Higher Order Software -- A Methodology for Defining Software

About This Document

Citation: Hamilton, Margaret H. and Saydean Zeldin. “Higher Order Software — A Methodology for Defining Software.” IEEE Transactions on Software Engineering, SE-2(1): 9—32, March 1976.

DOI: 10.1109/TSE.1976.233798

Source: Paywalled (IEEE TSE). Research copy. Prepared under NASA Contract NASA9-13809 at the Charles Stark Draper Laboratory.

This is THE foundational HOS publication — the paper that virtually everything else in the Hamilton canon references. Where the 1974 Springer conference paper introduced the axioms, this IEEE TSE paper is the full formal treatment: complete axioms, derived theorems with proofs, specification language principles, analyzer design, real-time control, management methodology, and results from actual application to Shuttle and DAIS avionics programs.

View source document (PDF)

---

Higher Order Software — A Methodology for Defining Software

Margaret H. Hamilton and Saydean Zeldin, Charles Stark Draper Laboratory, 1976

Higher Order Software is defined as “a formal methodology for reliable systems specification and development.” The foundational insight is that software must be defined as hardware-independent, language-independent, and computer-resident-software-independent. HOS concerns itself only with “computable functions and their relationships,” adopting the Church-Turing definition: a function is effectively computable if there is a mechanical and finite method of calculating the value of the function in all cases when its arguments are given.

The critical empirical finding that drives the entire paper appears in a footnote on page one: “Seventy-three percent of all problems found during the APOLLO integration effort were interface problems; and verification accounts for 50 percent of the total software development effort.” This 73% figure — later rounded to 75% in subsequent publications — became the empirical anchor for the entire HOS program and the decades of work that followed.

The Six Axioms of Control

Any software system is represented by a single mathematical function with input domain and output range. The system function is an assumption; subfunctions are derived. The six axioms describe “control” — the formally specified effect of one software object on another.

Axiom 1 (Invocation): A module controls invocation of functions on its immediate, and only its immediate, lower level. The module cannot control invocation on its own level or of its own function. This immediately implies the “no GOTO” property of structured programming and prevents circular invocation.

Axiom 2 (Responsibility): The module controls the responsibility for elements of the output space. There must not exist any member of the input space for which no member of the output space is assigned — totality of the function.

Axiom 3 (Output Access Rights): The module controls access rights to output variables for each immediate lower-level function.

Axiom 4 (Input Access Rights): The module controls access rights to input variables for each immediate lower-level function. The module cannot alter its own input set.

A key theorem derived from Axioms 3 and 4: the output set of a function cannot be the input set of that same function. This eliminates an entire class of side-effect errors.

Axiom 5 (Rejection): The module can reject invalid elements of its own, and only its own, input set. This formalizes error detection as a first-class concern.

Axiom 6 (Ordering): The module controls the ordering of each tree for the immediate lower level. This governs priority relationships for real-time processes, including a theorem that a process cannot interrupt itself and that the WAIT statement is inconsistent with the control system.

Modern Connection

Hamilton’s proof that WAIT is inconsistent with the control system (Lemma 6.4.4.1) is a formal argument against the kind of blocking synchronization that modern concurrent programming frameworks — async/await, actors, CSP channels — have empirically learned to avoid. Hamilton proved it formally in 1976; the industry arrived at the same conclusion through decades of debugging deadlocks.

Interface Correctness

Interface correctness is defined as “a property of a system which results in the ability to perform a function without ambiguity.” It is proven by showing axiom consistency. The paper carefully distinguishes interface correctness (provable by HOS) from performance correctness (the “does the algorithm do the right job?” question, which requires testing or formal proof). Of Apollo errors, 13% were performance specification errors; 73% were interface errors. HOS targets the 73%.

Specification Language Principles

The HOS specification language separates system performance properties from interface correctness properties. It is not primarily a language for computer execution but for reliable system decomposition. Three levels of checking are defined: assembler (instruction level), compiler (statement level), analyzer (interface specification level).

The nodal family — a node and its immediate lower-level nodes — is the fundamental unit of decomposition. Two primitive decomposition types form the basis:

• Partition: Divides input elements or output variables. Two subtypes exist: selection partition (divides elements of the input set, each subfunction produces all output variables) and class partition (divides output variables, all subfunctions performed for every input).
• Composition: Communication between subfunctions on one level. Variables flow from one subfunction through intermediate variables to another.

The paper formally proves that if A then B (without else) is invalid in HOS because it creates an incomplete partition. The while A do B construct is invalid because it can alter its own input set, violating Theorem 3,4.1. Recursion replaces iteration through a combination of composition and partition.

Error detection and recovery are formalized: errors occur when output is undefined; detection occurs when input is invalid (maps to Reject). Recovery is always provided by the controller, not the function itself. The “P unless error then refresh P” construct enables system-wide restart — a direct formalization of Apollo’s restart capability.

Modern Connection

The “P unless error then refresh P” construct is a formal specification of what Erlang/OTP’s supervision trees implement: kill the failing process subtree and restart from a known-good state. Hamilton formalized this pattern in 1976; Joe Armstrong independently developed it for telephony in the 1980s.

The Design Analyzer and Structuring Executive

Two analyzers form the core tooling:

The Design Analyzer (static analysis) operates in four phases: (1) check interface correctness, (2) determine where performance testing is needed, (3) analyze timing and memory per level, and (4) automatically program from HOS to intermediate language or execution.

The Structuring Executive Analyzer (dynamic/real-time) handles the man/machine interface, hardware/software interface, error detection/recovery, real-time reconfiguration, and dynamic allocation. The key principle: “the human can select any reconfiguration of nodes in real time without concern for introducing errors into the system.”

The two analyzers are functionally equivalent: the Design Analyzer does statically what the Structuring Executive does dynamically.

Software Management

The Apollo statistical analysis yielded additional findings beyond the 73%: 44% of anomalies were found by “eyeballing” (manual inspection); no pure software problems occurred in any Apollo flight; the AGC systems software (scheduler, display interface, restart modules) had zero interface problems during integration — all 73% of interface errors were between application modules.

Hamilton and Zeldin establish that the management structure should mirror the software structure one-to-one. Managers at the same level do not determine interfaces with each other — interfaces are set by the higher-level manager. This is a direct formalization of the Apollo management structure.

Modern Connection

Conway’s Law (1967) observed that organizations produce designs mirroring their communication structures. Hamilton went further: she formalized it as a design principle and proved it optimal for interface control. This is a stronger claim than Conway’s observation — not that organizations inevitably mirror their software, but that they should, and here is the mathematical proof of why.

Results

HOS was applied to: Shuttle Flight Software Requirements Integration (partial axiom application) and DAIS avionics (full HOS definition of requirements, link editor, and federated multiprocessor operating system). The automatic structured design diagrams were operational. A prototype HOS Analyzer was under development, translating HAL source code to HOS control descriptions.

Counter to expectations, HOS structuring often produced more efficient code than conventional methods. The recommendation: always structure at the functional level using axioms; design as if communicating with an asynchronous executive. “It is hoped that someday solutions to efficiency problems will be more powerful hardware, rather than a compromise of software reliability.”

Hamilton predicted: “Someday, the only phase that should be required for software development will be Phase 1” — the definition of functions and interfaces.

---

References

The paper contains 22 references including Hamilton’s internal Draper Laboratory memos and notes, the 1974 Springer conference paper presenting the axioms, and related work on structured programming and formal methods.

---

Related Documents

• HOS Conference Papers (1974, 1978) — The 1974 Springer paper first introduced the axioms that this paper formalizes in full. The 1978 COMPSAC paper takes the reliability concerns of this paper and develops them philosophically.
• The Relationship Between Design and Verification (1979) — Extends the analyzer and verification concepts from Section II.D into a complete paper on design and verification methodology.
• The 001 Tool Suite: Evolution of Automation — The USE.IT system (1983) and 001 Tool Suite (1990) implement the automatic programming concepts described here as future work.
• USL: Lessons Learned from Apollo (2008) — Explicitly cites this paper’s axioms as the origin of USL’s formal foundation.
• What the Errors Tell Us (2018) — Hamilton’s capstone paper, which presents the mature error taxonomy built on the empirical foundation established here.
• Colossus Erasable Memory (1972) — The actual COLOSSUS code that generated the 73% interface error finding driving this entire paper.