Problem: You need to signal success or failure of a request to its sender.
Context: The sender is a human user. Humans hate being told what they did was wrong, and if your application does it then they will start hating it. Humans also hate being interrupted and told what to do, especially when either or both are gratuitous.
Forces: Failure is a normal part of life. Human beings do not appreciate, like, or react well to negative reinforcement.
Solution: Use positive reinforcement exclusively. When the request is successful, signal it with either its result, or some pleasing soundbite. When the request is unsuccessful, signal it with either silence, or a result that doesn't interrupt the user's work flow. Be noisy with success, unobtrusive with failure.
Example 1: What you get when you fetch a WikiPage or web page that doesn't exist. (i.e. a web page that says "this page doesn't exist, try looking here", not a beeping "file not found" pop-up message box)
Example 2: The Transmission Stopped! message at the end of a web page when you stop OperaBrowser from fetching it. (not complete destruction of whatever has been transferred so far, or a modal dialog that refuses to proceed until the user confirms that the web page is incomplete)
Netscape used to do this too. I don't remember what the exact message was, but the first character was >, to close any HTML tags that might have been open.
Criticism and contradictions with well-established practices:
"Human beings do not appreciate, like, or react well to negative reinforcement."
Strongly disagree with the 'react well' part. Many people react far better to negative criticism than praise. In the military they beat you down with verbal abuse and many perform far better under that environment than if they were coddled.
The RuleOfSilence suggests that if you have nothing surprising to say, don't say anything. Success should not be surprising. ThereIsMoreThanOneWayToScrewItUp - given a lack of CosmicAwareness? it is impossible to predict all failures ever. There are also contexts in which you can't lock down all potential failures. A good example is trying to match against the Postcode Address File (PAF). There are too many types of failure to not tell the user precisely why you couldn't do what they asked, many of which you can't pre-empt. There are even cases where you explicitly need to allow a SoftFailure? - many of which you can't pre-empt.
While I agree with many of the ideas on NewOsFeatures (which I belive spawned this page), I can't disagree more with this one. Perhaps I've just used un*x for too long and have had my brain warped, but I prefer the exact opposite of this idea. I'd even go so far as to say the first line of the page is an flat-out lie. Silent failure isn't the inversion of an AntiPattern, it's an AntiPattern itself.
I tend to get really annoyed at noisy success. It irks me when some simple CommandLine program feels the need to spout *useless* messages all over my terminal. It's even more irritating in a GUI. Success is (or should be) the norm. Being noisy about it interrupts my workflow.
On the other tentacle, silent failure is even worse. If something is wrong, I want to know what. While MakeFailureImpossible is a lofty goal, it is also impossible in many (most?) cases. In such a case, I would vastly prefer to know what's going on. (This isn't to say that I want an application locking modal dialog, that's annoying too.)
Basically, I want the computer to do what I tell it to. And be quiet about it. If for whatever reason it can't do what I want, tell me. Simple as that. -- LeviAho?
Clarification:
But Silent failure can leave people waiting indefinitely. Is it done? Did it work? It hasn't said anything for 10 minutes. I guess I'll wait another 10 minutes. How will I know when to stop waiting?
When it's not "finished" but also no longer "in progress". Both of these stages are successful stages, not failures. The only reason you'd need to signal failure is if you never signaled completion or progress in the first place.
Which leads back to the point made by AlanCooper; do you want to cooperate with users even at the price of catering to their psychological needs, or do you prefer to wage war against them?
I just want to let them know when I couldn't do what they asked.
Why? This is a serious question. Is there something they can do to change the fact that you couldn't complete their request? Or is it impossible to fulfill their request and it was your fault, your laziness, that you made it appear to them as though it was possible?
Let's take another look at OperaBrowser. When a connection times out, there's usually something I can do. Usually, it times out because my dialup connection screws up. So what I can do is reconnect to the ISP and reload the page. So it actually makes sense for Opera to signal failure in some way. Or does it?
The majority of the time that I get connection time outs is because I'm not connected to the net at all. Can I do anything about the time outs? No. Do I want to do anything about them? No! So why the bloody hell is Opera tearing my attention away from the page I'm reading in order to whine to me that some connection I don't care about is timed out? In fact, even when I do want to reload the page, popping up an error dialog to tear my attention away from what I'm doing is a BadThing. The time outs should accumulate unobtrusively in their own little window, exactly like Opera's transfers window accumulates file downloads. This would communicate them to the user when the user wants to see them and it would gather them all in one place where they can't be lost. And the reason for this is because time outs are not errors, they aren't "exceptional situations which justify the special attention of the user".
Why is it considered acceptable, even virtuous, for application software to be whiny?
From above: So the floppy drive icon shouldn't appear anywhere unless there's a floppy disk in the drive?
In MacOsClassic (I don't know about MacOsx) this is exactly how it worked - if a disk of any kind (logical or physical) was available to be used, it would appear on the desktop. I found it perfectly natural to use - no floppy visible, the drive is empty. In comparison, whenever I used MicrosoftWindows, I would find it annoying to see the icon representing the floppy drive in "My Computer", because I could click on the icon, only to be rewarded with an annoying dialog box saying the drive was empty.
How will the user know the computer knows it has a floppy drive and what it's called?
The user has to assume at least minimal competence on the part of the people who programmed the OperatingSystem. Speaking as someone who has suffered through installing LinuxOs numerous times, I would really, really like to be able to assume this. But often, sadly, you can't. -- EarleMartin
Discussion (moved from NewOsFeatures)
[One of the suggested NewOsFeatures] seems to be suggesting that silent failure is a good thing, which seems obviously wrong.
Web browsers use silent failure because this is considered a good thing in GUIs. Personally, I can't stand when OperaBrowser opens an error dialog just because a connection timed out. It should treat connection time outs just like stops by displaying a valid-seeming page with Transmission Stopped! at the end. See InteractionDesign for more details.
Silent failure is just intelligent design.
So far you have not supported this generalization. I am arguing that whether you prefer silent failure or noisy failure is a subjective matter. Claiming that silent failure is inherently more intelligent design than noisy failure is just dogma.
An OS forcing noisy success is no more undesirable than a language forcing OO programming. That's because when failure is as common as waves in the ocean, its exact nature is rarely of relevance. And when you allow users to formulate invalid requests, you get a flood of failures. The lesson is to MakeFailureImpossible.
That assumes the editor knows where the user wants to save the document before it opens the document. The user may not even know that. How will the editor?
Hardly. It merely assumes the editor doesn't open a Save As dialog which displays every directory whether it's writeable or non-writeable by the user. All that's required of the editor is that its dialogs display only valid possibilities.
Besides, in an OS with TransparentPersistence (the kind described in NewOsFeatures, where this thread originated) the entire operation of "saving" a document is meaningless and the editor always knows where to "save" a document before it opens it (or it would, if the operation weren't meaningless).
I don't like silent failure. I see it too often. Just last week we had two new PCs that popped up a window when we powered them up, saying "initializing something or other, please don't touch keyboard or mouse...". We sat there for 20 minutes wondering if they were initializing or if they had failed to initialize. Eventually we gave up, but there was no stimulus to prompt that action. We did it because we guessed. I don't want to guess. I want to know.
In the example above, it's not silent failure that caused the problem but silent success. If you were used to software that gave constant progress updates, you would have known immediately that it had failed to initialize precisely because it was silent.
If it stopped giving constant progress updates, how long would I have to wait to know that? What if it was the first time I used it?
Then too bad. It's completely unreasonable to design user interfaces to the stupidest, most ignorant, or least experienced user imaginable.. [Now, that's what I would call arrogance]
I'm glad you don't design my user interfaces.
On the one hand, you don't want to cut off too many people. On the other hand, if you've got 10,000 users, and you design for the 10,000'th guy on the competence list, that's at least 9,900 users you're going to end up alienating. If nothing else, Mr(s). 10,000 needs something on the screen to report to Mr(s). 500 when they go looking for help. It is neither arrogant nor unreasonable to say that you can't design interfaces to the bottom .01% and expect a useful program for most people to emerge; it's the exact same error, in reverse, as designing for the top .01%.
Let's imagine this pattern applied to a compiler. On success it prints "Compilation succeeded." On failure it prints nothing. How do I know what caused it to fail? -- EricHodges
last 20 progress.log
Except that the compiler, being designed intelligently to display its successes (progress) noisily will have displayed it all in its window. So just glancing at it will show the last functions successfully compiled and the last operations attempted. At that point, knowing the operation which the compiler failed to complete should enable any cretin to put two and two together to figure out where it failed. Answer: it failed in the last operation it attempted.
Perhaps you can take this opportunity to justify your belief, made implicit numerous times on this page, that user interface design should be targeted at people at least 20 IQ points below the stupidest of computer literate users.
Isn't it better to show ONE failure message instead of 100 success messages. I tend to get lost in a sea of messages.
No. If you don't want to be swamped by a mass of details then you can stick to displaying "working .../-\|*" to indicate that the program is working on whatever. Then, when it fails it should display the failure point in the exact same mode as it's been displaying progress. So there are no modes, no error dialogs, no beeps, no annoying stuff.
3rd voice: For a compiler, "success" includes printing diagnostics about the input file and exiting with a non-zero code when the input is incorrect. Thus, it noisily succeeds by printing error messages!.
And in that vein, FreedomIsSlavery.
As a compiler user, I don't care what the compiler programmer thinks is success or failure. The programmer is there to cater to MY needs and so I get to decide what's success and failure. And if the compiler crashes then woe be to the compiler writer! And if the OS displays an error message because the compiler crashed then woe be to the OS writers!
It seems that most of this dialog could be summarized by: "But ... things *do* fail. The user *needs* to know there's a problem. If the software does *nothing*, is *silent*, the user is left in suspense as to whether the computer is still working on it, or if there is some sort of failure. You must *indicate* failure somehow." "Yes, if you simply silence programs that currently have noisy failure, keeping the user in suspense is a problem. But when it comes to fixing that problem, ThereIsMoreThanOneWayToDoIt. Rather than make failure noisy, I prefer to make success more noisy. If there's some little animated thingy that keeps spinning while the software is *working*, then when that stops, the user knows it is *done*. For example, a compiler could write out the function name and line number it has *succeeded* in compiling, then overwrite it with the next function name and line number it has *succeeded* in compiling. When the compiler can't understand some line, it simply stops. If the user turns sound effects on, he hears faint 'crunching away' sounds (positive) as the compiler works, then either dead silence (failure) or some happy trumpet fanfare."
On the AppleMacintosh, dragging a song from AppleItunes? (iTunes) to a track in GarageBand: I drag the song over the track region in GarageBand, and a Plus icon appears to indicate that dropping is possible. So far, this matches the behavior described in the manual and in help. Next, drop the song - nothing happens. This is a silent failure.
This particular behavior follows the rule of SilentFailureNoisySuccess rule, but badly breaks the rule of discoverability. To discover the cause of the failure, I had to dream up experiments. Try dragging another song - does that work? No. Try dragging another song - does that work? Yes. Ok, so the icon wasn't totally lying - it is possible to drag a song to a track. OK, why not the song I wanted - oh, I see - the songs that won't drop have longer names. I guess there's some kind of maximum name length limit in GarageBand tracks. Nice of it to tell me that in the first damn place!
Now, that doesn't mean obtrusive failures that interfere with the work flow are good, but simple silent failure is not a better answer.
See AlternativesToObtrusiveFailures.
Oh really? It seems to me that your problems are that your Mac lied to you and that the application you're using is retarded. If the only counter-argument that people can come up with against silent failure is that they have to deal with retarded software, then it's a damned good argument for instituting universal silent failure ASAP. Broken software will be totally intolerable and people will no longer put up with that shit. -- RK
Every program has faults, and no program is ever finished. If one of the programs infrastructure decisions (in this case, silent failures) makes those minor faults into serious impediments to use, to me, that's a much bigger problem than the faults themselves. I'm envisioning being the programmer looking at the bug database seeing "Minor - Can't drop files with very long names" next to something like "Major - crashes with more than 9 tracks on OS X rev xxx". Which one do you think will get the priority fix for next release? How mach programmer time would have to be dedicated per release to -ever- get that minor bug fixed? How much would the product cost? If features are scaled back to fix minor bugs and keep costs down, will the product compete with other products' new features?
Now, add to that the fact that there are possible compromises between the extremes of modal failure dialogs and utterly silent failure...
I'm sorry but I do NOT consider being unable to deal with long filenames to be a minor problem. I consider it to be a critical problem, one indicative of a major and fundamental architectural fault in the software. This is the kind of thing that programmers should get fired over.
As for dealing with more than 9 tracks? I consider trying to deal with more than 1 track to be a serious misdesign of software. But then, that's because I actually understand that sequencing objects (songs, movies, whatever) is a completely independent function from operating on those objects. In fact, sequencing is a basic operating systems function. And even admitting the fact that mainstream OSes are so retarded that they don't provide this function (though Unix does provide it in the shell), the fact would still remain that you're dealing with two radically different and wholly independent pieces of software and so trying to compare bugs between them is just plain dumb.
Finally, it's just like a programmer to buy into the idiot myth that "features" give value to software. They do not. What gives value to software is giving the user the ability to consistently and uniformly perform a few very simple and basic operations. Users don't give a damn about "playing mp3s" vs "playing avis". They care about "playing a song" or "playing a movie". Stick to one basic operation and perform it consistently (eg, regardless of input stream format) and for the love of my sanity, do NOT get lost in the idiocy of "features". Especially "new features" introduced by your competitors, who are invariably idiots anyways. (I mean geez, do you really think you can get a competitive advantage doing what every other moron is doing??) In other words, to the question "is it better to fix minor bugs or introduce new features", I say to hell with the features!
I'm against silent failure and recently had a case come up where it was potentially a life-or-death issue. I'm working on a mapping component for an open-source project that helps operators co-ordinate disaster rescue teams. The lead developer is of the opinion that SilentFailure? is good, i.e. it is better to have a broken map than no map at all, and that errors should therefore be ignored. Consequently, if a map layer or feature fails for any reason, the map still shows, without the feature, and without any distracting warnings. Now imagine that those map features represent people on top of buildings in a flood, about to be swept away and drowned, who have 'phoned in their positions. Some minor website configuration problem means they don't show up on the map. The helicopter won't rescue them because the operator won't know they are there. They would be swept away and lives lost. It is obvious to me that it is far better that the operator is told that there is a problem and that the map data is misleading, at least then a helicopter could make a pass over the area. Despite this argument, which I presented to him, the lead developer still believes that missing a.k.a. misleading data is better than no data and wants to keep all the do-nothing catch blocks in the code. I'm dreading the day arrives when I have to tell him "I told you so". Is this negligence? I write this code but not in a way I want. Could I potentially get sued if this did happen?
LimpVersusDie is a different issue than SilentFailureNoisySuccess. For example, you could provide an icon to indicate when a layer is not displaying correctly, or that you're using cached information, and still provide a partial map.
It strikes me that the best approach is to do whatever's quietest while still allowing the use to know what they need to know - I don't think anyone's arguing that a compiler should pop up a new dialog every time it tokenises another method, and I don't think anyone would object to having the system-tray icon change from yellow (changed or compiling) to red (failed) or green (succeeded) provided you could then go and find out more about the failure (whether that's a list of the tasks that were started, or a detailed error condition report is, in many ways, unimportant).
Both sides of the argument seem to have been spending a lot of time chasing scarecrows, or arguing about issues orthogonal to the page's topic...
See: InteractionDesign, MakeFailureImpossible, UseReversibleOperations?, FailGracefully?, RuleOfSilence