Fundamental Principles of Good System Design
A. Terry Bahill, PE, University of Arizona
Rick Botta, BAE Systems
Abstract: This article presents dozens of fundamental principles of good system design that should help make a product better. Not surprisingly, many of these same principles will help make a product reusable in a new system and will help reduce redesign costs when requirements change. These principles apply to simple systems and complex systems. These principles come from hardware, software, system, and test design, but they are general and many can be applied in a large variety of fields (even non-engineering fields).

Keywords: System Design, Reuse, Requirements, Systems of Complex Systems

EMJ Focus Areas: Systems Engineering

Design is a creative activity—consequently, there is no process that will guarantee good designs, but there are some principles that will increase the probability of getting a good design. This article presents dozens of fundamental principles of good system design that should help make a product better. Using these principles will also make a product more reusable for future systems and it will help reduce redesign costs when requirements change. Of course, the customer may mandate or exclude the use of some or all of these principles. Some of these principles are as follows:
• Use models to design systems
• Use hierarchical, top-down design
• Work on high-risk items first
• Prioritize
• Control the level of interacting entities
• Design the interfaces
• Produce satisficing designs
• Do not optimize early
• Maintain an updated model of the system
• Develop stable intermediates
• Use evolutionary development
• Understand your enterprise
• State what, not how
• List functional requirements in the use cases
• Allocate each function to only one component
• Do not allow undocumented functions
• Provide observable states
• Rapid prototyping
• Develop iteratively and test immediately
• Create modules
• Create libraries of reusable objects
• Use open standards
• Identify things that are likely to change
• Write extension points
• Group data and behavior
• Use data hiding
• Write a glossary of relevant terms
• Envelope requirements
• Create design margins
• Design for testability
• Design for evolvability
• Build in preparation for buying
• Create a new design process
• Change the behavior of people

These design principles come from the experience of hundreds of engineers and managers. The particular references cited in the following paragraphs are not meant to be the authority—they are merely examples that have references in the literature.

Use models to design systems: System design can be requirements based, function based, or model based. Model-based system engineering and design has an advantage of executable models that improve efficiency and rigor. One of the earliest developments of this technique was Wymore’s (1993) book entitled Model-based System Engineering, although the phrase “model-based system design” was in the title and topics of Rosenblit’s (1985) PhD dissertation. Model-based systems engineering depends on having and using well-structured models that are appropriate for the given problem domain (Bahill and Szidarovszky, 2008). Bahill’s models start with the use cases.

Use hierarchical, top-down design: Early on, translate the customer’s needs into goals, capabilities, and functions; these provide guidance for all future development. Work on high-level functions first because, although high-level functions are less likely to change, when they do change, they force changes in many other functions. Decompose systems into subsystems, subsystems into sub-subsystems, etc. (Chapman and Bahill, 1992). In software, this decomposition is called layered architecture (Evans, 2004). Implementation is simpler if the dependencies and action initiations between these layers are unidirectional.

Work on high-risk items first: Work on high-risk items first in order to reduce risk; in addition, high-risk items are more likely to change, thereby producing changes in other entities, so working the high-risk items first will reduce the rework due to changing requirements. Furthermore, if it was impossible to satisfy the high-risk capabilities and the project was cancelled, you will have saved the money that otherwise would have been squandered satisfying low-risk requirements (Jacobson, Booch, and Rumbaugh, 1999). The original spiral model of Boehm (1988) advocated risk-driven development.
Refereed management tool manuscript. Accepted by Associate Editor John Farr.
Engineering Management Journal Vol. 20 No. 4 December 2008 9
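The layering rule stated under “Use hierarchical, top-down design” (and the companion rule under “Control the level of interacting entities” that objects should only interact with the same level or one level above or below) can be checked mechanically once each component has been assigned a level. The following is an added example written for this page, not code from the article or its authors; the component names, their levels and the dependency list are all constructed for the illustration.

```python
"""Added example, not from the article: a check that a layered design only
lets components interact with the same level or one level above or below,
and that interlevel dependencies stay unidirectional. Component names,
levels and dependencies are constructed for the illustration."""

# Constructed sample: level 0 is the system, 1 its subsystems, 2 sub-subsystems.
LEVELS = {
    "flight_control": 0,
    "navigation": 1,
    "propulsion": 1,
    "gps_receiver": 2,
    "imu": 2,
    "fuel_pump": 2,
}

# Constructed sample: directed "uses" relationships (caller -> callee).
DEPENDENCIES = [
    ("flight_control", "navigation"),
    ("flight_control", "propulsion"),
    ("navigation", "gps_receiver"),
    ("navigation", "imu"),
    ("propulsion", "fuel_pump"),
    ("flight_control", "imu"),     # reaches two levels down: a violation
    ("fuel_pump", "propulsion"),   # upward edge opposite propulsion -> fuel_pump
    ("gps_receiver", "imu"),       # same level: allowed
]


def find_level_violations(levels, deps):
    """Dependencies that span two or more levels of the hierarchy."""
    return [(a, b) for a, b in deps if abs(levels[a] - levels[b]) >= 2]


def find_bidirectional_pairs(levels, deps):
    """Pairs of components on different levels that depend on each other in
    both directions, i.e. interlevel interactions that are not unidirectional."""
    edges = set(deps)
    pairs = {tuple(sorted((a, b))) for a, b in deps
             if levels[a] != levels[b] and (b, a) in edges}
    return sorted(pairs)


def audit_layering(levels, deps):
    """Run both checks and report whether the design passes."""
    skips = find_level_violations(levels, deps)
    loops = find_bidirectional_pairs(levels, deps)
    return {"level_violations": skips, "bidirectional": loops,
            "ok": not skips and not loops}


if __name__ == "__main__":
    report = audit_layering(LEVELS, DEPENDENCIES)
    for edge in report["level_violations"]:
        print("skips a level: %s -> %s" % edge)
    for pair in report["bidirectional"]:
        print("two-way interlevel dependency: %s <-> %s" % pair)
```

Run against a real dependency graph (extracted from a build system or import scanner), the first check is what keeps a top-level component from reaching past a subsystem’s interface straight into a low-level component and thereby bypassing whatever validation the intermediate layer enforces; the second catches the upward calls that turn a layered design into a tangle that is hard to change one layer at a time.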
Prioritize: Requirements, goals, customer needs, capabilities, risks, directives, initiatives, issues, activities, features, functions, use cases, technical performance measures, and weights of importance for the criteria in tradeoff studies should all be prioritized. Prioritization will help with budget, schedule, system architecture, customer satisfaction, and risk reduction (Botta and Bahill, 2007).

Control the level of interacting entities: Objects should exchange inputs and outputs with other objects at the same level, or perhaps at one level above or below (Bahill, Szidarovszky, Botta, and Smith, 2008). It is a mistake to have objects interact with objects two or more levels above or below (Simon, 1962). Some interlevel interactions may be specified as unidirectional (Evans, 2004); this simplifies the implementation.

Design the interfaces: Be sure to design your interfaces (Quintanar, 1999; Rechtin, 2000). Interfaces between subsystems and interfaces between the main system and the external world must be designed. Subsystems should be defined along natural boundaries. When the same information travels back and forth among different subsystems, a natural activity may have been fragmented. In the automobile industry, they do not build a car frame, send it across town to install the motor and then send it back to put on the axles and wheels. Subsystems should be defined to minimize the amount of information exchanged between the subsystems (Rechtin, 2000). Well-designed subsystems send finished products to other subsystems. Another way of stating this is to minimize the coupling between subsystems. Interfaces should connect things of similar levels (Bahill, Szidarovszky, Botta, and Smith, 2008). Feedback loops around individual subsystems are easier to manage than feedback loops around interconnected subsystems. When possible, different entities should use the same interface, rather than having a specialized interface for each entity (Schultz, Fricke, and Igenbergs, 2000). Browning (2002) uses a design structure matrix to analyze and modify the interfaces in a process. Special care should be given to interface design so that the interface does not have to change when its associated systems change. The name and the brief description of the interface should proclaim its intention.

Produce satisficing designs: Engineers should create satisficing designs—they should not try to produce optimal designs because for complex systems it is impossible to do. Simon (1957) says that the key to successful design is “the replacement of the goal of maximization with the goal of satisficing, of finding a course of action that is ‘good enough.’ ... Since the [designer] ... has neither the senses nor the wits to discover an ‘optimal’ path—even assuming the concept of optimal to be clearly defined – we are concerned only with finding a choice mechanism that will lead it to pursue a ‘satisficing’ path, a path that will permit satisfaction at some specified level of all its needs.”

Do not optimize early: If optimization is absolutely required, do it late in the design process. If you optimize early in the design process, you will have to reoptimize every time the design changes. At the risk of being too specific, we suggest that optimization should not be done before Critical Design Review (CDR). This does not mean that you should not strive to find a good architecture early in the design process. It means do not use integer programming to minimize part counts or wire lengths before CDR. It means do not use optimization methods for routing problems on networks with stochastic failures before CDR.

Maintain an updated model of the system: Engineering must create a model that simulates the intended system at every level from both the business and technical viewpoints (Bahill, Botta, and Daniels, 2006). A single model should underlie analysis, design, implementation, and team communication (Evans, 2004). Update this model throughout the design process (Douglas, 2004). Update this model to “as built” in the implementation phase and “as modified” in the test, operational, and retirement and replacement phases. When the requirements inevitably change, engineering should review all decisions, revise the system model, rerun all simulations, and show the effects of these requirement changes on cost, schedule, performance, risk, and the designs of other systems (Wymore, 2004).

Every operational system should have an accurate model. This model should be run to evaluate performance enhancements and possible disasters. If the system is a regional electric power grid and it has been suggested that its capacity could be increased by adding solar and wind generators, then the system performance should be evaluated on the model before it is installed on the real system. If the system is a large building, and evacuation is being considered because a hurricane is approaching, then run the model to estimate possible hurricane damage. Every Interstate highway bridge should have a model that degrades as the bridge degrades. When the model predicts a dangerous situation, the bridge should be shut down. When a nuclear reactor is to be decommissioned, its model will be run to help formulate the decommission plan.

Develop stable intermediates: “A large change is best made through a series of smaller, planned, stable intermediate states” (Rechtin, 2000). These intermediate states should be stable enough that the progression could be stopped at predetermined points. With stable intermediates, if a large complex system is cancelled, for example because of loss of political support, then something useful for mankind will still exist. The Central Arizona Project was designed this way, but the Superconducting Super Collider in Texas was not (Moody, Chapman, Van Voorhees, and Bahill, 1997).

Use evolutionary development: The Department of Defense (DoD) created the evolutionary acquisition process. Using it, you create a usable system and later add requirements and money to get a more complex usable system (DoD 5000.1). The B-52 airplane is a quintessential example: every half-dozen years the Air Force added requirements and money and got new capability.

Understand your enterprise: Understand how the system you are designing fits into your enterprise. Frameworks help people organize and assess completeness of integrated models of their enterprises. Several popular frameworks have been used to architect enterprises. The Zachman framework, like many others, considers multiple perspectives and multiple aspects of an enterprise (Bahill, Botta, and Daniels, 2006).

State what, not how: State what function needs to be performed, not how to implement the solution. For example, you should say, “Play music.” Do not say, “Play a CD,” or “Hire a pianist,” or “Turn on the radio and tune in a music station.” In the object-oriented software world, this is called polymorphism (Rumbaugh, Jacobson, and Booch, 2005); however, one man’s floor is another man’s ceiling. First, state what the customer needs. Then figure out how to satisfy this need. This “how” then becomes a system feature. State what this feature must do. Then figure out how to implement it. This implementation then becomes a requirement that states what the system must do, etc.

List functional requirements in the use cases: Traditional requirements are typically written with textual statements of
imperative. They are the primary means by which systems engineers bound and communicate system functions, capabilities, and constraints. The rapid adoption of use case modeling for capturing functional requirements in the software community has caused systems engineers to adopt use case models for capturing system-level functional requirements. We advocate a hybrid requirements process in which use case modeling and traditional shall-statement requirements are applied together to effectively express both functional and non-functional requirements (Daniels and Bahill, 2004). The use cases should contain the main and alternate scenarios. These describe the system functions. The next section of the use case should formally describe the functional requirements.

Allocate each function to only one component: Each function should be allocated to only one physical component, and, therefore, each function would have only one owner. If there were two owners for a function, one might change his or her requirements, and this would change the system for the other. In the object-oriented world, this would be phrased as, “Do not allow multiple actors to have the same role” (Övergaard and Palmkvist, 2005). If two actors are trying to assume the same role, generalize them into one abstract actor. There are exceptions to this principle, but they are unusual. Violation of this principle is captured in the American proverb, “Too many cooks spoil the soup.” In the 20th century, the functions of gathering intelligence and tracking terrorists were allocated to the FBI, the CIA, the NSA, the Pentagon, etc. Until 9/11/01 the results were mixed. This principle is discussed in more detail in Appendix A.

Do not allow undocumented functions: Do not hide the existence of system functions. Make sure that all system functions are identified and described appropriately. Undocumented functions can exist due to developmental testing activities, accidents, playfulness, or malicious intent. The PDP 11-45 computer had secret op codes. Microsoft Excel 97 had a built-in flight simulator. Thousands of such Easter eggs are documented at http://www.eeggs.com/tree/1-1-111.html. Don’t try this at home, but starting a line with “=rand(200,99) (Enter)” (excluding the quotes) in a Word document or a PowerPoint presentation, will give you 235 pages of “The quick brown fox jumps over the lazy dog,” and perhaps a computer crash.

Provide observable states: System equivalence cannot be proven using input/output behavior. State behavior must be used to prove equivalence of dynamic systems (Wymore and Bahill, 2000). It would be best to provide the total system state, but it would still be useful to provide only a significant number of reset states or restore points (Botta, Bahill, and Bahill, 2006). Providing states will allow future designers to reuse existing systems, upgrade systems, use commercial off the shelf products, replicate field failures, verify that a physical system conforms to its design, and verify evolving systems (Wymore and Bahill, 2000; Botta, Wuersch, and Bahill, 2004). It will also allow them to find a system mode behavior function that can be placed in front of the input to the system being reused in order to produce the desired new system behavior (Wymore, 1993).

Accelerometers from automobile air bag systems can be reused as g-switches in missile safing systems if the states are observable. If the only indication the accelerometer gives is Fired or NotFired, then they are not reusable. But the state of the accelerometer can be defined as the g-force being measured. If this g-force can be observed, then they can be reused in missiles.

Rapid prototyping: Develop a prototype quickly. Get the stakeholders to use it. This will identify the true needed capabilities of the system. This is particularly useful when delving into unfamiliar design areas. The first prototype is often discarded, particularly in software systems.

Develop iteratively and test immediately: Build a large-scale system by constructing it as a series of smaller products of increasing completeness. Because the early entities are small, it is easier to get them right and testing can be completed immediately (Douglas, 2004).

Create modules: Design the system with many small independent but interacting modules (Parnas, 1972). The principle of independence means that changing one module should not force changes in other modules (Suh, 1990). Good examples are the modules of the Unix (or Linux) computer operating system and the libraries of Java. Modules should have low external complexity (loose coupling) and high internal complexity (strong cohesion) (Schultz, Fricke, and Igenbergs, 2000).

Create libraries of reusable objects: Patterns are example solutions for doing common things. There are many books with software patterns (see, for example, Fowler, 2004) and some with use case patterns (Övergaard and Palmkvist, 2005); however, this library principle is not restricted to software and use cases. For example, a company could create 100 generalized evaluation criteria (measures of effectiveness) that could be tailored and used in company tradeoff studies. Each criterion would contain the name of the criterion, description, weight of importance (priority), basic measure, units, measurement method, input (with expected values or the domain), output, and scoring function (type and parameters) (Daniels, Werner, and Bahill, 2001). This criterion library would form the nucleus of a tradeoff study, but many customized criteria would be added. This particular library should be a part of the company CMMI DAR process (Chrissis, Konrad, and Shrum, 2003). Libraries could also be created for generic requirements.

Use open standards: Open standards are publicly available specifications for achieving a specific task. Open standards are available for all to read and implement. Examples of open standards include ANSI/EIA-632, ANSI/EIA 731, IEEE 1220, ISO 15288, UML, SysML, OMG IDL, CORBA and USB. In contrast, proprietary standards are controlled by a single entity. Java Server Faces can be the interface between HTML code and logic code. The Java Server Faces is a mass-market product that is highly scalable, but it is still controlled by a single commercial entity, likewise with Microsoft’s Source Code Control Interface (SCCI) Specification.

Identify things that are likely to change: Differentiate between aspects of a system that are likely to change and those that are likely to remain relatively constant. Identify the aspects that are likely to change and put extra effort into designing their interfaces. For example, an air transportation system will always have functions such as load people, load luggage, take-off, land, and comply with FAA regulations. It also has entities that are sure to change such as the type of aircraft, speed, size, routes, and cargo capacity. The system should be designed to accommodate changes in the things that are likely to change (Evans, 2004). For example, the processing speed of computers is expected to increase; therefore, hardware and software should be designed so that changes are not necessary when processor speeds do increase.

Write extension points: In use cases use extension points where change is expected (Cockburn, 2001; Kulak and Guiney, 2000; Övergaard and Palmkvist, 2005). That way the base use case does not need to be changed when the extending use case is changed.
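The principle “Do not allow undocumented functions” above is one that can be enforced rather than merely asked for: the entry points a component actually exposes can be compared against the entry points its interface document lists, so that leftovers from developmental testing, accidents or playfulness surface before delivery. The following is an added example written for this page, not code from the article or its authors; the sample module, its functions and the documented interface are all constructed for the illustration.

```python
"""Added example, not from the article: auditing a component's public
entry points against its documented interface. The module, its functions
and the documented interface are all constructed for this illustration."""
import types


def build_sample_module():
    """Constructed sample: a small module with one leftover from testing."""
    mod = types.ModuleType("thermostat")

    def set_target(celsius):
        """Set the target temperature in degrees Celsius."""
        return float(celsius)

    def read_temperature():
        """Return the last measured temperature."""
        return 21.5

    def _debug_dump():
        # Leading underscore marks it internal; it is not a public entry point.
        return "internal"

    def factory_reset_all():
        # Hypothetical leftover from developmental testing, never documented.
        return "reset"

    for fn in (set_target, read_temperature, _debug_dump, factory_reset_all):
        setattr(mod, fn.__name__, fn)
    return mod


# Constructed sample: the entry points the interface document describes.
DOCUMENTED_INTERFACE = {"set_target", "read_temperature"}


def public_functions(module):
    """Names of callables reachable by a user of the module (no leading underscore)."""
    return {name for name, obj in vars(module).items()
            if callable(obj) and not name.startswith("_")}


def audit_interface(module, documented):
    """Compare what the module exposes with what is documented.

    Returns a dict with three sorted lists:
      undocumented  - public functions the documentation does not mention
      missing       - documented functions the module does not provide
      no_docstring  - public functions carrying no description at all
    """
    actual = public_functions(module)
    return {
        "undocumented": sorted(actual - set(documented)),
        "missing": sorted(set(documented) - actual),
        "no_docstring": sorted(n for n in actual
                               if not (getattr(module, n).__doc__ or "").strip()),
    }


if __name__ == "__main__":
    print(audit_interface(build_sample_module(), DOCUMENTED_INTERFACE))
```

An undocumented function is not only a maintenance problem: it is functionality that no reviewer, tester or operator knows to exercise or to restrict, which is why an inventory check of this kind belongs in the build rather than in a one-off review. The same comparison works for any enumerable interface, such as the commands a service accepts or the op codes a processor decodes, once the documented set is written down.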
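The accelerometer example under “Provide observable states” above can be made concrete in code: one design reports only the outcome of its own decision (Fired or NotFired), the other exposes the measured g-force as state, and only the latter can be reused as a g-switch by placing a new behavior function in front of that state. The following is an added example written for this page, not code from the article or its authors; the class names, thresholds and acceleration profile are hypothetical.

```python
"""Added example, not from the article: why an observable state makes a
component reusable. Class names, thresholds and readings are hypothetical."""

AIRBAG_THRESHOLD_G = 50.0       # hypothetical firing threshold for the air-bag use
MISSILE_ARM_THRESHOLD_G = 20.0  # hypothetical arming threshold for the g-switch use


class FiredOnlyAccelerometer:
    """Exposes only the result of its internal decision: Fired or NotFired.
    The measured g-force is lost, so no other threshold can ever be applied."""

    def __init__(self):
        self._fired = False

    def sample(self, g_force):
        if g_force >= AIRBAG_THRESHOLD_G:
            self._fired = True
        return "Fired" if self._fired else "NotFired"


class ObservableAccelerometer:
    """The same sensor, but its state (the measured g-force) is observable."""

    def __init__(self):
        self.g_force = 0.0

    def sample(self, g_force):
        self.g_force = g_force
        return self.g_force

    def fired(self):
        """The original air-bag behavior, now just one function of the state."""
        return self.g_force >= AIRBAG_THRESHOLD_G


class GSwitch:
    """Reuses the observable sensor with a different behavior function applied
    to its state: arm at a lower threshold, and latch once armed."""

    def __init__(self, sensor, threshold):
        self.sensor = sensor
        self.threshold = threshold
        self.armed = False

    def update(self, g_force):
        self.sensor.sample(g_force)
        if self.sensor.g_force >= self.threshold:
            self.armed = True
        return self.armed


def run_profile(readings):
    """Feed one acceleration profile to both designs.
    Returns (fired_only_result, g_switch_armed)."""
    fired_only = FiredOnlyAccelerometer()
    g_switch = GSwitch(ObservableAccelerometer(), MISSILE_ARM_THRESHOLD_G)
    last = None
    for g in readings:
        last = fired_only.sample(g)
        g_switch.update(g)
    return last, g_switch.armed


# Constructed sample: a launch profile peaking at 30 g, never reaching 50 g.
LAUNCH_PROFILE = [0.0, 5.0, 18.0, 30.0, 25.0, 10.0]

if __name__ == "__main__":
    print(run_profile(LAUNCH_PROFILE))  # ('NotFired', True)
```

The same profile leaves the Fired-only device silent, because 30 g never crosses its built-in 50 g threshold, while the g-switch built on the observable sensor arms at 20 g. The exposed state is also what lets a test bench replicate a field failure or verify that the physical device matches its model, which is the other benefit the principle claims.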
Group data and behavior: Group together data and the behavior (logic) that operates on it, because data and the behavior that accesses that data often change together (Fowler, 2004). Software accomplishes this with header files and with class diagrams that have attributes (data) and operations (behavior). Hardware accomplishes this with distributed control where each board has a processor and memory.

Use data hiding: Hide data from objects that do not have “a need to know” (Parnas, 1972). That way if the data structure is changed, the other objects do not have to be notified about the change. This principle is also called information hiding and function hiding (Gomaa, 2000). In the UML, model elements such as attributes and operations can be marked with one of these visibility indicators: public, protected, private, or package. In public documents, describe the interfaces and only the public functions and data. This principle has nothing to do with security—its purpose is simply to improve the efficiency of making changes. Architecture hierarchies and levels also influence data hiding.

Write a glossary of relevant terms: Collect terms used in the domain and design models and provide definitions. Capture the jargon of the domain experts. Include names of functions, classes, methods, modules, and high-level organizing principles. Evans (2004) calls this collection of terms a ubiquitous language.

Envelope requirements: Estimate requirements top-down and fill in details later, e.g., we need to test (measure) a DC voltage that surely will be less than 40 volts. Later we find that it will probably be between 5 and 20 volts. Finally, we get a specification of 12±2 volts. This principle does more to ameliorate changing requirements than to promote reuse.

Create design margins: If your estimated need is two Gigahertz of bandwidth, specify four. But this is expensive: if everyone did this, the system would be gold-plated. It is better to give all of the flexibility in cost, schedule, and performance to the program manager and allow him or her to distribute it across the project. This principle is treated in detail in Appendix B.

Design for testability: Early in the design process, it should be determined how the system will be tested. The architecture should be selected to enable built-in self-test (BiST). BiST can be triggered externally or it can be performed whenever the system is not busy performing its normal functions (O’Conner, 2001).

Design for evolvability: The capacity of an existing system to successfully adapt to changing requirements throughout its life cycle is called evolvability (Christian and Olds, 2005). A system can adapt to change by reconfiguring existing system entities, by increasing the size of existing system entities, or by adding new entities. Often design, development, and testing take multiple years. Technologies can change during that period. Designs should have adequate flexibility and adaptability to take advantage of this fact rather than fighting it. The classic example is Motorola’s satellite phone system that was made obsolete by cell phone technology before it was completed.

In designing the Boeing 747 airliner, the engineers designed weight growth capability into the airplane by giving it bigger wings and tail surfaces than it initially needed. The landing gear was more robust than needed and it was designed so that gear that is more capable could be substituted without the expense of a major redesign. This allowed a dozen different versions of the 747 to be built over 30 years (Sutter, 2006).

Build in preparation for buying: If a commercial off the shelf (COTS) product that suits your needs is available, then of course you should prefer to use it rather than develop a new product in-house. But if a COTS product is not available, then build a custom product, and monitor the market place: when a COTS product becomes available, switch to that COTS product. In hardware, sometimes the contractor will use commercial grade products while waiting for military standard parts to come along.

Create a new design process: When using a significant amount of COTS products, you must change your design process. These are some of the new activities that must be performed:
• Search the marketplace for candidate COTS products and technologies.
• Work with the customer in early project phases to refine the customer needs statement and get high-level, flexible objectives, instead of extensive requirements lists.
• Iteratively negotiate the requirements and the architecture with the customer.
• Change contracting so that funding for upgrades and marketplace research does not end with the project’s period of performance.
• Create a satisficing design that may not meet all of the requirements, but one that provides the high priority capabilities and satisfies the customer’s operational needs.
• Create test procedures that will be reused in the Operation and Maintenance phase of the system life cycle whenever upgrades or new COTS products are brought into the system.
• Plan for insertion of upgrades and technologies throughout the system life cycle.
• Continually search the marketplace for upgrades and new products that can replace existing COTS products, particularly in the Operation and Maintenance phase.

Choosing to design with a significant amount of COTS products is a decision that should not be made lightly. Indeed the BAE Systems’ COTS-Based Engineering package already has a dozen documents containing three Megabytes of text.

Change the behavior of people: Finally, as a last resort, you can try to change bureaucracy and human nature so that you get stable requirements up-front. You can also try to change people to get rid of the Not Invented Here attitude. But good luck.

Systems of Complex Systems
More and more systems are now being composed of a multitude of complex systems. A system of systems is a large complex system that is composed of other large complex systems. (Systems composed of simple systems are not difficult to deal with and are not considered here.) First, the system of systems must be a system, meaning it must have states and inputs that are transformed by functions into outputs. Next, each of the constituent systems must be a system in its own right, meaning it must have states and inputs that are transformed by functions into outputs. The constituent systems must be able to function on their own as totally independent systems; therefore, all of the principles of good design that were presented in this article apply to the design of the constituent systems. Now, which of these principles applies to the high-level system of systems? Exhibit 1 shows the principles that might not.

The Department of Defense Architecture Framework (DoDAF) was created to help with the design of systems of systems. The DoDAF has the following four views of a system of systems:
• Operational View (OV): A description of the tasks, activities, operational elements, and information exchanges required to accomplish DoD missions
• Systems View (SV): A description of systems and interconnections supporting DoD functions
• Technical Standards View (TV): Standards and rules governing arrangement, interaction, and interdependence of system parts or elements, whose purpose is to ensure that a conformant system satisfies a specified set of requirements
• All View (AV): Information pertinent to the entire architecture; AV products set the scope and context of the architecture

The DoDAF, however, is not a design process. It is missing the following design artifacts: customer requirements, derived requirements, system test, system validation, concept exploration, tradeoff matrix, sensitivity analysis, schedule, budget, technical analysis, and risk management. Entities like these would have to be included in the design of the constituent systems, but it is possible that they could be omitted (as suggested by DoDAF) for the design of a system of systems.

Exhibit 1. Principles That Might Not Apply to the Design of Systems of Complex Systems

Principle | The reason why the principle might not apply
Use hierarchical, top-down design | Maybe system of systems design should be top-down. But presently most system of systems design is bottom-up, because usually the constituent systems (or at least their designs) already exist.
Write extension points; Group data and behavior; Use data hiding; Envelope requirements; Create design margins | System of systems design is not likely to get down to this level of detail. The design of the individual systems will get to this level, but the system of systems design will not.
Build in preparation for buying; Change the behavior of people | This will not work for systems of systems.

Design for Reuse
We can design new systems better, faster, and cheaper if we correctly reuse previously developed products. (Of course, this only applies if you do the job correctly; i.e., you should not reuse computer code, you should reuse software models.) These products might have been developed in-house or they might be commercial off the shelf. There are several facets to design for reuse: (1) refining customer needs and negotiating system requirements with the customer, (2) selecting and evaluating potential reuse products, (3) technology planning and insertion, (4) product lifecycle planning, and (5) designing products so they are more reusable. This article concerns the 5th topic—design for reuse. Designing systems with increased probability of reuse is not free – it requires extra effort and cost. This produces another facet of the design for reuse process—convincing your boss or customer that it is worth the extra cost to design a system for increased probability of reuse. This facet is beyond the scope of this article.

Summary
This article has presented dozens of principles of good design. Of course they would not all be applicable on all programs. Surprisingly, none contradict each other. If care is not taken, the principle of “Develop iteratively and test immediately” could confound the principles of “Use hierarchical, top-down design” and “Work on high-risk items first.” But in a careful design, the high-level or high-risk items would be decomposed into smaller modules that could be tested immediately. Similarly, “Design for testability” and “Design for evolvability” are not contradictory, they are orthogonal. There are no other obvious interactions between these principles.

Some of these principles are just good design principles—they will help with reuse, changing requirements, testability, and evolvability, whereas others primarily ameliorate changing requirements, increase reuse potential, or enhance evolvability. Exhibit 2 shows these principles and indicates for which facets they are most applicable; however, the Xs should not be crisp—they should be fuzzy. The right column indicates principles that are likely to impact the short-term cost of the system, but, of course, the tradeoff between short-term cost and customer value is a complex issue (Browning, 2003).

The principles of good design that were presented in this article were specific, concrete, low-level suggestions for design. We did not cover basic system engineering principles such as stating the problem, discovering requirements, doing tradeoff studies (Pugh, 1991; Daniels, Werner, and Bahill, 2001; Smith, Son, Piattelli-Palmarini, and Bahill, 2007), configuration management, sensitivity analyses (Smith, Szidarovszky, Karnavas and Bahill, 2008), etc. Of course, these other activities must be done, but they are covered adequately in other publications (INCOSE, 2004). Examples of failures that result from violating these system design principles are also given elsewhere (Bahill and Henderson, 2005).

Most engineers and managers are probably familiar with the principles of good design that were presented in this article. We think that presenting them all in one place can serve as a checklist, to make sure they are all considered in designing systems.

Exhibit 2. Facets for Which Each Design Principle is Most Appropriate
The uppercase X means the principle has a great effect, the lowercase x means the principle has a large effect, the dollar sign means using the principle will cost money.

Principle   Reuse Potential   Changing Requirements   Evolvability   Good Design   Impact Cost?
Use models to design systems x x X
Use hierarchical, top-down design X
Work on high-risk items first X
Prioritize x X
Control the level of interacting entities X
Design the interfaces X
Produce satisficing designs X
Do not optimize early X
Maintain an updated model of the system X $
Develop stable intermediates x X x
Use evolutionary development X $
Understand your enterprise X x $
State what, not how X
List functional requirements in the use cases x X $
Allocate each function to only one component x X
Do not allow undocumented functions x X
Provide observable states x x X $
Rapid prototyping x X $
Develop iteratively and test immediately x X
Create modules X X
Create libraries of reusable objects X $
Use open standards X x
Identify things that are likely to change x X
Write extension points x X
Group data and behavior X
Use data hiding X
Write a glossary of relevant terms x X $
Envelope requirements X
Create design margins X $
Design for testability X $
Design for evolvability X $
Build in preparation for buying X $
Create a new design process X $
Change the behavior of people X $

Acknowledgment
This article was supported by AFOSR/MURI F49620-03-1-0377. We thank Bob Sklar and Greg Shelton for comments on design margins.

References
Bahill, A. Terry, Rick Botta, and Jesse Daniels, “The Zachman Framework Populated with Baseball Models,” Journal of Enterprise Architecture, 2:4 (November 2006), pp. 50-68.
Bahill, A. Terry, and Steven J. Henderson, “Requirements Development, Verification, and Validation Exhibited in Famous Failures,” Systems Engineering, 8:1 (2005), pp. 1-14.
Bahill, A. Terry, and Ferenc Szidarovszky, “Comparison of Dynamic System Modeling Methods,” Systems Engineering
published on paper 37:5 (October 2008), pp. 553-571.
Boehm, Barry W., “A Spiral Model of Software Development and Enhancement,” Computer, 21:5 (1988), pp. 61-72.
Botta, Rick, and A. Terry Bahill, “A Prioritization Process,” Engineering Management Journal, 19:4 (2007), pp. 20-27.
DOI 10.1002/sys20118, published online (October 3, 2008). Botta, Rick, Zach Bahill, and A. Terry Bahill, “When are
Bahill, A. Terry, Ferenc Szidarovszky, Rick Botta, and Eric Smith, Observable States Necessary?” Systems Engineering, 9:3
“Valid models require defined levels,” International Journal (2006), pp. 228-240.
of General Systems, published electronically, iFirst 37: Botta, Rick, William Wuersch, and A. Terry Bahill, “The Need for
(March 2008), pp. 1-20, DOI: 10.1080/03081070701395807, Observable States Affects the Make-Reuse-Buy Decision,”
14 Engineering Management Journal Vol. 20 No. 4 December 2008
Proceedings of the 14th Annual International Symposium of Pugh, Stuart, Total Design, Addison-Wesley (1991).
the International Council on Systems Engineering (INCOSE), Quintanar, Gerard J., “An Age of Interfaces,” Distributed
(June 2004), \content\papers\533.pdf. Computing, (November 1999), pp. 15-18.
Browning, Tyson R., “Process Integration Using the Design Structure Rechtin, Eberhardt, Systems Architecting of Organizations: Why
Matrix,” Systems Engineering, 5:3 (2002), pp. 180-193. Eagles Can’t Swim, CRC Press (2000).
Browning, Tyson R., “On Customer Value and Improvement in Rumbaugh, James, Ivar Jacobson, and Grady Booch, The Unified
Product Development Processes,” Systems Engineering, 6:1 Modeling Language Reference Manual, 2nd Edition, Addison-
(2003), pp. 49-61. Wesley (2005).
Chapman, William L., A. Terry Bahill, and A. Wayne Wymore, Schultz, Armin P., Ernst Fricke, and Eduard Igenbergs,
Engineering Modeling and Design, CRC Press (1992). “Enabling Changes in Systems Throughout the Entire
Christian, John A., and John R. Olds, “A Quantitative Methodology Life-Cycle - Key To Success?” Proceedings of the 10th
for Identifying Evolvable Space Systems,” 1st Space Exploration Annual International Symposium of the International
Conference, (January 2005) AIAA 2005-2543. Council on Systems Engineering (INCOSE), (July 2000),
Chrissis, Mary Beth, Mike Konrad and Sandy Shrum, CMMI: pp. 599-607.
Guidelines for Process Integration and Product Improvement, Simon, Herbert A., Models of Man: Social and Rational, Wiley
Pearson Education Inc. (2003). (1957).
Cockburn, Alistair, Writing Effective Use Cases, Addison-Wesley Smith, Eric D., Ferenc Szidarovszky, William J. Karnavas and A.
(2001). Terry Bahill, “Sensitivity analysis, a powerful system validation
Daniels Jesse, and A. Terry Bahill, “The Hybrid Process That technique,” The Open Cybernetics and Systemics Journal,
Combines Traditional Requirements and Use Cases,” Systems http://www.bentham.org/open/tocsj/openaccess2.htm, doi:
Engineering, 7:4 (2004), pp. 303-319. 10.2174/1874110X00802010039, 2: (2008), pp. 39-56.
Daniels Jesse, Paul W. Werner, and A. Terry Bahill, “Quantitative Simon, Herbert A., “The Architecture of Complexity,” Proceedings
Methods for Tradeoff Analyses,” Systems Engineering, 4:3 of the American Philosophical Society, 106 (1962),
(2001), pp. 199-212. pp. 467-482.
The Defense Acquisition System, DoD Directive, Number 5000.1, Smith, Eric D., Young-Jun Son, Massimo Piattelli-Palmarini, and
May 12, 2003. http://www.dtic.mil/whs/directives/corres/ A. Terry Bahill, “Ameliorating Mental Mistakes in Tradeoff
pdf2/d50001p.pdf Studies,” Systems Engineering, 10:2 (2007), pp. 222-240.
Douglas, Bruce P., Real-time UML: Advances in the UML for Real- Suh, Nam P., The Principles of Design, Oxford University Press
time Systems, 3rd Edition, Addison-Wesley (2004). (1990).
Evans, Eric, Domain-driven Design: Tackling Complexity in the Sutter, Joe, with Jay Spenser, 747: Creating the World’s First Jumbo
Heart of Software, Addison-Wesley (2004). Jet and Other Adventures from a Life in Aviation, Harper
Fowler, Martin, UML Distilled: A Brief Guide to the Standard Collins Publishers (2006).
Object Modeling Language, 3rd Edition, Addison-Wesley Wymore, A. Wayne, Model-based Systems Engineering, CRC Press
(2004). (1993).
Fricke, Ernst, and Armin P. Schultz, “Design For Changeability Wymore, A. Wayne, “The Nature of Research in Systems
(DfC): Principles to Enable Changes in Systems Throughout Engineering,” paper presented at the Stevens Institute --
Their Entire Lifecycle,” Systems Engineering, 8:4 (2005), pp. University of Southern California Workshop on Research in
342-359. Systems Engineering, (April 2004).
Gomaa, Hassan, Designing Concurrent, Distributed, and Real-time Wymore, A. Wayne, and A. Terry Bahill, “When Can We Safely
Applications with UML, Addison-Wesley (2000). Reuse Systems, Upgrade Systems or Use COTS Components?”
INCOSE Systems Engineering Handbook v2a, 2004. Retrieved Systems Engineering, 3:2 (2000), pp. 82-95.
March 2006, http://www.incose.org/ProductsPubs/
incosestore.aspx.
Jacobson, Ivar, Grady Booch, and James Rumbaugh, The Unified About the Authors
Software Development Process, Addison-Wesley (1999). Terry Bahill, PE, is a professor of systems engineering at
Kulak, Daryl, and Eammon Guiney, Use Cases: Requirements in the University of Arizona in Tucson. While on sabbatical
Context, Addison-Wesley (2000). from the University of Arizona, he did research with BAE
Moody, Jay A., William L. Chapman, F. David Van Voorhees, Systems in San Diego. He received his PhD in electrical
and A. Terry Bahill, Metrics and Case Studies for Evaluating engineering and computer science from the University of
Engineering Designs, Prentice Hall PTR (1997). California, Berkeley in 1975. Bahill has worked with BAE
Rosenblit, Jerzy W., A Conceptual Basis for Model-Based System Systems in San Diego, Hughes Missile Systems in Tucson,
Design, Ph.D. dissertation in Computer Science at Wayne Sandia Laboratories in Albuquerque, Lockheed Martin
State University, published by University Microfilms Tactical Defense Systems in Eagan MN, Boeing Information,
International (1985). Space and Defense Systems in Kent, WA, Idaho National
O’Connor, Patrick D. T., Test Engineering, John Wiley (2001). Engineering and Environmental Laboratory in Idaho
Övergaard, Gunnar, and Karin Palmkvist, Use Cases: Patterns and Falls, and Raytheon Missile Systems in Tucson. For these
Blueprints, Addison-Wesley (2005). companies he presented seminars on systems engineering,
Parnas, David L., “On the Criteria to be Used in Decomposing worked on system development teams, and helped them
Systems Into Modules,” Communications of the ACM, 15:12 describe their systems engineering processes. He holds a U.S.
(1972), pp. 1053-1058. Also available at http://www.acm.org/ patent for the Bat Chooser, a system that computes the Ideal
classics/may96/ Bat Weight for individual baseball and softball batters. He
Engineering Management Journal Vol. 20 No. 4 December 2008 15
received the Sandia National Laboratories Gold President’s experience in a wide variety of engineering, engineering
Quality Award. He is the Founding Chair Emeritus of the management, and program management roles involving
INCOSE Fellows Selection Committee. development and integration of complex, software
Rick Botta is the director of systems engineering for intensive systems.
BAE Systems in San Diego. He holds a Bachelor of Science Contact: A. Terry Bahill, PE, Systems and Industrial
degree in Computer Science from California Polytechnic Engineering, University of Arizona, Tucson, AZ, 85721-0020;
State University, San Luis Obispo. Rick has a quarter century phone: 520-621-6561, terry@sie.arizona.edu
Appendix A
Principles of Function Design
Functional decomposition is a popular system design technique. When using it, you identify the top-level function that the system must perform. Decompose that function into subfunctions. Then decompose those subfunctions into sub-subfunctions. Continue this decomposition until you get functions that can be implemented with commercial off-the-shelf products. When performing this design task, creating the functions and allocating them to components should not be arbitrary or capricious. The functions should be designed, and there are principles that can help you design good functions.

Allocate Each Function to Only One Component. Each function should be allocated to only one physical component, and, therefore, each function will have only one owner. If there were two owners for a function, one might change his or her requirements, and this would change the system for the other. In the object-oriented world, this would be phrased as, “Do not allow multiple actors to have the same role” (Övergaard and Palmkvist, 2005). If two actors are trying to assume the same role, generalize them into one abstract actor. My wife notes that in a theater play it would also be a mistake to allow two actors to assume the same role. For some systems and customers, this principle may be difficult to implement. Let us now look at some examples of following and violating this principle.

One function allocated to two components, bad design: Violation of this principle is captured in the American proverb, “Too many cooks spoil the soup.” In the 20th century, the function of tracking terrorists was allocated to the FBI, the CIA, the NSA, the Pentagon, etc. Until 9/11/01, the results were mixed. In a baseball game, if the runner on first base is likely to steal second base, then the function of covering second is allocated by agreement to the second baseman or the shortstop, but never to both. This agreement prevents bad design. This principle may be the reason back-seat drivers are so disdained.

One function allocated to two components—exceptions that prove the rule: One valid reason for assigning a function to more than one component would be that the function is performed by one component in a certain mode and by another component in another mode. For example, to decelerate an airplane, when the wheels first hit the runway, reverse the thrusters on the engines. Later, when preparing to move from the runway to the taxiway, apply the brakes on the wheels. Another reason for assigning a function to more than one component would be deliberate redundancy to enhance reliability—allowing one portion of the system to take on a function if another portion fails to do so, as on the Space Shuttles, which have five flight control computers. Another reason is truly distributed functionality: you can decelerate a car with either front wheels or back wheels. For decelerating an airplane, the reverse thrusters on the engines and the air brakes on the wings might be for redundancy or distributed functionality.

One system with two subsystems and two functions, OK design: A claw hammer pounds nails or pulls nails. A pencil makes lines or erases lines. A teapot heats water and whistles. A clock radio wakes up people or plays music. A heating, ventilation, and air conditioning system heats a house or air-conditions a house. Computers do many things at the same time.

One object with two functions, OK design: A drawbridge allows cars to move over the river or boats to move under the bridge. Female breasts attract males and feed the offspring that result. Mammal sex organs are used for reproduction and waste elimination. An air conditioner cools air and removes humidity from the air. A dog can guard the house or be a pet.

One object with two functions, marginal design: Sports stadiums have been built to present both football and baseball games. Such stadiums are not popular now—they must not have been very successful. A combination washer and dryer washes clothes and dries clothes (these are not currently popular). An item with the functions of creating and operating the same object is a bad design (Evans, 2004). If you buy a new car and it needs service, you do not take it back to the factory that manufactured it—you take it to a separate service center.

One function with two purposes, OK design: An oven cooks food and kills bacteria. It has one function (heat food) but two purposes. A dishwasher cleans dishes and kills bacteria.

Make Functions Independent. Functions should not depend upon each other. If they are independent and one is changed, then the other one will not have to be changed. Normally I let my clock radio wake me up with music. But if I am in a strange town, I use the buzzer, just in case the radio station is off the air or the radio is mistuned when I want to get up. Allowing the wakeup function to depend on the play music function is dangerous, and I avoid it when the wakeup function is critical. Fricke and Schultz (2005) present a technique to help keep functions independent.

A bad design: On most company telephones, dialing 9 gets an outside line, and then dialing 1 starts a long distance dial. At this point if the 1 button is inadvertently hit again, then the caller is connected to 911, the emergency line. If you hang up quickly, they send a policeman to save you.

Limit the side effects: Functions should do what their names imply and nothing else. For example, in an automobile, the ignition switch turns off the ignition system, but it also has a side effect of disconnecting electric power to the radio. Renaming this switch the electric power switch would solve this side-effects problem.

These principles apply to object-oriented design as well. In use cases, the functions are described in the Functional Requirements part of the Specific Requirements section (Daniels and Bahill, 2004). In use case diagrams, functions are associated with the roles. In activity diagrams, functions are the activities. In state machine diagrams, functions are the actions and activities. In class diagrams, functions are the operations listed in the third part
of the box. In sequence diagrams, functions are the commands, so functions appear in many places.
In an object-oriented design, it would be a mistake to give two functions the same name and it would be a mistake to assign one function to two classes; however, it is very natural to have one function appear in a use case, a class diagram, a state machine diagram, and a sequence diagram. It would be specified in one place and used in multiple diagrams.
These principles of good design do not apply to biological systems that evolved instead of being designed.

Appendix B
Design Margins
The term design margin is used for at least four different purposes: safety factors, budget reserves, tolerances, and performance capabilities. When designing a system, parameters with large uncertainties should have bigger safety factors than parameters that are well known. For instance, if it is believed that the safe upper limit for voltage is 200 ± 5 V, then rate the system at 190 V. Whereas, if you think a safe upper limit for voltage is 200 ± 20 V, then you could rate the system at 140 V.
The maximum safe pressure for a cylindrical steel boiler is given by
Maximum Pressure = (Wall Thickness × Tensile Strength) / Shell Radius
Suppose that the values for a particular boiler design yield a maximum safe pressure of 1000 psi. According to the 1915 ASME Boiler Code, you should rate it for 200 psi: that is, the code required a safety factor (design margin) of 5. Studies of the service history of pressure vessels and failure analyses led to a more thorough understanding of the behavior of steel materials, and better manufacturing techniques led to better materials. As a result, in 1951 the ASME design margin was changed to 4, which would allow 250 psi for the boiler above. In 1999, this design margin was further reduced to 3.5. As the system becomes better understood, the design margin is reduced.
Reliability engineers increase the reliability of a system by limiting the ratio of the operating stress to the rated stress to, for example, 50%, which implements a 100% design margin. For example, a capacitor that is rated for 10 V would be restricted to a maximum operating voltage of 5 V.
Often nonfinancial budgets are created for critical design parameters.

Exhibit B1. Weight Budgets
Module   Target Weight   Maximum Allowable Weight   Reserve
A        15              20                         5
B        20              30                         10
C        40              50                         10

But it is a better practice (particularly with schedule) to sweep up all of the reserve and give it to the Program Manager.

Exhibit B2. Allocation of Reserves
Module                      Target Weight
A                           15
B                           20
C                           40
Program Manager’s Reserve   25

Things that are often budgeted include computer memory, weight, power, cost, and schedule. These items are usually traded off with each other and also between the subsystems.
When designing a system, it is important to give tolerances for manufacturing parameters. These design margins are usually given as the tolerance about a nominal value. For example,
Output voltage 5 V ± 0.1
Weight 5 kg +0.1, -0.5
Hole diameter 5 cm +0.1, -0
In a similar vein, parameters will change due to operation, wear, aging, and replacement. Tolerances must be given for maintenance procedures. For example, when tuning a Datsun 240Z, set the spark plug gap between 0.8 and 0.9 mm and set the distributor point gap between 0.45 and 0.55 mm.
At Sandia Laboratories a “high-margin” nuclear explosive package design generates its nominal (or higher) yield over the widest possible range of input and environmental parameters. New nuclear weapons are being designed with increased “design margins,” which some people think will decrease the “safety margin.”
Other considerations: assume a design has five layers of integration. How we allocate tolerances can have a huge impact on yield at each level. If we assume that statistically we need to constrain the lower level components with a 6-sigma margin to allow for a 4-sigma yield as we integrate all the pieces together, then we will have a high cost at those lower levels but a lower cost at the top level. When considering field service, the low-level field replacements must work with a system that has been in the field for a considerable period of time; therefore, the design margins and tolerances must be controlled precisely at the low levels to allow for these field replacements to have a high confidence of success.
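The design-margin arithmetic of Appendix B, worked through as an added example (this code is not from the article or its authors). The boiler, capacitor, weight-budget and tolerance figures are the ones the appendix quotes; the boiler geometry is constructed to reproduce its 1000 psi, the multiplier k in conservative_rating is this example's way of expressing "larger uncertainty deserves a larger margin" (the appendix gives no formula), and the sigma yields assume a centred, normally distributed parameter.

```python
"""Design-margin arithmetic for the cases in Appendix B (added example).

Assumptions not stated in the article: boiler geometry below is constructed,
conservative_rating's multiplier k is this example's parameterisation, and
two_sided_yield assumes a centred normal distribution.
"""
from math import erf, sqrt


def conservative_rating(nominal: float, half_width: float, k: float) -> float:
    """Rate a parameter k half-widths below its believed limit.

    Appendix B rates 200 +/- 5 V at 190 V and 200 +/- 20 V at 140 V; here those
    are k = 2 and k = 3 (assumption: the larger the uncertainty, the larger k).
    """
    if half_width < 0 or k < 0:
        raise ValueError("uncertainty and multiplier must be non-negative")
    return nominal - k * half_width


def boiler_max_pressure(wall_thickness: float, tensile_strength: float,
                        shell_radius: float) -> float:
    """Maximum safe pressure of a cylindrical boiler, the formula in Appendix B.

    Use consistent units: thickness and radius in one length unit, tensile
    strength in the pressure unit wanted back (psi in the text).
    """
    if shell_radius <= 0 or wall_thickness <= 0:
        raise ValueError("thickness and radius must be positive")
    return wall_thickness * tensile_strength / shell_radius


def rated_pressure(max_safe_pressure: float, design_margin: float) -> float:
    """Pressure rating after applying a code safety factor (5, 4 or 3.5 in the text)."""
    if design_margin < 1:
        raise ValueError("a margin below 1 would rate the vessel above its failure pressure")
    return max_safe_pressure / design_margin


def derated_limit(rated_value: float, stress_ratio: float = 0.5) -> float:
    """Reliability derating: cap operating stress at a fraction of rated stress.

    A ratio of 0.5 is the 100 % design margin the text applies to a 10 V capacitor.
    """
    if not 0 < stress_ratio <= 1:
        raise ValueError("stress ratio must be in (0, 1]")
    return rated_value * stress_ratio


def weight_reserves(rows):
    """Exhibit B1 rows (module, target, maximum allowable) -> per-module reserves
    and the total that Exhibit B2 sweeps into the Program Manager's reserve."""
    reserves = {}
    for module, target, max_allowable in rows:
        if target > max_allowable:
            raise ValueError(f"module {module}: target {target} exceeds allowable {max_allowable}")
        reserves[module] = max_allowable - target
    return reserves, sum(reserves.values())


def within_tolerance(value: float, nominal: float, plus: float, minus: float) -> bool:
    """Asymmetric manufacturing tolerance, e.g. weight 5 kg +0.1, -0.5."""
    return nominal - minus <= value <= nominal + plus


def two_sided_yield(k_sigma: float) -> float:
    """Fraction of parts inside +/- k sigma for a centred normal distribution.

    Contrasts the 6-sigma component margin with the 4-sigma integrated yield
    discussed under 'Other considerations'.
    """
    return erf(k_sigma / sqrt(2))


if __name__ == "__main__":
    # Constructed boiler geometry chosen to reproduce the text's 1000 psi.
    p_max = boiler_max_pressure(wall_thickness=0.5, tensile_strength=20000.0, shell_radius=10.0)
    for year, margin in ((1915, 5), (1951, 4), (1999, 3.5)):
        print(f"{year} ASME margin {margin}: rate at {rated_pressure(p_max, margin):.0f} psi")
    reserves, total = weight_reserves([("A", 15, 20), ("B", 20, 30), ("C", 40, 50)])
    print("module reserves", reserves, "-> Program Manager's reserve", total)
    print("4-sigma yield", two_sided_yield(4), "6-sigma yield", two_sided_yield(6))
```

The per-module reserves sum to the 25 units that Exhibit B2 assigns to the Program Manager, which is the check worth automating: a budget whose reserves do not reconcile with the swept total has been edited in one place and not the other.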
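Returning to Appendix A, the "allocate each function to only one component" rule and its three exceptions (operating mode, deliberate redundancy, distributed functionality) together with "make functions independent" can be checked mechanically over an allocation matrix. The following is an added example, not code from the article or its authors; the sample allocation is constructed from the appendix's own airplane, Space Shuttle, baseball and clock-radio illustrations, and the function and component names are this example's own.

```python
"""Review a function-to-component allocation against Appendix A (added example).

Encodes: one owner per function unless one of the appendix's three exceptions
is declared, and no function may depend on another. Names are constructed.
"""
from collections import defaultdict

# The only reasons Appendix A accepts for giving a function more than one owner.
VALID_EXCEPTIONS = {"mode", "redundancy", "distributed"}


def review_allocation(allocations, exceptions=None, dependencies=None):
    """Return a list of findings; an empty list means the allocation passes.

    allocations:  iterable of (function, component) pairs
    exceptions:   {function: reason} for functions deliberately multiply allocated
    dependencies: iterable of (function, function_it_depends_on) pairs
    """
    exceptions = dict(exceptions or {})
    dependencies = list(dependencies or [])
    owners = defaultdict(set)
    for func, comp in allocations:
        owners[func].add(comp)

    findings = []
    # Rule: allocate each function to only one component.
    for func in sorted(owners):
        comps = owners[func]
        if len(comps) > 1 and exceptions.get(func) not in VALID_EXCEPTIONS:
            findings.append(
                f"'{func}' has {len(comps)} owners {sorted(comps)} and no justified exception")
    # A declared exception must be one the appendix allows and must cover a
    # function that really has several owners.
    for func, reason in sorted(exceptions.items()):
        if reason not in VALID_EXCEPTIONS:
            findings.append(f"'{func}': '{reason}' is not a recognised exception")
        elif len(owners.get(func, ())) < 2:
            findings.append(f"'{func}': exception declared but the function has one owner")
    # Rule: make functions independent.
    for func, dep in dependencies:
        findings.append(f"'{func}' depends on '{dep}'; functions should be independent")
    return findings


def sample_review():
    """Run the review on a constructed allocation built from Appendix A's examples."""
    allocations = [
        # one function, two components, justified by operating mode
        ("decelerate airplane", "reverse thrusters"),   # landing roll
        ("decelerate airplane", "wheel brakes"),        # taxiing
        # deliberate redundancy: five flight control computers
        *[("flight control", f"flight computer {n}") for n in range(1, 6)],
        # covering second base given to both fielders: the appendix's bad design
        ("cover second base", "second baseman"),
        ("cover second base", "shortstop"),
        # two functions on one component is fine
        ("wake up user", "clock radio"),
        ("play music", "clock radio"),
    ]
    exceptions = {"decelerate airplane": "mode", "flight control": "redundancy"}
    # letting wake-up rely on the radio station is the dependency the appendix avoids
    dependencies = [("wake up user", "play music")]
    return review_allocation(allocations, exceptions, dependencies)


if __name__ == "__main__":
    for finding in sample_review():
        print("-", finding)
```

The sample produces exactly two findings, the double-covered base and the wake-up dependency; the airplane and flight-computer cases pass because their exceptions are declared with a recognised reason, which is the documentation the appendix implies a multiple allocation should carry.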