management system can also be used for mining the
project data. For instance, trends in the number of change requests in certain parts of
the software archive can be studied; see also Section 14.4.

14.12 The major role of an acceptance test by the maintenance organization prior to the
release of a system would be to assess the maintainability of the system that is about to
become operational. Such a test will then pay particular attention to aspects that are
relevant during maintenance: the quality of the technical documentation, the structure
and complexity of individual components as well as the system as a whole, the reliability
of the system. The structure of such an organization could be similar to that of other
test groups. In particular, the future maintainers should be represented.

14.13 Maintenance concerns all work on a system after it has become operational. We may dif-
ferentiate between maintenance and development by taking the end-user point of view:

25
 work is considered development insofar as it concerns the offering of new possibilities
to them. Everything else is maintenance.
Since development from scratch is the exception rather than the rule, the distinction
between development and perfective maintenance easily gets blurred. We might say
that real maintenance concerns all activities that do not change the functionality of
the system, while development concerns the addition of functionality.
The classification of development and maintenance activities as given in the exercise
does make this careful distinction between adding functionality, and everything else.

14.14 Software maintenance requires understanding of the software to be maintained. Explicit

codification of this knowledge, and subsequent help in browsing through the resulting
network of knowledge chunks, offers additional support over other means to acquire
that knowledge (documentation, design information, and the like are essentially linear
organizations of this knowledge, from which subtle interactions and mutual dependencies
are hard to distill).

14.18 If components are reused, they will generally be of a higher quality than newly developed
parts. They have simply stood the test of time. This in itself should have a positive
impact on (corrective) maintenance effort. Secondly, reused components are likely to be
more stable; they reflect the growing understanding of domain concepts. This in turn
should positively impact perfective maintenance effort.

14.19 Object-oriented software development emphasizes the modeling of a problem, rather

than any particular solution to that problem. The structure of the resulting system
should then better reflect the structure of the problem domain. Stable entities are
the focus of attention, and volatile functionality is implemented through operations
on objects. This should help to reduce maintenance effort. At the code level, systems
written in OO languages tend to be shorter because of the code sharing that results from
inheritance. Smaller programs require less maintenance. Finally, changes to programs
can be realized through subclasses, rather than through tinkering with existing code.
On the negative side: OO programs may be more difficult to comprehend, because the
thread of control is more difficult to discern. The inheritance mechanism may make it
more difficult to decide which parts of the system apply at a given point. Excessive use
of inheritance is likely to make the system really difficult to comprehend and maintain,
henze the slogan Inheritance is the goto of the 1990s.

14.20 Changing a program involves three subtasks:

1. comprehending the program,

2. making the change, and
3. retesting the program.

Subtasks 1 and 3 require an effort proportional to the length of the program; this effort
is hardly, if at all, affected by the size of the change. Subtask 2 may be expected to
incur a cost proportional to the size of the change. If the cost of activity i is Ci per line
of code, then a 10% change in a 200 LOC program is the more costly one if:

200C1 + 20C2 + 200C3 > 100C1 + 20C2 + 100C3

26
 This is true for any nonnegative value of C1 to C3 .

15 Software Tools
15.11 Artifacts like user documentation, specifications, and the like, have many features in
common with source code modules:

they too consist of a set of interrelated components;

they are subject to change as well, resulting in different versions as well as revision
histories;
they also have some status, like: in development, being tested, frozen, etc.

Automatic support for configuration control of these artifacts thus offers similar help in
the control these types of information.

15.12 There a a number of possible reasons for this discrepancy, such as:

fully integrated support environments are not abundant. As a consequence, sup-

port for a number of activities is often given, but not for all.
support environments tend to concentrate on initial development. It is not clear
to what extent systems developed using such an environment can also be easily
maintained.
there is no consensus yet as to how a support environment should look like. A lot
of research and development in this area is still going on, and future environments
will certainly differ from the present ones.
because of their formality, support environments impose a certain way of doing
things. Many development activities however are ill-formalizable, and the envi-
ronment may then be a hindrance rather than a help. Also, tuning of a support
environment to a specific situation often is not easy.
sound ways to assess, compare, and judge the added value of support environments
are not yet available.
if different (sets of) tools are used, interoperability becomes an issue. For instance,
if requirements are kept in one tool, and code modules in another, it becomes
difficult to follow traceability links from requirements to code.

16 User Interface Design

16.12 Help systems come in two broad categories: passive help systems and active ones. A
passive help system offers static information: an overview of commands/actions, infor-
mation on the use of specific commands/actions, how-to like information (as in how to
delete a paragraph). The latter is especially important if the command mnemonics do
not really fit their semantics, and in cases where command sequences have to be issued
to realize a compound task.
A dynamic help system takes into account the current state and the history of the current
job when offering help. It may give information on admissible commands/actions, offer

27
 hints as to how to achieve things better (replace recurrent command sequences by more
powerful commands than the user is possibly aware of, and the like). Present-day
desktop applications often offer both varieties.

16.13 Most of the adaptations are to the requirements engineering phase. Requirements en-
gineering is likely to start with a feasibility study. Part of this feasibility study is to
decide on the system boundaries: what is done by the computer, and what is left to the
user. A global task analysis, possibly with a few user representatives only, may be done
to clarify these issues.
Once this feasibility study is done, and a decision on a full requirements engineering
phase is taken, a more elaborate task analysis step is conducted. Interviews, observa-
tions, and other techniques can be used to get at a full task catalog and task hierarchy.
At this stage also, certain aspects of the interface functionality (dialog style, type of error
messaging and help functions, dialog sequencing, and default behavior) is determined.
This can be user-tested using rapid prototyping and screen walkthroughs.
During the design stage, several alignment issues deserve our attention, such as those
between detailed data modeling and the objects that appear on the screen, between
task structure and system structure, and the physical layout of screens.
Finally, testing should also include usability testing.
See Summersgill and Browne (1989) for a more detailed description of how to integrate
user-interface issues with a classical waterfall-type development method, viz. SSADM.

16.14 Manually constructed scenarios with prospective users. Advantages include: user
involvement from the start, real-life examples that users feel comfortable with,
expressed in the language of the user, no big investments needed, quick results.
Possible disadvantages include: the extent to which the scenarios cover everything
needed, how to document the results, the process need not converge, it is difficult to
include dynamics, and the scenarios tend to be simple ones. See Rettig (1994) for
a more elaborate discussion of a similar approach, viz. the use of paper prototypes
in user interface design.
Iterative prototyping. The advantages and disadvantages hereof are discussed in
Section 3.2.1 of this book.
Develop functional parts first, and only then the user interface. From a managerial
point of view, this approach has definite advantages when it comes to control
progress. Functionality is decided upon first, and the user interface is seen as a
layer on top of this (so, while working on the user interface, no rework is needed
because of wrong functionality). It also allows for a clear separation of concerns
in the architecture (viz. the Seeheim model). The biggest disadvantage is that the
result need not match the real user needs, and that it takes a long time before the
users see anything.
Formal description and analysis of user interface. A major advantage of formal
descriptions is that they allow for formal evaluation. However, it remains to be
seen whether the user interface requirements can be sufficiently captured formally.
Also, discussing formal specifications with users is not easy, and most developers
are not familiar with formal techniques.

28
17 Software Reusability
17.7 When discussing data abstraction in Chapter 12, we observed that general, domain-
independent data abstractions often occur at the lower levels of the system hierarchy,
while domain-dependent data abstractions show up at the intermediate and higher lev-
els. Domain-independent data abstractions are limited in number: lists, queues, trees
of various kinds, and the like. These are well-known, and their reuse is quite feasible.
Domain independence is much harder to obtain at the higher levels of the system hier-
archy. It is very difficult to describe such concepts (like ledger in a banking system,
alarm signal in an elevator-control system, etc.) in a domain-independent way, since
they derive their meaning from that domain. It is also very hard to retrieve them using
domain-independent descriptions (if these exist): experts in a certain domain think in
terms of concepts from that domain.

17.10 In a component-based software factory, explicit attention needs to be given to the li-
brary of reusable components. I.e., we have to actively look for reusable components
during development (especially during design and implementation), and we have to as-
sess components for inclusion in the library. Thus, the process model changes in at
least two ways. During design and implementation, the library of reusable components
has to be searched. Note that this not only involves a passive search. The design pro-
cess itself will be different, since we wish to obtain a design in which reuse is indeed
achieved: not just design with reuse, but design for reuse. Secondly, we must assess
new components for inclusion in the library. This often incurs extra activities: extra
testing and documentation, generalizing components, and the like. This had better be
an activity clearly separated from the current project.
Managerially, incentives are needed to foster both the use of reusable components and
their development. Furthermore, new roles and activities must be defined. A librarian
is charged with the administration of the library (including the enforcement of coding
and documentation standards, classification of components, and the like). New activ-
ities include assessment of existing components for inclusion in the library, as well as
improvements to components before inclusion.
See also the discussion in Section 18.3.

17.13 Reusable components (or templates, or designs) embody a certain amount of, either
domain-dependent or domain-independent, knowledge. In order to assess their useful-
ness, we must be able to acquire sufficient knowledge about them. Codification of this
knowledge eases this process. Component classification schemes are one means to do
so. In a fancy classification scheme we may be given entities that are close to the one
looked for. Codification of domain-dependent knowledge is a further step in supporting
the retrieval of domain-dependent reusable artifacts.

17.15 Major aspects of this routine that need to be documented are:

description of input and output formats (including the maximum size of the ma-
trix);
precision and error tolerancy information;
information on the algorithms speed, and its memory requirements;

29
 how exceptions are handled (the possible singularity of the matrix);
an identification of the numerical method used (such as LU-decomposition with
complete or partial pivoting, QR-decomposition, Gauss-Jordan).

17.16 There are at least two reasons why this type of information may be relevant to the user:

this information may be important in our assessment of the usability of the compo-
nent. Finding an element in a binary search tree is faster than finding an element
in an unsorted list. Sorting algorithms differ in speed and memory requirements.
Numerical precision may depend on the algorithm used. Etc.
in certain circumstances, we really think of entities in terms of their representation.
For instance, we may think of a polynomial as a series of coefficients, or a series of
zeroes plus a constant. We really do not think of a polynomial in a more abstract
sense. A more elaborate discussion hereof can be found in Sikkel and van Vliet
(1992).

18 Component-Based Software Engineering

19 Service Orientation

20 Global Software Development

References
Bass, L., Clements, P., and Kazman, R. (2003). Software Architecture in Practice. Addison
Wesley, second edition.

Bersoff, E. and Davis, A. (1991). Impacts of Life Cycle Models on Software Configuration
Management. Communications of the ACM, 34(8):104118.

Boehm, B. (1981). Software Engineering Economics. Prentice-Hall.

Brooks, F. (1995). The Mythical Man-Month. Addison-Wesley, second edition.

Carmel, E., Whitaker, R., and George, J. (1993). PD and Joint Application Design: A
Transatlantic Comparison. Communications of the ACM, 36(6):4048.

DeMarco, T. and Lister, T. (1985). Programmer Performance and the Effect of the Workplace.
In Proceedings 8th International Conference on Software Engineering (ICSE8), pages 268
272. IEEE.

DeMarco, T. and Lister, T. (1987). Peopleware. Dorset House.

Meyer, B. (1985). On Formalism in Specifications. IEEE Software, 2(1):626.

Meyer, B. (1992). Design by Contract. IEEE Computer, 25(10):4051.

Musa, J., Iannino, A., and Okumoto, K. (1987). Software Reliability: Measurement, Predic-
tion, Application. McGraw-Hill.

30
Parnas, D. (1999). Software Engineering Programs Are Not Computer Science Programs.
IEEE Software, 16(6):1930.

Perry, D. and Kaiser, G. (1991). Models of Software Development Environments. IEEE

Transactions on Software Engineering, 17(3):283295.

Redmond, J. and Ah-Chuen, R. (1990). Software Metrics: A Users Perspective. Journal of

Systems and Software, 13(2):97110.

Rettig, M. (1994). Prototyping for Tiny Fingers. Communications of the ACM, 37(4):2127.

Sikkel, K. and van Vliet, J. (1992). Abstract Date Types as Reusable Software Components:
The Case for Twin ADTs. Software Engineering Journal, 7(3):177183.

Summersgill, R. and Browne, D. (1989). Human Factors: Its Place in System Development
Methods. In Proceedings Fifth International Workshop on Software Specification and Design
(ACM SIGSOFT Engineering Notes, Volume 14, Number 3), pages 227234. ACM.

Vincent, J., Waters, A., and Sinclair, J. (1988). Software Quality Assurance, Vol I: Practice
and Experience. Prentice-Hall.

31