Universal Systems Language

Last updated

Universal Systems Language (USL) is a systems modeling language and formal method for the specification and design of software and other complex systems. It was designed by Margaret Hamilton based on her experiences writing flight software for the Apollo program. [1] The language is implemented through the 001 Tool Suite software by Hamilton Technologies, Inc. [2] USL evolved from 001AXES which in turn evolved from AXES all of which are based on Hamilton's axioms of control. The 001 Tool Suite uses the preventive concept of Development Before the Fact (DBTF) for its life-cycle development process. DBTF eliminates errors as early as possible during the development process removing the need to look for errors after-the-fact.



USL was inspired by Hamilton's recognition of patterns or categories of errors occurring during Apollo software development. Errors at the interfaces between subsystem boundaries accounted for the majority of errors and were often the most subtle and most difficult to find. Each interface error was placed into a category identifying the means to prevent it by way of system definition. This process led to a set of six axioms, forming the basis for a mathematical constructive logical theory of control for designing systems that would eliminate entire classes of errors just by the way a system is defined. [3] [4]

Certain correctness guarantees are embedded in the USL grammar. In contrast to reactive approaches to program verification, testing for errors late into the life cycle, USL's development-before-the-fact philosophy is preventive, not allowing errors in the first place. A USL definition models both its application (for example, an avionics or banking system) and properties of control into its own life cycle. [5] Providing a mathematical framework within which objects, their interactions, and their relationships can be captured, USL – a metalanguage – has "metamechanisms" for defining systems. USL's philosophy is that all objects are recursively reusable and reliable; reliable systems are defined in terms of reliable systems; only reliable systems are used as building blocks; and only reliable systems are used as mechanisms to integrate these building blocks to form a new system. Designers can then use the new system, along with more primitive ones, to define (and build) more comprehensive reliable systems. If a system is reliable, all the objects in all its levels and layers are reliable.

USL is regarded by some users as more user-friendly than other formal systems. [6] It is not only a formalism for software, but also defines ontologies for common elements of problem domains, such as physical space and event timing.

Formalism for a theory of control

A systems philosophy formalism for representing the logic of the control of systems, USL is based on a set of axioms of a general systems control theory with formal rules for its application. At the base of every USL system is a set of six axioms and the assumption of a universal set of objects. [7] [8] The axioms provide the formal foundation for a USL "hierarchy" – referred to as a map, which is a tree of control that spans networks of relations between objects. Explicit rules for defining a map have been derived from the axioms, where – among other things – structure, behavior, and their integration are captured. Each axiom defines a relation of immediate domination of a parent over its children. The union of these relations is control. Among other things, the axioms establish the relationships of an object for invocation in time and space, input and output (domain and codomain), input access rights and output access rights (domain access rights and codomain access rights), error detection and recovery, and ordering during its developmental and operational states. Every system can ultimately be defined in terms of three primitive control structures, each of which is derived from the six axioms – resulting in a universal semantics for defining systems.

All representations of a system are defined in terms of a function map (FMap) and a type map (TMap). With USL, all functions in a system and their relationships are defined with a set of FMaps. Similarly, all types in a system and their relationships are defined with a set of TMaps. FMaps represent the dynamic (doing) world of action by capturing functional and temporal (including priority) characteristics. TMaps represent the static (being) world of objects by capturing spatial characteristics – for example, containment of one object by another or relationships between locations of objects in space. FMaps are inherently integrated with TMaps. Three universal primitive structures derived from the set of axioms and non-primitive structures derived ultimately in terms of the primitive structures specify each map. Primitive structures are universal in that they are able to be used to derive new abstract universal structures, functions or types. The process of deriving new objects (i.e., structures, types and functions) is equivalent to the process of deriving new types in a constructive type theory. Primitive functions, corresponding to primitive operations on types defined in a TMap, reside at the bottom nodes of an FMap. Primitive types, each defined by its own set of axioms, reside at the bottom nodes of a TMap. Each primitive function (or type) can be realized as a top node of a map on a lower (more concrete) layer of the system. Resident at every node on a map is the same kind of object (for example, a function on every node of an FMap and a type on a TMap). The object at each node plays multiple roles; for example, the object can serve as a parent (in control of its children) or a child (being controlled by its parent). Whereas each function on an FMap has a mapping from its input to output (domain to codomain), each type on a TMap has a relation between its domain and codomain. A structure relates each parent and its children according to the set of rules derived from the axioms of control. A primitive structure provides a relationship of the most primitive form (finest grain) of control. All maps are defined ultimately in terms of the primitive structures and therefore abide by the rules associated with each structure: A parent controls its children to have a dependent (Join), independent (Include), or decision-making relationship (Or).

Figure. 1 The three primitive control structures and their rules form a universal foundation for constructing maps in the domains of time and space as FMaps and TMaps Ucs rules.png
Figure. 1 The three primitive control structures and their rules form a universal foundation for constructing maps in the domains of time and space as FMaps and TMaps

Any system can be defined completely using only primitive structures, but less primitive structures defined by and derived from the primitive structures – and therefore governed by the control axioms – accelerate the definition and understanding of a system. The defined structure, a form of template-like reuse, provides a mechanism to define a map without explicitly defining some of its elements. An FMap structure has placeholders for variable functions; a TMap structure has placeholders for variable types; a universal structure has placeholders for functions or types. Async is an example of a real-time, distributed, communicating FMap structure with both asynchronous and synchronous behavior. An example of a TMap structure is TreeOf, a collection of the same type of objects ordered using a tree indexing system. Each TMap structure assumes its own set of possible relations for its parent and children types. Abstract types decomposed with the same TMap structure inherit the same primitive operations and therefore the same behavior (each of which is available to FMaps that have access to members of each of its TMap's types).


The process of developing a software system with USL together with its automation, the 001 Tool Suite (001), is as follows: define the system with USL, automatically analyze the definition with 001's analyzer to ensure that USL was used correctly, automatically generate much of the design and all of the implementation code with 001's generator. [9] [10] [11] [12] USL can be used to lend its formal support to other languages. [13]

See also

Related Research Articles

Ada is a structured, statically typed, imperative, and object-oriented high-level programming language, extended from Pascal and other languages. It has built-in language support for design by contract (DbC), extremely strong typing, explicit concurrency, tasks, synchronous message passing, protected objects, and non-determinism. Ada improves code safety and maintainability by using the compiler to find errors in favor of runtime errors. Ada is an international technical standard, jointly defined by the International Organization for Standardization (ISO), and the International Electrotechnical Commission (IEC). As of 2020, the standard, called Ada 2012 informally, is ISO/IEC 8652:2012.

OSI model Model of communication of seven abstraction layers

The Open Systems Interconnection model is a conceptual model that characterises and standardises the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols.

Pascal (programming language) Programming language

Pascal is an imperative and procedural programming language, designed by Niklaus Wirth as a small, efficient language intended to encourage good programming practices using structured programming and data structuring. It is named in honour of the French mathematician, philosopher and physicist Blaise Pascal.

<i>Principia Mathematica</i> Three-volume work on the foundations of mathematics

The Principia Mathematica is a three-volume work on the foundations of mathematics written by the mathematicians Alfred North Whitehead and Bertrand Russell and published in 1910, 1912, and 1913. In 1925–27, it appeared in a second edition with an important Introduction to the Second Edition, an Appendix A that replaced ✸9 and all-new Appendix B and Appendix C. PM is not to be confused with Russell's 1903 The Principles of Mathematics. PM was originally conceived as a sequel volume to Russell's 1903 Principles, but as PM states, this became an unworkable suggestion for practical and philosophical reasons: "The present work was originally intended by us to be comprised in a second volume of Principles of Mathematics... But as we advanced, it became increasingly evident that the subject is a very much larger one than we had supposed; moreover on many fundamental questions which had been left obscure and doubtful in the former work, we have now arrived at what we believe to be satisfactory solutions."

In object-oriented programming and software engineering, the visitor design pattern is a way of separating an algorithm from an object structure on which it operates. A practical result of this separation is the ability to add new operations to existing object structures without modifying the structures. It is one way to follow the open/closed principle.

Data type

In computer science and computer programming, a data type or simply type is an attribute of data which tells the compiler or interpreter how the programmer intends to use the data. Most programming languages support basic data types of integer numbers, floating-point numbers, characters and Booleans. A data type constrains the values that an expression, such as a variable or a function, might take. This data type defines the operations that can be done on the data, the meaning of the data, and the way values of that type can be stored. A data type provides a set of values from which an expression may take its values.

In mathematics, an algebraic structure consists of a nonempty set A, a collection of operations on A of finite arity, and a finite set of identities, known as axioms, that these operations must satisfy.

In programming languages, a type system is a logical system comprising a set of rules that assigns a property called a type to the various constructs of a computer program, such as variables, expressions, functions or modules. These types formalize and enforce the otherwise implicit categories the programmer uses for algebraic data types, data structures, or other components. The main purpose of a type system is to reduce possibilities for bugs in computer programs by defining interfaces between different parts of a computer program, and then checking that the parts have been connected in a consistent way. This checking can happen statically, dynamically, or as a combination of both. Type systems have other purposes as well, such as expressing business rules, enabling certain compiler optimizations, allowing for multiple dispatch, providing a form of documentation, etc.

In computer science, a list or sequence is an abstract data type that represents a countable number of ordered values, where the same value may occur more than once. An instance of a list is a computer representation of the mathematical concept of a tuple or finite sequence; the (potentially) infinite analog of a list is a stream. Lists are a basic example of containers, as they contain other values. If the same value occurs multiple times, each occurrence is considered a distinct item.

Plessey System 250, also known as PP250, was the first operational computer to implement capability-based addressing, to check and balance the computation as a pure Church-Turing Machine. A Church-Turing Machine is a digital computer that encapsulates the symbols in a thread of computation as a chain of protected abstractions by enforcing the dynamic binding laws of Alonzo Church's Lambda Calculus Other Capability Based Computers including CHERI and CAP computer are hybrids. They retain default instructions that can access every word of accessible physical or logical (paged) memory. It is an unavoidable characteristic of the von Neumann Architecture that is founded on shared random access memory and blind trust in the sharing default access rights. For example, every word in every page managed by the virtual memory manager in an operating system using a Memory management unit must be blindly trusted. Using a default privilege among many compiled programs allows corruption to grow without any method of error detection. However, the range of virtual addresses given to the MMU or the range of physical addresses produced by the MMU is shared undetected corruption flows across the shared memory space from one software function to another. PP250 removed not only virtual memory or any centralized, precompiled operating system but also the superuser, removing all default machine privileges. It is default privileges that empower undetected malware and hacking in a computer. Instead, the pure Object-capability model of PP250 always requires a limited capability key to define the authority to operate. PP250 separated binary data from capability data to protect access rights, simplify the computer and speed garbage collection. The Church-Machine encapsulates and context limits the Turing Machine by enforcing the laws of the Lambda Calculus. The typed digital media is program-controlled by distinctly different machine instructions. Mutable binary data is programmed by 28 RISC instruction set for Imperative programming and Procedural programming the binary data using binary data registers confined to a capability limited memory segment. The immutable Capability Keys, exclusive to six Church-Instructions, navigate the computational context of the Turing Machine through the separately programmed structure of the Object-capability model. PP250 was sold commercially circa 1972.

In computer science, a tagged union, also called a variant, variant record, choice type, discriminated union, disjoint union, sum type or coproduct, is a data structure used to hold a value that could take on several different, but fixed, types. Only one of the types can be in use at any one time, and a tag field explicitly indicates which one is in use. It can be thought of as a type that has several "cases", each of which should be handled correctly when that type is manipulated. This is critical in defining recursive datatypes, in which some component of a value may have the same type as the value itself, for example in defining a type for representing trees, where it is necessary to distinguish multi-node subtrees and leafs. Like ordinary unions, tagged unions can save storage by overlapping storage areas for each type, since only one is in use at a time.

Visual programming language

In computing, a visual programming language (VPL) is any programming language that lets users create programs by manipulating program elements graphically rather than by specifying them textually. A VPL allows programming with visual expressions, spatial arrangements of text and graphic symbols, used either as elements of syntax or secondary notation. For example, many VPLs are based on the idea of "boxes and arrows", where boxes or other screen objects are treated as entities, connected by arrows, lines or arcs which represent relations.

ActionScript object-oriented programming language

ActionScript was an object-oriented programming language originally developed by Macromedia Inc.. It is influenced by HyperTalk, the scripting language for HyperCard. It is now an implementation of ECMAScript, though it originally arose as a sibling, both being influenced by HyperTalk.


In mathematics, specifically in category theory, F-algebras generalize the notion of algebraic structure. Rewriting the algebraic laws in terms of morphisms eliminates all references to quantified elements from the axioms, and these algebraic laws may then be glued together in terms of a single functor F, the signature.

In universal algebra and in model theory, a structure consists of a set along with a collection of finitary operations and relations that are defined on it.

Structured analysis

In software engineering, structured analysis (SA) and structured design (SD) are methods for analyzing business requirements and developing specifications for converting practices into computer programs, hardware configurations, and related manual procedures.

In mathematics, particularly in category theory, a morphism is a structure-preserving map from one mathematical structure to another one of the same type. The notion of morphism recurs in much of contemporary mathematics. In set theory, morphisms are functions; in linear algebra, linear transformations; in group theory, group homomorphisms; in topology, continuous functions, and so on.

Margaret Hamilton (software engineer) American NASA scientist and mathematician

Margaret Heafield Hamilton is an American computer scientist, systems engineer, and business owner. She was director of the Software Engineering Division of the MIT Instrumentation Laboratory, which developed on-board flight software for NASA's Apollo program. She later founded two software companies—Higher Order Software in 1976 and Hamilton Technologies in 1986, both in Cambridge, Massachusetts.

Parametric design

Parametric design is a process based on algorithmic thinking that enables the expression of parameters and rules that, together, define, encode and clarify the relationship between design intent and design response.

This glossary of computer science is a list of definitions of terms and concepts used in computer science, its sub-disciplines, and related fields, including terms relevant to software, data science, and computer programming.


  1. M. Hamilton and W. R. Hackler, "Universal Systems Language: Lessons Learned from Apollo", IEEE Computer, Dec. 2008.
  2. 001 Tool Suite (1986-2020)
  3. Margaret H. Hamilton, Hamilton Technologies (September 27, 2012). ""Universal Systems Language and its Automation, the 001 Tool Suite, for Designing and Building Systems and Software" Lockheed Martin/IEEE Computer Society Webinar Series".
  4. Hamilton, Margaret H. (2018). "What the Errors Tell Us". IEEE Software . 35 (5): 32–37. doi: 10.1109/MS.2018.290110447 . ISSN   0740-7459. S2CID   52896962.
  5. Dolha, Steve, Chiste, Dave, "A Remote Query System for the Web: Managing the Development of Distributed Systems.", Chapter 32, Internet Management, Editor Jessica Keyes, Auerbach, 2000.
  6. Krut, Jr., B., "Integrating 001 Tool Support in the Feature-Oriented Domain Analysis Methodology" (CMU/SEI-93-TR-11, ESC-TR-93-188), Pittsburgh, SEI, Carnegie Mellon University, 1993.
  7. Hamilton, M., "Inside Development Before the Fact", cover story, Special Editorial Supplement, 8ES-24ES. Electronic Design, Apr. 1994.
  8. Hamilton, M., "001: A FULL LIFE CYCLE SYSTEMS ENGINEERING AND SOFTWARE DEVELOPMENT ENVIRONMENT Development Before The Fact In Action", cover story, Special Editorial Supplement, 8ES-24ES. Electronic Design, Apr. 1994.
  9. Ouyang, M., Golay, M.W. 1995, An Integrated Formal Approach for Developing High Quality Software of Safety-Critical Systems , Massachusetts Institute of Technology, Cambridge, Massachusetts, Report No. MIT-ANP-TR-035.
  10. Software Productivity Consortium, (SPC) (1998), Object-Oriented Methods and Tools Survey, Herndon, VA.SPC-98022-MC, Version 02.00.02, December 1998.
  11. Max Schindler (1990) Computer Aided Software Design, John Wiley & Sons, 1990.
    • Department of Defense (1992). Software engineering tools experiment-Final report, Vol. 1, Experiment Summary, Table 1, p. 9. Strategic Defense Initiative, Washington, D.C.
  12. Hamilton, M. Hackler, W.R., "A Formal Universal Systems Semantics for SysML, 17th Annual International Symposium, INCOSE 2007, San Diego, CA, June 2007.

Further reading