Software Quality In a Non-Software Company?

Nicros writes "I work for a publicly traded biotech company that happens to write software that is, in fact, kind of critical for the business — without it no data would ever be read from our instruments, and no analyses would be performed on that data. The problem is that as a 'biotech' company, we are not taking software quality seriously. We have no senior management with any history of commercial software development — our C level has really no clue whatsoever what software really is, much less what is going on in software development. All of our quality processes are related to manufacturing our system (not software), so we are constantly forced into ad-hoc development since there is no real process for our development. Repeated requests to hire someone with some real commercial software development experience have gone unanswered. I have been to the CEO directly one-on-one and although he agreed this was an issue, thanked me, and said he would look into it, that was the end of it. He has bigger things to worry about. So the question: Is this just a fact of life and I need to deal the best I can? What else can I do to get some attention on software quality in the company?"

Practice What You Preach

[ilovegeorgebush]

You're obviously fighting an up-hill struggle. Going straight to the CEO is both a good and bad idea - if it works you'll get immediate affect, but it's likely to be ignored.

You need to argue this case as much as possible. If you're the developer, or in charge of development, enforce decent developmental practices and ensure your estimates include them. Err on the side of caution. Take an estimate and double it. Managers talk money, not standards, so you'll have to hit them where it hurts.

Otherwise, is there anything off-the-shelf that could alleviate some development?

Re:Practice What You Preach

[Z00L00K]

A version control system is critical to have, and to document what your processes are when developing software is the second part of the process.

Impose a coding standard where some outlines for coding style is provided, but more for the sake of how to maintain the code quality. Compiler warnings shall be at an absolute minimum, utilization of compiler safeguards shall be used whenever possible. Enforcing "Option Explicit" in VB for example.

For version control - go for a simple solution like CVS or SVN. SourceSafe isn't really safe... It has a tendency to drop files if the area where you check in files on suffers from a full disk.

But there is no support at all from management when it comes to safe software development it may be time to drop the issue and say that "we need to buy some software here" and hire a consultant company for that. Then it starts to get expensive and wrong unless you get the right people...

Last option is to leave ship and leave the sources in an unstructured order without any useful documentation. Then wait and see if someone comes back asking you politely for help. If you aren't alone bring your coworkers with you too. There are always companies looking for people with skills.

Re:Practice What You Preach

[Syberz]

I also work for a biotech but we're lucky enough to have a CEO who's a computer scientist so he knew the importance of IT. As such we have a rather larger IT dept which includes a software development team.

In order to show the bossesses that proper software maintenance/creation/validation procedures are important just explain what would the FDA or some other regulatory agency do to your collective bung holes if they were to probe deeper into your practices.

Mission critical data being handled by non-validated/non-documented software is just like having untrained people working with samples in the lab, it's a big no-no.

You need paperwork that supports your claim, start with all the areas where un-validated software is used, then add to that a second section explaining the cost of poorly planned development iterations. We work using monthly iterations and when we told the people responsible for the software in the field that an iteration cost about 30 000$ just in labor costs they started paying attention and making the lists of demands count, i.e. removing the superflueous demands (ex: "it would look nicer in blue" was replaced with "The standard deviation calculation should be done with X+1, not just X.")

Re:Practice What You Preach

[b4upoo]

Between being right and being popular with bosses being popular wins out every time. Pestering them about better ways to do things is not a great idea. Play golf with them and never mention a darned thing relating to work and if something does crop up then make them think it was all their idea all along. Money shall flow to you as well as job stability. Make sense and be logical and you might as well start a job search.
          Thia may not apply in other nations but in America it works every time.

Re:Practice What You Preach

[inviolet]

You're obviously fighting an up-hill struggle. Going straight to the CEO is both a good and bad idea - if it works you'll get immediate affect, but it's likely to be ignored.

Rarely does the statement "You've got a problem and you need to solve it" ever get a good response.

If you say "We have a problem, this is how other people solve it, and this is what I will need to solve it. Give me the budget and I'll solve the problem." then you are vastly more likely to get what you want. Then you'll have to deliver, but if you are like me (not that I am the best way to be), you'll find the responsibility gratifying and the deadline invigorating.

Re:Practice What You Preach

[Hotawa+Hawk-eye]

Your statement "We have a problem, this is how other people solve it, and this is what I will need to solve it. Give me the budget and I'll solve the problem." is close to complete, but you're missing one piece.

"We have a problem, this is how other people solve it, and this is what I will need to solve it. This is what it costs us _not_ to solve it. Give me the budget and I'll solve the problem."

If you can show that the software development 'process' currently in place is costing the company $N a month and you will need to spend $X to improve the process, if you're going to be developing software for more than (X/N) months, it'll be more cost-effective to fix the process.

Re:Practice What You Preach

[sm62704]

In order to show the bossesses

Yes, precious, we'll show those nassssty bossesses, yes, we'll shows them!

;)

Re:Practice What You Preach

[electroniceric]

I also work for a biotech (... this my other brother Darrell), and we're facing the prospect of FDA regulation as a device. So we're presently working our way through ramping up a formal (21CFR820) Quality System now. My boss happens to have been through this before and to be a pretty effective evangelist for the FDA's Quality System methodology, which is required for all medical devices and drugs. As he says, a Quality System is just putting to paper all the things you should be doing anyway. So one place you may want to start is by discussing the utility of complying with FDA regs with regard to software.

My boss also notes (on any occasion where there's an opening) that when the FDA introduced design controls, most companies complained they were going bankrupt (as companies are wont to do when regulation, merited or unmerited, is proposed). But when the FDA went around doing their roadshow to show that they weren't just making rules without listening to industry, people from the device companies gradually started to get up and explain how using a Quality System actually lowered their costs and decreased their time to market for revisions and product upgrades.

So as an evangelization tactic I'd look on the FDA's site for guidances relating to the introduction of the Quality System Regulation. For example, this guidance on general principles of software validation is pretty good. If you mentally translate into software industry language you can really see that they're trying to get you to do better engineering by thinking and documenting early, really getting straight what the software is trying to do, and being structured about showing that it does what it needs to do. The truth is that despite the startup effort of introducing documentation and procedures, controlled engineering methodologies work way better - they reduce requirements failure, increase code quality (and more importantly, design quality), and - though developers start out hating paperwork - even make the developers happier because more code works and sees real use. If the company plans to be in the software business for the foreseeable future, it's almost certain that the effort invested in good software practices will pay huge dividends down the road. The key is point out that quality is not an esoteric consideration, it's a driving cost and business risk consideration. Sooner or later the cost of low quality software shows itself.

One thing I will note is that the QSR is pretty waterfall oriented, both because it predates the formalization of iterative/agile methodologies, and because it's written for engineering of physical boxes that have to be released to manufacturing (which implies a fair bit of waterfallism). Part of our effort is to practice iterative development methodology while documenting to the FDA's standards.

Anyway, take a look at all that.

Anarchy is an opportunity

[Hal_Porter]

It sounds like in your company there is no one doing this job. You've talked to the CEO. Get him to make you VP of software and tell him you'll solve the problem if he gives you responsibility.

Anarchy is an opportunity for the ambitious and unprincipled. Take it and make yourself software Czar.

Re:Anarchy is an opportunity

[pieterh]

Agreed. Don't raise issues for other people to solve, you are just labeling yourself a trouble maker. Raise issues, attach costs to them, and then present yourself as the person with solutions, and ask for budget to solve them. Make a proposal with figures, planning, clear savings, and get approval. Then hire and build a competent team and/or find a good subcontractor. Use open source where possible to save costs. Report your progress and ensure you get budget every year.

Think of ways to turn a profit from the software. Maybe it can be licensed to other firms? If you can earn revenue you will suddenly become much more valuable.

Problem is: you will stop coding and become a manager. But if you do a good job, you can get power in the firm.

If you present a good plan that will solve real problems for the company, and you are not given the green light, then look for another job. If/when things go bad, they won't thank you for it.

Re:Anarchy is an opportunity

[southpolesammy]

Careful what you wish for though....

The flip side of becoming a point of authority in an environment as this is that if/when code defects bubble to the surface on your watch that result in a major hit to the company's bottom line, you may need to have a thick layer of asbestos underwear on in order to prevent the blame game from claiming you as a victim.

Right now, you've identified the problem for your mgmt and have suggested solutions, but you're not yet responsible for the implementation of those solutions. Becoming the VP of such an org not only makes you responsible for the fixes, but also directly accountable, possibly including from a legal standpoint. In other words, you'd better hope that the bugs in your software don't have the potential to cause medical or financial harm to your customers.

Re:Anarchy is an opportunity

[houghi]

Also do not forget to get some customer input. It will be extremely hard to change anything if your customers are perfectly happy with what you have. For you it might be bad, but perhaps for the customer it is 'good enough'.

Doing the manager thing and figuring out the numbers might even lead you to the fact that changing things would cost more, while not gaining extra income or saving anything.

So it could be that it is just a 'nice to have' and not a 'need'. You will need to prove it makes money, otherwise they will not do it.

'Making money' can also mean that your customers will be happier, or they will call you less, saving money, because you can do other things. It can also happier customers, which might be important if you measure customer satisfaction.

Basically you need to sell the idea and the company needs to buy the idea. If you can agree on a price where both parties gain in the deal, then it is good. If one of the parties does not gain anything, then it is a no-go.

This is true for every change in whatever it is you want to change. From the color of the toilet paper to the closing of a factory.

Re:Anarchy is an opportunity

[kitgerrits]

If you want to keep yourself safe, document and report all 'blind spots' in your method.
Make sure you present an overview of what you can control and what you cannot control.

If management does not agree with a certain blind spot, show them the resources required to cover that blind spot.

You cannot have bug-free code without strict rules and a literally astronomical budget. (and even NASA has had a few bugs)
What you can do is prevent embarassing/dangerous bug from making it into 'production software'.

Re:Anarchy is an opportunity

[nahdude812]

Excellent point, if you present yourself as the man with the solutions, and especially if they promote you as such, you're going to be taking the heat when things do not go perfectly.

The thing about rigid development and testing processes is that they delay releases. You can do featureful but buggy from-the-hip releases rapidly, or you can do rock solid heavily tested releases very slowly.

It's the old speed, quality, cost diumverate. Sounds like today they're choosing speed and cost, and quality is there only because your product isn't yet so mature that regression bugs aren't common.

Companies starting a development methodology need time to adjust to the reduced agility that these require. It's best to work your way into it.

Start with introducing source control and some formal testing, along with build releases. It's not very likely that they're going to reject you on these things as their benefits are fairly clear and they shouldn't have that much impact on your bottom line. Create a branch per release, and suggest that the software not be released to manufacturing until that release passes formal testing.

Later you can introduce things like regression testing and a proper software development lifecycle.

You have to be careful how you present it. Make sure they're aware that you're easing the company into a larger methodology, and until fully implemented there's still going to be gaps for bugs to fit through. Explain that during this process you'll be performing gap analysis on each bug that does appear, identifying how it got through testing, and adjusting the process as necessary to ensure that such a thing is less likely in the future.

You don't want to present it as a silver bullet out the gate, you want to be sure to explain that it's iterative and the objective isn't immediate perfection but continual quality increase. Even if you have 30 years of software development lifecycle managerial experience, you can't convert a company to a full-blown lifecycle overnight, and depending on how a company works and what its needs are, lifecycles will in fact differ a bit from company to company. Even if a perfect lifecycle existed, you still need to give people time to get accustomed to it, so you can't just throw the switch over night or everything comes to a halt.

Re:Anarchy is an opportunity

[antifoidulus]

Going to the customers would be a huge mistake in this case, it seems the software is supposed to be "invisible" to the end user, so going to the end user and saying, "Hey, you know that software that runs on the expensive piece of equipment we sold you, well underneath the covers its crap and I need to convince the CEO of that" is probably a bad idea. Plus, the customer probably doesn't care as long as the stuff works. You can get poorly written code to work, but the huge amount of manpower it takes to maintain bad code will come back to bit the company in the ass.

Opinion from the outside?

[DerCed]

Could you propose to hire a software test consultant for a day or two and let him point out serious quality issues (data integrity, security, correctness..)?
A serious, alarming report by an external software test professional could help reinforcing your requests?

I have the same problem

[_Shad0w_]

I have the same problem where I work, the problem is I am the dev with real commercial experience; I just can't convince them that we need to do things in a manner that I would consider correct - it's all ad-hoc development and it's all driving me nuts.

The problem is, if our software doesn't work correctly, then the data we collect and process using it becomes screwed up, which is a major issue for the core business - data is our crown jewels.

My current solution to the problem is looking for a new job in a company that actually takes software development seriously. I just can't see any way of getting things here working the way I want. There wasn't even any revision control in place on the source code when I started.

The problem I'm finding is that the lack of structured development and design here is actually beginning to hurt me professionally: prospective employers, who have software development as a core aspect of their business, actually ask about this kind of thing. If you're looking to hire someone who takes their profession serious, for god's sake make sure they're actually going to be able to do their job - otherwise your company is just going to turn in to a blot on their CV.

As a C-Level for a Software company

[thegrassyknowl]

Prepare a brief for the management-level at your company. Show them basic tools for managing software quality. Dig up documents that show different ways of improving software quality. Talk about development methods (agile, etc).

Tools like Redmine are very pretty and manager-friendly (and free). Show them how easy it is to add tickets, approve and deny work, track changes to the software as it evolves and isolate changes until they are tested properly.

Point out that there is a potential legal minefield if they get something wrong and it's proved to be the software at fault. Show them that tracking each and every change along with who authorised it, who did the work, who approved the changed software to run, etc will help lift some of that liability.

Managers aren't all clueless, and all ones that I know are genuinely willing to do things better. Often they are too caught up in doing things to appease the board that they don't have time to look at things that seem menial to them.

If you don't prepare a brief and suggest a really good solution or two they'll eventuall get a contractor in who will charge a fortune, tell them that everything sucks and then leave. Then you'll be stuck with a half-arsed process based on some pie in the sky ideas from a contractor who really can't know the day to day ins and outs of what you do.

At the end of the day what you need to demonstrate is that by putting a process in place and then tools/staff to support it you'll be able to achieve better results.

Re:As a C-Level for a Software company

[grey1]

All the folks who have suggested coming up with solutions not problems have got at least part of the answer.

I've spent a few years working with a team that has moved from being a bunch of individuals who just make changes to the code ("highly skilled desperados"), to a team where there is:

• a clear defect/issue/bug tracking system (was ClearQuest, now it's bugzilla - "no changes without a defect" was the mantra)
• a clear and strong change control mechanism/board
• good source code control (was ClearCase, now it's svn)
• an automated build process (instead of the hand-tagged, oops, missed a vital file, let's try it again, process of the past)
• clear regression tests and good testing of new features or bug fixes
• good visibility of strategy and the reasons for change

All of this has helped improve software "quality".

And it's in an R&D environment, i.e. it's internally written software to support teams of research scientists and their data and instruments.

We now feel we have reasonable control of changes we make - we know why we want them, and what they are likely to impact. It's much better than when we started - 3 months of firefighting, just trying to keep the software system afloat.

Suggest some or all of the above. Try to quantify the costs, or at least the risks, associated with leaving things as they are. Talk to whoever is the CIO or equivalent. Find the highest-ranking person in the company who understands software and sell the problem and solution to them.

Other angles to try - see who you could get to give a talk at your site on software quality etc. Can you tap into a professional body - like the BCS in the UK?

Good luck!

Re:As a C-Level for a Software company

[roman_mir]

Do not bring up agile in this situation. You want to push them into a paradigm that is structured towards responsibility, not something that allows development to wash their hands from anything and just blame business. In the situation described in this story the best way to go is by setting up a structure that forces a couple of things: documentation of requirements up front, system and design specs, phased iterative development, unit testing of course, QA department, responsible management. I know it sounds difficult, but you have to work towards it, nothing is easy.

Use We instead of I

[RuBLed]

I remember this WTF article at the DailyWTF (I forgot the title) where in order to become firm and get your point across, his superior told him to use WE and OUR instead of I and ME in his email correspondence.

So instead of "Sorry I cannot do this since I believe that you must follow the testing procedures." you could write it like this "Sorry, We cannot do this since we believe that you must follow the testing procedures."

I lol'd but I find myself writing such mails from time to time..

Mixing of two mindsets

[slipnfall]

Hi OP,

I'm a developer/Engineer for two biotech companies: one a small startup, with me being the only part-time employee. The other is a large DOD-backed institution. I can tell you that in the short time that I've been there, it has been a frustrating uphill battle to instill an Engineering/Developer mindset. While I firmly believe Scientists and Engineers seems to have a similar approach to work, it's interesting to see how passive the science-minded folks are towards hardware/software advancements. They are only concerned about how many protein cells it can accurately count, or whatever. There is no interest in what goes on 'behind the scenes', and consequently, what goes on to get there.

There are absolutely no Engineering controls in place at either Employer, and software development is as you said: made for the moment. Personally since I am the one-and-only, I find that I just have to do the best with what I have. I comment and doccument well, keep a code revision repository, and do my best(within reason) to make sure someone else can pick up where I left off.

It won't be my problem if/when the day comes I leave, but at least I'll be able to sleep at night.

Reminds me of Ariane 5

[Planar]

We have no senior management with any history of commercial software development

That reminds me of Arianespace. It took the crash of a 150M$ rocket to make them change that.

Open source it

[Adam+Hazzlebank]

Management are possibly right, the important thing is getting the product to market. If the R&D people write bad code, but code that works, and it gets the instrument to market then ship it. If it's instrument based, the software isn't the critical problem (if it works better than the other guys you win, doesn't matter if the primary data analysis software sucks so long as it more of less works).

However, you should try and convince you're management to open source the software. In this industry the probability is that if you don't open source it someone else will write an open source replacement (see Phred/Phrap, and the open source replacements of the primary data analysis software on next-gen sequencers which are starting to appear). That means your company losses control of the primary data analysis and possibly device control software, and that's bad for your company.

Open source has the added benefit that your development costs will fall (you can start using GPL code), it'll help you engage with the scientific community and you'll get people outside the company doing free work for you (seriously people want to get this stuff working, they'll help). You'll also get free peer review on your code which will drive standards up.

Scared of showing your crap code? Don't be, in this industry I've seen enough to know that most of it sucks (a lot of it's written by Biologists with no formal training). The clincher? "ABI are doing it, why can't we!" http://solidsoftwaretools.com/gf/

Re:Open source it

[Sparky+McGruff]

That's kind of funny; I was thinking about a bug ridden piece of ABI software (the control software for their 7500 real-time PCR machines) as I was reading the original post. I've lost a whole lot of sample runs when the software craps out mid-run. Then again, it could have been the control software for the $500K confocal microscope that renders the hardware largely unusable. Or it could be any number of other software packages that run plate readers, scintillation counters, or anything else. The quality of software on the control systems for even the most expensive hardware is abysmal; they love to produce poor software that loves to crash, and writes proprietary files that can't be readily imported into more powerful software. It's gotten somewhat better over the past 5 years, but as the hardware lives for 20 years, we end users get to enjoy the crappy software long after the company has moved on. It certainly does color my decision about which hardware I will buy in the future, though.

Re:Open source it

[Sparky+McGruff]

If the primary device control software for the SOLiD sequencers is as reliable as their QPCR software, then you'll probably lose about 10% of your runs due to software failure. Of course, that means you get to spend 10% extra on ABI consumables, and if it was a particularly valuable sample, well, tough. It's nice that they're opening up the analysis package, but the true "mission critical" software is the control package. I've yet to find a vendor of (rather expensive) hardware that seems to think the control software is anything other than an afterthought.

Re:Plant a bug

[ilovegeorgebush]

That's called sabotage and it's a silly idea.

Some hints for your situation

[Apogee]

I'm in a quite similar situtation, and perhaps I can provide a few hints from what we're currently doing.

I'm working for a relatively well-known institute in academia (biotech field), with a group that among other research projects, also provides web-based services to the research community. Funding is partially tied to the operation of the services, so there is actually enough pressure to make sure that they work and work correctly at all times.

Still, until about a year ago, development was very ad-hoc, in a mix of languages, and with many "islands of knowledge", where some parts of the system were only known to one post-doc, and other parts could only be fixed by the group head (who, as they are, was usually busy with many other things...). After some hard times and near-misses, we started looking around for ways to improve our development.

I was quite attracted by the ideas of Agile, and I believe that they're a good fit to the kind of processes you find in science, as well as in software engineering. We initially had a professional Scrum coach come in and talk with us about software development practices, and then decided to apply Scrum to our processes.

It's now a bit more than 1 year since then, we're still using Scrum with a few adaptations to fit the academic environment (we're also using Scrum for projects that are really science and research, not software development). In a recent secret poll among the team, Scrum got high marks for making the team more productive, and for creating an environment where code and knowledge is shared. People are happy with the structure that Scrum provides, and we always know where the project stands. Incidentally, we also write better software faster.

But we're still improving the way we work. The transition is slow and painful, and we're only slowly adopting things such as test-driven development, automated builds and pair programming. In my experience, there's a lot of resistance against these "newfangled" methods in the academic culture, especially that of people who weren't trained as software engineers, but rather as physicists, chemists, biologists, but now find themselves producing software.

Some hints on what I've found useful in re-shaping our work environment:

- You can't change the whole structure in one day. Get permission to run a small, isolated project in "the new way", and use this to demonstrate the advantages. Remember, there are many metrics for success: Code quality, timely delivery, not having single points (persons) of failure, as well as team velocity and personal satisfaction. Try to make a case from this small project (and gain experience while doing so), and then grow it out slowly.

- I would not advise to do some clever "breaking the build, and thus showing everybody how fragile the system is" exercise. This may not be seen as constructive.

- Instead, provide convincing evidence by example that your way is more productive and more certain. Bugs that are fixed stay fixed, and don't creep in later again. Timelines are better kept. That sort of thing...

- If you can get someone in to talk about the current best thinking in software development, do so (someone else mentioned this already). It's good to hear an outside opinion, and to understand that these practices are not theoretical but used by large companies world-wide.

- I found Joel Spolsky's 12-point assessment very useful to find out where your organization stands: http://www.joelonsoftware.com/articles/fog0000000043.html ... These are also good points to whisper into management's ears.

Quality Software development is hard

[wrook]

As someone above mentioned, good advice on this question really depends on if you are writing software or not. If you are not involved in writing software, and you are not executive level then just stay out of it. Even if it is mission critical and you see something seriously bad, it's not your business. You've explained the issues, your observations have been listened to and acknowledged. Now you have to trust that your management is doing the right thing. If you don't trust that, then you have *much* bigger problems than software...

But if you *are* involved in software and you want to improve the situation, then it *is* your business. But after years of doing software process improvement I'll tell you that it's a long hard road you'll be walking and you need to be patient.

First of all, making it widely known that the people writing the software are doing a bad job is not going to make you friends. You may not have intended to insult everyone who works on software in your company, but by walking up to the CEO and telling them that nobody knows how to write quality software, you've pretty much done that.

Software process improvement is less a technical issue than it is a political issue. You've got to work on your people skills. You've got to make friends. You've got to make people eager to hear what you have to say. So the absolute very first thing you've got to do is "turn that frown upside down". Nobody wants to hear that they suck. You've got to be positive. You've got to smile. You've got to encourage people and sing their praises.

I know, I know... they really all do suck. Been there, done that, got a closet full of t-shirts. But you are where you are. And you aren't going to move anywhere by attacking these people. So sit down, relax, take a deep breath and get used to what you see. Because it's not going to get to great any time soon.

BUT (big, big, big BUT) if you are smart, and skillful, and patient, little by little by little you can improve things. If you are a coder then you can start with yourself. Do one small thing. Be successful with it. Then go to your buddy and say, "Hey... I started doing this one small little thing and my life is better. Wanna try?"

Keep doing that. Ask other people for their opinion on something that would make life better for you. Then say, "Hey, cool idea! Let's try it!". Keep doing that.

If you see something that's good, yell it out to the world. Say, "Wow! That's fantastic! Did you see what so-and-so did? We should all do that!". Keep doing that.

And smile. Every day. All day. Tell people how smart you think they are. Build up their confidence. Look at their code and compliment them. If you see something that could be improved, say "Hey. You know what? I have an idea... what if we did X here? Do you think that would work?" But for every time you do that, make sure to find 10 other things right that they are doing.

It's bloody hard. It's fucking hard. To be so positive every day. To tell people that you think they are good people. That they are good employees. That they work hard. But that's what it takes to make improvements.

Trust me. And in the end your patience will be rewarded. Because in my experience, most people want to succeed. They want to be kick-ass at their job. They just want a nice friendly person to guide them there. And then they'll go. Easily and willingly. And after all that, it turns out (from my experience) that all those nice things you said over all that time -- turns out to be true (9 times out of 10 -- the other time the guy really is a hopeless wanker).

you're pressing the wrong buttons

[petes_PoV]

There's no point talking about intangibles to a CEO, or C?? anything else.

Have you quantified the benefits of improving software quality?

Have you laid out the risks (both personal, to the directors and to the share-price) of low software quality

Did you make the guy aware of the legal implications and liabilities?

Did you describe what the competition does?

Did you actually propose a planned and costed solution - or were you just moaning at him?

But most importantly, did you wear a tie?

What exactly means "Non-Software Company"?

[Tanuki64]

I have worked in enough software companies to know that they are not necessarily better.

Open source

[Confused]

• Your software doesn't make money for the company, it's just producing costs.
• Your customer need the software to use your stuff.
• From your description, your customers might include quite a few very clever ones that constantly try to push the limit of your systems and thus damning your software to eternal hell for its shortcomings.
• Any help you can get to develop it would be welcome, although don't expect your development costs to go down.

This sounds like the perfect scenario for open sourcing your software with you as the main developers maintaining it.

For the regular users, nothing much will change.

For the power users, those most likely to complain, this will be a tremendous benefit. If they don't like it, they have the possibility to improve it. This often reduce the number of problem reports and increase the good problem reports from your knowledgeable customers. Sometime you might even get useful patches, that save you some work. If you're really lucky, you might get a few users who start to code enhancements.

It also might generate some good-will towards your company and ease the integration of your bricks with other solutions.

What has this all to do with software quality? With your software out in the open, quality problems tend to be treated more like bugs that will be fixed as fast as necessary and possible and you get a better feedback where work is important. Making the software and drivers open source won't save your company any money, it won't cost more either, but it will improve what you get for your effort.

Certification

[tombeard]

If you are in the bio tech field then all of your processes need to conform to ISO13485. There is a section specifically about software. Your company won't be in an FDA/CE regulated environment long unless you comply with those quality standards. I suggest you research the guidelines and point them out to your quality manager.

Been there, done that, got fired

[Ancient_Hacker]

Old chinese proverb: "The nail that stands out gets hammered".

I was in a very, very similar situation. In a company with not a shred of software quality control. Everybody listened to my presentations suggesting we get someone with software engineering experience in the loop. Even a "thank you" from the CEO.

Six months later, I got very firmly terminated on wholly made-up charges of poor performance.

Draw your own conclusions.

Missed the obvious solution

[johannesg]

Make it fail. Make it fail spectacularly, to the tune of millions of dollars. That will certainly get the CEO's attention, and he will be sure to take measures that will stop such failure in the future. Of course, I can pretty much guarantee that you will not like his solution, but software development will be much more professional afterward.

If this is not what you want, ask yourself what you actually want to change. You do know what you want to change, right? Discuss those things with colleagues and managers, then formally propose doing them.

I'm guessing you probably want a more structured development process, with better-organized change requests, and at least some semblance of formal testing. That is very, very hard to set up, because it also requires the help of your users, and they don't care about software, they just want to have their problem solved. If this is the case, always remember that you are there to solve their problems, but they are not there to solve your problems. In other words, don't force them into a process they don't like. You might do better if you can show an advantage other than "it makes my life a little easier".

If all you want is a bugtracker and a version control tool, just request a budget of about $2000, then buy a Dell PC with Linux and install Bugzilla and SVN on it. That will set you back $400 or so, the rest of the $2000 is to show that you are a business thinker and did not forget to include installation time ;-)

If you want to institute Methodologies (like extreme programming or similar), good luck with that. It will probably end in your colleagues defenestrating you...

Re:What the Hell are you talking about?

[SpinyNorman]

Go read up on the Capability Maturity Model (CMM) or ISO 9000 and come back when you have a clue.

You don't even need to formalize the process to that extent to make leaps and bound improvements on the hack-it-together and test it approach you are suggesting... At a minimal a decent software development process should have:

Requirements specifications & reviews
Design specifications & reviews
Test specificiations & reviews
Codng standards
Code reviews
Source control
Regression tests
Functional tests
Load tests

Re:Here's a revolutionary idea

[indifferent+children]

How much combined experience does the management team and board of this company have?

This argument is also known as "The Enron Gambit": those wildly successful guys who are raking it in hand-over-fist must know better than those of us who think that their business model makes no sense. They sure showed us.

So That's Why Instrument Software Sucks...

[fearofcarpet]

I've been a research scientist for, well, long enough and a computer nerd for a lot longer. I've always wondered how it is that a company can make a state-of-the-art piece of research equipment and then bundle it with a PC running Windows 95 with a serial interface and the worst, least intuitive, and most expensive software I have ever seen.

Now that I'm in charge of picking what we buy I make it a point to find companies that support Linux because it usually means they have a real software development team and that they don't outsource their development. (Jovin Yvon who bought up all their competitors were the worst at this, charging $5,000 to re-install their fluorimeter software, the installation CD for which they refused to sell based on "licensing" issues.). And I'm usually right.

Most recently I purchased a $70,000 high-speed InGaAs camera that came with Windows-only software (that wouldn't run in virtual machine either because it required low-level NIC access). They charged another $2,500 for the "intermediate" software package (which I have no problem with in itself) that had a bug in it. The bug? It wouldn't export movies longer than 10,000 frames, which at 1,000 fps is 10 seconds of video. It took them three months to get me a beta version of a different piece of software that would allow me to export longer movies.

Another company, which I love doing business with so I'll mention them here, EPIX Inc., makes less expensive high speed cameras, but develops their software in Java and releases Linux versions. The software is buggy--as is all instrument software--but I can actually call a real software developer on the phone and tell him/her what the problem is--imagine that!

Sorry for the rant, but this story makes it clear to me why instrument software is so terrible. The first major company that figures out how valuable intuitive, functional, cross-platform, (and for the love of god, not hardware-keyed) software that doesn't store data in some unholy proprietary format that physically ties people to the machine that the instrument is attached to just to process the data is... Ok, well the few companies (I'm looking at you Bruker) that have figured that out have staying power and brand loyalty in university research where as the others are used as pejoratives.

My erstwhile employer had a similar problem

[jimicus]

Let me tell you a little anecdote which was relayed to me by the IT manager at a previous employer.

When he came to the company, software quality had never been taken particularly seriously. They'd insourced IT where previously everything was handled by an outside company, presumably in the hope of getting better quality services for their money, but were seeing little benefit - mainly because the IT department was so busy implementing new features the business wanted they never had time to debug existing issues.

Helpdesk call levels were very high, the IT department wasn't particularly highly respected in the rest of the business and while the business probably did want less buggy software, they were always too busy chasing after the Next Big Feature to allow the IT department to concentrate on bugfixing.

So he went to the business (ie. the directors/senior management) and said "OK, here's a suggestion. We'll spend the next three months working on nothing but bugfixes. No new features. What glitches with the system are impacting your staff?". The business wasn't hugely keen on the idea of no new features for three months, but he was able to persuade them that the benefits of having more stable software outweighed this.

Three months later, the business was so impressed with the improvements that they asked if the IT department could spend another three months doing nothing but bugfixes.

Sometimes, the business needs a little poke from IT to understand how to get the best benefit from the IT department. Being able to recognise this and make a suitably diplomatic poke is what IT management is there for. If there isn't clear IT management in place to make such a poke - well volunteered.

Use the right language

[ebbe11]

...and that language is money.

Find out how much it will cost the business if the software stops working. Estimate the risk (number between 0 an 1) of this happening. Multiply these two numbers. The result in dollars is the amount of money your company will lose with certainty. Not maybe, with certainty.

software must be ready when product ships

[John_Sauter]

In most companies where software is not the main focus, the deadlines are for the main product and the software had better be done by that deadline. The software guys have nothing to say about the schedule.

I saw this effect first-hand at Digital Equipment Corporation. Although we did a lot of software, the corporate culture focused on hardware, so the software had to be ready when the hardware shipped. Fortunately, the software guys were generally able to get a prototype far enough in advance of "first customer ship" that it was possible to get the drivers written. From a software point of view the hardware documentation was sometimes lacking: once I recruited the assistance of an in-house field service guy to help me read the engineering drawings so I could figure out how to program a new device.

Garbage in, Gospel Out?

Unfortunately, software quality isn't even on most companies' radar. Until it exposes them to major losses like a balsa-wood skyscraper built next to the airport on the shores of the Petrol Sea.

Software has the disadvantage of being intangible and we all know that "Any kid can write software".

Any kid can bandage a cut, but that doesn't mean you want that kid doing a colonoscopy on you.

At some point the software industry is going to need to establish itself as a rigorous practice with rigorous standards. Not some silly cert that says you know Language-of-the-Week, but something along the lines of GAAP for accountants. I'm not holding my breath, though.

IF you happen to have - or be able to cultivate - the right social skills, take an active role. However, despite what the "don't like it, get-entreprenurial" crowd asserts, there are those of us who'll never be able to tolerate forcing their introverted personalities to assume an extroverted task on a long-term basis even with the best of counseling, self-help and medications. It can be wearying and it steals time energy from what we can do that the extroverts can't.

So if you aren't socially adept and don't see yourself swimming through office politics like Nemo, the best advice I can give is keep your resume up to date and network to whatever degree your social skills allow so you can bail before the tower collapses.

Then again, you can be Monty Hall and still come out of the losing side in the office, so keep the resume up to date anyway.

Get a test audit

[ArtistFrmrlyKnwnAsAC]

I write software for clinical researchers. From the summary description, sounds like the company has software that is part of their clinical quality system which is not being tested/validated. If the description is correct and the software is actually part of the clinical therapy they're selling, they should have an external auditing agency take a look at it before the FDA does.

The first time one of their products is audited by the FDA, the warning letter they receive will communicate to management exactly what is lacking in their compliance with FDA cGMP. Unfortunately, everyone from regulatory compliance down to the lowliest coder who had something to do with the products in question will share in the group spanking (been there).

I'd be shocked if they didn't already have a relationship with an auditing company--unless they're the tiniest of startups. If they do, the submitter should look through their last audit summary and see if anything has gone unaddressed, and if the scope of the audit matches the submitter's idea of the actual quality system for the product(s) in question.

Re:Plant a bug

[ilovegeorgebush]

It's hardly going to bring down the company (unless the company was in such dire straits that anything small could bring it down, in which case it's about time to leave), and may bring to the attention of the upper mucks of an important issue.

There are better ways of doing that, such as persevering, practicing what you preach (good development standards and approach), being firm with management about the issue.

I've been there and I feel your pain!

[eagee]

I've been in the same boat, and I feel your pain. Here are the things that helped me: 1. Adopt a methodology, if you're doing things ad-hoc you're going to pay for it long run. Check out "Heads First Object-Oriented Analysis and Design". Their ideas are perfect for the non-software company that writes software, and it's a fast/fun read. Even if you're not working with an OO toolkit, this is still an excellent approach. 2. Learn to make accurate estimates - this is *incredibly* important. If you're not used to doing this properly, I'd reccomend "Software Estimation - Demystifying the Black Art" by Steven McConnel. If you don't have the time to read that book, grab Construx estimate and learn to use that. It's free (there may be a fee for professional use, but you can learn with it first), and while a little quirky has a pretty effective system for developing a professional/fairly accurate estimate. 3. Grab "Wiley - AntiPatterns, Refactoring Software, Architectures, and Projects in Crisis". Not only is it an interesting read, but it offers some tried and true solutions for this kind of situation. 3. When scope creep attacks, ask your boss, "What don't you want me to do?" - This little question can quite clearly illustrate the cost of pushing features on developers. It's also the reason you need accurate time estimates based on specific feature sets, so you can back it up. 4. Remember that 9 women can't make a baby in 1 month. Don't let management throw more developers at a problem unless it makes sense. Having proper abstractions helps here. 5. Remember that you and the management have the same goal, and are really on the same team. Work with them, and help them understand what's possible. So, that's my $0.02. I hope it helps, and good luck!

what your company must do

[doubtintom]

Your explanation of your product/service sounds like a medical device. Assuming that is true, your company is surely registered with the FDA and is audited by them every two years or so.
The comments in this list about federal law requiring a quality system *including software quality procedures* are correct. There is no way out of this and the company has a tiger asleep in engineering. The reason the omission has not surfaced is that FDA's budget has prevented them from auditing deeply enough - yet. They haven't been able to send auditors with enough software background to be able to detect the absence of the expected levels of software QA. They definitely have the qualified people, just not enough of them.
An additional reason could be that the product/service has not hurt anyone, or if so, the incident(s) have not been reported - which is another federal law incumbent on the manufacturer AND the hospital/clinic/doctor. FDA audits and warnings can come any time if enough of these reports stack up. Or if the docs send them in and the company does not.
Even if the code is really good and no medical problems have come up, that will not stop FDA from pulling your product off the market if they find you non-compliant with their regulations.
So the company has 'enjoyed' a prototyping phase. Once the management has read the FDA regulations on the personal liability of the company officers, they will probably want to get started with the formal software QA system right away. It doesn't have to be completed overnight. But when/if FDA look deeply enough into your company, you would want them to find records of your diligent work in building up the software QA procedures and practice in an ongoing and steady way. And doing the right things first.

Create two presentation slides

[HikingStick]

SLIDE A:

1) We create software.
2) Software is used in medical devices.
3) We forego QA and industry best practices for software development.
4) Something goes wrong.
5) We get sued AND we lose (to the five-nines sure).
6) Change #1 to "Update resume".

SLIDE B

1) We create software.
2) Software is used in medical devices.
3) We follow industry best practices for software development and have a solid QA program.
4) Something goes wrong (yes, it still happens).
5) We get sued.
6) Our controls and best practices are a reasonable defense.

relate it to legislation / federal regulations

[spasm]

One route to making people serious about IT processes is to relate it to relevant federal regulations.

For example, we've been doing work that will eventually involve us as a partner in upcoming clinical trials. There's a bunch of federal regulations about IT processes connected to clinical trials, and it has been easy to get management to accept that while our current processes can be as ad-hoc as we like, at some point having compliant processes will be essential to continuing the work we do, so we may as well get it right the first time rather than have to reimplement years worth of ad-hoc development somewhere down the track.

In my case, one trivial example has been being able to implement gpg signing of documents as a consequence of setting up the infrastructure to be able to be quickly compliant with 21 CFR 11, which we'd need to do if we're part of a clinical trial.