Chapter 5: The Second System Effect

The second-system effect proposes that, when an architect designs a second system, it is the most dangerous system they will ever design, because they will tend to incorporate all of the additions they originally did not add to the first system due to inherent time constraints. Thus, when embarking on a second system, an engineer should be mindful that they are susceptible to over-engineering it (*).

Adde parvum parvo magnus acervus erit.
{Add little to little and there will be a big pile.}


If one separates responsibility for functional specification from responsibility for building a fast, cheap product, what discipline bounds the architect’s inventive enthusiasm?

The fundamental answer is thoroughgoing, careful, and sympathetic communication between architect and builder. Nevertheless there are finer-grained answers that deserve attention.

Interactive Discipline for the Architect

When a construction architect devises a project against a budget, it usually happens that the initial offer has to be re-designed iteratively in order to fit contractor’s bids.

An analogous process governs the architect of a computer/programming system, with the advantage of getting bids from the contractor at many early points in his design, almost any time he asks for them. He usually has the disadvantage of working with only one contractor, who can raise or lower his estimates to reflect his pleasure with the design. In practice, early and continuous communication can give the architect good cost readings and the builder confidence in the design without blurring the clear division of responsibilities.

The architect has two possible answers when confronted with an estimate that is too high: cut the design or challenge the estimate by suggesting cheaper implementations. This latter is inherently an emotion-generating activity. The architect is now challenging the builder’s way of doing the builder’s job. For it to be successful, the architect must

  • be aware that he suggests, not dictates : the builder has the inventive and creative responsibility for the implementation
  • be flexible and always be prepared to suggest a way of implementing anything he specifies, and be prepared to accept any other way that meets the objectives as well
  • deal quietly and privately in such suggestions
  • be ready to forego credit for suggested improvements

Self-Discipline — The Second-System Effect

When an architect first designs a work, it starts from the ignorance of not knowing what is to be done, so he pays careful attention, controlling every aspect, taking out concepts and feature not really relevant, but stores them for a future when they might be used.

The architect faces no a second system to design, which is the most dangerous system a man ever designs. When he does his third and later ones, his prior experiences will confirm each other as to the general characteristics of such systems, and their differences will identify those parts of his experience that are particular and not generalizable.

The general tendency is to over-design the second system, using all the ideas and frills that were cautiously sidetracked on the first one. The result, as Ovid says, is a “big pile” of functionalities where most of them are rarely used.

The second-system effect has another manifestation somewhat different from pure functional embellishment. That is a tendency to refine techniques whose very existence has been made obsolete by changes in basic system assumptions.

How does the architect avoid the second-system effect? Well, obviously he can’t skip his second system. But he can be conscious of the peculiar hazards of that system, and exert extra self-discipline to avoid functional ornamentation and to avoid extrapolation of functions that are obviated by changes in assumptions and purposes.

A discipline that will open an architect’s eyes is to assign each little function a value: capability x is worth not more than m bytes of memory and n microseconds per invocation. These values will guide initial decisions and serve during implementation as a guide and warning to all.

How does the project manager avoid the second-system effect? By insisting on a senior architect who has at least two systems under his belt. Too, by staying aware of the special temptations, he can ask the right questions to ensure that the philosophical concepts and objectives are fully reflected in the detailed design.


The Agile Manifesto

In February 2001, seventeen software developers met at the Snowbird resort in Utah to discuss lightweight development methods, among others Jeff Sutherland, Ken Schwaber, and Alistair Cockburn. Together the seventeen published the Manifesto for Agile Software Development, in which they shared that, through their combined experience of developing software and helping others to do it, they had come to value:

  • Individuals and Interactions over processes and tools
  • Working Software over comprehensive documentation
  • Customer Collaboration over contract negotiation
  • Responding to Change over following a plan

While the secondary concerns were important the primary concerns were more critical to success.
By these terms, they meant:

Individuals and interactions
Self-organization and motivation are important, as are interactions like co-location and pair programming.
Working software
Working software is more useful and welcome than just presenting documents to clients in meetings.
Customer collaboration
Requirements cannot be fully collected at the beginning of the software development cycle, therefore continuous customer or stakeholder involvement is very important.
Responding to change
Agile software development methods are focused on quick responses to change and continuous development.

Some of the authors formed the Agile Alliance, a non-profit organization that promotes software development according to the manifesto’s values and principles. Introducing the manifesto on behalf of the Agile Alliance, Jim Highsmith said,

The Agile movement is not anti-methodology, in fact many of us want to restore credibility to the word methodology. We want to restore a balance. We embrace modeling, but not in order to file some diagram in a dusty corporate repository. We embrace documentation, but not hundreds of pages of never-maintained and rarely-used tomes. We plan, but recognize the limits of planning in a turbulent environment. Those who would brand proponents of XP or SCRUM or any of the other Agile Methodologies as “hackers” are ignorant of both the methodologies and the original definition of the term hacker.

— Jim Highsmith, History: The Agile Manifesto

Agile software development principles

The Manifesto for Agile Software Development is based on twelve principles:

  1. Customer satisfaction by early and continuous delivery of valuable software
  2. Welcome changing requirements, even in late development
  3. Working software is delivered frequently (weeks rather than months)
  4. Close, daily cooperation between business people and developers
  5. Projects are built around motivated individuals, who should be trusted
  6. Face-to-face conversation is the best form of communication (co-location)
  7. Working software is the principal measure of progress
  8. Sustainable development, able to maintain a constant pace
  9. Continuous attention to technical excellence and good design
  10. Simplicity—the art of maximizing the amount of work not done—is essential
  11. Best architectures, requirements, and designs emerge from self-organizing teams
  12. Regularly, the team reflects on how to become more effective, and adjusts accordingly

from Wikipedia

Chapter 4: Aristocracy, Democracy and System Design

This great church is an incomparable work of art. There is neither aridity nor confusion in the tenets it sets forth. . , ,

It is the zenith of a style, the work of artists who had understood and assimilated all their predecessors’ successes, in complete possession of the techniques of their times, but using them without indiscreet display nor gratuitous feats of skill.

It was Jean d ‘Orbais who undoubtedly conceived the general plan of the building, a plan which was respected, at least in its essential elements, by his successors. This is one of the reasons for the extreme coherence and unity of the edifice.


Conceptual Integrity

The typical situation for a cathedral building is being made during several generations by several builders, where each period shows the ideas and “improvements” of those in command at that moment.

The Reims Cathedral is the counterexample: the building integrity was achieved by the self-abnegation of eight generations of builders whom sacrificed some of his ideas in benefit for the construction pure design.

Even though they have not taken centuries to build, most programming systems reflect conceptual disunity far worse than that of cathedrals. Usually this arises not from a serial succession of master designers, but from the separation of design into many tasks done by many men.

Conceptual integrity is the most important consideration in system design. It is better to have a system omit certain anomalous features and improvements, but to reflect one set of design ideas, than to have one that contains many good but independent and uncoordinated ideas.

Achieving Conceptual Integrity

The purpose of a programming system is to make a computer easy to use.

Ease of use is enhanced only if the time gained in functional specification exceeds the time lost in learning, remembering, and searching manuals. With modern programming systems this gain does exceed the cost, which did not happen in software development old days. Because ease of use is the purpose, the ratio of function- conceptual complexity is the ultimate test of system design. Neither function alone nor simplicity alone defines a good design.

For a given level of function, however, that system is best in which one can specify things with the most simplicity and straightforwardness.

It is not enough to learn the elements and rules of combination; one must also learn the idiomatic usage, a whole lore of how the elements are combined in practice. Simplicity and straightforwardness proceed from conceptual integrity. Every part must reflect the same philosophies and the same balancing of desiderata.

Every part must even use the same techniques in syntax and analogous notions in semantics. Ease of use, then, dictates unity of design, conceptual integrity.

Aristocracy and Democracy

Conceptual integrity in turn dictates that the design must proceed from one mind, or from a very small number of agreeing resonant minds. Schedule pressures, however, dictate that system building needs many hands. Two techniques are available for resolving this dilemma.

  • Division of labour between architecture and implementation.
  • The Surgical Team structuration

The separation of architectural effort from implementation is a very powerful way of getting conceptual integrity on very large projects. Complete and detailed specification of the user interface.  (For the entire system it is the union of the manuals the user must consult to do his entire job).

The architect of a system has to bring professional and technical knowledge to bear in the unalloyed interest of the user, as opposed to the interests of the salesman, the fabricator, etc.

“Where architecture tells what happens, implementation tells how it is made to happen.”

In regard to the deeply emotional question of aristocracy versus democracy:

  • Are not the architects a new aristocracy, an intellectual elite, set up to tell the poor dumb implementers what to do?
    • Yes, in the sense that there must be few architects, their product must endure longer than that of an implementer, and the architect sits at the focus of forces which he must ultimately resolve in the user’s interest. If a system is to have conceptual integrity, someone must control the concepts. That is an aristocracy that needs no apology.
    • No, because the setting of external specifications is not more creative work than the designing of implementations. It is just different creative work. The design of an implementation, given an architecture, requires and allows as much design creativity, as many new ideas, and as much technical brilliance as the design of the external specifications.
  • Has not all the creative work been sequestered for this elite, leaving the implementers as cogs in the machine?
  • Won’t one get a better product by getting the good ideas from all the team, following a democratic philosophy, rather than by restricting the development of specifications to a few?
    • Not only the architects will have good architectural ideas. Often the fresh concept does come from an implementer or from a user. However, the conceptual integrity of a system determines its ease of use. Good features and ideas that do not integrate with a system’s basic concepts are best left out.
    • If there appear many such important but incompatible ideas, one scraps the whole system and starts again on an integrated system with different basic concepts.

The external provision of an architecture enhances, not cramps, the creative style of an implementing group. They focus at once on the part of the problem no one has addressed, and inventions begin to flow. In an unconstrained implementing group, most thought and debate goes into architectural decisions, and implementation proper gets short shrift.

What Does the Implementer Do While Waiting?

“It is a very humbling experience to make a multimillion-dollar mistake, but it is also very memorable”

When it is proposed that a small architecture team in fact write all the external specifications for a computer or a programming system, the implementers raise three objections:

  • The specifications will be too rich in function and will not reflect practical cost considerations.
  • The architects will get all the creative fun and shut out the inventiveness of the implementers.
  • The many implementers will have to sit idly by while the specifications come through the narrow funnel that is the architecture team.

In the computer systems business the pace is quicker than in construction (where design comes first, building comes after), and one wants to compress the schedule as much as possible. How much can specification and building be overlapped?

The total creative effort involves three distinct phases: architecture, implementation, and realization, which can in fact begun in parallel and proceed simultaneously. Meanwhile, on the realization level there is much to be done also. Programming has a technology, too. Much work must be done on subroutine conventions, supervisory techniques, searching and sorting algorithms.

Conceptual integrity does require that a system reflect a single philosophy and that the specification as seen by the user flow from a few minds. Because of the real division of labour into architecture, implementation, and realization, however, this does not imply that a system so designed will take longer to build. Experience shows the opposite, that the integral system goes together faster and takes less time to test. In effect, a widespread horizontal division of labour has been sharply reduced by a vertical division of labour, and the result is radically simplified communications and improved conceptual integrity.

Chapter 3: The Surgical Team

These studies revealed large individual differences between high and low performers, often by an order of magnitude.


When managing a team there is a debate between small teams made out of sharp first-class people, or bigger teams with people of every kind. Appart from that there are the needs and size of the project, for which a small team runs short or reseources for doing it in a meaningful schedule.

The Problem

Is it preferable to have small, sharp teams of very efficient programmers or a large team of no so efficient people able to deal with big tasks by, at the end, brute force?

The dilemma is a cruel one. For efficiency and conceptual integrity, one prefers a few good minds doing design and construction. Yet for large systems one wants a way to bring considerable manpower to bear, so that the product can make a timely appearance. How can these two needs be reconciled?

Mills’s Proposal – THE SURGICAL TEAM

Harlan Mills proposes that each segment of a large job be tackled by a team, but that the team be organized like a surgical team rather than a hog-butchering team. That is, instead of each member cutting away on the problem, one does the cutting and the others give him every support that will enhance his effectiveness and productivity.

Much as a surgical team during surgery is led by one surgeon performing the most critical work, while directing the team to assist with less critical parts, it seems reasonable to have a “good” programmer develop critical system components while the rest of a team provides what is needed at the right time

THE SURGEON  (The chief programmer).

  • Defines the functional and performance specifications, designs the program, codes it, tests it, and writes its documentation.
  • Writes in a structured programming language such as PL/I
  • Has effective access to a computing system which not only runs his tests but also stores the various versions of his programs, allows easy file updating, and provides text editing for his documentation.
  • Needs great talent (10+ years experience) and considerable systems and application knowledge, whether in applied mathematics, business data handling, or whatever.

THE COPILOT. (The alter ego of the surgeon)

  • Able to do any part of the job, but is less experienced.
  • Main function is to share in the design as a thinker discussant, and evaluator. The surgeon tries ideas on him, but is not bound by his advice.
  • Represents his team in discussions of function and interface with other teams.
  • Knows all the code intimately.
  • Researches alternative design strategies.
  • May even write code, but he is not responsible for any part of the code.


  • Is boss, and he must have the last word on personnel, raises, space, and so on, but he must spend almost none of his time on these matters.
  • Needs a professional administrator who handles money, people, space, and machines, and who interfaces with the administrative machinery of the rest of the organization.
  • Has a full-time job only if the project has substantial legal, contractual, reporting, or financial requirements because of the user-producer relationship.


  • Takes the draft or dictated manuscript produced by the surgeon and criticizes it, reworks it, provides it with references and bibliography, nurses it through several versions, and oversees the mechanics of production.


  • The administrator and the editor will each need a secretary; the administrator’s secretary will handle project correspondence and non-product files.


  • Responsible for maintaining all the technical records of the team in a programming-product library.
  • The clerk is trained as a secretary and has responsibility for both machine-readable and human-readable files.
  • Logs and keys it all computer input. The output listings go back to him to be filed and indexed.
  • Making all the computer runs visible to all team members and identifying all programs and data as team property, not private property.
  • Relieves programmers of clerical chores, systematizes and ensures proper performance of those oft-neglected chores, and enhances the team’s most valuable asset—its work-product.
  • Logs all updates of team program copies from private working copies, still handles all batch runs, and uses his own interactive facility to control the integrity and availability of the growing product.


  • Responsible for ensuring the adequacy of “File-editing, text-editing, and interactive debugging” services and for constructing, maintaining, and upgrading special tools—mostly interactive computer services—needed by his team.
  • Each team will need its own toolsmith
  • The tool-builder will often construct specialized utilities, catalogued procedures, macro libraries.


  • Is both an adversary who devises system test cases from the functional specs, and an assistant who devises test data for the day-by-day debugging.
  • Also plans testing sequences and set up the scaffolding required for component tests.


  • Masters the intricacies of a programming language, which uses to do difficult, obscure and tricky things
  • Does small studies on good technique
  • At the service of different surgeons

How It Works

The team just defined meets the desiderata in several ways. Ten people, seven of them professionals, are at work on the problem, but the system is the product of one mind—or at most two, acting uno animo.

Differences between a team of two programmers conventionally organized and the surgeon-copilot team.

  • In the conventional team the partners divide the work, and each is responsible for design and implementation of part of the work. In the surgical team, the surgeon and copilot are each cognizant of all of the design and all of the code. This saves the labor of allocating space, disk accesses, etc. It also ensures the conceptual integrity of the work.
  • In the conventional team the partners are equal, and the inevitable differences of judgment must be talked out or compromised. Since the work and resources are divided, the differences in judgment are confined to overall strategy and interfacing, but they are compounded by differences of interest. In the surgical team, there are no differences of interest, and differences of judgment are settled by the surgeon unilaterally.

These two differences—lack of division of the problem and the superior-subordinate relationship—make it possible for the surgical team to act uno animo.

Yet the specialization of function of the remainder of the team is the key to its efficiency, for it permits a radically simpler communication pattern among the members.