
Writing High Stakes Code (At A Startup) - Cobalt Robotics

www.cobaltrobotics.com

Thoughts on how to write code when the stakes are high or human safety is involved, but you don't have the budget or timelines of NASA. Most of these lessons come from safely building a fleet of over 100 robots at Cobalt, advising startups that programmatically move money or stocks, and my time at SpaceX. I'll try to keep this general enough to apply to writing software in any high-stakes situation at any startup, and focus on where you get the most bang for your buck! – Erik Schluntz, Cofounder & CTO

Poka-Yoke

Poka-yoke is a Japanese term from manufacturing that means "mistake-proofing" by design. A common example is to make a plug non-symmetric so that it's physically impossible to plug in backwards.

Fig 1. The plug on the left could be accidentally reversed, but the plug on the right wouldn't fit

There was a real case of this crashing a Russian Proton-M rocket: a sensor with a symmetric mounting was installed upside down. Had the part been asymmetric, installing it the wrong way round would have been physically impossible even if someone tried.

Fig 6. Proton M rocket crashes on 7/2/2013 due to a sensor installed upside down

In software this matters most for dangerous tooling. Think about what damage a typo in a number could do in your provisioning scripts: one extra zero turns 50 machines into 500. Make the script ask for confirmation only when an input falls outside its normal range; if it always asks, people learn to hit yes without reading the prompt, and the confirmation protects nothing.
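One way to build that guard into a provisioning script, as an added example rather than code from the original post (the bounds, the `plan_instance_count` function, its `ask` callback and the instance counts are hypothetical stand-ins for a real script's inputs): values inside the normal envelope pass without a prompt, unusual values must be confirmed by retyping the number rather than pressing "y", and absurd values are refused outright so a typo cannot be confirmed away.

```python
# Added example (not from the original post): a poka-yoke guard for a
# provisioning script. Normal inputs pass silently; implausible ones must be
# confirmed by typing the number back; absurd ones are refused outright.
# The bounds, the `ask` callback and the instance counts are hypothetical.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Bounds:
    normal_max: int  # at or below this: proceed without asking
    hard_max: int    # above this: refuse, no confirmation possible


def plan_instance_count(requested: int, bounds: Bounds,
                        ask: Callable[[str], str]) -> Optional[int]:
    """Return the count to provision, or None if the operator did not confirm.

    `ask` receives the prompt text and returns the operator's reply (a
    stand-in for input(), so the function can be exercised without a
    terminal).
    """
    if requested <= 0 or requested > bounds.hard_max:
        # A typo that lands here (e.g. an extra zero) cannot be "confirmed" away.
        raise ValueError(f"{requested} instances is outside the allowed range "
                         f"1..{bounds.hard_max}")
    if requested <= bounds.normal_max:
        # Inside the normal envelope: do not prompt, so prompts keep meaning.
        return requested
    # Out of the ordinary but allowed: require the operator to retype the
    # number. A bare "y" is rejected, because "y" is what muscle memory types.
    reply = ask(f"Provision {requested} instances? This is above the usual "
                f"{bounds.normal_max}. Type the number to confirm: ")
    return requested if reply.strip() == str(requested) else None


def replies(*answers: str) -> Callable[[str], str]:
    """Scripted operator for the demo below (stand-in for input())."""
    it = iter(answers)
    return lambda _prompt: next(it)


if __name__ == "__main__":
    bounds = Bounds(normal_max=20, hard_max=2000)
    print(plan_instance_count(5, bounds, replies()))        # 5, no prompt shown
    print(plan_instance_count(50, bounds, replies("y")))    # None: "y" is not enough
    print(plan_instance_count(50, bounds, replies("50")))   # 50
    try:
        plan_instance_count(5000, bounds, replies("5000"))  # typo for 500
    except ValueError as e:
        print("refused:", e)
```

The two thresholds are the whole point: `normal_max` keeps the prompt rare enough that people still read it, and `hard_max` means a value no human would intend is rejected even by an operator who would have confirmed anything.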

Units, Naming, and Typing

A related case is units: how confident are you that everyone who touches this code in the future will know whether the function expects meters, feet, or inches?

do_critical_thing(float distance)

This exact mistake lost the Mars Climate Orbiter in 1999: one team's software produced thruster impulse in imperial units (pound-force seconds) while the other side expected metric (newton-seconds). The simplest defence is a better parameter name, so anyone reading a call site can see exactly what input is expected:

do_critical_thing(float distance_meters)

If you want to go even further enforcing type safety, you can import…
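Here is one way to enforce this in Python, as an added example rather than the original post's code: a separate wrapper type per unit, so that a value in feet cannot be handed to a function that wants meters. A type checker such as mypy or pyright treats `Feet` and `Meters` as unrelated classes and flags the mistake before the code runs, and the `isinstance` check is a run-time backstop. The class names, the `do_critical_thing` body and its return value are assumptions made for illustration; 0.3048 m per foot is the defined conversion.

```python
# Added example (not from the original post): distinct unit types so a
# distance in feet cannot be passed where meters are expected. The check is
# enforced statically by a type checker (Feet and Meters are unrelated
# classes) and, as a backstop, at run time. `do_critical_thing`, its return
# value and the class names are illustrative; 0.3048 m/ft is the defined
# value of the international foot.
from dataclasses import dataclass


@dataclass(frozen=True)
class Meters:
    value: float

    def __add__(self, other: "Meters") -> "Meters":
        # Meters + Feet is a TypeError, not a silently wrong number.
        if not isinstance(other, Meters):
            return NotImplemented
        return Meters(self.value + other.value)


@dataclass(frozen=True)
class Feet:
    value: float

    def to_meters(self) -> Meters:
        # The only sanctioned path from feet to meters: explicit and named.
        return Meters(self.value * 0.3048)


def do_critical_thing(distance_meters: Meters) -> float:
    """Returns the distance in meters; refuses anything that is not Meters."""
    if not isinstance(distance_meters, Meters):
        raise TypeError(
            f"expected Meters, got {type(distance_meters).__name__}: "
            "convert explicitly with .to_meters()")
    return distance_meters.value


if __name__ == "__main__":
    print(do_critical_thing(Meters(10.0)))            # 10.0
    print(do_critical_thing(Feet(10.0).to_meters()))  # 3.048
    for bad in (Feet(10.0), 10.0):
        try:
            do_critical_thing(bad)  # type: ignore[arg-type]
        except TypeError as e:
            print("rejected:", e)
```

Note that a bare `float` is rejected too: the raw number is exactly the value whose unit nobody can see, so the only way into `do_critical_thing` is through a type whose name says what it holds.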