G. J. K. Asmis’s scientific contributions


Publications (3)


Assessment of safety-critical software in nuclear power plants

Article · April 1991 · 5,298 Reads · 201 Citations

G. J. K. Asmis

This article outlines an approach to the design, documentation, and evaluation of computer systems. This approach allows the use of software in many safety-critical applications because it enables the systematic comparison of the program behavior with the engineering specifications of the computer system. Many of the ideas in this article have been used by the Atomic Energy Control Board of Canada in its safety assessment of the software for the shutdown systems of the Darlington Station. The four main elements of this approach follow: (1) Formal Documentation of Software Requirements: Most of the details of a complex environment can be ignored by system implementers and reviewers if they are given a complete and precise statement of the behavioral requirements for the computer system. We describe five mathematical relations that specify the requirements for the software in a computerized control system. (2) Design and Documentation of the Module Structure: Complexity caused by interactions between separately written components can be reduced by applying Data Abstraction, Abstract Data Types, and Object-Oriented Programming if the interfaces are precisely and completely documented. (3) Program Function Documentation: Software executions are lengthy sequences of state changes described by algorithms. The effects of these execution sequences can be precisely specified and documented with tabular presentations of the program functions. Also, large programs can be decomposed and presented as a collection of well-documented smaller programs. (4) Tripod Approach to Assessment: There are three basic approaches to the assessment of complex software products: (i) testing, (ii) systematic inspection, and (iii) certification of people and processes. Assessment of a complex system cannot depend on any one of these alone. The approach used on the Darlington shutdown software, which included systematic inspection as well as planned and statistically designed random testing, is outlined.

Managing Complexity in Safety-Critical Software

November 1990 · 68 Reads · 1 Citation

This paper outlines an approach to the design, documentation, and evaluation of computer systems. We believe that this approach makes it possible to control the complexity that is present in software products and allows the use of software in many safety-critical applications. Our approach to dealing with complex systems has been described by E.W. Dijkstra as “separation of concerns” and is supported by the use of rigidly organized mathematical documentation. Many of the ideas presented in this paper have been used by the Atomic Energy Control Board of Canada (AECB) in their safety assessment of the software for the shutdown systems of the Darlington Nuclear Power Station.


Citations (2)


... However, many project requirements documents are non-formal or semi-formal, and there are many problems such as inaccuracy, inconsistency, incompleteness, and poor readability, all of which make it very difficult to verify whether the software is consistent with its requirements. The document-driven software development method proposed by Professor David L. Parnas emphasizes the role of documents in the software development process, describes each important element and performance of the software system requirements as a precise set of mathematical relations, and provides a series of verifications [1][2][3] of the integrity and consistency of the formal requirements document. In this method Professor Parnas gives a generic model of the requirements document, named the 4-variable model [4], which uses the environment variables and the relationships between environment variables to characterize the requirements of a computer system. ...

Reference:

A Verification Method of Software Acceptability
Reviewable development of safety critical software
  • Citing Article
  • January 1990

... Statistical testing [4,10,8] provides a direct estimate of the software probability of failure on demand (pfd) of a demand-based system to some confidence bound, and it is recommended in functional safety standards such as IEC 61508 [6]. The standard approach to deriving a confidence bound on the pfd of a software-based system is to perform statistical testing on the whole system as a "black-box". ...

Reference:

Assessment of safety-critical software in nuclear power plants