Re: object-orientation vs. safety-critical




Nancy Leveson (leveson(at)sunnyday.mit.edu)
Fri, 01 Mar 2002 10:49:06 -0500


John C. Grebe Jr. wrote:
> Is it possible that part of the problem is the top-level design and the perspective used in definition of the objects? Could an alternative design with objects based on a safety-oriented perspective make a difference?

The problem is that I want to analyze functions, not objects. I also think that the best and most natural design method for control systems is functional decomposition. There have been some attempts to design spacecraft systems using OOD that were failures and the team went back to their traditional functional decomposition. Someone at a NASA Center (who shall remain anonymous) told me that they are considering forbidding the use of OOD.

What I don't understand is why so many people nowadays think there is only one way to design all systems. A master craftsman has a whole toolkit and not only can use them all but knows when it is best to use each tool. An amateur has only a few tools and uses them all for everything. Same with great architects. There are always tradeoffs in any complex design effort, and different designs will optimize the different desired qualities. A great designer knows how to create a design that will optimize the most important qualities for that system. If building a screen editor, I would be the first to use an OOD. But when designing a control system, I would use a more appropriate design. The truly great software designer does not use OOD for every design (that is the sign of an amateur) but can select a design approach that is the best for that particular system.

I have looked at dozens of OO designs of control systems, and I find them incredibly more complicated than those based on functional decomposition. I think I can now explain why. A mechanical engineering professor here at MIT defines "complexity" as the degree to which the structural decomposition of the system differs from the functional decomposition. OOD structurally decomposes the system (according to objects) but the functionality gets spread throughout and gets far away from the structure. That probably also explains why I see engineers struggling to use object-oriented designs and making objects like "navigation" (a function, not an object). OOD fanatics tell me it is just because those engineers do not know how to do object-oriented design, but I think there is a much deeper reason. They seem to find it much more natural to design these types of systems using functional decomposition. That naturalness translates into easier to understand and review, easier to design without errors, easier to analyze to determine whether the system does what the engineer wants and does it safely.

Nancy

