BOSTON The escalating cost of software goofs combined with the specter of malpractice suits over glitchy programs are spawning fresh attempts to swat bugs before they can do much harm.
A number of vendors came to the Embedded Systems Conference (ESC) here last week with tools designed to ferret out bad coding before it gets into production software packages. At the same time, industry initiatives a number of them led by Carnegie Mellon University are getting a bead on bugs as part of a broader effort to make computing systems more reliable.
Bugs and glitches cost the U.S. economy about $59.5 billion a year, according to a study released in June by the National Institute of Standards and Technology. The NIST report found that software users contribute about half the problem, while developers and vendors are to blame for the rest. Better testing could expose the bugs and remove them early in development, knocking more than a third or $22.2 billion off that cost, said the study, which was conducted by the Research Triangle Institute in North Carolina with input from the software industry.
Software is error-ridden in part because of the complexity inherent in writing millions of lines of code. The NIST study estimated that about 80 percent of the cost of developing software goes into identifying and correcting the defects. Other factors contributing to the problem, according to the study, include flawed marketing strategies, limited liability by software vendors and decreasing returns on testing and debugging.
But the price of being lax is rising. The National Academy of Sciences earlier this year urged lawmakers to consider adopting legislation to hold software vendors liable for security breaches. Europe already has begun to do so. A Dutch judge in September convicted Exact Holding NV of malpractice for selling buggy software, rejecting the argument that early versions of software are traditionally unstable.
Two companies dedicated to reducing the risk associated with bad coding made a splash at ESC, as S2 Technologies Inc. released its Stride Integration and Test Platform, and the Programming Research Group announced the opening of a new U.S. office, a new chief executive officer for the Irish company's North American operations and a push to expand its foothold in the embedded community with a line of static code analyzers for applications in C, C++, Java and Fortran.
Also, Programming Research last month joined the Sustainable Computing Consortium, a collaborative effort among major corporate IT users, developers, suppliers, university researchers and government agencies to drive improvements in the dependability, security and quality of information systems.
"We are dedicated to raising the bar in terms of software quality, standards compliance and performance, which fits well with the overall mission of the Sustainable Computing Consortium," said Robert D. Buckley, the newly appointed CEO of Programming Research Inc., the Americas subsidiary of the Dublin-based Programming Research Group.
The consortium currently has 30 members, among them CMP Media LLC, which publishes EE Times. Other member companies include Boeing, Cisco, Confluence, General Motors, Hewlett-Packard, Microsoft, Oracle, Raytheon and RedSiren Technologies.
The Sustainable Computing Consortium is based at Carnegie Mellon University in Pittsburgh, which is also the linchpin of another industry effort toward software reliability. NASA's Ames Research Center is working with Carnegie Mellon's School of Computer Science to develop a multidisciplinary, multi-institutional High-Dependability Computing Program with the initial aim of improving NASA's ability to create dependable software. The incremental five-year cooperative agreement, signed earlier this year, is part of a broader strategy that links NASA, Carnegie Mellon, corporate partners and other universities in the quest for dependable computing.
"Human performance and human-computer interaction are critical elements of software reliability," said Terry Allard, chief of the Human Factors Research and Technology Division at NASA Ames. These criteria have long been requirements for space and defense systems, said Allard. Now they are becoming important for systems in many other sectors, including those associated with national infrastructure, defense and health care, as well as mainstream applications ranging from electronic commerce to desktop PCs.
"Carnegie Mellon has more than 2,500 alumni in Silicon Valley. They want to see us take a more active role in this environment," said James H. Morris, professor and dean of the School of Computer Science, and a principal investigator on the High-Dependability Computing Program.
Part of the university's efforts to raise its profile in the Valley involves formation of the High-Dependability Computing Consortium jointly with NASA and 15 Silicon Valley companies. With a broad focus on reducing failures in computing systems critical to the welfare of society, Carnegie Mellon and its partners will explore collaborations with industry and other major software development efforts, including open-source projects. Carnegie Mellon has an agreement to use NASA facilities at Moffett Field in Sunnyvale, Calif., as a launch pad for the high-dependability program.
Bugs flow downstream
The NIST study that came out in June found that more than half of all errors in software are not discovered early enough in the development process, but crop up "downstream," when the package is nearing production, or even later, in the field. One way of making code writing more efficient is to integrate and test software components almost from the onset of an embedded-software development project. That's the aim of the Stride Integration and Test Platform from S2 Technologies (Cardiff, Calif.).
After two years of development and a year of beta testing, "we have shown that we can reduce integration and testing cost, and the schedule, by 30 percent," said Dave Wenk, vice president of marketing at S2.
Whereas in-circuit emulators are processor-centric and integrated development environments are RTOS-centric, Stride 1.0 is interface-centric. That means, S2 said, that it has detailed knowledge of how components within the embedded application communicate. By black-boxing the details of each software component and revealing the application's internal communications, Stride 1.0 claims to let a developer integrate and test millions of lines of code by focusing on significantly fewer interfaces.
Stride 1.0 creates a virtual development environment in which the location of one component in an embedded application is transparent to any other component or host-based application. Developers can move threads, functions, messages, data and other components back and forth across the host-based interface to accomplish their integration and testing objectives. Stride 1.0 is agnostic to the real-time operating system or processor being used.
The commercial launch is scheduled for the fourth quarter. S2 listed Micro Motion, a division of the Emerson electronics conglomerate, as a customer, along with a large semiconductor company and a major cell phone maker, both unnamed.
As an example of how Stride 1.0 helps in keeping software costs down, S2 Technologies said that currently, it takes a team of 15 engineers approximately two years to develop the software embedded in a typical cellular telephone. Assuming that the average annual salary and benefits per engineer are roughly $150,000, then the project cost excluding tools, equipment, training, materials and other expenses is $4.5 million.
Integration and testing activities consume approximately 40 percent of the cost and schedule of a typical software project, S2 said or $1.8 million and almost 10 months of the schedule. Based on the experience of beta customers and S2's own internal analysis, the company said that Stride 1.0 saves 30 percent of that cost, $540,000, by cutting the time it takes to do integration and testing from 10 months to seven. Because the market window for a cellular handset averages about nine months, a handset manufacturer can thus expect to realize 33 percent in additional revenue on top of the half-million in cost savings, by the company's accounting.
Given the costs and other repercussions associated with software failures, embedded developers are coming to appreciate the benefits of static code analysis. That's the approach Programming Research Group has taken to reliability in a line of products and services designed to help developers achieve stated levels of software quality and software process improvement.
The company's QA-C static code analyzer lets developers test multiple layers of dense source code and identify potentially damaging, costly or even life-threatening coding errors in business and safety-critical applications.
Programming Research, which has just opened an office in Boston, announced at ESC that its tools now support QNX Software Systems' Momentics development suite, for use in the automotive, medical, network and defense industries. The company said it will also lend its expertise to the Eclipse.org C/C++ Development Tools (CDT) Project, led by QNX. Eclipse is an open platform for tool integration being developed by an open community of tool providers.
"We are pleased that our work with QNX has now enabled us to take a front role in the Eclipse CDT Project, which will have a huge impact on the next wave of open computing," said Buckley, the CEO for the Americas.