Home > Store > Software Development & Management > Architecture and Design

Software Fundamentals: Collected Papers by David L. Parnas

Register your product to gain access to bonus material or receive a coupon.

Software Fundamentals: Collected Papers by David L. Parnas

Book

  • Your Price: $39.96
  • List Price: $49.95
  • Usually ships in 24 hours.

About

Features

Description

  • Copyright 2001
  • Dimensions: 7-3/8x9-1/4
  • Pages: 688
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-70369-6
  • ISBN-13: 978-0-201-70369-6

David L. Parnas is one of the grandmasters of software engineering. His academic research and industrial collaborations have exerted far-reaching influence on software design and development. His groundbreaking writings capture the essence of the innovations, controversies, challenges, and solutions of the software industry. Together, they constitute the foundation for modern software theory and practice.

This book contains thirty-three of his most influential papers in various areas of software engineering. Leading thinkers in software engineering have contributed short introductions to each paper to provide the historical context surrounding each paper's conception and writing.

Software Fundamentals: Collected Papers by David L. Parnas is a practical guide to key software engineering concepts that belongs in the library of every software professional. It introduces and explains such seminal topics as:

  • Relational and tabular documentation
  • Information hiding as the basis for modular program construction
  • Abstract interfaces that provide services without revealing implementation
  • Program families for the efficient development of multiple software versions
  • The status of software engineering as a profession
  • Why complex software, such as for the Strategic Defense Initiative, is unlikely to work the first time that it is used in the field

As a celebration of one of the fathers of modern software engineering, and as a practical guide to the key concepts underlying software development, Software Fundamentals is valuable for professionals, especially those who are interested in teaching the fundamentals of software.

David Parnas is highly regarded for his many valuable contributions to software engineering. He developed and applied cutting-edge software technology to the U.S. Navy's A-7E aircraft, and he advised the Atomic Energy Control Board of Canada on the use of safety-critical, real-time software. During his career, he has contributed more than 200 papers to ACM, IEEE, and ICSE publications. He won an ACM "Best Paper" award, two "Most Influential Paper" awards from ICSE, and the 1998 "Outstanding Researcher" award from ACM SIGSOFT. In May 2001, Dr. Parnas was recognized at the International Conference on Software Engineering for his lifetime of outstanding achievements.

About the editors:

Daniel Hoffman is an Associate Professor of Computer Science at the University of Victoria in British Columbia. David Weiss is the Director of the Software Technology Research Department at Avaya Laboratories.



0201703696B04062001

Sample Content

Table of Contents



Foreword.


Preface.

I. DESCRIPTION AND SPECIFICATION.

David Lorge Parnas, P.Eng.
1. Using Assertions About Traces to Write Abstract Specifications for Software Modules (Wolfram Bartussek and David L. Parnas).

Introduction.

A FormalNotation for Specification Based on Traces.

Some Simple Examples.

Discussion of the Simple Examples.

A Compressed History of the Development of an Abstract Specification.

Conclusions.

2. Less Restrictive Constructs for Structured Programs (David L. Parnas and William Wadge).

Abstract.

Introduction.

The State of a Computing Machine.

Programs.

Program Specifications.

Primitive Programs.

Control Constructs and Constructed Programs.

Defining the Semantics of Constructed Programs.

The Value of a Program.

The Syntax of the Constructs.

Notation.

Guard Semantics.

The Semantics of a Limited Component.

The Semantics of Limited Component Lists.

The Semantics of “;”.

The Semantics of “stop”, “go” and “init”.

Semantics of the Iterative Construct (it ti).

The Semantics of Parentheses.

The Value of “#”.

The Value Stack.

Exits and Entrances.

A Very Simple Example Done Three Ways.

The DEED Problem.

Conclusions.

3. Predicate Logic for Software Engineering (David Lorge Parnas).

Abstract.

Introduction.

The Structure of This Paper.

Comparison with Other Work.

Basic Definitions.

The Syntax of Logical Expressions.

The Meaning of Logical Expressions.

Examples of the Use of This Logic in Software Documentation.

Conclusions.

4. Tabular Representations in Relational Documents (Ryszard Janicki, David Lorge Parnas, Jeffery Zucker).

Abstract.

A Relational Model of Documentation.

Industrial Experience with Relational Documentation.

Why Use Tabular Representations of Relations?

Formalisation of a Wide Class of Tables.

Transformations of Tables of One Kind to Another.

Conclusions.

5. Precise Description and Specification of Software (D. L. Parnas).

Abstract.

On Foundational Research.

Language Is Not the Issue.

A Polemic About Four Words.

Four Types of Software Products.

Programs and Executions.

A Mathematical Interlude: LD-Relations.

Program Construction Tools.

Describing Programs.

Specifying Programs.

Objects Versus Programs.

Descriptions and Specifications of Objects.

Conclusions.

6. Specifying Software Requirements for Complex Systems: New Techniques and Their Application (Kathryn L. Heninger).

Abstract.

Introduction.

A-7 Program Characteristics.

Requirements Document Objectives.

Requirements Document Design Principles.

Techniques for Describing Hardware Interfaces.

Techniques For Describing Software Functions.

Techniques for Specifying Undesired Events.

Techniques for Characterizing Types of Changes.

Discussion.

Conclusions.

II. SOFTWARE DESIGN.

7. On the Criteria to be Used in Decomposing Systems into Modules (D. L. Parnas).

Abstract.

Introduction.

A Brief Status Report.

Expected Benefits of Modular Programming.

What Is Modularization?

Example System 1: A KWIC Index Production System.

Hierarchical Structure.

Conclusions.

8. On a “Buzzword”: Hierarchical Structure (David Parnas).

Abstract.

Introduction.

General Properties of All Uses of the Phrase “Hierarchical Structure”.

Summary.

9. Use of the Concept of Transparency in the Design of Hierarchically Structured Systems (D.L. Parnas and D.P. Diewiorek).

Abstract.

Introduction.

The “Top Down” or “Outside In” Approach.

“Transparency” of an Abstraction.

Preliminary Example.

“Register” for Markov Algorithm Machine.

A Hardware Example.

An Unsolved Transparency Problem from the Operating System Area.

“Suggestive Transparency”.

“Misleading Transparency”.

Outside In and Bottom Up Procedures in Combination.

10. On the Design and Development of Program Families (David L. Parnas).

Abstract.

Introduction.

Motivation for Interest in Families.

Classical Method of Producing Program Families.

New Techniques.

Representing the Intermediate Stages.

Programming by Stepwise Refinement.

Technique of Module Specification.

Comparison Based on the KWIC Example.

Comparative Remarks Based on Dijkstra's Prime Program.

Comparative Remarks Based on an Operating System Problem.

Design Decisions in Stage 1.

Stage 3.

How the Module Specifications Define a Family.

Which Method to Use.

Relation of the Question of Program Families to Program Generators.

Conclusions.

Historical Note.

11. Abstract Types Defined as Classes of Variables (D.L. Parnas, J.E. Shore, D.M. Weiss).

Introduction.

Previous Approaches.

Motivations for Type Extensions.

A New Approach.

Applying These Concepts to Designing a Language.

12. Response to Undesired Events in Software Systems (D.L. Parnas, H.W. Wuerges).

Abstract.

Introduction.

Difficulties Introduced by a “Leveled Structure”.

The Effect of Undesired Events on Code Complexity.

Impossible Abstractions.

Error Types and Direction of Propogation.

Continuation After UE “Handling”.

Specifying the Error Indications.

Redundancy and Efficiency.

Degrees of Undesired Events.

Examples.

Conclusions.

Appendix 12.A: Annotated Example of Module Design in Light of Errors.
13. Some Software Engineering Principles (David L. Parnas).

Abstract.

Introduction.

What Is a Well-Structured Program?

What Is a Module?

Two Techniques for Controlling the Structure of Systems Programs.

Results.

Error Handling.

Hierarchical Structure and Subsetable Systems.

Designing Abstract Interfaces.

Conclusions.

14. Designing Software for Ease of Extension and Contraction (David L. Parnas).

Abstract.

Introduction.

Software as a Family of Programs.

How Does the Lack of Subsets and Extensions Manifest Itself?

Steps Toward a Better Structure.

Example: An Address-Processing Subsystem.

Some Remarks on Operating Systems: Why Generals Are Superior to Colonels.

Summation.

15. A Procedure for Designing Abstract Interfaces for Device Interface Modules (Kathryn Heninger Britton, R. Alan Parker, David L. Parnas).

Abstract.

Introduction.

Objectives.

Definitions.

Design Approach.

Design Problems.

Summary.

16. The Modular Structure of Complex Systems (D.L. Parnas, P.C. Clements, D.M. Weiss).

Abstract.

Introduction.

Background and Guiding Principles.

A-7E Module Structure.

Conclusions.

17. Active Design Reviews: Principles and Practices (David L. Parnas, David M. Weiss).

Abstract.

Introduction.

Objectives of Design Reviews.

Conventional Design Reviews.

A More Effective Review Process.

Conclusions.

18. A Rational Design Process: How and Why to Fake It (David Lorge Parnas, Paul C. Clements).

Abstract.

The Search for the Philosopher's Stone: Why Do We Want a Rational Design Process?

Why Will a Software Design “Process” Always Be an Idealization?

Why Is a Description of a Rational Idealized Process Useful Nonetheless?

What Should the Description of the Development Process Tell Us?

What Is the Rational Design Process?

What Is the Role of Documentation in This Process?

Faking the Ideal Process.

Conclusion.

19. Inspection of Safety Critical Software using Function Tables (David Lorge Parnas).

Abstract.

Introduction.

Safety-Critical Software in the Darlington Nuclear Power Generating Station.

Why Is Software Inspection Difficult?

Functional Documentation.

Program-Function Tables.

The Inspection Process.

Hazard Analysis Using Functional Documentation.

Conclusions.

III. CONCURRENCY AND SCHEDULING.

20. Concurrent Control with “Readers” and “Writers” (P.J. Courtois, F. Heymans, D.L. Parnas).

Abstract.

Introduction.

Problem 1.

Problem 2.

Final Remarks.

21. On a Solution to the Cigarette Smokers' Problem (Without Conditional Statements) (D.L. Parnas).

Abstract.

Introduction.

Comments.

On Patil's Proof.

Patil's Result.

On a Complication Arising from the Introduction of Semaphore Arrays.

On the Yet Unsolved Problem.

On More Powerful Primitives.

22. On Synchronization in Hard-Real-Time Systems (Stuart R. Faulk and David L. Parnas).

Abstract.

Introduction.

The Need for a Separation of Concerns.

A Two-Level Approach to Synchronization.

Considerations at the Lower Level.

The Lower-Level Synchronization Primitives.

Considerations at the Upper Level.

The STE Synchronization Mechanisms.

Implementation in Terms of the Lower-Level Mechanism.

The Pre-Run-Time Scheduler.

Why Another Synchronization Mechanism?

Experience and Results.

Summary.

23. Scheduling Processes with Release Times, Deadlines, Precedence, and Exclusion Relations (Jia Xu and David Lorge Parnas).

Abstract.

Introduction.

Overview of the Algorithm.

Notation and Definitions.

How to Improve on a Valid Initial Solution.

Searching for an Optimal or Feasible Solution.

Empirical Behavior of the Algorithm.

Conclusions.

Appendix 23.A: An Implementation of the Procedure for Computing a Valid Initial Solution.
Appendix 23.B: An Implementation of the Main Algorithm.
Appendix 23.C: Examples 1$#150;5.

IV. COMMENTARY.

24. Building Reliable Software in Blowhard (David L. Parnas).

Introduction.

On “Building In”.

Four Views of a Programming Language.

Resolving Conflicts of Viewpoint in the Design of BLOWHARD.

What Is BLOWHARD?

Why This Farce?

25. The Impact of Money-Free Computer Assisted Barter Systems (David L. Parnas).

Introduction.

Money Versus Barter as a Mechanism for Exchanging Our Current Goods and Services.

Money Versus Barter for Future Sales?

What Would Barter Mean for Foreign Trade?

Are CABS a Dream or Are They Current Technology?

Turning Theory into Practice.

What Would Be the Net Effect of the Use of CABS?

Can a Materialistic, “Rational”, System Be Humane?

CABS and the Moral Illnesses in the Bishop's Report.

26. Software Aspects of Strategic Defense Systems (David Lorge Parnas).

Abstract.

Introduction.

Why Software Is Unreliable.

Why the SDI Software System Will Be Untrustworthy.

Why Conventional Software Development Does Not Produce Reliable Programs.

The Limits of Software Engineering Methods.

Artificial Intelligence and the Strategic Defense Initiative.

Can Automatic Programming Solve the SDI Software Problem?

Can Program Verification Make the SDI Software Reliable?

Is SDIO an Efficient Way to Fund Worthwhile Research?

27. SDI: A Violation of Professional Responsibility (David Lorge Parnas).

Introduction.

SDI Background.

The Role of Computers.

My Decision to Act.

Critical Issues.

Broader Questions.

28. The Professional Responsibilities of Software Engineers (David Lorge Parnas).

Abstract.

Personal Responsibility, Social Responsibility, and Professional Responsibility.

The Social Responsibility of Scientists and Engineers.

The Professional Responsibilities of Engineers.

What Are the Obligations of the Engineer?

Professional Practice in Software Development.

A Simple Example, Pacemakers.

Other Concerns.

The “Know How” Isn't There.

How to Improve the Level of Professionalism in Software Development.

29. Software Aging (David Lorge Parnas).

Abstract.

What Nonsense!

The Causes of Software Aging.

Kidney Failure.

The Costs of Software Aging.

Reducing the Costs of Software Aging.

Preventive Medicine.

Software Geriatrics.

Planning Ahead.

Barriers to Progress.

Conclusions for Our Profession.

30. On ICSE's “Most Influential Papers” (David Lorge Parnas).

Background.

What Are the Best Papers of Our Most Important Software Engineering Conference?

We Must Be Doing Something(s) Wrong!

We Need to Change Something.

Conclusions.

31. Teaching Programming as Engineering (David Lorge Parnas).

Introduction.

Programming Courses and Engineering.

The Important Characteristics of Programming Courses.

The Role of Mathematics in Engineering.

The Role of Programming in Engineering, Business, and Science.

The Content of Most “Standard” Programming Courses.

Programming Courses Are Not Science Courses.

A New Approach to Teaching Programming.

The Mathematics Needed for Professional Programming.

Teaching Programming with This Mathematical Background.

Experience.

Conclusions.

32. Software Engineering: An Unconsummated Marriage (David Lorge Parnas).

Software Engineering Education.

33. Who Taught Me About Software Engineering Research? (David Lorge Parnas, P.Eng.)

Whom to Thank?

Everard M. Williams.

Alan J. Perlis.

Leo Aldo Finzi.

Harlan D. Mills.

Conclusions.

V. BIBLIOGRPAHY.

Bibliography.
Bibliographies.
Credits.
Index.

Preface

Daniel M. Hoffman and David M. Weiss

Why Create a Book Around Dave Parnas's Work?

It is sometimes said that progress in a scientific discipline can be measured by how quickly its founders are forgotten. Software development, sometimes called software engineering, is not a scientific discipline and is still young: Many of those who formulated fundamental principles in the field are still active in it. Unfortunately, we have the worst of both worlds: Our founders seem dimly remembered, and we are making little progress towards becoming a discipline. Fundamental ideas, such as information hiding and abstraction, are only vaguely understood by those who need them most and are constantly reinvented. Those who practice software development and those who teach software engineering seem uneducated in, and unaware of, the history of their profession.

This book is our attempt to provide a view of the work of one of the grandmasters of our field, highlighting the fundamental ideas that he and his colleagues invented and expounded. We hope to provide a reference for those who teach and those who do, giving them both an historical record, a clear explanation of fundamental ideas that will help them in their work, and a set of examples to use and emulate. David L. Parnas is both a clear and creative thinker and an extraordinary expositor of seminal ideas. The issues that he addresses are at the heart of software engineering today; his explanations are still relevant and his solutions, trialed on real systems, transfer to today's software development organizations and environments.

Do you need to understand how to organize your software into modules so it can be easily maintained and so that your modules are reusable, whether they are expressed as classes, packages, or other forms? Dave Parnas identified the information hiding principle and showed how to to use it to construct workable, reusable modular structures that are stable over time. (See Chapters 2 and 16.)

Are you struggling to create APIs to make your software useful to application programmers? Dave Parnas devised the idea (and coined the term) for abstract interfaces, and showed how to design interfaces that provide services without revealing their implementations. (See Chapter 15.) Languages like C++ and Java directly support this idea with abstract classes.

Are you wondering how to create your software as a set of layers that define a hierarchical structure that meets your requirements, lets you build your system a few layers at a time, and lets others add to the structure that you have created? Dave Parnas clearly explained what a hierarchical structure is, what some of the important hierarchical structures that we use are, why people often confuse them, and how to create a layered structure that meets your needs. (See Chapter 8.)

Do you know that your software is going to exist in many different versions, but are having difficulty designing your software not just to accommodate the different versions, but to take advantage of your situation to make your development process more efficient? Dave Parnas defined program families to help with just this situation and showed how to create them in a cost-effective way. (See Chapters 10 and 14.)

Dave has been busy in more than just technical areas. His work includes commentary on the social responsibility of software engineers, both by exposition and by example. His stance on our inability to create trustworthy software for the Strategic Defense Initiative is represented (Chapters 26 and 27), as well as his thoughts on how to teach software engineering (Chapter 31 and 32), and how to make software engineering a profession (Chapters 28 and 33).

Why Did We Pick These Papers?

The preceding are just a few examples of the ideas described in the papers that constitute this book. Out of the more than two hundred papers that Dave has published, we selected thirty-two, plus one special one that he did not write, but strongly influenced. We picked technical papers that expressed fundamental ideas that were groundbreaking when they were published, that have an enduring message, and that are models of exposition, and nontechnical papers that had an influence on the opinions of the time. Some were controversial when published and remain so.

An outstanding aspect of Dave's career is his insistence that his ideas be tested on real problems, where one cannot define away the complexity of the world in the interest of devising an elegant solution. Perhaps the best known examples are the operational flight program (OFP) for the U.S. Navy's A-7E aircraft and the shut-down software for the Darlington nuclear power plant.

The A-7E project, also known as the Software Cost Reduction (SCR) project, was conducted by Dave and colleagues at the U.S. Naval Research Laboratory (NRL). It was a demonstration of how to apply ideas such as information hiding, abstraction, cooperating sequential processes, deterministic scheduling, program families, formal specification, hierarchical structuring, and undesired event handling to the design of a hard-real-time system. Many of the same approaches now appear in modern designs and modern languages under different names; a few diverse examples are exception handling (Chapter 12) and the observer pattern (Chapter 22).

Several years of Dave's time and effort were directed at making the SCR software and its documentation an engineering model of how to develop and document software. The papers derived from the project that appeared in the research literature; such as Chapters 6, 12, 15, 16, 17, 18, and 22, only tell part of the story. The complete set of requirements and design documentation (including what we now term architecture), was published as technical reports by NRL and serve as detailed guides and templates for those wishing to use the ideas.

How Is the Book Organized?

This book contains thirty-three papers divided into four sections. Dave has written a short introduction to each section and we have invited a guest author to write an introduction to each paper.

Specification and Description contains six papers, focusing on the most important kinds of software engineering documentation and the roles that they play. Relational and tabular documentation are presented in depth, including both the underlying mathematical basis and practical notations suitable for use by working programmers.

Design contains thirteen papers, covering the principles and techniques that have been central to Dave's work for the past three decades. Information hiding is emphasized, including the role of information hiding in abstract interfaces, its application in complex systems, and its implications in the design of program families.

Concurrency and Scheduling contains two early papers on the use of semaphores and two more recent papers on new approaches to synchronization and scheduling. The latter focus on achieving both good performance and a module structure that supports maintainability and comprehensibility.

Finally, Commentary contains ten papers on a wide variety of topics including education, social issues, the role of the engineer, and the status of software engineering as an engineering profession.

In the interests of preserving the historical record and of leaving Dave's writing style unperturbed, we have tampered as little as possible with the papers that appear here, only correcting a few typographical errors in most papers.

Why Have Guest Introductions?

The papers span the period from the 1970s through the 1990s. Some use old examples and notations that may not seem relevant to today's Internet world. We asked leading members of our field to write short introductions to the papers to explain the papers' historical and modern relevance. Right from the start, we knew that the introductions must be fun to read and worth reading. They must tell the reader something worth knowing that is not in the paper or is not obvious from reading the paper.

We were most fortunate in gathering an impressive collection of authors. Some have been involved with Dave since his work at NRL and earlier. Others participated in the SCR Workshops that continued the NRL work. Some have never directly collaborated with Dave. All are excellent writers with special insights about the significance of the papers both at the time of writing and today. All wrote with enthusiasm and skill. The thirty-three paper introductions are an important contribution in their own right. The fact that these people were all willing, indeed eager, to contribute speaks highly of Dave's work.

Dave collaborated with us on the selection of the papers in this book. On several occasions he commented that we were likely to get people angry once again. That is the nature of the man and his ideas: insightful, creative, stimulating, provocative. We hope you find that the papers in this book have the same qualities. It is our present to Dave on his sixtieth birthday.

Acknowledgments

We would like to say that we had the idea for this book on our own, but it actually originated with Brad Appleton. Thanks, Brad, for giving us the chance to carry out the idea. Organizational and production details for a book of this sort can get quickly out of hand without an experienced professional editor to guide you. Debbie Lafferty at Addison-Wesley has been a cheerful, steadfast guide for us, appreciating the idea for the book from the first, and working with us to make it happen. During the course of production, all of the papers contained herein were retyped. Dorene Brummel happily took on the job of proofreading them, for which we are very grateful.

Joanne Glazer Weiss showed outstanding forebearance and support when her husband plunged into this project immediately after finishing his first book. He thanks and loves her.

 

Duck Bay, British Columbia

September, 2000

 


0201703696P04182001

Index

Index

Note: Italicized page locators refer to figures.

A
Abbreviations, 219, 221
Aberdeen Proving Ground, 512
ABET
   Computer Science Accreditation Board integrated into, 534
Absolute-value function, 49
Abstract data types, 138, 221, 471
Abstract decisions
   representation of program development using, 196
Abstract interfaces, xxi, 111, 144, 260, 263-264, 298
   defined, 300
   designing for device interface modules, 291-293, 295-314
   principle, 295
   software designed with, 297
   specifications, 407
Abstraction, xxi, 221, 275, 316, 403, 405
   defined, 299
   and design for change, 555
   impossible, 234-235
   and retroactive incremental modularization, 561
   with STEs, 425
   transparency of, 175
   type extension and, 218
   for upper-level mechanisms, 415
Abstraction function
   and module internal structures, 363
Abstraction specification development, 19-26
   current specification for T/L module, 25-26
   flaws in first version of T/L module specification, 22-25
   informal picture of T/L module, 19-21
Abstract machines, 162, 163, 179, 234, 410
Abstract specifications, 7
   example of, 15, 17
Academic institutions
   defense-related funding and role of, 529
Access functions, 302, 309
   defined, 301
Access programs, 418
Accreditation, 534, 541, 546-547, 573, 595, 600. See also Education
Accuracy, 361, 366
ACM, 534, 593
ACM-SIGSOFT Outstanding Researcher Award
   Parnas's receipt of, 597, 599
Action clusters, 200n4, 212
Active design reviews
   conclusions about, 350
   and conventional design reviews, 341-343
   introduction to, 339-340
   and more effective review processes, 343-350
   objectives of, 340-341
   principles and practices in, 337-351. See also Design
Acyclic directed graph, 79
ADA, 94
ADC. See Air Data Computer
Address file module, 280, 281, 283-284
Address information items, 279
Address input module, 282
Address output module, 282
Address-processing system example, 279-285
Address storage module, 280, 281, 283
Address translation tables, 19
Ad hoc notation
   versus mathematics, 2-3
Adjusted release time, 445
AECB. See Atomic Energy Control Board
AECL. See Atomic Energy of Canada Limited
Aerospace
   software engineering-related standards for, 535
AFM. See Address file module
Agent, 395, 396
Aging, software, 549-550, 551-567
AI. See Artificial intelligence
Aircraft Motion Module, 334
Aircraft operating conditions
   consistent notation for, 123-124
Air Data Computer
   development of abstract interface for, 303, 304, 305, 306
Air Information Management System
   for Boeing 777 aircraft, 438
Algol 60, 94, 220, 223, 226, 398, 473, 513
Algorithm for scheduling processes, 439, 440-453
   conclusions on, 452-453
   empirical behavior of, 451-452
   implementation of main, 457-459
   improving on valid initial solution, 447-449
   notation and definitions, 444-447
   overview of, 442-443
   searching for optimal/feasible solution, 449-451
Aliases, 5
Al Maghribi, Al Samawal Ibn Yahya Ibn Yahuda, 89, 90
Alphabetic orderings, 152
Alphabetizer module, 148, 150
ALPHARD, 471
Al Qiwami fil Hisab al Hindi (Al Maghribi), 89
ALTER, 20
   definition of, 180
Ambiguities
   and design errors, 340
American Scientist, 497, 522
Amputation, 561
Analog systems, 499, 500
Ancestors, 195, 196, 197
"Anchoring the Software Process" (Boehm), 353
Angle brackets
   nonterminals in, 34
"Anonymous" process synchronization, 410
Antiballistic missile (ABM) system, 497
Applets, 191, 192
Applicability condition, 11
Application Data Type Module, 329-330
   submodules within, 334
Application families, 191
Applied research
   judgment of, 517
Arbitrary details, 117
Architecture review, 144
Arguments, 55
   of function application, 57
   of primitive expression, 57
Arithmetic expressions
   and value of program, 34
Arms development
   Einstein's view of, 520
Arms race, 520, 521
Arrays, 585
   looking for common matching in three, 62
   looking for matching elements in two, 62
Artificial intelligence, 498, 602
   defined, 510
   and Strategic Defense Initiative, 510-512
A-7 aircraft
   design approach, 301-306
   design problems, 307-313
   document, 111
   Navigation/Weapon Delivery System on, 112
   redesigning flight software for, 295-296
   system definitions, 29-301.See also A7E aircraft
A-7 aircraft avionics
   embedded systems designed for, 291
   software characteristics, 296
A-7 program
   characteristics, 12-113
   document conclusions, 132-133
   requirements document objectives, 113-114
A-7 requirements table of contents, 115
A-7D aircraft, 68
A-7 device interface modules, 313
   design procedure for, 303
A-7E aircraft, xxii, 68, 75, 107
   active design reviews of specifications for, 337-351
   experience/results with Onboard Flight Program for, 430-432
   and HRT systems, 407
   module guide for Onboard Flight Program for, 324, 325-334
   Onboard Flight Program of, 320
   requirements specifications, 414-415, 437
   virtual radar device, example system, 416-418
A-7E module structure
   notes on behavior-hiding module decomposition, 329
   notes on hardware-hiding module decomposition, 328
   notes on top-level decomposition, 325-326
   second-level decomposition, 327-331
   third-level decomposition, 331-334
A-7E software, 321
   redesign of, 141
   requirements, 108
ASM. See Address storage module
Aspect-oriented programming, 143
Assembly language, 403
Assertions, 12, 13
   about equivalence of traces, 12
   about trace legality, 12
   about values returned by V-functions at end of traces, 12
Assignment
   primitive expressions evaluated for given, 59
   terms evaluated for given, 58
Associations of Professional Engineers, 541
Assumption list
   final version, ADC abstract interface, 306
Assumptions
   critical examination of, 393
   embodied in program construct specifications, 302
   explicit, in design, 344
   questioning, 470
ASTRAL, 404
Atlantic Nuclear Services, 370
Atlee, J.
   introduction by, 67
Atomic Energy Control Board, 373, 374, 378, 381
Atomic Energy of Canada Limited, 68, 370, 381
Attributes
   of STE type, 418
Audit team
   and inspection process at nuclear plant, 378
Australia
   software engineering education in, 534
Automata theory, 583, 585
Automatic implementation, 7
Automatic programming, 498
   feasibility of, 513
   and SDI software problem, 512-514
Automatic type conversion, 221
Aviation Week, 301
Avionics computers, 327
await conditional, 422
await operations, 426, 427
await programs, 432
Axiom of reflection, 55, 64

B
Bad tape block, 254
Balzer, R.M., 152
BANKER
   in T.H.E. system, 165
Barter, 468-469
   money versus, for future sales, 484-486
Barter systems
   impact of money-free computer assisted, 477, 479-492
   and inflation, 482
Bartussek, Wolfram, 9
Base-displacement addressing, 185, 186
Base machine, 171, 175, 179, 180, 182
Basic, 590
Basili, Victor R.
   introduction by, 549, 593
Bassett, P., 91
Battle-management satellites, 493
Battle-management software, 503-504
   and artificial intelligence, 511
   characteristics, 502
Battle-management systems
   and automatic programming, 513-514
Battle stations, SDI, 526, 527
Bayesian mathematics, 510
Before/after descriptions, 101
   LD-relations used as, 101-102
Before/after specifications, 103
   LD-relations used for, 103
Behavioral descriptions, 1, 100-101
Behavioral specifications, 1
Behavior-hiding modules, 316, 317, 325, 328
Bell, Gordon, 171
Bell Labs (Columbus, Ohio), 74
Belpaire, G., 399, 400, 411, 412, 433
Bentley, Jon, xvii
BFM. See Block file module
Binary relations, 56, 72
Binding time, 143
Binomial formula, 89
BLISS, 152
Block file module, 280, 281, 283, 284
BLOWHARD, 471
   building reliable software in, 473-475
   defined, 475
   as farce, 475
   resolving conflicts of viewpoint in design of, 474-475
Body
   LD-relation of, 37-38
Boehm, Barry
   introductions by, 267, 353
Boeing 777 aircraft
   Air Information Management System for, 438
Boolean expressions, 54
   conditions described with, 413
   in program function tables, 376, 377, 378
Borgida, A., 571
Borrowing
   and "future sales," 485
Bottom line, 483
"Bottom up" design process, 175, 177
Bounded quantification, 55, 61, 63
Brackets
   in documentation, 366
   for mnemonic names, 117
   tuples enclosed in, 56
Branch-and-bound technique, 443
British Columbia
   software engineering licensing in, 534
Britton, Kathryn Heninger, 295
   introductions by, 107, 337
Broad family of systems, 277
Brooks, F.P., Jr., 139, 336, 577
Bugs, 140, 229, 499, 506, 522
   in military programs, 503
   and retroactive documentation, 561
   and software aging, 553, 554. See also Errors
"Building Reliable Software in BLOWHARD" (Parnas), 467
Built in software, 473
Business
   role of programming in, 581-582

C
C, 94, 584, 589, 590
C++, xxi, 230
   class interfaces in, 192
CABS. See Computer Assisted Barter Systems
Calculus, 581, 585
Canada
   computer engineering programs in, 546
   software engineering education in, 534
Canadian Council of Catholic Bishops
   CABS and report by, 491-492
Canadian Nuclear Safety Commission, 369
Canadian University, 437
cand, 54
Capacity limitations, 237
"Capturing More World Knowledge in the Requirements Specification" (Greenspan, Mylopoulos, Borgida), 571
Carnegie-Mellon University, 171, 599
CASE tool, 370
Catching exceptions, 230
Cell connection graphs, 79, 81
   types of, 80
Cells, 79
Censorship, 468
Central resource allocator, 165, 166
Challenger space shuttle, 519
Change
   designing for, 269, 271, 273, 297-298, 555
   in device state, 312
   ease of, in requirements documentation, 114
   planning for, 562-563
   in requirements documents, 361
   researchers, and need for, 575-576
   and software aging, 549, 552, 553
   techniques for characterizing types of, 131
Character codes, 152
Characteristic predicates, 56, 57
CHAR(I), 179
Chemical engineering, 575, 596
"Cigarette Smoker" problem, 384
   on solution to, 393, 395-401
Circular shifter module, 147, 148, 150, 151-152, 153, 154
Civil engineering, 593
Clarity
   in program structures, 211
Classical mathematical notation, 3
Class interfaces
   module specifications versus, 192
Class of expressions
   semantics of, 44-45
"Clean" decomposition, 154
"Clean" design, 138-139
Clements, Paul C., 319, 353, 354, 355, 571
   introduction by, 157
CLU, 226, 471
Code, 157
   complexity, 233-234
   and retroactive incremental modularization, 561
   sharing, 219, 221, 223, 225, 298
   and software aging, 557
   verification, 7
Code inspection team
   and inspection process at nuclear plant, 378
Coding
   and programming professionally, 587
Commas
   use of, with tuples, 56
Comments section, 118
Commerce, 468-469
Commercial-off-the-shelf (COTS) components, 353
Communication protocols, 96
Comparison team
   and inspection process at nuclear plant, 378
Competence set, 35, 73, 90, 99, 102
Compilers, 99, 220
Compile time checking
   and redundancy, 219
Complete specifications, 12
Complete transparency, 175
Complex systems
   modular structure of, 319-336
   requirements specifications for, 107, 111
Component orientation, 138
Composition, 585
Compound conditions, 124
   text macros for, 123, 124
Computations, 474
Computation time, 439
Computer Assisted Barter Systems, 477, 479
   and currency supply, 481-482
   dream or current technology?, 487
   and economic planning, 485-486
   and foreign trade, 486-487
   gain/loss measurement with, 483-484
   and inflation, 482
   introduction to, 479
   maintaining balance in system, 483
   and "matching" service, 482-483
   and money constraints on economy, 480-481
   money versus barter for future sales, 484
   and moral illnesses cited in Bishop's Report, 491-492
   net effect of use of, 490
   standards development/enforcement, 488
   theory turned into practice, 488-490
Computer engineering
   and accreditation issues, 546-547. See also Software engineering
Computers
   role of, in SDI, 522-523
Computer science
   departments, 577
   education, 469, 583
   research, 469-470
   and software engineering, 541, 575, 596
Computer Science Accreditation Board
   integration of, into ABET, 534
Computer scientists, 593
Computer specifications
   in requirements documents, 360
Computer State Module, 332
Computer Structures: Readings and Examples (Bell and Newell), 171
Computer system
   and system requirements document, 72
Computing courses
   intellectual content of, 582
Computing machine
   state of, 32
Computing Professionals for Social Responsibility, xviii, 493
Concurrency, 29, 316, 507
   with conventional programming method, 505
   and SDI software reliability, 515
   why make special case of, 383
Concurrent control with "readers" and "writers," 387-392
   problem 1, 389-390
   problem 2, 390-391
Concurrent programming, 383, 387
Conditional await programs, 426
Conditions, 122, 413
   for condition table, 126
   and modes, 125
   for periodic function form, 129
   representing, 124
   and text macros, 123
Condition tables, 125
   mode, 126
Condition values, 413
Conference on Language Design for Reliable Software, 471, 473
Congressional Office of Technology Assessment, 494
Conjunctions
   distributed over disjunctions, 85
Connections, 258, 259
Consistency
   and T/L module, 26
Consistent relations on segments, 446
Consistent specifications, 12
Constant, 44
Constraints on implementation, 113
Constructed programs
   control constructs and, 34
   semantics of, 34
Constructive descriptions, 1, 4, 104
   of programs, 100
Constructive specifications of programs, 104
Constructive versus behavioral distinction, 90
Constructs (or constructors), 99-100
   structured, 31
   syntax of, 34-35
Consumer goods
   "market basket" certificates for, 489
Context switching, 428, 429, 440, 452
Continuous functions, 500
Control abstractions, 471
Control block module, 152
Control constructs
   and constructed programs, 34
   syntax of, 34-35
Controlled quantities, 72
Control state, 32
Convenience
   use of word, 278-279
Conventional design reviews, 341-342
   problems with, 342-343
Conventional software development
   and reliable programs, 504-506. See also Software development
Cooperating sequential processes, 111, 429, 409, 507, 508
Core allocation
   in operating system, 202-204
Correct programs, 229
Counter-trade, 486
Courtois, Pierre-Jacques, 389
   introduction by, 387
CPU timesharing problem, 437-438
Crashes, 241
Critical regions, 412, 433
Currency, 468-469
   and Computer Assisted Barter Systems, 479
   and foreign trade, 486-487
   and inflation, 482
   supply, 481-482
Current entry, 19
CURRENT operation, 20
Cyclic executive construction problem, 438
"Cyclic executive" loops, 403

D
DA (Data Abstract) specifications, 10-12
Darlington Nuclear Power Generating Station (Ontario, Canada), xxii, 68
   experience with relational documentation at, 74
   functional documentation in inspection process at, 375-376
   hazard analysis using functional documentation at, 380
   inspection process at, 378-380
   licensing process for, 372
   program-function tables used at, 76, 77, 376-378
   safety-critical software and, 373-374
Data Banker Module, 329, 330-331
Data hiding, 143
   and design for change, 555
Data items
   organization by, 116-117
   symbolic names for, 117
Data portability, 219
Data representation, 118
   for output data item, 120
Data state, 32
Data structure, 152
Data-transforming components
   chain of, 272
Data Type Module, 331
Deadlines, 439, 440, 441, 443, 451, 452
   and battle-management software, 503
   and documentation, 558
   in military programs, 502
   scheduling, 428
   and software aging, 556
Deadlocks, 241, 408
De Bruijn, N. G., 98, 102, 389
Debt, 485, 487
Decomposition, 255, 260
   in KWIC index production system, 149-151
   common, for compiler/interpreter for same language, 153
   and hierarchical structure, 167-168
   module, 322
   into subprograms, 163
Decoys, 522, 523, 527
DEED problem, 41-42
Defective virtual machine, 236
Defense industry
   unprofessional behavior in, 529
Defense projects/work
   Parnas's views on, 520, 530
Defense-sponsored research, 497
Deficiency correction phase, of programming, 506
Definitions, 215
   type, 217-218. See also Semantics
Delayed effects, 10, 11
DELETE(I,J), 179
DELETE operation, 20
Demand function, 121
   completed form for, 128
Democracy
   and informed public, 524
Denotation, 58
   of predicate expressions, 59
   of primitive expressions, 59
Denotational semantics
   of programming languages, 94
Der Spiegel, 528
Descendant program, 195
Descriptions, 90, 96
   defined, 95
   of objects, 104-105
   of programs, 93. See also Definitions
Design, 583, 589
   of abstract interfaces, 263-264
   of device interface modules, 297-298
   through documentation, 335
   errors, 151
   of hierarchically structured programming systems, 173
   of module structure of A-7E flight software, 324, 325-334
   and software aging, 549, 550
   of software, for ease of extension and contraction, 267-290
   and transparency, 181
   of "uses" structure, 276-279. See also Design reviews; Rational design process; Software design
Design assumptions, explicit, 344
Design decisions
   and modules, 154-155
   in stage 1, 204-205
   in stage 3, 205-208
Design documentation, 71
   organizing for review, 345-346
Designers    and reviewers, 339, 342, 349
Designing for change, 269, 271, 273, 297-298, 555
"Designing Software for Ease of Extension and Contraction"    (Parnas), 571
Design property identification, 343-344
Design representation
   redundant information included in, 345
   reviewability of, 344-345
Design reviews, 316, 562
   A-7E specifications, 337-351
   conventional, 341-342
   objectives of, 340-341
   and software aging, 549, 550, 559, 560. See also Active design reviews
Deterrence
   and SDI, 521
Development process description, 358
Device-access code
   centralizing, 298
Device Interface Module, 297
   abstract interfaces designed for, 291-293, 295-314
   for A-7E, 327-328, 346
   with characteristics that change independently, 307-308
   decomposition, 332
   defined, 300
   design goals for, 297-298
   information from software for, 312
   and major variations among available devices, 307
   reporting changes in device state, 312
   reviews used for, 346
Device interface submodules, 332
Device interrupts, 411
Diagnostics Module, 332
Diagrams
   uses relation, 285
Dictionaries
   in documentation, 366. See also Definitions
Differential calculus, 51
Digital computers, 500
Digital systems, 499
Digital technology, 75
Dijkstra, E. W., 4, 11, 29, 54, 102, 153, 164, 173, 174, 200, 270, 384, 388
   "cigarette smoker's problem" and Patil's evaluation of P/V operators, 393, 395-400
   comparative remarks based on prime program of, 202
   guarded commands of, 29, 584
   "P" and "V" operations of, 389, 411, 412, 413, 432
   prime program of, 198-199
   primitives used by, in T.H.E., 186, 188
   semaphores, 410
   stepwise refinement introduced by, 198
   structured programming ideas of, 211
   synchronization work by, 430
   T.H.E. system paper by, 162
DIMs. See Device Interface submodules
Discipline of Programming, A (Dijkstra), 270
Discrete state systems, 499, 500
Disjunctions
   conjunctions distributed over, 85
Divide and conquer approach, 584, 587, 588
Documentation
   active design reviews of, 337-351
   avoiding problems with, 365-366
   boring prose in, 364-365
   confusing/inconsistent terminology in, 365, 366
   conventional design reviews of, 341-342
   design through, 335
   functional, 375-376
   importance of, 563
   investment in, 4
   language in, 95
   and myopia, 365
   and planning for change, 562
   poor organization of, 364
   problems with, 364-366
   retroactive, 560-561
   role of, 90, 364
   and software aging, 553, 557-558. See also Module Guide; Relational model of documentation; Requirements documents; Software documentation
Documentation-driven tools, 3-5
DoD. See United States Department of Defense
Domain, 55
   analysis, 191
   of relation, 56
do od guarded command construct, 29
Dookhan, A., 5
d-operations, 411, 413, 427, 431, 433
Doppler and Ship Inertial Navigation Set, 310
down(s) operation, 412
Downward propagating undesired event, 235, 244
Drift rate, 309
Duplication
   avoiding, 288
Durability
   software engineering-related standards for, 535
Dynamically evaluated aliases, 5

E
Earliest-deadline-first strategy, 442, 443, 452
Earth Model Module, 334
Eastport Report, 526, 527
Easy guards, 35
eBay, 477
Economic planning
   CABS for, 485-486
Economy
   impact of CABS on, 479
   money constraints on, 480-481
   net effect of CABS on, 490
Education, 469, 541
   engineering, 579-584
   of programmers, 504-505
   programming courses and engineering, 577-578, 579-592
   software, 577
   and software aging, 556
   software engineering, 534, 547, 593, 595-596
   and software engineering research, 599-605
Efficiency, 240, 426, 433, 484
Eiffel, 192
Einstein, Albert, 343, 520, 604
Electrical engineering, 593
   and accreditation issues, 546-547
Electrical engineers, 595
Electronic commerce, 468
"Elegant" design, 138-139
Elementary equivalence of tables, 85
Elementary transformation, 84-85
Elevator problem, 353, 354
ELIGIBLE, 446
Embedded software
   disadvantages with, 297
   real-time, 295, 296
   simplifying, 298
Embedded systems, 292
   aircraft, 408
   characteristics of, 114n1
   military tactical, 407
Emden, Martin van, 49
EMPTY operation, 20
Encapsulation, 9, 275
Engineer
   meaning of word, 599-600
Engineering
   history behind, 574
   management distinct from, 547, 604
   and product obsolescence, 563
   programming taught as, 577-578, 579-592
   role of mathematics in, 581
   and semantics, 575-576
   software engineering as branch of, 575. See also Chemical engineering; Civil engineering; Electrical engineering; Software engineering
Engineering organizations/societies
   importance of, 545, 546
   lack of communication between software engineers and, 573-574
Engineering products classification, 499
Engineers
   licensing of, 540-541
   need for software engineers to be educated as, 593
   obligations of, 541, 542-543. See also Software engineers
England
   negligence suits in, 533
entier program, 40
Environmental quantities, 72
Equality, 64
   and V-functions, 13
Equivalence assertions, 12
Equivalencing facility
   need for, 225-226
Equivalent traces, 12, 14
Error handling, 139-140, 262
Error indications
   specifying, 237-240
Errors, 229, 232, 264, 356, 505, 506
   in ADC abstract interface, 303-304, 305
   annotated example of module design in light of, 247-253
   in battle-management software, 503
   classification of, 340-341
   and conventional design reviews, 342
   in design reviews, 340, 350
   finding during review process, 343
   and inspection process at nuclear plant, 378
   and lawsuits, 533
   of mechanism, 239-240, 254
   and pre-run-time scheduling, 440
   in proofs, 515
   reducing, 589
   and software aging, 554
   in software research, 516
   with switch nomenclatures, 311
   of usage, 254. See also Bugs; Undesired events
Error types
   and direction of propagation, 235-236
Espionage
   effect of, on SDI, 522
Essential characteristics, 117
Ethics
   and software engineering, 493, 494, 534
Event-detecting processes, 415
Event observers, 404
Events, 122, 413
   defined, 301
   for demand function form, 128
   for event table, 127
   notation for, 124
   real-time, 414-415
   and text macros, 123
Event signalling processes, 415
Event tables, 127-128
   example of, 127
Examples
   address-processing subsystem, 279-285
   degrees of undesired events, 241
   Dijkstra's prime program, 198-199
   function description, 128-130
   of input data item description, 118
   loss of transparency at hardware level, 182, 185-186
   module design in light of errors, 247-253
   module guide for A-7 OFP, 324, 325-334
   output data item description, 119-121
   pacemakers, 543-545
   transparency, 175-177
   UE messages passed between levels, 254
   virtual radar device, 416-418
   Wulf's KWIC index program, 199-200
Exception handling, 229
EXCLUDE relations, 443, 445, 446, 447, 449, 450, 455, 459
Exclusion constraints, 452
Exclusion relations, 429, 433, 439, 440, 453
Execution of program, 73, 98-99
Existential quantification, 60
EXLEFT operation, 20
Expert systems, 511-512
Expressions
   notational conveniences with, 60
   satisfaction of, 59
EXRIGHT operation, 20
Extended computer, 410, 411
Extended Computer Module, for A-7E, 327
Extensible languages
   and data portability, 219
Extensions, 288
   designing for, 288
   manifestation of lack of, 271-273
   within requirements, 286
   at runtime versus during SYSGEN, 288-289
External behavior specification, 113

F
"Fail-soft" computer software, 503
Failure traps, 239
False expressions, 59
Families of programs. See Program families
Family of objects, 189
Farmer, William F., 54
Farrell, Dennis, 108
Faulk, Stuart, 407
   introductions by, 229, 393, 403
Fault monitor, radar state, 417
Fault-tree analysis, 380
FD Module. See Function Driver Module
Feasible schedule, 445
Fifth root algorithm, 89
Financial planning
   and software aging, 563
Finite sets, 578
   mathematical logic based on, 585
Finite state machines, 98, 431, 578, 584-585
   black box descriptions of, 104
   defining, 418-419
   object as, 104
Finzi, Leo Aldo, 597, 599
   Parnas's tribute to, 602-603
Fire-control software, 503
Flexibility, software, 287
Flight control, 407
Flight Path Marker (FPM) symbol, 129
Flowcharts, 151, 154, 260
Floyd, R. W., 96
FLR. See Forward Looking Radar
Formal parameters
   description of, for procedures, macros, and more, 226
Formal specifications, 7, 111, 407
FORTRAN, 94, 220, 513, 580, 582, 584, 589, 590
   EQUIVALENCE statement in, 225
FORTRANSIT, 137n1
Forward Looking Radar, 311
Foundational research
   Parnas on, 93-94
Free space list module, 207
"Front end" investment, 27
FSMs. See Finite state machines
Full tabular expression, 81
Function, 55, 56
Functional component, 259, 260
Functional documentation, 375-376
   hazard analysis using, 380
Functional notation, 63
Functional safety
   software engineering-related standards for, 535
Function application, 57
Function description examples, 128-130
Function Driver Module, for A-7E, 328
Function driver module decomposition, 333
Functions, 51, 52, 78, 585
   characteristics of, in describing computer systems, 75
   components performing more than one, 272-273
   tabular descriptions of, 586
   tabular representations of, 60, 82
   and text macros, 123
Funding
   academic institutions and, 529
   and conflicts of interest, 521
   SDI, software problems and, 493, 494
   SDIO and, 516-518
   and social responsibility, 539
Futures
   money versus barter for, 484-486
   reliability assurances for, 489

G
Garlan, D., 158
GAT, 137n1
GATE, 137n1
Gauss, Carl Friedrich, 574
Gauthier, Richard, 145
GDP. See Gross Domestic Product
Generality, software, 287
Go
   semantics of, 36
Gold standard, 489
GOLEFT operation, 20
Goods and services, 480
   CABS, foreign trade and, 486-487
   impact of CABS on, 479
   money versus barter for, 484-486
Gorn, Saul, 512
.g.relation, 424
Greenspan, S.J., 571
Griss, Martin, 191
Gross Domestic Product, 491
Guarded commands, 31, 40
   restrictions on, 29-30
Guards
   semantics for, 35
   side effects in, 42
   values, 35
Guindon, Raymonde
   elevator control design by, 353, 354
Gulf War
   Patriot Missile System in, 494
Guttag, John, 10, 11, 12, 18

H
"Habermann" hierarchy
   in T.H.E. system, 164-165
Handshakes, 272
Handzel, 10
Hansen, Brinch, 388. See also Hansen, P.B.
Hansen, P.B., 186
Hard real time systems, 407, 412, 439
Hardware devices
   virtual devices not corresponding to, 313
Hardware families, 193
Hardware-hiding modules, 316, 317, 325
Hardware interfaces, 132
   inconsistencies in, 310-311
   techniques for describing, 116-121
Hardware interrupts, 411
Hardware level
   loss of transparency at, 182, 185-186
Hardware "traps"
   for error detection/recovery, 230
Hazard analysis
   and safety-critical software, 371, 372
   using functional documentation, 380. See also Safety-critical software
Headers, 79
   in program function tables, 377
Head-up displays, 113, 310
Heart pacemaker, 543-545
Heninger, Kathryn L., 111, 414. See also Britton, Kathryn Heninger
Heuristic programming, 510, 511
Hewlett-Packard 2116, 182
   partial list of micro-operations for, 184
   simplified block diagram for, 183
   timing diagram for rotation of A register, 184
Heymans, Frans, 387, 389
"Hidden" functions, 11, 18, 19
Hidden information, 245. See also Information hiding
Hidden modules, 323
Hierarchically structured systems, 173, 233
Hierarchical structures, xxii, 144, 153-154, 157-158
   and decomposition into modules, 167-168
   general properties of uses of phrase, 161-168
   Parnas on, 161-170
   relating to resource ownership/allocation, 165-166
   and subsetable systems, 263
Hierarchies
   and top down design methodology, 167
History
   engineering, 574
Hoffman, Daniel
   introduction by, 577
Honesty, 537, 538, 542
Horning, James
   introductions by, 255, 471
HRT. See Hard real time
Hu, J., 5
HUDs. see Head-up displays
Human Factors Module, 334
Hybrid systems, 499
Hydra, 166, 286

I
i
   semantics of, 36
IBM system/360, 171
ICBMs. See Intercontinental ballistic missiles
Identity, professional
   cross industry, 564
IEEE Collection of Software Engineering Standards (1999), 535
IEEE Computer Society, 534, 593
IEEE Transactions on Software Engineering, 572
Implementation, 13
   of main algorithm for scheduling processes, 457-459
   and policy choice, 203
   of procedure for computing valid initial solution, 455-456
   of signal and await, 428
   of STE types, 426
   and transparency, 175
   verification before, 27
Implication, 60
Impossible abstractions, 234-235
"Impossible" state, 236n3, 239
IMS models. See Inertial Measurement Set models
Incidents, 241
Incompleteness
   and T/L module, 22
Inconsistencies
   and design errors, 340
Inconsistent relations on segments, 446
Incorrect behavior, 229
Index sets, 61, 62, 79
Indivisibility, 432
   versus regions, 412-413
Industrial reviewers
   and documentation, 558
Inefficiencies
   and design errors, 340
Inequations, 481n1
Inertial Measurement Set models, 307, 309
Infinite sets, 578
Inflation
   impact of CABS on, 479
   problem of, 482
   and savings, 485
Inflexibilities
   and design errors, 340
Informal specifications, 7
Information distribution, excessive, 272
Information flow, tabular, 79
Information hiding, xxi, 107, 111, 212, 229, 267, 403, 405
   and abstraction, 218
   benefits of, 143
   and clean/elegant design, 138, 139
   in complex systems, 335
   and decomposition, 151
   and design for change, 555, 556
   and error handling, 262
   in exportation of functions, 171
   and goals of modular structure, 322
   and hard real-time system, 315
   interface and module definition, 274-275
   and module guide, 319,
   modules, 144, 207, 320, 407
   module structure description based on, 321, 324
   in PMDS device interface module, 308
   principle, 9
   and retroactive incremental modularization, 561
Init
   semantics of, 36, 37
"Initial states"
   programs as, 586
Initial valid solution, 450
IN_MODE, 344-345
Inner ring procedures, 166
Input alphabet, 98
Input data items, 118, 124
   completed form for, 119
   describing as resources, 118
Input modules, 147, 148, 150, 153
Input/output interfaces
   in requirements document, 360
Input values, 122
INSERT(I,J), 179
INSERT operation, 20
Inspections
   software, 140
   tables useful in, 77. See also Reviewers; Safety-critical software
Institute for Advanced Studies, 604
Instruction sequence, 118
Instruction Set Architecture, 171
Instruction Set Processor, 171
Insurance
   and CABS, 486
Integer arrays, 223
Integer queue
   example, 15, 18
Integer values
   stack for (example), 15
Integral calculus, 51
Intellectual isolation costs, 564
Interactive systems, 97
Intercontinental ballistic missiles
   and SDI, 520
Interest rates, 485
Interface, 299
Interface definition
   and information hiding, 274-275
Interface design, 316
Intermediate values, 122
Intermodule interfaces, 275
International Conference on Software Engineering, 316
   "Most Influential Paper" award at, 569
   Parnas's acceptance speech for Influential Papers award, 571-576
International trade, 469
   barter's role in, 477
Interprocess synchronization
   with STEs, 425-426
Interrupts, 411
   and errors, 186
   handling, 277
Intersection operation, 585
"Introduction to the Construction and Verification of Alphard Programs, An" (Wulf, London, Shaw), 571
Inversion
   of two-dimensional 3 x 3 normal table, 83
Inverted tables, 76
   defining g, 78
   function, 82
   normalizing, 82, 83-84
ISA. See Instruction Set Architecture
"Is Automatic Programming Feasible?" (Gorn), 512
ISO
   committee for software engineering standards, 535
ISP. See Instruction Set Processor
IT, 137n1, 513
Iterative construct (it ti), 29, 30
   body of, 40
   semantics of, 37-38

J
Jacobson, Ivar, 191
Janicki, Ryszard, 3, 71
Janson, P.A., 288
Java, xxi, 230
   class interfaces in, 192
Jerusalem Post, 530
Jini Connection Technology, 292
"Job shops," 385
Johnson, Ralph
   introduction by, 191
Jonsson, Patrik, 191

K
Kaiser, C., 241
Kemmerer, Richard
   introduction by, 569
"Kernel" approach to OS design, 286
Kirchoff's laws, 574
Knight, John, 109
Knuth, D.W., 389
Koot, C. W., 174n1
Korea
   nuclear power plants in, 381
Krakowiak, S., 241
KWIC index
   example, 139, 144, 201-202
   program, 260, 262
KWIC index production system
   comparison of two modularizations, 149-151
   modularization 1, 146-148
   modularization 2, 148-149

L
Lai, Chi Tau Robert, 139
Language
   design, 226-227, 471
   hierarchical structure and levels of, 168
   Parnas on, 94-95
   theory, 583. See also Definitions; Semantics; Syntax
"Language-neutral" lectures, 588, 589
"Language of critical sections," 412
Language researchers
   and documentation, 557
Lateness of schedule, 444
Lateness of segment, 444
Latest segment, 444
Law
   and software engineering, 533-534
LD-relations, 30, 33, 34, 44, 46-47, 73, 90, 91, 99, 105, 586
   and before/after descriptions/specifications, 101-102, 103
   and module internal structures, 363
   notation for, 35
   and program function tables, 376
   and programs, 47
Legality of sequences
   notation for describing, 14
Legal traces, 11-12, 17
   for T/L module, 25, 26
Lehman, Manny, 549
LENGTH operation, 179
"Leveled structure"
   difficulties introduced by, 233
Level of abstraction, 287, 288
Levels
   modules, subprograms as distinct from, 287
Liability law, 533
Licensing    of engineers, 540-541
Limited component semantics, 36
Limited component lists, 40
Limited domain
   composition of, 46
   theorems about, 47
   union of two, 46
Limited domain relations. See LD-relations
Line storage modules, 148, 151, 153
Linked lists of small arrays
   register as, 179
Linked list with index
   register as, 179
Lipton, Richard, 399
Lists
   of undesired events, 130
Livelocks, 408
Lockheed, 370
Logic, 501, 578
   not designed for partial functions, 61
   Parnas on, 49
   with partial functions, 53
Logical correctness, 385
Logical expressions
   meaning of, 58-60
   syntax of, 57-58
London, Ralph L., 571
Loops, 29
   in "uses" relation, 273
Los Alamos, 528
Loss of transparency, 175, 179, 180
Loveland, Donald, 93n1
Lower bound function
   for valid initial solution, 448, 449
Lower-level mechanism
   implementation in terms of, 426-427

M
Macros, 165
   description of formal parameters for, 226
Maintainability, 542-543
Maintenance
   and rational design process, 363-364
Maintenance programmers
   and documentation, 557
   and retroactive documentation, 560-561
Makowski, Janusz, 530
Management
   engineering distinct from, 547, 604
   and software aging, 555, 556
Manufacturers
   and laws of negligence, 533, 534
"Market basket" certificates, 489
Markov algorithm translator, 153
Markov algorithm machine register, 178-182
Master control module, 147, 149
Mathematical logic
   based on finite sets, 585
Mathematical methods
   for software development, 67
Mathematical models, 95-96
Mathematical notation
   and tabular representations, 75
Mathematical tools, 500
Mathematics, 577, 578, 583, 584, 596, 600, 602
   ad hoc notation versus, 2-3
   importance of, in engineering, 600, 602, 603
   for professional programming, 584-586
   role of, in engineering, 581
   and software documentation, 558
   teaching programming and, 587-598
M.B.L.E. laboratory, 387, 388
McLean, John
   introduction by, 7
McMaster University, 68, 82, 579
   Table Tools Project at, 370
Mealy, G.H., 152
Medical applications
   software engineering-related standards for, 535
Medium table skeleton, 79, 80
Memory allocation
   and software aging, 553
Memory load, 259, 260
Memory reference instruction
   ISP for fetch portion of, 186
   and loss of transparency, 185
Message passing, 384-385, 430
Mili, Ali
   introduction by, 89
Military funding
   and conflicts of interest, 521
Military/industrial complex
   and "people of conscience," 520
Military software
   inadequate programming approach to, 504, 506
Military systems
   gap between theory and systems in, 507
Mills, Harlan, 42, 98, 102, 508, 578, 597, 599
   Parnas's tribute to, 603-604
Minimal extensions, 269, 274
Minimal increments of system, 274
Minimal independent incremental functions, 286
Minimal subsets, 269, 274, 286, 317
Minimum lateness schedule, 451, 459
Misleading transparency, 188-189
Missile defence systems
   comment on (Parnas), 468
MIT, 437
Mnemonic names, for modes, 125
Mode condition tables, 125
   example of, 126
   section from navigation, 126
Mode Determination Module, 333
Model, 90, 96
   defined, 95
   products, 566
   programs, 93
   value of, 289
Mode monitor, radar state, 417
Modes
   belonging to more than one type, 224-225
   and condition tables, 125, 126, 127
   for demand function form, 128
   for event table, 127
   for organizing and simplifying, 124-125
   for periodic function form, 129
   types as classes of, 221
   types consisting of, that are invocations of parameterized mode descriptions, 223-224
   types consisting of, with identical externally visible behavior, 222
   types consisting of, with identical representations, 222-223
   types consisting of, with some common properties, 224
   of variable, 220-221
Modular coupling, 7
Modular decomposition, 144, 316
Modularity, 111, 171, 255, 267
Modularization, 229, 403
   comparison of, in KWIC index production system, 149-151
   defined, 146
   effectiveness of, 145
   retroactive incremental, 561
Modular programming, 147, 527
   advances in, 146
   benefits of, 146
   philosophy of, 145
Modular structure
   design principle underlying, 321
   goals of, 322-323
"Modular Structure of Complex Systems, The" (Parnas, Clements, Weiss), 571
Module definition
   and information hiding, 274-275
Module design
   document, 363
   in light of errors, 247-253
   specifications, 211
Module Guide, 316, 319, 323-324, 361
   and module interfaces, 362
   for NRL's version of A-7E flight software, 324, 325-334, 335
Module interfaces
   designing/documenting, 362
Module internal structures
   designing/documenting, 363
Modules, 9, 97, 361
   and decomposition, 143-144, 322
   defined and discussed, 259-260
   and design decisions, 154-155
   hierarchical structure and decomposition into, 167-168
   interchangeability of, 279
   for Markov algorithm interpreter/compiler, 178
   subprograms, levels as distinct from, 287
Module specification, 3, 191, 192, 210
   family defined by, 208-209
   stepwise refinement contrasted with, 209-210
   technique of, 200-201
Module structure
   A-7E system, 321
   designing/documenting, 361-362
Mok, Aloysius, 441
   introduction by, 437
Money
   barter versus, for future sales, 484-486
   constraints by, on economy, 480-481
   problem solving and, 480
   as rationing mechanism, 491
   and trade imbalances, 483
Money-free computer assisted barter systems
   impact of, 477, 479-492
Money supply, 481
Monitored quantities, 72
Monitors, 409
Moore-Mealy model, 585
Moral illness, 491, 492
MULTICS system, 161, 166-167
Multidimensional notations, 3
Multi-person programming, 260
   solo-programming versus, 257-258
Multiple entry/exit programs, 31, 39-40
Multiprocessing effects, 505
Multiversion programmers, 210
Multi-version programs/programming, 194, 257, 258
Mutex, 390
Mutual exclusion, 409, 410
Mutual exclusion relations, 438
Mylopoulos, J., 571
Mythical Man Month effect, 365

N
"Naive" set theory, 54
NASA, 370
NATO, 521, 541, 595
NAT relation, 72
Natural language documents, 71
Naur, P., 200n4, 212
Naval Research Laboratory. See United States Naval Research Laboratory
Naval Weapons Center (China Lake, Calif.), 107, 108, 315, 507
   active design reviews at, 337
   ADC abstract interface review at, 304, 305
Negation, 585
Negligence suits
   four elements in, 533
Newell, Allen, 171
"New Math of Computer Programming, The" (Mills), 604
Noise-filtering techniques, 503
Nondeterministic programs, 29, 32, 99, 101
Nonhierarchical systems, 163
Nonprimitive ordering relations, 64
Non-procedural programs, 32
Non-safety-critical software, 564. See also Safety-critical software
Nonsymmetric exclusion relations, 412
Nonterminating execution, 98
Nonterminating programs, 383, 384
Nontrivial hierarchy
   disadvantage of, 165
Norbert Wiener award, xviii
Normal form traces, 12, 13, 25
Normal function tables, 82
Normalization
   of two-dimensional inverted table, 84
Normal table, 79
   defining f, 78
   inverting, 82-83
Nortel Networks, 370
Notation, 35, 133, 141
   for aircraft operating conditions, 123-124
   for describing legality of sequences, 14
   for describing syntax, 13
   for describing traces, 13-14
   for describing values of V-functions at end of traces, 14
   and software documentation, 558. See also Symbols; Syntax
NRL. See United States Naval Research Laboratory
Nuclear missiles
   and deterrence measures, 521. See also Strategic Defense Initiative
Nuclear power
   software engineering-related standards for, 535. See also Darlington Nuclear Power Generating Station
Nuclear weapons, 504, 520
   and SDI, 519
"Nucleus" approach to OS design, 286
NWC. See Naval Weapons Center
Nyquist, 574

O
Object code
   source code distinct from, 409
Object orientation, 138
   and design for change, 555
Object-oriented programming, 8, 191
Objects
   created by modules, 97-98
   descriptions and specifications of, 104-105
   versus programs, 104
Obligations of engineer, 542-543
Obsolescence issues, 563
Office of the U.S. Secretary of Defense
   Strategic Defense Initiative Organization within, 497, 519
O-functions, 10, 11, 12
   for Table/List Module, 20
Old age care
   and CABS, 486
Onboard Flight Program
   of A-7E aircraft, 320
One-way linked list
   register as, 179
Ontario Hydro, 68, 370, 379, 380, 381
"On the Criteria" (Parnas), 157
"On the Design and Development of Program Families" (Parnas), 191, 193-213
Operating system area
   unsolved transparency problem from, 186-188
Operating system problem
   comparative remarks based on, 202-204
Operating systems
    remarks on, 286
Operational flight program, xxii
   for A-7E aircraft, 315, 316, 317, 339
Operations research, 442
Operator precedence, 45, 60
Optimal schedule, 445
Order of operations
   restrictions on, 237-238
Outer rings, 166
Out-of-date directory, 254
Output alphabet, 98
Output data items, 121
   completed form, 120
   describing in terms of effects on external hardware, 119
   example of description for, 119-121
Output module, 147, 149, 153
Output values
   as functions of conditions/events, 122-123
   specifying in requirements documents, 360
   and values in standard units, 120
"Outside in" approach, 167, 173, 174, 189

P
Pacemakers, 543-545
Palindromes
   relational description of program checking for, 62
Panel on Computing in Support of Battle Management
   Parnas resigns from, 497
"Parallel" operations, 399-400
Parameterized mode
   descriptions (param-types), 223-224
   syntax for, 226
Parameters
   bindings, 226
   formal, for procedures, macros, and more, 226
   limitations on values of, 237
Parentheses
   for operator precedence, 45
   semantics of, 38
Parker, R. Alan, 295
Parnas, David Lorge, xvii, 7, 9, 10, 11, 29, 31, 67, 90, 107, 109, 171, 215, 229, 295, 353, 354, 404, 437, 438
   ACM-SIGSOFT Outstanding Researcher Award acceptance speech by, 597, 599
   on logic, 49
   "Most Influential Paper" award received by, 569, 571
   
   predicate logic for software engineering, 51-65
   resignation of, from U.S. Defense Dept. Committee advising on SDI, 519, 524, 537
   SDI funding position of, 493
"Parnas Tables," 67, 68, 69
Partial functions, 51, 52, 55, 56, 58, 60, 63, 64, 585
   logic not designed for, 61
   logic with, 53
PASCAL, 220, 223, 226, 451, 582
Pascal compilers, 99
Patil, Suhas, 393
   "cigarette smoker's problem," evaluation of, 395-400
Patriot Missile System
   failures of, in Gulf War, 494
Pattern recognition, 518
Pentagon, 520. See also United States Department of Defense
Performance
   and software aging, 554
Periodic function, 121, 122
   completed form for, 129
   condition tables in descriptions of, 127
Periodic processes, 429, 431, 440
   "cyclic executive" for set of, 437
Perl, 30
Perlis, Alan J., 597, 599, 604
   Parnas's tribute to, 601-602
Personal responsibilities
   of software engineers, 537, 538
Perspective, shortage of, 90
Perspective-based reading, 550
Petri nets
   and Patil's "cigarette smoker's problem," 395, 397
Philips Computer Industries (The Netherlands), 387
Physical Model Module, 329, 330
Physical Model Module Decomposition, 334
Physical models, 96
Planning
   and software aging, 562-563
PMDS. See Projected Map Display Set
PMS. See Processor, Memory, Switch
Point-solution design, 267
Policy, 202, 203
Political education
   versus weapons technology, 520
Pont, Stephen, 145
P operations (Dijkstra's), 384, 387, 389, 411, 413
Position data, 307
Poverty, 491
P/P (Precondition-Postcondition) specification techniques, 10
Practitioners
   changing communication patterns between researchers and, 575
   gap between researchers and, 573
Precedence constraints, 452
Precedence relations, 438, 439, 440
PRECEDE relations, 443, 445, 446, 447, 449, 450, 452, 455, 459
Precondition, 10
Predicate calculus, 585, 586
Predicate cells, 79, 81
Predicate expressions, 51, 52, 57-58, 59
Predicate logic, 78
   for software engineering, 49-50, 51-65
Predicates, 55
   primitive functions and, 57
Predicate transformers, 200, 270
PREEMPT relations, 446, 447, 450, 452, 455, 459
Pre-run-time scheduler, 428-430, 433
Pre-run-time scheduling, 404, 432, 439, 440, 452, 503
Price, W. R., 11
Pricing, 469
Primary secrets, 324
   of Computer State Module, 332
   of Data Type Module, 331
   of Device Interface Module, 328
   of Extended Computer Module, 327
   in hardware-hiding module for A-7E, 325
   of Mode Determination Module, 333
   of Physical Model Module, 330
   of System Generation Module, 331
   of Virtual Memory Module, 332
Prime program, Dijkstra's
   comparative remarks based on, 202
Primitive expressions, 57
   denotation of, 59
   evaluating, 58, 59
Primitive functions
   and predicates, 57
Primitive operators, 55
Primitive predicates, 55
Primitive programs, 33, 99
Primitives
   lower-level synchronization, 411-413
   Patil on more powerful, 399-400
Priority of traps, 238
Problem solving
   and engineering, 542, 583. See also Examples
Procedures
   description of formal parameters for, 226
Processor, Memory, Switch, 171
Process segments, 439, 440
Process structure
   A-7E system, 321
Process synchronization primitives, 186-188
Process synchronization routines, 111
Production control, 407
Productivity measures, 484
Product lines, 139
Product-line software, 191
Professional liability law, 533
Professional programming
   mathematics and, 584-586
Professional responsibilities, 581
   Parnas's view on, 519
   of software engineers, 537, 538, 540-541
Program construction, 587-588
Program constructors
   simple language of, 588-589
Program Design Notation, 589
Program families, 139, 143, 191, 194, 211, 316
   choosing methods to use for, 209-210
   classical method of producing, 194-195
   comparative remarks based on Dijkstra's prime program, 202
   comparative remarks based on operating system problem, 201-204
   comparison based on KWIC example, 201-202
   conclusions about, 210-211
   design decisions in stage 1, 104-205
   differences among, 270
   historical note on, 211-212
   and module specification, 200-201
   module specifications defining of, 208-209
   motivation for interest in, 194
   new techniques, 196-197
   relation of, to program generators, 210
   representing intermediate stages, 197
   restructuring, 561-562
   software as, 270-271
   stage 3, 205-208
   and stepwise refinement, 198-200
Program function tables, 376-378
   inspection of safety-critical software using, 369-381
   use of, at Darlington Nuclear Power Station, 76
Program generators
   program families related to, 210
Programmers
   and documentation, 557
   education of, 501, 504-505
   gap between researchers and, 570, 572
   and reviews, 559. See also Engineers
Programming, 601
   automatic, 512-514
   deficiency correction phase of, 506
   and engineering, 595, 596
   and engineering practices, 543, 544, 545
   new approach to teaching, 584, 587-591
   professional, 587
   role of, in engineering, business and science, 581-582
   by stepwise refinement, 198-200
   teaching, 137-138, 577-578, 579-591, 595-596
Programming assignment specification, 587
Programming courses
   content of "standard," 582
   and engineering, 579
   important characteristics of, 580
   science courses distinct from, 582-583
Programming environments
   research in, 509
Programming languages
   simplifications in, 509
   view of, 471, 474
Program(s), 32, 34
   behavioral descriptions of, 100-101
   construction tools for, 99-100
   constructive descriptions of, 100
   constructive specifications of, 104
   correctness proofs for, 259
   criteria for use of, by other programs, 278
   describing, 73, 100-102
   as descriptions of state sequences, 586
   designs turned into, 589
   and executions, 98-99
   hierarchy for, 162-163
   as "initial states," 586
   LD-relations and, 47
   multiple entry/exit, 39-40
   nondeterministic, 99
   objects versus, 104
   other kinds of behavioral descriptions of, 102
   primitive, 33
    "pure" relational alternative, 102
   real-time, 403
   relational description of, checking for palindromes, 162
   relational description of, searching B for value of x, 231
   specifying, 3, 32-33, 102-104
   tables in inspection of, 77
   terminating, 97
   value of, 34
"Program Slicing" (Weiser), 571
Program verification
   and mathematics used in documentation, 71
   and SDI software reliability, 514-515
Projected Map Display Set, 307, 308
Proofs, faith in, 515
Protection hierarchies
   in MULTICS system, 166-167
Prototype, 90, 95, 96
Pseudocode, 4, 7, 363, 589
"Pulling Together" (ICSE-19), 569
PUSH operations, 17

Q
Quality
   software engineering-related standards for, 535
Quantification, 60
Questionnaires
   designing, 349
   reviewer, 347, 349
   and software design review, 339, 343
Quine, W.V.O., 49
Quotes
   characters enclosed in, 34

R
Radar
   conditions defining states of, 417
   externally visible events, and detection processes, 418
   states, 416
   states of, r, 419
Radar set module, 417
radar type, 419, 421, 422
RAL instruction execution
   ISP code for, 182
Range, 55
   of relation, 56
   type, 297
Ranging, radar state, 416, 421
Rapid prototyping, 7
Rational design process, 356, 362
   desirability of, 355
   discussion about, 358-364
   documentation role in, 364-366
   faking ideal process, 366-367
   how/why to fake it, 353-368
   idealized description for, 357
   maintenance, 363-364
   module interfaces designed/documented, 362
   module internal structures designed/documented, 363
   module structures designed/documented, 361-362
   program writing, 363
   requirements document for, 358-361
   uses hierarchy designed/documented, 362
Raw table skeleton, 79, 81
RC4000 system, 161, 165, 187, 286
Reactivity control systems, 373
Readability, 5
Readers, 389, 390
"Readers" and "Writers"
   concurrent control with, 387-392
   problem, 384
Reagan, Ronald, 519, 520, 521
   quoted, on strategic defense system requirements, 498
   and SDI, 493, 501, 527
Real-time events, 414-415
Real-time processes, 404
Real-time programs, 403
Real-time schedules
   and battle-management software, 503
Real-time systems, 97
Recognition algorithms, 503
Reconfiguration interfaces, 309
Record keeping
   and software aging, 557-558
Recursive calls, 167
Recursive programming, 163
Redundancy, 240
   and compile time checking, 219
   in design representation, 345-346
   eliminating checks for, 244
   and safety-critical software, 372
Reference tools
   requirements documentation as, 114. See also Documentation; Module Guide
Reflection
   and undesired events, 235, 244
Regions
   versus indivisibility, 412-413
Regions relations
   advantages with, 429
Registers
   in HP 2116, 182
   for Markov algorithm machine, 178-182
Relational component, 99
Relational composition, 585
Relational documentation
   industrial experience with, 73-74
Relational documents
   tabular representations in, 71-87
Relational model of documentation, 71-73
   program descriptions, 73
   relation of NAT, 72-73
   relation of REQ, 73
   system requirements document, 72
Relational operators, 54, 55
Relation attributes, 420, 422
Relation cells, 79, 81
Relation components, 35
Relation inquiry programs, 421
Relation NAT, 72
Relation parameter, 418
Relation REQ, 73
Relations, 51, 55, 63, 64, 79, 585, 586
   defined, 56
   synchronization on, 422-423
   tabular descriptions of, 586
Releases
   and software aging, 558
   timing of, 439, 440, 452
Reliability
   and safety-critical software, 371, 372
   and software aging, 554
Reliability monitor, radar state, 417
"Rendezvous" operators, 409
Representation-dependent programs, 223
Rep-types, 222-223, 225
REQ relation, 73
Requirements, 267
   subsets and extensions in, 286-287
Requirements definition
   identifying subsets first, 273-274
   and undesired events, 114
Requirements documents
   for A-7 program, 113-114
   contents, 359
   design principles, 114-116
   discussion about, 131-132
   mathematical model behind, 360
   need for, 358-359
   organization of, 360-361
   techniques summary for, 132-133
   writers, 360
Requirements specifications, 109, 315-316
   for complex systems, 107, 111
Requirements table of contents, 53
Requirements team
   and inspection process at nuclear plant, 378
Research
   alternative funding for, 518
   computer science, 469-470
   judging, 517
   SDIO and funding of, 516-518
   software engineering, 506-507
Researchers
   changing communication patterns between practitioners and, 575
   critique of methods followed by, 572-575
   gap between programmers and, 570, 572
   need for rethinking audience by, 565
   and publishing outside specialty, 467-468
Resource monitors, 111
Resources
   impact of CABS on, 479
Restricted modules, 323
Restrictions
   on order of operations, 237-238
Restructuring, program families, 561-562
Retirement savings, 484
Retroactive documentation, 560-561
Retroactive incremental modularization, 561
Reusable software, 191, 335
Reviewable designs, 343-344, 542
Reviewers, 350
   characteristics of, for DIM abstract interfaces, 348
   classifying, 347-349
   and conventional design reviews, 342
   correspondence of reviews and, 348
   and designers, 339, 342, 349
   detailed design coverage by, 341
   errors found by, 340
   questionnaire for, 347, 349
   and review types, 346
Reviews, 555
   conducting, 349-350
   correspondence of reviewers and, 348
   effective, 343-350
   and software aging, 558-559, 560
Review type identification, 346
Revision, 555
Rigour
   and safety-critical software, 371, 372
Rings, 166
RISC architectures, 172
Robotics, 407
Robust programs
   and SDI software, 515
Rochkind, Marc J., 571
Rows
   in condition tables, 125-127
Rule-based programming, 510
Run-time
   context switching, 429
   device-dependent characteristics varying at, 309
Run-time errors
   and information hiding, 262
   in software systems, 231
Run time scheduling, 429
   pre-run-time scheduling compared to, 440
Run-time type checking, 272, 273

S
Safe set, 73
Safety-critical applications, 534
Safety-critical real-time systems, 438, 440
Safety-critical software, 403, 407, 564
   inspection of, using program-function tables, 369-381
Safety-critical software inspection
   at Darlington Nuclear Power Generating Station, 373-374
   difficulties with, 374-375
   and functional documentation, 375-376
Saltzer, G., 186
Salutation, 292
Sampling periods, 503
Sandia National Laboratories, 528
Sandwiching, 278
Satellites
   and SDI, 523
Savings and investment, 480, 484
   targeting to needs and inflation-free, 485
Scalability
   of LD-relations, 91
Scheduling, 385, 444
   algorithm for problem solving, 439-454
   and battle-management software, 503
   examples 1-5, 460-465
   of processes with release times, deadlines, precedence, and exclusion relations, 439-454
Science, 539, 596
   role of programming in, 581-582
Science courses
   programming courses distinct from, 582-583
Scientists
   social responsibility of, 538-539
SCR. See Software Cost Reduction
SDI. See Strategic Defense Initiative
SDIO. See Strategic Defense Initiative Organization
SDIO Panel on Computing in Support of Battle Management, 493, 519
   Eastport group within, 525, 528
Secondary secrets, 324
   of Data Type Module, 331
   of Physical Model Module, 330
   of System Generation Module, 331
   of Virtual Memory Module, 332
Secrets, 274, 280, 316, 324
   of Data Type Module, 331
   defined, 300
   in hardware-hiding module for A-7E, 325, 326
   of System Value submodule, 333. See also Primary Secrets; Secondary secrets
Semantics, 95
   of class of expressions, 44-45
   of constructed programs, 34
   of go, 36
   for guards, 35
   of "i," 36
   of init, 37
   of iterative construct (it ti), 37-38
   of limited component, 36
   of limited component lists, 36
   of parentheses, 38
   of stop, 36. See also Language; Syntax
Semaphores, 396, 409, 410, 411, 413, 415, 429, 432
   arrays, 397, 398
   closing/opening operations, 412
   overflow, 397
   passages, 411, 412, 427
Sensors, 522, 527
   within heart pacemakers, 544, 545
Separation of concerns, 366, 385, 433
    and design for change, 555
   need for, 408-410
   preserving, 415
   processes used for achieving, 409-410
   in requirements documentation, 116, 360, 361
   with STEs, 425
Sequences, state, 175
Sequencing decisions
   and stepwise refinement, 209
Sequential completion method, 194
   representation of development by, 195
Sequential development, 193
Sequential programs, 383
set attribute, 422, 424
Set inquiry programs, 421-422
Set of all segments, 444
Set of processes, 444
Set of segment units, 444
Set parameter, 418
Set theory, 585
Sexagesimal notation, 89
Shared Services Module
   for A-7E, 329
Shared Services Module Decomposition
   modules within, 333
Shared variables, 430
Shaw, Mary, 158, 571
Shore, John
   introductions by, 215, 477, 597
Shutdown systems, nuclear plants, 373, 375
Side-effects, 34
   in boolean expressions, 31
   in guards, 42
Siewiorek, Daniel, 173
   introduction by, 171
Simple n-tuple, 55
Simple tuple, 55-56
Single-purpose programs, 284
"Smart" weapons/satellites, 408
Social responsibilities
   of software engineers, xxii, 537, 538-539
Soft modules, 288
Software, 2
   classes of specifications for, 10
   complaints about systems of, 269
   designing for ease of extension and contraction, 267-290
   devices requiring information from, 312
   evolution, 549
   as family of programs, 270-271
   geriatrics, 559-562
   hierarchical structure in systems of, 263
   quality assurance, 140
   reducing life-cycle cost of, 264
   resusable, 91, 335
   system structures, 157
   types of, 97-98
   understanding, 501. See also Program families
Software aging, 549-550, 551-567
   barriers to progress, 563-565
   causes of, 552-553
   costs of, 553-554
   inevitability of, 559
   and partitioning of people/industries, 564, 565
   planning ahead, 562-563
   preventive medicine for, 555-559
   reducing costs of, 554-555
Software architecture, 158
Software Cost Reduction, 141, 315n2
Software Cost Reduction model, 107, 108, 109
Software Cost Reduction Project, xxii, 339, 507
   at Naval Research Laboratory, 437
   Parnas's leadership of, 520
   precepts underlying basis for, 507-508
"Software crisis," 563-564, 577
Software decision hiding modules, 316, 317
Software decision module
   for A-7E, 325, 326, 329
Software design, 137-142
   "clean" or "elegant," 138-139
   conclusions about, 141
   error handling, 139-140
   for hard-real-time systems, 407
   as idealization, 356-357
   introduction to, 137-138
   new approaches to, 339
   other structural design decisions, 140-141
   program families or product lines, 139
   role of specifications in, 9
   and software inspections, 140
Software designer
   and family of programs, 270
Software developers
   and documentation, 71
   and foundational research, 93
Software development, xxi
   and information hiding, 143
   mathematical methods for, 51, 67
   professional practice in, 543, 546-547
   slowing rapid pace of, 562
   and software aging, 549, 551
   and software education, 577
"Software Development Based on Module Interconnection" (Tichy), 571
Software documentation, 1-2
   examples of logic used in, 60-63
   Table Tool System for, 4
Software engineering, xxi, xxii, 67, 157, 499
   barriers to progress in, 563-565
   as branch of engineering, 575
   and defense-sponsored research, 497
   defined, 257
   and documentation, 557-558
   educational programs for, 547
   and ethics, 493, 494
   gap between principles and practice of, 319-320
   gap between programmers and researchers, 572
   history behind, 90-91, 541
   and legal principles, 533-534
   limits of methods, 506-510
   mathematical notation and, 71
   predicate logic for, 49-50, 51-65
   principles, 255, 257-266
   professionalization of, 534-535, 566
   reasons for hardness of, 508
   and semantics, 576
"Software Engineering as a Profession," 534
Software engineering education, 593, 595-596
Software engineering program accreditation, 546-547
Software engineering research
   defined/discussed, 506-507
   education, 599-605
   and SDI goals, 509
Software engineers, 51
   education of, as engineers, 593
   need for communicating with engineering organizations by, 573-574
   professional responsibilities of, 537-548
Software functions
   organization by, 121-122
   techniques for describing, 121-130
Software generality
   software flexibility versus, 287
Software Productivity Consortium, 338
Software reliability, 471, 473
   and automatic programming, 513
   challenges to, 508
   enhancing, 298
Software research
   alternative funding for, 518
   judging, 517
   SDIO and funding of, 516-518
Software technology
   SDI and limits of, 522
Software unreliability, 498, 499-504
   and education of programmers, 501
   introduction about, 499
   and mathematical tools, 500
   system types, 499
   understanding software, 501
Software Utility Module, 329, 331
Solo-programming, 257, 258
Source code
   object code distinct from, 409
"Source Code Control System, The" (Rochkind), 571
Soviet Union. See U.S.S.R.
Space-based defense systems/weaponry, 493, 519. See also Strategic Defense Initiative
Space Technology, 301
"Spaghetti code," 138, 140
Spatial Relations Module, 334
Special-purpose compilers
   eliminating need for, 288
Specifications, 13, 71, 90, 96, 255, 601
   analysis, 7
   defined, 9-10, 95
   history of work on (brief), 10-11
   of information hiding modules, 193
   lack of, for SDI, 514-515
   language, 94
   of modules, 260, 261
   of objects, 104-105
   program, 32-33, 93, 102-104
   role of, in software design, 9. See also Documentation
Spec-types, 222, 225
Splitting, 278
Spooling, 277
SS Module. See Shared Services Module
STAC
   alternative formal specifications for, 17
Stack overflow    example, 16
Standby, radar state, 416, 421
Starting states, 98, 586
Start time of segment, 444
"Star Wars" program, 493, 519, 520, 537
   comment on (Parnas), 468. See also Strategic Defense Initiative
State inquiry operations, 421-422
State parameter, 418
State sequences, 175
   programs as descriptions of, 586
State Transition Event Module, 334
State Transition Event mechanism, 404, 431
   summary, 432-433
   types, 420, 422
   values, 419
   variables, 418. See also STE synchronization mechanisms
State transitions
   operations, 420-421
   representing, 419-420
STE. See State Transition Event mechanism
Stepwise refinement, 191, 192, 193, 202, 207, 210, 218
   module specification contrasted with, 209-210
   programming by, 198-200
STE synchronization mechanisms, 417, 418-426
   combined operations, 424-425
   finite state machine defined, 418-419
   interprocess synchronization with STEs, 425-426
   set synchronization programs, 424
   state inquiry operations, 421-422
   state transition operations, 420-421
   state transition representation, 419-420
   synchronization operations, 422-423
Stop
   semantics of, 36
Stopping states, 586
Strategic Defense Initiative, xxii, 468, 493
   background, 520-521
   critical issues surrounding, 524-528
   difficulties with software for, 522-523
   and expert systems, 511-512
   funding of, and conflicts of interest, 521
   and "loose coordination" distraction, 525-526
   and "90%" distraction, 525
   Parnas's opposition to, 519-530
   Parnas's resignation from Defense Dept. committee advising, 519, 524, 537
   pursuit of, for other reasons?, 529-530
   and software issues, 501-504, 514-515
   role of computers in, 522-523
   software engineering research and attainability issues, 509
   and trustworthiness issues, 521, 522, 530
Strategic Defense Initiative Organization, 494, 497, 517-518, 519, 520, 528
   and funding, 516-518
   quality of work in, 528
   reaction by, to Parnas's resignation from advising committee, 524
Strategic defense systems
   and artificial intelligence, 510-512
   and automatic programming, 512-514
   conventional software development and lack of reliable programs, 504-506
   program verification and SDI software reliability, 514-515
   reasons for untrustworthiness of SDI software system, 501-504
   requirement, 498
   SDIO and funding research for, 516-518
   software aspects of, 493, 497-518
   software engineering limits and, 506-510
   why software is unreliable, 499-501
Strategic software engineering, 144
"Stream of consciousness" writing, 364, 365
"Stream of execution" writing, 364, 365
Structure
   meaning of, 258
   steps for better, 273-279
   of systems programs, 260-261
Structured constructs, 31
Structured programming, 31, 157, 218
   assumptions about, 231-232
   Dijkstra's papers on, 162
   value of, in producing programming families, 206-207
Subclasses, 191, 192
Subexpressions, 54
Subfamilies, 197, 205, 209
Submodules, 361, 363
Subprograms, 162, 163
   modules, levels as distinct from, 287
Subroutines, 259, 260, 287, 474, 561
Subsetable systems
   and hierarchical structure, 263
Subsets, 163, 277, 278, 288
   designing for, 288
   identifying, 273-274
   manifestation of lack of, 271-273
   picking, 284
   within requirements, 286
   use of, 209
Success
   designing for, 557
   and software aging, 552
Sufficiency
   and trap conditions, 238
Suggestive transparency, 188
Support software
   reducing need for, 288
Swansea University, 85
Switches
   with hardware side effects, 311
   nomenclatures, 118, 311
Symbols
   #, 34, 38-39, 45
   in event tables, 127, 128
   Flight Path Marker, 129
Synchronization, 384, 385, 387, 388, 430
   combined operations, 424-425
   lower level considerations, 410-411
   primitives, 412
   two-level approach to, 410
   upper level considerations, 413-418
   summary of operations, 423. See also STE synchronization mechanisms
Synchronization in hard-real-time systems, 403-405, 407-435
   considerations at lower level, 410-411
   considerations at upper level, 413-418
   experience and results, 430-432
   implementation in terms of lower-level mechanism, 426-428
   introduction to, 407-408
   lower-level synchronization primitives, 411-413
   need for separation of concerns, 408-410
   pre-run-time scheduler, 428-430
   reason for another synchronization mechanism, 430
   STE synchronization mechanisms, 418-426
   summary on, 432-433
   two-level approach to, 410
Syntax
   checker, 589
   of constructs, 34-35
   definition, 13
   of logical expressions, 57-58
   notation for describing, 13
   of program design notation, 588
   of specification, 12. See also Language; Semantics
SYSGEN
   eliminating need for, 284, 288
   extension at runtime versus during, 288-289
System Data Type Module, 334
System Generation Module, 329, 331
System generation programs, 210
System requirements document, 72
Systems programs
   two techniques for controlling structure of, 260-261
System Value Module, 333

T
Table holder, 85
Table of contents
   A-7 requirements, 115
Table predicate rule, 80, 81
Table relation rule, 80, 81
Tables, 75, 586
   condition, 125-127
   defining, f, 78
   dimensionality changes in, 82
   discovering first, 75
   fomalisation of wide class of, 77-81
   for precision and completeness, 125-128
   program function, 376-378
   transformations of, from one kind to another, 82-85
   use of at Darlington Nuclear Power Station, 76
Table Tools Project, at McMaster University, 370
Table Tool System, 4
Tabular expressions, 3, 4
Tabular representations
   in relational documents, 71-87
Taxation, 489, 490, 493, 529
TC-2 assembly code, 431
Teaching
   programming, 137-138, 577-578, 579-591, 595-596
   software engineering research, 599-605. See also Education
Teams
   and inspection process at nuclear plant, 378, 379
Technical writers
   and documentation, 557
Technion Institute, 530
Technocrats
   research in DoD judged by, 517
Technology, 539, 574
Technology transfer problem, 5, 107, 108
Templates
   for value descriptions, 117-118
Terminating programs, 97
Terms, 57
   evaluating for given assignment, 58
Test case generation, 7
Testing, 4, 500, 522, 555, 574, 575, 581
Tests
   in programming courses, 589, 590
Texas
   software engineering licensing in, 534
Text macros, 123-124
   for conditions, 124
T.H.E. system, 161, 167, 277
   BANKER in, 165
   Dijkstra's paper on, 162
   "Habermann" hierarchy in, 164-165
   primitives from, 187, 188
Thinking
   tables aid in, 76-77
Three exit program, 40
Three-valued logics, 54
Throwing exceptions, 230
Tichy, Walter F., 571
Timers, 411
Timing considerations section
   for output data item, 121
Timing constraints
   in requirements document, 361
T/L ("table/list") module
   conclusions about, 26-27
   current specification for, 25-26
   flaws in first version of specification for, 22-25
   informal picture of, 19-21
   with unlimited capacity, 24-25
"Top down" approach, 157, 167, 173
Total functions, 56, 63, 64
Trace Assertion Method, 2
Trace-based methods, 5, 18
Trace-based specifications, 8
Trace legality
   assertions about, 12
Traces, 11, 104
   assertions about equivalence of, 12
   formal notation for specification based on, 12-14
   notation for describing, 13
   techniques, 7-8
   and T/L module, 21, 22, 25
Tracking, radar state, 416, 421
track (RS) operation, 423
Trade
   and Computer Assisted Barter Systems, 479
   deficits, 487
   imbalances, 483, 487
   and inflation, 482
   and money supply, 481-482
   surpluses, 483, 487
   systems of, 468-469
Traffic control, 407
Trajectory computations, 518
Transformations of tables
   interrelationship between, 84-85
Transparency, 171
   of an abstraction, 175
   example, 175-177
   and flexibility of design, 181
   misleading, 188-189
   suggestive, 188
   unsolved problem, from operating system area, 186-188
Traps, 238
   conditions, 162
   and error types, 235-236
   failure, 239
   priority of, 238
   state after, 239
   and undesired events, 233-234
Trap vector size, 238-239
Tree-structured hierarchies, 323
Tripp, Leonard
   introduction by, 533
"True concurrency," 384
True expressions, 59
TRW Software Productivity System, 267
TTS. See Table Tool System
Tuples, 55-56, 75
Turing machines, 578
Turing Prize, 599
Two-dimensional inverted table, 84
Two-dimensional tableaux, 586
Two-dimensional 3 x 3 table, 83
Two-entrance program, 41
Two-linked list
   register as, 179
Two-valued logics, 54
Type extensions
   motivations for, 218-220
Types
   approaches to defining, 217-218
   as classes of modes, 221
   consisting of modes as invocations of parameterized mode descriptions, 223-224
   consisting of modes with identical external visible behavior, 222
   consisting of modes with identical representations, 222-223
   consisting of modes with some common properties, 224
   modes belonging to more than one, 224-225

U
UEs. See Undesired events
UMLs. See Undefined modeling languages
Unconditional await programs, 426, 427
Unconventional decompositions, 145
Undefined information requests, 237
Undefined modeling languages, 141
Undesired event handling
   continuation after, 236-237
   in requirements document, 361
Undesired event messages
   passed between levels, 254
Undesired events, 229, 230, 232, 262
   assumptions, defined, 300
   classification, 130
   conclusions about, 244-245
   degrees of, 241-244
   effect of, on code complexity, 233-234
   factors determining degrees of, 242
   lists of, 130
   and module internal structures, 363
   order of actions and, 243
   order of aims and, 242-243
   order of degrees of, 242
   redundancy, efficiency and, 240-241
   and requirements definition, 114
   response to, in software systems, 231-246
   and specifying error indications, 237-240
   techniques for specifying, 130
   upward propagating, 235
Unemployment, 491
   impact of CABS on, 479
Uniform pricing, 469
Union operation, 585
United Kingdom
   software engineering education in, 534
United States
   negligence suits in, 533
   and SDI, 493, 521
   software engineering education in, 534
United States Department of Defense
   judging research done within, 517
   and overfunding problem, 530
   Parnas's consultancy with, 520
   and SDIO funding, 516-518
United States General Accounting Office, 494
United States Naval Research Laboratory (Washington, D.C.), xxii, 107, 111, 215, 303, 315, 319, 370
   A-7 aircraft redesign at, 295
   A-7E flight software produced by, 324
   Software Cost Reduction Project at, 339, 407, 437, 507, 520
United States Navy, 516
Universal Plug and Play, 292
Universal quantification, 62, 63
UniversitŽ du QuŽbec ˆ Hull, 85, 370
University of British Columbia, 68
University of Maryland, 578
University of North Carolina, 577
University of Victoria, 487
UNIX, 509
Updates
   and software aging, 552
Upper level considerations, 413-418
   desirable characteristics of upper-level mechanism, 415-416
   example system, 416-417
   real-time event, 414-415
up (s) operation, 412
Upward propagating undesired event, 235
User-defined data types, 217
User programs, 297
"Uses" hierarchy, 263, 277-278, 286, 362
"Uses" relation, 269, 276-277, 278, 284
   between component program, 285
   loops in, 273
"Uses" structure
   A-7E system, 321
   designing, 276-279
U.S.S.R.
   and SDI, 493, 521
u-tuple, 58

V
Valid initial solution, 446
   implementation of procedure for computing, 455-456
   improving on, 447-449
Valid schedule, 445
Value description templates, 117-118
Values
   encoding, 118
   of functions, 56
   guard, 35
   of programs, 34
   symbolic names, 117
Value stack, 39
van Emden, Martin
   introduction by, 49
van Schouwen, A. John
   introduction by, 369
Variables, 44, 218
   mode of, 220-221
   STE, 418
Variant-types, 224
Varney, R.C., 165
VDI (Association of German Engineers), 575
VDM model, 102
Vector economics, 484
Velocity increments, 307
Venus, 277
Verification
   and documentation, 558
   before implementation, 27
   and safety-critical software, 372
Versions
   and software aging, 560. See also Releases
V-functions, 10, 11, 12, 18
   and assertions, 12, 13
   assertions about values returned by, at end of traces, 12
   notation describing values of, at end of traces, 14
   for Table/List Module, 20, 25, 26
Virtual devices, 297, 298
   assumption list characterizing, 301-302
   with changeable characteristics, 308-309
   interconnections between, 309-310
   not corresponding to hardware devices, 313
Virtual machine, 171, 173, 175, 176, 179, 181, 186, 474
   concept of, 275-276
   defective, 236
   and misleading transparency, 188-189
   and suggestive transparency, 188
Virtual machine approach
   advantages of, 287
Virtual memory, 172, 277
Virtual Memory Module, 332
Virtual panels, 121
Virtual radar
   conditions defining states of, 417
VM. See Virtual machine
Von Neumann, John von, 604
V operations (Dijkstra's), 384, 387, 389, 412, 413

W
Wadge, William
   introduction by, 29
wait conditional, 422
Wait conditional on membership, 424
wait on call operation, 423
Wait on set, 424
Waldo, James
   introduction by, 291
Warheads, 522, 527
Warsaw University, 85, 370
Weapon Behavior Module, 334
Weapons, 522, 527
   space-based, 493
Weapons development, 497
   Parnas's view on, 520
Weapons systems, 468
   battle-management software system characteristics, 502
Weiser, Mark, 571
Weiss, David M., 139, 141, 217, 319, 338, 339, 571
   introductions by, 143, 315, 493
Well-done table skeleton, 80
   examples of, 81
Well-structured programs
   discussion about, 258-259
   producing, 260-261
when clause, 414
Whistle blowers, 519
Williams, Everard M., 597, 604
   Parnas's tribute to, 599-601
Wilmotte, J.P., 399, 400, 411, 412, 433
"Windows on the World," 569
Wodon, P., 400
World Wide Web, 172
WOW. See "Windows on the World"
Writers, 389, 390
Wulf, William A., 199-200, 201, 571
WŸrges, Harald, 140, 229, 231

X
Xu, Jia, 404, 437, 438, 439

Y
Year-2000 problem, 595
York University, 437

Z
Zermelo-Fraenkel Set Theory, 50
Zucker, Jeffrey, 71

Updates

Submit Errata

More Information

Unlimited one-month access with your purchase
Free Safari Membership