David Cummings

Executive Vice President
David M. Cummings is the Executive Vice President of the Kelly Technology Group in Santa Barbara, CA. He has over 35 years of experience in the design and implementation of software systems, many of which are embedded systems. Nine of those years were spent at the Jet Propulsion Laboratory, where he designed and implemented flight software for the Mars Pathfinder spacecraft. He holds a bachelor's degree from Harvard University, and a master's degree and a Ph.D. from UCLA. For more information, please see www.kellytechnologygroup.com.

David Cummings's contributions
    • Thank you for your comment, and thank you as well to Andrew Banks for his earlier comments.

      I agree with all your points. And regarding your last paragraph, I have seen two different MISRA C tools greatly overinflate the number of violations for the reasons you describe.

      Unfortunately, there are members of our profession who make a business out of finding simplistic ways to evaluate other people’s software using metrics such as counting MISRA violations, counting global variables, measuring cyclomatic complexity, etc. Many developers of real-world systems recognize that this is overly simplistic and that these evaluations are largely without merit, consistent with the points you make regarding counting MISRA violations. In addition, there is objective academic research based on empirical evidence that debunks these simplistic metric-based evaluations.

      Nonetheless, some members of our profession continue to use these simplistic and largely meaningless evaluations to further their own business needs, not only as expert witnesses but also as consultants to industry and government. I spent many years as a government contractor, including 9+ years at NASA’s Jet Propulsion Laboratory, and on a number of projects I saw non-technical bureaucrats and managers hire such people based on the false belief that they had a magic bullet (a “recipe” as these two experts told the jury) for ensuring high quality software. Many experienced developers know that there is no such magic bullet or recipe, but non-technical bureaucrats, managers, judges and juries can be easily misled.

      So, although the vendors whose tools enable such metrics undoubtedly have good intentions, and although the tools themselves can be helpful to developers who know how to use them properly, unfortunately these same tools are misused by some members of our profession to serve their business needs rather than using them to serve the real technical needs for which they were intended.

    • You left out the second half of Dr. Hatton’s sentence. In its entirety, that sentence and the following sentence, which together complete Dr. Hatton’s paragraph, read:

      “Although hard real-time systems and scientific subroutine libraries are not the same beast, there is precious little sharing of good experimental data and analysis in any computationally reproducible form on which we could build. It could be argued that there are better, more modern alternatives, in that they make more sense to an experienced engineer, but where is the quantitative evidence that they are ‘better’?”

      These sentences from Dr. Hatton do not change my point that Dr. Hatton’s academic opinions support this statement from ArtGoldste:

      “A second disturbing aspect is the way in which Dr. Koopman has selected himself as the arbiter and spokesperson for the academic community when he says ‘“academic standard is there should be zero” global variables’.”

      Dr. Hatton is a member of the academic community with many publications on software safety, and his opinion about global variables is clearly at odds with Dr. Koopman’s. That was my point. The entirety of Dr. Hatton’s paper from which I quoted, which specifically discusses the Toyota trial, makes it clear that his opinion about global variables is at odds with Dr. Koopman’s.

      Furthermore, in the second Hatton reference that I cited, Dr. Hatton characterizes as “points of folklore” with “no supporting statistically robust evidence” the plaintiffs’ contention in this trial that global variables are associated with defects. This, too, makes it clear that his opinion is at odds with Dr. Koopman’s.

      Dr. Hatton’s opinions in both of these references support the above statement from ArtGoldste. Your partial quote of just one sentence from Dr. Hatton’s paper does not change that. Nor does your quote from Donald Knuth.

    • Regarding your last paragraph: Yes, my article is about expert testimony at trial, so in that sense it is “‘legal’/law focused” as you say.

      Regarding your first paragraph: When talking about the Obermaisser paper and dangerous faults, Dr. Koopman did not say “potentially dangerous” as you imply. Rather, he told the non-technical jury that Obermaisser said 2 percent of failures are “dangerous” whereas Obermaisser said “arbitrary.” Dr. Koopman misquoted Obermaisser, which I think is misleading. I believe it is crucial that technical experts not misrepresent facts to a jury as Dr. Koopman did.

      Dr. Koopman then calculated for the jury, based on Obermaisser’s 2 percent number, that a “dangerous” failure would be expected in the fleet of Toyotas every week or two, even though Obermaisser gave no statistics about “dangerous” failures. Then Dr. Koopman went even further and told the jury that, based on Obermaisser’s 2 percent number, an unintended acceleration event would be expected in the fleet of Toyotas every week or two, despite the fact that Obermaisser said nothing about unintended acceleration, or acceleration of any sort. To me this is also misleading.

      Those are just a few examples. Dr. Koopman also told the jury that Toyota’s code “has far, far too many bugs” without seeing one line of that code. He also told the jury that “there is no reason” for Toyota’s use of global variables even though he did not see Toyota’s code, and even though his own research team’s Ballista software contains explicit comments describing reasons to use global variables. To me, these are other examples of statements that are misleading at best. (My articles provide additional examples.)

      Regarding your second paragraph: My point was not to simply compare the experts’ software with Toyota’s software. Rather, my point is that the experts’ software shows that they do not practice what they preach about global variables and the use of MISRA C as a predictor of bugs.

    • I agree with your point that Dr. Koopman’s testimony is troubling and raises important ethical issues. And specifically, with respect to your questioning of the appropriateness of Dr. Koopman having “selected himself as the arbiter and spokesperson for the academic community” regarding global variables, I’d like to point out the following:

      Dr. Les Hatton, a well-respected researcher in software safety and author of the well-known book “Safer C,” has not been able to find any statistically significant relationship between the use of global variables and software defects. When discussing the evidence presented at this specific trial, he says:

      “For example, the use of global variables is an important issue in these reports as a dangerous practice. It is likely that many embedded system engineers would agree, but how dangerous are they and in what context are they dangerous? Everybody will have an example which may have affected them but this does not constitute a quantitative predictive system. Tim Hopkins and I checked this in the NAG library (Hopkins and Hatton (2008)), and there was no statistically significant relationship between the presence of global variables and the presence of defect after 25 years of use.”

      See: http://www.leshatton.org/Documents/SSS17_Hatton_11-Oct-2016.pdf

      Dr. Hatton also refers to the plaintiffs’ contention in this trial that global variables are associated with defects, and the plaintiffs’ contention that high cyclomatic complexity and other “measures” are associated with defects, as “points of folklore” with “no supporting statistically robust evidence.”

      See: http://www.leshatton.org/Documents/SSS_09-Feb-2017.pdf

      Thus, Dr. Koopman’s testimony to the jury about global variables, as well as his testimony about other supposed “measures” of software quality such as cyclomatic complexity, appears to be contradicted by Dr. Hatton’s research.

    • It would be wonderful if, as you say, these kinds of trials decreased in frequency due to good development processes, increased knowledge, use of best practices, etc. However, that assumes that plaintiffs (and their software experts) behave in good faith, and only file lawsuits accusing software of causing accidents if they have legitimate reason to believe the software was indeed to blame. This trial shows that in fact this is not the case. That’s a key point.

      The first software expert, Dr. Koopman, told the jury that Toyota’s software was of low quality even though, as I show in the article, his evidence was misleading at best, including misrepresenting facts like changing the wording of a research paper (and making many other questionable assertions).

      The second software expert, Mr. Barr, also criticized Toyota’s software quality with misleading testimony, as I show. In addition, as I discuss in your reference [1], he claimed to have found that more likely than not Toyota’s software caused the accident (more likely than not is the plaintiffs’ burden of proof). As I show in that reference, his causation theory assumed multiple failures, but he provided no evidence of any specific bugs directly causing any of those failures, let alone the multiple failures assumed by his theory that had to occur together. Furthermore, as I show, he presented misleading slides to the jury, including a slide that conveyed that he had found an actual occurrence in the code of stack overflow, when he found no such occurrence.

      Thus, unless we find a way to prevent highly questionable testimony from software experts such as the testimony at this trial, I’m afraid that indeed it is the case that “as we become increasingly reliant on embedded software in our daily lives … our legal system is likely to face this issue with increasing frequency.” Sadly, the actual quality of the software at issue is largely irrelevant to testimony such as the testimony presented at this trial.

    • The correct link to the URL in my previous comment (without the final period) is:
      https://tinyurl.com/yajw76tx

      Also, the link to the archived Ballista page on the Wayback Machine is:
      https://web.archive.org/web/20160616215326/https://users.ece.cmu.edu/~koopman/ballista/

    • I’m afraid you have been misled by Dr. Koopman. The note you quote from the Ballista website was not in the version of the website I accessed when I wrote my original IEEE articles, which you can see in Footnote 1 here: https://tinyurl.com/yajw76tx. That note was also not in the latest version of the Ballista website archived on the Wayback Machine. Up until this recent addition by Dr. Koopman (perhaps in response to my articles?), there were no such disclaimers on his Ballista website. Thank you for bringing it to my attention.

      My point regarding Ballista is that Dr. Koopman told the jury that “global variables are evil” and the “academic standard is there should be zero” global variables, but in his own academic code he does not practice what he preaches. Even if, as he is now claiming for the first time on his website, the Ballista code was written by students who are still learning how to create software systems, then why didn’t he provide the right guidance to these students, especially on an issue as important to software quality as he says this is?

      And of course this is just one of the many questionable aspects of his testimony, including:

      1. He told the jury that Toyota “has far, far too many bugs,” and “there is no reason” for Toyota’s use of global variables, even though he did not see one line of Toyota’s source code.

      2. He told the jury that for every 30 MISRA C violations, one can expect an average of 1 major bug and 3 minor bugs in the code. In a recent comment on my Embedded.com article, the current Chairman of the MISRA C Working Group said: “This is a metric that the MISRA C Working Group do not recognise, and certainly do not endorse!”

      3. He changed the wording of a research paper in order to justify his testimony to the jury that the fleet of Toyotas would be expected to experience an unintended acceleration event roughly every week or two. The actual wording of the research paper does not support the conclusion he presented to the jury.

    • Thank you for your feedback. There are a number of free tools available for static code analysis. Verbose compiler warnings can also be useful. I used a free version of a tool from Gimpel Software for the MISRA C analysis described in this article.

      However, please understand that no guidelines or tools, including MISRA C, can ensure code quality. I have used static code analyzers and many other tools with success, but not in the simplistic way the two plaintiffs’ experts described. I believe that those experts do a disservice to the embedded systems community (including hobbyists) by saying that MISRA provides a “recipe” for ensuring software safety, and by conveying the impression that if you follow MISRA C your code will be high quality, and if you don’t, it will be low quality. That is just not true.

      In fact, research has shown that correcting every MISRA C violation can actually make code worse, which the two plaintiffs’ experts apparently do not understand. They gave the jury the impression that the goal should be zero MISRA C violations. This is contradicted by research and by conventional wisdom. Chris Hills, a member of the MISRA C Working Group, has said: “Anyone who stipulates 100% MISRA-C coverage with no deviations does not understand what they are asking for.” He also says: “A ‘tick box’ culture to implementing MISRA-C has developed. As well as giving the programming team many problems, it can also produce horrendous source code.”

      In addition, I’ve seen different MISRA C tools produce very different results for the exact same code. I’ve also seen replication of single violations reported by at least two popular MISRA C tools, significantly overinflating the actual number of violations. Thus, it is not clear that relying on MISRA C, without applying a very strong filter and/or using other tools as well, is useful.

      In summary, use static analysis tools, but be sure to use prudence in interpreting the results. Unfortunately, there is no silver bullet.

    • Thank you for your comment.

      As to your question, there is no simple answer, as much as the two plaintiffs’ software experts in this trial would have you believe otherwise. They conveyed to the non-technical judge and jury that if you follow the right “recipe,” you can build a safe system, saying things like:

      “So this is a recipe book for how to build safe cars” (referring to MISRA), and

      “Is your process good? Have you followed a good recipe?” and

      “Q: Okay. What do you mean by this MISRA is a recipe?
      A: It's -- we're going to go through that in some detail in slides, but it tells you what you need to do to be safe at great length. … It has everything that you need to know, all the accepted practices for building safety,” and

      “They don't follow a recipe for making a safe system.”

      As anyone who has actually designed and written software for safe systems knows, it is not nearly this simple. Yes, there is an important body of knowledge in which one must be grounded before even attempting to architect such a system. However, that is not sufficient. There is no “recipe,” contrary to what the two plaintiffs’ experts say. In fact, there is research showing that many MISRA C violations are false positives, and that fixing every MISRA C violation can actually make code worse. Furthermore, a well-respected researcher in software safety, Dr. Les Hatton, has concluded that there is no empirical data to back up the assertion from the two plaintiffs’ experts that global variables are associated with software defects. Dr. Hatton refers to that notion as “folklore.”

      So what can you do? The character limit for this comment does not allow a complete answer. Let me just say, extremely simplistically, that you must hire the right people to design the architecture of the system and software, based on their experience and track record, and those people must provide continual oversight all the way through design, implementation, and testing. But there are volumes more to say...

    • You bring up several interesting points. Thank you.

      First, with respect to Dr. Koopman’s academic code, he told the non-technical judge and jury that “global variables are evil” and the “academic standard is there should be zero” global variables. He then said that Toyota’s code was of low quality because it violated this standard. However, talk is cheap, and his own research team’s academic code shows that he does not practice what he preaches. His testimony about global variables, without the judge and jury being aware of the use of global variables in his own academic code, as well as without them being aware of the comments in his own academic code explaining reasons for using global variables, would seem to be misleading at best. Also, as discussed in detail in my article, that is only one of the many highly questionable aspects of his testimony and the testimony of the other expert. (For example, without having seen one line of Toyota’s code, Dr. Koopman told the judge and jury that Toyota’s code “has far, far too many bugs” and that “there is no reason” for Toyota’s use of global variables.)

      Regarding your comments about the need for independent experts to advise judges in such trials, or the need for technically literate juries, I agree that solutions such as those should be seriously considered by the legal community. But without more input from software experts, the legal community is unlikely to realize the seriousness of this problem. I encourage readers who feel strongly about this issue to speak out. Finding a solution to this serious problem is up to the legal community, but making the legal community aware of the need for such a solution is up to us. At this point, the legal community is largely unaware that they even have a problem. After all, the highly questionable testimony of the two plaintiffs’ software experts in this case apparently seemed reasonable to the non-technical judge, jury, and the judge’s legal staff.