Universal Systems Language
Universal Systems Language is a systems modeling language and formal method for the specification and design of software and other complex systems. It was designed by Margaret Hamilton based on her experiences writing flight software for the Apollo program. The language is implemented through the 001 Tool Suite software by Hamilton Technologies, Inc. USL evolved from 001AXES which in turn evolved from AXES all of which are based on Hamilton's axioms of control. The 001 Tool Suite uses the preventive concept of Development Before the Fact for its life-cycle development process. DBTF eliminates errors as early as possible during the development process removing the need to look for errors after-the-fact.
Philosophy
USL was inspired by Hamilton's recognition of patterns or categories of errors occurring during Apollo software development. Errors at the interfaces between subsystem boundaries accounted for the majority of errors and were often the most subtle and most difficult to find. Each interface error was placed into a category identifying the means to prevent it by way of system definition. This process led to a set of six axioms, forming the basis for a mathematical constructive logical theory of control for designing systems that would eliminate entire classes of errors just by the way a system is defined.Certain correctness guarantees are embedded in the USL grammar. In contrast to reactive approaches to program verification, testing for errors late into the life cycle, USL's development-before-the-fact philosophy is preventive, not allowing errors in the first place. A USL definition models both its application and properties of control into its own life cycle. Providing a mathematical framework within which objects, their interactions, and their relationships can be captured, USL – a metalanguage – has "metamechanisms" for defining systems. USL's philosophy is that all objects are recursively reusable and reliable; reliable systems are defined in terms of reliable systems; only reliable systems are used as building blocks; and only reliable systems are used as mechanisms to integrate these building blocks to form a new system. Designers can then use the new system, along with more primitive ones, to define more comprehensive reliable systems. If a system is reliable, all the objects in all its levels and layers are reliable.
USL is regarded by some users as more user-friendly than other formal systems. It is not only a formalism for software, but also defines ontologies for common elements of problem domains, such as physical space and event timing.
Formalism for a theory of control
A systems philosophy formalism for representing the logic of the control of systems, USL is based on a set of axioms of a general systems control theory with formal rules for its application. At the base of every USL system is a set of six axioms and the assumption of a universal set of objects. The axioms provide the formal foundation for a USL "hierarchy" – referred to as a map, which is a tree of control that spans networks of relations between objects. Explicit rules for defining a map have been derived from the axioms, where – among other things – structure, behavior, and their integration are captured. Each axiom defines a relation of immediate domination of a parent over its children. The union of these relations is control. Among other things, the axioms establish the relationships of an object for invocation in time and space, input and output, input access rights and output access rights, error detection and recovery, and ordering during its developmental and operational states. Every system can ultimately be defined in terms of three primitive control structures, each of which is derived from the six axioms – resulting in a universal semantics for defining systems.All representations of a system are defined in terms of a function map and a type map. With USL, all functions in a system and their relationships are defined with a set of FMaps. Similarly, all types in a system and their relationships are defined with a set of TMaps. FMaps represent the dynamic world of action by capturing functional and temporal characteristics. TMaps represent the static world of objects by capturing spatial characteristics – for example, containment of one object by another or relationships between locations of objects in space. FMaps are inherently integrated with TMaps. Three universal primitive structures derived from the set of axioms and non-primitive structures derived ultimately in terms of the primitive structures specify each map. Primitive structures are universal in that they are able to be used to derive new abstract universal structures, functions or types. The process of deriving new objects is equivalent to the process of deriving new types in a constructive type theory. Primitive functions, corresponding to primitive operations on types defined in a TMap, reside at the bottom nodes of an FMap. Primitive types, each defined by its own set of axioms, reside at the bottom nodes of a TMap. Each primitive function can be realized as a top node of a map on a lower layer of the system. Resident at every node on a map is the same kind of object. The object at each node plays multiple roles; for example, the object can serve as a parent or a child. Whereas each function on an FMap has a mapping from its input to output, each type on a TMap has a relation between its domain and codomain. A structure relates each parent and its children according to the set of rules derived from the axioms of control. A primitive structure provides a relationship of the most primitive form of control. All maps are defined ultimately in terms of the primitive structures and therefore abide by the rules associated with each structure: A parent controls its children to have a dependent, independent, or decision-making relationship.
Any system can be defined completely using only primitive structures, but less primitive structures defined by and derived from the primitive structures – and therefore governed by the control axioms – accelerate the definition and understanding of a system. The defined structure, a form of template-like reuse, provides a mechanism to define a map without explicitly defining some of its elements. An FMap structure has placeholders for variable functions; a TMap structure has placeholders for variable types; a universal structure has placeholders for functions or types. Async is an example of a real-time, distributed, communicating FMap structure with both asynchronous and synchronous behavior. An example of a TMap structure is TreeOf, a collection of the same type of objects ordered using a tree indexing system. Each TMap structure assumes its own set of possible relations for its parent and children types. Abstract types decomposed with the same TMap structure inherit the same primitive operations and therefore the same behavior.