AFIPS
CONFERENCE
PROCEEDINGS
VOLUME 30

1967
SPRING JOINT
COMPUTER
CONFERENCE
APRIL 18-20
ATLANTIC CITY, NEW JERSEY

The ideas and opinions expressed herein are solely those of the
authors and are not necessarily representative of or endorsed by the 1967
Spring Joint Computer Conference Committee or the American Federation
of Information Processing Societies.

Library of Congress Catalog Card Number 55-44701
Thompson Book Co.
National Press Building
Washington, D. C. 20004

© 1967 by the American Federation of Information Processing Societies,
New York, N. Y. 10017. All rights reserved. This book, or parts thereof, may
not be reproduced in any form without permission of the publishers.

Sole distributors throughout the entire
world (except North and South America):
Academic Press
Berkeley Square House
Berkeley Square, London, W. 1

CONTENTS
DYNAMIC ALLOCATION OF COMPUTING RESOURCES
A resource allocation scheme for multi-user on-line operation of
a small computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Effects of scheduling on file memory operations . . . . . . . . . . . . . . .
Address mapping and the control of access in an interactive
computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Allen Reiter
Peter J. Denning

MANAGING THE DEVELOPMENT OF COMPUTER PROGRAMS - A USER'S VIEWPOINT
The Air Force computer program acquisition concept . . . . . . . . . . .
Configuration management of computer programs by the Air Force:
Principles and documentation . . . . . . . . . . . . . . . . . . . . . . . . . .

Milton V. Ratynski

The technical specification - Key to management control of
computer programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Air Force concepts for the technical control and design verification
of computer programs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
COMPUTER LOGIC AND ORGANIZATION
UNIVAC 1108 multiprocessor system . . . . . . . . . . . . . . . . . . . . . .
Considerations in block-oriented systems design . . . . . . . . . . . . . . .
Intrinsic multiprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The association-storing processor . . . . . . . . . . . . . . . . . . . . . . . .

VISUAL OUTPUT RECORDING
Digitized photographs for illustrated computer output. . . . . . . . . . . .
Mathematical techniques for improving hardware accuracy . . . . . . . .
A new printing principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
APPLICATIONS OF ANALOG AND HYBRID COMPUTERS
A time delay compensation technique for hybrid flight simulators . . . .
Backward time analog computer solutions of optimum control
problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Cartoon animation by an electronic computer . . . . . . . . . . . . . . . . .
Stochastic Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DATA MANAGEMENT
The people problem: Computers can help . . . . . . . . . . . . . . . . . . .
File handling at Cambridge University . . . . . . . . . . . . . . . . . . . . . .

GIM-1, a generalized information management language and computer
system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

David C. Evans,
Jean Yves Leclerc

Lloyd V. Searle
George Neil
Burt H. Liebowitz
M. S. Piligian
Lt. J. L. Pokorney
D. C. Stanga
D. H. Gibson
Richard A. Aschenbrenner
Michael Flynn
George A. Robinson
D. A. Savitt
H. H. Love, Jr.
R. E. Troop
Richard W. Conn
C. J. Walter
W. H. Puterbaugh
S. P. Emmons
V. Wayne Ingalls
Max D. Anderson
Someshwar C. Gupta
Takeo Miura
Junzo Iwata
Junji Tsuda
B. R. Gaines
E. R. Keller, II
S. D. Bedrosian
D. W. Barron
A. G. Fraser
D. F. Hartley
B. Landy
R. M. Needham
Donald B. Nelson
Richard A. Pick
Kenton B. Andrews

Inter-program communications, program string structures and
buffer files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DM-l, a generalized data management system . . . . . . . . . . . .
File management on a small computer. . . . . . . . . . . . . . . . . . . . . .
HANDLING THE GROWTH BY DEFINITION OF MECHANICAL
LANGUAGES - A SPECIAL TUTORIAL SESSION . . . . . . . . . . . . . . .

E. Morenoff
J. B. McLean
Paul J. Dixon
Jerome D. Sable
Gilbert P. Steil, Jr.
Saul Gorn

I/O DEVICES
An optical peripheral memory system ..
A rugged militarily fieldable mass store (mem-brain file) . . . . . . . .

The "Cluster" - Four tape stations in a single package.
BIOMEDICAL COMPUTER APPLICATIONS
The oscillating vein . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Computer applications in biomedical electronics - Pattern
recognition studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

R. L. Libby
R. S. Marcus
L. B. Stallard
W. A. Farrand
R. B. Horsfall
N. E. Marcum
W. D. Williams
J. T. Gardiner
Augusto H. Moreno
Louis D. Gold
A. J. Welch
Joseph L. Devine, Jr.
Robert G. Loudon

Experimental investigation of large multilayer linear
discriminators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Effect of stenosis of the blood flow through an artery. . . . . . . . . . . .

SECURITY AND PRIVACY IN COMPUTER SYSTEMS . . . . . . . . . . . . .
Security considerations in a multi-programmed computer system . . .
Security and privacy: Similarities and differences . . . . . . . . . . . .
System implications of information privacy . . . . . . . . . . . . . . . . .


W. S. Holmes
C. E. Phillips
Peter M. Guida
Louis D. Gold
S. W. Moore
Willis H. Ware
Bernard Peters
Willis H. Ware
Harold E. Petersen
Rein Turn

PANEL DISCUSSION: PRACTICAL SOLUTIONS TO THE
PRIVACY PROBLEM
The ABC time-sharing system . . . . . . . . . . . . . . . . . . . . . . .
Project MAC time-sharing system . . . . . . . . . . . . . . . . . . . . . . . .

James D. Babcock
Edward L. Glaser

COMPUTING ALGORITHMS
The influence of machine design on numerical algorithms . . . . . . . .
Base conversion mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Accurate solution of linear algebraic systems - A survey . . . . . . . .
Recursive techniques in problem solving . . . . . . . . . . . . . . . . . . .
Statistical validation of mathematical computer routines . . . . . . . . .

W. J. Cody
David W. Matula
Cleve B. Moler
A. Jay Goldstein
Carl Hammer


MACROMODULAR COMPUTER SYSTEMS . . . . . . . . . . . . . . . . . .
A functional description of macromodules . . . . . . . . . . . . . . .
Local design of macromodules . . . . . . . . . . . . . . . . . . . . . . . . . . .
Engineering design of macromodules . . . . . . . . . . .
A macromodular systems simulator (MS2) . . . . . . . . . . . . . . .
A macromodular meta machine . . . . . . . . . . . . . . . . . . . . . .
The CHASM: A macromodular computer for analyzing neuron
models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Wesley A. Clark
Severo M. Ornstein
Mishell J. Stucki
Wesley A. Clark
Mishell J. Stucki
Severo M. Ornstein
Wesley A. Clark
Asher S. Blum
Thomas J. Chaney
Richard E. Olsen
Richard A. Dammkoehler
William E. Ball
Charles E. Molnar
Severo M. Ornstein
Antharvedi Anne

SOME ASPECTS OF COMPUTER ASSISTED INSTRUCTION
Requirements for a student subject matter interface . . . . . . . . . . . .
Central vs. decentralized computer assisted instruction systems ... .
Reflections on the design of a CAI operating system. . . . . . . . . . . .

INFORMATION PROCESSING IN THE BUSINESS ENVIRONMENT
Nature and detection of errors in production data collection . . . . . . .
Serving the needs of the information retrieval user . . . . . . . . . . . . .
The Ohio Bell Business information system . . . . . . . . . . . . . . . . . .
TECHNIQUES IN PROGRAMMING LANGUAGES - PART I
Programming by questionnaire. . . . . . . . . . . . . . . . . . . . . . . . . . .
using formal specification of procedure-oriented and machine languages . . . . . . . . . . . . . . . . . . . . . . . . .

Kenneth Wodtke
M. Gelman
E. N. Adams
William 44. Smith, Jr.
C. Allen Merritt
E. K. McCoy
Allen S. Ginsberg
Harry M. Markowitz
Paula M. Oldfather

Compiler generation

An experimental general purpose compiler . . . . . . . . . . . . . . . . . . .
THE BEST APPROACH TO LARGE COMPUTING CAPABILITY - A DEBATE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Achieving large computing capabilities through aggregation of
conventional system elements. . . . . . . . . . . . . . . . . . . . . . . . .
Achieving large computing capabilities through associative
parallel processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Achieving large computing capabilities through an array computer ..
Achieving large computing capabilities through the single-processor
approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Philip Gilbert
William G. McLellan
R. S. Bandat
R. L. Wilkins

Gerhard L. Hollander

George P. West

Richard H. Fuller
Daniel L. Slotnick

Gene M. Amdahl

THE EXPANDING ROLES OF ANALOG AND HYBRID COMPUTERS
IN EDUCATION: A PANEL DISCUSSION
"Position" Papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

LOGIC-IN-MEMORY
DTPL push down list memory
An integrated MOS transistor associative memory with 100ns cycle
time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Planted wire bit steering for logic and storage . . . . . . . . . . . . . . . .
A cryoelectronic distributed logic memory. . . . . . . . . . . . . . . . . . .
SCIENTIFIC PROGRAMMING APPLICATIONS
Trace-time-shared routines for analysis, classification and
evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Degradation analysis of digitized signal transmission . . . . . . . . . . . .
Digital systems for array radar . . . . . . . . . . . . . . . . . . . . . . . . . .
TECHNIQUES IN PROGRAMMING LANGUAGES - PART II
DIAMAG: A multi-access system for on-line ALGOL programming ..
GRAF: Graphic additions to FORTRAN . . . . . . . . . . . . . . . . . . . . .
The multilang on-line programming system . . . . . . . . . . . . . . . ...

Dr. Lawrence E. Burkhart
Dr. Ladis E. Kovach
A. I. Katz
Dr. Myron L. Corrin
Dr. Avrum Soudack
Dr. Robert Kohr
R. J. Spain
M. J. Marino
H. I. Jauvtis
Ryo Igarashi
Toru Yaita
W. F. Chow
L. M. Spandorfer
B. A. Crane
R. R. Laane

Gerald H. Shure
Robert J. Meeker
William H. Moore, Jr.
J. C. Kim
E. P. Kaiser
G. A. Champine

A. Auroux
J. Bellino
L. Bolliet
A. Hurwitz
J. P. Citron
J. B. Yeaton
R. L. Wexelblat

RPL: A data reduction language . . . . . . . . . . . . . . . . . . . . . . . . . .
Experimental automation information station: AIST-O . . . . . . . . . . .

PAPERS OF SPECIAL INTEREST
Some issues of representation in a general problem solver . . . . . . . .
A compact data structure for storing, retrieving and manipulating
line drawings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Experience using a time-shared multi-programming system with
dynamic address relocation hardware . . . . . . . . . . . . . . . . . . . . .
THOR - A display based time sharing system. . . . . . . . . . . . . . . . .

ADVANCES IN SOFTWARE DEVELOPMENT
"Compose/Produce: A user-oriented report generator for a time-shared system" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Code Generation for PIE (Parallel instruction execution) computers ..
Snuper Computer - A computer instrumentation automation . . . . . . . .

TECHNIQUES IN PROGRAMMING LANGUAGES - PART III
An algorithmic search procedure for program generation. . . . . . ...

Frank C. Bequaert
A. P. Ershov
G. I. Kodzuhin
G. P. Makarov
M. I. Nechepurenko
I. V. Pottosin
George W. Ernst
Allen Newell
Andries Van Dam
R. W. O'Neill
John McCarthy
Dan Brian
John Allen
Gary Feldman

William D. Williams
Philip R. Bartram
J. F. Thorlin
G. Estrin
D. Hopkins
B. Coggan
S. D. Crocker
M. H. Halstead
G. T. Uber

A system of macro-generation for ALGOL . . . . . . . . . . . . . . . . . .
COMMEN: A new approach to programming languages . . . . . . . . . .
SPRINT: A direct approach to list-processing languages . . . . . . . .
Syntax-checking and parsing of context-free languages by
pushdown-store automata. . . . . . . . . . . . . . . . . . . . . . . . . . .
The design and implementation of a table-driven compiler system ..


SOME IDEAS FROM SWITCHING THEORY
Synthesis of switching functions, using complex logic modules . . . . . .
Adaptive systems of logic networks and binary memories. . . . . . .. .
Design of diagnosable sequential machines. . . . . . . . . . . . . . . . . . .
NON-ROTATING MASS MEMORY
LCS (large core storage) utilization in theory and in practice . . . . . .
Extended core storage for the Control Data 64/66000 systems . . . . . .
Simulation of an ECS- based operating system . . . . . . . . . . . . . . . . .
FAILURE FINDING IN LOGICAL SYSTEMS
A structural theory of machine diagnosis. . . . . . . . . . . . . . . . . . . .
Compiler level simulation of edge sensitive flip-flops . . . . . . . . . . .
A logic oriented diagnostic program . . . . . . . . . . . . . . . . . . . . . . .
Automatic trouble isolation in duplex central controls employing
matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
COMPUTERS FOR INDUSTRIAL PROCESS ANALYSIS AND CONTROL
Digital backup for direct digital control . . . . . . . . . . . . . . . . . . .
Real-time monitoring of laboratory instruments . . . . . . . . . . . . . . .
Industrial process control software with human attributes . . . . . . . . .
K. R. Gielow
H. LeRoy

Leo J. Cohen
Charles A. Kapps
Victor B. Schneider
C. L. Liu
G. D. Chang
Y. N. Patt
I. Alexander
Zvi Kohavi
Pierre Lavallee

T. A. Humphrey
G. A. Jallen
M. H. MacDougall

C. V. Ramamoorthy
James T. Cain
Marlin H. Mickle
Lawrence P. McNamee
Herman Jacobowitz

E. M. Prell
J. M. Lombardo

Paul A. C. Cook
J. B. Neblett

D. J. Brevik

A resource-allocation scheme for
multi-user on-line operation of a
small computer
by ALLEN REITER
Lockheed Palo Alto Research Laboratory
Palo Alto, California

INTRODUCTION
Recently a great deal of interest has been evident
in on-line information retrieval systems in which the
retrieval search involves real-time man-computer
interaction. The advantages of such systems are becoming well known.1 Operating systems designed
to allow on-line time-shared information retrieval
have common characteristics which distinguish them
from other types of on-line systems. The system
designer has to face problems in allocating the
available computer resources that are not usually
encountered in other contexts.
Information retrieval tasks typically involve many
repeated accesses to data stored in not so rapidly
accessible peripheral storage. When the system is
being shared by several jobs simultaneously, the
following situation results:
• The entire system is I/O bound.
• System performance times are critically affected
by the order in which various I/O tasks are performed.
• It is obviously advantageous to have many
different jobs in simultaneous execution, each
placing requests into an I/O queue, so that the
monitor can best schedule the order of peripheral
storage accesses.
• It will not do to remove jobs from core temporarily by "rolling them out" into peripheral
storage, since this will merely aggravate the
I/O-boundedness of the system.
• Core storage has to be allocated dynamically,
with care paid to both the present and the future
needs of each job in execution.
This paper presents an approach to solving the
system-design problems when the available computer

resources, and in particular core storage, are quite
limited. It is shown that it is indeed feasible to design
a time-sharing information-retrieval system and obtain
satisfactory working results on a small, research-laboratory-sized computer not specifically intended
for time-shared use.
This work was done in connection with a library
reference-retrieval system designed at the Lockheed
Palo Alto Research Laboratory. The system is currently running on the IBM System 360/30 computer,
equipped with 32 thousand bytes of core storage,
two disk-pack units, and one data-cell drive, all sharing
the same I/O channel. A brief description of the
retrieval system has appeared in print;2 a later paper
by D. L. Drew giving a full description of the time-sharing monitor will appear shortly.3

A generalized system
The system under discussion is designed to meet
the following requirements, which are shared by most
on-line multi-user information retrieval systems.
PI (Multiple Simultaneous Use) - There are potentially several users on-line with the computer at any
given moment in time, say 10, each of whom communicates with the computer via a slow telecommunication device. (The word user will be used synonymously with console, and will denote a source of
human input to the computer.)
P2 (Independence) - Each user is completely
independent of every other user. Nothing that transpires at one console shall have any influence on what
occurs at any other console.
P3 (On-Line Interaction) - Each user's job involves
many steps. By a step is meant user input followed
by computer processing and system output. Any two
consecutive steps of a job are necessarily separated


Spring Joint Computer Conf., 1967

by the period of time it takes a user to initiate the
new step; this period may last anywhere between
several seconds to several minutes. The computer
cannot be doing any processing for this job between
two steps.
P4 (Program Segmentation) - A user's job requires
the services of a group of program segments. These
are selected by a monitor program from a large pool
of such segments, based on an analysis of the user's
input for each step. There is no a priori correlation
between a given user and the set of program segments
that he will require.
P5 (Storage Variability) - Different program segments place different core storage demands on the
computer. These storage demands are of three types:
storage for the string of segment code itself, storage
for any working space that the segment might require,
and storage for reading in data from the auxiliary
memory devices.
P6 (Heavy File Manipulation) - Almost every
step of a job will involve one or more accesses to
data stored in auxiliary memory devices. This system requirement, together with its consequence that
the operation will basically be I/O bound, will motivate our approach to the system design.
P7 (Rapid Average Response Time)- The system
should normally produce a response within a fixed
time from the initiation of a step by a user. This
fixed time may vary from step to step, depending on
the nature of the task that the computer must perform
within the step. Delays to a given user caused by
other users should be guarded against; ideally, no user
should even be aware that there are other users of
the system at the same time.
In addition, without increasing the complexity of
the system, we can add:
P8 (Priorities) - There are priority levels associated with each job. These priorities are not meant
to be overriding, but are merely another factor to
consider when the system monitor is allocating the
system resources.
All these requirements are to be satisfied by a system which is to be implemented on a "small" computer. That is, the computer has a reasonably small
core (high-speed) memory augmented by a large (but
slow) random-access-memory device, and no built-in
hardware for multiprocessing. Specifically, these
limitations are:
RL1 - There are too many program segments to
fit into core simultaneously. The program segments
will have to be stored in the random-access memory
and fetched as needed.
RL2 - There is not enough core storage to dedicate
a storage area for each user. Core storage will be

pooled and allocated to each user as needed. Each
job is expected to return storage to the pool whenever it can do so.
RL3 - The central processor of the computer can
only be executing one program segment (application
or monitor) at one time. The only activity that may
go on in parallel with the processing is input/output.
As a consequence of P6 and RL1, it may safely be
assumed that the system will be I/O bound to a large
extent. In order not to increase the I/O load, the
following specification is imposed on the system:
S1 - Once a program segment has been brought
into core and its execution has commenced, it must
be allowed to come to its conclusion while it is still
resident in core. Although the segment may relinquish control several times before it is finished, the
segment is not to be "rolled out" to peripheral storage
and brought back later in order to make its space
available for other uses.
As will be seen, program segments will be relinquishing control quite frequently before being finished,
and there may be several unrelated segments in core
simultaneously. Taken in conjunction with RL2,
this implies that the storage requirements of every
program segment have to be scrutinized carefully
before the program is loaded to make sure that the
segment will be able to reach a successful conclusion
and not get hung up because of lack of space.
The fact that I/O operations will have to be scheduled carefully implies:
S2 - All I/O operations are to be performed by the
system monitor. The individual program segments
will place their respective requests into a queue
which will be serviced by a system I/O scheduler.
A program segment can relinquish control to the
system monitor (and thence to other program segments) for one or more of several reasons. First, it
may have finished its task. Second, it may have just
placed a request for I/O into the queue and cannot
continue until the request has been acted upon. Third,
it might need some additional core storage, and no
core storage is currently available. Finally, its execution may be taking too long, and it interrupts itself
to give the system a chance to do something else.
With a certain degree of arbitrariness it is being
assumed that the system monitor will not be taking
control away from the program segments, but rather
the segments will relinquish control voluntarily. Thus:
S3 - The system is to be event driven, rather than
time driven.
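The four reasons a segment may relinquish control suggest a cooperative, event-driven monitor loop. The sketch below is illustrative only (the actual monitor is the subject of Drew's forthcoming paper3): the `Yield` codes, the single round-robin queue, and the toy segment are all assumptions, not the paper's design.

```python
from collections import deque
from enum import Enum, auto

# Hypothetical codes mirroring the four reasons a segment may yield
# control (names are illustrative, not taken from the paper).
class Yield(Enum):
    FINISHED = auto()       # task complete; its storage can be reclaimed
    AWAIT_IO = auto()       # I/O request queued; cannot continue yet
    AWAIT_STORAGE = auto()  # needs core that is not currently free
    TIMESLICE = auto()      # voluntarily interrupts a long computation

def monitor(segments):
    """Event-driven scheduling: segments are generators that yield one
    of the codes above; the monitor never takes control away from them."""
    ready = deque(segments)
    while ready:
        seg = ready.popleft()
        try:
            reason = next(seg)
        except StopIteration:
            continue  # segment ran off its end
        if reason is not Yield.FINISHED:
            ready.append(seg)  # re-queue; a fuller monitor would park
                               # AWAIT_* segments on separate queues

# A toy segment that computes in two steps, yielding control in between.
def toy_segment(n, results):
    total = sum(range(n))
    yield Yield.TIMESLICE
    results.append(total)
    yield Yield.FINISHED

results = []
monitor([toy_segment(10, results), toy_segment(5, results)])
```

Because control changes hands only at the yield points, no locking of shared monitor tables is needed, which is the practical attraction of an event-driven design on a machine with no multiprocessing hardware.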
Because of the core storage limitations and the
variation in the storage requirements from program
segment to program segment, it is imperative to have
some flexibility in handling storage. In particular,

if a contiguous block of storage sufficiently large to
accommodate a storage request is not available, one
should be able to honor the request utilizing noncontiguous areas. The editing problem in subsegmenting program and data areas is extremely complex,
and in practice some compromise has to be effected
between executing programs interpretively and
placing restrictive demands upon the person writing
the program segments. As this is not directly relevant
to the allocation problem, we shall not go into this any
further, but simply state:
S4 - Storage requests can be honored by scatter-loading.
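As a rough illustration of S4, a request can be satisfied from a free list using several noncontiguous pieces. The function below is a hypothetical sketch; the paper leaves the bookkeeping unspecified, and the `(start, size)` block representation is an assumption.

```python
def scatter_allocate(free_blocks, request):
    """Satisfy `request` cells from a list of (start, size) free blocks,
    possibly using several noncontiguous pieces.  Returns the pieces
    granted and the updated free list, or None if total free storage is
    insufficient.  (Illustrative only; not the paper's mechanism.)"""
    if sum(size for _, size in free_blocks) < request:
        return None                          # reject/postpone the request
    granted, remaining = [], []
    need = request
    for start, size in free_blocks:
        if need == 0:
            remaining.append((start, size))  # untouched free block
        elif size <= need:
            granted.append((start, size))    # take the whole block
            need -= size
        else:
            granted.append((start, need))    # split the block
            remaining.append((start + need, size - need))
            need = 0
    return granted, remaining

pieces, free = scatter_allocate([(0, 4), (10, 3), (20, 8)], 6)
# 6 cells come from the whole 4-cell block plus 2 cells of the next one
```

The compromise the text alludes to is that a segment granted scattered pieces must either be written to tolerate them or be run with some interpretive address editing, which is why the paper declines to pursue the mechanism further.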

Resources to be allocated
The resources are to be allocated with the object
of optimizing the performance of the total system.
Priorities notwithstanding, overall system considerations will always override the considerations relative
to a particular job. Thus, we do not intend to turn over
control of all of the resources to jobs for fixed periods
of time; the resource allocation algorithms will do
their juggling on the basis of the whole picture at a
given instant.
The system design is governed by two types of
timing considerations: optimization with respect to
total elapsed time, for all of the jobs currently on
the computer, and optimization with respect to the
average response time within a step, for each job and
each console. No guarantee is made that every step
along the line will receive a response within a certain
allotted time span regardless of what is happening at
the other consoles, not even if the particular job has
the highest priority level; rather, it is hoped that long delays
will be rare, and that the higher the priority the less
frequent the delays. In fact, the internal priority of
a given task for a given job will be a function of both
its initial (external) priority and of the amount of
time that has elapsed since the initiation of the step
to which the task relates.
The first of the resources that will be allocated
explicitly is that of core storage. When a job requests
storage from the system, the monitor has to consider
the following:
• Is enough free storage available to satisfy the
request?
• Suppose that the request is granted, will the job
make storage available to the rest of the system
(because it is now able to run to a conclusion),
thus freeing not only the area just granted, but
other areas as well?
• Will the job be making additional requests for
storage, and if so will the system be able to
satisfy these requests?


• How will granting this request affect the storage
requirements of the other program segments that
are currently in core but are unfinished?
Of course, the monitor will expect each program
segment to carry enough information about its own
storage requirements to be able to answer all of these
questions.

[Flowchart: segment S requests N storage cells. Are there N cells of free storage available? If no, reject. If yes, make a tentative storage assignment for segment S as requested; compute the new usable storage profile (US); find the maximum single future need of any one of the segments currently in core (MAXNEED). Does MAXNEED fit into US? If yes, grant. If no, is segment S already in core, or is it about to be loaded? If already in core, reserve storage for all of the future needs of S; if about to be loaded, reject.]

Figure 1 - Processing storage requests

Another resource that has to be allocated carefully
is that of access to the I/O devices. Although typically
the hardware configuration is quite complex and varies
from system to system, the only devices in the generalized system whose scheduling vitally affects the performance of the system are the random-access-memory (RAM) units. Without loss of generality it shall
be assumed that only one RAM unit is on-line, and
that its storage capacity is infinite. This device consists of cylinders, each of which is capable of containing many records. Associated with each I/O activity is
a seek time, which we shall define as the time it
takes the RAM unit to respond to the I/O command
before it can commence data transfer. (We are neglecting such things as latency times and read/write
head selection times, which are small compared to
seek times.) The seek time depends on the distance
from the current cylinder to the one where the I/O
is to take place, and is zero when the distance is zero.
To optimize the overall system performance, the
monitor will try to schedule the order of operations
on the RAM unit so as to minimize the total seek
time. Although good data organization can effect
great savings in the total seek time, the monitor will
assume that records are to be accessed in a completely
random order. If the users take the trouble to organize
the data carefully they will be rewarded by faster
response, but no such effort is demanded of them by
the monitor.
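One common greedy way to order queued accesses under this seek-time model is to serve, at each point, the request closest to the current cylinder. The sketch below illustrates that general idea; it is not the paper's stated scheduler, and the function name and absolute-distance cost are assumptions.

```python
def schedule_ssf(current, queued_cylinders):
    """Greedy shortest-seek-first ordering of queued cylinder requests.
    Seek cost is modeled as the cylinder distance, zero when the distance
    is zero, matching the simplified RAM model in the text."""
    pending = list(queued_cylinders)
    order, total_seek = [], 0
    pos = current
    while pending:
        nxt = min(pending, key=lambda c: abs(c - pos))  # nearest request
        pending.remove(nxt)
        total_seek += abs(nxt - pos)
        order.append(nxt)
        pos = nxt
    return order, total_seek

order, cost = schedule_ssf(50, [10, 55, 52, 90])
# visits 52, 55, 90, 10 for a total seek of 2 + 3 + 35 + 80 = 120,
# versus 40 + 45 + 3 + 38 = 126 if served in arrival order
```

A greedy rule of this kind can starve a distant request indefinitely, which is one reason the paper folds elapsed time into each task's internal priority.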
The last resource that the system monitor will have
to allocate among the several jobs is that of control
of the central processor. Because of RL3, only one
job can actually be running on the machine at any
moment (apart from the I/O activity that may be
going on simultaneously). The system monitor therefore has to decide (at various decision points in the
course of operation) to which program segments
control is to be transferred.

The core storage allocation problem
As already indicated, the processing of requests
for storage is a complex affair. It must be remembered
that as a result of P5 and RL2, each program segment
which is in core or is about to be placed in core for
execution has two kinds of storage requirements:
( 1) immediate storage for the string of code that makes
up the body of the segment and for its immediate
working storage and (2) future storage that the segment may yet require before it can come to an end
but which it can currently do without.
If storage were to be reserved for each program
segment at the time of its loading, there would be no
particular allocation problem. When the monitor
decided that the services of some given program
segment were desired, it would try to load the segment. If enough storage were available at that time
for all of the segment's needs, the segment would be
loaded; otherwise, the loading would be postponed
until a more propitious time. However, this mode of
operation would mean that the system is not operating at the full capacity of the computer, and that much
of the storage that might otherwise be used profitably
by another job is being wasted.
Since we reject the "simple-minded" approach,
we have to deal not only with the problem of fitting
in the immediate needs of the segment at the time of

its loading, but also with the problem of making
certain that all of its later storage demands can be
satisfied so that it can reach a conclusion and be removed from core. Moreover, the adoption of specification S1 prohibits us from satisfying these demands
at the expense of some other program segment in core
at that time.
In designing an allocation algorithm, care must
be taken not to over-process. The elegance of any
given scheme must be weighed against the storage
requirements of the algorithm itself and against the
time it takes the computer to execute the algorithm.
It is possible to come up with an excellent resource
allocation algorithm which unfortunately consumes
most of these resources itself. A good algorithm
should allow storage to be allocated efficiently and
quickly in the common cases while at the same time
making sure that when extreme cases arise they are
taken care of (no matter how inefficiently). The
algorithm outlined here is an attempt to proceed along
these lines.
Several definitions are now in order. Any storage
area that is unused (at the time under consideration)
will be called free. If an area of core is at this time
being used by a program segment, but that segment
will be able to come to a conclusion without requiring
any additional storage (thus freeing the area for the
rest of the system), the area in question will be called
storage-in-waiting, abbreviated SIW. Free storage
and SIW together form usable storage. All storage
which is not currently usable will be called occupied.
The procedure for determining whether there is
sufficient room for a segment is to match the segment's immediate needs against the free storage, and
its future needs against the left-over usable storage
(which is guaranteed to become free at some later
time). Segments will be loaded, even though at this
moment in time they cannot run to a conclusion due
to lack of space, as long as storage to satisfy their
needs will become available eventually. Reserving
storage is to be avoided whenever possible. The key
to proper allocation is the division of each segment's
needs into immediate and future, and taking the interplay of aggregate future needs into account.
This is accomplished as follows. When the system
monitor receives a request for storage, it first checks
the available free storage to see if the request can be
accommodated. If not, the request is rejected (postponed) without further ado. Assuming that sufficient
free storage is available, a tentative storage assignment satisfying the request is made. The storage
needs of this particular segment are (tentatively)
updated, and new SIW and usable storage profiles
for the system are computed. Next, the monitor obtains an estimate of the future needs of the entire
system by computing the largest of the future needs
of any single segment currently in core, including
the segment about to be brought in (if the storage
request is being made in order to bring in a new program segment). This largest future requirement is
matched against the new usable storage. If the usable
storage is sufficient to accommodate the future needs
of every one (but not necessarily more than one) of
the segments currently in core, the storage situation
is adjudged to be favorable, the tentative storage
assignment is made permanent, and the request is
granted. This takes care of the great majority of the
storage requests.
If, on the other hand, the maximum load is too big
to be handled by the available usable storage, the
storage situation is deemed unfavorable, and we have
to consider the circumstances of the request. If
the request is being made in order to bring in a new
program segment, the request is rejected. New segments generally tend to increase the total load on the
system; in fact, bringing in a new program segment is
the only way that the load can be increased. Such
rejection will follow any indication that the system
may hang up if the new segment is admitted at this
time, and not just those cases where hanging up is
a certainty.
Assuming that the request has been made in order
to accommodate the additional storage needs of some
segment already in core, we know that its storage
needs have been considered when it was first loaded,
and that the request should be granted. It cannot,
however, be granted without some precautions,
since we took into account the needs of only one (the
"hungriest" one) of the segments, and hence have to
make sure that the monitor does not attempt to divide
the available storage among several segments, ending
with insufficient storage for any of them. At
this time a subset of usable storage is reserved for
all of the future needs of the segment that is requesting storage. The free storage involved becomes part
of the segment; any SIW storage involved will become
part of the segment as soon as it becomes available.
(See Figure 1.) All of the segment's future storage
needs are thus taken care of, the segment will not be
requesting any additional storage from the system,
and hence by definition all of the area occupied by
the segment becomes SIW. The net effect of granting
the storage request on the system is one of increasing the usable storage. (This apparent paradox comes
about as follows: If we were only concerned with
maximizing usable storage, we would always reserve
storage for a segment at the time of its loading.
The effect of any reservation is a loss in the flexibility in the order of execution of various independent
tasks, leading to a less efficient use of the other
system resources. Thus, increasing usable storage
can only be done at the cost of possibly not being
able to later execute the segment that is "right" for
that moment, a kind of "law of conservation of resources.")
The fact that storage is reserved for the segment
means that the segment has to wait for it to become
available, and cannot make use of any other storage
that may in the meantime have become free. In very
extreme cases it may happen that there are several
segments waiting for the same area, and that we have
set up a hierarchy as to the order of execution of
these segments, regardless of other factors. This
is not particularly disturbing, since the chain of circumstances leading to this situation will arise very
rarely. It might be pointed out that even in the worst
possible cases the system will be operating at least
as efficiently as it would have been had we decided
to reserve the necessary storage for every segment
at the time of its loading.
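The admission test and the reservation rule can be rendered as a short sketch. The function, its names, and its return codes are our own illustration of the rules above, not code from the LACONIQ monitor:

```python
def handle_request(immediate, future, free, usable, future_needs, is_new_segment):
    """Decide a storage request following the rules described above (sketch).

    immediate    - cells the request needs right now
    future       - cells the requesting segment will still need later
    free         - currently free cells
    usable       - free cells plus storage-in-waiting (SIW)
    future_needs - future needs of the other segments already in core
    """
    # Immediate needs are matched against free storage only.
    if immediate > free:
        return "rejected"                 # postponed without further ado
    # Tentative assignment: recompute the usable-storage profile.
    remaining_usable = usable - immediate
    # The system's future load is estimated by its hungriest single
    # segment, counting the segment this request is for.
    max_future = max(future_needs + [future])
    if max_future <= remaining_usable:
        return "granted"                  # favorable: assignment made permanent
    if is_new_segment:
        return "rejected"                 # never admit a segment that may hang the system
    # An in-core segment was vetted at load time: grant the request, but
    # reserve usable storage for all of its future needs so the monitor
    # cannot split that storage among several segments.
    return "granted-with-reservation"
```

With A's 1,000 SIW cells and B's outstanding 1,500-cell future need (the example discussed next), loading D returns "granted" while either version of C returns "rejected".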
An example will help illustrate the operation of the
algorithm and the motivation behind the adopted
conventions. Let us suppose that at some time
t0 program segments A and B are both in core. Program A occupies 1,000 cells, and will not require any
more storage before it is done; B occupies 500 cells
and will require an additional 1,500 cells; 1,000 cells
are currently free. If B were to request the 1,500
cells at time t0, the request would of course be rejected
since the area is not available. However, we know
that eventually A will be finished, and then B will
be able to get its storage.
Let us suppose that it is desirable at this time to
bring into core program segment C, which is currently
residing in auxiliary memory. Segment C occupies
600 cells, and will need 2,000 more cells before it is
done. Evidently, if we bring C in now (at time t0),
there will not be sufficient room left to complete
either B or C (even after A is completed); hence, we
postpone bringing in C until a more propitious time
(i.e., until after we complete B).
If, on the other hand, at time t0 segment D wants
to come in, and D occupies 500 cells and will need
another 1,000 eventually, then D is brought in. Even
though there is no room at the present time to complete D, at some later time (t1) segment A will be done,
and then we can complete either B or D, depending
on the order in which their requests come in.
We return to the case where C wants to come in,
but this time assume that C only occupies 500 cells
while still requiring an additional 2,000 later. It
would seem that we should load C, since there would
still be enough room left to finish B (500 free locations
plus the 1,000 cells currently belonging to A which
are SIW), after which there would be room to complete C as well. Nevertheless, C is again refused
admittance, for the following reason. Suppose that
we do admit C at time t0, and that at time t1 C places
a request for 500 cells. The 500 cells are free, but
should they be granted to C then things would grind
to a halt, as there would not be enough room left to
complete either B or C. This would therefore mean
that at t0, when we are trying to load C, we also have
to make a reservation of the remaining usable space
for B. The situation becomes even messier if we have
to contend with several segments like B in core at
time t0. To avoid overcomplicating the algorithm, we
simply refuse to load C.
Note well the difference in loading D. If D is loaded
at time t0, and subsequently at time t1 D places a request for 500 more cells, the request is granted and a
reservation of the SIW space (currently held by A)
is made for D; no reservations have to be made at
time t0, and no segments other than D have to be dealt
with at time t1.
It has been assumed in this discussion that the
storage needs of segments can be satisfied by noncontiguous blocks of core. This assumption is not
crucial, and the algorithm would work with minor
modifications if the scatter-loading hypothesis S4
is dispensed with. The point is that now we have to
worry not only about the total demands of a segment,
but also about the "shape" in terms of the block
sizes.*
The input/output scheduler
Unlike the core allocator, the I/O scheduler will
not be intimately involved with individual program
segments. Instead of being concerned with the aggregate of different segments that are resident in core at
any moment in time, the I/O scheduler will be concerned with the aggregate of I/O requests in the
queue, without regard (except for priority determination) for the segments that have placed the
request. Thus, two distinct requests for I/O by the
same segment will in no way be related to each other
in the scheduling, and will be treated as if they were
placed by different jobs; in particular, their order of
execution is unpredictable.
The considerations involved in determining which
I/O operation is to be scheduled next are:
(a) Which item in the queue would make for the
lowest seek time?
*For the Lockheed system, it is assumed that the program and
data areas can be split into blocks of either 512, 1024, or 2048
bytes for noncontiguous loading; the block size is at the option
of the programmer.

(b) Which items have the highest urgency (in terms
of the time that has elapsed since the initiation
of the step leading to this request)?
(c) What are the external priorities of the jobs to
which the items pertain?
(d) Which items are most favorable from the point
of view of storage availability? (A request for
input may or may not require obtaining the
necessary storage from the system; a request for
output may or may not imply that storage is
being returned to the system.)
Having first eliminated from consideration all items
(necessarily requests for input) for which the required space is not available, the scheduler will select
from among the remaining items the best one, and
this will be the request that will next be honored.
It shall be assumed that the data transfer rate of
the RAM unit is very fast compared to the seek time.
(This assumption is implicit in our failure to include
the length of the I/O request in the list of factors to
consider in the scheduling.) Since we have also assumed that the seek time in accessing items on the
current cylinder is zero, it follows that any operation that can be performed without changing cylinders
should be scheduled first, without regard for the other
factors. If there is more than one operation that can
be done on the same cylinder, other factors may be
brought back into consideration; in practice it turns
out that this does not significantly affect system performance, and that we might as well commence the
I/O operation as soon as we find a request calling on
the current cylinder, without further scanning of the
queue.
If there are no items in the queue that call for the
current cylinder, we have to associate a numerical
weight with each item. This weight will be some function of factors (a) to (d). The item with the highest
computed weight will be scheduled next.
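The selection rule might be sketched as follows. The request fields and the linear weight function are our own illustration; the paper deliberately leaves the form of the weight function open:

```python
def next_io_request(queue, current_cylinder, now):
    """Pick the next I/O request per the rules above (illustrative sketch).

    Each request is a dict with keys: cylinder, seek_time, issued_at,
    priority, storage_ok. Returns the chosen request, or None.
    """
    # Factor (d): drop items (input requests) whose storage is unavailable.
    candidates = [r for r in queue if r["storage_ok"]]
    if not candidates:
        return None
    # Zero-seek shortcut: start the first request found on the current
    # cylinder without scanning the rest of the queue.
    for r in candidates:
        if r["cylinder"] == current_cylinder:
            return r
    # Otherwise weigh factors (a)-(c); this linear form is one possibility.
    def weight(r):
        urgency = now - r["issued_at"]                 # factor (b)
        return -r["seek_time"] + 0.5 * urgency + r["priority"]  # (a), (b), (c)
    return max(candidates, key=weight)
```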
Note that only one item at a time is being scheduled.
This is consistent with the fact that both the contents
of the queue and the storage situation may change
significantly by the time the currently scheduled I/O
operation is completed.

Also note that no explicit provisions are made to
ensure that the entire queue will eventually be
serviced. This is partly taken care of by including into
consideration factor (b), and partly by the fact that
I/O requests can be placed into the queue by program
segments only when the latter have control of the
central processor; hence reasonable care in sequencing the transfer of control from segment to segment
will ensure that every item in the queue will eventually
be acted on.


The control scheduler
The sequence in which the monitor passes control
from segment to segment is not a particularly critical
part of the overall system design. Since the system
is by hypothesis I/O bound, there frequently will be
times when every job is either waiting for access to
the RAM unit or is waiting for user input, with the
central processor being idle. The extent of the mutual
interference between different users will ultimately
be determined by how long each job has to wait for
the I/O devices, rather than the availability of
the central processor.
One possible way to proceed in trying to schedule
the control transfer is to compute (at time to) for
each job not currently in a "wait" state an internal
priority function which will depend both on the external priority of the job and on the time that has
elapsed since the job last had control (measured
against some real time standard). Control would
be given to the job with the highest internal priority.
The internal priority function should rise sharply when
the elapsed time passes some critical value, so that
no job is left waiting too long regardless of priorities.
This scheme would guarantee that every job will
eventually gain control, but will generally allow jobs
with higher external priorities to gain control sooner.
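One possible shape for such a scheme (the constants and the linear form are illustrative only; the text requires nothing more than a sharp rise past a critical elapsed time):

```python
def internal_priority(external_priority, elapsed, critical=2.0):
    """Internal priority that rises sharply once `elapsed` (time since the
    job last had control) passes a critical value - an illustrative form."""
    base = external_priority + elapsed
    if elapsed > critical:
        # sharp rise so that no job waits too long regardless of priorities
        base += 100.0 * (elapsed - critical)
    return base

def dispatch(jobs, now):
    """Give control to the runnable job with the highest internal priority.

    Each job is a dict with keys external_priority, last_ran, and waiting
    (True while the job waits for RAM-unit access or user input)."""
    runnable = [j for j in jobs if not j["waiting"]]
    return max(runnable,
               key=lambda j: internal_priority(j["external_priority"],
                                               now - j["last_ran"]),
               default=None)
```

Here a job of external priority 1 that has waited four time units beats a priority-10 job that ran a moment ago, so every job eventually gains control.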

CONCLUSION
The Lockheed LACONIQ system was designed
along the lines indicated in this paper for the IBM
System/360 family of machines. It is intended to be
used almost exclusively in an information-retrieval
setting. The major points in the system design and
the motivation behind them are as follows:
(1) The operations for which this system is designed
largely involve accesses to files stored in peripheral storage, with relatively little processing of
the accessed information.
(2) Because records usually will be accessed in a
random fashion, it is desirable that the system
rather than the individual programmer schedule
the required I/O operations.
(3) Because of 2, it is desirable to have as many
jobs simultaneously in the computer as can be
fitted into core in order to minimize the seek
times of the random-access-memory devices.
(4) Because of 1, it is undesirable to dump a "core
image" of a segment into peripheral storage for
later retrieval in order to make core storage
available for other jobs.
(5) Because of inherent core storage limitations,

7

and because of the fact that the file manipulations will occasionally require that large blocks
of core storage be made available for program
segments, it is impractical to dedicate fixed
areas of core storage for each user. Instead,
core storage is pooled for the entire system and
allocated out of this pool as required.
Points (2) and (5) distinguish LACONIQ from other
on-line time-sharing systems designed for small
computers that have been created to date, such as
the MAC system4 developed at MIT for the IBM
7094, and the DARTMOUTH system developed at
Dartmouth College for a series of GE computers.
The latter two were intended for general computation-oriented use and hence make liberal use of peripheral storage devices as an extension of core
memory. It is the rather special orientation of
LACONIQ that necessitates the delicate handling
of the resource allocation problem.
Pending further experience with the system in
actual and simulated environments, it is felt that
satisfactory performance can be expected from the
360/30 with 32 thousand bytes of core storage if
not more than four users are on the computer simultaneously. A 360/40 computer with similar core
(whose performance will be tested in a simulation
study) can be expected to accommodate 12 users
at the same time. Increasing core storage should
improve system performance slightly; it is felt, however, that system performance will level off rapidly
and not be affected much by further increases in core
storage. Since the system is I/O bound, the improvements in performance will be caused largely by allowing more I/O operations to take place simultaneously; i.e., by adding more input channels to
the computer.
REFERENCES
1 J J ROCCHIO G SALTON
AFIPS conference proceedings
Vol 27 Part 1 293-305 Fall Joint Computer Conference 1965
2 D L DREW R K SUMMIT R I TANAKA R B WHITELEY
An on-line technical library reference retrieval system
American Documentation Jan 1966
3 D L DREW
The LACONIQ monitor: time sharing for on-line dialogues
to be published
4 A L SCHERR
Time-sharing measurement
Datamation 12 4 1966

Effects of scheduling on file memory
operations*
by PETER J. DENNING
Massachusetts Institute of Technology
Cambridge, Massachusetts

INTRODUCTION
File system** activity is a prime factor affecting the
throughput of any computing system, for the file
memory is, in a very real sense, the heart of the system. No program can ever be executed without such
secondary storage. It is here that input files are stored,
that files resulting as the output of processes are
written, that "scratchwork" required by operating
processes may be placed. In a multiprogrammed
computing system, there is a considerable burden on
secondary storage, resulting both from constant traffic in and out of main memory (core memory), and
from the large number of permanent files that may be
in residence. It is clear that the demand placed on
the file memory system is extraordinarily heavy;
and it is essential that every part of the computing
system interacting with file memory do so smoothly
and efficiently.

In this paper we discuss some important aspects
of file system organization relevant to maximizing
the throughput, the average number of requests serviced per unit time. We investigate the proposition
that the utilization of secondary memory systems can
be significantly increased by scheduling requests
so as to minimize mechanical access time. This
proposition is investigated mathematically for secondary memory systems with fixed heads (such as
drums) and for systems with moving heads (such as
disks). In the case of fixed head drums the proposition is shown to be spectacularly true, with utilization increases by factors of 20 easily attainable. For
moving head devices such as disks this proposition
is still true, but not dramatically so; optimistic predictions look for at best 40 per cent improvement,
an improvement attained only with serious risk that
some requests receive no service at all. The solution
lies at an unsuspected place: a method of "scanning"
the arm back and forth across the disk, which behaves
statistically like the access-time-minimizer but provides far better response than first come first served
policies.

Other analyses of drum and disk systems, but from
different viewpoints, have appeared elsewhere.1,2,3
The importance of the results obtained here is that
they are relatively independent of the behavior of
the processes generating requests.

*Work reported herein was supported in part by Project MAC,
an M.I.T. research project sponsored by the Advanced Research
Projects Agency, Department of Defense, under Office of Naval
Research Contract Number Nonr-4102(01).

**By "file memory" in this paper is meant secondary storage devices of fixed and movable head types. Drums are examples of
fixed head devices, while both fixed and movable head disks exist.
Tapes may be regarded as movable head devices.

The model of the file system

For our purposes the computing system can be
visualized as two basic entities, main memory and
file memory. Only information residing in main memory can be processed. Since the cost of high-speed
core memory is so high, there is at best limited availability of such memory space. A core allocation
algorithm will be at work deciding which information is permitted to occupy main memory, and which
must be returned to secondary memory; algorithms
for doing so do not concern us here and are discussed
elsewhere.4 The essential point is that there may be
considerable traffic between slow, secondary storage,
and fast, core storage. System performance clearly
depends on the efficiency with which these file memory operations take place. It is our concern here to
discuss optimum scheduling policies for use by central
file control.

We assume there is a basic unit of storage and
transmission, called the page. Core memory is divided logically into blocks (pages); information is
stored page by page on secondary storage devices;
it follows that the unit of information transfer is the
page. We will assume that requests for file system
use are for single pages, and that a process which
desires to transfer several pages will have to generate
several page requests, one for each page. Single-page requests are desirable for two reasons. First,
read requests will be reading pages from the disk or
drum, pages which are not guaranteed to be stored
consecutively; it is highly undesirable to force a
data channel to be idle during the inter-page delays
that might occur, when other requests might have
been serviced in the meantime. And, secondly, the
file system hardware is designed to handle pages.
By far the biggest obstacle to efficient file system
operation is that these devices, mechanical in nature,
are not random-access. This means that each request
must experience a mechanical positioning delay before the actual information transfer can begin. It
is instructive to follow a single request through the
file system. The various quantities of interest are displayed in Figure 1 and defined below.
Figure 1 - Waiting time parameters for drum

t0 - the transfer time; the time required to read
or write one page from or to file memory.
a - the access time; the mechanical positioning
delay, measured from the moment the request is chosen from the queue to the
moment the page transfer begins.
ts - the service time; ts = a + t0
Wq - the wait in queue; measured from the moment
the request enters the queue to the moment
it is chosen for service.
WF - the total time a request spends in the file
system.

The policy

Before discussing scheduling policies, we should
mention the goals a policy is to achieve. The policy
we seek must maximize throughput, and yet not discriminate unjustly against any particular request. In
addition, it must be reasonably inexpensive to implement. Since mechanical devices waste much time
positioning themselves, a policy which explicitly
attempts to minimize positioning time is suggested.
Because the file system does not operate rapidly
enough to satisfy immediately the total demand, there
is bound to be a queue. If a first-come-first-served
(FCFS) policy is in effect, the queue is in reality
nothing more than a by-product, a side-effect, of the
system's inability to satisfy too heavy demands. It
is natural to inquire whether the file system can take
advantage of opportunities hidden within the queue.
For example it might be possible to serve the last
request in the queue during the positioning delay of
the first request. Thus it is apparent that something
may be gained by examination of the entire queue
rather than just the first entry.

Figure 2 - Model of file system

In Figure 2 we see a generalized representation of
the queueing activity for a file memory system. Incoming requests are sorted by starting address into
one of the queues q1, q2, ..., qm. We will see shortly
that a drum is addressable by sectors, so in this case
there is one queue for each sector, and two requests
are in the same queue if and only if they are for the
same sector. We will see that a disk is addressable by
cylinders, so in this case there is one queue for each
cylinder, and two requests are in the same queue if
and only if they are for the same cylinder. The important point is this: each queue is associated with a
mechanical position of the storage device. The switch
is intended to illustrate the delays inherent in mechanical accessing.
If the device is a drum we may imagine that the
switch arm is revolving at the same speed as the drum
rotates, picking off the lead request in each queue

as it sweeps by. This structure is equivalent to the
following policy: choose as next for service that request which requires the shortest access time; this
policy will be called the shortest access time first
(SATF) policy. It should be clear that the FCFS
policy is less efficient because it involves longer
access times per request. It should also be clear that
SATF does not discriminate unjustly against any request.
Now suppose that secondary memory is a disk.
Due to physical constraints, it is not possible to move
the switch arm of Figure 2 between q1 and qm without
passing q2, ..., qm-1. The arm does not rotate, it may
only sweep back and forth. However it can move arbitrarily from one queue to any other. The operation
of moving the arm is known as a seek; but the policy
shortest seek time first (SSTF), which corresponds
to moving the switch arm the shortest possible distance, is unsatisfactory. For, as we will see, SSTF
is likely to discriminate unreasonably against certain
queues. In order to enforce good service we will
find that the best policy is to scan the switch arm
back and forth across the entire range from ql to
qm. We shall refer to this policy as SCAN. It will
result in nearly the same disk efficiency as SSTF,
but provide fair service. Again it should be clear
that SCAN should be better than FCFS, which results in wasted arm motion.
The drum system
Our first goal is to analyze a fixed head storage device. The analysis deals with a drum system, but is
sufficiently general for extension to other devices
of similar structure.

Figure 3 - Organization of the drum

The analysis we use is approximate, intended only to obtain the expected waiting
times, but it should illustrate clearly the advantages
of scheduling.
The drum we consider is assumed to be organized
as shown in Figure 3. We suppose that it is divided
lengthwise into regions called fields; each field is a
group of tracks; each track has its own head for reading and writing. The angular coordinate is divided
into N sectors; the surface area enclosed in the intersection of a field and sector is a page. If the heads
are currently being used for reading, they are said to
be in read status (R-status); or if for writing, they are
said to be in write status (W-status). Since there are
two sets of amplifiers, one for reading, the other for
writing, there is a selection delay involved in switching the status of the heads. Thus, suppose sector k
is presently involved in a read (R) operation. If there
is a request in the queue for a page on sector (k+ 1),
and its operation is R, the request is serviced; but if
the request is W, it cannot be satisfied until sector
(k+2), since the write amplifiers cannot be switched
in soon enough.
We suppose further that there is a drum allocation
policy in operation which guarantees that there is
at least one free page per sector. This might be done
in the following way. A desired drum occupancy
level (fraction of available pages used) is set as a
parameter to the allocator. Whenever the current
occupancy level exceeds the desired level, the allocator selects pages which have been unreferenced
for the longest period of time and generates requests
to move them to a lower level of storage (for instance
a disk). Since these deletion requests are scheduled
along with other requests, there will be some delay
before the space is available, so the desired occupancy
level must be set less than 100 per cent. A level of
90 per cent appears sufficient to insure that the overflow probability (the probability that a given sector
has every field filled) will be quite small. If this is
done, two assumptions follow: first, that a W-request
may commence at once (if the heads are in W-status),
or at most after a delay of one sector (if the heads
are in R-status); and second, it is highly probable
(though not necessarily true) that a sequence of W-requests generated by a single process will be stored
consecutively. The assumption that a W-request can
begin at once is not unreasonable, and can be achieved
at low cost.
We denote the probability that a request is an R-request by p and that it is a W-request by (1-p).
That is,
Pr[a given request is R] = p
Pr[a given request is W] = 1 - p


We suppose that the access time per request is a
random variable which can assume one of the N
equally likely values kT/N, k = 0, 1, ..., N-1,
where T is the drum revolution time, N the number
of sectors. When no attempt is made to minimize
the access time, the expected access time is

E[a] = sum(k=0 to N-1) (kT/N) Pr[a = kT/N] = (N-1)T / 2N    (1)
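Equation (1) can be checked numerically; the values of N and T below are arbitrary:

```python
# Expected access time of an unscheduled (FCFS) drum: each of the N
# sector positions kT/N, k = 0..N-1, is equally likely.
N, T = 8, 25.0                       # sectors, revolution time (ms)
expected = sum((k * T / N) * (1.0 / N) for k in range(N))
closed_form = (N - 1) * T / (2 * N)  # equation (1)
print(round(expected, 6) == round(closed_form, 6))   # the two agree
```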

Provided the allocator is functioning properly, there is a high probability these pages
will be stored on consecutive sectors. It follows that
a sizable subset of waiting R-requests, all originating
from the same process, will want information which
is stored on consecutive sectors, so that the access
times will have higher probability of being small
than a uniform distribution will assign. Although the
use of a uniform distribution simplifies our calculations, it leads to conservative answers because the
expectations obtained will tend to be too high.
If the service policy is FCFS the expected access
time is just the access time for one request:

The case k > W/2 is identical, so we need consider
only k <= W/2 by symmetry.

Figure 11 - Cumulative distribution for arm motion Fs(u)

Figure 11 is the cumulative distribution Fs(u) that
the seek time s is less than or equal to u units:

Fs(u) = Pr[s <= u]    (18)

(20)
Finally the access time is

E[a] = E[s] + T/2    (21)

Saturation and loading effects
We have said nothing about what SSTF is to do in
case of a "tie"; that is, when the minimum arm
movement is the same in either direction. Suppose
we were to adopt the rule that, in case of a tie, the
arm moves away from the center of the disk region;
in this way (we would reason) we can counteract
the effects of outer-edge discrimination. Consider
what would happen if, on the average, there were
one request per cylinder. There would almost always be a tie for a motion of one track, so that the
arm could drift to one edge of the track region and
stay there. Any requests for the opposite edge might
be overlooked indefinitely.
This possibility that there may be times when there
are many cylinder requests is the downfall of the
SSTF policy. For under heavy loading conditions,
the arm will tend to remain in one place on the disk,

Effects Of Scheduling On File Memory Operations*
and pay little or no attention to other regions. Although SSTF provides an increase in utilization, it
is not at all clear that it will provide reasonable
service to the requests. For these reasons we feel
the following policy is superior.

The SCAN policy

As we mentioned in the discussion following Figure 2, a policy which insures reasonable service to requests is the SCAN policy, in which the arm is swept back and forth between G1 and Gm, servicing any requests in the intervening queues as it passes by. We can think of operating the disk arm as a "shuttle bus" between the inner and outer edges of the track region, stopping the arm at any cylinder for which there are waiting requests.

Using average-value arguments we can obtain estimates for the utilization factor U and the waiting time WF of a single request. First assume that there are sufficiently many cylinders and sufficiently few requests that the probability of finding more than one request for a given cylinder is much less than the probability of finding just one request. This is equivalent to assuming that each waiting request falls randomly within the track region, and that when it arrives the arm is at some random position within the track region. Then the expected distance between the arriving request and the arm is W/3. Now with probability 1/2 the arm is moving toward the request, in which case the distance the arm must travel before reaching the request is W/3. With probability 1/2 the arm is moving away from the request, in which case the distance the arm must travel before reaching the request is 3(W/3) = W. Hence the expected distance the arm moves before reaching the request is

(1/2)(W/3) + (1/2)(W) = (2/3)W   (22)

Now we can determine how long it takes the arm to cross the track region. It must make n stops and do a transfer of one track at each stop. Next we obtain an estimate of the seek time per request. If there are n requests, these divide the track region into (n+1) regions of expected width W/(n+1). The seek time for one such distance is

E[s] = Smin + (Smax - Smin)/(n+1)   (23)

Assuming that, once the arm has stopped at a cylinder, there is an additional expected delay of T/2 for the starting address to rotate into position, we have for the access time

E[a] = E[s] + T/2   (24)

Since each transfer occupies one full revolution T, the expected total time to service one request, E[ts] = E[a] + T = E[s] + (3/2)T, is also the time t between stops:

t = E[a] + T = Smin + (Smax - Smin)/(n+1) + (3/2)T   (25)

Hence the time to cross the W tracks of the track region is nt, and the time WF a single request must wait is, from equation (22),

WF = (2/3)nt = (2/3)n [Smin + (Smax - Smin)/(n+1) + (3/2)T]   (26)

Example

To demonstrate the effects of scheduling, we present an example using the following parameters:

Smin = minimum seek time = 150 ms
Smax = maximum seek time = 300 ms
W = number of tracks = 30
T = disk revolution time = 60 ms
n = number of requests in queue = 10

The utilization factor, or the fraction of time spent by the disk doing useful transmission, is

U = t/(E[a] + t)   (27)

where t is the transfer time for a single request. We use t = T; that is, each transfer is a full track. Because of uncertainties resulting from possible saturation effects we do not venture to give estimates of WF under the SSTF policy. Using WF = n E[ts] under the FCFS policy, Q = 1/E[ts] for the throughput factor Q under all policies, and the disk equations just derived, we obtain the following table for the above parameters (times in milliseconds):

POLICY   E[s]   E[a]   E[ts]   WF     U (per cent)   Q (per second)
FCFS     195    225    285     2850   21.0           3.5
SSTF     113    143    203     ?      29.5           4.9
SCAN     164    194    254     1700   23.6           3.9

It is apparent that with 10 cylinders requested the expected utilization increase with SSTF over FCFS is

29.5/21.0 = 1.40


so that the gain under SSTF is a not-too-impressive 40 per cent. It is the large minimum access time, Smin, that impairs efficiency. We conclude that, since the SSTF gain is marginal, the discrimination certain requests might suffer is not worth the risk. This substantiates our claim that SCAN is preferable. SCAN exhibits an improvement of

23.6/21.0 = 1.12

or 12 per cent in utilization over FCFS; but the improvement in WF,

2850/1700 = 1.68

or 68 per cent, is well worth the cost. It means that each request sees a disk that is 68 per cent faster.
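The table's columns follow mechanically from the relations E[a] = E[s] + T/2, E[ts] = E[a] + T, U = T/(E[a] + T), Q = 1/E[ts], WF = n E[ts] under FCFS and WF = (2/3)n E[ts] under SCAN. A minimal sketch that reproduces them; the FCFS seek time of 195 ms is taken from the table (its derivation appears earlier in the paper), while the SCAN seek time is computed from Smin + (Smax - Smin)/(n+1):

```python
# Evaluate the example's disk equations (times in milliseconds).
T, n = 60.0, 10                    # revolution time, queue length
Smin, Smax = 150.0, 300.0          # minimum and maximum seek times

def columns(E_s, policy):
    E_a = E_s + T / 2              # add expected rotational delay T/2
    E_ts = E_a + T                 # add full-track transfer time T
    U = T / (E_a + T)              # utilization with transfer time t = T
    Q = 1000.0 / E_ts              # throughput, requests per second
    WF = n * E_ts if policy == "FCFS" else (2.0 / 3.0) * n * E_ts
    return E_a, E_ts, U, Q, WF

# SCAN expected seek time: Smin + (Smax - Smin)/(n+1), about 164 ms.
scan_E_s = Smin + (Smax - Smin) / (n + 1)

for policy, E_s in [("FCFS", 195.0), ("SCAN", scan_E_s)]:
    E_a, E_ts, U, Q, WF = columns(E_s, policy)
    # Small differences from the printed table are rounding.
    print(policy, round(E_a), round(E_ts), round(WF), round(U, 3), round(Q, 2))
```

SSTF is omitted because the paper gives no WF estimate for it.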
Finally note that the relative improvement

WF[FCFS]/WF[SCAN] = (3/2) [Smin + (Smax - Smin)/3 + (3/2)T] / [Smin + (Smax - Smin)/(n+1) + (3/2)T]

Figure 13 - Comparison of WF for two drum policies (WF versus queue length n, up to N-1; asymptotic slope t, intercepts T/2 and 3T/2)
approaches a maximum for

n >> (Smax - Smin) / (Smin + (3/2)T)

which is obtained under normal load conditions.

CONCLUSION

In the case of fixed head devices such as drums, we have seen that spectacular increases in utilization can be achieved by the rather simple expedient of Shortest Access Time First (SATF) scheduling. Requests serviced under the SATF policy are treated with the same degree of fairness as under the FCFS policy. Yet service is vastly improved.

We have seen that, in the case of movable head devices such as disks, the impulse to use Shortest Seek Time First (SSTF) scheduling must be resisted. Not only may SSTF give rise to unreasonable discrimination against certain requests, but also during periods of heavy disk use it would result in no service to requests far from the current arm position. Enforcing good response to requests by shuttling the arm back and forth across the disk under the SCAN policy surmounts these difficulties, at the same time providing little more arm movement than SSTF. Hence SCAN is the best policy for use in disk scheduling.
WF, the time one request expects to spend in the file system, provides a simple, dramatic measure of file system performance. Figures 13 and 14 indicate comparative trends in WF for two policies. As usual, n is the number in the queue, T the device revolution time, N the number of sectors on the drum, and Smax and Smin the maximum and minimum disk seek times respectively.

Figure 14 - Comparison of WF for two disk policies (K approximately Smin + (3/2)T, delta = Smax - Smin)

Figure 13 shows that even for small n,
WF under the SATF policy is markedly improved. The curves diverge rapidly. We call attention to the asymptotic slopes, which apply under heavy load conditions. Figure 14 leads to similar conclusions for the SCAN policy. There can be no doubt that these simple policies, SATF for drum and SCAN for disk, can significantly improve file memory operations and thus the performance of the computing system as a whole.
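The disk comparison can also be checked by brute force on queue snapshots. A toy sketch under the example's parameters, using arm travel in tracks as a proxy for seek time and holding each queue fixed while it is served: FCFS serves in arrival order, SCAN sweeps outward past the arm and then back, and the mean wait under SCAN comes out markedly smaller.

```python
import random

# A request's wait is the arm travel completed before it is served.
def mean_wait(order, start):
    pos, travelled, waits = start, 0, []
    for track in order:
        travelled += abs(track - pos)
        pos = track
        waits.append(travelled)
    return sum(waits) / len(waits)

rng = random.Random(7)
W, n, trials = 30, 10, 2000
fcfs = scan = 0.0
for _ in range(trials):
    queue = [rng.randrange(1, W + 1) for _ in range(n)]
    start = rng.randrange(1, W + 1)
    fcfs += mean_wait(queue, start)          # serve in arrival order
    # SCAN: sweep outward past the arm, then back for the rest.
    up = sorted(t for t in queue if t >= start)
    down = sorted((t for t in queue if t < start), reverse=True)
    scan += mean_wait(up + down, start)
print(round(fcfs / trials, 1), round(scan / trials, 1))
```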
ACKNOWLEDGMENT
The author wishes to thank Jack B. Dennis and Anatol
W. Holt for helpful suggestions received while composing this paper.
Appendix 1 - Expectation of the Minimum of Random Variables

Consider a set of independent, identically distributed random variables t1, t2, ..., tn, each having density function p(t). Define a new random variable

x = min(t1, t2, ..., tn)   (1.1)

We wish to determine the expectation of x, E[x]. Now,

Pr[x > a] = Pr[t1 > a, t2 > a, ..., tn > a] = (Pr[t > a])^n = [F'(a)]^n

where

F'(a) = Pr[t > a] = integral from a to infinity of p(t) dt   (1.2)

is the complementary cumulative distribution for t. Using the fact that

E[x] = integral from 0 to infinity of Pr[x > u] du   (1.3)

we have

E[x] = integral from 0 to infinity of (F'(u))^n du   (1.4)
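Equation (1.4) can be checked numerically. For n independent exponential variables with unit mean, F'(u) = e^(-u), so the integral gives E[x] = 1/n; a quick Monte Carlo sketch agrees:

```python
import random

# Check equation (1.4) for t_i ~ exponential(1): F'(u) = exp(-u),
# so E[x] = integral of exp(-n*u) du over (0, infinity) = 1/n.
def sample_min(n, trials=200_000, seed=1):
    rng = random.Random(seed)
    return sum(min(rng.expovariate(1.0) for _ in range(n))
               for _ in range(trials)) / trials

for n in (2, 5, 10):
    print(n, round(sample_min(n), 3), 1.0 / n)   # estimate versus 1/n
```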

APPENDIX 2 - Analysis of SATF Policy

Consider the SATF policy. As indicated by Figure 5, the distribution function for access time is

Fa(u) = 0 for u <= 0;  Fa(u) = 1/(2N) + u/T for 0 < u <= a;  Fa(u) = 1 for a < u

From Appendix 1, the expected minimum access time among n requests, when all are of the type the heads are positioned to service, is

ER[a] = (T/(n+1)) (1 - 1/(2N))^(n+1)

Now suppose the heads are in R-status with no R-request for the present sector, and that k of the n requests are W-requests; this case occurs with probability

(1 - 1/N)^k (n choose k) p^k (1 - p)^(n-k)

Since this is true for each k = 0, 1, ..., (n-1), we must sum over k:

sum over k from 0 to n-1 of (n choose k) [p(1 - 1/N)]^k (1 - p)^(n-k)
  = [1 - p + p(1 - 1/N)]^n - p^n (1 - 1/N)^n
  = (1 - p/N)^n - p^n (1 - 1/N)^n

Hence the probability

Q = Pr{no R-request for the present sector and heads in R-status and at least one W-request}

is

Q = p [(1 - p/N)^n - p^n (1 - 1/N)^n]   (2.6)

But Q is just the probability that the access costs an additional T/N. Collecting together the results of cases 1 and 2 we see that

E[a] = ER[a] p^n + (T/N) Q   (2.7)

so that

E[a] = (Tp/(n+1)) (1 - 1/(2N))^(n+1) + T(1-p)/N + (T(1-p)/(n+1)) p^(n+1)   (2.8)

which concludes the derivation.

APPENDIX 3 - Analysis of SSTF Policy

From Figure 11 we have for the distribution function of the arm movement for one request, conditioned on the arm moving, a ramp of slope p beginning at (p/2)(2k-3) when the head is at position k < W/2; by symmetry (Figure 9) the same holds for k > W/2 with k replaced by (W-k). From Appendix 1, the expected minimum seek time is

E[s] = integral of (1 - (p/2)(2k-3) - pu)^n du   (3.2)

This integration is straightforward, so we do not reproduce it here. The result is

E[s] = 1/2 + (1/(p(n+1))) (1 - [1 - (1 - 2p(k-1))^(n+1)] / (2p(k-1)(n+1)))   (3.3)

Equation (3.3) applies for k < W/2. By symmetry (Figure 9) it applies for k > W/2 if we replace k by (W-k). The case k < W/2 occurs with probability 1/2, and so does the case k > W/2. Hence, collecting terms in equation (3.3),

E[s | k < W/2] = 1/2 + (1/(2p(n+1))) [1 + (1 - 2p(k-1))^(n+1)]   (3.4)

By symmetry, E[s | k > W/2] is the same with k replaced by (W - k + 1). Then

E[s] = (1/2) E[s | k < W/2] + (1/2) E[s | k > W/2] = E[s | k < W/2]   (3.5)

Now, recalling that the head position k is assumed to be uniform over the values k = 1, 2, ..., W, we can approximate its distribution function by a ramp of slope 1/W from 1/2 to W + 1/2. Conditioning on k < W/2, we can approximate the conditional distribution by a ramp of slope 2/W from 1/2 to (W+1)/2. Therefore we integrate (2/W) E[s | k < W/2] on the interval [1/2, (W+1)/2]. The result is, using p = 1/(W-1):

E[s] = 1/2 + ((W-1)/(2(n+1))) [1 + (1/(n+2)) (W/(W-1))^(n+1)]   (3.6)

Recalling that this is conditioned on the arm moving, we remove this condition by multiplying by the probability that the arm moves, and obtain the following:

E[s] = ((W-1)/W)^n {1/2 + ((W-1)/(2(n+1))) [1 + (1/(n+2)) (W/(W-1))^(n+1)]}   (3.7)

Noting that the time required for (W-1) tracks is Smax, and the time for one track is Smin (if the arm moves), we have for the expected minimum seek time when n are in the queue:

E[s] = ((W-1)/W)^n {Smin + ((Smax - Smin)/(2(n+1))) [1 + (1/(n+2)) (W/(W-1))^(n+1)]}   (3.8)

which concludes the derivation.

REFERENCES

1  A WEINGARTEN
   The Eschenbach drum scheme
   Comm ACM Vol 9 No 7 July 1966
2  D W FIFE  J L SMITH
   Transmission capacity of disk storage systems with concurrent arm positioning
   IEEE Transactions on Electronic Computers Vol EC-14 No 4 August 1965
3  P J DENNING
   Queueing models for file memory operations
   MIT Project MAC Technical Report MAC-TR-21 October 1965
4  L A BELADY
   A study of replacement algorithms for a virtual-storage computer
   IBM Systems Journal Vol 5 No 2 1966
5  T L SAATY
   Elements of queueing theory
   McGraw-Hill Book Co Inc pp 40 ff New York 1961

Address mapping and the control
of access in an interactive computer*
by DAVID C. EVANS
University of Utah
Salt Lake City, Utah**

and
JEAN YVES LECLERC
109 rue St. Dominique
Paris, France

*This work was sponsored by the Advanced Research Projects
Agency, Department of Defense, under contract SD-185.
**Formerly of the University of California, Berkeley

INTRODUCTION
Computer system designs have attempted to maximize
machine utilization (sometimes called efficiency)
without regard to other important factors including the
human effort and elapsed time required to solve problems. In recent years some computing systems have
been developed which provide communication and
control means by which users can interact with their
own computing processes and with each other. Initial
use of these systems has demonstrated their superiority in computer-aided problem solving applications. These interactive computing systems are mainly adaptations of conventional computing systems and
are far from ideal in many respects. This paper describes a much improved mechanism for protection,
address mapping, and subroutine linkage for an interactive computing system.
The user of a computing system should be able to
interact arbitrarily with the system, his own computing
processes, and other users in a controlled manner.
He should have access to a large information storage
and retrieval system usually called the file system.
The file system should allow access by all users to
information in a way which permits selectively controlled privacy and security of information. A user
should be able to partition his computation into semi-independent tasks having controlled communication
and interaction among the tasks. Such capability
should reduce the human effort required to construct,
debug, and modify programs and should make possible

increased reliability of programs. The system should
not arbitrarily limit the use of input/output equipment
or limit input/output programming by the user.
The system capability specified above is available
to some degree in present computing systems. The
particular limitations to which this paper is directed
are the following:
(1) The familiar memory protection systems limit
or control access to specified regions of physical
memory or to specified units of information.
The actual system need is to control the various
access paths to information. For example, at
one time a particular segment of information
may be a procedure for execution only to itself,
a data segment to a debugging program, and
entirely inaccessible to the other segments in
memory.
(2) In order to protect the input/output equipment
from unauthorized use, most multiple-access
computing systems deny all direct access to
input/output equipment by user programs. The
system described permits selective controlled
access without limit as authorized by the executive system. For example, a user may be given
unrestricted use of a magnetic tape unit without
hazard to other users or to the system.
(3) Most systems require modification of procedures by program to bind segments together for
a computing process. This is usually done by
means of a "loading routine." The system described permits arbitrary binding at run time
with no modification of data or procedure and
no compromise in protection of information.
(4) It is often the case that a computing task is made
up of a number of semi-independent computing
processes which should operate concurrently
with only limited interaction. Familiar computing systems do not provide a convenient
means for handling such cases.
Before examining the mechanisms proposed let us
examine a computing process. We may think of a process as an activation of a procedure which operates on
other elements of information. We call these elements
parameters and the procedure itself the base parameter of the process. Each parameter may be a simple
element, such as a data element, or may be a compound element, such as another procedure with its parameters. Ordinarily, elements of a process as described are segments of information from the file system. Segments either may be private to a single process or user or may be shared among users or processes.
The subject of this paper is a mapping mechanism
by which procedures are bound to their parameters at
execution time without modification or relocation.
Three functions are performed by means of this single
mechanism. (1) It permits each procedure to see its
parameters through a map which defines the relationship between its own address space and the address
spaces of its parameters. (2) It permits the user (or
the process) to selectively control access to information on every access path. (3) It permits selective
control by the user and the system of access to processing resources, including input/output equipment
and instructions.
Several address mapping schemes have been described previously which do not provide all of the desired capability.1,2,3,4,5 The most serious defect of such schemes is that access to a segment of information depends solely on that segment of information; but, as will be justified later, it should depend on the access path from the parameter making the access to the parameter being accessed.

Computing processes and addressing spaces

Before examining computing processes and their control, we will make the following definitions:

Segment

Information is stored in a file system. The basic entity of the file system is a segment, which is an ordered collection of information having a symbolic name, as in the terminology of J. Dennis.4 Examples of such segments might be the body of a procedure, an array, a pushdown stack, a free storage list, or a string storage block. A segment may be a portion of another segment or may be a set of segments each of which also has a symbolic name.

Parameters and parameter spaces

The relation between two segments depends on those two segments and not only on the called segment. For example, consider the debugging program DDT and the program P:
P may not write on P,
DDT may write on P,
DDT may not write on DDT, and so on.
The user should be given tools which permit him to establish the proper relations between segments.
The structure of a computing process may be represented as a tree; consider the structure represented in Figure 1. In this structure the procedure segment named P1 may directly access the procedure segment named P2 and the data segments named S1 and S2. The procedure segment P2 may directly access the data segment S1. In the example shown it is not necessary for P1 to refer to S1 by the same addresses as are used by P2 to refer to S1.
We have chosen the following more convenient notation, an adaptation of a functional notation due to von Neumann, to represent information of the type shown in Figure 1. If the computing process of the figure is called α, it is represented in the notation as

α: (P1, (P2, S1), S1, S2)

This may also be represented in a less condensed way:

α: (P1, β, S1, S2)
β: (P2, S1)

The three representations are equivalent.

Figure 1 - The representation of the access paths of a computing process
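The two forms of the notation can be mirrored directly with nested tuples; a small sketch (the dictionary of named spaces and the expand routine are illustrative, not part of the paper's system):

```python
# Condensed form: the parameter space beta is nested in place.
condensed = ("P1", ("P2", "S1"), "S1", "S2")

# Expanded form: beta is named and referred to by name.
spaces = {
    "alpha": ("P1", "beta", "S1", "S2"),
    "beta": ("P2", "S1"),
}

def expand(space, table):
    """Replace each named parameter space by its own expansion."""
    return tuple(expand(table[p], table) if p in table else p
                 for p in space)

print(expand(spaces["alpha"], spaces))
```

Expanding the named form of alpha recovers the condensed form, which is the sense in which the representations are equivalent.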

Consider now the procedure segment P1. It may be represented as

(P1, F1, F2, F3)

where P1 is called the root parameter and F1, F2, and F3 are formal parameters of the procedure. If the procedure P1 is to be executed, it is necessary that actual parameters be assigned in place of the formal parameters F1, F2, and F3, as has been done in the expression

(P1, β, S1, S2)

It may be seen that an actual parameter may be a simple segment, as is S1, or it may be a compound structure, as is β.
Each segment (either a procedure or data segment)
may refer to other segments. These segments are the
"parameters" of the given segment which is called
the root segment. Such a segment S0 with its associated actual parameters S1, S2, S3, ... SN is written, as before,

(S0, S1, S2, ... SN)

and defines a "parameter space."* Two parameter spaces having the same root segment are different if any parameter is different. The root segment of a parameter space is always fixed and sees itself as parameter number 0. It references other parameters with the numbers 1, 2, 3, ... N. Every address appearing in the
memory of the computer (e.g., in instructions) will
refer to such a parameter space in the form
PARAMETER, DISPLACEMENT
where DISPLACEMENT identifies an element of a
parameter. The parameter space to which an address
is relative will be called the "source" of that address.
Note that a parameter space may be a parameter of
a parameter space. In the example given, β is a parameter space which is a parameter of the parameter space α.
There are several kinds of parameters: A parameter may be fixed for that parameter space or may
be a dummy parameter which is changed every time
the parameter space is entered. A parameter may be a
scratch segment in which case every time the parameter space is entered, the system assigns a fresh copy
of the scratch segment for temporary storage, which is
released when the program returns from the parameter space. Such a parameter should be declared, but
the user can rely on the system for getting fresh copies.
This can save space in the secondary memory, because a pool of scratch segments can be shared by the
*The term parameter space subsumes the term subprocess of reference 6.


system among the many users of such segments.
User space

Each parameter space which has been defined is
given a number for identification. The number is
assigned by the system and has no meaning to the
users. Each segment which is not the root segment of
a parameter space is considered to be a parameter
space and is also given a number. These parameter
space numbers are the addresses of the parameter
spaces in "user space." It is necessary for the system to know the identity of the parameter space to
which an address is relative. An address in user space
has three components.

SOURCE, PARAMETER, DISPLACEMENT.
An address in user space is an unambiguous address
specification which will be used explicitly in subroutine linkages. Users may freely manipulate parameter space addresses without hazard to the system or
to other users in the system described in this paper.
Operations on user space addresses must be limited
by the system to assure the system integrity and to
protect the computing processes of users from accidental or intentional damage by other users.
1. A process may request and receive the information which specifies the status of an immediate
dependent.
2. A process may transmit an interrupt signal up
the hierarchy which will be received and acted
upon by the first superior process in which the
corresponding interrupt is armed. If no process
in the user's hierarchy of processes is armed, the
interrupt will be acted upon by the system itself.
3. Processor-generated interrupt signals indicating
faults, attempted violations of protection or
other information may be transmitted up the hierarchy as in No.2 above.
It is evident from the above that there are two means
for defining communications among processes. Each
process should be armed for the desired interrupt
signals. The desired common data segments should be
assigned so that processes may obtain messages from
other processes. A process may have the capability
to alter its priority or its interrupt arming.
Dynamic binding
Binding is the assignment of actual parameters to a
parameter space. In traditional computing systems
the only space which exists at execution time is the
physical address space. Binding is done in the physical
address space before execution by a program called
loader, assembler, or compiler which modifies the

26

Spring Joint Computer Conf., 1967

stored addresses. In the system described, the mapping hardware binds parameter spaces at execution
time with no modification of the addresses stored in
memory and without the sacrifice of protection that
results when conventional base registers are used for
the binding.
When a parameter space is entered it is not always
completely defined. The definition is complete when
all formal parameters in the parameter space have
been replaced by actual parameters. An actual parameter may, of course, be a value, a data segment, a procedure segment, a parameter space, or some descriptor of the parameter. This may be accomplished by
the transmission of some information from the calling
parameter space to the called parameter space as in
the transmission of arguments to a subroutine, or it
may be accomplished by the execution itself.
The mapping functions
The address of any item is uniquely defined in user
space by the three components
SOURCE, PARAMETER, DISPLACEMENT
During execution these three components are always
known although only the parameter and displacement
components are stored in the text of the procedure.
The mapping function translates addresses from user
space to physical address space. The mapping function
may be implemented in any of several forms. Only one
implementation will be described in this paper. Alternative implementations are described in reference 6,
and their relative merits are examined.
In the implementation described, it is assumed that
a conventional paging strategy as described in reference 1 is used for memory allocation. In this scheme
the physical memory is partitioned into a set of uniform sized blocks. The physical address may thus be
represented by two components,
BLOCK, LINE
where BLOCK is the number of the physical partition and LINE is the number of the element of the
block. Block size is determined by the same criteria
as in other paged memory systems.
An associative implementation of the address translation map is shown in Figure 2. The address in user
space is stored in registers marked SOURCE 0,
PARAMETER, DISPLACEMENT. The PARAMETER, DISPLACEMENT portion is contained in
the address field of an instruction as stored in memory
or an instruction address register. The DISPLACEMENT field has been partitioned into subfields called

Figure 2 - Associative implementation of address translation map

PAGE and LINE. A page of information is stored in
memory in a block. In order to understand the operation of the map consider the address structure used as
an example in part B. There are four parameter
spaces:
α: (P1, β, S1, S2)
β: (P2, S1)
γ: S1
δ: S2
Consider that the information is stored in the blocks of
physical memory as indicated in Figure 3.
The segment P1 is one page in size and is stored in block 6. The segment S1 requires two blocks for storage; page 0 is stored in block 1, and page 1 is stored in block 3. Other segments are stored as indicated.
This storage allocation and address structure is
represented in the address transformation map as
shown in Figure 2. The first line of the map represents the parameter P1 of the parameter space (source) α. Any address retrieved from P1 when accessed through this table entry is relative to the parameter space α, as indicated in column 4 of the first row.

Figure 3 - Representation of storage assignment in physical memory

The information
is stored in block 6 of memory as indicated in column 6. The second line represents parameter 1 of parameter space α, which is parameter space β. The only part of the parameter space β which is directly addressable from α is P2, the root parameter of β, which is a one page segment stored in block 5. Each page of every parameter space is similarly represented by a row in the table.
Consider now the use of the mapping mechanism. If execution is to begin with the Kth instruction of P1, the instruction location registers are set as follows:

SOURCE 0 = α, PARAMETER = 0, PAGE = 0, LINE = K

The associative memory represented by the table uses SOURCE, PARAMETER, PAGE as argument and selects the first line. The physical block number 6 is concatenated with the line number (K) to make the physical memory address 6,K from which the instruction is fetched. The parameter space name α from column 4 is stored in SOURCE 1.
Subsequent operation depends on the nature of the instruction fetched from memory at address 6,K. Three cases will be examined to illustrate the operation of the address translation map.

Case 1. A typical instruction for which the operand is the content of memory at the address specified in the instruction. In this case the address translation is identical to that of the instruction fetch described in the paragraph above. SOURCE 0 remains α, and the address from the instruction is of the form PARAMETER, PAGE, LINE.

Case 2. The same as Case 1, but indirect addressing is specified. Operation begins as before, but the content of memory obtained by the first access is used as the PARAMETER, PAGE, LINE of the address for the second memory access. However, SOURCE 1 is used in place of SOURCE 0 to select the parameter space for this access. For example, if the address from the instruction is PARAMETER = 1, PAGE = 0, LINE = m, INDIRECT, the first physical address accessed is 5,m and the value of SOURCE 1 becomes β. On the second access the parameter space accessed is β, as indicated by the SOURCE 1 register. Indirect addressing can be nested by this mechanism, and the parameter space for the next access after the operand is fetched is determined by the content of the register SOURCE 0, which will remain unchanged as α.


Case 3. A transfer of control instruction where the next instruction is to be taken from a new parameter space. In this case the value in SOURCE 1 is transferred to SOURCE 0 before the next instruction is accessed. For example, if the instruction is fetched from the address

SOURCE = α, PARAMETER = 0, PAGE = 0, LINE = K

the value of SOURCE 1 will be set to β as before. If the address contained in the instruction is

PARAMETER = 1, PAGE = 0, LINE = n

the address of the next instruction will be

SOURCE 0 = β, PARAMETER = 1, PAGE = 0, LINE = n

because SOURCE 0 is set to β by the content of SOURCE 1.
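The three cases can be sketched as a small table-driven translator. The rows follow the example of Figures 2 and 3 (P1 in block 6, P2 in block 5, S1 pages 0 and 1 in blocks 1 and 3); the CONTROL field is omitted, and the class and method names are inventions for illustration:

```python
# Associative map: (SOURCE, PARAMETER, PAGE) -> (parameter-space name, BLOCK).
MAP = {
    ("alpha", 0, 0): ("alpha", 6),   # P1, root of alpha
    ("alpha", 1, 0): ("beta", 5),    # P2, root parameter of beta
    ("alpha", 2, 0): ("gamma", 1),   # S1 page 0
    ("alpha", 2, 1): ("gamma", 3),   # S1 page 1
    ("beta", 0, 0): ("beta", 5),     # P2 seen from inside beta
    ("beta", 1, 0): ("gamma", 1),    # S1 page 0 seen from beta
    ("beta", 1, 1): ("gamma", 3),    # S1 page 1 seen from beta
}

class Mapper:
    def __init__(self, source):
        self.source0 = source        # space of the running procedure
        self.source1 = source        # space named by the last row used

    def fetch(self, parameter, page, line, indirect=False):
        # Case 2: an indirect access is relative to SOURCE 1, not SOURCE 0.
        key_source = self.source1 if indirect else self.source0
        space, block = MAP[(key_source, parameter, page)]
        self.source1 = space
        return block, line           # physical address BLOCK, LINE

    def transfer(self):
        # Case 3: on a transfer of control, SOURCE 1 becomes SOURCE 0.
        self.source0 = self.source1

m = Mapper("alpha")
print(m.fetch(0, 0, 4))      # instruction fetch from P1
print(m.fetch(1, 0, 7))      # a word of P2 through parameter 1 of alpha
m.transfer()                 # control passes into beta
print(m.fetch(1, 0, 2))      # beta's parameter 1 is S1, page 0
```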
Simple extension from these three cases will cover all the addressing cases, which are analogous to those of a conventional computer employing indirect addressing and indexing. The common technique of using indexing of greater range than the range of the DISPLACEMENT component of the address field in storage presents no problem.
It is clear that the capacity of an associative memory which it is reasonable to construct is too small to accommodate all the information for all users of a computing system. The same technique is therefore employed as in other computers (see reference 5): the entire map is stored in general memory, and only the currently active entries are held in the associative memory.
Reference 6 gives a detailed description of the structure and manipulation of such tables.
Use of the system by multiple users presents no
problem. One can think of users as owning parameter
spaces and being identified by the assignment of parameter space names. Some parameter spaces may be
common property and may be identified as belonging
to the system as a kind of pseudo user.
An important characteristic of this mapping mechanism is that each row of the table represents an access path. The use of this characteristic for access
control will be described in the next section.
It should also be noted that the hardware of the
mapping mechanism described is almost identical to
that of other mapping mechanisms employing small
associative memories. Its cost and speed is therefore
similar to that of the more familiar systems such as
that described in reference 5.


Access control
Protection or access control in computing systems
is usually of two kinds. Two modes of operation,
sometimes called user and monitor, exist and are distinguished by the monitor mode permitting program
access to input/output instructions and to instructions
which alter the state of the machine; these are called
privileged instructions. Access to memory is controlled by restricting access to regions of physical
memory. In systems employing memory mapping,
access control is applied to units of information called
pages or segments.
As was shown in section I.B, the desired memory
protection depends on the relationship between pairs
of parameters; it is access path protection. A conventional computing system can provide such protection by dynamic modification of protection every
time a subprogram is called and by calling the supervisor for each return to perform the inverse action.
In the system described, much better protection
may be achieved because the CONTROL entry in
each row of the map permits specific control of access
on each access path as desired. We will now show
different possible ways of providing protection.
A. If a call does not permit access to a given segment, the segment does not appear as a parameter of the parameter space. Of course, a parameter space may provide access indirectly to other
segments through one of its parameters if that
parameter is defined as the root parameter of
a parameter space with the indirectly accessible segments as its actual parameters. Each
level of access can be controlled through such
parameter spaces.
B. In each parameter space the access to each parameter may be specified independently; a particular segment may, for example, be an execute
only subroutine in one parameter space and a
data segment in another parameter space.
C. A program parameter has protected entries if it
is possible to give control to only a certain number of privileged points in it. To implement this
feature conveniently, one can reserve the first
N locations of a parameter to point to N entries
in the parameter. A protected branch instruction
to this segment must then be an indirect branch
through one of these N locations.
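The protected-entry convention of item C can be sketched as follows; the segment object and its names are hypothetical, but the rule is the one just stated: a foreign parameter space may branch into the segment only indirectly, through one of the N reserved entry locations.

```python
# A program segment whose first N locations point to its N legal entry
# points; a protected branch must go indirectly through one of them.
class ProtectedSegment:
    def __init__(self, entry_points, length):
        self.entries = list(entry_points)      # the first N locations
        self.length = length

    def branch_indirect(self, slot):
        """The only branch a foreign parameter space may perform."""
        if not 0 <= slot < len(self.entries):
            raise ValueError("not a declared entry slot")
        return self.entries[slot]              # target address in the segment

    def branch_direct(self, address):
        # Any attempt to enter at an arbitrary address is refused.
        raise PermissionError("direct branch into a protected segment")

seg = ProtectedSegment(entry_points=[16, 40, 72], length=200)
print(seg.branch_indirect(1))
```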

In all these cases we have considered parameters instead of segments. A segment can be a data parameter for one parameter space and a program parameter for another. A program segment can have protected entries for one parameter space and no protection for another. The real power, and perhaps the justification, of the system lies in the fact that protection is provided in the parameter spaces and not by segments, as has been done in other hardware systems. If we return to our example of a debugging program DDT and its object program P, one can conceive the following structure:

α: (DDT P.RO., β, D1 D., D2 D.)
β: (P P.RO., D1 D., P2 P.RO.PE.)

with the conventions,

P.  for program
D.  for data
RO. for read only
PE. for protected entries.

In this hypothetical situation D1 is a data segment on which P is working; D2 is a segment of tables about P which is used by DDT; P2 is a subroutine used by P and which will be supposed to be already debugged.

In the preceding we have considered the control of access to information. This is an extension of the idea of memory protection. Let us now examine use of the same mechanism to control access to processing resources. This is an extension of the ideas of privileged instructions. In the familiar systems, all instructions which under any circumstances may be hazardous for a user to execute directly are permanently forbidden to all users. Thus, for example, no user may ever make direct use through his own program of any input/output equipment or secondary storage equipment.

The access path control concept permits the same kind of flexibility of control for peripheral equipment and instructions as for information. For example, in a particular parameter space on a particular access path a user may be given access by means of his own procedure to a particular magnetic tape unit with no hazard to users of other tape units. More generally stated, the access to a particular instruction, peripheral unit, or other system capability depends on the relationship between the access path and the capability.

It may be impractical to reserve sufficient space in the CONTROL field of the map to permit the complete range of flexibility described above. A reasonable implementation is to reserve in general memory some space corresponding to each row in the table, and a single bit in each CONTROL field which, when set to 1, causes the hardware to fetch this additional control information. Control information relating to such resources as peripheral equipment, for which maximum speed is not essential, should be stored in this reserved space in memory.

Consider as another example an executive program which handles input/output of files through buffers.

Most of these operations are not really input/output,
but exchanges between buffers and the user programs.
Such an executive program requires only limited use of actual input/output instructions. It should call a subprogram having the capability to use appropriate input/
output instructions when real input/output is involved.
The protections needed here are:
A. The user program is not allowed to jump everywhere in the executive program.
B. The number a user gives must be checked as
being a real file name belonging to that user.
C. Access path protection must be provided to
input/output and peripheral equipment.
The first protection is given by protected entries. The entries correspond to the different kinds of input/output, for example character, word, block, number, string, line, and so on. The second protection can also be provided easily. Suppose the file number consists
of the segment number (in the user space or in the
parameter space of the executive program) of the
segment which constitutes the buffer for this file.
The executive program is given a parameter space in the user program. Each buffer appears for the executive program as a parameter in its parameter space.
If the file number the user gives is not really a file
number of the user, it will not appear in the parameter
space of the executive and an instruction trap will
result. This kind of protection frees the executive
from such checks. More sophisticated protection
can be given in the case where the system provides
many input/output packages. If a certain file has been
opened by a certain package in such a way that it
will not make sense to other packages, the corresponding parameter will not appear in the parameter
spaces of other packages. This does not complicate
the logic of the program which handles the memory
traps, because the same kind of situation can occur
anywhere in a user program and must be serviced.
Because errors on file numbers occur quite infrequently, an automatic protection saves much time
and programming.
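The file-number check described above can be sketched as follows. This is an illustrative model only, and the class, method names, and sample capability codes are assumptions; the essential point is that an invalid file number simply has no mapping entry, so the hardware traps and the executive performs no explicit check of its own.

```python
# Model of the executive's parameter space: the "file number" a user
# supplies is taken to be the parameter (segment) number of that file's
# buffer. A number naming no parameter has no map entry and traps.

class ParameterSpace:
    def __init__(self, name):
        self.name = name
        self.map = {}   # parameter number -> (segment, capability)

    def attach(self, number, segment, capability):
        self.map[number] = (segment, capability)

    def access(self, number):
        entry = self.map.get(number)
        if entry is None:
            # Stands in for the memory trap taken by the hardware.
            raise LookupError(f"trap: parameter {number} absent in {self.name}")
        return entry

executive = ParameterSpace("executive")
executive.attach(3, "buffer-for-file-A", "D.")   # the user's open file

assert executive.access(3) == ("buffer-for-file-A", "D.")
try:
    executive.access(9)   # not this user's file: traps, no software check
except LookupError:
    pass
```

The same mechanism gives the package-level protection mentioned above: a file opened by one input/output package simply never appears as a parameter in the parameter spaces of the other packages.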
Subroutine calls and transmissions
of arguments
The call of a subroutine usually corresponds to a
change of parameter space. The parameter space is
not always completely defined before the call. To
complete the definition some information may have
to be transmitted from the calling routine to the
called routine. This process transforms formal names
in the called space to actual names or to values. At the
time of the call it is often necessary to store some information about the calling segment in order to be
able to return to it. This information is called the
"link."


A. Links
A link consists of the address of the call. The complete address in user space which identifies the parameter space and specifies the logical address in the
parameter space must be stored. Users must not be
permitted to alter directly the parameter space name
in a link because an incorrect parameter space name
(source) may permit unauthorized access to the executive or to the computing processes of other users.
Links are stored in a protected stack-type segment which is attached to each process. A link is pushed onto the stack by a call and popped from the stack by a return.
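A minimal sketch of this link discipline follows, assuming (as the text states) that a link records the calling parameter space plus the address of the call within it, and that the stack segment is writable only by the call and return operations themselves. The class and names are illustrative, not from the paper.

```python
# Protected link stack: links are created only at call time and
# consumed only at return time, so a user cannot forge a parameter
# space name and gain unauthorized access on the way back.

class LinkStack:
    def __init__(self):
        self._stack = []   # "protected": touched only by call/return

    def push_link(self, space_name, return_address):
        # Recorded by the hardware when a call crosses parameter spaces.
        self._stack.append((space_name, return_address))

    def pop_link(self):
        # Consumed by the return instruction.
        return self._stack.pop()

links = LinkStack()
links.push_link("alpha", 41)   # call out of parameter space alpha
links.push_link("beta", 7)     # nested call out of beta
assert links.pop_link() == ("beta", 7)
assert links.pop_link() == ("alpha", 41)
```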
B. Transmission of arguments
An argument of a subroutine may be an entire
segment, a portion of a segment, or a value. The
mapping we have thus far described is adequate for
the first two categories. It can, however, be extended
for the other category. When transmitting arguments
it is necessary to transmit information about their
addresses as well as the capabilities attached to these
arguments. These capabilities may be specified by
the map of the calling routine and by the formal parameter in the new parameter space for the called routine.
For the case where there is conflict between the two
specifications, some rule has to be designed to determine the resultant capability of the actual parameters.

Consider now the three types of arguments:
1. Entire segment
The argument is equivalent to a parameter as defined previously. The call is
P(i1, i2, i3, ..., in)
where ij is the number in the calling parameter space of the parameter number j in the called parameter space (ij = 0 means no parameter transmission).
At the time of the execution of the call, the processor
scans the parameter list and copies the information
relative to the parameter ij from the mapping table
of the old parameter space to the mapping table entry
for parameter j in the new parameter space; this information is composed of parameter space number
plus the capability.
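The copying step just described can be sketched directly. One caveat: the paper leaves open the rule for resolving a conflict between the caller's capability and the called space's formal declaration, so the "take the weaker of the two" rule below, like the function and capability names, is an assumption for illustration.

```python
# Call-time transmission of entire-segment arguments: for P(i1,...,in),
# copy the mapping entry for parameter ij of the calling space into
# slot j of the called space, combining capabilities.

CAPS_ORDER = {"RO.": 0, "D.": 1}   # read-only taken as weaker than data

def transmit(calling_map, called_formals, arglist):
    """calling_map: slot -> (segment, capability); arglist gives ij per j."""
    called_map = {}
    for j, ij in enumerate(arglist, start=1):
        if ij == 0:
            continue                        # ij = 0: nothing transmitted
        segment, actual_cap = calling_map[ij]
        formal_cap = called_formals[j]
        # Assumed conflict rule: grant only the weaker capability.
        cap = min(actual_cap, formal_cap, key=lambda c: CAPS_ORDER[c])
        called_map[j] = (segment, cap)
    return called_map

caller = {1: ("D1", "D."), 2: ("P2", "RO.")}
formals = {1: "RO.", 2: "RO."}
new_space = transmit(caller, formals, [1, 2])
assert new_space == {1: ("D1", "RO."), 2: ("P2", "RO.")}
```

Note that D1, writable in the caller, arrives read-only because the called space declared its formal parameter RO.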
2. Portion of a segment
It is often desirable to transmit only a portion of a
segment as a parameter. If this can be done, greater
capability may sometimes be given to the access path
to that portion than could be given to the entire segment. Such an argument should look like any other
parameter. Consider a segment A composed of a
vector of vectors. Suppose we call on a routine B
which operates on one vector only. The user may give
a new segment name to the selected vector which will
then be handled by the standard mechanism.
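The vector-of-vectors case can be sketched as below. This is purely illustrative: the segment table and window operation are assumptions, and the Python slice yields a copy where the real mechanism would alias the selected portion of the parent segment.

```python
# Giving a portion of segment A its own segment name lets the ordinary
# parameter mechanism grant routine B access to just that portion,
# possibly with greater capability than could be given to all of A.

class SegmentTable:
    def __init__(self):
        self.segments = {}

    def define(self, name, storage):
        self.segments[name] = storage

    def define_window(self, new_name, base_name, start, length):
        # New segment name covering only part of an existing segment
        # (a copy here; real hardware would map the same storage).
        base = self.segments[base_name]
        self.segments[new_name] = base[start:start + length]

table = SegmentTable()
A = [[1, 2], [3, 4], [5, 6]]        # segment A: a vector of vectors
table.define("A", A)
table.define_window("A_row1", "A", 1, 1)
assert table.segments["A_row1"] == [[3, 4]]   # only this row reaches B
```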


Spring Joint Computer Conf., 1967

3. Values
Sets of values can be stored in a stack segment and accessed directly.

CONCLUSIONS
The system described provides access path control
for access to information and to processing resources
in a multi-access interactive computing system. Three
benefits of this are (1) strong selective control of
access to information, (2) dynamic binding capability
at run time, and (3) elimination of arbitrary restrictions on access to peripheral equipment and processing instructions. These benefits are all implemented by one simple mechanism. The system also
provides for execution of a hierarchy of computing
processes having controlled interaction but executed
independently in time.
Although the system has not been implemented,
the hardware and the software problems have been
analyzed extensively as reported in reference 6. The
improvements are gained without substantive increases in hardware cost, and the software complexity is reduced.
Many of the system concepts have been developed
by others. What is claimed is an integrated system
design with a reasonable set of hardware-software
decisions, which is an improvement over previously
described systems.

REFERENCES
1 T KILBURN
One level storage system
Trans of the Professional Group on Electronic Computers 2 223 1962
2 R S BARTON
A new approach to the functional design of a digital computer
Proc Western Joint Computer Conference 1961
3 J P ANDERSON
A computer for direct execution of algorithmic languages
Proc Eastern Joint Computer Conference 20 184-193
4 J B DENNIS
Segmentation and the design of multiprogrammed computer systems
IEEE International Convention Record Part 3 214-225 1965
5 E GLASER J COULEUR G OLIVER
Description of the GE 645
Proc Fall Joint Computer Conference AFIPS 1965
6 J Y LECLERC
Memory structures for interactive computers
PhD dissertation University of California Berkeley June 1966, or Project GENIE document No 40.10.110 University of California Berkeley May 25 1966
7 B W LAMPSON
Reference manual time sharing system
Project GENIE document No 30.10.31 University of California Berkeley August 1 1966

The Air Force computer program
acquisition concept
by MILTON V. RATYNSKI
Electronic Systems Division, L. G. Hanscom Field
Bedford, Massachusetts

INTRODUCTION
The classic approach to the development of Air Force operational computer programs has been to award separate contracts for the hardware and for the "software" aspects of an electronic system. The integration of the hardware and the "software" into a homogeneous total system has not always been a planned certainty, primarily due to the lack of definitive management procedures and contractor guidance and control techniques for the area popularly known as "software." It was with this history in mind that a study1 was initiated to evolve a technique which would permit the following:
a. Development of contractual requirements standards to provide positive control over the contractor's effort in the development of computer programs.
b. Development of a series of principles and procedures which would be applied to the configuration management of computer programs.
c. Development of a series of design standards and specifications for use during computer program design and development.
d. And most important of all, development of an orderly process of "software" production that would assure full compatibility and timeliness with hardware production.

The "development" and "acquisition" of computer programs, as discussed in this paper, has been broadly categorized into two areas:
a. Those early events, activities and steps involved in INITIALLY acquiring the computer hardware and the related computer programs. Here is the arena for activities and problems from the viewpoint of the system manager, the system designer, and the system acquisition agency.
b. Those events and activities by the military user and implementor to maintain and constantly update the computer programs and the computer program data AFTER the initial acquisition. In this instance, the activity is primarily with the "software" implementation process from the point of view of the "software" implementor's problems within his own environment.

This paper and the series of papers to follow address themselves to area "a," that series of events and activities which involve the initial design and acquisition of computer programs and the integration of the resultant efforts into the overall system. Those activities identified in the second category, "b," are the user's activities after the system is declared operational and turned over to the user. The "b" activities involve the updating and maintenance of existing operational computer programs and the evolvement of a limited number of new and additional programs. Management procedures for the "b" activities are in the process of evolvement by the Electronic Systems Division for the U. S. Air Force and will be presented at a later date.

The objective of this paper is threefold:
1. To introduce the Air Force developed procedures for the acquisition and control of command system computer programs, based on the concept of the computer program as the end item of a definable process;
2. To suggest that the developed process is general enough to cover a wide variety of users outside the military domain; and
3. In terms of this process and the Air Force system management philosophy, to set the stage for the papers2,3,4 that follow.

The computer program as an "end item"
Classical definition of "software"
The term "software" is being removed from official
Air Force terminology because of the diversity of its
entrenched definitions; some of the more popular
definitions of "software" are as follows:

Figure 1 - The computer program as an end item: hardware divides into Contract End Items (CEIs), such as an antenna, power supply, or airframe, and Data Items (manuals, drawings, specifications); "software" divides correspondingly into Computer Program Contract End Items (CPCEIs), the tapes and card decks themselves, and Computer Program Data Items (flowcharts, listings, manuals, specifications).

1. Computer programs, together with associated
data, training materials, and the operational
personnel.
2. All computer programs, including the hardware of the computer system itself.
3. All computer programs, excluding hardware.
4. Special utility computer programs which are
supplied by the digital computer manufacturer
as part of a computer.
5. Deliverable contractor data associated with
the development and operation of system equipment.
6. System personnel, as contrasted with system
hardware.
"Software" as an end item
In order to adapt the Air Force 375 concept of
system management to "software," it was first necessary to define "software" precisely and, more specifically, to attempt to describe it in engineering and
hardware terminology. It was determined that it was
more reasonable to adapt "software" to the "375
hardware acquisition techniques," than to develop a
separate "software" management process, which in
turn would require a third or higher level management process to integrate "software" and hardware
into a total system.
Fundamental to the management of "hardware" is the readiness with which it is possible to identify an item of hardware as an End Item (a Contract End Item5) and the various paper products (Drawings, Manuals, Specifications) as Data Items. It is this philosophy which was adapted to "software," and, as depicted in Figure 1, "The Computer Program as an End Item," permitted the identification of "software" products into the more precise categories of:
(1) Computer Program Contract End Items (CPCEIs), and
(2) Computer Program Data.

It will be noted from Figure 1 that, as is the case with hardware, the computer program is now a designated, deliverable, and contractually-controlled product. The Data Items for both hardware and for computer programs are those paper products which "describe" the deliverable "end item" or describe how to use, test, or update the end item. Card Decks, although physically "paper," are essentially integral to the direct operation of the computer itself, and are not considered a Data Item per se. Both the hardware and the computer program data items have standards for their preparation; however, the distinct format and content of computer program documentation is recognized in that there are separate "standards" for hardware and separate "standards"6 for computer program data items.

Definition of contract end item (CEI)
The term "contract end item" (CEI) has been selected to identify individual design packages. A contract end item has become a very useful and common reference for program management, i.e., alignment of design responsibilities, contracts, schedules, budgets, etc. The CEIs thus represent a computer program or a level of assembly of equipment selected as the basis for management. Once the "design package" has been identified as a contract end item (CEI), this end item is then described in an individual specification.2
Experience to date with electronic command systems contracts7 has indicated that there is indeed a common basis for management when computer programs are designated as CEIs: management by the government of the contractor's efforts and management by the contractor of his own or subcontractor's efforts. An understanding by both the government
and the contractor of what is to be delivered is an
important step towards developing an orderly process
for the production of computer programs.

Figure 2 - Some commonalities between computer program end items and hardware end items

Computer programs and the 375
system management process
The basic decision that a computer program could
be defined as a Computer Program Contract End
Item (CPCEI) permitted adaptation of virtually all
the Air Force 375 System Management concepts to
the management of computer programs. Specifically,
the concepts of uniform specifications, baseline management, change control, specification maintenance,
design reviews, and a test program became as pertinent to computer programs as they are to hardware acquisition. More importantly, however, a common definition and acquisition process now assures the full and timely integration of both the equipment and the computer programs into a homogeneous military system.
There were sufficient, substantive differences between hardware end items and computer program end items to warrant the development of separate but companion procedures and standards for computer programs, and these will be described at opportune moments during this and the following papers.2,3,4 However, it was possible, in the real-world situations to which the Electronic Systems Division is constantly exposed, to adapt the "end item" philosophy of management to computer programs, and yet retain full technical integrity and full technical identity for all disciplines concerned.
Comparison of computer program end items with
hardware end items
Figure 2, "Some Commonalities between Computer Program End Items and Hardware End Items,"

portrays in a capsule form that the major technical
events and milestones, which pertain to hardware,
are also applicable directly to computer programs.
Under the Contract End Item (CEI) concept, there is
a common and understood method for specifying
the technical requirements prior to computer program design, for specifying the interfaces between
computer programs/hardware/personnel, and for the
development of sufficient computer program documentation to assure that the user can operate the system effectively.
The basic premise is that it is equally important to specify the system requirements for computer programs as it is for hardware; thus the initial common ground for both is in the System Specification. In
the normal design process for military or for commercial computer programs, both the hardware designer and the computer program designer require a
document identified as a Specification, in which the
performance/design and test requirements and/or
parameters can be detailed. Likewise, design reviews,
testing, change procedures, manuals, technical descriptions of the product are equally common to both
areas. The discussion on the system management
process that follows attempts to point out that it is
primarily due to the "commonality of approach"
by the computer program designer and the hardware
designer, that it was possible to adapt the 375 process
to computer program development.
Just as it was possible to identify common activities, it became quickly apparent that substantial differences existed too. These are listed in Figure 3, "Differences between Hardware and Computer Program End Items." Unlike hardware, computer program instructions do not "wear out." Further, it is not necessary
to build and to maintain an elaborate special production facility to produce each computer program in quantity since, regardless of its configuration, any number of copies can normally be duplicated on standard machines at small cost. Therefore, the elimination of concepts such as reliability, spare parts, quality control, and useful life required careful tailoring of the hardware-oriented management procedures to computer programs. It is felt that this goal was substantially achieved, and the following discussion on the pertinence and relative compatibility of the Air Force 375 System Management Process to computer program development is an attempt to demonstrate that, with modified procedures, the basic 375 process can readily be accepted by the computer program community.

Concept of systems management
The contemporary Air Force 375 series regulations and the AF Systems Command manuals establish the procedures for acquiring a new military capability in a finite and structured manner. These documents were intended to include all the activities and all the events necessary to assure a complete military system; however, the emphasis in the current AFSC manuals is on hardware acquisition and does not adequately identify the inherent peculiarities of "software" acquisition. The "375" technique, nevertheless, can be applied and the "software" activities readily associated with the 375 life cycle. This is the objective of the discussion following.

An overview of the Air Force
system management process
The system life cycle is divided into four phases: Conceptual, Definition, Acquisition, and Operational, as shown in Figure 4.
System management of large-scale military systems is a complex team effort, in which many government agencies and the contractors pool their resources
to balance technology, cost, time and other factors
to achieve the best performing product for the military
inventory. One of the most important points to understand about the 375 process is that it is not a new way
of life nor is it an entirely new approach to the development of a system. As stated by Gen. B. A. Schriever, the Air Force is taking advantage of the lessons learned over past years, and has formalized and standardized on a "typical" way of doing business. This is not to say that every program or project was or is intended to follow all the 375 procedures or all the processes, but that it is a "road map" of events, activities, and milestones that make sense and can save the taxpayers' dollars and the military's time. The emphasis in the Air Force has always been on the "selective use" and on the "discrete application" of these formal and standard procedures.
The final portion of this paper is essentially an introduction of a management concept for computer programming and is intended to set the stage for the papers2,3,4 that follow. The significant activities of the programming process, in terms of the four phases of a system's life cycle, with an emphasis on key milestones and key outputs, are summarized on a phase-by-phase basis.


CONCEPTUAL PHASE
Operational Requirement Identified
Initial System Concept Evolved
Design Requirements & Gross System Functions Determined
DEFINITION PHASE
System Specification Developed
Functions/Tasks Defined
Design Trade-offs Made
Specific Approach Selected
ACQUISITION PHASE
Detail Designs Completed
Tests Conducted
Contract End Items Produced
Logistics/Support Plans Activated
OPERATIONAL PHASE
System Tests Completed
System/Equip. Updated
System Turned Over to User
Figure 4 - Air Force system life cycle

The conceptual phase for
a computer program
This is the period during which new inventions,
technological advances, user requirements, time and
money, and other considerations are traded off to
define a valid requirement.
Of particular interest to computer program development is a firm delineation of the system mission,
the operational environment, interfaces, and doctrine of operational employment. For information


management and handling systems, the analyses of
the system information processing functions should
begin during the Conceptual Phase. These analyses
will typically include the detailing of system functional flows, the identification of design requirements,
and the performance of trade-off studies based upon
estimates of cost effectiveness.
Figure 5 depicts typical key events/activities that would be important to insure early and adequate consideration for the computer programming aspects of an information processing system.

Figure 5 - The conceptual phase for a computer program: (1) identify operational requirement, (2) define initial system concept, (3) conduct system feasibility studies, (4) perform system engineering, (5) determine design requirements and gross system functions
Block 1, "identify operational requirement"
For computer-based systems/subsystems, this is
the initiation of the information processing analysis.
Mission requirements are analyzed, and the operating concept is defined, as are the modes, environments, and constraints. The responsibilities, geographic
locations and the levels of the user are identified. A
preliminary estimate of personnel requirements is
made. Depending on whether the requirement is to
satisfy a military or a non-military user, the information processing requirements are included in the appropriate planning documentation, in order to identify
the total system operational requirements.
Block 2, "define initial system concept"
This step is concerned with developing qualitative
requirements of sufficient potential value as to warrant further effort and definition in specific terms.
The qualitative requirements should recognize the
status of the pertinent state-of-the-art and should
conceive those concepts which will satisfy the basic
mission and plans. The initial operational functions
and concept are developed at this time, as would be
the identification and nature of the sources and the
destinations of data elements. The requirements for
data collection, generation and/or transmission are
initially defined. It is often pertinent to evolve several
information processing concepts, in order that various
approaches can be assessed, particularly from the
major time and money trade-off viewpoints.
Block 3, "conduct system feasibility studies"
This step represents the initial effort toward the
formulation of a specific operational requirement for
a system. For computer-based systems, this involves
the translation of a qualitative requirement into system concepts by the assignment of functional and
operational capabilities to specific areas of equipments, procedures, and man/machine relationships
on a trial basis. This is the first point at which the
considerations of timeliness, technological and economic feasibility, and capability are explored in any
detail.
Block 4, "perform system engineering"
A specific concurrent and prime technical activity
at this point in time is the system engineering activity.
In the case of military systems, this activity will be
performed more and more by in-house government
agencies and less and less by contractor-industry
activities. For the Air Force, captive contractors such as the MITRE Corporation and the Aerospace

Corporation, and in-house engineering agencies, such
as the System Engineering Group and the Rome
Air Development Center, perform the bulk of the
initial system engineering studies.
System engineering studies are conducted to the
level of detail necessary to establish that the system
selected will meet the operational performance capabilities and will be technically attainable within the
required time period. Basic technical data should
essentially be complete in the following areas:
a. Information processing. This will at least include: a description of the mission requirements,
including deployment requirements and integration
with other systems; concept of operation associated
with each mission/environment; the system information flows; the allocation of functions between man
and computer; a description of the system data base
including processing and storage requirements; a
description of selected techniques of computer programming; a description of the command organization with preliminary estimates of personnel requirements; a description of requirements for system
exercising; and a description of interfaces with other
information systems.
b. Computer and associated equipment. The performance characteristics of the computer, the operational consoles, the other Input/Output units, and
the special equipments for system exercising are derived from the analysis of system information processing functions, in parallel with the determination of
functions to be performed by personnel and computer
programs. Both off-the-shelf and state-of-the-art
equipments are considered. Additionally, custom-configured or significantly modified existing equipment are included in the cost-effectiveness studies,
in order that technical feasibility, cost and schedule
estimates, and interfacing characteristics with the
computer program system, communications, and
facilities are firm enough to warrant the development
of a System Performance Specification. Factors such as general, logical, and physical equipment
configuration; data processing speeds, storage requirements, input-output interfaces; peripheral requirements for magnetic tape units and card machines;
operator consoles; special equipments; and growth
potential, are identified preliminarily at this point in
time in order to assure feasibility of the system to
meet the mission requirements.
Block 5, "determine design requirements
& gross system functions"
This step signifies that sufficient system concept
studies, system feasibility studies, exploratory development, and/or system engineering have been

performed to satisfy decision makers that the system costs are realistic, estimated schedules are realizable, and high-risk areas are identified, and that this is the system which should be funded, with resources allocated to proceed to the next phases, the Definition/Acquisition Phases.

pected to occur whenever a system goes through the
Definition Phase.
Block 6, "initial system specification"
This step represents the technical effort that is
applied to preparing a specific document upon which
many subsequent steps and processes are dependent.
The initial system specification is largely oriented to
the operational requirements and allows considerable
latitude in the system design, except in those areas
wherein gross design considerations are specified
or obvious. In some instances, expediency does not
permit more than a cursory refinement of previous
concepts and tentative performance requirements in
the formulation of this document.
The preparation of the initial System Specification
generally first requires that trade-off studies be identified and performed, and that technical studies, consisting of reviews, verification, and expansion or
alteration of technical concepts and data resulting
from the activities of the Conceptual Phase, be
accomplished. If time precludes in-house accomplishment of these studies, this activity may be tasked to
the Definition Phase contractor(s). In this case, the
Definition Phase contractor(s) would be required
to evolve a fully defined System Performance Specification as one of their end products. For computer-based systems, information processing functions are
re-examined and verified in relation to the user's
organization, mission, and operating doctrines.
Alternative approaches in the areas of computer
programming, equipment, communications, facilities,
personnel, procedural data, and training are assessed.
The direct objective of these studies is to establish
the total spectrum of design requirements and design
constraints at the levels required for a System Specification.

The definition phase for a computer program
This phase, which came into being under Secretary
McNamara, sees the entire system defined and identified down to the level of contract end item specifications. During this phase, the systems analysis activities are carried out, considering such factors as total
system cost/schedule/performance and identification of
interfaces and high-risk areas. The Definition Phase
culminates with the preparation of a definitized development contract setting forth the results of the
Definition Phase as the Design Requirements Baseline.
For electronic systems, the information processing
aspects are identified as a system segment. Technical
studies and alternative approaches are made at this
time in the areas of computer programming, equipment, communications, facilities, personnel, procedural data, and training, including considerations
of development lead times and system testing criteria.
The direct objectives of these technical studies are
to establish the total spectrum of design requirements and design constraints firmly, both for hardware and software, at the levels required for the
System Specification and other documents which
must be prepared.
Figure 6 identifies some of the major events, activities, and output products that would normally be expected to occur whenever a system goes through the
Definition Phase.

[Figure 6: flow diagram of the Definition Phase activities discussed in the text - initial system specification (6), document system requirements (7), expand system requirements (8), define computer program requirements (9), define manual tasks (10), define equipment requirements (11), and Part I CEI specifications (12).]

Figure 6 - The definition phase for a computer program

Spring Joint Computer Conf., 1967

Block 7, "document system requirements"
Under the 375 system management concept, the
entire technical control of the system is based on the
establishment of three baselines/specifications.
The first of these is the Program Requirements Baseline, the technical requirements of which are defined
in the System Specification described earlier. The
Program Requirements Baseline consists of documents which provide a conceptual technical description of the system, a description of the Definition
Phase inputs/events/expected outputs, and the estimated cost. This is the document that is evolved prior
to initiation of the Definition Phase. From the total
system viewpoint, it is critical that the entire man/
machine concept be sufficiently detailed, particularly
from the time, money, and integration aspects.
Block 8, "expand system requirements"
The Definition Phase contractor's first technical
activity is to conduct a comprehensive and critical
review of the functions, the performance, and the
design requirements contained in the System Specification. Objectives are to verify, expand, and/or alter
these on the basis of the contractor's approach and technical
experience. Selected trade-off studies would be performed, and the interface requirements of the major hardware and computer program end items would be expanded.
Block 9, "define computer program requirements"
and Block 11, "define equipment requirements"
The nature of the technical efforts will typically
begin to diverge at this point in time with respect to
their direct concern with system operational functions.
This effort will define the requirements for the detailed tasks to be performed by the operational
computer programs and the system equipment. It
is predicated on the basis that the interfacing equipment characteristics have been defined at a level
which will permit the analysis and specification of
functions to be performed by the computer program
and equipment contract end items.
Block 10, "define manual tasks"
A concurrent activity is the definition of manual
tasks. The technical effort during this phase encompasses the analysis of manual and man/machine tasks.
This leads to the definition of:
a. manual tasks and procedures
b. console operator procedures and decisions
c. design requirements for console controls and
displays.

Block 12, "Part I CEI specifications"
One of the most important products of the Definition Phase is the development of all the necessary
"design-to" specifications for the Computer Program Contract End Items. In Air Force terminology,
these are called Part I - Performance and Design
Requirements Specifications.2 This part of the
CPCEI specification is used to specify requirements
peculiar to the design, development, test and qualification of the contract end items (CEIs). The Part II - Product Configuration and Detailed Technical
Description specifications5 are not prepared until
well into the Acquisition Phase. An important section
of every computer program Part I specification is
the detailing of the requirements imposed on the design of a computer program end item because of its relationship to other equipment/computer programs.
Interfaces defined in this section of the specification
shall include at least all relevant characteristics of
the computer, such as memory size, word size, access and operation times, interrupt capabilities, and
special hardware capabilities. The Part I specification provides the first opportunity for initiating configuration management procedures5 for the control
of design requirements changes. Part I specifications
permit competition for the Acquisition Phase contract(s).
The acquisition phase for a computer program
The contractor designs, produces and tests the system hardware and computer programs during this
phase. This phase continues until the last article
is delivered to the operational user and all system development test and evaluation has been accomplished.
Figure 7 identifies many of the important activities
in the design and validation process that would
normally be initiated during an Acquisition Phase.
Block 13, "Part I specification"
Now that the initial end item performance specifications have been developed, the test requirements
detailed, and all the necessary man-machine tradeoffs made, it is necessary that the System Specification be updated and approved for contractual use in
the Acquisition Phase contract(s). For hardware,
it is usually possible to have defined the functional interfaces in detail; however, for computer programs
this is normally not possible unless a firm selection
and approval of specific hardware, computer programs, and communications has been made. Thus,
the system specification will normally not be fully
updated, insofar as computer program requirements
are concerned, at this point in time, but rather after
some of the Design Review activities in the Acquisition Phase.

[Figure 7: flow diagram of the Acquisition Phase activities discussed in the text - Part I specification (13), preliminary computer program design (14), preliminary design reviews (15), test plans (16), detailed design of computer program components & data base (17), critical design reviews (18), test procedures (19), coding & assembly (20), computer program tests (21), first article configuration inspection (22), Part II specifications (23), and system tests (24).]

Figure 7 - The acquisition phase for a computer program

Blocks 9, 10, 11 and 12 constitute the technical
substance of the Design Requirements Baseline. This
baseline represents the technical requirements for
the Acquisition Phase contractor(s).
Block 14, "preliminary computer program design"
The fundamental purpose of the Acquisition Phase
is to acquire and test the system elements required
to satisfy the user's requirements. Upon award of
the Acquisition Phase contract(s), the design of all
contract end items begins. The Part I (design-to)
specifications developed earlier, plus the System
Specification, will be the contractor's technical baseline and, essentially, the starting point for the design of the
end items. For computer program end items, this
activity consists of finalizing the analysis of system
inputs/outputs/functions and the allocation and grouping
of computer programming tasks into individual computer programs or program packages. Additionally,
individual programs will be described and the inter-program interface requirements detailed. All this,
plus the development of functional flows, the accomplishment of trade-offs, etc., will be the basis
of the detailed design that will be described in the
Part II specification.
Block 15, "preliminary design reviews," Block 18,
"critical design reviews," and Block 22, "first
article configuration inspection"

During the Acquisition Phase, a series of technical
reviews and inspections is held to provide discrete
milestones for an exchange of technical information
between the Air Force and the contractor. Two of
these, the Preliminary Design Review and Critical
Design Review, are analyses of the design of the contract end items at various stages of development.
The third milestone, the First Article Configuration
Inspection, is an audit of the documentation that
describes the contract end item. A more detailed
discussion of these milestones is contained in the
paper by Piligian.3
Block 16, "test plans," and
Block 19, "test procedures"
A parallel effort to the computer program end item
design is the development of a Category I qualification test program. Drafts of the test plan and associated
test procedures for the validation and evaluation of
computer program end items are written for submission to the procuring/engineering agency for approval.
Block 17, "detailed design of computer
program components & data base"
The detailed design of the computer program is
accomplished based on the approved Part I Specification and the results of the Preliminary Design Review.
The detailed flowcharts, logic diagrams, narrative
descriptions, etc., will provide the basis for actual
coding of the computer program(s). The design of


the data base is also developed at this time, resulting in
the number, type, and structure of tables, as well as
descriptions of the items within each table. The detailed design forms the basis for the Critical Design
Reviews3 discussed previously.
Block 20, "coding & assembly," and
Block 21, "computer program tests"
Immediately following the Critical Design Review,
coding of the individual components of the computer
program end items takes place and the process of
checkout and testing of the components begins.
Computer programs are generally first tested during
the Category I test program. Category I testing demonstrates
whether the CPCEI, as produced, satisfies the
design/performance requirements of the
Part I CPCEI specification.
Block 23, "Part II specifications"
The Part II Specification is a detailed technical
description of the CPCEI. Essentially, it consists
of elements which have appeared as computer program documentation in the past in a variety of forms
and combinations, e.g., functional allocations, timing
and sequencing, data base characteristics and organization, flowcharts, etc. The Part II Specification organizes these into a single, comprehensive description
which includes the data base and listings. It is an
"as-built" description, which the procuring agency
accepts only after its completeness and accuracy
have been formally verified, and normally after the
computer program performance has been qualified
in relation to the Part I Specification. Like the Part
I, it does not contain operating instructions, test
procedures, or other non-specification materials.
Its subsequent technical uses are as an aid in correcting errors and designing changes. Following formal
verification of its completeness and accuracy, it defines the Product Configuration Baseline.
Block 24, "system tests"
The objective of Category II system tests is to
demonstrate that the system will satisfy the system performance/design requirements of the System Specification. For computer programs, Category
II testing will assure the overall systems engineer
that the computer programs are fully compatible with
the hardware in an integrated performance environment, and that they meet the total system requirements, including personnel, communications, man-machine relationships, etc.
The operational phase for a computer program
The Operational Phase permits the transfer and
turnover of systems/equipments from the design

and acquisition agency to the using (customer) agency.
This phase begins when the operational user accepts
the first article and ends when all the elements of
the system have been accepted by the user.
Most Air Force systems are turned over to the user
on an incremental basis: squadron by squadron for
missiles; site by site for electronic systems; or system element by system element. In the case of computer-oriented systems (command/control systems),
there is an evolutionary aspect present, which seldom
permits the completion of a specific Operational Phase.
In this instance, it might be stated that there may be
many Operational Phases for any one system, as a
requirement for system updating occurs and as this
requirement is satisfied.
As the development agency acquires end items, and
satisfies the user that a group of end items meets the
user's operational requirement, a formal release of
both the physical entities, as well as the engineering
responsibility, is made by the development/acquisition
agency. For computer programs, the transfer of
engineering responsibility would not normally be
to the Air Force Logistics Command (as is true for
hardware), but rather would more likely be to the
user. There are instances, however, where certain
utility and/or maintenance-diagnostic computer programs furnished with, or as parts of, the computer
equipment are engineering-transferred to the Logistics
Command, rather than the user.
As elements or end items are turned over to the
user, the configuration management responsibility
also becomes the responsibility of that agency. For
purposes of configuration management of computer
programs, the updated System Specification and the
Part I Computer Program End Item Detail Specification function as the design requirements baseline
throughout the Operational Phase.
Figure 8 identifies many of the specific activities
that pertain to a process that permits the design and
acquisition agency to turn over to the user those
completed elements of a system, as the operational
requirements are met.
Block 25, "turnover to user"
Under current Air Force concepts, equipment,
facilities and computer programs can be incrementally
"turned-over" to the user on an operating unit by
operating unit basis. The standards for computer
program turnover are still in the process of evolving;
however, it is general practice to "turn over" both
the hardware and the applicable computer
programs on a concurrent basis. Under any circumstance, turnover implies that the minimum operational
capability has been satisfied for the total system or

[Figure 8: flow diagram of the Operational Phase activities discussed in the text - turnover to user (25), updating changes on contract (26), transfer of engineering & logistic responsibilities (27), user operational system tests (28), system updating (29), and mission performance (30).]

Figure 8 - The operational phase for a computer program

for some element thereof, and that the industry and
government design agencies consider the primary
design/engineering activities as completed.
Block 26, "updating changes on contract"
As with hardware, computer programs are subject
to follow-on development tests which normally result
in updating change requirements. As the user exercises his system, or some element of a system,
deficiencies and/or improvements are revealed.
Updating changes are most practical for contracts
which have not been completed, and can be broadly
categorized as those which are (1) the contractor's
responsibility and essentially under contract "guarantee," and (2) improvements and performance updating initiated by the user, which require a new
contractual understanding and new design effort. In
essence, the "design-updating" changes that are
necessary are now placed on contract, system tested
and recorded.
Block 27, "transfer of engineering
& logistic responsibilities"
There is no formalized Air Force policy on the
logistics and engineering responsibilities for computer
programs once they have been turned over to the user;
however, an unofficial process is in effect. Several
large electronic systems have been officially turned
over to using commands. The "engineering" responsibility for controlling corrective actions and incremental improvements of operational capabilities through
changes in the computer programs has in all cases,
to date, been assigned to and assumed by the using
command. In some instances, this responsibility
extends to the maintenance of handbooks, user manuals, and other documents which are directly dependent upon the computer program end item configuration. The "logistics" and the so-called "engineering" aspects of computer programs are being studied
and debated at appropriate levels, and a decision will be
issued, particularly with reference to certain utility
and/or maintenance-diagnostic programs furnished
with, or as parts of, the computer equipment.
Block 28, "user operational system tests"
Upon the completion of Category II system tests
and the incremental transfer of computer programs,
computer equipments, handbooks, user manuals,
etc., to the user, the using command may elect to
conduct Category III type tests. Category III tests
are system tests similar to Category II and for computer programs may either be unnecessary or may be
conducted concurrently with Category II. At this
point in time, the system is fully operational; testing takes place in an all-live
environment and is conducted by the user, generally
with the assistance of contract services from the automated data industry. As during Category II testing,
deficiencies and/or improvements are revealed, and
system modifications are made depending on their significance
to mission and budgets.
Block 29, "system updating"
One of the final technical functions is to document
and record the precise system/equipment configuration and to update all manuals, handbooks, etc. Beginning back in the latter part of the Definition Phase,
a "configuration management" procedure would
have been defined, agreed upon by the contractor(s),
and would at this point in time be thoroughly updated
and turned over to the user. The user would continue
to use the system specification and the Part I detailed "design to" specification as the design requirements baseline for the purposes of configuration
management and as a design-updating standard.
The system itself is also updated to incorporate updating changes and modifications resulting from the
user's operational testing and system usage.
Block 30, "mission performance"
This event represents the continued operation of
the system by the user until such time as the system is phased out of the operational inventory.
SUMMARY & CONCLUSION
The management framework established by the 375
series Air Force regulations and manuals is applicable
to electronic systems, as well as to aircraft and missiles. This management concept is exemplified by
electronic computer-based systems such as 412L,
416L, 425L, and 465L; namely, operational military
systems which provide information processing assistance to command personnel who are responsible
for planning, decision-making, and control of resources and forces. A major impact of considering
this type of system is to emphasize information processing and associated technologies as the lead items
in system concept and design. This emphasis is needed
in order to assure that the specification and procurement of hardware and facilities will be based upon
adequate consideration of the user's information
processing procedures and requirements.
The modification of the current hardware-oriented
375 system management process to include "software" activities places primary emphasis on events
associated with:
1. Analysis of system information processing
functions.
2. Allocation of functions to operational personnel
and the computer hardware.
3. Definition of the functions to be performed by
computer programs.
4. Development of operating procedures.
5. Design, development, and testing of computer
programs.
6. Development of provisions for operational
training and other personnel subsystem products.
The implications of the concept described in this
paper can be summarized as follows:
1. The normally hardware-oriented System Program Director is now provided with a management tool with which to evolve requirements
and assess the total system's progress by the
establishment of computer program key events,
milestones and activities during the system's
life cycle. The "visibility" aspects of computer
program intricacies will be more evident to the
System managers.

2. Computer program requirements documented
in a technical specification provide a standard
by which the performance of the contractor
and the performance of the resultant computer
program can be evaluated.
3. The design documentation and specifications
developed during a normal Definition Phase
activity will provide for the first time an opportunity for the government to acquire computer programs on a true price competition
and open-bid, fixed-price basis, rather than the
current predominant sole-source, cost-plus
situation.
4. The computer program management techniques
evolved will significantly reduce the excessive
cost-overruns and will reduce the overall system costs that were uncontrollable without a
finite management control process.
5. The eventual user and operator of the electronic system will be provided with sufficient
data and documentation which will permit the
user to operate, maintain and update the system much more effectively and efficiently.
6. The concept described is considered to be applicable to any system, whether military, business, or industrial, and to any programming exercise that
warrants the use of computer program management techniques.
REFERENCES
1 00-1498: Computer programming management, Air Force Project 67-2801, 1967
2 B H LIEBOWITZ, The technical specification - key to management control of computer programming, SJCC Proceedings, 1967
3 M S PILIGIAN, J L POKORNEY, Air Force concepts for the technical control and design verification of computer programs, SJCC Proceedings, 1967
4 L V SEARLE, G NEIL, Configuration management of computer programs by the Air Force: principles and documentation, SJCC Proceedings, 1967
5 AFSCM 375-1: Configuration management during definition and acquisition phases, Air Force Systems Command, U S Air Force, 1 June 1964
6 AFSCM 310-1: Management of contractor data and reports, Air Force Systems Command, U S Air Force, Revisions September 1966 and March 1967
7 System 416-M: BUIC - back-up interceptor control, Electronic Systems Division, U S Air Force
8 B A SCHRIEVER, General, USAF: Foreword to AFSCM 375-4, System program management manual, Air Force Systems Command, U S Air Force, 16 March 1964

Configuration management of computer
programs by the air force: principles
and documentation*

by LLOYD V. SEARLE and GEORGE NEIL
System Development Corporation
Santa Monica, California

*The authors have been associated with the development of computer programming management procedures for Air Force Systems Command, through contract studies conducted in support
of the Electronic Systems Division. This report summarizes
selected aspects of the Air Force procedures as viewed by the
authors; it is not to be construed as an official expression of policy
by Air Force agencies or the System Development Corporation.

INTRODUCTION

This paper is addressed to Air Force concepts relating to configuration management of computer programs. For this meeting, our purpose is to summarize
the nature of the concepts, and to present an introductory outline of the documentation and procedures.
Although we are using the Air Force terminology and
phased system program relationships, it should be
recognized that the same general principles, and many
of the particulars, are also in process of being adapted
for use by the other military services and NASA.
The basic standards lend themselves to general application in the formal management of computer programming projects.
As described earlier in this session,1 configuration
management represents only one of several management areas which apply to a total system program.
Contrary to a prevalent misconception, it is not
synonymous with, nor a substitute for, the technical
system engineering effort which constitutes the heart
of a system design and development program. However, as an auxiliary structure which evolves in steps
during the Definition and Acquisition Phases, it
is closely related with the other areas of systems
management, particularly with the processes of system engineering and testing. Its special concern is
with procedures for controlling the performance requirements and actual configurations of the various
physical parts of a system. One of the principal needs
it fulfills is to provide a systematic means by which
the system status and technical objectives can be
formalized, for the mutual benefit of the many agencies which are typically associated with the procurement, development, logistic support, and operation
of a complex system.
Contract End Items (CEIs) are the system parts
to which configuration management applies. In the
Defense Department and NASA, the CEI designation* does not apply to system personnel, items of
data, or to contractual studies and services. It refers only to identified items of equipment, facilities,
and computer programs, as the major deliverable
elements of a system which is developed for use by
an operational agency.
Although the emphasis in this discussion is on computer programs, it should be recognized that the procedures to be discussed are designed to fit within a
common framework of configuration management for
all types of CEIs in a system. In fact, they incorporate
many concepts and terms which have been borrowed
from established practice with items of equipment.
At the same time, they are specifically tailored to
reflect the many unique characteristics of computer
programs as contract end items. In general, they are
derived from actual experience in developing computer programs for electronic systems, and are
presently in use by a number of system contractors.
General concepts
Within the scope of configuration management requirements, distinctions are made among the three
major sub-processes of identification, control, and accounting:

Configuration identification refers to the technical
definition of the system and its parts, primarily in
the form of specifications.

*In the Army, CEI denotes Configuration End Item, rather than
Contract End Item.

In general, configuration
management is based upon the concept of uniform
specifications, which implies simply that in each
system program there should be one general specification for the system as a whole and one specification
for each contract end item. General format and content requirements of the specifications are uniform
for all systems. However, requirements for the system specification and CEI specifications differ. The
system specification is written at the level of performance and design requirements only, while the
specification for each major CEI is written in two
parts - Part I as a performance-level specification
to establish technical objectives and design constraints, and Part II as a technical description of the
actual configuration resulting from the design/development/test process. Detailed requirements for specification format and contents are different for the major
classes of CEIs, i.e., for equipment, facilities, and
computer programs, as a function of the typical differences in technical characteristics. Once written
and approved, each specification formally defines a
baseline configuration of the system or item. A baseline, in general, is an established and approved configuration, constituting an explicitly defined point
of departure from which changes can be proposed,
discussed, or accomplished.

Configuration control refers to the procedures by
which changes to baselines are proposed and formally
processed. These procedures involve standard classes
and types of change proposals, as well as formal
mechanisms for review, evaluation, approval, and
authorization for implementing the proposed changes.
Configuration accounting refers to the reporting
and documenting activities involved in keeping track
of the status of configurations at all times during the
life of a system. For production items of equipment,
it includes the intricate process of maintaining the
status of production changes, retrofits, and spare
parts for all production items in the current inventory.
In the case of a computer program item, it is principally a matter of maintaining and reporting the status of
the specification, associated documents, and proposed
changes.
Documentation and procedures
While the items of central reference in configuration management are contract end items, as distinct
from data or services, the management process itself
proves to be principally a matter of documentation
and procedures. As indicated above, technical specifications are the principal substance of the Configuration Identification process. Configuration Control
and Accounting are accomplished by means of other

standard forms and reports. And, particularly in the
case of complex computer program systems, account
must also be taken of technical manuals and other
data prepared for the using agency, whose contents
are sensitive to changes in computer program configuration.
Hence, the major framework of configuration
management and its sub-processes can be represented
as a structure of the principal documents with which
standard procedures are associated. This structure is
illustrated in Figure 1, which shows (a) the specifications, as the baselines which are defined and managed,
(b) the dependent procedural data, in the form of
handbooks or manuals, and (c) the set of forms and
reports which serve as tools for control and accounting. It may be noted that the computer program contract end item (CPCEI) is also represented, in the
physical form of a tape. While the tape (or alternative
form, such as punched cards) is not forgotten as the
eventual object of these activities, most of our concern about working procedures is with the other
elements. Additionally, it should be noted that events
are related in a gross way to phases of the system
life-cycle. In general, the structure begins at the outset of the Definition Phase with issuance of the System Specification, is expanded during the Acquisition Phase, and is subsequently maintained during
the system's operational life. The specifications are
established as the three baselines at successive times,
and in dependent relations, during the developmental
periods. However, an earlier baseline is not replaced
by a new one; once established, all are maintained together, indefinitely.
Specifications
The system specification is typically written and
issued by a procuring agency as the primary requirements document governing the developmental process
for all contract end items. Its function is to define
objectives and constraints for the system as a whole.
It sets forth requirements for system performance
and system testing, identifies all major parts to be
developed or otherwise acquired, and allocates performance requirements to the parts. As a basis for
information processing efforts, one of its important
roles is to define and control essential functional interfaces among computer programs, computing equipment, communications links, and personnel. When
issued at the outset of the Definition Phase it is established as the program requirements baseline.
While it normally undergoes subsequent expansion
and refinement, all changes must be approved by a
central control board, documented, and coordinated
with the agencies concerned.

[Figure 1 shows the System Specification, Part I Specifications, and Part II Specification established successively as the program requirements baseline, design requirements baseline, and product configuration baseline, with the dependent handbooks and manuals and the control and accounting documents, arrayed across the Definition, Acquisition, and Operational phases.]

Figure 1 - Sequence and structure of documents

The Part I specification for a computer program
contract end item (CPCEI) is primarily a detailed
compendium of information processing functions to
be performed by the computer program. As a product
of the Definition Phase analysis activities, it is not
a computer program design document, as such, although it may specify design requirements or constraints and should reflect an appreciation of feasible
computer program design solutions. It contains a detailed definition of all input, output, and processing
functions to be accomplished, specifies all pertinent
interfaces with equipment, personnel, and other computer programs, and identifies the means by which
the eventual performance of specified functions will
be verified by formal testing. The standard format
which has been developed for the purpose 2 is written
at a very general level to permit application to many
types of computer programs, both large and small.
As a specification, it does not contain planning information or procedural data pertaining to use or operation. Its functions are to govern the processes of
computer program design, development, and testing, and to provide the primary instrument for manage-

ment control throughout the course of a system program. Since it is written in mathematical, logical,
and operational terms, rather than in technical computer programming language, it provides an essential
vehicle by which the computer program functions
can be communicated and managed at the level of
operational performance. Part I Specifications for
the collection of computer program and equipment
elements for the system as a whole are verified for
consistency with the System Specification and compatibility of interfaces, and are established collectively
at the outset of Acquisition as the design requirements baseline. Because of its exceptional importance
to the conduct of a system program, the Part I CPCEI
Specification was chosen as a special topic to be
amplified in another paper in this session. 3
The Part II specification is a technical description
of the CPCEI structure and functions. Essentially,
it consists of elements which have appeared as computer program documentation in the past in a variety
of forms and combinations, e.g., functional allocations, timing and sequencing, data base characteristics and organization, flow charts, etc. The Part II
Specification organizes these into a single, comprehensive description which includes the data base
and listings. It is an "as-built" description, which
the procuring agency accepts only after its completeness and accuracy have been formally verified, and
normally after the computer program performance
has been tested against performance requirements
of the Part I Specification. Like the Part I, it does
not contain operating instructions, test procedures,
or other non-specification materials. Its subsequent
technical uses are as an aid in correcting errors and
designing changes. Following completion and verification, it constitutes the product configuration baseline.
As in the case of preceding baselines, it is maintained
subsequently through the processes of configuration
control and accounting.
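The baseline discipline described above can be sketched in modern notation. The phase groupings and record fields below are illustrative, not taken from the Air Force documentation.

```python
from dataclasses import dataclass

# Phases of the system life-cycle, in order.
PHASES = ["definition", "acquisition", "operational"]

@dataclass
class Baseline:
    name: str            # e.g., "program requirements"
    document: str        # the specification that defines it
    established_in: str  # phase in which it is established

# The three baselines of Figure 1 (labels from the paper; grouping illustrative).
BASELINES = [
    Baseline("program requirements", "System Specification", "definition"),
    Baseline("design requirements", "Part I Specifications", "acquisition"),
    Baseline("product configuration", "Part II Specification", "acquisition"),
]

def baselines_in_force(phase: str) -> list:
    """An earlier baseline is never replaced by a new one: once established,
    every baseline remains in force through all later phases."""
    cutoff = PHASES.index(phase)
    return [b.name for b in BASELINES
            if PHASES.index(b.established_in) <= cutoff]
```

The point the sketch captures is the paper's rule that baselines accumulate rather than supersede one another.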
Procedural data
As indicated above, operating and instructional
information is not contained in the computer program
specification. This class of information is the proper
subject of separate handbooks or manuals, which
should be written specifically to meet the needs of
operating and support personnel. Configuration
management does not apply directly to such documents. However, since their content is typically sensitive to CPCEI performance and/or design characteristics, they must also be maintained to reflect approved changes to the CPCEI. Hence, they appear
as prominent "impact items" in the configuration
control processes.
Configuration control and accounting documents
Configuration control and accounting documents
are standard forms and reports which serve as the
instruments by which changes to established baselines are processed and recorded.
The engineering change proposal (ECP) is the
vehicle by which a change is initiated. It is a form of
long-standing use for equipment which has been
adopted with appropriate modifications for computer
programs. A completed ECP describes the nature
and magnitude of a proposed change, estimated developmental requirements, and impact of the change
on all associated documents and other system elements. During most of the Acquisition Phase, "computer program changes" normally refer to changes
in the Part I Specification. At later stages, a fully
implemented change will also involve the preparation
of change pages to the Part II Specification and other
derived documents, as well as incorporation of
changed instructions into the computer program.
Assuming that the Part II Specification is based upon
completed design and testing of the altered computer
program, changes are essentially implemented with

the issuance of approved change pages to the specifications.
The specification change log, end item configuration chart, and specification change notice (SCN)
are also standard forms, originally developed for
equipment, which have been adopted with modified
uses for computer programs. They constitute, respectively, (1) a cover sheet, (2) a listing of current
pages, and (3) a summary of incorporated changes
to accompany each issue of change pages to a specification. As a group, they are inserted into the revised
specification, to provide ready indicators of the
specification's current status.
The version description document is a collection
of pertinent information which accompanies each
new release of a computer program tape, or cards.
Its purpose is to identify the elements delivered
and record additional data relating to their status and
usage.
The configuration index and change status report
are items issued periodically (e.g., monthly) to inform interested agencies of the current status of the
CPCEI configuration and proposed changes. The
Index contains up-to-date listings of basic issues and
revisions of the specifications and derived documents,
with dates of issue and approved changes. The Change
Status Report is a supplement to the Index which
records the status of all current change proposals.
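The Change Status Report could be derived mechanically from ECP records along these lines; the record fields shown are hypothetical, not the standard forms' layout.

```python
# Hypothetical ECP records; field names are illustrative.
ecps = [
    {"id": "ECP-101", "status": "approved", "incorporated": True},
    {"id": "ECP-102", "status": "under review", "incorporated": False},
    {"id": "ECP-103", "status": "approved", "incorporated": False},
]

def change_status_report(proposals):
    """The Change Status Report supplements the Index with the status of
    all current (not yet fully incorporated) change proposals."""
    return {p["id"]: p["status"]
            for p in proposals if not p["incorporated"]}
```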
CONCLUSION
The preceding description has attempted to provide
only an introductory overview of configuration
management for computer programs. The documentation and procedures are the result of some years
of study, experience, and coordination which were
accomplished principally under the direction of the
Technical Requirements and Standards Office at the
Electronic Systems Division of Air Force Systems
Command. At the time of writing this report (January
1967), the detailed requirements are in process of
being inserted into the forthcoming revision of
AFSCM 375-1,4 which is scheduled to be issued
within the next few months. A full set of requirements, in the form of a collection of the proposed
changes to AFSCM 375-1, was also issued separately
for interim use as ESD Exhibit EST-1 in May 1966.2
Although that exhibit has had limited distribution,
it is presently being used in a number of Air Force
contracts and significant provisions have also been
coordinated for joint use by NASA in managing computer programs for the Apollo program. 5 Experience
to date has tended to confirm that the provisions
are generally sound, and capable of meeting a number of long-standing needs. It is anticipated that refinements will be suggested by further use and study.
REFERENCES
1 M V RATYNSKI
The Air Force computer program acquisition concept
SJCC Proceedings 1967
2 ESD Exhibit EST-1:
Configuration management exhibit for computer programs
Electronic Systems Division Air Force Systems Command
Laurence G Hanscom Field Massachusetts May 1966
3 B H LIEBOWITZ
The technical specification - key to management control of computer programming
SJCC Proceedings 1967
4 AFSCM 375-1:
Configuration management during definition and acquisition phases
Air Force Systems Command U S Air Force June 1 1964
5 B H LIEBOWITZ E B PARKER III C S SHERRERD
Procedures for management control of computer programming in Apollo
TR-66-342-2 Bellcomm Inc September 28 1966
6 M S PILIGIAN J L POKORNEY
Air Force concepts for the technical control and design verification of computer programs
SJCC Proceedings 1967

The technical specification - key to
management control of computer
programming
by BURT H. LIEBOWITZ
Bellcomm, Incorporated
Washington, D. C.

INTRODUCTION
If one considers the life cycle of a system as described in the paper by Ratynski,1 it becomes evident that effective management is dependent upon the presence of detailed specifications. In general, a specification describes what a product should be so that someone or some group can design and/or build it. In the previous paper the concept of a two-part specification was introduced: the first part describing the technical requirements for the item, the second part describing the actual configuration of the completed item. In this paper we will consider the content of the specification and its application to the management control of the computer programming process. Particular emphasis will be placed on part 1 of the spec. In doing so we will pose and answer two questions: (1) why is the part 1 spec so critical to management control? and (2) why, if so important, have so many programming efforts been characterized by its absence?

To answer the first question, let us consider the objective of and the steps required for management control. The objective of management control is to assure that the resultant program does the job for which it was intended, is ready when needed, and is produced within expected costs. To achieve management control the managing group must: develop a standard which describes expected performance, evaluate actual performance against this standard, and take corrective action when undesired deviations from the standard occur. Performance in this context covers both the performance of the group developing the program and the performance of the program itself.

For computer programming, the cycle formed by these steps looks something like that shown in Figure 1. The standard is expected costs, estimated schedules, and desired technical characteristics. Evaluation is accomplished by means of reviews and tests. Corrective action is accomplished by allocations of resources, clarification of the standard and, when necessary, changes to the standard.

The part 1 specification is an important segment of the management standard. It documents the technical requirements for the computer program, thus providing both the basic "design to" guide for the programming contractor and the standard by which the user can evaluate the resultant program.* Without it the program developer must rely on word of mouth and informal notes, and the user has no way of determining the validity of the evolving program. Thus there is no firm basis for management control.

*For convenience in this paper, the managing group will be referred to as the "user" or "using agency"; the program developer will be referred to as the "contractor."

To answer the second question, we must consider several factors, some common to both hardware and computer program development, others peculiar to computer program developments. In the former category we find in some cases that lack of time prevents an adequate definition of requirements. Also, in some cases the nature of the effort is such that total requirements are not known prior to some experimentation with the system as (partially) built.

In computer programming we are faced with one other factor: the flexibility of the programmable digital computer. A somewhat exaggerated view of this capability has led unwary managers to the belief that, since changes to a finished program can be easily made, the time and costs to define requirements, and the need to exercise control once they have been


[Figure 1 depicts the management control cycle: the computer program management standard (technical characteristics, expected costs, schedules) governs production; the outputs of the programming process (design documents, test results, actual costs, milestone completion dates) are evaluated by means of tests and reviews; the outcome is either no changes required, a change to the program with redeployment of resources, or a change or clarification of the standard, with changes or additions arriving from further system analysis.]

Figure 1 - The management control cycle

released, can be avoided in computer programming.
Another difficulty is caused by the use of computers
to provide flexibility in systems which operate in a
changing environment. These systems are designed so
that computer programs will absorb the major portion
of expected changes. This allows firm definition of
hardware requirements early in the development cycle
of the system but makes it difficult to define the computer program requirements at the same time.
The impossibility under realistic conditions of
establishing complete and definitive requirements
in the programming process should not, however, be
interpreted as a hopeless impasse to management control. On the contrary, if we accept as the general
rule that the definition of requirements is an evolving process, we must conclude that a major function of management control is to insure that the development of the part 1 spec is an orderly one. This

can be accomplished by providing mechanisms for the
development of the spec and then for controlling
changes to the spec as the requirements become better
defined. This is actually what configuration management is all about as discussed in the paper by Searle
and Neil. 2
The rest of this paper will discuss the content of the
first part of the specification, some methods for developing it in face of the realities mentioned above,
and its relationship to the second part of the spec
and other management control tools.
We begin with a brief description of what the first
part of a computer program specification should contain.
The technical specification (Part 1)
Part 1 of the specification results from an analysis of the role the computer is to play in the system;

it is a translation of user needs to the language of
computer systems analysts. The specification is developed in the definition phase prior to extensive
design of the program.
Content of the specification

The computer program specification contains performance requirements, interface requirements, design requirements, and test requirements.
The performance requirements describe what the
program is to do and the required data base characteristics. F or each major function of the program the
specification describes the type of data inputs, the
required computer processing and the required outputs. The interface requirements describe the content and format of data transferred between the computer program and other computer programs and
equipments.
The design requirements delineate
items, not directly related to the desired performance
of the program, which constrain the design of the program, e.g., requirements for modularity and expandability. The test requirements define the types of
tests needed to verify that the resultant computer
program satisfies the performance and design requirements contained in the specification. Test
requirements are included in the specification to allow the contractor sufficient time to adequately plan
for running the required tests and to facilitate management control of the testing process. 3
An outline of a model format for the first part of
the specification is given in Figure 2. A description of a model spec is given in the Appendix of this
paper. The format was developed with two things in
mind: (1) to provide a convenient framework for the
documentation of computer program requirements,
and (2) to conform as much as possible to the format
already in use for hardware specifications. The
format and model were produced as part of an effort,
undertaken on behalf of NASA's Apollo Program
Office, to apply configuration management to computer programming. 4 This effort was closely coordinated with a similar one undertaken by the
USAF's Electronic Systems Division. 5
Development of the specification

Ideally, the user would produce a complete set
of requirements prior to the design efforts of the
contractor. With adoption of the phased system acquisition concept as discussed by Ratynski,1 this ideal can be more closely approached than has been possible in the past.
In this approach the interface,
performance, design and test requirements would be
developed in the definition phase prior to the contractor's design efforts in the acquisition phase


(see Figure 3). However, in many cases for the reasons discussed earlier in this paper, some overlap
of requirements analysis with design must be allowed
if the program is to be available when it is needed.
An orderly development of requirements can still be
achieved in these cases. The requirements can be
built up in several ways depending on exact circumstances. In some cases the functions of what will
eventually be a single program can be split into
several subprograms, each of which can be developed
separately. For example, in the case of an automated checkout system the final program may be composed of a supervisory system plus a package of test
programs. The detailed requirements for the supervisory system may be relatively insensitive to the
object under test and hence can be developed prior
to the availability of the complete set of test program
requirements. Significant design and development of
the final program can then be accomplished prior to
the total definition of computer program requirements.*
Another approach is to develop enough of the requirements to start design of the program at a high
level, detailed design taking place as more requirements become available. For example, design of a
program could commence subsequent to the establishment of a set of qualitative performance and design requirements. As more quantitative requirements - accuracies, response times, exact interface
data formats, etc. - become known, the specification can be amended allowing the contractor to design the program in more detail. As requirements
evolve, the program can be designed, evaluated (such
evaluation perhaps aiding in the further definition of
requirements) and flow charted. Coding, debugging,
and assembly of the program would commence upon
release of the completed requirements.
Even where the ultimate form of the system is
not known at the inception of design - as in the case of
some research and development projects - the requirements can be built up in an orderly fashion. To do
this we borrow the concept of a prototype from hardware development. For many systems enough requirements can be developed in the definition phase
to serve as the basis for producing a meaningful prototype computer program. This program can then be
used in the operational system. As experience is
gained by using the prototype, the requirements can
be revised, reissued, and from them a "second generation" program developed. This iterative procedure can be repeated in controlled discrete steps until the final operational system is produced.

*Another benefit of this approach is the isolation of those portions of the program which are expected to change; they in turn can be designed to be flexible, this being stated as a design requirement.

COMPUTER PROGRAM SPECIFICATION
(Part 1)

1. Scope
2. Applicable Documents
3. Requirements
   3.1 Performance
      3.1.1 System Requirements
      3.1.2 Operational Requirements
         1) Function 1
            1.1 Inputs
            1.2 Outputs
            1.3 Information Processing
         2) Function 2
            2.1 Inputs
            2.2 Outputs
            2.3 Information Processing
         ...
         n) Function n
      3.1.3 Data Base Requirements
      3.1.4 Human Performance
   3.2 Computer Program Definition
      3.2.1 Interface Requirements
      3.2.2 User Furnished Programs
   3.3 Design Requirements
4. Quality Assurance
   4.1 Implementation Test Requirements
   4.2 Integration Test Requirements
NOTES
APPENDICES

Figure 2 - Part 1 of the computer program specification

Variations and combinations of the above described approaches may be appropriate in particular efforts. Whatever approach is used, however, a common factor exists: as soon as sufficient requirements have been developed to allow initial design of the program, they are documented and officially released as the "design to" specification. This usually occurs when the performance and design requirements have been defined to a level of detail which permits the contractor to segment the program into component subprograms, allocate functions to the components, and develop flow charts to show the interrelationship among the components.

Control of the specification

Control of changes and additions to the part 1
specification is essential if it is to be used as the
standard for controlling the design and development
of the computer program.
Formal control, by the user, begins with the release
of (some subset of) the requirements as the part 1
specification. Control is vested in a change control
board (CCB) made up of user personnel who are
aware of the technical effects of changes throughout
the system. Any change to the specification, except
for correction of editorial errors, must be approved


[Figure 3 shows the definition phase activity flow: system requirements are expanded and functions allocated to system elements, with initial definition of interfaces; computer program functions, equipment functions, and manual tasks are defined; from the computer program functions the performance requirements, the data base, the design requirements, and the system test requirements (alongside test requirements for other elements in the system) are defined, leading into the Acquisition Phase.]

Figure 3 - Definition phase activities leading to the development
of the Part 1 specification

by the CCB before the change can be incorporated
into the specification. All approved changes must be
documented and disseminated to all agencies affected
by the changes.†
The CCB must be able to recognize and react to different kinds of changes to the part 1 specification.
Many of the early changes to the specification will
actually be additions, filling in areas not previously
defined. Changes of this type will come from the
group in the using agency that developed the original
requirements. Changes will also come from other
groups in the using agency as a result of further definition of or changes to the system's requirements.
The CCB transmits and coordinates these types of
changes to the contractor. Other proposed changes
may come from the contractor as he uncovers inconsistencies in the requirements, or formulates new con-

†A discussion of change control and accounting documents which aid in the change control process is given in the paper by Searle and Neil.2

cepts as to what the program should do. If acceptable to the CCB, they are incorporated into the specification.
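The board's disposition rules just described can be sketched as follows; the record shape and field names are assumptions for illustration.

```python
def ccb_disposition(change, approved):
    """Disposition of a proposed change to the part 1 spec.
    Editorial corrections bypass the board; all other changes need CCB
    approval and, once approved, must be disseminated to the agencies
    affected. The dict shapes are illustrative."""
    if change["kind"] == "editorial":
        return {"incorporate": True, "disseminate_to": []}
    if approved:
        return {"incorporate": True,
                "disseminate_to": change["affected_agencies"]}
    return {"incorporate": False, "disseminate_to": []}
```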
The specification as a management
control tool
Once released, the part 1 specification serves as a
valuable tool in controlling the contractor's design, in assuring the quality of the program, and in accepting the resultant computer program. In many
cases it is also a valuable tool in procuring the services of a programming contractor.

Procurement

In those cases where the services of an outside programming contractor are required, the part 1 specification, included as part of a statement of work6
in a request for proposal, helps define the task to be
done. The more complete the specification the better


the chances are of getting realistic bids from contractors.
Design control
The specification provides the standard by which
the contractor's design may be evaluated. This
can be done in several reviews during the programming process, permitting detection of design errors
(or faults in the requirements analysis) early enough
to do something about them. At least two types of
reviews are helpful: a preliminary design review
(PDR), and a set of critical design reviews (CDR's).
The PDR is held early in the design process. The
contractor's initial overall design approach is reviewed
with respect to the part 1 specification. The review
gives the user an opportunity to evaluate the proposed
design to see if it will meet the requirements as stated
in the spec. After the PDR, the contractor proceeds
to the detailed design of the individual components of
the program.
Once the detailed design of an individual component
is complete, it is reviewed in a CDR, prior to coding.
This provides an additional check on the ability of
the computer program to meet the design and performance requirements. Since the detailed design of a
large scale computer program may take considerable
time, several CDR's may be held.
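The review sequence just described amounts to a simple schedule; a minimal sketch, assuming one CDR per component.

```python
def design_reviews(components):
    """One preliminary design review of the overall approach up front,
    then a critical design review per component before that component
    is coded (illustrative)."""
    schedule = [("PDR", "overall design approach")]
    schedule += [("CDR", name) for name in components]
    return schedule
```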
Quality assurance
The "quality" of a computer program is determined
by its ability to do the job for which it is intended,
to be modified as required, to be maintained, and to
be understood by others than those who produced it.
Although quality in this sense is difficult to measure,
it can be enhanced by the availability of programming
standards, the application of good documentation
techniques, and comprehensive testing of the evolving
program. The total specification - both part 1 and part
2 - can be used as an instrument in achieving these
conditions.
Programming standards are used to control and
guide the efforts of programmers during the acquisition phase to ensure that a self consistent computer
program is developed (see Figure 4). They are usually of three types: standards of formats, for example,
for punched cards and flow charts; standards of design
techniques; and standards of procedures regulating
programming personnel. 7 Although the responsibility
for developing the standards usually lies with the programming contractor, the requirement for producing
them is levied by the user in the design requirements
section of the part 1 specification. The user may also
include detailed standards in part 1 if appropriate.
For example, if the user knows the program will have
to be modified extensively in operational use, he could
include a requirement in the part 1 specification limit-

ing program module size to 1,000 storage locations.
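A standard of this kind lends itself to mechanical checking; the sketch below assumes module sizes are available as a name-to-size table, with the 1,000-location limit taken from the paper's example.

```python
# The design-requirements section might state: no module may exceed
# 1,000 storage locations (the paper's example figure).
MAX_MODULE_SIZE = 1000

def oversized_modules(module_sizes):
    """Names of modules violating the size standard;
    sizes are in storage locations."""
    return sorted(name for name, size in module_sizes.items()
                  if size > MAX_MODULE_SIZE)
```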
The part 1 specification also provides a vehicle for
indicating the types of tests the contractor must perform during the programming process. These tests are
used to determine if the program components are error
free, a condition which must be approached if a high
quality program is to be produced.
Another essential aspect of quality assurance is
documentation of the resultant program. Without
adequate documentation, the program cannot be modified or corrected, causing it to lose its value as time
progresses. Part 2 of the specification provides a description of the program and as such is the instrument
for making and controlling changes to the program in
the operation phase. The part 2 specification is a collection of information that is generated during the
acquisition phase of any well managed programming
effort (see Figure 4). It contains:
(1) a description of the overall program design
including high level flow charts;
(2) programming specifications for the individual
components of the computer program;
(3) the detailed flow charts for the components; and
(4) program listings.
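A delivered documentation package could be checked against this list before acceptance; the structure below is illustrative.

```python
# Items the paper lists for the part 2 spec.
PART2_CONTENTS = [
    "overall design description",
    "component programming specifications",
    "component flow charts",
    "program listings",
]

def missing_part2_items(delivered):
    """Part 2 items not present in a delivered documentation package."""
    return [item for item in PART2_CONTENTS if item not in delivered]
```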
A complete description of a suggested format and content of the part 2 spec is given in the aforementioned
government manuals.4,5

Acceptance of the program
The role of the part 1 specification in the formal
acceptance of the program is discussed elsewhere in
this session. Suffice it to say here that part 1 has a
twofold role in the acceptance process. It provides
the quantitative and qualitative measures by which the
performance of the program can be evaluated; it also
provides specific requirements for the types of tests
and inspections necessary to make this evaluation.
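The twofold role can be given a mechanical form: quantitative bounds from part 1 compared against formal test results. The requirement encoding here is an assumption for illustration.

```python
def acceptance_failures(requirements, measured):
    """Compare formal acceptance-test results against quantitative part 1
    requirements. Each requirement is a (kind, bound) pair where kind is
    "max" (must not exceed) or "min" (must meet or exceed)."""
    failures = []
    for name, (kind, bound) in requirements.items():
        value = measured[name]
        ok = value <= bound if kind == "max" else value >= bound
        if not ok:
            failures.append(name)
    return failures
```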

CONCLUDING REMARKS
Computer program requirements, documented in the
part 1 specification, provide a standard by which the
performance of the contractor and the performance of
the resultant computer program can be evaluated.
Despite some inherent problems which may prevent
a user from developing complete requirements prior
to the design of a computer program, it is possible
to use the evolving requirements as a key management sool during the program's development.
An initial part 1 specification can be released early
in the programming process for use by a contractor as
the basis for the design of the program. The remaining requirements can be transmitted to the contractor
in an orderly fashion as they are developed.

[Figure 4 shows the acquisition phase flow: preliminary computer program design, then detailed design of computer program components and the data base, coding and assembly, computer program tests, and system tests, all guided by programming standards; the overall design description and the component descriptions (#1 through #n), with their flow charts and listings, accumulate into the part 2 spec.]

Figure 4 - Programming standards and the Part 2 specification in the acquisition phase

All subsequent changes to part 1 can be controlled by a
change control board, composed of user personnel, to
insure the availability of up-to-date requirements consistent with the requirements of any interfacing
elements.
Several benefits accrue from having an up-to-date
part 1 specification throughout the development
cycle of the program. The user can evaluate the contractor's design at periodic intervals. The contractor
is provided a basis by which he can develop programming standards, which along with the program description documented in part 2 of the specification is an
essential tool in assuring the quality of the program.
Also, the user is provided with a measure for determining the acceptability of the program, since the results of formal acceptance tests can be compared
against the performance requirements in the part 1
specification.

APPENDIX - A model for the Part 1 specification
This appendix presents a more detailed description
of the types of information that should be included
in a computer program requirements specification.
The format illustrated in Figure 2 will be used as
the basis for discussion.
Performance requirements (3.1)
The performance requirements put bounds on the
expected performance of the program. This is done at
several levels. The first level specifies the system
characteristics which define the environment that the
program operates in (3.1.1). For example, in a space
tracking system this could be the number and types of
radars involved, the maximum number of space
vehicles to be tracked, the numbers and types of displays to be driven, etc. For a payroll program this
could include such things as the number of employees,
the types of deductions, the salary ranges, etc.


Spring Joint Computer Conf., 1967

The second level provides an identification of the
distinct functions that the computer program must
perform. The functions are described, with the aid
of a functional block diagram, under the heading
"operational requirements" (3.1.2). The block diagram illustrates the relationships of the functions to
each other to clarify the textual descriptions that follow in the spec.
The third level provides the inputs, outputs, and
required processing for each function depicted in the
block diagram. In the space tracking example, as a
case in point, the first identified function might be
that of orbit determination. A lead paragraph (3.1.2.1) describes the function in general terms with particular emphasis on its relationship to other functions.
Then the source and type of inputs associated with
the function are described (3.1.2.1.1). In our example
this might be spacecraft position data from each tracking station and a table of past spacecraft positions
generated by the computer program. For each of the
input sources, such things as data rates, accuracies,
units, and limits should be given.
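An input description of this kind can be captured in a simple structured record; the field names and the sample entry below are illustrative inventions, not taken from an actual specification.

```python
from dataclasses import dataclass

@dataclass
class InputRequirement:
    # One input source for a function, in the spirit of paragraph 3.1.2.1.1
    source: str            # e.g. a tracking station
    datum: str             # e.g. spacecraft position
    units: str
    rate_per_sec: float    # required data rate
    lower_limit: float
    upper_limit: float

    def in_limits(self, value: float) -> bool:
        # A reported value outside these bounds violates the requirement.
        return self.lower_limit <= value <= self.upper_limit

# Hypothetical entry for the space-tracking example in the text:
pos = InputRequirement("tracking station", "spacecraft range", "km",
                       10.0, 0.0, 42000.0)
print(pos.in_limits(35786.0))   # True
```

Recording rates, units, and limits in one place makes each requirement individually checkable later, which is the property the specification format is after.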
The types and destinations of data outputs associated with the function are then given (3.1.2.1.2).
For example, one such output might be an orbital
prediction used for driving a flight controller's display. Again such things as data rates, accuracies,
units and limits are specified.
The information processing required for the function is then described (3.1.2.1.3). This is done by
prose and mathematical descriptions including necessary logical concepts, timing requirements, formulas
and processing accuracies. In our example this might
include among other things, the differential equation
describing the orbit, the accuracy with which the
equation must be solved, and the interval of time within which it must be solved.
The next major class of requirements considered in
the performance section of the spec is the requirements for the data base - the collection of data that the
program operates on (3.1.3). For many programs the
storage requirements for data may exceed the requirements for instructions and must be carefully considered before the program is written. This consideration
should include such things as the volume of data, a
definition of data classes, and, for each datum, a description of the units of measure and ranges. If special
methods are required to convert the data to a form
suitable for use by the computer program, they should
be specified. If the program is to be used at several
sites where the data values will vary from site to site,
the site adaption procedures should be specified.
Many computer programs have extensive human
interfaces and, like hardware items, should be designed

with human performance in mind. Therefore, the part
1 specification includes such things as clarity requirements for displays, times for human decision
making, maximum display densities, etc. (3.1.4).
Computer program definition (3.2)

While the performance requirements may take the
bulk of analysis time and occupy most of the content
of the specification, there are other important factors
that must be considered prior to the design of a computer program. Two of these factors - the interfaces of
the computer program with the other elements of the
system, and the available computer programs that can
or must be used as components of the desired program - are specified under the category, "computer
program definition."
The interfaces with other computer programs, communication devices, and equipments must be specified
prior to detailed design of the computer program
(3.2.1). This includes all relevant characteristics of
the computer or class of computers the program is to
operate in, including such things as available memory,
programming languages, word size, etc. The relationship of the computer program to other equipments and
programs should be portrayed in a block diagram, with
detailed paragraphs in the spec describing the individual interfaces. The descriptions should include
such things as data formats, data rates, and data content. In addition, this portion of the spec should
describe all requirements imposed upon other system
elements as a result of the design of the program. For
example, certain program requirements may affect the
design of a display console; if so, they should be
documented in the spec.
In many programming efforts there may be available
already completed programs which are of potential use
to the program designers. For example, a tightly
coded numerical routine for solving differential
equations may exist in a program library. If there are
such programs, the requirements to use them should
be stated in the spec (3.2.2).
Design requirements (3.3)

There are certain requirements which affect the design of a computer program, which are distinguishable
from the performance requirements. These requirements result from general considerations of usability
and maintainability, and may include such things as requirements for: the use of programming standards;
program organization; special features to facilitate
the program's testing; and expandability. These types
of requirements should be considered in the definition
phase and included in the spec.

The Technical Specification - Key To Management Control
Quality assurance (4.0)
One of the major functions of the specification is to
define the tests and demonstrations necessary to qualify the program for operational use. For most computer programs the time and resources expended for
testing exceed those for any other activity in the programming process. Unless the requirements for testing are considered early enough, there may be delays
later in the process when these needs arise. Also, in
a large system the requirements for the testing of a
computer program are directly related to the requirements for testing the entire system. For these reasons
test requirements should be considered in the definition phase and included in the specification.
A method of verification should be given for each of
the performance and design requirements stated in the
specification. The requirements should be stated to a
level of detail which will permit detailed test planning
by the program developer. The specification itself
should not be a test plan. The types of tests that
should be considered include implementation tests, integration tests, preliminary qualification tests, final
qualification tests, string tests, etc. 3


REFERENCES

1 M V RATYNSKI
The Air Force computer program acquisition concept
SJCC Proceedings 1967
2 L V SEARLE and G NEIL
Configuration management of computer programs by the
Air Force: principles and documentation
SJCC Proceedings 1967
3 M S PILIGIAN and J L POKORNEY
Air Force concepts for the technical control and design
verification of computer programs
SJCC Proceedings 1967
4 NPC 500-1
Apollo Configuration Management Manual (Exhibit XVIII)
National Aeronautics and Space Administration May 18 1964
5 ESD Exhibit EST-1
Configuration Management Exhibit for Computer Programs
Electronic Systems Division Air Force Systems Command
Laurence G Hanscom Field Bedford Massachusetts May 1966
6 B H LIEBOWITZ E B PARKER III and C S SHERRERD
Procedures for Management Control of Computer Programming in Apollo Appendix I
TR-66-320-2 Bellcomm Inc September 28 1966
7 Ibid Appendix VI

Air Force concepts for the technical control
and design verification of computer programs
by M. S. PILIGIAN and J. L. POKORNEY, Captain, USAF

Electronic Systems Division
L. G. Hanscom Field

Bedford, Massachusetts

once it is developed. Generally, a one-to-one relationship exists between Sections 3 and 4 of the specification. Thus each requirement of Section 3 will have
an appropriate test requirement and test method
identified in Section 4. The specified requirements
form the basis for three formal technical reviews
through the system and contract end item design
and development. Concurrently the specification
test requirements are the basis for subsequent test
planning documentation and system testing at both
the contract end item and system performance levels.
The relationship between the specifications, design
reviews and test program is illustrated in Figure 1.
The lower blocks of the figure identify the design
reviews during the system life cycle each of which
will now be discussed in more detail.
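The one-to-one rule between Sections 3 and 4 lends itself to a mechanical cross-check; the paragraph identifiers and dictionaries below are invented purely for illustration.

```python
# Each Section 4 verification entry names the Section 3 requirement it
# covers; every Section 3 requirement must be covered by some test.
requirements = {"3.1.2.1": "orbit determination inputs",
                "3.1.2.2": "orbital prediction outputs"}
verifications = {"4.1": "3.1.2.1",   # test -> requirement verified
                 "4.2": "3.1.2.2"}

covered = set(verifications.values())
missing = sorted(set(requirements) - covered)
assert not missing, f"requirements with no identified test: {missing}"
print("every Section 3 requirement has a Section 4 test")
```

A check of this shape is what makes the specification usable for the later test planning the paper describes: an uncovered requirement is caught before test procedures are written.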

INTRODUCTION
While much has been written about the design and
development of large scale computer-based systems,
little has been published about the testing of these
systems and in particular about the testing of computer programs within the context of a system.
Similarly, while extensive techniques for design control of system hardware have been developed by the
Air Force over the past five years, technical control
and design verification procedures for computer programs have not been aggressively investigated. An
Air Force project was established at the Electronic
Systems Division (AF Systems Command) to rectify
this situation. Concepts resulting from this investigation are presented and current procedures to insure
design integrity of computer programs by technical
reviews of the designer's efforts and by tests during
program development are summarized.

System design review
The System Design Review (SDR) is held late in
the Definition Phase* of the system life cycle. 4
The purpose of this first review is to study the
contractor's system design approach. At the SDR
a critical examination is performed to insure that
contractor's design reflects a proper understanding
of all technical requirements. An analysis of contractor documentation in the form of functional
diagrams, trade study reports, schematic diagrams,
initial design specifications, etc. is conducted. A
prime objective of the SDR is to review the allocation
of functional requirements to the various system
segments and contract end items. Thus, for computer
programs, the SDR must insure that only those system
requirements that can be realistically satisfied by

Uniform specifications
Fundamental to Air Force management of computer
program design, development and testing is the
definition of computer programs as deliverable contract end items and the adaptation of the Air Force
uniform specification program to these end items. 1,2
The uniform specifications,3 both at the system and
computer program contract end item (CPCEI) level,
consist of two basic sections; Section 3, performance/
design requirements section, and Section 4, the quality
assurance or test requirements section. It should
be realized that even as early in the design process
as the preparation of the system and end item specifications, the methods of testing end item performance
against technical requirements should be known.
It is a waste of time and money to specify technical
requirements if a method of performance verification is not available to evaluate the computer program

*Phases as discussed here (i.e. Conceptual, Definition, Acquisition
and Operational Phases) refer to the 4 phases of the System Life
Cycle as defined in AFSCM 375-4, System Program Management
Procedures.

Figure 1 - Computer program design flow

computer programs have been allocated to computer
program contract end items (i.e. operational, utility,
diagnostic, etc.). Prior to the conduct of the SDR,
trade-off studies concerning equipments vs. computer
programs must have been completed to provide a cost
effective allocation of requirements. Satisfactory
completion of the SDR permits preparation of the
Part I specifications ("design to" specifications) for
all CPCEI's. These specifications form the basis for
the second technical review in the design process.
Preliminary design review
The Preliminary Design Review (PDR) is normally
held within 60 days after the start of the Acquisition
Phase. Concurrently the preliminary design of the
CPCEI can progress based upon the approved
"design to" specifications for the end item. The purpose of the PDR is to evaluate the design approach
for the end item or group of end items in light of the
overall system requirements; thus, the prime objective
of the PDR is achieving design integrity. A review
of the interfaces affecting the computer program contract end item is an important element of a PDR.
Emphasis is placed on verification of detailed interfaces with equipment and with other CPCEI's.
At the PDR the instruction set of the computer to
be used must be firmly established. The programming
features of the computer, e.g. interrupts, multiprocessing, time sharing, etc. must be known. All
external data formats and timing constraints must be

identified. The computer program storage requirements and data base design are reviewed for technical
adequacy at this time. The structure of the computer
program contract end item is also reviewed at the
PDR. During the initial design process for a complex
CPCEI, the requirements of the Part I specification
which are function-oriented are allocated to computer program components or modules. The relationship of the components of a typical CPCEI to the
functions identified in a Part I CPCEI specification
is shown in Figure 2. The allocation of functions to
computer program components within the CPCEI is
examined at the PDR. The primary product of the
review at this level is establishing the integrity
of the design approach, verifying compatibility of
the design approach with the Part I specification,
and verifying the functional interfaces with other
contract end items in order that detailed design of
the CPCEI and its components can commence.
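The allocation examined at the PDR can be represented as a simple function-to-component matrix; the component names (ATR, BAG, MIM, RST, taken from Figure 2) and the particular assignments below are illustrative.

```python
# Which CPCEI components implement which Part I functions (illustrative).
allocation = {
    "radar input tracking": {"ATR", "MIM"},
    "identification":       {"BAG"},
    "display control":      {"RST"},
    "data transfer":        {"ATR", "RST"},
}

# PDR check: no Part I function may be left without a component,
# otherwise a requirement has been lost in the translation.
unassigned = [f for f, comps in allocation.items() if not comps]
assert not unassigned, f"unallocated functions: {unassigned}"
```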
(Matrix relating N functions - radar input tracking, identification, display control, data transfer - to M computer program components: ATR, BAG, MIM, RST.)

Figure 2 - Allocation of performance functions to computer
program components

Critical design review
The Critical Design Review (CDR) is a formal
technical review of the design of the computer program contract end item at the detailed flowchart
level. It is accomplished to establish the integrity
of the computer program design prior to coding and
testing. This does not preclude any coding prior to
the CDR required to demonstrate design integrity,
such as testing of algorithms. In the case of a complex CPCEI, as the design of each component proceeds to the detailed flowchart level, a CDR is held
for that component. In this manner, the CDR is
performed incrementally by computer program components, and the reviews are scheduled to optimize
the efficiency of the overall CDR for the end item
as a whole. Due to the varying complexity of the
parallel design efforts for CPCEI components, it
would be unreasonable to delay all of the components being developed to hold one CDR for the
computer program end item.
At the CDR, the completed sections of the Part II
CPCEI specification (detailed technical description)
are reviewed along with supporting analytical data,
test data, etc. The compatibility of the CPCEI design
with the requirements of the Part I specification is
established at the CDR. "Inter" interfaces with other
CPCEI's and "intra" interfaces between computer
program components are examined. Design integrity
is established by review of analytical and test data,
in the form of logic designs, algorithms, storage
allocations and associated methodology. In general,
the primary product of the CDR is the establishment
of the design as the basis for continuation of the
computer program development cycle. Immediately
following the CDR, coding of individual components
takes place and the process of checkout and testing
of the components begins.
Computer program testing
System testing as defined by the Air Force is
divided into three classes or categories of testing,
two of which, Category I and II,5 are important in
development testing of Air Force systems and will
be discussed here. Category I tests for CPCEI's
are conducted by the contractor with active Air
Force participation. These activities, when properly
planned and managed, will normally proceed in such
a way that testing and functional demonstrations of
selected functions or individual computer program
components can begin early during acquisition and
progress through successively higher levels of assembly to the point at which the complete computer program CEI is subjected to formal qualification testing.
Since the total process is typically lengthy and represents the major expense of computer program


acquisition for the system, the test program includes
preliminary qualification tests at appropriate stages
for formal review by the Air Force. While the tests
are preliminary in nature (they do not imply acceptance, or formal qualification), they do serve the
necessary purpose of providing check points for
monitoring the contractor's progress towards meeting
design objectives and of verifying detailed performance characteristics, which, because of sheer
numbers and complexity, may not be feasible to verify
in their entirety during formal qualification testing.
Category II tests are complete system tests, including
the qualified computer program end items, conducted
by the Air Force with contractor support in as near
an operational configuration as is practicable.

Figure 3 - Test documentation

Computer program testing is accomplished in
accordance with Air Force approved test documentation as illustrated in Figure 3. As previously
discussed, test requirements and corresponding test
methods (to the level of detail necessary to clearly
establish the scope and accuracy of the methods) are
contained in Section 3 and Section 4 of the CEI specification. The Category I test requirements are further
amplified in the contractor-prepared Category I
Test Plan. This document contains comprehensive
planning information for qualification tests, complete with schedules, test methods and criteria, identification of simulated vs. live inputs, and support requirements for test equipment, facilities, special test computer programs and personnel. The Test Plan
forms the basis for the Category I Test Procedures, which
are also prepared by the contractor. These describe
individual Category I qualification tests in detailed
terms, specifying objectives, inputs, events, recording/
data reduction requirements and expected results.
Actual test results are reported in a formal Category I
Test Report.

Figure 4 - Computer program contract end item critical
design review and Category I tests

Category I (qualification) testing
of computer programs

The Category I test program verifies that the computer program contract end item satisfies the performance/design requirements of the Part I "design
to" CPCEI specification. The test program must
be designed to insure that all of the functional requirements, as translated into computer program components, are tested and that requirements are not lost
in the translation. The program is divided into two
major classes of tests: Preliminary Qualification Tests
(PQT) and Formal Qualification Tests (FQT). The
former are designed to verify the performance of
individual components prior to an integrated formal
qualification of the complete CPCEI.
Preliminary qualification testing

The PQT phase is conducted incrementally by
components in the same manner as the Critical

Design Review. Figure 4 depicts the relationship
between CDR and the Category I test program. The
crosshatched blocks in Figure 4 indicate coding of
individual computer program components. The
Preliminary Qualification Tests are modular and a
"building block" effect occurs as testing progresses.
As each computer program component is added and
each PQT conducted, increased confidence develops
in the CPCEI being tested. Generally, parameter
tests are conducted prior to and in parallel with
Preliminary Qualification Tests. 6
Parameter tests are those designed to prove that
an individual sub program satisfies the detailed design specification, not that the program performs
as coded. These tests compare the actual operation
of each sub program against the design specification.
Parameter testing usually requires a utility system
incorporating sophisticated parameter test tools.
These test tools, which are computer programs themselves, allow more efficient testing because they
increase the ease with which a test can be specified,
implemented and analyzed. They allow a programmer
to easily input data, make corrections and record
results. In addition to the test tools, the programmer
needs the compiled or assembled program, the Part I
specifications, the test plan and the test procedures.
In parameter tests, the programmer must input a
simulated program environment to the computer.
The environment should include the broadest range

of anticipated inputs, including some illegalities. The
program is operated in this simulated environment,
and the actual outputs are compared with the expected outputs. After each test run, the programmer
analyzes the results and makes corrections to the
code. All corrections are verified by submitting them
to a parameter test once again.
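A parameter test of the kind just described can be sketched as follows; the subprogram, its expected values, and the illegal input are stand-ins invented for illustration, not an actual routine from the period.

```python
# Run a subprogram against a simulated environment, including an
# illegality, and compare actual outputs with expected outputs.
def subprogram(x):
    if x < 0:
        raise ValueError("illegal input")   # illegalities must be rejected
    return 2 * x                            # stand-in computation

cases = [(0, 0), (3, 6), (10, 20)]          # (input, expected output)
for given, expected in cases:
    actual = subprogram(given)
    assert actual == expected, f"{given}: got {actual}, expected {expected}"

# The simulated environment also includes some illegalities:
try:
    subprogram(-1)
    raise AssertionError("illegal input was accepted")
except ValueError:
    pass
```

After each run the programmer analyzes mismatches, corrects the code, and resubmits it to the same parameter test, exactly the verify-after-correction loop the text describes.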
Assembly testing verifies that the computer program components in the contract end item interact
according to design specifications. It is conducted
with simulated inputs in order to minimize the effects
of people and equipment and allows a broad range of
input conditions to be simulated. Elaborate test tools,
such as input simulation, recording, and reduction
programs, are required to conduct assembly tests.
Since these programs take time to prepare, test
requirements such as instrumentation must be anticipated. For example, provision must be made for
core storage to accommodate test control and test
recording programs along with the program being
tested.
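The core-storage provision mentioned above amounts to a simple budget check; all of the sizes below (in 36-bit words) are invented for illustration.

```python
# The program under test must share core with the test instrumentation:
# test control and test recording programs loaded alongside it.
CORE_WORDS = 65536            # assumed core available for the test
program_under_test = 40000
test_control = 8000
test_recording = 6000

total = program_under_test + test_control + test_recording
assert total <= CORE_WORDS, "instrumentation will not fit alongside program"
print(f"{CORE_WORDS - total} words of core remain")   # 11536 words remain
```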
At the conclusion of Preliminary Qualification
Testing, all of the computer program components
will have been integrated and tested and the CPCEI
is ready for formal qualification and acceptance.
Formal qualification testing
Qualification testing of a complex computer program contract end item requires extensive use of
simulation techniques. The use of these techniques
is dictated by the high cost of providing overhead
computer facilities or by the unavailability of new
computers undergoing a parallel design and development effort. Although Preliminary Qualification
Tests will make maximum use of simulation techniques, the Formal Qualification Tests of an operational CPCEI will require live inputs, live outputs
and operationally-configured equipment. A prerequisite, then, of FQT is usually the installation and
checkout of the CPCEI in an operationally-configured
system at the Category II test site. The exception
would be in the case of a support CPCEI such as a
compiler that would not require live inputs, e.g. radar
data, and could be fully qualified at the contractor's
facility. To provide reliable data during FQT, the
CPCEI installation requires fully installed and
checked out equipment CEI's. The first opportunity
for FQT will normally occur at the Category II test
site after equipment CEI's that have successfully
passed First Article Configuration Inspection have
been installed and checked out and an operationally-configured system exists. FQT is conducted subsequent to installation and checkout of the CPCEI.
The conclusion of FQT signals the end of the Category I test program. The CPCEI will have been fully


qualified and all of the requirements of the Part I
specification should have been satisfied except for
those requirements of the Part I specification that
can only be demonstrated during a Category II
system test. After successfully passing this phase
of testing, the CPCEI is fully integrated into the
system and is ready for system testing.
First article configuration inspection
With CPCEI design and testing essentially completed, Part II of the CPCEI Specification is available for review. The Part II specification provides
a complete and detailed technical description of the
CPCEI "as built," including all changes resulting
from prior testing. It will accompany the CPCEI to
each installation or site and functions as the primary
document for "maintenance" of the CPCEI. Consequently, the technical accuracy and completeness
of the Part II specification must be determined prior
to its acceptance by the Air Force. The First Article
Configuration Inspection (FACI) provides the
vehicle for the required review; thus it is an audit
of the Part II CPCEI specification and the CPCEI
as delivered. The primary product of the FACI is
the formal acceptance by the Air Force, of (1) the
CPCEI specification (Part II) as an audited and
approved document, and (2) the first unit of the computer program contract end item. Air Force acceptance of the CPCEI is based on the successful completion of the Category I Test Program and the
FACI, but it does not relieve the contractor from
meeting the requirements in the system specification.
Subsequent to FACI, the configuration7 of the CPCEI
is essentially controlled at the machine instruction
level so that the exact configuration of the CPCEI
is available for Category II system testing.
Category II system testing
After acceptance of the CPCEI, the Air Force
conducts an extensive Category II system test program with the objective of demonstrating that the
total system meets the performance/design requirements specified in the System Specification. Insofar
as the computer programs are concerned, Category
II testing will verify the CPCEI's compatibility with
the system elements and its integrated performance in
meeting system requirements in the live environment,
with operational communications, personnel, etc.
Residual design and coding errors discovered in this
phase of testing are corrected prior to the system
becoming operational.

SUMMARY
The techniques for design reviews and testing presented in this paper provide a means of insuring the

design integrity of computer programs during the
lengthy design and development cycle. They provide
the Air Force with technical control, at discrete
phase points, which was not available before. To
provide this control, existing Air Force Systems
Command management techniques were assessed
and adapted to computer programs. No attempt has
been made to equate computer programs with equipments; rather, the requirement for similar technical
controls has been recognized with due consideration
for the inherent differences between computer programs and equipment. While these techniques were
developed for computer programs within the context of large computer-based systems, they are and
have been readily adaptable to small individual computer program procurements. More detailed information on requirements and procedures is included
in ESD Exhibit EST-1 and ESD Exhibit EST-2,
published by the Electronic Systems Division.
Though the above techniques have been used on
contracts at ESD, none of the programs have progressed through the complete cycle. The limited
experience to date indicates that the techniques are
feasible, they do provide vitally needed Air Force
technical control and visibility and in turn they have
been useful to the contractors as a formal management scheme and a means for mutual understanding
and problem resolution.

REFERENCES

1 ESD Exhibit EST-1
Configuration management exhibit for computer programs
Test Division of the Technical Requirements and Standards
Office Electronic Systems Division Air Force Systems
Command L G Hanscom Field
Bedford Massachusetts May 1966
2 AFSCM 375-1
Configuration management during definition and
acquisition phases
Andrews AFB Washington D C
Headquarters Air Force Systems Command June 1 1964
3 B H LIEBOWITZ
The technical specification - key to management control
of computer programming
SJCC Proceedings 1967
4 M V RATYNSKI
The Air Force computer program acquisition concept
SJCC Proceedings 1967
5 AFR 80-14
Testing/evaluation of systems subsystems and equipments
Washington D C
Department of the Air Force August 14 1963
6 L A FARR
A description of the computer program implementation
process
System Development Corporation
TM-1021/002/00 February 25 1963
7 L V SEARLE G NEIL
Configuration management of computer programs by the
Air Force: principles and documentation
SJCC Proceedings 1967

Univac ® 1108 multiprocessor system
by D. C. STANGA
Univac Division, Sperry Rand Corp.
Roseville, Minnesota

INTRODUCTION

Two prime objectives existed during initial conception of the 1108 Multiprocessor System. These were:
• Increased system performance, and
• Increased system availability.
Increased performance in a "central system" was achieved via multiple processing units, multiple input/output units, and multiple access paths to critical peripheral devices. To accommodate this increase in computer capability the main memory was increased in size to provide storage for a large number of resident programs.
Increased availability was achieved by providing multiple access paths to all system components, and by providing for removal of system components for offline testing and maintenance.
In order to accomplish the prime objectives, several self-imposed restraints were placed on the design considerations; these are: modifications to the 1108 Processor would be minimal, the two processors (1108 & 1108 II) would be functionally identical, and all peripheral subsystems and existing memory modules must operate in the new configuration. The self-imposed restraints were intended to minimize development time and ensure that the existing upward compatibility between 1107 and 1108 Processors would be continued through the 1108 II Processor.

System configuration (hardware)
Figure 1 shows a maximum 1108 Multiprocessor System configuration, with the exception of the Peripheral Subsystems, which are essentially unlimited with respect to the rest of the system. A minimum configuration (unit processor) of the same system would consist of a processor and two memory modules (65K).
The 1108 Executive system views the minimum configuration as a subset of the more general multisystem configuration. To better understand the multiprocessor system, it is helpful to think of it as composed of many distinct modules or system components which are functionally, logically, and electrically independent. Any system component can be removed from the system, resulting only in a degradation of system performance, and not total system destruction. The removal of the system component is accomplished by a combination of software and hardware actions. (This will be discussed further under System Availability.)
The following system components can be interconnected into a variety of pre-specified system configurations.

1108 II processor
This processor is functionally identical to the 1108 Processor except that an additional mode of main memory addressing was introduced, and another instruction was added to the Unprivileged Set.
Additional mode of main memory addressing. - To the programmed overlapped addressing of the 1108 Processor was added the interleaved capability, with an extension of this addressing form to include 262K 36-bit main memory words. This interleaving is accomplished after the basing and indexing operation by decoding the upper two bits and the lower bit of the absolute memory address.

(Diagram: the address field, with the upper two bits labeled "Logical Bank 0-3" and the least significant bit labeled "Even/Odd")

The upper two bits specify the logical bank and the least significant bit of the address field specifies the even or odd module within the logical bank. Each logical bank contains 65K of 36-bit words. The interleaving feature permits optimum simultaneous execution of a common area of procedures by two
Spring Joint Computer Conf., 1967

(or more) processors. The degree of interleave is a trade-off between simultaneous access capability and hardware functional capability during times of main memory hardware malfunction.
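The bank and module decode just described can be sketched as follows. This is an illustrative modern sketch, not from the original documents: the function name and the assumption of an 18-bit absolute word address (262K = 2^18 words) are the author's of this sketch, derived from the stated capacities.

```python
def decode_1108_address(addr):
    """Split an 18-bit absolute word address (262K words maximum)
    into the logical bank (upper two bits), the even/odd module
    within that bank (lowest bit), and the word offset inside the
    32K module (the remaining 15 bits)."""
    assert 0 <= addr < 2**18
    bank = (addr >> 16) & 0b11     # one of four 65K logical banks
    module = addr & 0b1            # even or odd 32K module in the bank
    offset = (addr >> 1) & 0x7FFF  # word within the 32K module
    return bank, module, offset
```

Because the lowest bit selects the module, consecutive addresses alternate between the even and odd modules, which is what allows two processors to fetch from a common instruction stream simultaneously.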
Addition of the test and set instruction to the unprivileged set. - The function of this instruction is to
permit queued access to common procedure areas
that cannot be executed simultaneously by two or
more processors. This function is accomplished by
testing the specified main memory cell and setting
it during the same extended memory cycle.
(Flowchart: the instruction tests the memory cell; if it is 1, an interrupt to location 164 occurs; if not, the next instruction (NI) is taken.)
Consequently, this common area of procedures is
protected from simultaneous entrance by virtue of
the fact that all references to it must test the cell associated with that area. If simultaneous access is
attempted, an internal interrupt to the Executive System is effected. These restricted entrances into procedure areas will occur most frequently in the Executive area during assignment of, or changes in, priority
of system tasks. It is beyond the scope of this paper to delve into discussions on re-entrant or pure procedure, and conversational mode compilers. They are, however, planned as standard software packages for 1108 Multiprocessor Systems.
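The semantics of the instruction, an indivisible test of a cell combined with setting it, can be modeled as below. This is a sketch in a modern language with illustrative names; a software lock stands in for the extended memory cycle that makes the hardware operation indivisible.

```python
import threading

class TestAndSetCell:
    """Models the 1108 test and set primitive: the cell is tested
    and set within one indivisible (extended) memory cycle."""
    def __init__(self):
        self._cell = 0
        self._cycle = threading.Lock()  # stands in for the extended memory cycle

    def test_and_set(self):
        """Return the cell's old value, leaving it set to 1."""
        with self._cycle:
            old = self._cell
            self._cell = 1
            return old

    def clear(self):
        """Executed on leaving the protected procedure area."""
        with self._cycle:
            self._cell = 0
```

A processor entering a restricted procedure area would execute test_and_set(): a returned 1 corresponds to the interrupt path into the Executive System, a returned 0 to taking the next instruction and proceeding into the area.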
Main memory
Main memory is provided in 65K word increments, expandable from a 65K minimum to a 262K maximum configuration. The main memory cycle time is 750 nanoseconds. Eight distinct paths are provided for each Processor and IOC, thus enabling each of these components to address the maximum memory configuration. Main Memory is composed of eight separate 32K modules; thus eight simultaneous references could occur in a system configuration containing the maximum memory, processor, and IOC components.

Multiple module access unit (MMA)
This system component provides multiple access
to individual memory modules. A pair of MMA's
provides access to one logical bank of 65K words.
A maximum of five paths to each module exists.
Priority resolution between simultaneous memory
requests is accomplished in this unit. The Processor/IOC-Memory interface is request-acknowledge logic.
Therefore, at a time when queues develop at a module
interface a Processor or IOC can be kept waiting
while memory requests are serviced on a predetermined priority basis. This priority is so arranged

that IOC's are serviced first due to the inability of
most peripheral devices to "wait" for any extended
period. Requests are serviced in the following manner: priority is sequenced from left to right in each class, with Class 1 (IOC0, IOC1) having preemptive priority over Class 2 (the processor requests).
Input output controller
The main function of this unit in the system is to
provide the capability for simultaneous compute and
input/output data transfer operations. It also enhances
the real-time capabilities of the system by providing
high speed Externally Specified Index operations.
Other primary functions include system channel expansion capability and data buffer chaining. The IOC
is functionally similar to the input/output section of
the 1108 II Processor. It does, however, exhibit the
following advantages over the processor as a memory
to peripheral subsystem data transfer device.
(1) Requires no interruption of processor computational capability to execute data transfers.
(2) Possesses data buffer chaining capability.
(3) Performs ESI data transfers to main memory
utilizing only one main memory reference
versus three main memory references for a
processor executed ESI transfer.
The operations of the IOC are initiated via control
paths from each of the three processors in the system. A channel from each processor is required as a
control path for the issued commands and the resulting termination interrupts. The commands specify
where function and data buffer control words are
located in main memory; it is then up to the IOC to
procure and issue functions as well as initiate, control,
and monitor the resulting data transfers. Upon completion of an operation, a pre-specified processor is
interrupted and notified that the channel has been
terminated. The status associated with this termination interrupt is automatically stored at a pre-specified location in main memory by the IOC.

The control memory of the IOC is 256 words (expandable to 512 words). Its cycle time is 250 nanoseconds.
This high speed internal memory enables the IOC
to hold up to 448 ESI buffer control words internally.
During an ESI transfer the IOC need only reference
this memory for its control words and therefore requires only one main memory reference at the time
that data is to be transferred. In contrast the processor must reference main memory three times for the
ESI buffer control word (as shown below):

IOC: Read BCW (250 ns) | Write BCW (250 ns) | Store character in main memory (750 ns, overlapped with last transfer)
Processor: Read BCW (750 ns) | Write BCW (750 ns) | Store character in main memory (750 ns, no overlap possible)

The maximum aggregate data transfer throughput of an IOC is 1.33 million words per second.
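The stated maximum is consistent with one 750 ns main memory reference per ESI word moved. A quick back-of-the-envelope check (this arithmetic sketch is the editor's, not from the original text):

```python
MAIN_MEMORY_CYCLE_NS = 750  # one main memory reference per ESI word transferred

# Words moved per second if every cycle transfers one word:
words_per_second = 1e9 / MAIN_MEMORY_CYCLE_NS
# about 1.33 million words per second, matching the stated IOC maximum
```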
Multiple processor adapter
This functional unit provides multiple access capability to a peripheral subsystem. It honors requests for access on a first-come, first-served basis. The unit has two basic modes of operation, one for Internally Specified Index (ISI) operation and the other for Externally Specified Index (ESI) operation. Up to four input/output channels from any combination of Processors and IOC's can be connected via the MPA to a peripheral subsystem.
In the ISI mode the MPA will "lock" onto the first channel that issues a function and will continue servicing that channel until one of two contingencies occurs.
They are:
(1) An External Interrupt is issued by the Peripheral Subsystem, or
(2) A Release Control function is issued by a Processor or IOC.
In the ESI mode the MPA will remain locked onto a Communications Subsystem until another channel issues an External Function. In the normal ESI mode the MPA remains continuously dedicated to the initiating input/output channel. In the case of a channel malfunction, control of the Communications Subsystem can be switched to another channel connected to that MPA. The switching is accomplished by a function being issued by the channel wishing to take control.
Dual access devices
In addition to providing multiple access to individual subsystem control units, the capability also
exists for dual access to certain devices by two control units. The devices provided this capability are
Tapes, FH Drums, and FASTRAND Drums. These
devices have the capability for resolving simultaneous
requests for service from two independent control
units. If one of these devices is busy, a busy status
is presented to the other control unit. Upon com-

pletion of the current service request, the "waiting"
control unit is granted access. Further discussion of
simultaneous service requests to a device is included
under the System Control section of this paper.
System control (software)
It is obvious from the preceding hardware discussion that many hardware configurations exist and also that many alternate paths between system components are available. However, software and system performance considerations make it advantageous to pre-specify legal system configurations and the primary data flow paths, as shown in Figure 2.
System control is maintained by the Executive
(EXEC) software system. The EXEC can be executed
by any processor in the system. Each, in turn, acting
as the EXEC processor will inspect the list of current activities and select a task to be done. As previously stated in the hardware discussion, the EXEC
processor may interlock an area of critical common procedures or data during task assignment or
facilities assignment operations. Input/output operations are normally initiated using the primary data
flow path shown in Figure 2. To increase system performance the EXEC will also assign another path to a
string of dual access devices such as the FH Drums.
This secondary path may also serve as the primary
path in the case of malfunction. Secondary paths to
single access device subsystems (such as a card subsystem) are also assigned during system generation so
that they may function as primary paths during IOC
or Processor malfunction. The EXEC routines interfacing with the resident worker programs are reentrant in design. For minor tasks requested of the
EXEC, many of the routines are totally re-entrant.
Others, when in the multiprocessing environment, will queue the worker program requests where
serial processing in a particular area of the EXEC
is required. At the lowest level, the EXEC must
queue interrupts and issue input/output service requests on the pre-designated processor. Above this


basic level, any of the available processors can perform a given task with selection based on the priority
of the task currently being executed by the processors.
System performance
Several methods have been used in an attempt to
quantitatively express the additional increase in
computational performance afforded by the addition
of one or more processors to the basic system.

Most of these methods consist of complex mathematical expressions and simulation models, or a combination of the two, in order to depict all of the factors of the configuration and their complex inter-relationships.
The simple expression presented below is only
intended to show the primary effect of the factors.

N = (P x 10^6) / (C + Q + D + E) instructions per second    (1)

Where,
P = number of processors
C = cycle time of memory (the memory itself)
Q = delay due to queues at memories
D = delays due to hardware (MMA, etc.)
E = time added due to extended sequence instructions
and C, Q, D, and E are in microseconds.
C and D are straightforward factors; E is best obtained from the Gibson Mix or the like, and Q is the most difficult number to arrive at.
As an extreme case, consider the 1-processor configuration with a 750 nanosecond memory, no queues at memory and no hardware delays. The maximum rate of instruction execution with no extended sequence instructions would be,

N = (1 x 10^6) / .75 = 1.33 x 10^6 instructions per second
(theoretical maximum, one processor)

The maximum rate of instruction execution with extended sequence instructions would be,

N = (1 x 10^6) / (.75 + .300) = 0.95 x 10^6 instructions per second
(for one processor)

As an example of a 2-processor case, set C = .750 and D = .125. An estimate for E would be about .300. Through the medium of various simulations of the 2-processor case, a value of Q = .050 may be arrived at. Hence,

N = (2 x 10^6) / (.750 + .050 + .125 + .300) = 1.63 x 10^6 instructions per second
(for a 2-processor multiprocessor system)

Therefore, the gain for the 2nd processor is

(1.63 - .95) / .95 = 0.71

The value of E may be adjusted through a small
range to reflect the type of problem mix. Q is influenced most strongly by the configuration, the I/O
load, and the intelligence of the assignment portion
of the Executive. Q is also somewhat interdependent
with E.
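Expression (1) and the worked figures above can be checked directly. A minimal sketch; the function name is illustrative:

```python
def instructions_per_second(p, c, q, d, e):
    """Expression (1): N = P * 10^6 / (C + Q + D + E),
    with C, Q, D, and E given in microseconds."""
    return p * 1e6 / (c + q + d + e)

# The three cases worked in the text:
peak_1p = instructions_per_second(1, 0.750, 0, 0, 0)         # theoretical maximum, one processor
real_1p = instructions_per_second(1, 0.750, 0, 0, 0.300)     # with extended sequence instructions
real_2p = instructions_per_second(2, 0.750, 0.050, 0.125, 0.300)
gain = (real_2p - real_1p) / real_1p                         # fractional gain of the 2nd processor
```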
System availability
Central System availability is assumed to be required on a continuing basis. To achieve this goal
modular independency is stressed throughout the
system. Each system component is electrically and
logically independent. The same provision is made
regarding cooling and power supplies. Provision is
also made for disconnecting any malfunctioning components without disrupting system operation.
This disconnection is initiated either by the Executive System or the operator. The component in either
case is first "program disconnected" by the Executive
System and then the operator is informed via the system console. System operation will then degrade to a
level which is dependent upon the malfunctioning unit's normal contribution to system performance.
The Availability Control Unit (ACU) and the Availability Control Panel (ACP) shown in Figure 3 provide the capability for isolating components from the
remainder of the operational system for purposes
of test and maintenance. Within this framework two
other important features are included. They are:
Partitioned System capability, and an Automatic
Recovery System (ARS).
The ARS is basically a system timer; it is dependent
upon the Executive System to reset it periodically
(millisecond to several second intervals). If it is not
reset, a catastrophic malfunction of the Executive
System is assumed, and an initial load operation will
be initiated by the hardware using a pre-specified portion of the total system. An example of a pre-specified
split in the system configuration is shown in Figure 4.
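The recovery behavior just described can be sketched as a watchdog. The class and method names below are illustrative, and the real ARS is hardware, not software; this sketch only models the decision of which pre-specified partition attempts the initial load.

```python
class AutomaticRecoverySystem:
    """Watchdog sketch of the ARS: the Executive must reset the
    timer within its interval; on expiry the hardware initial-loads
    a pre-specified partition, then the alternate partition if the
    timer triggers again."""
    def __init__(self, partitions=("left", "right")):
        self.partitions = list(partitions)  # pre-specified split of the system
        self.expiries = 0

    def reset(self):
        """Called periodically by a healthy Executive System."""
        self.expiries = 0

    def timer_expiry(self):
        """Called when no reset arrived within the interval; returns
        the partition that attempts the initial load operation."""
        target = self.partitions[min(self.expiries, len(self.partitions) - 1)]
        self.expiries += 1
        return target
```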
For the system shown in Figure 4 the left-hand
portion would try to initial-load the Executive System first. If the malfunction still exists (the system timer would trigger again), then the right-hand portion of the configuration would attempt the initial load operation. Assuming one malfunction, one of the two configurations will be operational.
This, then, is the Partitioned System recovery concept implementation. The system can also be partitioned manually by selection. The partitioning is pre-specified, and the initiation only serves to activate the pre-selected partitions.

SUMMARY
The 1108 Multiprocessor System is a large scale central data processing system which functions equally well in a real-time, demand processing application as in a scientific batch processing environment. The symmetrical system configuration permits a high degree of parallel processing of tasks by all system processors. Modularity of system components provides for total system availability as well as ease in expansion capability for the future.

(Figures: 1108 Multiprocessor System configuration diagrams showing four 65K memory banks (0-65K, 65K-131K, 131K-198K, 198K-262K) built from paired 32K modules with MMA's; 1108A processors; input/output controllers; MPA's; control units (CU/S); consoles; and the Availability Control Unit (ACU) with its Availability Control Panel (ACP).)

(Figure 6 - Local store sizes: per cent of references plotted against the number of (16 word) blocks in local storage, from 2 to 512; annotations mark where the program fits completely within 541 blocks and within 812 blocks.)

The replacement algorithms divide into three
classes. The congruent mapping algorithm is probably
cheapest to implement but makes least efficient use
of local store. A modified version of this algorithm
will cost more but can improve efficiency. This class
of algorithm uses a binary decode of the address to
choose the space in local store. The other two classes
use an associative search to choose a space. The
"first in, first out" algorithm searches the available
space to find the space first filled (i.e., longest ago
filled). This class of algorithm is based upon only the
blocks in local store and does not deal with block
history in the backing store. On the other hand, the
third class of algorithm deals with reference activity
information stored in extra cells in the backing store;
e.g., the total number of times a block was referenced
for all stays in local store might be stored in backing
store, and used by the replacement algorithm whenever the block is in local store.
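The first two classes can be sketched as follows. These are illustrative modern sketches with invented names; the third, history-based class would additionally consult reference counts kept in extra cells of the backing store.

```python
from collections import deque

def congruent_slot(block_number, n_slots):
    """Congruent mapping: a binary decode of the block number picks
    the local-store slot directly; cheap, but no choice of victim."""
    return block_number % n_slots  # n_slots assumed a power of two

class FifoLocalStore:
    """'First in, first out': on a miss, replace the block that was
    placed in local store longest ago (found by associative search)."""
    def __init__(self, n_slots):
        self.n_slots = n_slots
        self.blocks = deque()  # oldest (first-filled) block at the left

    def reference(self, block):
        """Return True on a hit, False on a miss (with replacement)."""
        if block in self.blocks:
            return True
        if len(self.blocks) == self.n_slots:
            self.blocks.popleft()  # evict the first-filled block
        self.blocks.append(block)
        return False
```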

(Figure 7 - Replacement algorithm: behavior compared across different addressing patterns, A through G.)

Program size vs. block transfer
effectiveness

The usefulness to the CPU of block transfer is
clearly a function of the program running in the CPU,
if by "program" we mean "address pattern." No
other meaningful description of "program" can be
correlated to the swapping activity in a block transfer
system. The trace of a single FORTRAN compilation
illustrates the inadequacy of program size as a determining factor of swapping activity.
Figure 8 emphasizes the changing address pattern
within a single "job." Time has been sliced into units
of 200,000 references. The upper chart indicates the
changing size of storage used by the compiler, varying
from a low of 6.4 K to a maximum of 32K in the tenth
time slice. This chart is detailed to indicate relative
storage required by data and by instructions. The

Considerations in Block-Oriented Systems Design
lower chart indicates the percentage of references
not found in local store during the various slices.
Note particularly that the greatest incidence of going
outside the local store occurs when the used storage
size is smallest (during the fifth time slice, when
unique words used is nearly minimum).
From this and many similar programs, it is concluded that the program size is of second-order importance to the addressing pattern in determining the effectiveness of block transfer.


core/drum hierarchy. Thus, if a drum is accessed for
1024 words per block, and if the program has only
4096 words allotted for use in core, then 1.9 words
will be transferred from drum to core for each word
transferred from core to CPU.

(Figure residue: chart scale to (32K) 100 per cent, and a block diagram of the CPU with its local storage and memory or backing storage.)


Figure 1 - "Eyeball" film reading system (diagram: light from the monitor cathode-ray tube passes through a lens and pellicle to primary and reference photomultiplier tubes with condensers; a comparator produces a yes-no signal giving the polarity of their difference for the PDP-1 computer, which controls the CRT coordinates, the beam intensity, and the photomultiplier high voltage supply)

Photograph digitizing

The large amount of filmed analog data processed
at this Laboratory led to the development of a computer controlled reading device. 5 In its present state

As may be seen in the figure, light from the CRT
is split by the pellicle and directed toward both a
primary and a reference photomultiplier tube. This
light is focused against a film in the primary holder

*Work performed under the auspices of the U.S. Atomic Energy
Commission.


and a neutral density filter or nothing in the reference
holder. Light passing through is collected by each
condenser for its respective photomultiplier.
Future plans call for the log-difference of the photomultipliers to be sampled by an analog to digital converter and made available to the computer program. It was originally planned that this scheme would
be used to determine gray shades in the digitized film.
While technical difficulties with this plan are being
looked into, gray scale determination is made by a
programmatic variation in the beam intensity of the
eyeball CRT. The photomultiplier outputs have been
closely matched, so that for a single CRT beam intensity the eyeball output is a simple "yes - no,"
reflecting the polarity of their difference. Eyeball
sensitivity is a function of the high voltage to the
photomultipliers and, more importantly, of the relative voltage between the two.
The CRT coordinates as well as the beam intensity
are under program control. The eyeball CRT has
4096 by 4096 addressable points over a 3-inch square.
Beam intensity is variable through eight equal voltage
levels. For these experiments only five could be used
satisfactorily.
The latest photograph digitizing routine follows the flow indicated in Figure 2. Once the operator has positioned a film and set the photomultiplier voltage to within a known tolerance, a programmed scan
sweeps the entire face of the eyeball CRT. This and
subsequent eyeball operations are visible to the
operator on a 16-inch monitor CRT.
During the sweep a bit pattern of eyeball yes - no
responses is stored in memory. The yesses are replayed for operator observation. The operator adjusts
the reference with respect to the primary voltage
until he is satisfied that the yesses cover what will be
the reproduction's darkest areas. (Because positives
or negatives can be equally well used and can produce
either positive or negative reproductions - polarity
is unimportant, i.e., yes may be substituted for no,
and lightest for darkest).
When the operator signals his satisfaction, the bit
pattern is written as a single record on magnetic tape.
The beam intensity is then reduced to the next lower
level, the scan repeated, and the response pattern
written as a second tape record. This sequence is
repeated through the remainder of the lower beam
intensities being used.
Resolution is necessarily dependent upon the mesh
chosen for the programmed scan. A square array employing every sixteenth point was arrived at as a
compromise between photographic detail on the one
hand and time and storage on the other. It was found
that the quality of the output picture was greatly improved by shifting the response pattern over and up a fourth point for each subsequent record. At that time the reference coordinates were restored.
The computer time for digitizing a single film is less
than a minute and can probably be reduced by a factor
of two. The storage requirement is under a third of
a million bits and can also be appreciably reduced by
mapping out backgrounds or areas of no significance.
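The multi-pass scan and its cumulative-exposure playback can be modeled in a simplified way. The names and the darkness scale below are illustrative inventions; the real device records one yes-no bit per scanned CRT point per beam intensity, one tape record per intensity.

```python
def digitize(image, intensities):
    """One scan per beam intensity, highest first: record a yes/no
    bit per point, 'yes' meaning the point is at least that dark.
    `image` maps scan points to darkness values on the same scale;
    each scan corresponds to one tape record."""
    return [{pt: darkness >= level for pt, darkness in image.items()}
            for level in intensities]

def reconstruct(records):
    """Playback: all records are displayed on one frame at a single
    intensity, so a point's gray shade corresponds to the number of
    records in which it answered yes."""
    shades = {}
    for record in records:
        for pt, yes in record.items():
            shades[pt] = shades.get(pt, 0) + int(yes)
    return shades
```

With darkness values 5, 2, and 0 at three points and intensity thresholds 4, 3, and 1, the darkest point accumulates three exposures, the middle point one, and the lightest none.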

(Figure 2 - Flow of photograph digitizing routine: scan at 16 point intervals, left to right and bottom to top, saving the pattern of responses.)

Photographic reconstruction

Although photographs were recreated for test purposes on the digitizing computer, plans for integrating
the pictorial output with text made it advisable to use
faster equipment with character generation capabilities included in the hardware. Accordingly, a
CDC DD-80 was used for the output.6 It is interfaced to an IBM-7094 through a direct data channel.
For film recording, the DD-80 employs a 5-inch CRT with 1024 by 1024 points across a square a little under two and one-half inches on a side. Because there are four times as many points in both directions

Digitized Photographs for Illustrated Computer Output*
on the eyeball CRT, the reconstruction of film digitized at every sixteenth point is determined at every fourth point. As on the scan, the playback pattern was shifted over and up for each subsequent record.
After commanding the plotting of a header frame
and a film advance, the reconstruction program reads
the digitized photograph from magnetic tape a record
at a time. Following each read, all points corresponding to the pattern of yes responses are displayed. All records are displayed at a single intensity
and on a single frame. The program uses less than 10
seconds of 7094 time.
Half and quarter size pictures were also recreated
by displaying the response pattern with the increment
between points reduced to two and one points respectively.

While a great deal of work is still to be done to
achieve truly fine quality at low cost, the present
output is satisfactory for many internal uses. It is
probable that even a presentable Xerox copy may be attained by a proper prescreening of the negatives. The exaggerated flatness in shade is due largely to the use of an extremely high contrast film previously chosen for its good line reproduction characteristics.

CONCLUSIONS
The experiments indicate the technical feasibility of
including photographs with computer output. Some
results are shown in Figures 4 through 6. Figure 3
is a print of the negative which was digitized for use
in this paper. (The young lady is replacing the filter
holder on the reference side of the eyeball.) Figure 4
is the Xerox output at full size. Figure 5 is a print made from the same DD-80 film. Figure 6 is a print made from a DD-80 film in which the text shown was included along with a half size reconstruction.
Figure 4 - Xerox output

Figure 3 - Print of digitized negative

To date, all negatives have been on 4" x 5" cut film. Plans in progress call for the use of 35 mm roll film. This change should eliminate most of the setup time without seriously affecting resolution.


Figure 5 - Print of DD-80 film


Figure 6 - Print of half size reconstruction with text

ACKNOWLEDGMENTS
I would like to thank George Gielow for requesting a study of this nature, Ervie Ferris for his suggestions and help with the "Eyeball," and Sidney Fernbach for his support.

REFERENCES
1 M P BARNETT D J MOSS D A LUCE K L KELLEY
Computer controlled printing
Proc 1963 Spring Joint Computer Conference Spartan Books Washington DC Vol 23 263-271 1963
2 M V MATHEWS J E MILLER
Computer editing typesetting and image generation
Proc 1965 Fall Joint Computer Conference Spartan Books Washington DC Vol 27 389-398 1965
3 R J MCQUILLAN J T LUNDY
Computer systems for recording retrieval and publication of information
Proc 1965 Spring Papers and Presentations of DECUS DECUS Maynard Mass pp 61-91 1965
4 V C SMITH
3600 publisher
CIC Report 06-001 LRL Livermore 1965
5 R W CONN R E VON HOLDT
An online display for the study of approximating functions
JACM 12 No 3 326 1965
6 A CECIL G MICHAEL
DD80 programmers manual
LRL Livermore 1963

Mathematical techniques to improve
hardware accuracy of graphic
display devices
by CLOY J. WALTER
Honeywell Inc.
Waltham, Massachusetts

INTRODUCTION

The problem
Background of the problem
The contribution of scientists pioneering the design and construction of electrical apparatus has been recognized and valued by our society. Equipment ranging from toasters to air conditioners to electrocardiographs has been widely implemented and regularly used. People have viewed each new apparatus independently and sought to derive maximum benefits by judicious application of its potential.
Large scale digital computers were invented scarcely a decade ago and offered new possibilities for application of electrical design. People accepted a computer as another independent electrical apparatus, i.e., a computer was regarded as an entity. Computer peripheral devices were developed and the importance of a processing system was recognized. Although several units were coordinated to satisfy a specific requirement, no attention was given to techniques of interaction/adjustment/response among devices.
Cannot a peripheral device be regarded as a governable, adjustable unit? Or a main processing unit as a sense/response mechanism that can accept/transmit information to/from elements within the system as well as control action instigated by the preassigned specific requirement?
Can a computer and a peripheral device be considered as a single unit? If a computer and a peripheral device can be considered as one unit, can the accuracy and the reliability of the peripheral device be improved by mathematical techniques? Or can improvements in electronic devices only be achieved by modifying electrical circuitry or hardware? For example, can mathematical techniques be used to improve the accuracy of a computer graphic output device despite its hardware limitations?
This developmental research problem involves discriminatory analysis, differential equations, and simulation. Methods are needed to predict the location of an error as a function of position on the screen of a Cathode Ray Tube (CRT). Compensation must be made for this error. If the errors in a CRT electron beam can be corrected before the beam is generated, then at least one of the vital questions stated earlier can be answered affirmatively. Mathematical techniques can be used to improve the accuracy of a computer graphic output device.

Reason for research
Operations performed by computer systems could
be greatly expedited by an application of techniques
that require an accurate computer graphic output
device. Such a device is not available. The purpose
of this research was to give detailed consideration
to the development of a technique for converting
computer digital data into accurate film image representation.
Immediate application of graphic data processing
to solve a variety of problems is both physically
possible and economically desirable. Graphic data
processing can be effectively applied in mathematics, engineering, banking, education, communications, medicine, management information systems,
programming, and many other fields. Barriers to
rapid development of graphic data processing include the failure to fully develop graphic devices and
to recognize benefits that can be derived from applications involving such devices.
Two recent developments make the use of computer
graphic devices economically feasible. Time-sharing
Spring Joint Computer Conf., 1967

enables a number of customers to utilize a single
computer in a manner such that apparently simultaneous processing results. Remote data terminals
permit geographically distributed installations to
receive the benefits of rapid data processing as though
computers were located at each facility.
Attempts have been made to improve the accuracy
of computer graphic devices. New and improved
circuits, equipment for precise voltage control, improved tubes, and other electro-mechanical features
have been innovated. Engineers, system designers,
programmers, and mathematicians recognize the
desirability and ultimate necessity of providing a
data processing system that accepts either digital data
input or graphic input and provides accurate graphic
output. Several universities and companies have developed graphic input/output devices. These devices
are an advancement in the computer field but lack
the degree of accuracy required for certain engineering
design drawings.
The aim of this research was to contribute to the
advancement of the computer and electronics fields
by demonstrating that mathematical techniques can
be applied to increase the accuracy of an electronic
device. This goal was achieved. Such techniques were
applied to General Dynamics' Stromberg-Carlson
4020 microfilm machine. Accumulated results show
mathematically that a visual display system can produce accurate images, i.e., that an inaccurate computer peripheral device can provide accurate data
output.
The development of an accurate computer graphic
device portends significant changes. The throughput
time for product design and specification and subsequent engineering modification will be greatly
reduced; new vistas will open in the field of publications; new techniques will be available for the
rapid production of animated films that permit the
simulation of many situations. Most importantly,
graphic data processing can be intimately associated
with on-line systems, thus adding new dimensions
to man/machine interactive systems.
Hopefully, the conceptual ideas of this paper will
assist the best minds in the computer industry in a
reexamination of the computer-peripheral device
relationship. The result should be a faster rate of
progress in the computer field than we have today.
Statement of the problem
The problem of producing an accurate image with
a computer-controlled CRT was assumed to be a
fundamental process control problem or a process
model building problem.

Specific questions to be answered
This research was conducted to formulate bases
for answers to the following questions:
1. Can a computer be used to derive equations that
can predict the locations of errors in output of
computer peripheral equipment? An affirmative
answer to this question implies that:
(a) Errors transmitted by an output device can
be predicted.
(b) Mathematical techniques can enable the computer to supply modified, seemingly inaccurate data to its output device.
If these implications are valid, then an inaccurate
peripheral device can, in turn, provide accurate
data output.
2. Are the errors of linearity predictable in both X
and Y directions? Linearity of the SC 4020
is reported as ± one percent. Prediction and
subsequent correction of such variation should
be possible.
Summary of related research
Many large companies and universities are engaged
in computer graphic research. Interest in Engineering
applications is especially prevalent. A list of aspects
currently being investigated and details concerning
research related to Engineering applications follows.
1. Automatic design systems
2. Programming systems and routines
3. Microfilm updating techniques
4. Improvement of accuracy by hardware advancements
5. Development of character readers
6. Console instrumentation
7. Logical arrangement of the console
8. The quality, flicker rate, modification time,
drawing ability, and pointing ability of CRT
units.
9. Production of hidden lines in perspective
drawings
10. Development of half tones in CRT images
11. Development of color CRT images
12. Introduction of motion
13. Coupling and translation of data from one form
to another form
14. Getting the structure of an image into the
computer
15. Logical arrangement of drawings
16. Adequate abstraction in graphics (models are
needed)
17. Engineering applications
(a) Sandia Corporation and the Thomas Bede
Foundation have jointly developed an Automated Circuit Card Etching Layout Program

Mathematical Techniques To Improve
(ACCEL). ACCEL was developed to design
printed circuit boards and to produce drawings
for their construction. The drawings are produced on an SC 4020 CRT plotter. 1 Sandia is
currently trying to design and build a mosaic
camera to improve the accuracy of the SC
4020. 2
(b) Bell Telephone Laboratory is using an
SC 4020 and an IBM 7094 digital computer to
produce animated films. The coordinates of
points are recognized by the computer and used
to position the electron beam of a CRT. A
picture is traced on the face of the tube. A
16-mm camera, also under the control of the
computer, photographs the surface of the tube
while the picture is being traced. The coordinates
determined by the computer are automatically
connected to produce the desired film. Applications are in the areas of satellite stability and
orbit presentation, physical motion of objects,
and display of the development of three-dimensional objects. 3
(c) Rand Corporation has developed the RAND
Tablet, which has been operational at Rand
since September 1963 and has recently been
installed for research purposes at several
institutions. An electric pencil is used to write
on a ten-inch by ten-inch conductive sectored
tablet. The tablet is connected to a computer
and to an oscilloscope display which provide
a composite of the current pen position and
meaningful track history. The Rand Corporation
is currently developing a method by which
characters can be recognized as they are drawn
on the tablet, as well as on the oscilloscope
display unit. 4
(d) Stromberg-Carlson Corporation is continuing to develop its microfilm printer-plotters
for additional engineering applications. More
than forty operational systems are translating
computer-generated data into drawings, annotated graphs, etc. The system converts binary-coded input signals into images on the face of a
shaped-beam tube. 5
(e) MIT's Lincoln Laboratory has developed
SKETCHPAD. SKETCHPAD deals primarily
with geometry. Sketches are drawn on a CRT
with a light-sensitive pen or an electronic stylus.
Freehand irregularities are automatically transformed into neat lines. SKETCHPAD can be
employed to animate a drawing or to rotate parts
of a drawing at high speeds or in slow motion
so that linkages may be studied in action. Electric-circuit diagrams can be animated to show


current flow. Other operations are available.
SKETCHPAD has three-dimensional display
characteristics. Front, plane, and side views as
well as a rotatable perspective view of an object
can be presented. 6 Roberts of MIT generates
views of solid three-dimensional objects with
all hidden lines removed. 7
(f) General Motors and IBM have cooperated
in the development of the Design Augmented
by Computer System (DAC-1). An electrical
probe contacts a resistive X-Y coding on the
front of a Scan CRT, which has been developed
by IBM. The X-Y voltage pulses are transformed by the computer into the coordinates
of the spot under the probe. After the computer
determines the coordinates, an X appears on
the screen under the probe. The operator may
write or draw on the CRT. Three CRT's are
involved: a Scan CRT for automatically converting drawings into digital coordinate information, the console ten-inch CRT with the
resistive probe input for drawing, and a CRT
from which the display is photographed and
recorded on microfilm.
The Scan CRT for digitizing drawing information has a dynamic threshold adjustment which
is set by the computer as each line is being
scanned and digitized. The output of the DAC-1
CRT at General Motors is ten inches in diameter
and has a resolution of 1:2000 obtained by a
daily calibration, correction and adjustment procedure. The DAC-1 output CRT has a fourteen-bit drive. After calibration and correction, the
accuracy is eleven bits. DAC-1 personnel have
developed a drawing control system. General
Motors uses the system in designing various
parts of automobiles.
(g) The Computer-Aided Mechanical Engineering Design System (COMMEND) is a problem-oriented system and works equally well in the
design of a card punch, a printer, a document
transport, or similar machines. The primary
objective of COMMEND is to assist design
engineers with high speed computations and to
provide large memory capacities by means of
a computer. The program determines a mathematical model of the requirement and performs tolerance, dynamic, and wear analyses.
The computer determines a sensitivity coefficient for each dimension and tolerance so
that critical situations are recognized by the
engineer. The system reduces human error in
design calculations and data handling. All

analyses are documented and stored for retrieval
purposes.8
(h) Douglas Aircraft has a graphic research program to assist in design, documentation, manufacture, and test of electronic hardware. A major
research goal is to solve wiring interconnection
problems. A three-level wiring program has
been developed. The first level performs chassis
wiring from point to point and specifies size and
length of wire, number of wire wraps that can
be mounted on a given terminal, and associated
documentation. The second level petforms harness wiring (branched wiring assembly), and the
third level designs cables. In the cable program,
the computer first tries to satisfy current requirements by using a previously designed cable
or its closest matching subset. Douglas uses
an SC 4020 to show wire build-ups on wirewrapped pins. Personnel monitor this operation.
Plans for expansion involve generalization of
programs and program modules to allow for more
efficient programming (less reprogramming for
new requirements) and to facilitate more
efficient program organization (master control
program module sequence, per run).9
(i) The Norden Division of United Aircraft
Corporation has developed a computer-aided
program to design integrated circuits. Much of
their effort has been directed toward improved
methods for synthesis, analysis, layout, and
packaging of electronic circuits. Circuit design
and connectivity are inputs to a computer, which
performs a pattern and diffusion analysis of
the data. The size and shape of the mask for
each part as well as routing and wiring information is determined. This user-oriented system describes the circuit node by node. Engineers determine values and tolerances. The
Norden program utilizes a designer's initial
thoughts about parts layout but completes the
layout automatically. The system currently
uses a computer-controlled plotter for graphical
display and for automatic preparation of mask
artwork. Plans for future developments include
on-line operation with graphical display and
manipulation of circuit layout patterns on a
CRT display with a light pen. 10
(j) MIT personnel have established projects
MAC (Multiple Access Computer) and AED
(Automated Engineering Design), and offer
their automated design tapes to the general
public. MIT is currently developing AED
Graphics. This graphic system uses an Algorithmic Theory of Language which requires

no distinction between verbal language communicated through a typewriter keyboard and
graphical language communicated by means
of push-buttons and a light pen. This graphic
system is called Computer-Aided Design Experimental Translator (CADET). CADET
permits the user to apply verbal or graphical
languages of his choosing. 11 Project personnel
extend an invitation to industries: Send a representative to Boston to study the automated
design project and participate in its design and
development. The cost to a company is the salary
and travel expense of its representative. In return, the company acquires the latest design
automation information available at MIT.
Computer-controlled drafting machines can be
obtained from Gerber Scientific Instruments Company, CalComp, Universal Drafting Machine Company, Benson-Lehner, EAI, IBM, G. Coradi Ltd.,
Dennert and Pape (Aristo-Werke), Sheffield (Ekstrom-Carlson), Visual Inspection Products, and
others. The machines can be used for large-scale
drawings. The time required to produce a drawing by
means of a computer-controlled drafting machine
normally ranges from thirty minutes to ninety minutes.
Visual display systems can be obtained from Stromberg-Carlson, Straza Industries, Benson-Lehner,
Data Display, IBM, ITT, GE, RCA, Bunker-Ramo,
Philco-Ford, Sanders Associates, Raytheon, and
others.
It has been established that displays and graphic
input-output devices, virtually undeveloped as recently as 1963, will constitute approximately eleven
percent of the information processing equipment cost
for a typical manufacturing company by 1973. 12

Computer graphics usually involve a CRT, a light
pen for drawing and manipulation of the image, an
associated console, and switches for control of
frequently-used subroutines and macro instructions.
This peripheral equipment is linked to a computer.
Communication through graphics is inherently structural; it is reasonable that a truly fundamental effort
toward implementation of man-computer conversation
is the most important step taken in computer technology.13
Graphic systems are particularly suited to design
tasks because of their capability to shorten cycle
time and facilitate change. Graphic data processing
can rapidly provide accurate designs. Graphic systems
can translate graphic and alphanumeric information
and can process words, tables, and equations as well
as graphs, drawings, and charts. Until recently, these

tasks appeared to be beyond the capabilities of a
computer. Computer graphics will continue to expand.
Handling of information graphically in computer systems will be as normal in a few years as handling of
characters is today. 14

Experimental procedure
Background
The major problems encountered during attempts
to improve the accuracy of the SC 4020 visual display system were:
1. Development of a procedure to accurately
measure errors.
2. Identification of a stable film base that did not
change dimensions as variations occurred in the
environment.
3. Determination and isolation of causes of deflections.
4. Determination of mathematical functions to
correct the CRT display.
5. Dynamic focus.
6. Tangential errors.
7. Interaction errors.
The major causes of problems encountered during
attempts to improve the accuracy of a visual display
system were:
1. Astigmatism.
2. Pincushion correction.
3. Effect of the earth's magnetic field.
4. Exponential stretch of the film.
5. Quanta noise (error due to the size of the raster).
Preliminary investigations
Preliminary investigations led to the supposition
that if errors in the SC 4020 system could be measured
accurately, then mathematical techniques could be
developed to predict the locations of errors on the
CRT screen. Predictable errors could be corrected.
Discovery that a microfilm image could be enlarged
to exact dimensions led to recognition that designing,
programming, and microfilming a standard matrix
test pattern should be possible. The resulting image
could be enlarged and the test pattern could be
measured.
Development of a standard calibration pattern
A standard matrix test pattern covering the CRT
screen was designed; it proved to be the most
valuable technique for checking errors in
orthogonality (skewness) and for checking the film
transport mechanism.
Collection of data
The appendix contains pictures of the equipment
used in this research. Data for the study was collected
by the following procedure:
1. The magnetic tape labeled "4020 Calibration
Pattern" was processed at least twice daily on
the SC 4020 machine.
2. Test patterns were run immediately before and
after the regularly scheduled SC 4020 operations.
3. The test pattern was run both before and after
any adjustments were made to the SC 4020.
4. Thirty-five millimeter film was used.
5. A note indicating the date and time of the test
was attached to the exposed film. The film was
developed by a microfilm laboratory.
6. The microfilm image of the test pattern was
enlarged and the coordinates of each symbol
were measured by a Ferranti machine.

Mathematical analysis and programs
Producing an accurate image with a computer-controlled CRT was assumed in this study to be a
process model building endeavor initiated to solve
a process control problem. A process simulation
analysis was performed.
Many processes can be represented by displays
similar to the following diagram:
    Controlled          Uncontrolled
    Variables C         Variables U
         \                  /
          v                v
        +--------------------+
        |      Process       |
        +--------------------+
                  |
                  v
          State Variables S
Process parameters which can be adjusted are classified as controlled variables. Process parameters
which cannot be adjusted are regarded as uncontrolled
variables. Variables which are the result of process
action on the controlled and uncontrolled variables
are referred to as state variables.
The controlled variables in the model developed for
this research were the coordinates of points to be
accurately positioned by the SC 4020 display system. The coordinates could be changed before they
were entered in the digital to analog converter of the
SC 4020. The uncontrolled variables were the parameters associated with the hardware of the system.
At any given time, the uncontrolled variables which
affected CRT performance could be measured.
The dynamic state of a process control model with n
state variables can be characterized by a system
of n differential equations. One equation is required
for each state variable. This implies that n equations
of the following form can be used.
$$\frac{dS_i}{dt} = f_i(s_1, \ldots, s_n, c_1, \ldots, c_m, u_1, \ldots, u_p)$$

for $i = 1, n$, where $m$ = the number of controlled variables and $p$ = the number of uncontrolled variables.


The following notation can be used. Define S,
C, and U as follows:

$S = \{s_1, s_2, \ldots, s_n\}$
$C = \{c_1, c_2, \ldots, c_m\}$
$U = \{u_1, u_2, \ldots, u_p\}$

Then $\dot S = F(S, C, U)$, where the dot above S indicates
differentiation with respect to time.
Changes in either controlled or uncontrolled variables can produce changes in state variables. Corrective action may be required. Such corrective
action is called system control. In practice, only
two control policies exist: feedback control and feedforward control. Perfect feedforward control requires
a perfect process model and precise measurement
of uncontrolled variables. Feedback control does not
provide corrective action until after an error in a
state variable has been observed. Since one aim of this
research was to correct errors in the CRT electron
beam before the beam was generated, a feedback control design could not be employed. A system was
developed for feedforward control.
In this research, the state variables S were measured
and compared to the theoretical or desired condition
$S_T$. The error $E$ defined by the expression $E = S_T - S$
was determined and routed to a statistical computer
program. The output of this program was applied to
the controlled variables C and significantly reduced
the magnitude of E.
System inaccuracy due to uncontrolled variables
was measured as described in the section of this
paper entitled "Collection of Data." The measurements of inaccuracy were used in statistical programs
to simulate positioning of the coordinates and predict
system performance. The output predictions governed
manipulation of the controlled variables C to produce
the desired state variables S.
In summary, the model was a feedforward control
system developed to prevent deviation of actual from
theoretical in positioning performance of the CRT.
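The feedforward loop summarized above can be sketched in modern terms. In this sketch the calibration data, the linear form of the correction model, and the function name are illustrative assumptions, not the authors' actual program:

```python
import numpy as np

# Hypothetical calibration data: commanded coordinates (controlled
# variables C) and the positions actually measured on film (state
# variables S).
commanded = np.array([[0.0, 0.0], [100.0, 0.0], [0.0, 100.0], [100.0, 100.0]])
measured = np.array([[0.5, -0.3], [100.8, 0.1], [0.2, 100.9], [101.1, 100.4]])

# Error E = S_T - S, where the theoretical state S_T is the commanded point.
error = commanded - measured

# Fit an assumed linear model that predicts the error at any commanded
# point; the fitted model is then used to pre-distort the input.
A = np.hstack([commanded, np.ones((len(commanded), 1))])
coef, *_ = np.linalg.lstsq(A, error, rcond=None)

def corrected(point):
    """Feedforward control: adjust C before the beam is generated."""
    p = np.append(point, 1.0)
    return point + p @ coef

# The corrected coordinates are what would be sent to the D/A converter.
print(corrected(np.array([50.0, 50.0])))
```

Because the correction is applied before output, no feedback from the observed state is needed at display time, which matches the feedforward policy chosen above.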
Computer process control models were derived
from a multiple regression analysis of error measurements. Such statistical models provided an explicit
description of the process and were modified when
deviations in positioning occurred.
The model parameters were adjusted periodically
as a result of comparisons of current model behavior
to actual process behavior. A multivariate prediction
computer program was used to make these comparisons.
Functional relationships between final and initial
conditions of the process were determined. A regression analysis was performed on the output data.

The analysis revealed independent variables which
most significantly reduced the errors. Errors in
the CRT display were revealed to be systematic in
nature. Recognition that such systematic errors must
be correlated throughout the calibration matrix led
to the supposition that the errors could be predicted
and subsequently corrected.

Multiple regression analysis
Flow charts, statistical methods, and computer
programs used in this research are discussed in this
section. Techniques of multiple regression are well
known; no attempt is made to present a complete
discussion of regression analysis. Some basic discussion of multiple regression is presented to clarify
differences between regression techniques used in
this research and conventional regression techniques.
Multiple regression analysis is used primarily to
obtain the equation which best fits a given set of data.
The equation is typically of the form:
$y = b_1 x_1 + b_2 x_2 + b_3 x_3 + \cdots + b_n x_n + a. \qquad (1)$

y is commonly referred to as the dependent variable,
the criterion variable, or the predicted variable.
$\{x_i : i = 1, n\}$ is the set of variables of prediction or
the set of independent variables. Classification of
these variables as independent does not imply that
the variables are uncorrelated. $\{b_i : i = 1, n\}$ is the
set of coefficients of the regression equation. $a$ is a
constant.
The solution of a particular equation may be interpreted as the value of the coefficients for a specific
data sample. The standard error of each coefficient
is calculated. These calculations provide a measure
of the reliability of the coefficients and are the bases
for inferences regarding the parameters of the population from which the data sample was obtained.
Multiple regression procedures were employed in
this project but were adapted to fit nonlinear equations of the form:
$y = b_1 z_1 + b_2 z_1^2 + b_3 z_1 z_2 + \cdots + b_n f_n(z_1, z_2, \ldots, z_n) + a. \qquad (2)$

Equation (2) can be obtained from equation (1) by a
process of transgeneration where

$x_1 = z_1$
$x_2 = z_1^2$
$x_3 = z_1 z_2$
$\vdots$
A conventional stepwise multiple regression analysis
computer program was modified for use in this research project. The original program was designed by


M. A. Efroymson.15 Multiple linear regression equations were derived by the computer in a stepwise
manner as follows:
$Y_1 = a + b_1 x_1$
$Y_2 = a' + b'_1 x_1 + b_2 x_2$
$Y_3 = a'' + b''_1 x_1 + b'_2 x_2 + b_3 x_3$
If the addition of $x_j$ contributed significantly to error
reduction, this variable was added to the regression
equation. New coefficients were calculated whenever a variable was added. In general, each succeeding equation contained a new variable. The variable
which achieved the greatest improvement in the fit
of the equation to the data sample was selected. This
variable produced the best estimate of the criterion
variable as evidenced by the sum of the squares of
the errors. It possessed the highest partial correlation
to the dependent variable partialed on the variables
which had previously entered the regression equation.
It was also the variable which had the highest F value
when added to the equation.
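The selection rule described above (add the candidate with the largest F value on entry, against a fixed threshold) can be sketched as follows. The threshold 2.5 matches the $F_1$ value used in this project; the data and function name are illustrative:

```python
import numpy as np

def stepwise_forward(X, y, f_enter=2.5):
    """Forward stepwise selection sketch: at each step add the candidate
    variable with the largest F-to-enter; stop when none exceeds f_enter."""
    n, m = X.shape

    def rss(cols):
        # Residual sum of squares for a regression on the listed columns
        # (plus a constant term).
        A = np.column_stack([X[:, cols], np.ones(n)]) if cols else np.ones((n, 1))
        coef, *_ = np.linalg.lstsq(A, y, rcond=None)
        r = y - A @ coef
        return r @ r

    selected = []
    while True:
        rss_old = rss(selected)
        best_j, best_f = None, f_enter
        for j in range(m):
            if j in selected:
                continue
            rss_new = rss(selected + [j])
            df = n - len(selected) - 2          # residual d.f. with j added
            f = (rss_old - rss_new) / (rss_new / df)
            if f > best_f:
                best_j, best_f = j, f
        if best_j is None:
            return selected
        selected.append(best_j)

rng = np.random.default_rng(0)
X = rng.normal(size=(100, 5))
y = 3.0 * X[:, 0] - 2.0 * X[:, 2] + rng.normal(scale=0.1, size=100)
print(stepwise_forward(X, y))  # columns 0 and 2 enter first
```

This sketch omits the removal test against $F_2$ that the original program also performed; a full implementation would re-test every included variable after each entry.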
The output of the computer program showed:
1. Sum of each variable
2. Sum of squares and cross products
3. Residual sums of squares and cross products
4. Means and standard deviations
5. Intercorrelation matrix
At each step, the output showed:
1. Multiple R
2. Standard error of the estimate
3. Constant term
4. For each variable in the regression
(a) Regression coefficient
(b) Standard error of the coefficient
(c) F to remove
5. For each variable not in the regression
(a) Partial correlation coefficient
(b) Tolerance
(c) F to enter
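Two of the per-step statistics listed above, the multiple R and the standard error of the estimate, can be computed as follows. The data are synthetic and the variable names are assumptions:

```python
import numpy as np

rng = np.random.default_rng(2)
X = rng.normal(size=(40, 2))
y = 1.5 * X[:, 0] - 0.7 * X[:, 1] + rng.normal(scale=0.3, size=40)

A = np.column_stack([X, np.ones(40)])
coef, *_ = np.linalg.lstsq(A, y, rcond=None)
resid = y - A @ coef

# Multiple R: correlation between y and its regression estimate.
R = np.corrcoef(y, A @ coef)[0, 1]

# Standard error of the estimate, with q = 2 variables in the regression.
n, q = 40, 2
se_est = np.sqrt(resid @ resid / (n - q - 1))
print(R, se_est)
```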
In the stepwise procedure, the variables were
divided into disjoint sets:
$X_1 = \{x_{11}, \ldots, x_{1q}\}$
$X_2 = \{x_{21}, \ldots, x_{2r}\}$
where $X_1$ was the set of independent variables in the
regression equation and $X_2$ was the set of independent variables not in the regression equation and all
dependent variables. If a variable was no longer significant, that variable was removed before another
variable was added. Only significant variables appeared in the final regression equation.
The symbols used in the subsequent discussion
should be interpreted as follows:

$N$ = the number of cases of data or the number
of observations
$m$ = the number of variables (input and transgenerated variables and the dependent variable)
$x_{ip}$ = the $p$th value of the $i$th variable
$x_{mp} = y_p$ = the $p$th value of the dependent variable
$\bar x_i$ = the mean of the $i$th variable
$S_{ij}$ = the residual sum of squares and cross products of the $i$th and $j$th variables, i.e., $S_{ij} = \sum_{p=1}^{N} (x_{ip} - \bar x_i)(x_{jp} - \bar x_j)$
$\sigma_{ii} = \sqrt{S_{ii}}$ (This is not the standard deviation.)
$r_{ij}$ = the correlation coefficient between the $i$th
and $j$th variables. The ordered array of the
$m^2$ coefficients forms the simple correlation
matrix $r$.
$c_{ij}$ = the element in the $i$th row and $j$th column of
the inverse matrix of the matrix $r$
$N_{min}, N_{max}$ = selected independent variables
$V_{min}$ = the increase in variance obtained by deletion
of the variable $N_{min}$ from the regression
equation
$V_{max}$ = the decrease in variance obtained by addition
of the variable $N_{max}$ to the regression equation
$b_i$ = the estimated value of the coefficient of the
$i$th variable
$s_y$ = the standard deviation of the dependent
variable
$s_{b_i}$ = the standard error of the coefficient of the
$i$th variable
$\hat y_p$ = the predicted value of the dependent variable
for the $p$th observation
$D_p$ = the discrepancy between actual and predicted
values of the dependent variable on the $p$th
observation, i.e., $D_p = y_p - \hat y_p$
$F_1$ = the $F$ value established as the criterion for
entrance of a variable in the regression equation (for this project, $F_1 \ge 2.5$)
$F_2$ = the $F$ value established as the criterion for
deletion of a variable from the regression
equation (for this project, $F_2 \ge 2.5$)

$E_p = y_p - \bar y - \sum_{i=1}^{m-1} b_i (x_{ip} - \bar x_i)$ for $p = 1, N$

To determine the $b_i$, $i = 1, m-1$, which minimize
$\sum_p E_p^2$, $\sum_p E_p^2$ is differentiated partially with respect to each
$b_i$. Normal equations are then obtained by equating
each partial derivative to zero. The normal equations
can be written in the following concise form:

$\sum_{j=1}^{m-1} b_j S_{ij} = \sum_{p=1}^{N} (x_{ip} - \bar x_i)(y_p - \bar y)$ for $i = 1, m-1$
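The normal equations can be formed and solved directly from centered data. A minimal sketch with synthetic values (the coefficients chosen here are illustrative):

```python
import numpy as np

rng = np.random.default_rng(1)
X = rng.normal(size=(30, 3))        # independent variables x_1 .. x_{m-1}
y = X @ np.array([1.0, -2.0, 0.5]) + 4.0

# Deviation (residual) sums of squares and cross products S_ij, and the
# right-hand sides sum_p (x_ip - xbar_i)(y_p - ybar).
Xc = X - X.mean(axis=0)
yc = y - y.mean()
S = Xc.T @ Xc
h = Xc.T @ yc

# Solving the normal equations gives the regression coefficients b_i;
# the constant term follows as a = ybar - sum_i b_i xbar_i.
b = np.linalg.solve(S, h)
a = y.mean() - X.mean(axis=0) @ b
print(b, a)  # approximately [1.0, -2.0, 0.5] and 4.0
```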

The set of m-1 simultaneous linear equations in
$b_i$ can be solved by several methods. In this research,
linear transformations were applied to the partitioned
matrix illustrated as follows:

$$M = \begin{pmatrix} S & H' & I \\ H & K & D \\ -I & B & C \end{pmatrix}$$

B was a one-column matrix. D was a one-row matrix.
K was a constant illustrated as follows:
$K = \sum_p (y_p - \bar y)^2 = \sum_p (x_{mp} - \bar x_m)^2$, where $x_{mp} = y_p$.
I was the identity matrix. H was a one-row matrix
illustrated as follows:
$(H)_{1j} = h_{1j} = \sum_{p=1}^{N} (x_{jp} - \bar x_j)(y_p - \bar y)$ for $j = 1, m-1$.
$h'_{j1} = h_{1j}$ defined the elements of the matrix H'.
The element $S_{ij}$ of S was the deviation sum of squares
and cross products as defined previously.
Regression coefficients were entered into the B
matrix. The D matrix was obtained by first transposing the B matrix and then multiplying the new
matrix by -1; that is, $d_{1i} = -b_{i1}$.
The juxtaposition of the submatrices S, H, H',
and K formed an m by m matrix and could be partitioned in any manner. This m by m matrix was normalized and became an intercorrelation matrix.
As the calculation proceeded, the S matrix was
inverted. The D matrix replaced the H matrix,
the B matrix replaced the H' matrix, and the C
matrix replaced the S matrix. The C matrix contained the inverse of the portion of the S matrix
which corresponded to the variables in regression
at that time.
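The in-place replacement scheme just described rests on a Gauss-Jordan pivot (sweep) step applied one diagonal element at a time. A minimal sketch of that pivot, illustrative code rather than the original program:

```python
import numpy as np

def pivot(a, k):
    """One pivot (sweep) on diagonal element k; repeated over every k,
    it replaces a symmetric matrix by its inverse."""
    a = np.asarray(a, dtype=float).copy()
    akk = a[k, k]
    n = a.shape[0]
    # Off-pivot elements: a_ij <- (a_kk a_ij - a_ik a_kj) / a_kk
    for i in range(n):
        for j in range(n):
            if i != k and j != k:
                a[i, j] = (akk * a[i, j] - a[i, k] * a[k, j]) / akk
    # Pivot column and row: a_ik <- -a_ik / a_kk, a_kj <- a_kj / a_kk
    for i in range(n):
        if i != k:
            a[i, k] = -a[i, k] / akk
            a[k, i] = a[k, i] / akk
    # Pivot element: a_kk <- 1 / a_kk
    a[k, k] = 1.0 / akk
    return a

# Sweeping every diagonal element inverts a symmetric matrix:
A = np.array([[2.0, 1.0], [1.0, 2.0]])
print(pivot(pivot(A, 0), 1))  # equals np.linalg.inv(A)
```

Sweeping a variable in or out corresponds exactly to adding it to or removing it from the regression, which is why the stepwise procedure can move both ways cheaply.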
Correlation coefficients needed at various steps
in the computation were extracted from the M matrix.
As the addition of variables proceeds, the elements
of S become partial correlation coefficients, with
all included variables held constant.
The computer initiated the regression procedure
by examining the intercorrelation matrix and selecting the independent variable which had the highest
correlation with the dependent variable. An F test was
made to determine whether the contribution of the
selected variable to the prediction of the dependent
variable would be significant. The determination was
made by examining the reduction in the standard error
of the dependent variable. If the reduction would be
significant, i.e., above an established F level, then the
program retained this variable. The major steps performed by the computer are described in detail within
the discussion of system flow charts. Essentially,* the
computer program proceeded as follows:
1. The transformations were generated.
2. The sum of each variable was accumulated.
3. The raw sums of squares and cross products
were calculated.
4. Deviation sums of squares and cross products
were calculated. Each element of the intercorrelation matrix was calculated.
5. Means and standard deviations were determined.
6. The simple correlation coefficients were calculated by evaluating the following equation:

$r_{ij} = S_{ij}/(\sigma_{ii}\,\sigma_{jj})$

As an alternate procedure, a raw score formula
could have been used.
7. The estimated population value of the standard
deviation of y was obtained as follows:

$s_y = \sigma_{mm}/\sqrt{N-1}$

8. The estimated population value of the standard
error of the estimate for y was determined as
follows:

$\sigma_{est.y} = s_y \sqrt{1-R^2}\,\sqrt{(N-1)/(N-q-1)}$

where q was the number of variables in the regression equation at the time of the calculation.
9. The coefficient $b_i$ was determined by evaluating
the following expression:

$b_i = (\sigma_{mm}/\sigma_{ii}) \sum_j c_{ij} r_{jm}$

10. The standard error of $b_i$ was determined by
evaluating the equation:

$s_{b_i} = \sigma_{est.y}\sqrt{c_{ii}}/\sigma_{ii}$
* Although the output conformed to the following steps, the program
did not follow precisely all formulas shown.

The flow chart follows. At certain branch points
in the chart a finite number of alternative statements
are specified as possible successors. One of these
successors is chosen according to criteria determined
in the statement preceding the branch point. These
criteria are usually stated as a comparison of a specified relation between a specified pair of quantities.
A branch is denoted by a set of arrows leading to each
of the alternative successors, with each arrow labeled
by the comparison condition under which the corresponding successor is chosen. The quantities compared are separated by a colon in the statement at the
branch point. A labeled branch is followed if and only
if the relation indicated by the label holds when
substituted for the colon.
Block A, Block B, and Block C: The content is
self-explanatory.
Block D: The simple intercorrelation matrix was
obtained by normalization of the residual sums of
squares and cross products.
Block E: Procedures to select the variable to be
added to the regression equation were initiated.
Block F: The size of the tolerance for variable $i$
was checked; this check reduced the probability
that an independent variable which was a linear
combination of a variable more highly correlated
with the criterion variable would enter the regression
equation. A value of .001 was assigned to Tol.

[Flow chart: Blocks A through V of the stepwise regression procedure, with significance tests F1 and F2 at the branch points. The recoverable annotations follow.]

Input Data
K = number of sets of data, or number of observations
m = number of variables
xip = pth observation of the ith variable, for i = 1, m - 1; p = 1, K
xmp = pth observation of the dependent variable, for p = 1, K
F1, F2 = F values for tests of significance

Transformations Performed
Sums of variables = sum of xip over p = 1, K, for i = 1, m
Sums of squares and cross products = sum of xip xjp over p = 1, K, for i = 1, m; j = i, m
σi = √Sii, for i = 1, m
Mean = x̄i = (1/K) sum of xip over p = 1, K, for i = 1, m
Simple correlations = Sij/(σi σj), for i = 1, m - 1; j = i + 1, m
Residual sums of squares and cross products
qj = 0 (j = 1, ..., m - 1)
Intercept: b0 = x̄m - sum of bi x̄i over i = 1, m - 1
Deletion test (Block Q): |Vmin| φ / rmm : F2

Spring Joint Computer Conf., 1967

[Flow chart, continued: Blocks F through V. The recoverable annotations follow.]

Entry test (Block S): Vmax (φ - 1)/(rmm - Vmax) : F1
New matrix (Block U):
1. aij (new) = (akk aij - aik akj)/akk, for i ≠ k, j ≠ k
2. aik (new) = -aik/akk, for i ≠ k, j = k
3. akj (new) = akj/akk, for j ≠ k, i = k
4. akk (new) = 1/akk
Predicted values (Block V): Yp (pred.) = b0 + sum of bi xip over i = 1, m - 1; Δp = Yp - Yp (pred.)

Block G: The quantity Vi was calculated.
Block H: The sign of Vi was determined. Vi positive implied that Xi was not in the regression; Vi
negative implied that Xi was in the regression at the
time of the test.
Block I and Block J: The variable Xi which would
cause the greatest reduction in the variance was
selected.
Block K: The standard error and the regression
coefficient were calculated for each variable currently in regression.

Block L and Block M: The Xi which contributed
the least toward reduction of variance was identified.
Block N, Block 0, and Block P: The content is
self-explanatory.
Block Q: The variance contribution of each variable was measured; insignificant variables were
deleted from the regression.
Block R: The content is self-explanatory.
Block S: A test determined whether the variance
reduction obtained by adding Xi to the regression
would be significant.
Block T: If Xi would contribute significantly, the
variable was entered into the regression equation.
The number of degrees of freedom was reduced by
one.
Block U: A new matrix was calculated and replaced the original matrix in the computation. The elements were carried over unchanged except for those in the row and column corresponding to the subscript of the variable added to the regression. The new matrix was computed by the following procedure:
1. aij = rij when both xi and xj were not in regression.
2. aij = bij when xj was not in regression and xi was in regression.
3. aij = dij when xi was not in regression and xj was in regression.
4. aij = cij when both xi and xj were in regression.
The C matrix was the inverse of the r matrix for all i's and j's in regression.
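The Block U update is the classical symmetric pivot (sweep) step of stepwise regression. A minimal sketch in modern notation, assuming the standard update rules for pivoting on diagonal element k (the function and its name are illustrative, not the original program):

```python
def sweep(a, k):
    """Pivot (sweep) a square matrix on diagonal element k, as in Block U."""
    n = len(a)
    akk = a[k][k]
    new = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if i != k and j != k:
                # aij(new) = (akk*aij - aik*akj) / akk
                new[i][j] = (akk * a[i][j] - a[i][k] * a[k][j]) / akk
            elif i != k and j == k:
                # aik(new) = -aik/akk
                new[i][j] = -a[i][k] / akk
            elif i == k and j != k:
                # akj(new) = akj/akk
                new[i][j] = a[k][j] / akk
            else:
                # akk(new) = 1/akk
                new[i][j] = 1.0 / akk
    return new
```

Sweeping every diagonal element in turn yields the matrix inverse, consistent with the statement that the C matrix is the inverse of the r matrix for the variables in regression.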
Block V: The predicted values of the dependent
variable were calculated. The computer determined
the actual value of the dependent variable, the predicted value of the dependent variable, and the
difference between the two values.
Cross validation

The results of the multiple regression program show
how the regression equations performed for the data
sample from which they were derived. The way such
equations perform for an independent sample is more
important. Major concerns of this research included
not only how well regression equations predicted
for the particular sample from which they were
derived, but also how well and for how long the
equations provided reliable predictions related to
new sets of data.
The correlation between actual and predicted errors
serves as an index of the accuracy of the prediction
determined by the equation derived from the same
data sample. This correlation cannot be used to assess
the accuracy with which this same equation can be
applied to a different data sample. To assess the
accuracy with which a regression equation derived

from one set of error measurements can be applied
to another set of error measurements not satisfying
the conditions of the regression model, it was necessary to use an index based on actual errors of
estimates (i.e., y - ŷ).16
Cross validation procedures for this research were
contained in a multivariate prediction computer program. The final regression equation was applied to a
new sample of error measurements. Values of the
dependent variable were predicted by the computer.
The accuracy of these predictions was evaluated by
computing the product moment correlation coefficient (Pearson r) between the predicted and actual
values.
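The cross-validation index described here is the ordinary product moment correlation. A small illustrative sketch of the computation (not the original multivariate prediction program):

```python
import math

def pearson_r(xs, ys):
    """Product moment correlation (Pearson r) between two equal-length samples,
    e.g. predicted and actual values of the dependent variable."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)
```

Applying the final regression equation to a fresh sample and computing pearson_r(predicted, actual) gives the cross-validation coefficient reported below.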
The regression equations used in the multivariate
prediction program were derived from data collected
daily throughout one week. These equations were
applied to predict the errors of a new data sample.

The results of analysis
This research project provided the bases for responses to questions proposed earlier in this paper.
Several questions which arose during the research
project were successfully answered.
The aim of this research was to demonstrate that
mathematical techniques can be applied to increase
the accuracy of an electronic device despite hardware limitations. This goal was achieved. Such techniques were applied to the SC 4020. Accumulated
results show that the SC 4020 can be used to produce
accurate engineering artwork, i.e., that an inaccurate
computer peripheral device can provide accurate
data output. This affirmation implies that a Cathode
Ray Tube (CRT) connected to a computer can
function as an accurate high speed artwork generator.
Results of this research indicate that artwork generation by a visual display system is possible. Location
accuracy of ± .004" for 8" x 8" artwork and ± .0025"
for 5" x 5" artwork can be obtained.
Equations were derived to predict the locations and
magnitudes of errors in the output of the SC 4020
system. Errors transmitted by the CRT were predicted. A computer supplied modified, seemingly
inaccurate data to a peripheral device. Accurate
data output resulted. Errors of linearity were predictable in both X and Y directions. Exponential
terms in the prediction equation compensated for
film stretch due to irregular transport.
Initially, the data obtained from the morning test
was used to predict afternoon performance of the
tube. A cross-validation computer program was used
on the data from the afternoon test. After the proper
generating functions had been derived, the correlation


coefficient on the cross-validation program was as
high as .973. Calibration equations derived from
data obtained during a week of testing were used to
predict tube performance eight days later. The correlation coefficient obtained was .968; the equations
which were originally obtained for corrections were
valid eight days later. Tube maintenance was performed during this period. Thus, the tube appeared
stable during the elapsed time period. Recalibrations
of the tube less frequently than once a week would
perhaps suffice.
The range of errors before correction was typically
.025 inches to -.080 inches. The range of errors
after correction was ± .004 inches. The maximum
error before correction was .087 inches. The maximum error after simulation correction was .004
inches. The average degree of error before correction was .0150 inches. The average degree of
error after simulation correction was .0015 inches.
The correction equations derived by the computer
program were applied to data obtained from the
Ferranti operation. All symbol coordinates were
recalculated and compared to theoretical coordinates.
Computer programs determined where the symbols
would have been located by the SC 4020 if correction
equations had been applied to original coordinate
information. The error measured by the Ferranti
machine, the calibration correction for each position,
and the difference between corrected and theoretical
coordinates were determined by the computer. An
example of the error distribution before and after
correction is displayed on the accompanying graph.
The simulation correction procedures were used
primarily to derive the equations necessary for
correction of actual data. The calibration equations were employed to generate accurate circuit
card artwork. The SC 4020 software was modified
to include compensated deflection voltages. The
deflection voltages were corrected by adding the
calibrated errors to the corresponding given coordinate pair.
That is,

(X, Y) deflection = (X, Y) given + E
or, (X, Y) calibrated = (X, Y) original + E
or, the plotted (X, Y) = the theoretical (X, Y)
or, the adjusted coordinate positions = the result of application of the derived equations to original coordinates.
The calibration equations were applied to given coordinate points: a predetermined correction was added to the deflection voltages for each point to be located by the SC 4020. The given coordinates were converted to calibrated deflection voltages. The result was accurate computer graphic output.
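The correction scheme amounts to adding a precomputed calibration error to each coordinate pair before conversion to deflection voltages. A schematic sketch, in which calibration_error stands in for the paper's derived equations (the stand-in function below is hypothetical; the real equations included exponential terms for film stretch):

```python
def correct(point, calibration_error):
    """Add the calibrated error for a point to its given coordinates,
    so that the plotted (X, Y) lands on the theoretical (X, Y)."""
    x, y = point
    ex, ey = calibration_error(x, y)
    return (x + ex, y + ey)

def toy_error(x, y):
    # Illustrative stand-in only; not the derived SC 4020 calibration equations.
    return (0.001 * x, -0.002 * y)
```

Every symbol coordinate sent to the tube would be passed through correct() before being converted to a deflection voltage.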
SC 4020 production of engineering drawings would
be approximately 500 times faster than existing computer-controlled drafting machines. More important
than speed, however, is the possible on-line production of circuit cards by application of the techniques
developed by this research.
Honeywell is considering an advanced design automation program for on-line circuit card design/production in which a visual display system functions
as a production tool. In this program the circuit card
(without components) could be generated directly
during the manufacturing process. Such a system
would provide unlimited flexibility in producing
circuit cards. One or several of each kind of card
could be easily, quickly, and economically produced.
The design engineer could retrieve a design from
storage or could enter the coordinates of the card elements and parameters such as connections, into the
computer, and the exposed circuitry would be automatically produced on a card. The research completed
to date indicates that such on-line operation is possible. Each design produced would be stored for online retrieval. When the program outlined here is
fully implemented, no draftsman will be required for
circuit card design/artwork!

Figure 1 - Sample of error distribution before and after corrections [graph of P(|E| ≥ X) versus X in thousandths, for uncorrected and corrected data]

INTERPRETATIONS AND CONCLUSIONS
Research efforts portending significant improvements
or alterations to existing conditions or acceptance of
new techniques frequently introduce new questions
which are as significant as answers provided for
original queries. From this research evolve questions
such as "In what other areas and by what procedures
can the techniques of this research be applied to solve
similar problems?"
The production of engineering artwork is only one
example of how the results of this research can be
applied to advance the electronic and computer
industries. The initial goal in this application is to
proceed directly from a computer to the artwork by
means of an accurate CRT image.
Concepts analyzed and utilized throughout this
study may contribute to process control or process
model building applications in the following areas:
1. Air traffic control (collision avoidance).
2. Low approach aircraft landings.
3. Microwave video transmissions.
4. Off-course aircraft computers.
5. Graphic data concentration and transmission
systems.

Figure 2 - Stromberg Carlson 4020 microfilm machine

Figure 3 - Charactron tube and camera


[Figure 4 - Charactron shaped beam tube. Labeled components: ELECTRON GUN - shoots unshaped electron beam; SELECTION PLATES - direct unshaped electron beam to illuminate a pre-selected aperture in the matrix; MATRIX - shapes electron beam into a character by extrusion process; REFERENCE PLATES - align shaped beam on axis of tube; FOCUS COIL - focuses shaped beam character on screen; DEFLECTION YOKE - bends beam to position shaped beam character on viewing screen; HELICAL ACCELERATOR - gives shaped beam character "speed" for increased brightness; METAL SHIELD; VIEWING SCREEN.]

[Figure 5 - Standard plotting format: standard plotting area (4" x 4" square) within the plotting circle of the Charactron shaped beam tube.]


[Figure 6 - Vector component direction: vector origin and standard plotting area (4" x 4" square) within the plotting circle of the Charactron shaped beam tube.]

Conjectures concerning how the techniques of this
research can be applied are difficult to formulate.
Clearly, an apparatus under consideration must be
computer controlled and some aspect of its performance must be measurable.
The results of this research demonstrate that the
accuracy of a visual display system can be improved
despite hardware limitations. Potential benefits of a
computer-controlled graphic device are comparable
to benefits derived from the introduction and application of automatic data processing. The value of
graphical information processing is difficult to assess; only with the passing of time will this value be
properly realized.

REFERENCES

1 C J FISH D D ISETT
Automated circuit card etching layout
Technical Memorandum Sandia Laboratory Albuquerque October 1965
2 Ibid 22
3 A MICHAEL NOLL
Computer generated three-dimensional movies
Computers and Automation 20 23 November 1965
4 M R DAVIS T O ELLIS
The RAND tablet: a man machine graphical communication device
Instruments and Control Systems XXXVIII 101 103 December 1965
5 N WADDINGTON
Some applications of graphic data output
Computers and Automation 24 27 November 1965
6 I E SUTHERLAND
SKETCHPAD: a man machine graphical communication system
AFIPS Conference Proceedings XXIII 329 346 Spring 1963
7 LAWRENCE G ROBERTS
Machine perception of three-dimensional solids
MIT Lincoln Laboratory Technical Report No 315 Boston
Massachusetts Massachusetts Institute of Technology 1963
8 L F KNAPPE
A computer-oriented mechanical design system
Paper read at the Share Design Automation Workshop
Atlantic City New Jersey 23 25 June 1965
9 D K FRAYNE
Three levels of the wiring interconnection problem
Paper read at the Share Design Automation Workshop
Atlantic City New Jersey 23 25 June 1965
10 A SPITALNY W MANN G HARTSTEIN
Computer aided design of integrated circuits
Paper read at the Share Design Automation Workshop
Atlantic City New Jersey 23 25 June 1965
11 D T ROSS
Current status of AED
Paper read at the Share Design Automation Workshop
Atlantic City New Jersey 23 25 June 1965
12 JOHN DIEBOLD
What's ahead in information technology
Harvard Business Review XLIII No 5 77
September October 1965
13 S A COONS
Computer Graphics and Innovative Engineering Design
Datamation XXII No 5 32 34 May 1966
14 CHRISTOPHER F SMITH
Graphic systems for computers
Computers and Automation 14 16 November 1965
15 M A EFROYMSON
Multiple regression analysis in
Mathematical methods for digital computers
A Ralston and H S Wilf eds pp 191 203 New York Wiley
1960
16 P BLOMMERS E F LINDQUIST
Elementary statistical methods
Houghton Mifflin Company Boston 460 1960

A new printing principle
by W. H. PUTERBAUGH
National Cash Register Co.
Dayton, Ohio

and
S. P. EMMONS
Texas Instruments, Inc.
Dallas, Texas

INTRODUCTION
Previous printing applications have been largely
confined to the processor printout, where high speed
and multiple copies were necessary. These printers
were largely mechanical impact devices operating
near the edge of the performance expected of high-speed mechanisms. The few non-impact printers developed for these applications have not found general
use because of unsuitable cost/performance ratios.
The recent development of time-shared systems
has created a need for printers in the performance
range of 20 to 50 characters per second for use in
inquiry and terminal equipment. A recent survey of
the peripheral market by Stanley Zimmerman showed
that in 1955 this totaled $20 million or 19 percent
of the computer market. In 1965, the peripheral
market had increased to $1.68 billion or 51 percent.
Mr. Zimmerman estimated that by 1975 peripheral
equipment will have a total value of almost $4.5
billion or 69 percent of the computer market.
Three aspects of this need are reviewed. The first
discusses the system trends towards electronic compatible printers as on-line multiple computer systems come into greater use. Problems associated with
printers, such as speed and power requirements
and reliability deficiencies, are discussed, showing
that a new printing principle is necessary to obtain
the cost/performance needs of the future. This
principle, that of thermal printing, is discussed together with a solid-state embodiment.
System trends

Definite trends in computer systems and especially
in data processing systems indicate that time sharing

of the central processor and its files is well under
way. These types of systems require terminals and/or
inquiry stations of many varieties to satisfy the need
of the customer who is time sharing the processor.
Figure 1 shows a time-shared system where many
remotely located terminal units are connected by
communication lines to a processor and its files.
These terminal devices must have several capabilities,
the minimum being a keyboard, a display and a printer.
As this trend continues the major cost of the system
will be in the terminal area. It is in this area, therefore, where cost and performance will be very important. Satisfactory costs, however, are difficult
to obtain.
One of the most critical functions in the terminal
area is that of the printer. The printing of alphanumeric data from electronic signals has always been
difficult from a cost/performance point of view and
even more disappointing from the standpoint of reliability. As system trends continue, the day of the
"'household computer" is not too far removed, where
on-line availability of a processor will be possible.
The printer associated with this device and other
terminals must possess at least an order of magnitude
increase in reliability over present mechanical
printers.
Monolithic silicon technology has contributed much
to improvements in logic and memory. The developments now occurring in the use of complex arrays
of monolithic silicon promise even greater reliability and cost reduction. It would be logical, therefore, to examine this technology for its suitability to
printing applications. It certainly is not obvious what
relationship exists between printing and integrated
circuit technology. In fact, at first thought, this appears to be the one function least compatible with the application of silicon technology.

[Figure 1 - Time shared system: remotely located terminal units connected by communication lines to a time-shared processor and its files.]
The printer
The process of producing alphanumeric characters
on paper from electronic logic signals must necessarily
involve the change of electrical energy to a form of
energy that will affect the paper in such a manner as
to produce legible print. In the past, this has largely
been done by controlling mechanisms whose power
and speed differed markedly from the logic signals.
Since these differences are the prime reason for the
high cost of present printers, an economical method
of transforming energy with better compatibility between the power and speed of the logic circuits and
the printer is suggested. The most efficient and easiest
energy transformation of electrical current is to that
of heat. Papers have been available for some time
which change from white to black when exposed to
heat. A printing concept, then, involves selectively
heating areas on some surface which is in contact
with a thermally sensitive paper. Such a printer could
be realized using the I²R losses within resistors assembled to form a matrix of 5X7 or 5X5 heating elements. Selection of resistors within the matrix would produce the desired alphanumeric symbol.
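The selection idea can be illustrated as a dot-matrix lookup: a character is simply a chosen subset of elements in the heating matrix, and printing it means energizing exactly that subset. The 5x7 "H" pattern below is our own illustration, not a glyph taken from the paper:

```python
# Each row is a 5-bit mask; a set bit marks a resistor to be heated.
H = [0b10001,
     0b10001,
     0b10001,
     0b11111,
     0b10001,
     0b10001,
     0b10001]

def elements_to_heat(glyph):
    """Return (row, col) indices of the matrix resistors selected for a glyph."""
    return [(r, c) for r, row in enumerate(glyph)
                   for c in range(5) if (row >> (4 - c)) & 1]

def render(glyph):
    """Show the heated subset as a character pattern, '#' = energized element."""
    pts = set(elements_to_heat(glyph))
    return "\n".join("".join("#" if (r, c) in pts else "."
                             for c in range(5)) for r in range(7))
```

Driving current through just the elements returned by elements_to_heat() would darken the corresponding spots on the thermally sensitive paper.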

Print head design

Normally, heat energy is not selected as the form
of energy to be used when speed of any consequence
is desired. Intuitively heat energy is thought to be
inherently slow, but this is because the majority of
everyday experiences involve sizable thermal masses.
Actually, the thermal time constant for a given
structure depends upon its thermal mass, which includes the physical mass of the heated material, and
the thermodynamic mechanisms acting to conduct
energy away from it. A three-dimensional heat flow
analysis is necessary to accurately predict the rise
and fall times of temperature. For the purposes here,
it is sufficient to generalize.
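For orientation only, a zeroth-order lumped model shows why a small heated mass can switch quickly: with heat capacity C leaking through a thermal resistance R to the substrate, the element temperature follows a first-order response with time constant tau = R*C. All numbers below are invented for illustration; they are not measurements from this work:

```python
import math

def temp_rise(power_w, r_th, c_th, t_s):
    """First-order lumped thermal model: step power into heat capacity c_th
    leaking through thermal resistance r_th; returns rise above ambient (K)."""
    tau = r_th * c_th                      # thermal time constant, seconds
    return power_w * r_th * (1.0 - math.exp(-t_s / tau))

# Illustrative values: 0.7 W into a tiny element with tau = 2 ms.
rise_after_pulse = temp_rise(0.7, 250.0, 8e-6, 0.010)  # rise after a 10 ms pulse
```

With these made-up values the element reaches most of its steady-state rise (power_w * r_th = 175 K) well within a 10 ms pulse, which is the qualitative point of the paragraph above.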
If thin-film resistors are to be used as heating elements, the thermal rise time of the element is largely
dependent upon its physical mass. The choice of a
substrate material upon which the heating element is
placed largely governs the fall time of the temperature. The design of a printer, for a given speed of
response, using the heat generated in a resistor, becomes one of selecting the most suitable combinations of resistor elements and substrates. Approaching the problem in this manner, without other considerations, resulted in the choice of thin-film resistors and ceramic (A1 2 03 ) substrates. Each character,
consisting of a 5x5 matrix of resistor elements, required 26 leads. A head assembly of five characters
thus required 130 external interconnections. The
complexity of these interconnections together with
other considerations of importance, such as life,
reliability and cost, have directed attention in an
entirely different direction.
Reduction in interface complexity by
silicon implementation
The integrated circuit art has demonstrated the
economics of fabricating components within a monolithic structure of silicon. Such components as resistors, diodes and their interconnecting leads, have
been routine for some time, and the feasibility of
fabricating 125 resistors and diodes to produce a
silicon structure containing five characters is attractive. Each character would be a 5x5 matrix of heater
elements. A diode-resistor pair within each heater
element would reduce the number of external leads
for printing five characters sequentially from 130
to 30, as shown in Figures 2 and 3. Within the five-character head, the characters would be printed sequentially. In a typical printing sequence the common for character #1 would first be activated and the appropriate drive lines corresponding to the correct alphanumeric symbol would be pulsed negatively. After a cool-off period, common #2 would be activated and a different combination of drive lines would be pulsed.

[Figure 3 - Interconnection scheme for 5X5 matrix printing head: heater elements numbered 1 to 25 in each of five characters, shared drive lines, diode-resistor pairs on a ceramic submount, and per-character commons.]
Various types of system drive schemes are conceivable. If the line in the machine is made up of an
assembly of the five character heads, every fifth
character could be printed in parallel. The highest
speed printer, therefore, will be one in which a line
will be printed in the time necessary to print five
characters. In the lowest speed printer all characters
in the line will be printed sequentially.
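The lead-count arithmetic behind the reduction from 130 to 30 interconnections can be checked directly: with a diode-resistor pair in every element, the five 5x5 characters share their 25 drive lines and add only one common per character. A sketch of the bookkeeping (our own tally, not NCR design data):

```python
def external_leads(chars, rows=5, cols=5, matrixed=True):
    """External leads needed to address chars characters of rows x cols elements."""
    if matrixed:
        # diode matrix: drive lines shared across characters, one common each
        return rows * cols + chars
    # discrete wiring: every element brought out, plus a common per character
    return chars * (rows * cols + 1)

print(external_leads(5, matrixed=False))  # discrete: 130 interconnections
print(external_leads(5))                  # diode matrix: 30 leads
```

The same bookkeeping shows why a line built from such heads can print every fifth character in parallel without adding drive lines.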
Print head fabrication
A prototype print head has been fabricated in
monolithic form with the physical dimensions shown
in Figure 4. Each heater element shown in Figure 3
is fabricated within the silicon mesas shown in Figure 4, and each mesa contains a resistor-diode pair, produced by conventional integrated circuit diffusion
techniques. The array was interconnected by normal
evaporated leads. The leads are protected from paper
wear because the silicon structure is mounted with
the leads at the interface between the silicon and a
ceramic substrate.
The structure of a silicon mesa mounted on a
ceramic substrate was chosen to provide the desired
thermal transient performance. Because silicon is a
very good thermal conductor, the mesas are particularly necessary to provide thermal isolation between heater elements. As discussed earlier, the thermal characteristics of the interface and the ceramic, as well as the thickness of the silicon mesa, determine the temperature rise achieved for a given pulse width and power level.

Figure 4 - Construction of monolithic silicon print head

[Figure 5 - Example of print and printing head: rows of thermally printed sample characters (AAAAABBBBBCCCCC..., five of each character).]

Print head performance

Although the process is still in a development
phase, much has been learned about the performance
of such a head. The print head photographed in Figure
5 uses a 10-millisecond current pulse corresponding
to a power level of approximately 700 mw/element to
achieve a 200°C peak temperature. A 5-millisecond
cool-off time, necessary to allow the diodes of the
pulsed character to recover before the next character
is pulsed, results in a sequential character rate of 15
milliseconds per character. Typical prints are also
shown in the photograph.
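The quoted pulse and recovery times fix the sequential character rate; a quick check of the arithmetic (pulse width, cool-off time, and power level are from the text; the per-element energy figure is our own derived number):

```python
pulse_ms = 10.0      # heating pulse per character
cool_ms = 5.0        # diode recovery (cool-off) time
power_w = 0.700      # approximately 700 mW per element during the pulse

char_period_ms = pulse_ms + cool_ms          # 15 ms per character, as stated
chars_per_second = 1000.0 / char_period_ms   # roughly 67 characters/s sequential
energy_per_element_mj = power_w * pulse_ms   # about 7 mJ per heated element

print(char_period_ms, chars_per_second, energy_per_element_mj)
```

A five-head line printing every fifth character in parallel would multiply the sequential rate accordingly.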

Machine performance

No complete printers have yet been built using the silicon configuration. Many printers of various types have been built with other print head configurations using films of various types for the resistors. Figure 6 shows one such printer which operates in a serial-by-character mode, printing a line of 80 alphanumeric characters at a rate of 240 characters per second. The mean-time-between-failure of this printer is 2,000 hrs. at 30% duty cycle with a minimum life of the print head of 50x10^6 lines of print. Other printers have been delivered to operate in systems whose design objectives are in excess of 15,000 hrs. MTBF at 100% duty cycle. This illustrates the increase in life and reliability which can be expected of thermal printing.

Figure 6 - Thermal printer (80 characters per line - 240 characters per minute)

The change of printing heads from films to monolithic silicon will give additional life and reliability. The silicon heads will provide much longer life for two reasons: (1) since the resistors and diodes are at the silicon-ceramic interface, as shown in Figure 3, mechanical wear of the silicon surface by the paper can proceed until practically all of the silicon is removed; the only difference noted during this wear process is an improvement in print intensity during the life of the print head; (2) the silicon is considerably thicker and harder than the films and provides more life in this manner. The monolithic silicon printing head will provide longer life and increasing print quality during its life without a change in the value of the resistors.

Most people observing the operation of the thermal printer wonder when the printer is going to start to operate, without realizing that it is indeed already operating. The printing, of course, makes no noise in itself and paper spacing is the only mechanical motion necessary. Many techniques are available to reduce this noise and thermal printers have been built whose operation is only apparent by the gentle swoosh of the paper movement.

Thermal paper
The printer shown in Figure 6 produces an original
and two copies. The use of thermal energy for printing assumes a paper sensitive to this energy with
properties suitable for legal records. Several paper
systems have been developed for various applications requiring up to twelve copies. These printing
papers are difficult to tell from untreated papers by
inspection or handling, and can be stored indefinitely
at 65°C.
CONCLUSIONS
The feasibility of extending the electronic circuitry
directly to the printed page by the solid-state embodiment described has been proven.
Tests have shown that reliabilities of the same
order as experienced with integrated circuits can be
expected.
Paper systems have been developed as an adjunct
to this work which will provide copies, although in
most terminal applications this will not be required.
Redesign of the printing head for production must
be done before accurate cost estimates can be made.
Life test data has not yet been obtained due to the
length of time required for failure. The failure mechanisms are much the same as those in an integrated
circuit having two levels of interconnections.

A time delay compensation technique for
hybrid flight simulators
by V. W. INGALLS
The Boeing Company
Seattle, Washington

INTRODUCTION
A flight simulator or vehicle simulator of any type, except those involving only a point mass, appears at first glance to be ideally suited for mechanization on a hybrid computer because of the difference in requirements of the rotational and translational equations of motion. Solutions to the rotational equations contain high frequencies, making the use of the analog computer best for solving these equations. The translational equations have mostly low frequency solutions but require high accuracy, so the digital computer is best. Also the digital computer is the best
means of generating multi-variable functions such
as aerodynamic coefficients. The equations to be
solved and the conventional methods of mechanization of flight simulators are discussed by Fifer1 and Howe.2
The division of the problem between the two halves
of the hybrid computer is to solve the rotational
equations mainly on the analog computer and the
translational equations mainly on the digital computer.
The rotational equations require multivariable functions so that part of the solution must be done digitally
and because of the interaction of the translational
equations with the rotational equations, part of the
solution of the translational equations should be done
by the analog computer. Because this division cannot completely isolate the rotational equations to the
analog computer and the translational equations to
the digital computer, several problems arise.
The problems
In the hybrid computer solution of differential
equations several sources of error occur that are
either not present or are easily compensated for in
all digital or all analog computation. One of these
sources of error, as reported by Miura and Iwata,3

is the delay introduced into a closed loop because of
digital computation. The length of this delay is the
time from an analog voltage being sampled and transferred to the digital computer until all computations
using that value are completed and the results returned to the analog computer. This source of error
has a counter-part in an all digital simulation but
there are well known methods of reducing the error,
in the all digital case. Some of these methods are
directly applicable to hybrid computation, some can
be used in modified form and some cannot be used at
all. The most notable of the last group is the Runge-Kutta method. To use this method for hybrid computation would require the analog computer to make several trial solutions at the same instant of time, which
cannot be done. A number of papers have been written
discussing various methods from the first two groups
but most are only effective for linear problems.
Another source of error in a hybrid computer is
data reconstruction following digital to analog conversion. This source of error, as well as some others,
is discussed by Karplus.4 Theoretically, the output
of a digital to analog converter is a string of impulses that are passed through some form of holding circuit. It is normally considered that reduction
of the error by using any holding method more complicated than a simple zero order hold is not worth
the problems created. This contention is not disputed but this paper will describe a method by which
the effect of a higher order hold can be achieved
without the actual hold circuit being present. One
of the problems of using a zero order hold, which
holds the value of the voltage constant between conversions, is that if the variable converted is a derivative to be integrated on the analog computer, which is often the case, especially in vehicle simulators, the integral can be determined algebraically at each sampling time. This means that although the integration is done by the analog computer, the result is
the same as if it were done by the digital computer
using the most elemental method of integration,
i.e., rectangular or Euler. This being the case, there
is some question as to the utility of using a hybrid
computer for solving differential equations or at least
for solving the equations of motion for a vehicle
simulator.
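This equivalence is easily checked numerically. In the sketch below (our illustration, not from the paper), an ideal integrator driven through a zero-order hold is imitated by finely subdividing each frame; at the sampling instants its output coincides exactly with the rectangular (Euler) sums of the sampled derivative.

```python
# Our illustration: an ideal integrator fed a zero-order-held derivative
# agrees, at every sampling instant, with rectangular (Euler) integration
# of the samples, which is the point made in the text.
dt = 0.1
samples = [(k * dt) ** 2 for k in range(10)]    # some sampled derivative

analog_outputs = []          # "analog" integration of the held signal
acc = 0.0
for s in samples:
    for _ in range(1000):    # fine substeps within one hold interval
        acc += s * (dt / 1000)
    analog_outputs.append(acc)

euler_outputs = []           # purely digital rectangular rule
acc = 0.0
for s in samples:
    acc += s * dt
    euler_outputs.append(acc)

diff = max(abs(a - e) for a, e in zip(analog_outputs, euler_outputs))
print(diff)                  # only floating-point round-off remains
```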

A solution
The suggested solution, which is similar in some
respects to that proposed by Gelman, 5 to the problem
of derivative functions being represented by a series
of step functions is to rewrite the equations so that
every loop can be closed without going through the
digital computer. As an example, to check the method,
the equation

d²y/dt² = −a|y|y
was chosen because of several factors. These factors
are, first, it is nonlinear; second, it has a solution that
is periodic with constant amplitude and the period
is functionally related to the amplitude; third, the
period and amplitude can be determined analytically so errors can be checked; and last, it can be mechanized on an iterative differential analyzer simulating a hybrid computer. Actually this equation can
be solved entirely by the analog computer, but the
game was played assuming that the absolute value
could not be found on the analog and thus the digital
computer (or simulated digital computer) was needed.
The general form of this equation is
d²y/dt² = f(y, dy/dt, t)

or in state equation form it is

as in the example, the simplest way to rewrite the equation is to divide and multiply by y and mechanize it such that the function divided by y is generated by the digital computer and the multiplication by y is done by the analog. This mechanization might have some computation problems if y goes to zero, but these can be overcome if f also goes to zero for some y. To do this, divide and multiply by y plus a constant, such that y plus the constant goes to zero when f goes to zero, and define zero over zero as zero.
This mechanization will not completely eliminate
the problems of the time delay or the use of the zero
order hold. However, the outputs of the analog integrators can no longer be computed algebraically at a sampling instant from the conditions at the previous sampling instant. Instead, a linear differential equation must be solved. The result of this manipulation, therefore, is to change a nonlinear differential
equation to a linear equation with parameters that
change at every sampling instant so as to approximate
the original equation. This is also approximately
the result of using a higher order hold in the data
conversion equipment.
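A numerical sketch of this mechanization for the test equation d²y/dt² = −a|y|y (our illustration; the paper's machine is analog, and here the analog half is imitated by fine substeps): the digital half supplies the held coefficient a|y| once per frame, and within each frame the loop is closed entirely through the "analog" integrators, which solve the linear equation d²y/dt² = −cy.

```python
# Our illustration of the divide-and-multiply mechanization for
#   d2y/dt2 = -a*|y|*y.
# Digital half: once per frame, sample y and hold c = a*|y|.
# "Analog" half: within the frame, solve the linear equation
#   d2y/dt2 = -c*y  continuously (imitated here by fine substeps).
import math

a, DT, sub = 1.0, 0.05, 100
y, v = 1.0, 0.0                    # y(0) = 1, dy/dt(0) = 0
for _ in range(int(4.0 / DT)):     # run to t = 4
    c = a * abs(y)                 # held coefficient from the digital half
    h = DT / sub
    for _ in range(sub):           # loop closed through the analog half
        y, v = y + h * v, v - h * c * y
print(y, v)                        # the amplitude stays near 1
```

Because the loop closes through the integrators, the solution within each frame is an approximate cosine rather than a rectangular-rule sum.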
Nothing in the foregoing discussion does anything
directly to overcome the time delay problem. The
example will be used to describe the attack on this
problem rather than a general case. Assume that the
analog to digital converter, ADC, and digital to analog converter, DAC, operations occur simultaneously and repeat with a period Δt; then the example equation as mechanized becomes

d²y(t)/dt² = −a|y(t1 − Δt)| y(t)

for t1 − Δt ≤ t ≤ t1.

Then
minimum time is the smallest time, tf, at which

e(tf) = 0.    (11)
The result is that the required final states, x(tf), will
be enforced at that time, since e(t) is a measure of
the terminal error with time. By this method, the final
states, x(tf), can be considered as being unconstrained;
in reality, the constraints have merely been shifted from the final states to the criterion function. The alternative is to define Lagrange multipliers and perform a computer search for these additional parameters.
Method for solving the problem
backwards in time
A method for converting a problem with state variable constraints to one which appears to be without
constraints has been shown. This method allows the
classes of problems without constraints on the state
variables to be enlarged considerably. The motivation
is that many of the actual optimum control problems
fall within these classes. A method will now be presented which greatly simplifies the computational requirements for solving optimum control problems without constraints on the state variables.
Consider the properties of Pontryagin's Maximum
Principle, stated in Appendix A, that hold for a system with free or unconstrained state variables. By free
(unconstrained) state variables is meant that the state
vector x = (x1, x2, ..., xn) can be any point in the n-dimensional Euclidean space X. If x remains within some smooth manifold S ⊂ X without imposing constraints, then the state variables also behave as though they were free. By requiring the state variables to be unconstrained, the hypothesis of Theorem A.1 is satisfied. For a linear system with additive control u(t),
Theorem A.1 provides both a necessary and a sufficient
condition for optimum control. In addition, this theorem
provides final values for the adjoint variables; i.e.,

p(tf) = (−1, 0, 0, ..., 0)    (12)

or

p0(tf) = −1 and pi(tf) = 0, for i = 1, 2, ..., n.
With this additional information, brought about by
the requirement that the state variables be unconstrained, a new computational procedure can be developed. Instead of solving an initial value problem
with x(t0) known and p(t0) unknown, the problem can be solved as a final value problem with x(tf) known or arbitrary and p(tf) = (−1, 0, 0, ..., 0) known from Theorem A.1. But it is very difficult to solve final value problems, even with the help of a computer. Many computer runs are required to find one solution whose trajectory passes through the required final values x(tf) and p(tf). A better approach is to convert


this final value problem into an initial value problem,
since the latter problem is easier to solve. This is true
because only one computer solution is required to
uniquely solve an initial value problem. This is in contrast to the many computer solutions required for the
iterative parameter searching techniques.
The problem can be solved as an initial value problem by solving it backwards in time; i.e., by starting
the solution at time tf and solving the problem backwards in time until time t0. The initial conditions for this backwards time method are x(tf) and p(tf) = (−1, 0, 0, ..., 0). To state this approach formally, let T be the independent variable for the backwards time solution; i.e., let T be time running backwards. Then, during the time interval [t0, tf], T is defined by

T = tf − t    (13)

where tf is the final time, and t is real time. The backwards time solution begins with T = 0, which occurs at time t = tf, and ends when t = t0; i.e., when T = tf − t0. For the case t0 = 0, T runs from 0 to tf.
By making the change of variable,

t = tf − T,    (14)

the problem is converted from a final value problem to an initial value problem. The final states x(tf) and p(tf) become the initial values for the backward time solution, and x(t0) and p(t0) become the final values upon which the backward time solution must terminate.
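The change of variable can be checked on any simple system. The sketch below (our illustration, not from the paper) integrates dx/dt = −x forward to obtain x(tf), then integrates the negated right-hand side starting from x(tf) and recovers the initial state x(t0):

```python
# Illustration of the backwards-time change of variable t = tf - T:
# integrating dx/dT = -f(x) from x(tf) recovers x(t0).
import math

def rk4(f, x, h, n):
    # classical fourth-order Runge-Kutta integration of dx/dt = f(x)
    for _ in range(n):
        k1 = f(x); k2 = f(x + 0.5*h*k1); k3 = f(x + 0.5*h*k2); k4 = f(x + h*k3)
        x = x + (h/6)*(k1 + 2*k2 + 2*k3 + k4)
    return x

f = lambda x: -x                            # dx/dt = -x
x0, tf, n = 2.0, 1.0, 1000
xf = rk4(f, x0, tf/n, n)                    # forward solution x(tf)
back = rk4(lambda x: -f(x), xf, tf/n, n)    # negated right-hand side
print(x0, back)                             # back is close to x0
```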
The method for solving an optimum control problem
backwards in time can now be stated in three parts.
1. Write a program to solve the system equations

ẋ(t) = A x(t) + B u(t)    (15)

backwards in time. This can be accomplished by negating each input to every integrator or integration subroutine. The initial conditions are x(tf).
2. Maximize the Hamiltonian H with respect to u mathematically, and program the resulting expression for u, which is a function of x and p.
3. Write a program to solve the adjoint system equations

ṗi = −∂H/∂xi, for i = 1, 2, ..., n    (16)

backwards in time, where the partial derivative of H with respect to xi is taken by hand and the resulting equation programmed on the computer. The initial conditions are p(tf) = (−1, 0, 0, ..., 0).
Note that the equation for H is not programmed on
the computer. This method can be represented by the
block diagram shown in Figure 1. There are now 2n
equations in 2n unknowns with 2n initial conditions
known; hence, there are no more initial conditions for
which to search. Furthermore, no Lagrange multipliers
have been used. Therefore, all parameter searching has
been eliminated.
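A hypothetical miniature of the three steps (our construction, not an example from the paper): for the double integrator ẋ1 = x2, ẋ2 = u with |u| ≤ 1 and the minimum-error coordinate x0 = ½(x1² + x2²), maximizing H gives u = sgn(p2 − x2); the state and adjoint equations are then run backwards from x(tf) = 0 with p(tf) perturbed by a small ε:

```python
# Hypothetical miniature of the three-step backwards method (not from
# the paper): double integrator, minimum-error criterion (x1^2+x2^2)/2.
# Here H = -(x1*x2 + x2*u) + p1*x2 + p2*u, so u = sgn(p2 - x2),
# p1' = x2 and p2' = x1 + u - p1 in forward time.
import math

h, steps = 0.001, 3000
x1 = x2 = 0.0                      # step 1: start from the final states
p1, p2 = 0.01, 0.01                # step 3: p(tf) perturbed by +epsilon
for _ in range(steps):
    u = math.copysign(1.0, p2 - x2)    # step 2: u maximizes H
    # negate every derivative to run time backwards
    x1 -= h * x2
    x2 -= h * u
    p1 -= h * x2
    p2 -= h * (x1 + u - p1)
print(x1, x2)   # a candidate optimal trajectory traced away from the origin
```

A single pass of this loop replaces the whole family of forward runs that a search over p(t0) would require.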


Spring Joint Computer Conf., 1967

Figure 1 - Method for solving an optimum control problem backwards in time on a computer

Examples
Example 1: Minimum time frequency control
of phase-locked loops
The problem is to minimize the time for a phase-locked loop to lock onto a step change in frequency.12 The sine term represents the non-linearity of the phase detector. The system is described by the state differential equations

ẋ1 = √2 ωn sin(−x1) + x2 − u,  x1(0) = 0    (17)
ẋ2 = ωn² sin(−x1),  x2(0) = −Δω    (18)

Find the control u(t) that will drive the system from its initial states to the final states x1(tf) = x2(tf) = 0 in minimum time, where |u| ≤ K.
The criterion function of minimum time is converted to a minimum error function defined as the new coordinate

x0(t) = ½[(x1(t) − x1(tf))² + (x2(t) − x2(tf))²]    (19)

Then minimum time is the shortest time, tf, at which x0(tf) goes to zero.
The Hamiltonian is

H = p0ẋ0 + p1ẋ1 + p2ẋ2
  = (p1 − x1)[√2 ωn sin(−x1) + x2 − u] + (p2 − x2) ωn² sin(−x1),    (20)

since p0 = −1 by Theorem A.1 and x1(tf) = x2(tf) = 0. H is maximum with respect to u if

u = K sgn(x1 − p1).    (21)

The adjoint equations are

ṗ1 = [√2 ωn(p1 − x1) + ωn²(p2 − x2)] cos(−x1) + √2 ωn sin(−x1) + x2 − u    (22)
ṗ2 = x1 − p1 + ωn² sin(−x1).    (23)

To solve this problem backwards in time, the following equations must be programmed on the computer.

u = K sgn(x1 − p1)
ṗ1 = −[√2 ωn(p1 − x1) + ωn²(p2 − x2)] cos x1 + √2 ωn sin x1 − x2 + u,  p1(tf) = 0
ṗ2 = −x1 + p1 + ωn² sin x1,  p2(tf) = 0

An analog computer solution of these equations is shown in Figure 2. These results agree with those obtained by Sanneman and Gupta.12 A small perturbation of the adjoint initial conditions to the values p1(tf) = 0.02 and p2(tf) = 0.03 produced an accurate solution. This indicates that analog computer errors are on the order of 0.3 percent of full scale. The problem was time scaled to let one second real time equal 10 seconds computer time. This reduced the sensitivity of the problem and allowed the computer to give a more accurate solution.

Figure 2 - Solution of second order nonlinear phase-locked loop problem (time backwards)

Example 2: Third order nonlinear minimum time problem
The purpose of this example is to show how much the difficulty of obtaining a solution increases in going from a second order to a third order nonlinear problem. Let the system be described by the state differential equations

ẋ1 = x2,  x1(0) = 0.8    (24)
ẋ2 = x3,  x2(0) = −0.8    (25)
ẋ3 = −ax3 − x2|x2| + u,  x3(0) = −6.4    (26)

Optimum Control Problems
Find the control u(t) which will drive the system from its initial states to the final states x1(tf) = x2(tf) = x3(tf) = 0 in minimum time, where |u| ≤ 1 and a = 0.333. The criterion function of minimum time is converted to a minimum error function defined as a new coordinate by

x0(t) = ½[(x1(t) − x1(tf))² + (x2(t) − x2(tf))² + (x3(t) − x3(tf))²].    (27)

Then minimum time is the smallest time, tf, at which x0(tf) = 0. Since x(tf) = 0,

ẋ0 = x1ẋ1 + x2ẋ2 + x3ẋ3    (28)
   = x1x2 + x2x3 − ax3² − x2|x2|x3 + x3u.

The Hamiltonian is

H = p0ẋ0 + p1ẋ1 + p2ẋ2 + p3ẋ3
  = −x1x2 − x2x3 + ax3² + x2|x2|x3 − x3u + p1x2 + p2x3 − ap3x3 − p3x2|x2| + p3u,    (29)

since p0 = −1 by Theorem A.1. H is maximum with respect to u if

u = sgn(p3 − x3).    (30)

The adjoint equations that must be solved are

ṗ1 = x2,  p1(tf) = 0    (31)
ṗ2 = x1 + x3 − 2|x2|x3 − p1 + 2p3|x2|,  p2(tf) = 0    (32)
ṗ3 = x2 − 2ax3 − x2|x2| + u − p2 + ap3,  p3(tf) = 0    (33)

To obtain a solution, equations (24), (25), (26) and (31), (32), (33) had to be solved backwards in time along with equation (30). This problem was solved on the analog computer, and the results are shown in Figure 3. No particular difficulties were encountered in obtaining a solution. Only one multiplier, two integrators, and one amplifier were required for the third order problem in addition to those required for the second order problem. This was insignificant, as was the additional effort to perturb p(tf) = ±ε for one additional component. This problem was also slowed down by 10, by time scaling, to obtain less sensitive and more accurate results.
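The backwards computation for this example can also be sketched purely digitally (our sketch, not the authors' analog program; Euler substeps stand in for the analog integrators, and u = sgn(p3 − x3) is the control that maximizes H): equations (24)-(26) and (31)-(33) are integrated with negated right-hand sides from x(tf) = 0 and a perturbed p(tf).

```python
# Our digital sketch of the backwards solution of this example (the
# paper used an analog computer). Every derivative is negated to run
# time backwards; u = sgn(p3 - x3); p(tf) is perturbed by epsilon.
import math

a, eps, h = 0.333, 0.02, 0.0005
x1 = x2 = x3 = 0.0                 # final states x(tf) = 0
p1, p2, p3 = eps, eps, eps         # perturbed adjoint final values
for _ in range(4000):              # two seconds of backwards time
    u = math.copysign(1.0, p3 - x3)
    dx1, dx2, dx3 = x2, x3, -a*x3 - x2*abs(x2) + u
    dp1 = x2
    dp2 = x1 + x3 - 2*abs(x2)*x3 - p1 + 2*p3*abs(x2)
    dp3 = x2 - 2*a*x3 - x2*abs(x2) + u - p2 + a*p3
    x1 -= h*dx1; x2 -= h*dx2; x3 -= h*dx3    # negated: backwards in time
    p1 -= h*dp1; p2 -= h*dp2; p3 -= h*dp3
print(x1, x2, x3)
```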
Nonlinear problems have been chosen for the examples in order to demonstrate the capability of this
method to solve nonlinear problems with the analog
computer. On the contrary, it has not been shown in this work that the Maximum Principle is a sufficient condition for optimal control of nonlinear systems. It turns out, however, that the sufficiency condition holds for these examples. To show this, the notion of normality relative to X and the solution of the Hamilton-Jacobi partial differential equations are required. These have been worked out by Athans and Falb.13

Figure 3 - Solution of third order nonlinear problem (time backwards). One second real time equals ten seconds computer time.

CONCLUSIONS
A simple method has been developed for solving optimum control problems by Pontryagin's Maximum
Principle. The requirement for searching the adjoint
initial conditions for an acceptable set and the use of
Lagrange multipliers has been eliminated by solving the
problem backwards in time.
A good criterion for evaluating a computing method
is to note the increase in the complexity of obtaining a
solution when going to higher order systems. The
operating procedure does not change for the backward
time method; only the computer program becomes more
complex .. In going from a second order to a third order
system, the procedure for obtaining a solution remains
the same, except that there is one more parameter,
P3 (tf ), to perturb by a small amount ± Ea to measure
error and sensitivity. On the other hand, in the forward
time mechanization, the computer time required to
search for an acceptable p (to) increases by an exponent
equal to the order of the system; e.g., if m2 seconds
were required for a second order system to converge to
a solution, then mS seconds are required for the convergence of a third order system. In addition, about 20
percent more analog hardware is required. Curves for
evaluating these methods, based on several examples,
are shown in Figure 4.
The capability of the backwards time method is also
shown in its use as a design tool. If it is desired to


drive a system from a given initial state x(t0) to a required final state x(tf), it really doesn't matter whether the problem is solved forward or backwards in time. By solving the problem backwards in time from x(tf) with u(t) constrained by |u| ≤ M, the trajectories of x(t) are easily obtained, and the manner in which x(t0) is approached can be observed. If the time tf − t0 is constrained, it can be seen immediately whether or not x(t) will move to x(t0) in reasonable time. If not, then the information is available on how to change M to satisfy this requirement. Changing M is easily done on the computer. This approach is very difficult to achieve using the forward time method, because each time M is changed, a new set of initial states p(t0) must be found by a searching procedure.

Figure 4 - A comparison of the times required to obtain a computer solution

Appendix A
The following assumptions were made in order to solve the optimum control problem, stated in the body of the paper, by Pontryagin's Maximum Principle.
1. The system is controllable; i.e., the states of the system can be changed from some initial states x(t0) to some final states x(tf) in a finite time tf − t0 by the application of some bounded control function u(t) over the time interval [t0, tf]. The state vector x(t) is the solution to the state differential equations (1) with x(t0) given. The state vector x(t) exists as a unique point x in the Euclidean space X of dimension n at each instant of time in the interval [t0, tf].
2. There exists a control region U, which is a bounded subset of some r-dimensional vector space. The control variable u(t) ∈ U must be a bounded piecewise continuous vector function of time, with domain in [t0, tf] and range in U. If u(t) satisfies these requirements, it is called an admissible control.
3. The state differential equations (1) are continuous in the variables x and u and continuously differentiable with respect to the components of x. The integrand f0(x,u) of the criterion function is also defined and continuous together with its partial derivative with respect to x.
4. The system described by equations (1) is autonomous.
5. The criterion function J, defined by equation (2), has at least a local minimum at time tf. This is true when the first variation of J is zero and the quadratic form of the second variation of J is positive definite.13

The following theorems can be stated for systems with unconstrained final states:13

Theorem A.1: Let u(t) be an admissible control which moves the system described by equations (1) from the fixed initial states x(t0) to some unconstrained final states x(tf) in X. In order that u(t) be an optimal control and x(t) the corresponding optimal trajectory, it is necessary that there exists a nonzero continuous vector function p(t) = (p0(t), p1(t), ..., pn(t)), corresponding to u(t) and x(t), on the time interval [t0, tf], such that
a. p(t) is a solution to the adjoint system of equations defined by

ṗi = −∂H/∂xi, for i = 0, 1, ..., n,    (A.1)

where H(p,x,u) is defined by

H(p,x,u) = Σ (i = 0 to n) pi ẋi.    (A.2)

b. The functional H(p,x,u) has an absolute maximum with respect to u(t) on the interval [t0, tf].
c. The maximum value of H(p,x,u) with respect to u(t) is zero on the interval [t0, tf]; i.e.,

sup (u ∈ U) H(p,x,u) = 0.    (A.3)

d. At the final time, tf,

p(tf) = (−1, 0, 0, ..., 0).    (A.4)

If the system is linear and the control additive, as in equations (1) for A and B matrices with constant elements, then Theorem A.1 provides both a necessary and sufficient condition for optimum control.
Theorem A.2: Let the system be described by the set of differential equations (1), where the controls uj are subject to the constraints

|uj| ≤ Mj, for j = 1, 2, ..., r,    (11)

for Mj a positive real number. If the system is moved from its initial states x(t0) to some unconstrained final states x(tf) in X in such a manner that the criterion function defined by equation (5) is minimized to zero, then the condition H(p(tf), x(tf), u(tf)) = 0 is redundant.
REFERENCES
1 GEORGE A. BEKEY Optimization of multiparameter systems by hybrid computer techniques Simulation February, 1964, pp. 19-32, and March 1964, pp. 21-29
2 GEORGE A. BEKEY and ROBERT B. McGHEE Gradient methods for the optimization of dynamic system parameters by hybrid computation Computing Methods in Optimization Problems, edited by A. V. Balakrishnan and L. W. Neustadt Academic Press, Proc. of U.C.L.A. Conference January 30, 1964, pp. 305-327
3 EDWARD J. FADDEN and ELMER G. GILBERT Computational aspects of the time-optimal control problem Computing Methods in Optimization Problems, edited by A. V. Balakrishnan and L. W. Neustadt Academic Press, 1964, pp. 167-192
5 O. R. HOWARD and Z. V. REKASIUS Error analysis with the maximum principle IEEE Trans. on Automatic Control Vol. AC-9, No. 3 July, 1964, pp. 223-229
6 CHARLES H. KNAPP and PAUL A. FROST Determination of optimal control and trajectories using the maximum principle in association with a gradient technique Proc. of Joint Automatic Control Conf., 1964, pp. 222-225, also in IEEE Trans. on Automatic Control, Vol. AC-10, No. 2 April 1965, pp. 189-193
7 R. L. MAYBACH Optimal control by Pontryagin on hybrid computer IEEE Region Six Conference Record, April, 1965, also ACL Memo No. 119, Electrical Engineering Department, University of Arizona, April 27, 1966
8 BERNARD PAIEWONSKY, PETER WOODROW, WALTER BRUNNER, and PETER HALBERT Synthesis of optimal controllers using hybrid analog-digital computers Computing Methods in Optimization Problems, edited by A. V. Balakrishnan and L. W. Neustadt, Academic Press, 1964, pp. 285-303
9 M. D. ANDERSON and S. C. GUPTA Analog computer solution of a third-order Pontryagin optimum control system Simulation, Vol. 5, No. 4 October, 1965, pp. 258-263
10 LIANG-TSENG FAN The continuous maximum principle John Wiley & Sons 1966
11 JULIUS T. TOU Modern control theory New York: McGraw-Hill, 1964
12 R. W. SANNEMAN and S. C. GUPTA Optimum strategies for minimum time frequency transitions in phase-locked loops IEEE Trans. on Aerospace and Electronic Systems, Vol. AES-2, No. 5 September, 1966, pp. 570-581
13 M. ATHANS and P. L. FALB Optimal control McGraw-Hill 1966

An application of hybrid curve generation - cartoon animation by electronic computers
by TAKEO MIURA
Hitachi Central Research Laboratory
Tokyo, Japan
and
JUNZO IWATA
Hitachi Electronics Co.
Tokyo, Japan
and
JUNJI TSUDA
Hitachi Central Research Laboratory
Tokyo, Japan

INTRODUCTION
Curve generation techniques are gaining importance
in the field of computer graphics. Curve generators
using either digital or analog techniques can be built.
However it is extremely advantageous to use hybrid
techniques by taking advantage of superior analog
curve generation capability. This results in small
storage requirements for a digital computer and a
relatively fast display time.
In this paper, as an application of hybrid curve
generation techniques and computer graphics, computer animation problems are dealt with.
Motion picture cartoons and other types of animation require extraordinarily great expenditures of
labor, since each individual cartoon frame must be
drawn by hand. These frames, each one of which incorporates only minute changes, are then photographed one after another. We have recently developed two computing methods for producing
animation: (1) Representing the picture in mathematical equations and moving it by switching the
constants of the equations (analog computer method);
and (2) having two frames drawn by an animator.
The curve indicating the movement between these
two frames is then read into the computer. According
to the results calculated by the computer, animations
between the two frames are machine-drawn (hybrid computer method). The second method offers more
advantages from the practical point of view, because
it is easier to draw a picture which is faithful to
the artist's intention.
Analog computer method
Basic principles
Individual pictures in animated cartoons consist of
a multitude of highly complicated lines. However,
each individual section of the picture can be simulated by means of relatively simple curves. For
example, a curve can be approximated by a series of
parabolas. In most cases, each section consists of
simple closed curves. Consequently, it is possible
to take a circle as the basis of a closed curve, and
then to modify it to make a desired pattern.

Figure 1 - Circle-test circuit


A circle can be generated by a so-called "circle-test
circuit," shown in Figure 1. In an analog computer,
the modification of a pictorial pattern can be performed simultaneously with the generation of the
circle. Thus, it is possible to produce a picture by
varying in succession the manner of modification as
numerous circles are being produced repeatedly one
after another. These are displayed on a cathode ray
tube. If slight differences are introduced in the parameters in the transformation circuit for each one of these
individual curves, then it will appear as if the picture
is moving continuously.
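The circle-test loop itself is just two integrators connected in a ring (dx/dt = y, dy/dt = −x). A digital sketch of the same loop (ours, not the Hitachi circuit), stepped with a semi-implicit rule so that the traced point keeps a nearly constant radius:

```python
# Our digital sketch of the circle-test loop of Figure 1: two
# integrators in a ring, dx/dt = y, dy/dt = -x, stepped with the
# semi-implicit Euler rule so the radius stays nearly constant.
import math

h = 2 * math.pi / 1000
x, y = 1.0, 0.0
for _ in range(1000):      # one full revolution
    x += h * y
    y -= h * x             # uses the already-updated x
radius = math.hypot(x, y)
print(radius)              # remains close to 1
```

The transformation circuits described next would act on each (x, y) pair as it is produced.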

The chief means of modifying the basic pictorial patterns are as shown in Figure 2. Although all of these are transformations of the coordinates, the procedures of (d) and (e) in Figure 2 have the effect of distorting the coordinate axis. Figure 3 shows how the coordinate grids are changed by these transformations. Thus, if one takes into consideration these transformations of the coordinate grids, one can anticipate the shape which a given pictorial pattern will have after its transformation. In this manner, one can modify the basic circle to produce a large number of desired shapes.

Figure 2 - Transformation methods: stretch (compression), displacement, rotation, and two non-linear transformations

Figure 3 - Transformation of coordinate grid

Besides modifying circles, it is naturally possible also to begin with other differential equations. For example, one can use a damped oscillation circuit. If this is displayed on the phase plane, one will obtain logarithmic spirals. However, if the decrement is made smaller, it will be possible to black out the area inside the circle. If this process is discontinued before completion, one will obtain a circle with thick lines. Other differential equations for obtaining other solutions are also conceivable. However, just as in the case of modifications, if they are exceedingly complex, they will cease to be practical.

Examples of actual applications
Figure 4 is a picture of Oba-Q, the hero of a comic strip enjoying popularity in Japan. Figure 5 is a picture of a rabbit driving a car. As for the former, the trunk, eyes, mouth, and legs consist of seven closed curves. The eyeballs are blacked out by spirals, and the hands and the hair are made by conics. The functions of movement, expansion and contraction, modification, etc., can be provided by several potentiometers in the computing circuit. This can be done

either manually or under the program control of the digital computer. In carrying out these experiments, we used the Hitachi ALS-2000 analog computer, which has an iteration rate of 3 KC.

Figure 4 - Oba-Q displayed on a cathode ray tube

Figure 5 - A rabbit driving a car

Problems of the analog computer method
This method has the advantage that the pictures produced on the cathode ray tube can be moved in real time. However, the method also has two important drawbacks. One is the fact that it is difficult to produce a picture which is faithful to the artist's intention. The second drawback is that in order to obtain complicated pictures the computing circuit itself will become complicated.

Hybrid computer method
General introduction
In this method an animator draws out by hand two separate frames of the cartoon. These two original drawings, as well as the curves indicating the movements between the two, are read into the computer. Then the computer generates the intervening frames by interpolation.
A hybrid computer is used for the following reasons. First, input operations can be performed conveniently if the curves are read in analog fashion. In addition, since the pictures must ultimately be drawn, analog techniques will be necessary in these sections. The curves were represented by means of the coordinates of representative points. Although in this method it is necessary to use a greater amount of data to represent the picture, it is possible to represent even highly complicated curves, and any picture conceived by the animator can be produced easily. The curves can also be modified or revised freely in any way.

Reading in the pictures
As is shown in Figure 6, a curve is represented approximately by suitable sampling points: P1, P2, ..., P7.
The following four types of points will be necessary:
a Initial point. This is the point where the curve
begins. The pen of the XY recorder is lowered
at this point.

Figure 6 - Representation of a curve by point coordinates

b Intermediate points. These are the intermediate points along the curve. They ought to be connected smoothly with the points preceding and following them.
c Break point. This is an intermediate point on a curve at which the curve bends in a different direction.
d Terminal point. This is the point where a curve ends. The pen of the XY recorder is raised at this point.
The pictures are read into the digital computer by means of a series of points, and are then memorized by the computer. Each point includes information concerning the position (the coordinates) and the type of point.
A special curve reader is used. This reader consists of a pen for position detection and a set of function switches. As the pen is moved along the curve, the coordinates of the points are detected electromagnetically and are transformed into digital quantities. The point coordinates are read into the computer by operating the switch. The type of point is distinguished by selecting the appropriate function switch.

Reproducing the pictures
There are various conceivable methods of reproducing a curve by joining together a series of points, for instance the method of joining the points by means of arcs or parabolas. We adopted a method of utilizing analog elements by which it was possible to draw these curves simply and conveniently.
As shown in Figure 7, if one specifies both the positions of each of the points and the tangents of the curves at each of the points, then it will be possible to reproduce the original curve with almost complete fidelity. However, a prerequisite for this is that the series of points must have been sampled with a sufficient degree of fineness making possible a faithful representation of the original curve.
The following two processes must be performed:
1 The tangents must be calculated.
2 Then one must generate a smooth curve which will pass accurately through the given points and will connect with the given tangents.
The first process is performed by the digital computer, and the second by the analog elements.
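The four point types used to read in a curve (initial, intermediate, break, terminal) map naturally onto a small data structure. A sketch of ours (the names are not from the paper) that groups a stream of typed points into pen-down strokes for the XY recorder:

```python
# Sketch of the typed-point representation: each sampled point carries
# its coordinates and one of the four types (initial, intermediate,
# break, terminal). Names here are illustrative, not from the paper.
INITIAL, INTERMEDIATE, BREAK, TERMINAL = "a", "b", "c", "d"

def strokes(points):
    """Split a stream of (x, y, kind) samples into pen-down strokes."""
    out, current = [], []
    for x, y, kind in points:
        if kind == INITIAL:
            current = [(x, y)]          # pen is lowered here
        else:
            current.append((x, y))
        if kind == TERMINAL:            # pen is raised here
            out.append(current)
            current = []
    return out

stream = [(0, 0, "a"), (1, 2, "b"), (2, 2, "c"), (3, 0, "d"),
          (5, 5, "a"), (6, 6, "d")]
print(strokes(stream))   # two strokes: four points, then two points
```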

Figure 7 - Curves are designated by the positions of the
points and the directions of the tangents

Figure 8 - Calculation of tangents by parabolic approximation

Calculation of tangents
In order to calculate the tangents, the smooth curve
passing through a given series of points must be expressed by equations. Here we adopted the parabolic
approximation. Let us suppose that there are four points: P_{i-2}, P_{i-1}, P_i, and P_{i+1}, as shown in Figure 8. First, we shall draw the parabola l_{i-1}, having an axis perpendicular to P_{i-2}P_i and passing through the three points P_{i-2}, P_{i-1}, and P_i. Let Q_{i-1,2} be the point of intersection of the tangents of l_{i-1} at point P_{i-1} and point P_i. Next, we shall draw the parabola l_i, having an axis perpendicular to P_{i-1}P_{i+1} and passing through the three points P_{i-1}, P_i, and P_{i+1}. Let Q_{i,1} be the point of intersection of the tangents of l_i at points
Cartoon Animation By Electronic Computers
P_{i-1} and P_i. Taking into consideration Q_i, the central point between Q_{i-1,2} and Q_{i,1}, we assumed that P_{i-1}Q_i and P_iQ_i were the tangents at P_{i-1} and P_i of the approximate curve between points P_{i-1} and P_i. Since the tangents of the curve at each point will not strictly coincide before and after the point, the curve will therefore bend in a different direction at each point. However, if the points in the series have been spaced at suitable intervals, the differences in the tangential directions will be so small as to be negligible, and these variations will make no difference from the practical point of view.
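The construction can be sketched numerically. The Python fragment below is our own modern illustration (the original system used analog elements); it fits the parabola whose axis is perpendicular to the chord through the outer points and returns Q, the intersection of the tangents at the last two points. The function name and the frame-rotation details are ours.

```python
import numpy as np

def tangent_intersection(p0, p1, p2):
    """Fit a parabola with axis perpendicular to the chord p0-p2, passing
    through p0, p1, p2, and return Q, the intersection of its tangents at
    p1 and p2."""
    p0, p1, p2 = map(np.asarray, (p0, p1, p2))
    u = p2 - p0
    u = u / np.linalg.norm(u)            # chord direction
    v = np.array([-u[1], u[0]])          # parabola axis direction
    # coordinates of the three points in the (u, v) frame, origin at p0
    (u0, v0), (u1, v1), (u2, v2) = [((p - p0) @ u, (p - p0) @ v)
                                    for p in (p0, p1, p2)]
    # quadratic v = a*u^2 + b*u + c through the three points
    a, b, c = np.linalg.solve(
        np.array([[u0**2, u0, 1], [u1**2, u1, 1], [u2**2, u2, 1]]),
        np.array([v0, v1, v2]))
    # tangent slopes at u1 and u2, then their intersection
    s1, s2 = 2*a*u1 + b, 2*a*u2 + b
    uq = (s1*u1 - s2*u2 - v1 + v2) / (s1 - s2)
    vq = s1*(uq - u1) + v1
    return p0 + uq*u + vq*v              # back to x-y coordinates
```

For the points (-1, 1), (0, 0), (1, 1) of the parabola y = x², it returns (0.5, 0), which is indeed the intersection of the true tangents at (0, 0) and (1, 1).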

Figure 9 - Block diagram for generation of a smooth curve

Generation of smooth curves
Having obtained the two points P_1(x_1, y_1) and P_2(x_2, y_2), as well as Q(ξ, η), the point of intersection of tangents T_1 and T_2 at P_1 and P_2, we next draw a curve passing through these points and having the given tangents. This can be conveniently mechanized using the analog elements. Taking into consideration the dynamic characteristics of the XY recorder, we employed the circuit shown in block diagram form in Figure 9. Let us suppose that each input terminal is fed the values 1 = x_1, 1' = y_1, 2 = X and 2' = Y (X and Y are certain values), and that the circuit is in a steady state. Then the outputs will be x = x_1 and y = y_1. Let us next change the inputs at 1 and 1' to x_2 and y_2 respectively, and at the same time let us change the inputs at 2 and 2' to X + ξ - x_1 and Y + η - y_1, respectively.
Then the response of the circuit will be:

x(t) = x_2 + [(x_1 - x_2)(1 + t) + (ξ - x_1)t]e^(-t)
y(t) = y_2 + [(y_1 - y_2)(1 + t) + (η - y_1)t]e^(-t)

Consequently:

x(0) = x_1,  x(∞) = x_2,  y(0) = y_1,  y(∞) = y_2
(dy/dx) at t = 0 is (η - y_1)/(ξ - x_1), and (dy/dx) at t = ∞ is (η - y_2)/(ξ - x_2)

Therefore, the resultant curve l = (x(t), y(t)) starts from P_1(x_1, y_1), terminates at P_2(x_2, y_2), and has the given tangents at P_1 and P_2. Curve l has a shape enclosed by the triangle QP_1P_2, and its shape changes depending upon the directions of tangents T_1 and T_2, as shown in Figure 10. This method can provide a seemingly natural curve and is quite adequate for the purpose of curve generation required here.

Figure 10 - The curve changes its shape according to the tangents T_1 and T_2
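As a check on these properties, here is a small numerical sketch (ours; Python of course postdates the paper) of the response x(t) = x2 + [(x1 - x2)(1 + t) + (ξ - x1)t]e^(-t), with y(t) analogous:

```python
import math

def curve_point(t, p1, p2, q):
    """Point at parameter t on the curve from p1 to p2 whose end tangents
    pass through q: the double-lag response of the analog circuit."""
    (x1, y1), (x2, y2), (xi, eta) = p1, p2, q
    decay = math.exp(-t)
    x = x2 + ((x1 - x2) * (1 + t) + (xi - x1) * t) * decay
    y = y2 + ((y1 - y2) * (1 + t) + (eta - y1) * t) * decay
    return x, y

p1, p2, q = (0.0, 0.0), (4.0, 0.0), (2.0, 3.0)
# starts exactly at p1 and approaches p2
assert curve_point(0.0, p1, p2, q) == p1
xT, yT = curve_point(30.0, p1, p2, q)
assert abs(xT - 4.0) < 1e-9 and abs(yT) < 1e-9
# initial tangent points from p1 toward q: dy/dx = (eta - y1)/(xi - x1) = 1.5
h = 1e-6
xh, yh = curve_point(h, p1, p2, q)
assert abs(yh / xh - 1.5) < 1e-3
```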

Interpolation of pictures between the two frames
There are two methods available now to provide a
cartoon figure with a sequence of movement.

Spring Joint Computer Conf., 1967

Figure 11 - Interpolation of Type I

Type I
In this method, the original curve is given, as well as the curve after it has been moved and/or modified. Furthermore, the sequence of movement is specified for representative points on the curve. Then the specified number of interpolation curves are prepared for the changes intervening between both curves.
Linear interpolation is adopted as the method of interpolation. That is, interpolation is performed by the fundamental operations of movement, rotation, and expansion and contraction.
Let us assume that the curve in the original drawing No. 1 is given by the series of points S_1, S_2, ..., S_n, and that the curve in the original drawing No. 2 is given by the series of points e_1, e_2, ..., e_n (see Figure 11). Let us suppose that there is a one-to-one relationship between the points in both series, for instance, that point S_i will be at point e_i after it has completed its movement. Let us also suppose that points S_1 and S_n are chosen as representative points, and that the sequence of movements of each is given by points p_1 - p_m and points q_1 - q_m respectively.
If we wish to calculate A_ij, the i-th point on the j-th interpolation curve, we assume W_sj to be the rotation matrix for superposing the vector S_nS_1 on vector q_jp_j. If the expansion rate is k_sj:

A_sij = k_sj W_sj (S_i - S_n) + q_j,    i = 1, 2, ..., n;  j = 1, 2, ..., m

Next, let us assume W_ej to be the rotation matrix for superposing the vector e_ne_1 on vector q_jp_j. If the expansion rate is k_ej:

A_eij = k_ej W_ej (e_i - e_n) + q_j

Matrices k_sj W_sj and k_ej W_ej can each be calculated by the following equations:

k_sj W_sj = 1/[(S_1x - S_nx)² + (S_1y - S_ny)²] · [  w_sj1  w_sj2 ]
                                                  [ -w_sj2  w_sj1 ]

Here,
w_sj1 = (S_1x - S_nx)(p_jx - q_jx) + (S_1y - S_ny)(p_jy - q_jy)
w_sj2 = (S_1y - S_ny)(p_jx - q_jx) - (S_1x - S_nx)(p_jy - q_jy)

k_ej W_ej = 1/[(e_1x - e_nx)² + (e_1y - e_ny)²] · [  w_ej1  w_ej2 ]
                                                  [ -w_ej2  w_ej1 ]

Here,
w_ej1 = (e_1x - e_nx)(p_jx - q_jx) + (e_1y - e_ny)(p_jy - q_jy)
w_ej2 = (e_1y - e_ny)(p_jx - q_jx) - (e_1x - e_nx)(p_jy - q_jy)

Finally, let us take the weighted mean of A_sij and A_eij to obtain the required point A_ij. This will give:

A_ij = ((m - j)/m) A_sij + (j/m) A_eij

By means of this transformation, one can obtain the series of points for the group of curves changing continuously, in both their shapes and their positions, from curve S_1, S_2, ..., S_n to curve e_1, e_2, ..., e_n.
Type II
In this case, one original drawing will suffice. The original curve is moved by a combination of movement, rotation, and expansion and contraction.
This type of transformation is depicted graphically in generalized form in Figure 12. The method of moving the curve is the following. The reference point S'_n is established at an appropriate point, and vector S'_nS'_1 is drawn from this reference point to a suitable length and in a suitable direction. This is taken as the reference vector. Next, if the curve is the j-th transformation curve, two points, Q'_j and P'_j, are given, and one determines the transformation relationship for shifting the reference vector to the vector Q'_jP'_j. The original curve is then moved using this relationship.
The following equation is used to calculate A_ij, the i-th point on the j-th interpolation curve:

A_ij = k_j W_j (S'_i - S'_n) + Q'_j

where

k_j W_j = 1/[(S'_1x - S'_nx)² + (S'_1y - S'_ny)²] · [  w_j1  w_j2 ]
                                                    [ -w_j2  w_j1 ]

Here,
w_j1 = (S'_1x - S'_nx)(P'_jx - Q'_jx) + (S'_1y - S'_ny)(P'_jy - Q'_jy)
w_j2 = (S'_1y - S'_ny)(P'_jx - Q'_jx) - (S'_1x - S'_nx)(P'_jy - Q'_jy)

By means of this transformation, both the position and magnitude of the original curve can be transformed while maintaining a similar shape.
In designating the range within which the curves are moved, it does not matter what types of points the representative points are, nor does it matter what types of points are the points in between both of the representative points. For instance, if one wishes simply to move the picture as a whole, it will be enough merely to select the first and last points in the series of points as the representative points. The parts to be moved are not limited to a single place. Any number of places can be specified.

Figure 12 - Interpolation of Type II
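Both interpolation types rest on the same operation: a rotation plus uniform scaling that carries one reference vector onto another. A present-day Python sketch of that similarity transformation (our illustration; the function name is invented):

```python
import numpy as np

def similarity_map(ref_tail, ref_head, tgt_tail, tgt_head, pts):
    """Move pts by the rotation + uniform scaling that carries the reference
    vector (ref_tail -> ref_head) onto the target vector
    (tgt_tail -> tgt_head), with ref_tail mapped onto tgt_tail."""
    a = np.asarray(ref_head, float) - np.asarray(ref_tail, float)
    b = np.asarray(tgt_head, float) - np.asarray(tgt_tail, float)
    w1 = a[0] * b[0] + a[1] * b[1]      # dot product of the two vectors
    w2 = a[1] * b[0] - a[0] * b[1]      # minus their cross product
    kW = np.array([[w1, w2], [-w2, w1]]) / (a @ a)
    pts = np.asarray(pts, float)
    return (pts - np.asarray(ref_tail, float)) @ kW.T + np.asarray(tgt_tail, float)
```

Mapping the reference vector (0,0)->(1,0) onto (5,5)->(5,7) rotates by 90 degrees, scales by two, and translates; the matrix is exactly the [w1 w2; -w2 w1] form given above.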

Figure 13 - Examples of animated cartoon

Results of application and their consideration
Animated cartoons were actually prepared on the
basis of the methods described above. A typical
example is shown in Figure 13. As is evident from
the figure, the pictures can be moved about quite
freely by this method, and the animated cartoons
made in this manner were more or less satisfactory.
In the future, when further improvements have been
incorporated in the picture input device and the digital
program, it is expected that this system will be quite
satisfactory from the practical standpoint.
In the system described above, the pictorial patterns are read in as planar patterns, and new patterns
are formed by specifying movements on the flat planar
surface. However, animated cartoons are fundamentally projections on a plane surface of the movements of spatial objects.
In order to approach this problem, one may formulate, by the trial and error method, an equation
corresponding to a clay model such as that shown in
Figure 14, and the eyes and mouths can be produced
by drawing frontal diagrams. Their x-y coordinates
can be read, and assuming them to be present on this
curved surface, one can calculate z from the above
equation. If the spatial pattern is prepared in this way
as an equation, one can draw a diagram of its projection on a flat surface as long as the center, the scale,
and the direction of the designated points have been
specified.
This is, however, merely a provisional method
which can be used only for limited purposes.

We found it extremely advantageous to use hybrid techniques in order to meet the demand for faster curve displays with lower computer memory requirements. In our experiments, however, a large amount of the computing task, i.e. the calculation of tangents, was still done in the digital computer. It was desirable to develop an analog curve generator capable of generating a smooth curve given only successive point coordinates. We have developed such a curve generator, which is now in use.

ACKNOWLEDGMENT
Many thanks are expressed to Researcher Fujii,
who took charge of many sections of the actual work
in the performance of this research project.

Figure 14 - Three dimensional display of an equation extracted from a clay model, and features drawn on its surface

Stochastic computing
by B. R. GAINES
Standard Telecommunication Laboratories
Harlow, Essex, United Kingdom

INTRODUCTION
The Stochastic Computer was developed as part of a program of research on the structure, realization and application of advanced automatic controllers in the form of Learning Machines.1,2 Although algorithms for search, identification, policy-formation and the integration of these activities could be established and tested by simulation on conventional digital computers, there was no hardware available which would make construction of the complex computing structure required in a Learning Machine feasible. The main problem was to design an active storage element in which the stored value was stable over long periods, could be varied by small increments, and whose output could act as a 'weight' multiplying other variables. Since large numbers of these elements would be required in any practical system it was also necessary that they be small and of low cost. Conventional analog integrators and multipliers do not fulfill the requirements of stability and low cost, and unconventional elements such as electro-chemical stores and transfluxors are unreliable or require sophisticated external circuitry to make them usable.3 Semiconductor integrated circuits have advantages in speed, stability, size and cost, and it was decided to design a computing element based on standard gates and flip-flops which would be amenable to large-scale integration.
A binary up/down counter has the properties of an incremental store, but requires many bits if the increments are small and of variable size. If incrementing is made a stochastic process, however, 'fractional increments' may be effected in the stored count. Thus, if an increment of one-tenth of the value corresponding to the least significant bit is required, the counter may be incremented by unity with a probability of one-tenth; this is the basic principle of stochastic computing: to represent analog quantities by the probability that an event will occur. This principle was first embodied in the ADDIE, a smoothing and storage device with stochastic input and output, for realization of the STeLLA learning scheme,1 and later extended to give rise to a family of computing elements capable of performing all the normal functions of an analog computer; this was called the Stochastic Computer.4
It is impossible within the scope of this paper to do more than describe briefly a few basic stochastic computing elements and configurations; Reference 4 discusses the theoretical basis of stochastic computing and describes some previous uses of random variables in data-processing, whilst Reference 5 describes the application of stochastic computing to process identification by means of gradient techniques, Bayes estimation and prediction, and Markov modelling.

Stochastic representation of numerical data

The stochastic computer is an incremental, or
'counting,' computer whose computations involve the
interaction of unordered sequences of logic levels
(rather than digital arithmetic between binary 'words'),
and is in this respect similar to the Digital Differential
Analyser,6 Operational Hybrid Computer,7 and Phase Computer.8 In all these computers quantities are represented as binary words for purposes of storage, and
Computer. 8 In all these computers quantities are represented as binary words for purposes of storage, and
as the proportion of ON logic levels in a clocked sequence (or as the frequency of pulses in the operational computers and asynchronous DDAs) for purposes of computation. In conventional computers, however, the sequences of logic levels are generated deterministically and are generally patterned or repetitious, whereas in the stochastic computer each logic level is generated by a statistically independent process; only the generating probability of this process is determined by the quantity to be represented.
This distinction is illustrated in Figure 1, which shows typical sequences in the various forms of computer: (a) is the output from a synchronous rate multiplier, or from the 'R register' of a DDA, corresponding to a store ¾ full; it will be noted that the ON and OFF logic levels are distributed as uniformly as possible; (b) is the output of a differential

Figure 1 - Typical computing sequences in various incremental computers: (a) output from rate multiplier; (b) output from differential store; (c)-(f) ensemble of stochastic sequences


store in the Phase Computer; the OFF logic levels in a cycle all occur before the ON logic levels, giving the synchronous equivalent of a mark/space modulated signal; (c) through (f) are examples of stochastic sequences with a generating probability of ¾; any sequence [including (a) and (b)] may occur, but the proportion of ON levels in a large sample of such sequences will have a binomial distribution with a mean of ¾.
Although a probability is a continuous variable capable of representing analog data without quantization error, this variable cannot be measured exactly and is subject to estimation variance. The effect of this variance on the efficiency of representation may be seen by comparing the number of levels required by various computers to carry analog data with a precision of one part in N:
• The analog computer requires one continuous level;
• The digital computer requires log2 kN ordered binary levels;
• The DDA requires kN unordered binary levels; and
• The stochastic computer requires kN² unordered binary levels;
where k > 1 is a constant representing the effects of round-off error or variance, k = 10 say. The N² term for the stochastic computer arises because the expected error in estimating a generating probability decreases as the square-root of the length of sequence sampled.
Although this progression from 1 : log2 N : N : N² shows the stochastic computer to be the least efficient in its representation of quantity, the lack of coherency or patterning in stochastic sequences enables simple hardware to be used for complex calculations with data represented in this way.
Although there are occasions when the [0, 1] range
of probabilities may be used directly in computation,
e.g. Bayes estimation and prediction,5 it is usually
necessary to map analog variables into this range both
by scaling and shift of origin. Many mappings have
been investigated, but the two considered in this paper
are of particular interest because they give rise to
computations similar to those of the conventional
analog computer. These are:
(i) Single-line symmetric representation. - Given a quantity, E, in the range -V ≤ E ≤ V, represent it by a sequence with generating probability, p, such that:

p(ON) = ½E/V + ½     (1)

so that maximum positive quantity is represented by a logic level always ON, maximum negative quantity by its being always OFF, and zero quantity by a random sequence with equal probability of being ON or OFF.
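A sketch of representation (i) in Python (ours; V and all names are arbitrary), mapping a quantity to a generating probability, drawing a Bernoulli sequence, and inverting the mapping from the observed proportion:

```python
import random

V = 10.0

def to_probability(E):
    """Representation (i): map E in [-V, V] to a generating probability."""
    return 0.5 * E / V + 0.5

def generate(E, n, rng):
    """n statistically independent logic levels representing E."""
    p = to_probability(E)
    return [1 if rng.random() < p else 0 for _ in range(n)]

assert to_probability(V) == 1.0      # always ON
assert to_probability(-V) == 0.0     # always OFF
assert to_probability(0.0) == 0.5    # fair coin

rng = random.Random(1)
seq = generate(2.5, 100_000, rng)
E_hat = (2 * sum(seq) / len(seq) - 1) * V    # invert the mapping
assert abs(E_hat - 2.5) < 0.2
```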
(ii) Dual-line symmetric representation. - The first representation suffers from the disadvantage that zero quantity is represented with maximum variance, and when values near zero must be distinguished it is better to use a two-line stochastic representation. Let the quantity, E, in the range -V ≤ E ≤ V, be represented by sequences on two lines, the UP and DOWN lines, such that:

p(UP = ON) = E/V  if E > 0;  = 0  if E ≤ 0     (2)
p(DOWN = ON) = -E/V  if E < 0;  = 0  if E ≥ 0     (3)
These equations give a minimum variance representation which is not necessarily maintained during a computation, and the most general form of the dual-line symmetric representation follows from the inverse equation:

E/V = p(UP = ON) - p(DOWN = ON)     (4)
The next sections describe stochastic computing
elements to perform the complete range of analog
computing functions, inversion, multiplication, addition, integration, and so on, using synchronous logic
elements acting on stochastic sequences.
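The two mappings can be sketched together; the Python below (our illustration) encodes a quantity in the dual-line form of equations (2) and (3) and recovers it through equation (4):

```python
def dual_line_probabilities(E, V=1.0):
    """Representation (ii): minimum-variance UP/DOWN generating probabilities."""
    p_up = E / V if E > 0 else 0.0
    p_down = -E / V if E < 0 else 0.0
    return p_up, p_down

def represented_value(p_up, p_down, V=1.0):
    """Inverse mapping, equation (4): E/V = p(UP=ON) - p(DOWN=ON)."""
    return V * (p_up - p_down)

for E in (-1.0, -0.3, 0.0, 0.6, 1.0):
    up, dn = dual_line_probabilities(E)
    assert represented_value(up, dn) == E
    assert min(up, dn) == 0.0    # minimum variance: one line stays silent
```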


Stochastic invertors, multipliers and isolators
To multiply a quantity in representation (ii) by
-1 requires only the interchange of UP and DOWN
lines. In representation (i) the logical invertor, whose
output is the complement of its input, performs the

same function. Consider the relationship between the
probability that its output will be ON, p', and the


probability that its input will be ON, p; that is:

p' = 1 - p     (5)

From equation (1), the relationship between these probabilities and the quantities they represent is:

p = ½E/V + ½     (6)
p' = ½E'/V + ½     (7)

hence:

E' = -E     (8)

Multiplication of one quantity by another may be effected by an inverted exclusive-OR gate in representation (i), and by a pair of similar gates in representation (ii); realizations of these stochastic multipliers in NAND logic are shown in Figures 3(i) and 3(ii) respectively.


Figure 2-Stochastic invertors

For the gate of Figure 3(i) we have:

p(C) = p(A)p(B) + (1 - p(A))(1 - p(B))     (9)

and from equation (1):

p(A) = ½E/V + ½     (10)
p(B) = ½E'/V + ½     (11)

so that:

p(C) = ½(EE'/V)/V + ½     (12)

which is normalized multiplication of E by E'. A similar result is obtained for 3(ii) by substitution from equation (4) in the relationships:

p(UX) = p(U)p(U') + p(D)p(D') - p(U.U'.D.D')     (13)
p(DX) = p(U)p(D') + p(D)p(U') - p(U.U'.D.D')     (14)
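The multiplier relationships can be checked numerically. The Python sketch below is our illustration (all names invented); it evaluates the XNOR output probability analytically and then confirms it with a seeded Monte Carlo run over independent Bernoulli sequences:

```python
import random

def xnor(a, b):
    """Inverted exclusive-OR: ON when its two inputs agree."""
    return 1 - (a ^ b)

def p_out(pa, pb):
    """Equation (9): output probability of the gate of Figure 3(i)."""
    return pa * pb + (1 - pa) * (1 - pb)

V = 1.0
E1, E2 = 0.5, -0.8
pa, pb = 0.5 * E1 / V + 0.5, 0.5 * E2 / V + 0.5
# equation (12): the output represents the normalized product E1*E2/V
product = (2 * p_out(pa, pb) - 1) * V
assert abs(product - E1 * E2 / V) < 1e-12

# Monte Carlo confirmation with independent Bernoulli sequences
rng = random.Random(7)
n = 200_000
hits = sum(xnor(rng.random() < pa, rng.random() < pb) for _ in range(n))
assert abs(hits / n - p_out(pa, pb)) < 0.01
```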

An important phenomenon is illustrated by the use
of a stochastic multiplier as a squarer. For example,
it is not sufficient to short-circuit the inputs of the gate
in Figure 3 (i), for its output will then be always ON.
This difficulty arises because we have assumed, in obtaining equation (9) above, that the stochastic input sequences are statistically independent. Fortunately an independent replication of a stochastic sequence (in fact a Bernoulli sequence) may be obtained by delaying it through one event, and Figure 4 illustrates how a squarer may be constructed using the multiplier of Figure 3(i) together with a flip-flop used as a delay; similarly the multiplier of Figure 3(ii) may be used as a squarer by feeding delayed replicas of U and D to U' and D' respectively. Flip-flops used in this way act as stochastic 'isolators', performing no computation but statistically isolating two cross-correlated lines.
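A behavioural sketch (ours) of the shorted-input failure and of the delayed-replica remedy, using Python in place of hardware:

```python
import random

rng = random.Random(3)
p = 0.8                              # generating probability of the input
seq = [rng.random() < p for _ in range(200_000)]

# short-circuiting the gate's two inputs: XNOR(a, a) is always ON
assert all(1 - (a ^ a) == 1 for a in seq)

# a one-event delay gives a statistically independent replica, so gating
# the sequence against its delayed self estimates p^2 + (1-p)^2, the
# probability representing the square
agree = sum(1 - (a ^ b) for a, b in zip(seq[1:], seq))
assert abs(agree / (len(seq) - 1) - (p * p + (1 - p) * (1 - p))) < 0.01
```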

Figure 4 - Stochastic squarer

Figure 3 - Stochastic multipliers

That multiplication does occur may be confirmed by examination of the relationship between input and output probabilities for the gates of Figure 3; for 3(i) this is the relationship of equations (9) to (12) above.

Stochastic summers

Having seen how readily inversion and multiplication may be performed by simple gates, one is tempted
to assume that similar gates may be used to perform
addition. However this is not so, and stochastic logic
elements must be introduced to sum the quantities
represented by two stochastic sequences. For example,
consider two stochastic sequences in representation (i),
one representing maximum positive quantity and hence
always ON, the other representing maximum negative
quantity and hence always OFF. The sum of these
quantities is zero, and this is represented by a stochastic sequence with equal probabilities of being ON
or OFF. A probabilistic output cannot be obtained

i 52

Spring Joint Computer Conf., 1967

from a deterministic gate with constant inputs, so that stochastic behaviour must be built into the summing gates of a stochastic computer.
Stochastic summers may be regarded as switches which, at a clock-pulse, randomly select one of the input lines and connect it to the output. The output line then represents the sum of the quantities represented by the input lines, weighted according to the probability that a particular input line will be selected. The random selection is performed by internally-generated stochastic sequences, obtained either by sampling flip-flops triggered by a high bandwidth noise source, or from delayed sequences of a central pseudo-random shift-register; these sequences we call 'digital noise.'
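The behaviour of such a switch is easily sketched; the Python below (ours) models the two-input summer of representation (i) on the extreme example just described:

```python
import random

def summer_output(a, b, select):
    """Figure 5(i) behaviour: a digital-noise line randomly selects
    input A or input B and connects it to the output."""
    return a if select else b

pa, pb = 1.0, 0.0        # always-ON and always-OFF inputs: E = +V and E = -V
rng = random.Random(5)
n = 100_000
on = sum(summer_output(rng.random() < pa, rng.random() < pb,
                       rng.random() < 0.5)
         for _ in range(n))
# equation (15): p(C) = 1/2 p(A) + 1/2 p(B) = 1/2, representing zero
assert abs(on / n - 0.5) < 0.01
```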

Figure 5 - Stochastic summers

Two-input stochastic summers for quantities in representations (i) and (ii) are shown in Figures 5(i) and 5(ii) respectively; the cross-coupling between the inputs in Figure 5(ii) reduces the variance of the output. That addition does occur may be confirmed by examination of the relationship between input and output probabilities for the gates of Figure 5. For 5(i), assuming symmetrically distributed digital noise, we have:

p(C) = ½p(A) + ½p(B)     (15)

and hence from equations (10) and (11):

p(C) = ½[½(E + E')]/V + ½     (16)

which is normalized summation of E and E'. A similar result is obtained for 5(ii) by substitution from equation (4) in the relationships:

p(UX) = ½p(U)(1 - p(D')) + ½p(U')(1 - p(D))     (17)
p(DX) = ½p(D)(1 - p(U')) + ½p(D')(1 - p(U))     (18)

Stochastic integrators, the ADDIE and interface
The basic integrator in a stochastic computer is a reversible counter; if this has N+1 states, then the value of the integral when it is in its k'th state is:

I = (2k/N - 1)V     (19)

If this quantity is to be used in further computations it must be made available as a stochastic sequence, and this may be generated by comparing the binary number in the counter with a uniformly distributed digital random number (obtained from a central pseudo-random shift-register or a sampled cycling counter). In representation (i) the integrator output line is ON if the stored count is greater than the random number. In representation (ii) the stored count is regarded as a number in twos-complement notation, whose magnitude is compared with the random number, and whose sign together with the result of this comparison determines whether the UP or DOWN output lines shall be ON.

Figure 6 - Stochastic integrators

Figure 6 shows two-input stochastic integrators for each representation with output lines as described above, and gating at the input of the counters to form the sum of the quantities represented by the input lines (stochastic summing is not required because the number of lines used to represent the sum is greater than the number of lines used to represent each input). A HOLD line at the input of the integrators determines whether they are in the integrate or hold modes, and the normal integrator symbol is used for the overall device as shown in Figure 7.

Figure 7 - Integrator symbol

That integration does occur may be confirmed by examination of the expected increment, δ, in the counter at each clock-pulse. For 6(i):

δ = (2V/N)[p(A)p(B) - (1 - p(A))(1 - p(B))]     (20)
  = (E + E')/N     (21)

by substitution from equations (10) and (11), which is equivalent to an integrator with a time-constant:

T = N/f     (22)

where f is the clock-frequency. A similar result may be obtained for 6(ii) by substituting from equation (4) in the relationship:

δ = (2V/N)[2p(U)p(U') + p(U)(1 - p(U')) + p(U')(1 - p(U)) - 2p(D)p(D') - p(D)(1 - p(D')) - p(D')(1 - p(D))]     (23)
  = (2V/N)[p(U) - p(D) + p(U') - p(D')]     (24)
  = 2(E + E')/N     (25)

which is equivalent to integration with a time constant:

T = N/2f     (26)

where f is the clock-frequency.

Figure 8 - ADDIE

The integrator with unity feedback illustrated in Figure 8 is called an ADDIE, and performs the important function of exponentially averaging the quantity represented by its input. In terms of the quantity represented it may be regarded as a transfer function 1/(s + 1), and in terms of the stochastic sequences it may be shown that the fractional count in the store tends to an unbiased estimate of the probability that the input line will be ON at a clock-pulse (for the integrator of Figure 6(i) connected as in Figure 8). That is, for an N+1 state store in its k'th state:

p(INPUT = ON) = k/N     (27)

with an estimation time of order N clock-pulses, and a final variance:

σ² = p(1 - p)/N     (28)

Thus any quantity represented linearly by a probability in the stochastic computer may be read out to any required accuracy by using an ADDIE with a sufficient number of states; but the more states, the longer the time-constant of smoothing and the lower the bandwidth of the computer. Since the distribution of the count in the integrator is binomial, and hence approximately normal for large N, variables within the stochastic computer may be regarded as degraded by Gaussian noise whose power increases in proportion to the bandwidth required from the computer.
Integrators or ADDIEs form the natural output interface of the stochastic computer. Integrators with their HOLD lines OFF also form the input interface for digital or analog data, since binary numbers may be transferred directly into the counter to generate a stochastic output sequence, and analog quantities may be converted to binary form by comparison with a standard ramp generated by a cycling counter driving a digital/analog convertor. Similarly an integrator may be used to hold a constant and thus act as a 'potentiometer' if coupled to a multiplier. Arbitrary functional relationships may be realized by imposing a suitable nonlinear relationship between the stored count and the stochastic output; for example, an integrator whose output is ON when the count is equal to or above mid-value, and OFF when it is below mid-value [in representation (i)], approximates to a switching function.

Figure 9 - Stochastic second order transfer function - response to unit step in position and velocity
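A simplified behavioural model (ours; counter plus comparator, names invented) of the ADDIE estimating an input generating probability:

```python
import random

def addie(inputs, N, rng):
    """Unity-feedback stochastic integrator: the fractional count tends to
    an unbiased estimate of the input's generating probability, eq. (27)."""
    count = N // 2
    for bit in inputs:
        # stochastic output: ON with probability count/N
        out = count > rng.randrange(N)
        if bit and not out and count < N:
            count += 1           # input ON, output OFF: count up
        elif out and not bit and count > 0:
            count -= 1           # input OFF, output ON: count down
    return count / N

rng = random.Random(11)
p = 0.7
estimate = addie((rng.random() < p for _ in range(100_000)), N=1024, rng=rng)
assert abs(estimate - p) < 0.08    # final s.d. is sqrt(p(1-p)/N), about 0.014
```

The trade-off of equation (28) is visible here: a larger N gives a smaller final variance but a longer settling time.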


Higher-order smoothing than that of the ADDIE may be realized by connecting integrators in cascade with appropriate feedback loops. The inset of Figure 9 shows a stable second-order stochastic transfer-function using two stochastic integrators in representation (i). If the first integrator has M+1 states, and the second N+1, then the transformation realized is:

(MN/f²)(d²Eout/dt²) + (M/f)(dEout/dt) + Eout = Ein     (29)

where f is the clock-frequency, so that the undamped natural frequency is:

fn = f/2π(MN)^½     (30)

and the damping ratio is:

ζ = ½(M/N)^½     (31)

The responses to unit step in position and velocity for the two conditions M = 2^10, N = 2^10 and M = 2^9, N = 2^10 are shown in Figure 9; these were obtained on the Mark I Stochastic Computer at STL.
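Equations (30) and (31) are direct to evaluate; a Python check (ours) on the two conditions plotted in Figure 9:

```python
import math

def second_order_params(M, N, f):
    """Equations (30) and (31): undamped natural frequency and damping
    ratio of the two-integrator loop of Figure 9."""
    fn = f / (2 * math.pi * math.sqrt(M * N))
    zeta = 0.5 * math.sqrt(M / N)
    return fn, zeta

fn, zeta = second_order_params(2**10, 2**10, f=500.0)
assert abs(zeta - 0.5) < 1e-12                 # equal stores give zeta = 1/2
assert abs(fn - 500.0 / (2 * math.pi * 1024)) < 1e-9
_, zeta2 = second_order_params(2**9, 2**10, f=500.0)
assert zeta2 < zeta                            # halving M lowers the damping
```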

Generation of stochastic sequences
The central problem in constructing a stochastic computer is the generation of many stochastic sequences (K for each integrator, where K is the number of flip-flops in the integrator counter), which are neither cross-correlated nor autocorrelated, and which have known, stable generating probabilities. This reduces to a requirement for a number of independent sequences each with a generating probability of ½, since any probability may be expressed as a fractional binary number and realized to any required accuracy by appropriate gating of a set of lines equally likely to be ON or OFF. For example, Figure 10 illustrates one technique for generating stochastic sequences with a generating probability of ½ by sampling flip-flops toggling rapidly from a noise source; the following NAND gates convert two of these sequences to one with a generating probability of ¾. This may be confirmed from the relationship:

p(C) = (1 - p(A)) + p(A)p(B) = ¾     (32)

The generation of digital noise as shown in Figure 10 is quite attractive, since radio-active or photon-emitting sources may be coupled directly to semiconductor devices to form random pulse generators. It suffers from the disadvantage that very high toggling rates must be attained in FF1 and FF1', and sampled by very narrow strobes in FF2 and FF2', if a high clock-frequency is to be used.
The Mark I Stochastic Computer had six ten-bit integrators, each with its own internal digital noise source consisting of ten-bit counters cycling at a high clock-frequency. These counters were sampled at a very much lower and anharmonic clock-frequency to
Figure 10 - Generation of stochastic sequence (p = ¾)

give an effectively random output. This was not a practical arrangement, since the sampling frequency had to be so low (500 c/s) that the overall bandwidth of the computer was only 0.1 c/s; as an experimental tool, however, it has enabled us to check out configurations, such as that of Figure 9, whose behaviour is difficult to determine theoretically.

Figure 11 - Central pseudo-random generator

The Mark II Stochastic Computer, at present under construction, uses entirely different techniques which have reduced both size and cost and increased the clock-frequency to 1 Mc/s. A single, central pseudo-random shift-register9,16 is used to generate stochastic

sequences for all computing elements. Different sequences for each element are obtained by appropriate exclusive-OR gating of the shift-register outputs, giving delayed replicas of the sequence in the shift-register itself. Such a generator is illustrated in Figure 11, and with 43 flip-flops it is capable of supplying 100 16-bit integrators for one hour without cross-duplication.
Serial arithmetic is used in the integrators of the Mark II computer, so that the counter may be realized using shift-registers and the comparators by far fewer gates. In this way a sixteen-bit stochastic integrator may now be fabricated from only six dual in-line packages. A clock-frequency of 16 Mc/s in the shift-registers gives rise to a clock-frequency of 1 Mc/s in the stochastic computer, and respectable bandwidths of 100 c/s or so may now be attained.
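The principle of the central generator can be illustrated with a small maximal-length shift register; the 16-bit Galois LFSR below is a textbook example (not the paper's 43-flip-flop design). It visits every non-zero state exactly once per period, so its output levels are equally likely to be ON or OFF to within one part in 2^16:

```python
def lfsr16(state):
    """One step of a maximal-length 16-bit Galois LFSR (taps 16, 14, 13, 11)."""
    lsb = state & 1
    state >>= 1
    if lsb:
        state ^= 0xB400
    return state

# the register visits every non-zero state exactly once: period 2^16 - 1
state, period = 1, 0
while True:
    state = lfsr16(state)
    period += 1
    if state == 1:
        break
assert period == 2**16 - 1

# over a full period the output bit is ON 2^15 times and OFF 2^15 - 1 times
ones, state = 0, 1
for _ in range(2**16 - 1):
    state = lfsr16(state)
    ones += state & 1
assert ones == 2**15
```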

Applications of stochastic computers
The Stochastic Computer was developed for problems arising in automatic control, and immediate applications are apparent mainly in the fields of adaptive
control and adaptive filtering. Gradient techniques for
process identification and on-line optimization are the
simplest examples of powerful control methods which
lack the hardware necessary for their full exploitation. Direct digital control using conventional computers
is not practical with a small plant, and conventional
analog computers· are expensive because of the large
numbers of multipliers required. Two-level or polaritycoincidence multiplication10.11 has been suggested 12 as
one means of realizing gradient techniques cheaply
and reliably using digital integrated circuits; however
a comparison of six techniques for multiplication in a
steepest-descent computation has shown that, for the
same convergence-time, polarity-coincidence and relay multiplication give much greater variance in parameter estimates than does the equivalent stochastic-computing configuration.5 In this particular computation the stochastic multiplier may be regarded as a
statistically-linearized13,14 polarity-coincidence multiplier, and the addition of sawtooth dither to the input
signals, which has been suggested as a means of effecting such linearization,11,15,16 may be seen as a technique for obtaining a pseudo-stochastic sequence.
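For a reader wishing to see the principle in miniature, the following Python sketch (illustrative only; it models none of the Mark II circuitry) multiplies two quantities by AND-gating independent random bit streams. In the unipolar stochastic representation a quantity 0 <= v <= 1 is carried as the probability that a clocked binary line is 1, so a single AND gate multiplies, since P(a AND b) = P(a)P(b):

```python
import random

def stream(value, n, rng):
    """Bernoulli bit stream whose probability of a 1 is `value`."""
    return [1 if rng.random() < value else 0 for _ in range(n)]

rng = random.Random(5)
n = 200_000                    # clock periods averaged over
a, b = 0.6, 0.5
# One AND gate per clock period performs the multiplication.
product = [x & y for x, y in zip(stream(a, n, rng), stream(b, n, rng))]
estimate = sum(product) / n    # converges on a * b = 0.30
```

The variance of the estimate falls only as 1/n, which is the price paid for the extreme economy of the gating.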
Maximum likelihood prediction based on Bayes inversion of conditional probabilities is the basis of many
'learning machines' for control and pattern-recognition,
but the equations for estimation and prediction are
difficult to realize with conventional computing elements, and a stored-program digital computer has been
required for experiments with this technique. Using a
three-input variation of the ADDIE, however, the
estimation of normalized likelihood ratios, and pre-

diction based on them, become very simple operations
requiring little hardware. 5
The theoretical basis for the economy in hardware
offered by stochastic computing lies in a theorem of
Rabin17 and Paz,18 to the effect that a stochastic (or
probabilistic) automaton is equivalent to a deterministic automaton which generally has more states. An
immediate practical example of this phenomenon may
be found in adaptive threshold logic as used in pattern-classifiers such as the Perceptron19 or Adaline.20 An
adaptive threshold logic element with discrete weights
will not necessarily converge under the Novikoff conditions,21 even though the weights can take values
giving linear separation, whilst the equivalent stochastic element may be shown to converge under the
same conditions. 5
A pictorial explanation of this difference is that the
direction of steepest descent followed in adaptive
threshold logic with continuous weights cannot be
taken if the weights are discrete, and there are then
several directions of 'almost steepest descent.' Deterministic logic has to 'choose' one of these directions and,
if it is the 'wrong' one, may get into a cycle of wrong
decisions, whereas stochastic logic has a probability of
taking any of the possible directions of descent and is
bound to take the right one eventually.
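This argument can be caricatured in a few lines of Python (a toy model with invented direction names, not the adaptive threshold logic itself): a fixed deterministic tie-break never tries the 'right' direction and so can cycle forever, while a randomized choice selects every candidate direction with positive probability and therefore takes the right one eventually:

```python
import random

rng = random.Random(7)
directions = ["d0", "d1", "d2"]   # hypothetical tied 'almost steepest' moves
right = "d2"                      # the direction that escapes the cycle

# Deterministic logic: the tie-break always picks the same direction.
deterministic = [directions[0] for _ in range(1000)]

# Stochastic logic: each step picks uniformly among the tied directions,
# so the right one is tried with probability 1 - (2/3)**n over n steps.
stochastic = [rng.choice(directions) for _ in range(1000)]
```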
CONCLUSION
The main performance measures of a computer are
size and range of possible problems, speed and accuracy of solution, and physical size, reliability and
cost of the computer. There are strong interactions
between these measures and it is unlikely that any
one form of computer will ever be optimal on all
counts. The identification and simulation of complex
processes, and the realization of multi-variable control
systems, requires large numbers of computing elements such as multipliers, summers and integrators,
working simultaneously and costing little. However
these elements do not have to compute a solution
quickly or accurately, for a bandwidth of 10 cs and
an overall accuracy of 1% is adequate in the simulation of economic and chemical processes, and in control systems where feedback is operative a computational accuracy of 10% may be ample. In these situations it is advantageous to trade the accuracy of the
digital computer and the speed of the analog computer,
for the economy of the stochastic computer.
ACKNOWLEDGMENTS
My thanks are due to Dr. J. H. Andreae (now at
University of Canterbury, Christchurch, N.Z.) for long
discussions on learning machines and computers, and
for his criticism of this manuscript; to Mr. P. L. Joyce

for constructing the first Stochastic Computer and obtaining the results of Figure 9, and to S.T.L. for permission to publish this paper.
REFERENCES
1 J. H. ANDREAE Learning machines in Encyclopaedia of Information, Linguistics and Control Pergamon Press, to be published
2 B. R. GAINES and J. H. ANDREAE A learning machine in the context of the general control problem Proceedings of the 3rd Congress of IFAC 1966
3 G. NAGY A survey of analog memory devices IEEE Trans. Electron. Comp. 12 388 1963
4 B. R. GAINES Stochastic computers in Encyclopaedia of Information, Linguistics and Control Pergamon Press, to be published
5 B. R. GAINES Techniques of identification with the stochastic computer Proc. IFAC Symp. Problems of Identification 1967
6 F. V. MAYOROV and Y. CHU Digital differential analysers Iliffe Books, London 1964
7 H. SCHMID An operational hybrid computing system IEEE Trans. Electron. Comp. 12 715 1963
8 B. R. GAINES and P. L. JOYCE Phase computers 5th AICA Congress 1967
9 W. W. PETERSON Error correcting codes MIT Press & Wiley, New York 1961
10 C. L. BECKER and J. V. WAIT Two-level correlation on an analog computer IRE Trans. Electron. Comp. 10 752 1961
11 B. P. TH. VELTMAN and A. van den BOS The applicability of the relay correlator and the polarity coincidence correlator in automatic control Proc. 2nd Congress IFAC 1963
12 P. EYKHOFF, P. M. van der GRINTEN, H. KWAKERNAAK, B. P. TH. VELTMAN Systems modelling and identification Survey Paper 3rd Congress of IFAC 1966
13 O. I. ELGERD High frequency signal injection: a means of changing the transfer characteristics of nonlinear elements WESCON 1962
14 A. A. PERVOZVANSKII Random processes in nonlinear control Academic Press, New York 1965
15 P. JESPERS, P. T. CHU, and A. FETTWEIS A new method to compute correlation functions Proc. Int. Symp. Inf. Theo. 1962
16 G. A. KORN Random-process simulation and measurement McGraw-Hill, Inc. 1966
17 M. O. RABIN Probabilistic automata Inf. & Contr. 6 230 1963
18 A. PAZ Some aspects of probabilistic automata Inf. & Contr. 9 26 1966
19 F. ROSENBLATT A model for experimental storage in neural networks in Computer and Information Sciences Spartan Books, Washington, D.C. 1964
20 B. WIDROW and F. W. SMITH Pattern-recognizing control systems in Computer and Information Sciences Spartan Books, Washington, D.C. 1964
21 A. NOVIKOFF Convergence proofs for perceptrons in Mathematical Theory of Automata Polytechnic Press, Brooklyn & Wiley Interscience 1963

The people problem: computers
can help
by E. R. KELLER, 2nd and S. D. BEDROSIAN
University of Pennsylvania
Philadelphia, Pennsylvania

INTRODUCTION
Each day tens of millions of people parade in and
out of our academic and industrial facilities in search
of their daily bread. Of these, many find their work
challenging and stimulating. Countless others, however, are reduced to vestiges of human spirit by the
frustrations of their environment, boredom with lack
of responsibility, or misdirection of their talents.
Consequently, they approach their assignments with
something less than a maximum of enthusiasm.
Meanwhile each day thousands of holes in personnel pegboards go unfilled. Positions requiring
skill at all levels remain unclaimed because of inadequate or unavailable descriptions of qualified
workers. Personnel Departments charged with the
responsibility of recruiting, retaining, and developing
effective human support for their respective organizations are often hopelessly frustrated by their inability to bring together people and jobs. From the
standpoint of computer implementation we may interpret this as the problem of mapping a set of tasks
into a universe of talents.
A natural recourse, for people so inclined, is to
attempt to manage this massive matching operation
through computer mechanization. As evidenced by
pertinent articles in such magazines as Business
Week,1,2,3 American Education,4 and Dun's Review,5
the people problem is far from being ignored. Although
the mechanization of personnel information is by
no means a novel concept, the mass storage of comprehensive analyses of individuals is in its infancy.
Of the many personnel data systems now in existence,
those of Esso1 and IBM2 seem to be the most comprehensive and coordinated. From a cursory inspection, however, even those do not appear to
treat the many details necessary to exploit fully
the employee's desires and capabilities for future
work, especially if unrelated to his present (or past)
assignment. Through the use of existing techniques

in mechanized inference-making6 and by judicious
application of on-line storage and retrieval systems
6,7,8,9 it should be possible to develop and maintain
a work force consisting primarily of interested
workers. One can envision for instance filling a vacated position with someone from a relatively unrelated position by exploiting his competence in a
hobby.
We are concerned more with the general problem
of storage and retrieval systems than with a particular application of them. In fact, the system described in this paper is directed toward flexibility
of application rather than toward implementation of
a specific file type. In order to demonstrate the
utility of the system, data for use in resolving the
people problem are being collected, stored and
applied at the University of Pennsylvania.
System organization
The filing system

The communication language and the system of interpretive processors used for maintaining the information files and for manipulating the information
during retrieval and output are named, collectively,
GENERAL STORE. The overall system layout is
shown in Figure 1. Although an input item to GENERAL STORE may be constrained in its form or its
relation to other items in storage at the discretion of
the user, GENERAL STORE is indiscriminate as to
the nature of information stored in its files. For
instance in the pilot model, a file of mechanical and
electrical descriptions of electronic assemblies for
use in system design and test is stored along with personnel information.10 In addition the user is permitted
a maximum of flexibility in describing procedures for
controlling file maintenance, interfile retrieval, and
manipulation of data for output.
We turn now to the specific objectives in the conceptual design of GENERAL STORE which have
been implemented in greater or less degree. In general, however, the following discussion focuses on our
goals rather than accomplishments. In fact, the GENERAL STORE concept could be implemented, with
some reservations, as an extension of many existing
on-line systems of which the Problem Solving Facility at the University of Pennsylvania7 is an example.

[Figure 1 - General store system diagram: the GENERAL STORE System Executive linking the structured
files and constraints with the report generator]

List structured data files
Just as the technique of preparing an outline is a
familiar and powerful organizational tool for nearly
everyone who has set pen to paper, the structuring
of data records is becoming a commonplace solution
to the problems of storing variable length, multiple
entry, or historical information. This development is
due in the main to LISP,11 IPL-V,12 and certain other
existing list processing languages13,14,15,16 through
which manipulation of complicated data structures
is simplified.
In concept, each data file in GENERAL STORE
has associated with it an ordinary outline describing
the contents of a record in that file. By means of this
outline both the user and the machine can establish a
useful means of communicating information about the
file so defined.

Figure 2 - General store fixed file description:

Outline Item    Description
1               Document Name
2               (Authorship)
2.1             (Author 1)
2.1.1           Name
2.1.2           Address
2.1.3           Affiliation
2.2             (Author 2)
2.2.1           Name
2.2.2           Address
2.2.3           Affiliation
3               (Publisher)
3.1             Publisher's Name
3.2             Publisher's Address

In Figure 2 is shown an example of an elementary
bibliographic file as the description might be given
to GENERAL STORE. The numbers represent a
means by which the user may reference each line of
the outline, and names are symbols by which the user
may refer to each line. Some lines are contained in
parentheses to indicate that these lines never actually contain data but are used only as classifications
for, or pointers to, the items subordinate to them in
the structure. These lines represent intermediate
entries in the end-point code for each data line.
This figure contains locations in the structure for
information about two authors. As shown in Figure
3, the concept of multiple authorship can be indicated more concisely by replacing the author
number with a letter. This practice permits the letter
specified to assume any integral value. In fact, the
number of items at any level may be specified as a
variable.
Data may be represented for input to GENERAL
STORE in at least two ways. First, it is possible
to specify an item for entry by stating a reference,
either as a number or name from its outline description, followed by the pertinent information. In addition, GENERAL STORE employs a flexible system which permits specification of the line name by
an abbreviation of the user's choosing. The second
method involves writing the input information in a
more conventional list notation where each sublist
is enclosed in parentheses. Examples of these alternatives are shown in Figure 4.
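In present-day terms the two reference routes might be sketched as follows (the syntax only loosely mirrors the GENERAL STORE input forms, and the name table is a partial invention based on the bibliographic outline): an item can be addressed either by its outline number, e.g. "2.1.1", or through a name path such as "AUTHOR 1/NAME", and both routes reach the same slot in a nested record.

```python
# Hypothetical name-to-number table for part of the bibliographic outline.
NUMBER_OF = {
    "AUTHOR 1/NAME": "2.1.1",
    "AUTHOR 1/ADDRESS": "2.1.2",
    "AUTHOR 1/AFFILIATION": "2.1.3",
}

def store(record, number, value):
    """File `value` under a dotted outline number, creating levels as needed."""
    *levels, leaf = number.split(".")
    for key in levels:
        record = record.setdefault(key, {})
    record[leaf] = value

record = {}
store(record, "2.1.1", "JONES, BT")                       # reference by number
store(record, NUMBER_OF["AUTHOR 1/ADDRESS"],              # reference by name
      "3120 WALNUT ST. - PHILA., PA.")
# record is now {"2": {"1": {"1": ..., "2": ...}}}, the nested (list)
# structure that the conventional list-notation entry writes out directly.
```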
[Figure 3 - General store comparison of fixed and variable file descriptions: where the fixed file lists
(Author 1) and (Author 2) explicitly, the variable file replaces them with a single entry 2.N (Author N)
having sub-items 2.N.1 Name, 2.N.2 Address and 2.N.3 Affiliation, so that N may assume any integral value]

Relocation of programs and data
in available storage
Since GENERAL STORE is intended to be implemented on a computer having limited storage
capacity in any one device, it has been necessary
to design the system in such a way that only active
programs and data are stored in the fastest memory
devices.17 The user, by specifying to which files
he will need access, causes GENERAL STORE to
arrange for as many of these files as possible to be
loaded into direct-access devices. Files not so specified will still be available during processing, but
may entail longer access times.
Flexible arithmetic and string
manipulating functions

The user may in some cases request standard
output formats and may give specific information
for input. In this system he has been provided with
a report-generating facility and the ability to describe
procedures to be followed in selecting records for
output or in preparing a record for output. By making
available to the user a set of list-processing functions
in a language understood by the GENERAL STORE
Interpreter, or included as a program in the GENERAL STORE data files, he can perform extensive
modification of any item. Such modification may
be made either in terms of other items in the file
or on the basis of information introduced at the time
of modification.

User-defined constraints on input data
In preparing an outline to describe a file, the user
may include certain restrictions to be placed on the
data that will fill each outline item. In this way, a
considerable amount of checking can be done by the
processor to help insure the validity of input data.
For example, the constraints may simply require that
the data contain only numeric characters, or that
the input field be a particular fixed length. Again,
constraints specifying a relationship among parameters in this or other files may be stipulated. This
procedure is demonstrated by the personnel file described in Figure 5. Shown with the description are a
few examples of constraints which may be imposed
on input data. Of particular interest is the restriction
of total salary to a value greater than or equal to the
sum of all individual project salaries.
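A minimal sketch of such constraint checking, with hypothetical field names and predicates rather than GENERAL STORE's actual notation:

```python
# Three of the constraint kinds described above: numeric-only data,
# a fixed field length, and a relational constraint tying one item
# to others in the same record.

def numeric_only(field):
    return field.isdigit()

def fixed_length(n):
    return lambda field: len(field) == n

def check_salaries(record):
    """Relational constraint: total salary >= sum of project salaries."""
    return record["total_salary"] >= sum(record["project_salaries"])

employee = {                         # invented sample record
    "employee_number": "04172",
    "total_salary": 11500.00,
    "project_salaries": [6000.00, 4500.00],
}

ok = (numeric_only(employee["employee_number"])
      and fixed_length(5)(employee["employee_number"])
      and check_salaries(employee))  # all three constraints hold here
```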
Interfile reference
Just as in specifying constraints, the boundaries of
a single file may be crossed at will when specifying
criteria for retrieval. In fact, it may be convenient
to think of each data file as a sublist of items in the
master file structure. It is exactly in this way that
programs and data fit into the GENERAL STORE
concept.

Figure 4 - General store input forms:

(2.1.1 = JONES, BT)
(2.1.2 = 3120 WALNUT ST. - PHILA., PA.)
(2.1.3 = UNIV. OF PENNA.)
        REFERENCE BY NUMBER
OR
(AUTHOR 1/NAME = JONES, BT)
(AUTHOR 1/ADDRESS = 3120 WALNUT ST. - PHILA., PA.)
(AUTHOR 1/AFFILIATION = UNIV. OF PENNA.)
        REFERENCE BY NAME
OR
2 = ((JONES, BT)(3120 WALNUT ST.)(UNIV. OF PENNA.))
        CONVENTIONAL LIST ENTRY

Figure 5 - Possible constraints on input data:

Outline Item    Description             Constraint
1               Employee Number         FORM XXXXX
2               Name
3               (Address)
3.N             (Address N)
3.N.1           Date first occupied
3.N.2           Address
4               Phone
5               (Earnings)
5.1             Total Salary            FORM SXXXXX.XX; MAG >= sum of all (5.M.2)
5.M             (Project M)
5.M.1           Fund Number
5.M.2           Project M Salary        FORM XXXXX.XX

Complete operating instructions
At any point a user may request guidance from the
system as to what alternative steps are available to
him, or how to proceed in accomplishing a specific
goal. It should be possible, given the ability to gain
access to the system, for an uninitiated user to bootstrap his way into useful, and possibly even optimal,
operation of GENERAL STORE. For example, a
prospective user need only know that GENERAL
STORE contains information pertinent to his problem and that he can at any time request aid from the
system by pressing an interrupt key. Following an
affirmative response to the initial system-generated
question:

DO YOU NEED HELP? TYPE (YES) OR (NO),
a dialogue ensues in which the user may be informed
of the different types of file available and the data
contained in each file. If a useful file is disclosed,
a discussion may be requested concerning the elementary techniques for retrieving items from specific
records. Logical statements are then written which
define retrieval constraints on the items to be observed and on other items in the same record. As
the user gains facility, he is introduced to techniques involving more complex functions of the form
and magnitude of the data fields. If he wishes to
spend the computer time and money, the user can
eventually learn from the system itself virtually
all of the operating details of GENERAL STORE.
Optional queueing of ajob for
deferred production
During any retrieval procedure, the approximate
number of records which will result is noted by
GENERAL STORE and may be requested in advance by the user. If either this number or the time
estimate for completion of the job appears to be
too large, the user has two options. First, he may reduce the scope of his request and reinitiate searching,
or second, he may place the procedure and data in a
production queue with a specified priority. Jobs in the
queue will be performed in order of priority when the
system is not involved with real time operation.
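The deferred-production queue can be sketched with a standard priority heap (the job names are invented for illustration):

```python
import heapq
import itertools

queue = []
seq = itertools.count()            # tie-break keeps equal priorities FIFO

def defer(priority, job):
    """Place a job in the production queue; lower number = higher priority."""
    heapq.heappush(queue, (priority, next(seq), job))

defer(2, "reformat personnel file")
defer(1, "large retrieval, 40000 records")    # most urgent
defer(2, "monthly report")

# When the system is free of real-time work, jobs come off in
# priority order, and equal priorities in order of submission.
run_order = [heapq.heappop(queue)[2] for _ in range(len(queue))]
```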
File protection
GENERAL STORE allows the user to modify
the contents of a file not only by introducing data
directly from the outside, but also by writing a
procedure which will operate on items within the
file as well as on external data. As mentioned earlier,
it is often the case that constraints specified by the
user will be adequate to check modification procedures. However, when it is felt that the constraints
are not adequate to ensure proper updating, the user
may request a display of the files as they would appear
after modification but without actually introducing
a permanent change. As a further hedge against
unintentional destructive modification of its files,
GENERAL STORE maintains a complete historical
record of the transactions it has processed. This
record may be used to recreate the file structure
if necessary.
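The recovery idea, replaying a historical transaction record to recreate the file structure, might be sketched as follows (the log layout is assumed purely for illustration; the paper does not describe GENERAL STORE's actual format):

```python
# Append-only transaction record: every accepted modification is logged
# before it is applied, so the current file can be recreated at any
# time by replaying the log from the beginning.

log = []

def apply_op(file, op, key, value=None):
    if op == "set":
        file[key] = value
    elif op == "delete":
        file.pop(key, None)

def commit(file, op, key, value=None):
    log.append((op, key, value))   # record the transaction first
    apply_op(file, op, key, value)

def recreate():
    """Rebuild the file from scratch by replaying the historical record."""
    file = {}
    for op, key, value in log:
        apply_op(file, op, key, value)
    return file

live = {}
commit(live, "set", "2.1.1", "JONES, BT")
commit(live, "set", "4", "EV 6-1234")
commit(live, "delete", "4")
# recreate() now reproduces the live file exactly.
```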
Delayed completion of on-line procedure
It is often the case that a user has not allocated
enough on-line time to complete a particular procedure. By using the appropriate features of GENERAL STORE, the user can store his procedure and
the intermediate results in such a way that they can
be subsequently recalled. The resultant effect is
one of no apparent interruption in processing.
Storage and modification of procedures
Although some procedures may be used only once
and discarded when the results have been obtained,
it is more likely that others will be used repeatedly.
This eventuality is accommodated by storing these
complicated procedures with variations as required
for execution on different sets of data.
A filing system having many of the characteristics
of GENERAL STORE is being used to store personnel information on research workers at the University of Pennsylvania. By storing job descriptions,
historical analyses, and the individual's own interpretation of his capabilities and his interests, it is
anticipated that Personnel Directors will have a new
tool with which to move closer to their goal of successfully matching jobs and people. Preliminary to full
scale implementation of GENERAL STORE on an
IBM System/360 computer, pilot runs are being made
using programs developed for the IBM 1401 and
IBM 7040.
Data collection
Collection of original and up-date information is
by far the most time consuming, unreliable, and
frustrating of all the tasks involved in operating the
personnel file. This feature is by no means unique to
the approach under discussion. Its solution relies
heavily on the proper approach not only to each individual, but also to the managers of the institution
or department for which he works. Through frequent,
but unobtrusive, contact with the individuals, and
by building an attractive, responsible, and worthwhile image of the system, it is hoped that the problems generally encountered in massive personnel
data collection can be minimized.
The personnel file concept described herein is
completely in step with the times. Never before
has the people problem centered so specifically on
getting the right person in the right job. Technological progress accompanied by social unrest has introduced new pressures on individuals and on employers. One has only to read current help-wanted
advertising in any newspaper to see evidence of the
present magnitude of a perennial problem which has
been complicated by the introduction of new requirements based on new skills stemming from new technologies. One advertisement which appeared in the
New York World Journal Tribune for October 20,
1966, was presented essentially in the form of a
structured list with eight first-level descriptors, 22
second-level and more than 195 third-level descriptors. We submit that without competent assistance
neither an individual nor his prospective employer
can respond effectively to an advertisement written
to this degree of specificity. In our judgment, the
most promising approach to the "People Problem"
at this time lies in full and intelligent cooperation
between computers and people.


ACKNOWLEDGMENTS
The research on which this paper is based was performed at the I nstitute for Cooperative Research
of the University of Pennsylvania. It was supported
in part by the U. S. Navy under Contract NObsr-95215. The authors wish to acknowledge with thanks
the stimulating discussions with Mr. A. M. Hadley
and also critical evaluation of the manuscript for
this paper.
REFERENCES
1 Describing men to machines Business Week 113 4 June 1966
2 Computers move up in personnel ranks Business Week 118 23 Oct 1965
3 Picking top men Business Week 97 6 March 1965
4 W. O. REED Data link American Education 31 1 June 1965
5 Office services Dun's Review 86 part 2 166 Sept 1965
6 M. E. MARON, R. LEVIEN Relational data file: a tool for mechanized inference execution and data retrieval 3rd National Colloquium on Information Retrieval University of Pennsylvania May 1966
7 N. S. PRYWES A problem solving facility Moore School of Electrical Engineering 20 July 1965
8 TOLLE INFOL: a generalized language for information storage and retrieval application Control Data Corp April 1966
9 Generalized information system IBM Application Program White Plains New York 1965
10 A. M. HADLEY et al Project monidan final report on contract NObsr-95215 Dept of Navy BuShips The Institute for Cooperative Research University of Pennsylvania 30 June 1966
11 J. McCARTHY et al LISP 1.5 programmer's manual MIT Press Cambridge Mass 1962
12 A. NEWELL Information processing language V Prentice-Hall Englewood Cliffs N.J. 1961
13 G. LOEV SLIP list processor University of Pennsylvania Computer Center Philadelphia Pa April 1966
14 K. C. KNOWLTON A programmer's description of L6 Communications of the ACM 9 8 616 1966
15 COMIT programmer's reference manual Research Lab of Electronics MIT Cambridge Mass 1961
16 D. J. FARBER, R. E. GRISWOLD, I. P. POLONSKY SNOBOL: a string manipulation language Journal ACM 11 21 Jan 1964
17 W. C. McGEE On dynamic program relocation IBM Systems J 4 3 184 1965

File handling at Cambridge University
by D. W. BARRON, A. G. FRASER, D. F. HARTLEY,
B. LANDY and R. M. NEEDHAM
The University Mathematical Laboratory
Cambridge, England

INTRODUCTION

On designing a filing system

The file handling facility now in use on the Titan*
computer at the University Mathematical Laboratory,
Cambridge provides storage for data over indefinitely
long periods of time and yet contrives to make that
data available on demand. An 8 million word disc
is augmented by the use of magnetic tape. The organization of this available space is entirely a system
responsibility and the user can normally expect data
to be transferred into his immediate access store
area on demand.
The filing system is part of a multi-programming
system which has the ability to hold several user
programs simultaneously in the core store, and provides on-line facilities for interacting with these programs. Jobs are initiated either off-line for normal
job-shop working, or through console keyboards for
interactive on-line working. Several of the basic
concepts of the Titan system have been derived from
the earlier supervisor written for the Atlas 1.1 In
particular, the concept of a storage "well" which is
used to buffer all data passing to and from the "slow
peripherals" was an essential part of the Atlas system. This well has been implemented at Cambridge
as an integral part of the more versatile file handling
mechanism now described. The concept of a standard
internal code with interpretation for every peripheral
is also carried over from the earlier work.
The file handling proposals for the Multics system3 had an important influence on the design as did
the experience gained during an earlier attempt at
implementing a permanent storage facility.2 The final
choice is a compromise between a number of conflicting requirements. Some of these are listed below.
This choice was not made easier by the realization
that it would have a profound influence on the future
pattern of machine use.

Paramount amongst the design requirements for
a filing system is the need for confidence on the part
of the user. To obtain this the protection given against
the effects of system failure must be demonstrably
adequate. The user must also be able to determine
the extent of the protection provided against misuse
of his files either by his own error or by the activities
of others. On the other hand, the protection system
must not be so designed that it absorbs an unwarranted amount of the available space or time, and the
normal method of securing file access must not be too
cumbersome. The natural patterns of file use (including group working) should not be distorted by system controls.
Protection against system failure implies some safeguard against the misplaced activities of the operating staff. Not only is it necessary to check operator
actions but the system design should be such that
non-standard activities are unnecessary and unreliable short cuts are eliminated. The latter may be
expected to arise when the normal mechanism for
recovery from system failure itself fails, and also if
the recovery mechanism is protracted or too expensive in terms of lost computing activity.
Poorly designed controls and inadequate flexibility can give rise to unexpected patterns of activity. Not all of these will be foreseen, but the design
must be checked against such variations as can be
foreseen. For example, the system of priorities used
for space allocation should not be so designed that
it can be negated by a simple change in the user's
pattern of behaviour.
The demand for space at Cambridge exceeds the
supply of space on disc. Magnetic tapes are used to
provide the necessary extra space and housekeeping
operations are therefore required to regulate disc
loading. The file store must, for operational purposes,
appear to be uniform and some care is required to keep
disc and tape transfer to a minimum. The limited

*Titan was developed from the prototype ICT Atlas 2.

facilities provided by the hardware should not be
totally concealed, however; some feedback which
encourages the user to work along lines in keeping
with the physical limitations of the system will prevent the extravagance which arises when a user is
not aware of the fact that he is overloading the system.

Documents
The Titan system provides storage and handling
facilities for documents, where a document is defined
as any ordered string of data that is available to a user
program, but is stored outside the area administered
by that program. Access to a document is provided
by system calls and the user program may use these
to read, alter or create documented information.
Data that are input through the slow peripherals
(paper tape and punched cards) are assembled into
individual documents by the system. Each document
is identified by a title that is supplied by the user,
and is local to the job to which it belongs. Similarly,
a user program may create documents which may be
assigned individually to particular types of slow
peripherals (line printer, paper-tape punch or plotter).
The input and output processes themselves are timeshared supervisor activities that operate quite separately from the associated user program execution.

Jobs
The word job is used here to identify the connected
series of activities initiated by one set of input documents, and one distinct activity is called a phase.
Each phase of a multi-phase job operates on some
or all of the documented data from that job and may
at the same time create new documents. The documents iefl by one phase can be used by the next and
represent the major connection between the separate
phases of one job. A typical example of a multiphase job is the sequence: edit, compile, assemble
and run.
The word job also' identifies the series of activities
initiated from an on-line console during the time that
the user of the console is logged in. In this case it is
most likely that the activity will be multi-phase.

Local and global data
The data flow to and from peripherals and the flow
of data between phases is an organizational consideration which is not necessarily the concern of the user
program. The commands which control the data flow
and initiate each phase, resemble a simple programming language in which documents are the data
elements.
For many command sequences it is necessary to

recognize a number of intermediate documents which
exist only to interface between distinct activities.
Intermediate documents are also brought into existence to communicate with slow peripherals. These
documents are the local data for the job concerned
and for convenience their names have a scope which
is local to the job; thus no confusion arises if two
identical jobs are timeshared.
Global documents are required whenever data from
one job are held over for subsequent processing by
another, and for this purpose a document can be given
a title that is recognized in a global context. Such
documents are called files.
There are a number of important differences between local and global documents:
(a) The scope of the name.
(b) The life - local documents cease to be of value
after the last phase of a job has been completed.
(c) Activity - a local document usually has a high
rate of activity throughout its short life.
(d) Backup - by virtue of its short life and high
activity a local document will usually be guaranteed high cost space. An infrequently used
global document could be relegated to lower
cost and less immediately available space.
(e) Protection - local documents are protected
by the narrow scope of the document name.
Global documents require a separate mechanism for protection against accidental or malicious misuse.
(f) Recovery - after a system failure the cost of
recovering a lost local document will usually
be no more than the cost of repeating one job.
Global documents, which can be expected to
be much greater in total volume, are not so
easily recovered.
In view of these differences, two distinct software
packages are used to provide the supporting facilities
for the document handling system. One is concerned
with local documents and the other is responsible
for the files.
The facilities for processing a document are quite
independent of the two support packages and the
method of processing makes no assumptions about
how a document is classified. Two types of processing
are provided:
(a) Character string processing - The document is
assumed to contain variable length records
of characters in a standard format. Appropriate
system calls are provided for character at a
time and line at a time transfer.
(b) Literal processing - No format assumptions
are made and the data is transferred in blocks
of 512 48-bit words.
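The two processing modes can be sketched as follows. The Document class, its byte-oriented storage, and the six-bytes-per-word mapping are illustrative assumptions, not the actual implementation; only the 512-word block size and the two transfer modes come from the text above.

```python
BLOCK_WORDS = 512            # 48-bit words per block, per the text

class Document:
    """Illustrative model of a document offering both processing modes."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def read_line(self):
        """Character-string mode: one variable-length record at a time."""
        if self.pos >= len(self.data):
            return None
        end = self.data.find(b"\n", self.pos)
        if end == -1:
            end = len(self.data)
        line = self.data[self.pos:end]
        self.pos = end + 1
        return line

    def read_block(self, words=BLOCK_WORDS, bytes_per_word=6):
        """Literal mode: one block, no format assumptions (48 bits = 6 bytes)."""
        n = words * bytes_per_word
        block = self.data[self.pos:self.pos + n]
        self.pos += n
        return block or None
```

The point of the split is that literal transfers move fixed-size blocks with no interpretation, while character-string transfers respect record boundaries.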

File Handling At Cambridge University
Disc space control
One system of space allocation is used for all documents and all disc transfers are supervisor controlled.
Files are also held on magnetic tape (see below) and
space allocation here is the responsibility of the File
Support package.
Document storage space on the disc is allocated
in units of 1 block (512 words), and this is controlled
by a map of the disc space. Each block of disc space
is represented by a corresponding entry in the map,
and a document is represented by linking together
the appropriate entries. Free space is also linked
through the map. It is important to note that this
linking is not part of the data space, and the map is
stored separately. This enables the system to locate
the position of any block of a document without access to the document itself: for example, a document
can be deleted from the disc by a simple rechaining
operation within the map.
Parts of the map are held in the core store as and
when space requirements permit, but they are dumped
on to the disc when it is necessary to ease the demand
for core space, and also periodically so as to permit
recovery of documents in the event of system failure.
The remaining sections of this paper describe the
various facilities and support packages of the filing
system; further details of local document organization are dealt with in a further paper.

File identification and access
Any prospective user of the computer must gain
access by quoting his initials and project number.
This combination, known as his title, is required for
off-line as well as on-line working, and is checked
before any computing is permitted.
The title of the file owner is the first of three alphanumeric components which identify a file. In
general it is the file owner who creates and maintains the files which carry his title and the protection
system is based on this.
A file owner can extend some or all of his privileges
to one or more nominated part owners. When making
such a nomination the file owner gives the title of
the part owner together with a status which specifies
the privileges which can be enjoyed. These privileges
range from permission to read from a restricted set
of files to the right to create new files on behalf of
the owner.
Certain privileges can be acquired by anyone who
can quote an alphanumeric key specified by the file
owner. A person who is able to do this is known as a
key holder.
A prospective file user may therefore be acting
simultaneously in up to four different capacities,
namely: Owner, Part Owner, Key Holder and General
User. In each capacity his privilege with respect to
one file may be different and if he requires access
to a file then it will be granted if in any of his capacities the required activity is permitted. It is the file
status that defines the four permitted ranges of
activity.
File status
Four letters, each chosen from the following set,
define the status of a file, and each corresponds to
one capacity in which the user might act.
N Access not permitted.
L Loading permitted for execution only.
R Reading permitted for any purpose including
loading.
C Status change permitted in addition to reading.
D Explicit deletion permitted in addition to reading and status change.
U Updating (changing the contents) is permitted
together with explicit or implicit deletion.
(The latter arises if a new file is created with
the same title.)
F All activities (including change of status) are
permitted.
The author of a file will usually specify the status
when a file is created, although a default setting is
available and file status can be changed at a later
date.
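The status check can be sketched as follows. The letter at each of the four positions governs one capacity in which a user may act, and access is granted if any capacity the user holds permits the operation. The linear privilege ordering below is an inference from the definitions (each letter roughly including the rights of those before it); the exact interplay of C, D and U in the real system may differ, so treat this as an approximation.

```python
# Assumed privilege ranking, inferred from the letter definitions.
RANK = {"N": 0, "L": 1, "R": 2, "C": 3, "D": 4, "U": 5, "F": 6}

# One status-letter position per capacity, in this (assumed) order.
CAPACITIES = ("owner", "part_owner", "key_holder", "general")

# Minimum letter needed for each operation.
NEEDS = {"load": "L", "read": "R", "change_status": "C",
         "delete": "D", "update": "U"}

def permitted(status, user_capacities, operation):
    """status: four letters, e.g. 'FUNN'; user_capacities: any subset
    of CAPACITIES in which the user is currently acting."""
    need = RANK[NEEDS[operation]]
    for pos, cap in enumerate(CAPACITIES):
        if cap in user_capacities and RANK[status[pos]] >= need:
            return True
    return False
```

For example, under a status of FUNN the owner may do anything, a part owner may update, and key holders and general users have no access at all.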
File class
In addition to status the author also specifies the
class of file. This item exists to allow the system to
choose the most suitable space allocation strategy
for the file. The four principal classifications are:
A Archive file - The file will normally be held on
magnetic tape.
W Working file- The file will be held on disc
where possible and, for security, a copy will
be held on tape.
T Temporary file - Disc space will be used but
no security precautions will be taken.
S System file - The file will be given preferential
treatment, but will otherwise be handled as a
class W file.
File deletion
We define file life as that span of time during which
the file is known to the system. It is not in any way
related to the existence of any one copy of a file held
on one particular medium. File life is terminated in
response to an explicit command, although file deletion can also take place when a new file is created

166· Spring Joint Computer Conf., 1967
with the same title as an existing file. Both activities
are subject to the status checks described above.
The performance of a filing system depends upon
the volume of data held within its control, particularly
where more than one storage medium is involved.
Protracted file life and the undue proliferation of
files must therefore be viewed with some concern.
To restrict either of these without adversely affecting
the value of the filing system requires a sympathetic
analysis of the file owner's requirements. The user
must be encouraged to make this analysis himself
and a management procedure is required to ensure
that the appropriate standards are being maintained.
Arbitrary controls applied by the system are likely
to result in abuse or undue frustration. Compromise
is clearly necessary.
A system which allows the user to make post-dated
requests for file deletion and status change was rejected on the grounds that, at Cambridge, the validity
of a file depends more on circumstance than on time
and therefore would not significantly assist the user
to make a realistic evaluation of his files. In contrast,
the chosen policy is to make file deletion as simple
as possible by providing a variety of aids to file directory maintenance. These are included as special
facilities in the command system.
Commands
The commands which are handled directly by the
filing system are augmented by other macro-commands which provide more specialized facilities. The
basic set is the minimum complete set necessary to
provide the facilities outlined above. OPEN, CLOSE,
DELETE and CHANGE STATUS provide essential file handling facilities. SET KEY and UNLOCK service the key holder system and CREATE
PART OWNER and REMOVE PART OWNER
service the part-ownership mechanism.
The basic set is extended so that many of the administrative features (including dump and re-load)
can be carried out by conventional object programs
that communicate with the central filing facility. In
particular there are system calls that operate on the
individual attributes of a file held by the system.
Each attribute type has an associated system defined status against which all requests are checked.
File storage on magnetic tape
Magnetic tape is used for two distinct reasons; to
augment the limited supply of disc space and to hold
redundant copies of files so that the chances of accidental loss by system failure are reduced. Operationally the two are linked. Data are copied to magnetic tape at intervals of about 20 minutes and thereafter are protected against loss by system failure. The
existence of a copy on tape leaves the system free to
recover disc space when necessary simply by erasing the disc copy of a selected file. However, since
the latter action reduces the level of security, magnetic tapes are duplicated.
A dump program copies to magnetic tape only
those files for which there is no up-to-date dumped
version. Class T (Temporary) files are never dumped.
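The incremental dump cycle can be sketched as below. The field names and the two-tape loop are illustrative; what comes from the text is the selection rule (only files with no up-to-date dumped version, never class T) and the fact that tapes are duplicated.

```python
def select_for_dump(directory):
    """Return the files needing a fresh tape copy this cycle."""
    to_dump = []
    for f in directory:
        if f["class"] == "T":          # temporary files are never dumped
            continue
        if f["dumped_at"] is None or f["dumped_at"] < f["modified_at"]:
            to_dump.append(f)
    return to_dump

def write_to_tape(tape, f):
    pass  # stands in for the actual tape transfer

def run_dump(directory, now):
    for f in select_for_dump(directory):
        for tape in ("primary", "duplicate"):   # tapes are duplicated
            write_to_tape(tape, f)
        f["dumped_at"] = now
```

After a cycle completes, every non-temporary file has a tape copy at least as recent as its disc copy, which is what makes later disc-space reclamation safe.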
At weekly intervals the files for one owner are collected together on an archive tape. Several file owners will usually share one tape for this purpose.
If a file is deleted or updated the old version is automatically removed from the directory of files. However, since three generations of archive are kept the
careless file owner has up to two weeks in which to
recover an erroneously deleted file.
The file directory contains a record of the files
that have been stored on magnetic tape and this is
sufficient to allow automatic file recovery. In addition, it is planned to make the archive tapes available on demand so that a file owner may, for the duration of one job, have access to all his files even though
the total volume may exceed the available disc space.
File reloading is batched and a file containing a
queue of requests for file reloading is processed at
suitable intervals. The user can file such a request
and when doing so he can ask for a message to be
transmitted to him upon completion. For off-line work
the execution of a job may be dependent upon the
availability of a file and if not available a request
for reloading is added to the queue.
Disc space allocation
Each file owner is allocated a specific amount of
disc space which he may not exceed. The allocation
is split into space for ordinary files and space for
temporary files. If a filing attempt for an ordinary
file fails through lack of space then the file will be reclassified as temporary and a second attempt will be
made.
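The quota check with its temporary-file fallback can be sketched as follows; the class name and block counts are invented for illustration.

```python
class OwnerQuota:
    """Per-owner disc allocation, split between ordinary and temporary files."""

    def __init__(self, ordinary_blocks, temporary_blocks):
        self.free = {"ordinary": ordinary_blocks, "temporary": temporary_blocks}

    def file_blocks(self, n, file_class):
        """Try the requested pool; on failure an ordinary file is
        reclassified as temporary and a second attempt is made."""
        pool = "temporary" if file_class == "T" else "ordinary"
        if self.free[pool] >= n:
            self.free[pool] -= n
            return pool
        if pool == "ordinary" and self.free["temporary"] >= n:
            self.free["temporary"] -= n
            return "temporary"     # reclassified on the second attempt
        raise MemoryError("owner's disc allocation exhausted")
```

The fallback lets a filing attempt succeed at the cost of losing the security copy that ordinary files would receive.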
The total space allocated exceeds that available and
thus it is possible for space to be exhausted even
though no user is in error. In this case all the files for
one user are off-loaded. The user affected in this way
is chosen in strict rotation from all those not active
at the time. When a file is off-loaded the disc copy
is erased as soon as it is known that a copy exists
on magnetic tape. Temporary files are lost by the offloading process.
System files and other files which are in general
use are classified as S and are never off-loaded. Each
user is given a (usually zero) space allocation for his class S files; all users are treated equally.
Protection against system failure

File dumping takes place every 20 minutes and has
already been described. Each dump tape contains
sufficient information to allow the file directory to be
reconstructed. The restart process recovers files from
dump tapes and archives ad-lib until recovery is complete. The first files to be recovered are those owned
by the system which are held on the appropriate
archive; thereafter recovery proceeds simultaneously
with general use of the filing system.
Many system failures do not result in loss of information on disc, and a recovery procedure is available that retrieves as many files as possible on the
assumption that the file was not over-written arbitrarily. To make this possible the methods used to
update the disc control map and the file directory
must be fail-safe, and it is hoped that this has been achieved
by carefully sequencing the operations which take
place during file creation and deletion. In a
system in which overlapping is extensively employed, care is required to ensure that the official
recognition of a change in state is withheld until that
state has been established.
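The write-ordering discipline implied here can be sketched as below: the official record of a change (the directory entry) is written only after the state it describes has been established on the disc. The Disc class and function names are invented; only the ordering principle comes from the text.

```python
class Disc:
    """Records the order of disc writes, for illustration."""
    def __init__(self):
        self.log = []
    def write_block(self, b):
        self.log.append(("block", b))
    def write_map(self):
        self.log.append(("map",))

def create_file(name, blocks, disc, directory):
    for b in blocks:          # 1. write the data itself
        disc.write_block(b)
    disc.write_map()          # 2. write the updated space map
    directory[name] = blocks  # 3. the official recognition comes last; a
                              #    crash before this point leaves at worst
                              #    unreferenced blocks, never a directory
                              #    entry describing data that is not there
```

Reversing steps 2 and 3 would open a window in which a failure leaves the directory pointing at blocks the map does not account for.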
CONCLUSION
A number of implementation points are worth noting
because of the extent to which coding and maintenance are thereby simplified. A privileged but
otherwise conventional user program handles file access and the various necessary interlocks. The
file processing and disc control are again separate
but part of the supervisor. All other facilities (including dumping and file recovery) are carried out by
conventional user programs. One file format is used
for all dump and archive tapes and all file directories
are held as files in their own right. The interlock requirements are thus minimized, and by holding a detached map the timing considerations which are essential to a successful recovery system are simplified.
ACKNOWLEDGMENTS
The work described in this paper is part of the program of research and development being carried out
at the University Mathematical Laboratory, Cambridge, under the direction of Professor M. V. Wilkes,
F.R.S. The early stages of the basic supervisor work
were carried out in collaboration with International
Computers and Tabulators Ltd., subsequently the
project has been supported by the Science Research
Council.

REFERENCES
1 T KILBURN R B PAYNE D J HOWARTH
The Atlas supervisor
Proc EJCC p 279 1961
2 A G FRASER J D SMART
The COMPL language and operating system
Computer Journal vol 9 p 144
3 R C DALEY P G NEUMANN
A general-purpose file system for secondary storage
Proc FJCC p 213 1965

GIM-1, a generalized information management
language and computer system
by DONALD B. NELSON, RICHARD A. PICK
AND KENTON B. ANDREWS
TRW Systems
Redondo Beach, California

The current demand for more comprehensive information systems has created an increasing need for
generalized information management. Generalized
information management denotes a complex of
interrelated information capabilities encompassing
both human functions and the operation of automatic
devices which supplement and extend human capabilities. The methodology and techniques for such
generalized information control have been defined
and are exemplified in GIM-1, a generalized information management language and computer system
now being implemented at TRW Systems. With the
use of GIM-1, the problems inherent in defining more
comprehensive information systems can be completely and economically resolved.
The definition of a system for such information
management requires a communication network of
many remote stations and a central complex of one
or more computers. It also must accommodate natural
language queries and multiple technical vocabularies.
Additionally, such a system must provide automatic
correlation of information both within and between
data files, complete as well as selectively limited
information security, and automatic controls for
data reliability, data conversions and the synthesis
of data as a function of other data. All of these requirements for comprehensive information transfer
can be satisfied by the use of GIM-1.
GIM-1 permits natural language access to data
list information stored in a random bulk storage device
which also is available to other computer programs,
and the remote user may select any available equipment in the entire network for an information output.
Although GIM-1 is general to information management needs, its design accommodates the particular
information requirements of any one application area
with special purpose efficiency in computer operating
times. GIM-1 is essentially machine independent,
and the calculated addressing scheme permits retrieval of any required data from random storage in
a single access.
The GIM-1 language is limited natural English,
and the formats and rules for remote inputs are both
simple and very general. The language processors,
together with the use of dictionaries, permit inputs
to be stated directly in the technical terminology
natural to each application area, and also provide
the user with plain language outputs. The GIM-1
language uses the lineal format natural to prose text,
accepts any number of variable length words, and
permits a limited freedom of word order. Minimal
vocabulary prohibitions to ensure uniqueness apply
only to the data list identifiers and are guaranteed by
automatic language audits, but no vocabulary prohibitions are imposed on the information values.
Additionally, the GIM-1 language permits the definition of any number of identifier synonyms, and
provides a large selection of input conditionals
which may be used to limit outputs to only relevant
information.
In GIM-1, the "master" dictionary contains the
data list identifier nouns, and the "user" dictionary
associated with each data list contains the attribute
identifier nouns. The master dictionary also contains
the process identifier verbs and the language connectives; and, in each of these dictionaries, any
number of synonyms may be defined for each identifier. The connective words include all conjunctions,
prepositions, articles and special symbols specified
for possible use in language inputs. The definition
of these connectives, then, includes the designation
of relational operators and other conditional words
for limiting information searches to only relevant
data. Therefore, the specification of connectives
will dictate operational procedures not only for the
language preprocessor but also for the automatic
correlation of data and the numerous data processors
within GIM-1. Additionally, a limited natural syntax
has been defined for GIM-1, since any completely
natural syntax would require a probabilistic processor contradictory both to practical efficiency and
to the absolute identifications required for updating
data lists with complete accuracy.
The GIM-1 data base consists of many different
data lists, and all GIM-1 information is stored in
data lists. Each data list is identified by a DATA
LIST I.D. and consists of many different items of
information; and each item consists of an ITEM
I.D. followed or not by relevant information values.
All information values, then, are stored in items
within data lists, and each VALUE is identified by
one of the many attributes defined for each data list.
Each attribute is identified by an ATTRIBUTE
I.D. and any number of attributes can be defined
for the identification of all possible data list values.
However, since items contain only relevant values
or none at all, the usual document has values for only
a few of the many attributes defined for a data list.
The standard format for organizing GIM-1 information, then, has a column heading for each of the
following four information elements:

Information element    Mnemonic Code
DATA LIST I.D.         D
ITEM I.D.              I
ATTRIBUTE I.D.         A
VALUE                  V

An example of information organized in accordance
with such a format is illustrated in Figure 1.
Since a data list may have virtually unlimited attributes which may be used or not in any given item,
a user is neither restricted to a small set of fixed
identifiers nor required to assign a value to each
identifier for every item. For example, assume all
references for transportation systems are itemized
by library code, with each reference containing such
standard information as TITLE, AUTHOR, ABSTRACT, etc. In addition to these standard attributes, however, much greater indexing depth can be
achieved by also defining many special attributes
such as GROUND EFFECT MACHINES, HELICOPTERS, MONORAILS, TOTAL COST, and
PRINCIPAL CITY. These extra attributes, then,
define special information which may or may not be
relevant to any one transportation system reference.
For instance, the majority of references may include
absolutely no information for these extra attributes
and, therefore, no extra values would be stored.
However, for any item which may contain such special
information, these extra attributes would enable an
indexer to describe the reference item in much greater
depth. Provided such attributes were defined, then,
a GIM-1 user might initiate the following input:
LIST THE TITLE AUTHOR AND ABSTRACT OF EVERY TRANSPORTATION SYSTEM REFERENCE WITH
THE PRINCIPAL CITY "LOS ANGELES" AND THE GROUND EFFECT
MACHINES "AVC-1" OR "HOVERCRAFT"
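The query above amounts to a conditional selection over the D/I/A/V organization. The sketch below models that selection directly; the data values are invented for illustration, and GIM-1 itself parsed the English input through its dictionaries rather than taking calls of this kind.

```python
# data list -> { item I.D. -> { attribute I.D. -> [values] } }
data_lists = {
    "TRANSPORTATION SYSTEM REFERENCE": {
        "LIB-0001": {
            "TITLE": ["COASTAL TRANSIT STUDY"],
            "AUTHOR": ["JOHN DOE"],
            "ABSTRACT": ["A study of ground effect machines."],
            "PRINCIPAL CITY": ["LOS ANGELES"],
            "GROUND EFFECT MACHINES": ["HOVERCRAFT"],
        },
        "LIB-0002": {
            "TITLE": ["MONORAIL SURVEY"],
            "AUTHOR": ["PETER BROWN"],
            "PRINCIPAL CITY": ["CHICAGO"],
        },
    },
}

def list_attributes(d, wanted, conditions):
    """Return the wanted attributes of every item meeting all conditions.
    conditions maps attribute -> acceptable values: OR within a set,
    AND between attributes, mirroring the AND/OR of the English input."""
    out = {}
    for item, attrs in data_lists[d].items():
        if all(set(attrs.get(a, [])) & vals for a, vals in conditions.items()):
            out[item] = {a: attrs.get(a, []) for a in wanted}
    return out

hits = list_attributes(
    "TRANSPORTATION SYSTEM REFERENCE",
    ["TITLE", "AUTHOR", "ABSTRACT"],
    {"PRINCIPAL CITY": {"LOS ANGELES"},
     "GROUND EFFECT MACHINES": {"AVC-1", "HOVERCRAFT"}},
)
```

Items lacking a conditioned attribute simply fail the test, which matches the point that most items carry values for only a few of the defined attributes.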
Furthermore, the organization of GIM-1 information
permits the remote user to add new attributes for a
data list whenever he may wish, and without any
effect on the existing data list information. For
instance, an indexer might encounter a transportation
system reference which included a description of
the net change in smog levels during trial tests of
some proposed system. Assuming all of the existing
attributes to be unsuitable for a description of this
information, the indexer might wish to add the new
attribute HYDROCARBONS. This new attribute
then would be available for possible use in any old
or new transportation system reference.
The four elements within the standard format for
GIM-1 information can be considered both as an
attribute value DATUM having three IDENTIFIERS (Figure 2), and as a set of two dyads, with
each dyad having one DATUM and one IDENTIFIER (Figure 3).
Consideration of the standard format as a sequence
of two dyads of information is a concept of particular importance. Together with the automatic correlation of GIM-1 data, both within and between
data lists, this concept permits the definition of extensive and very complex information formats. The
construction of an extended data format by a unidirectional chaining of dyad units is illustrated in
Figure 4.
As an elementary example of data format extension,
assume the unidirectional construction in Figure 5
as defining both the retrieval and update-add correlation between the attribute AUTHOR in the ANEW
DOCUMENT data list (defined in Figure 1) and
another data list identified by TECH/AUTHOR.
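The unidirectional chaining just described can be sketched as follows: every value stored under a chained attribute is also made to exist as an item I.D. in the target data list. The structures and function name are invented for illustration; the AUTHOR and TECH/AUTHOR names come from the example above.

```python
data_lists = {"ANEW DOCUMENT": {}, "TECH/AUTHOR": {}}

# The dictionary correlation code: (data list, attribute) -> target list.
correlatives = {("ANEW DOCUMENT", "AUTHOR"): "TECH/AUTHOR"}

def add_value(d, item, attribute, value):
    """Store a value; if the attribute is chained, ensure the value also
    exists as an item I.D. in the target data list (a 'bridge' item)."""
    data_lists[d].setdefault(item, {}).setdefault(attribute, []).append(value)
    target = correlatives.get((d, attribute))
    if target is not None:
        data_lists[target].setdefault(value, {})   # item may carry no values yet

add_value("ANEW DOCUMENT", "NADC-AX-6123", "AUTHOR", "JOHN DOE")
```

The chaining is unidirectional: adding an item directly to TECH/AUTHOR would not create an AUTHOR value anywhere, which is why each TECH/AUTHOR item is not necessarily a value for AUTHOR.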
In Figure 6, therefore, any value for AUTHOR
automatically will be also an item I.D. for TECH/AUTHOR, although each item I.D. for TECH/AUTHOR is not necessarily also a value for AUTHOR. Any retrieval of a value for AUTHOR automatically also will include, as associated data, all the information stored under the relevant item I.D. for TECH/AUTHOR. However, any
retrieval of an item I.D. for TECH/AUTHOR will
not include any associated data.

Figure 1 - Example of GIM-1 data organization
Figure 2 - Standard data format A
Figure 3 - Standard data format B
Figure 4 - Extended data format
Figure 5 - Example of extended data format

The elementary correlations in Figures 4, 5, and 6
are constructed by unidirectional chaining of the
values of an attribute in one DIAV unit with the item
I.D. in another DIAV unit. However, many other
types of automatic correlation also are available to
the GIM-1 user. For instance, "Christmas tree"
interrelationships between different items within
the same data list require bidirectional chaining of
the values of an attribute with the item I.D. in a
single DIAV unit. Additionally, some commonly
required correlations are considerably more complex. For instance, many interrelationships require
correlations between the values of two attributes
in different data lists, together with automatic item
identifications. This type of correlation is illustrated in Figure 7 as an elementary construction with
only two unidirectional correlatives and with only
one correlative defined for the values of an attribute.

Figure 6 - Example of extended data format
Figure 7 - Example of data list correlation

In Figure 7, then, each update of a value in D1A3 requires the automatic update of an item I.D.
in D2. Similarly, each update of a value in D1A1
requires the automatic update of a value in D2A4.
However, the automatic update of D2A4 further
requires the automatic identification of each item
I.D. in D2 which also is defined as a value in D1A3. The automatic creation of such "bridge" values

between data lists, then, is required for any correlation between the values of two attributes in different data lists. Although these few examples of automatic correlation are elementary, they are sufficient
to indicate the flexibility provided the GIM-1 user
in defining extensions of the standard format for
organizing information.
GIM-1, then, permits the user to specify very complex data list interrelationships for automatic correlation. Only a simple dictionary code enforces any
defined correlation for all subsequent inputs, and
GIM-1 processes all interrelated information with
total relevance and with complete accuracy. The
several correlations available for specification by
the GIM-1 user include:
• The automatic retrieval of associated information stored in other data lists.
• The automatic updating of correlated information stored in other data lists.
• The automatic updating of cross-indexed data
lists.
• The automatic calculation of data values as a
function of other stored values.
• The automatic coupling of unit values in associated sequences of multiple values.
• The automatic creation of "bridge" values for
correlation between data lists and items.
• The automatic updating of all relevant information in "Christmas tree" data lists.
• Full "Christmas tree" searches for retrieval
and counting requests.
• The automatic retrieval and updating of nonredundant information stored only in another
data list.

Among these several optional capabilities defined
for user convenience, the automatic updating of
information in correlated items and data lists is of
particular importance.
For example, a user might require optional access
to information by classifications unique to his own
technical area, while the technical library might
wish to file new information only by DDC index
number. These apparently different user needs are
not contradictory, however, since both requirements
can be accommodated by the automatic updating
of correlated information. Assuming the information
for each DDC index number is defined to include
such attribute identifiers as TITLE, AUTHOR,
ABSTRACT, SOURCE, TECHNICAL AREA
and DESCRIPTORS, and also assuming the relevant correlation codes are stored in the dictionaries,
the GIM-1 system would update not only the DDC
data list stated in the technical library input, but also
automatically would update any number of correlated
data lists and items defined by the dictionary codes
and the values stored under the encoded identifiers.
This complex capability, therefore, eliminates not
only the need for complex intervention by the user
but also the probability of human error, and ensures
the complete accuracy and relevance of interrelated
information.
GIM-1 further accommodates the remote user
by providing complete as well as selectively limited
information security, automatic value conversions
and complex format audits of input values. Additionally, the executive control system provides priority
processing and automatic record-keeping of all transactions. The standard data processing capabilities
of GIM-1 include the retrieval of stored information;
the counting of information values; the deletion,
addition or changing of stored information; the remote initiation of new dictionaries and data lists;
and a special report processor for generating special
output formats.
As exemplified by GIM-1, then, generalized information management is based on a new and interdisciplinary approach to the total problem of information, and is a comprehensive complex of interrelated capabilities. As indicated by its name,
however, GIM-1 is only an initial competence with
many extensions of present capabilities, as well as
new capabilities, planned for the future. At present,
for example, the automatic updating of information
between data lists provides a selective dissemination
of information, but only within the GIM-1 data bank.
However, the rapidly growing need for selective
dissemination requires an external distribution; and,
because of the construction of functional group
interest profiles, the impetus for the flow of information rests with the system rather than with the
user. Therefore, in a future version of GIM-1,
the present selective dissemination of information
will be extended to include automatic decision-information outputs to all users. Similarly, the increasing demand for international information transfer requires a system which accommodates multiple
languages, as well as multiple technical vocabularies,
with direct access to mutually shared data banks
without language translation. However, GIM-1
already accommodates multiple technical vocabularies with direct access to mutually shared data
lists without vocabulary translation. Additionally,
GIM-1 is both machine independent and language
dependent. Therefore, in a future version of GIM-1,
the present natural English language will be supplemented by Russian, French and German.
This description of GIM-1 has been brief, and the
summary of its capabilities gross. As an example of
generalized information management, however, it
has been sufficient to indicate the methodology and
some of the techniques for resolving the problems
inherent in designing more comprehensive information systems. Also, it has indicated the need for
integrating the definitions of company information
standards and management responsibilities with the
specification of a communication network and the
software control system. And hopefully, this brief
description of GIM-1 has been sufficient to verify
generalized information management as a new and
powerful tool for supplementing and extending present
capabilities in information systems.

Inter-program communications, program
string structures and buffer files
by E. MORENOFF and J. B. McLEAN
Rome Air Development Center
Griffiss Air Force Base, New York

INTRODUCTION
Receptiveness to change is one of the most important
attributes of a programming system. There are obvious
advantages associated with being responsive to
changes in a system's environment without being
required to essentially redesign the system. These
environmental changes may take the form of variations in the functions to be performed by the system
or in the applications to which the system is put. They
may be reflected in modifications of the content or
structure of the data which the system is to process.
They may even appear as changes in the number, type
or function of the equipments comprising the computer within which the system is operated.
The introduction of program modularity is one of
the most common approaches to designing programming systems capable of evolutionary growth and
modernization. Traditionally, modularity is associated
with the division of a program system into its major
components, which in turn are divided into their subcomponents, and so on. The degree to which this can
be actually reduced to practice, however, is a function
of the facilities available for combining the program
modules into larger programs. Factors which must be
considered are the extent to which inter-program
dependencies exist, the nature of the mechanism
available for resolving such dependencies, and the
time at which they are resolved.
If the program modules could be treated as completely separate entities, wholly independent of one
another, they could be used as program building
blocks to be arbitrarily combined to form larger programs. This generalization leads to the notion of a
pool in which all program building blocks are maintained, available for use in larger programs to perform
user-oriented functions. The application of Program
String Structure techniques l allows such a generalization to be made, and hence allows for the realization of the notion of a program building block pool.
The most essential feature of the Program String
Structure concept is the introduction of Buffer Files

through which all inter-program communications are
achieved. Although the primary motivation for the
development of this Buffer File mode of operation
was to provide a program linkage mechanism which
could be used as part of a Program String Structure,
several very important benefits can be realized by its
application outside the Program String Structure environment. It is the intent of this paper to examine
these benefits in terms of the unique characteristics
of the Buffer Files which make their realization
possible.
Program string structures
The Program String Structure is based on the fundamental principle that a set of programs can be used
collectively without actually being combined or integrated. This collective use of programs is realized by
providing a mechanism for moving the data from one
program in the set to another. Each program in the
set is afforded, in turn, an opportunity to operate on
the data in some prescribed manner. The mechanism
is sufficiently general to allow for the collective use
of totally independent programs.
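The collective-use principle just stated can be illustrated with a modern sketch (Python stands in for the 1967 mechanism; all names here are invented for illustration, not drawn from the paper):

```python
# Sketch of collective use without integration: each "program" is an
# independent unit, and a separate string mechanism moves the data
# stream from one program in the set to the next.

def run_string(programs, input_stream):
    """Afford each program, in turn, a chance to operate on the data."""
    stream = list(input_stream)
    for program in programs:
        # No program knows where its input came from or where its
        # output goes; the string mechanism handles all movement.
        stream = [program(item) for item in stream]
    return stream

# Two totally independent programs combined without being merged:
double = lambda x: 2 * x
increment = lambda x: x + 1
```

Calling `run_string([double, increment], [1, 2, 3])` yields `[3, 5, 7]`; neither program was written with the other in mind.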
A program in the context of the Program String
Structure, is a physically identifiable unit through
which streams of data are passed. The program
accepts one or more input data streams, operates on
them in accordance with the logic implicit in the program, and then produces one or more output data
streams. All programs are maintained in a program
pool. Figure 1 illustrates the logical representation
of a program.
The primary characteristic of the Program String
Structure is the introduction of a Buffer File in the
path of each stream of data flowing from an output of
one program to an input of another program. A program is designed so that its input data streams are
taken from Buffer Files and its output data streams
go to Buffer Files. The program need not be concerned with where the data found in its input Buffer File
comes from (or how or when it got there), nor where
Spring Joint Computer Conf., 1967

Figure 1 - Logical representation of a program in a
program string structure

the data it places in its output Buffer File goes to
(or when it will get there or what will be done with
it). The operation of a program is completely asynchronous with respect to any other program with
which it may be collectively used. The synchronization of the program with concurrently running programs and the coordination of access to common data
between itself and concurrently running programs,
are automatically performed by the Buffer File linkage mechanism. The Buffer Files thus completely
isolate a program from the programs with which it is
linked. Figure 2 illustrates the logical representation
of the use of Buffer Files as a program linkage
mechanism.
The use of Buffer Files is a necessary but not sufficient condition for allowing sets of totally independent
programs to be used collectively. Each program
assumes a format and structure for all data on which it
operates which is inherently embedded in the logic and
code of the program. Hence, a program expects the
data at each of its inputs to be of a specific format and
structure. The program, in turn, generates data at
each of its outputs in a specific format and structure.
Consequently, the Program String Structure must provide a means for insuring that data reaches a
program's input Buffer File in a form required by the
program.
To insure data is properly formatted and structured
when it reaches a program's input Buffer File, the format and structure specifications of the output and
input data streams which are to be linked are automatically compared and then adjusted for reasonable
format discrepancies. This implies that the descriptions which define the format and structure of

each of the output and input data streams of a program
must be explicitly stated and available for use by that
portion of the Program String Structure which compares and adjusts data formats. Reasonable adjustments can be accompiished by the automatic insertion
of a generalized reformatting program in the data
stream. The inputs to the generalized reformatting
program are the input and output data stream specifications, and the data in the streams to be reformatted.
The output of the generalized reformatting program is
a stream of data in the desired format. The generalized
reformatting program is a type of report generator
program. Since the outputs and inputs of the programs
being linked are isolated from each other by Buffer
Files, the introduction of the reformatting program in
no way influences the execution of either of these programs. Figure 3 illustrates the logical representation
of the use of the reformatting program. The case is
the same as shown in Figure 2, except that it is assumed here that the format specification of the third
output of Program A is not compatible with the first
input of Program C and must be adjusted by the use of
the Generalized Reformatting Program.
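The comparison-and-adjustment step can be sketched as follows (Python; the field-name lists standing in for the paper's format and structure specifications are invented for illustration):

```python
# Sketch of automatic format adjustment between a linked output and
# input. The generalized reformatting program is driven entirely by
# the two stream descriptions, like a report generator.

def generalized_reformat(record, output_spec, input_spec):
    # Rearrange fields (leaving missing ones blank) so the receiving
    # program sees the form it expects.
    by_name = dict(zip(output_spec, record))
    return [by_name.get(field, "") for field in input_spec]

def link_streams(stream, output_spec, input_spec):
    if output_spec == input_spec:
        return list(stream)        # formats agree: link directly
    # Formats disagree: insert the reformatting program in the stream.
    return [generalized_reformat(r, output_spec, input_spec)
            for r in stream]
```

Because Buffer Files isolate the two linked programs, inserting this step between them changes neither program's execution.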
Another characteristic of the Program String Structure is the introduction of a variable time frame over
which program inputs are actually bound to the data
on which the program will operate. At the time a program is designed, the programmer assigns symbolic
names by which each input and output is internally
referred to by the program. At this time, he also specifies the formats and structures of the data which are
required by the program at these inputs and outputs.
At linkage definition time, the user specifies which
programs are to be used collectively, and which outputs are to be linked to which inputs. At this time, the
user may also bind some of the free-standing inputs to
data on which the linked programs will operate. A
free-standing input is one which is not connected to
any other program except the one for which it is an
input. The user may elect to defer the binding of some
of the free-standing inputs to data until the time the
linked programs are to be executed. If such is the case,
these unbound free-standing inputs may be specified
as part of the user's request to have the set of linked
programs executed. It is possible, however, that not
all the free-standing inputs have been bound to data
at the time the execution of the set of linked programs
has been initiated. If, as a result of the logic of a
program and the nature of the data being processed,
no data reference is made to an unbound free-standing
input, then the fact that the free-standing input has not
been bound does not affect the processing of the set
of programs. If, however, a point is reached in one of
the programs where a request is made for data from a

Figure 2 - Logical representation of programs linked
via buffer files

previously unbound free-standing input, then the linkage mechanism causes the execution of that program
to be delayed until the monitor system can request the
user to supply the missing binding information, and
such information is provided by the user.
Finally, programs may be recursively defined in a
Program String Structure. This is possible to the
extent that a program representing a set of linked programs can itself be treated as a program building block
and maintained in the program pool to be used collectively with other programs. Figure 4 is an illustration of the recursive definition of a program in which
Programs R, S and T are linked to yield Program A,
initially shown in Figure 1.
The primary result of the use of Program String
Structure techniques is the elimination of the need for
pre-planning on the part of the programmer during the
program design and implementation phase. The programmer may be totally indifferent to the characteristics of other programs with which the program he is

preparing may operate; the variations in structure and
source of data on which his program may be called on
to process; and any timing or coordination considerations with respect to other programs which may be
concurrently executed. The programmer is free
to design a particular program to optimize that program's performance solely with respect to the function
being implemented.
The elimination of the need for pre-planning means
that a set of programs can be designed, coded, debugged and modified by different programmers at
different points in time and still be capable of being
arbitrarily linked. This is the essential characteristic
of a true building block approach to the design of large
programming systems.
The construction of large programs by linking together as many already existent programs as possible
(and creating new programs only when necessary)
materially shortens the overall program preparation

Figure 3 - Logical representation of automatic reformatting
capability

time at the expense of an increased overhead associated with effecting the linkage of the smaller programs into
larger ones. In environments in which many of the
programs are executed on essentially a "one-shot"
basis, such a trade-off seems reasonable. Should any
of these programs eventually be used on a production
basis, however, thus tending to increase the significance of the overhead, the structures of these programs can be modified by removing the inter-program
linkages. Changing the overall program from a set of
linked programs to a single program eliminates the
overhead previously associated with the program. The
program restructuring, however, can be done at a
convenient time with respect to such considerations
as the availability of programmers, existing work loads
and priorities. In the meantime, the desired function
can be performed as a collection of smaller programs.
It is important to note that although the use of Program String Structures eliminates the need for preplanning, the programmer retains the ability to introduce pre-planning in the design of a set of programs
to any degree he wishes. Thus, in the design of a set
of programs which will be frequently used, the pro-

grammer may elect to carefully consider questions of
inter-program communications in order to improve the
performance of the set of programs. The programs
making up the set, however, may still be placed in
the program pool and collectively used with other
programs to perform other functions as well.
Buffer files - principles of operation

A conceptual representation of a Buffer File is
shown in Figure 5. The Buffer File shown is employed
in the linkage of the third output of Program A to
the first input of Program C, as illustrated in Figure
2. The data in the Buffer File is organized in fixed
length units called blocks. There are M computer
words per block and N blocks per Buffer File.
Only a unidirectional flow of data through a Buffer
File is permitted. As shown, Program C may only read
data from the Buffer File and Program A may only
write data to the Buffer File. Once the data has been
transferred from Program A to the Buffer File, that
data can no longer be accessed by Program A. Similarly, once Program C has read data from the Buffer
File, that data is erased from the Buffer File.

Inter-Program Communications

INPUT

..

I

II
INPUT Z

Figure 4 - Logical representation of a set of programs
linked to form a new program

In order that programs using a Buffer File be independent of both parameters M and N, the Buffer
File closes around itself, forming a ring structure.
Addition is performed on a modulo N basis, that is,
(N-1) plus one equals zero. Two markers are associated with each Buffer File, one indicating the name of
the block to which data is to be written and the other
the block from which data is to be read. In Figure 5, the
Write Buffer Marker is advanced each time a block of
data is placed in the Buffer File by the third output
of Program A, and the Read Buffer Marker is advanced by one each time a block of data is read from
the Buffer File by the first input of Program C. If
the Read Buffer Marker and the Write Buffer Marker
should coincide and the two markers have recycled
the same number of times, no further data is available
in the Buffer File for Program C to read. Hence, any
read operation attempted by Program C under this
condition must be inhibited. Similarly, if the Read
Buffer Marker and the Write Buffer Marker should
coincide and the Write Buffer Marker has recycled
one more time than the Read Buffer Marker, no
further space is available for Program A to write in
the Buffer File. Hence, any write operation attempted
by Program A under this condition must be inhibited.
Finally, since only a unidirectional flow of data is
permitted through the Buffer File, any attempt at any
time by Program A to read data from the Buffer File
or Program C to write data to the Buffer File must be
inhibited. As soon as the presence of any of the inhibit conditions is detected by the linkage mechanism,
control is immediately transferred to the computer
monitor system, thus inhibiting the execution of the
read or write operation.
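The marker and inhibit rules above can be sketched in modern terms (Python; a sketch of the mechanism described, not the original implementation — the recycle counters are made explicit here):

```python
# Ring-structured Buffer File: N blocks of M words, a Write Buffer
# Marker and a Read Buffer Marker advanced modulo N, and the two
# inhibit conditions described in the text.

class BufferFile:
    def __init__(self, m_words, n_blocks):
        self.blocks = [None] * n_blocks   # N blocks of M words each
        self.m, self.n = m_words, n_blocks
        self.write_marker = 0             # block to be written next
        self.read_marker = 0              # block to be read next
        self.write_cycles = 0             # times the write marker recycled
        self.read_cycles = 0              # times the read marker recycled

    def write_block(self, words):
        # Inhibit: markers coincide and the writer has recycled once
        # more than the reader -> no space left for the writing program.
        if (self.write_marker == self.read_marker
                and self.write_cycles == self.read_cycles + 1):
            raise BlockingIOError("write inhibited: Buffer File full")
        assert len(words) == self.m, "a block is exactly M words"
        self.blocks[self.write_marker] = list(words)
        self.write_marker += 1
        if self.write_marker == self.n:   # (N-1) plus one equals zero
            self.write_marker = 0
            self.write_cycles += 1

    def read_block(self):
        # Inhibit: markers coincide and both have recycled the same
        # number of times -> no data available for the reading program.
        if (self.read_marker == self.write_marker
                and self.read_cycles == self.write_cycles):
            raise BlockingIOError("read inhibited: Buffer File empty")
        words = self.blocks[self.read_marker]
        self.blocks[self.read_marker] = None   # data erased once read
        self.read_marker += 1
        if self.read_marker == self.n:
            self.read_marker = 0
            self.read_cycles += 1
        return words
```

In the real mechanism the inhibit conditions transfer control to the monitor system rather than raising an exception; the exception stands in for that transfer here.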
During the design and implementation phase of a
program, the programmer symbolically defines the
input and output Buffer Files to be used by the program. It is not, however, until that point in the execution of a program is reached where a request is made for
the creation of a Buffer File that the Buffer File is
generated. In this manner, although a programmer
may specify multiple outputs in his program to cover
mutually exclusive conditions, Buffer Files are created
only for those outputs which the program actually
selects on the basis of the data being processed.
The actual linkage between an output of one program and an input of a second program is effected
through the use of a Buffer File Control Word
(BFCW) generated by the linkage mechanism. One
BFCW is maintained by the linkage mechanism for
each Buffer File established. The BFCW contains
such information as the positions of the Buffer File's
Read and Write Buffer Markers, the Buffer File's
size, location and a series of indicators reflecting its
condition and status.
Either of the two programs to be linked via a particular Buffer File may be the first to reach that point
in its execution where the request is made for the
creation of the Buffer File. In response to this request,
the linkage mechanism generates a BFCW and establishes a correspondence between the BFCW and the
symbolic name by which the Buffer File is referred to
in the program. When the other program to be linked
makes a request for a Buffer File, using a symbolic
name equated to the symbolic Buffer File reference in
the first program at linkage definition time, the linkage
mechanism establishes a correspondence between that
symbolic name and the same BFCW. The method by
which the correspondence between the BFCW and
the symbolic Buffer File references in the programs to
be linked is instrumented, is a function of the particular environment in which the linkage mechanism is
implemented.
The following types of commands are typical of
those which could be used in a programming language
to control the Buffer File mode of operation:
OPEN BUFFER FILE * ALPHA, M, N
WRITE BUFFER FILE * ALPHA
READ BUFFER FILE * ALPHA
COMPLETE BUFFER FILE * ALPHA
Figure 5 - Conceptual representation of buffer file operation

The OPEN command is used by a program to request the linkage mechanism for a Buffer File. Inclusion of M and N enables the programmer to specify
preferred block and file sizes, respectively. The actual
transfer of data to or from a Buffer File is requested by
use of the WRITE and READ commands respectively. The COMPLETE command is used to make
the linkage mechanism aware of the end of the requirement for a Buffer File.
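The BFCW bookkeeping behind these commands can be sketched as follows (Python; class and field names are invented for illustration). Either linked program's OPEN may arrive first, and the linkage mechanism keys the control word by the name equivalence established at linkage definition time, so both programs resolve to the same BFCW:

```python
class BFCW:
    """Buffer File Control Word: markers, sizes, status."""
    def __init__(self, m, n):
        self.read_marker = 0
        self.write_marker = 0
        self.block_size = m            # preferred words per block
        self.file_size = n             # preferred blocks per file
        self.status = "open"

class LinkageMechanism:
    def __init__(self, equivalences):
        # Pairs equated at linkage definition time, e.g. Program A's
        # symbolic name OUT3 equated to Program C's symbolic name IN1.
        self.equivalences = equivalences   # (program, name) -> link id
        self.bfcws = {}                    # one BFCW per Buffer File

    def open_buffer_file(self, program, name, m=1, n=8):
        link = self.equivalences[(program, name)]
        if link not in self.bfcws:         # first OPEN creates the BFCW
            self.bfcws[link] = BFCW(m, n)
        return self.bfcws[link]            # the other OPEN reuses it

    def complete(self, program, name):
        # COMPLETE: end of the requirement for the Buffer File.
        self.bfcws[self.equivalences[(program, name)]].status = "complete"
```

Whichever program issues OPEN second receives the very same control word, which is how the two symbolic names come to denote one Buffer File.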
Although the flow of data through a Buffer File is
unidirectional, bidirectional communication between
two programs can be effected by the establishment of
separate Buffer Files whose directions of data flow
are opposite. Figure 6 illustrates the
logical representation of the use of Buffer Files for
bidirectional inter-program communications.
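This two-file arrangement can be sketched as follows (Python; routine names follow the W and Y of Figure 6, and the squaring function is invented for illustration):

```python
# Bidirectional communication through two unidirectional Buffer Files,
# one per direction, here modeled as simple queues.

from collections import deque

w_to_y = deque()   # Buffer File: W writes, Y reads
y_to_w = deque()   # Buffer File: Y writes, W reads

def program_w(requests):
    for r in requests:
        w_to_y.append(r)            # W may only write this Buffer File

def program_y():
    while w_to_y:
        block = w_to_y.popleft()    # Y may only read this Buffer File
        y_to_w.append(block * block)

program_w([2, 3])
program_y()
replies = list(y_to_w)              # W reads the reverse-direction file
```

Each file remains strictly unidirectional; the pair together gives the two programs a request-and-reply channel.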
Figure 6 also illustrates another important advantage derived from the use of the Buffer File linkage
mechanism. In the event that Program Module Y
does not yield satisfactory results (accuracy, speed
or core space), it may be replaced by a different
program module Y', simply by defining a linkage between Wand Y', and requesting the execution of the
new set of linked programs. No re-assembling is
necessary to accommodate this change, which can be
effected in an "on-line" mode of computer operation.

Implications of the use of buffer files
The characteristics exhibited by the Buffer Files
are such that their application as separate entities
apart from Program String Structures, for which they
were initially conceived, has considerable merit.
Figure 6 - Logical representation of the use of Buffer Files
for bidirectional inter-program communications
With the exception of this synchronization, which
takes place as the data passes through the Buffer
File, the two programs can be executed completely
independently of one another. The computer monitor
system m
Figure 3-3-Item position index directory

physical location of the data. For instance, the Index
Value data and R Value data will be in subordinate
directories of their own, linked to the main Item Position Index by addresses.

ARGUMENT                               FUNCTION

Item Class
Code (ICC)    Term        Item Type  Index Values  Index Code  R Values

1.2           ORDER       FILE
1.2.R         ORDER       RECORD                               5, 10, 12.
1.2.R.1       PO No.      10 CHAR    0-1300        ALL         1, 2, 3, 7.
                                     1301-5000                 4, 6, 8, 9, 11.
1.2.R.2       DUE DATE    12 CHAR    JAN 66        SAME        4, 6, 7, 11.
                                     FEB 66                    1, 2, 3, 8, 9.
1.2.R.3       REQUESTER   VARIABLE   A. SMITH      SAME        2, 4, 9, 11.
                                     H. ALT                    1, 3, 7, 8.
                                     J. JONES                  6.
1.2.R.4       VENDOR No.  10 CHAR                  NONE
1.2.R.5       VALUE       VARIABLE                 NONE
1.2.R.6       ITEM LIST   FILE
1.2.R.6.R     ITEM LIST   RECORD
1.2.R.6.R.1   ITEM No.    6 CHAR                   NONE
1.2.R.6.R.2   QUANTITY    4 CHAR                   NONE
1.2.R.6.R.3   COST        10 CHAR                  NONE

(Link to R Values)

Figure 3-4-Item position index

Figure 3-4 shows the logical relationships between
entries in the Item Position Index. For each ICC in
the argument, there are the following types of associated
information:
(1) Term. The term entry after the ICC makes the
Item Position Index the inverse table of the Term Encoding Table and permits the conversion of an ICC

ture as other records in the same file (e.g., ORDER
Record; 1.2.R). A record may contain other files or
it may contain fields of three kinds. A variable field
(e.g., REQUESTER; 1.2.R.3) is one whose length
changes according to the length of the data in the
field. A fixed field (e.g., DUE DATE; 1.2.R.2) is
always the same length, and the length in characters

is indicated in the function of the Item Position Index.
The Item Type also specifies the mode in which the
data of a field is stored, such as binary, octal, integer,
decimal, floating point, or alphanumeric.
(3) Index Values. It is anticipated that many data
fields will be indexed, thereby permitting searches for
specific fields without having to access large amounts
of data. When a field in a series of records is indexed,
all the different field values in the records are listed
under Index Values in the Item Position Index. If
values are repeated, they need be listed only once. Reference can be made to the values without having to
retrieve the records. An example in Figure 3-4 lists
the field value range of zero to 1300 under the field
called PO No.
(4) Index Code. Three indexing options are available
to a program performing a file updating function. One
option is to index all values which occur in a given
field, whether similar values have been indexed or not
(e.g., ALL, after PO No.; 1.2.R.1). Another option is to
continue to index only those values which have already been indexed in the past (e.g., SAME, after
DUE DATE; 1.2.R.2). The final option is to not index
the field at all (e.g., NONE, after ITEM No.;
1.2.R.6.R.1).
(5) R Values. To give the indexing meaning, the
index values must be directly related to specific fields.
The relationship is provided by means of R Values
which can be substituted for the letter R in the ICC.
For example, Figure 3-4 shows that the term DUE
DATE has an ICC of 1.2.R.2 and that it is an indexed
fixed field. If one wanted to identify an item in this
class which contained the value FEB 66, any of the
R Values 1, 2, 3, 8 or 9 could be substituted in the
ICC 1.2.R.2 for R to give a unique series of integers
which would identify the exact relative (or logical)
position of such a field in the data structure. The
series of integers, with no letter R contained in it, is
called an Item Position Code (IPC).
To demonstrate the use of the Item Position Index
in locating specific fields of data, let us return to the
example started at the beginning of this section. The
ICC obtained from the Term Encoding Table is 1.2.R.3,
and the field desired is called REQUESTER. The value
of the field is specified by the Job Request as being
equal to J. JONES. Assume that the portion of the
Item Position Index given in Figure 3-4 is equal to
a segment. The program searches the argument for the
ICC equal to 1.2.R.3 and checks the term for consistency. The program notices that REQUESTER is
a variable-length field which is indexed. It searches
down the list of Index Values for J. JONES. When J.
JONES is found, the R Value associated with J. JONES
is extracted (in this case, the integer 6) and is sub-

stituted in the R of the record ICC to form the IPC
1.2.6. If more than one R Value exists, the other values
can be used in subsequent searches for more ORDER records having REQUESTER fields with the
value J. JONES. The important fact to notice is that
the IPC is now unique within the whole DM-1 data
structure, and it may now be used to point to the exact
data record desired by the user. (The IPC could have
been used to point to a specific field or bit in the
record.)
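The lookup just traced can be sketched as follows (Python dictionaries stand in for an Item Position Index segment; the contents are copied from Figure 3-4, the function name is invented):

```python
# From a field ICC and a desired field value, substitute each R Value
# for the R of the record ICC to form unique Item Position Codes.

index_values = {
    "1.2.R.3": {"A. SMITH": [2, 4, 9, 11],
                "H. ALT": [1, 3, 7, 8],
                "J. JONES": [6]},
}

def record_ipcs(field_icc, value):
    record_icc = field_icc.rsplit(".", 1)[0]   # 1.2.R.3 -> 1.2.R
    return [record_icc.replace("R", str(r))
            for r in index_values[field_icc][value]]
```

`record_ipcs("1.2.R.3", "J. JONES")` yields `["1.2.6"]`, the unique IPC of the one ORDER record requested by J. Jones.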
The problem of conducting Boolean searches for
records meeting certain criteria can now be discussed with some understanding of the mechanism
by which the searches may be conducted. Suppose
that a Job Request wants all Order Records which
have a purchase order number less than 1300, which
are due in February, 1966, and which were requested
by Mr. A. Smith. The program can examine the three
fields, PO No., DUE DATE, and REQUESTER, for
the desired Index Values. The list of R Values corresponding to these Index Values can be extracted and
compared for any integers in common. In the case
shown by Figure 3-4, the integer 2 is common to all
three desired values. Hence, the R of ICC 1.2.R. can
be replaced by 2, and the record identified by IPC
1.2.2 may be retrieved from random-access storage
with full assurance that it meets the criteria of the
Job Request Query. In this manner, the Item Position
Index can be manipulated to determine what records
are desired without having to fetch from storage any
more records than those which exactly fit the criteria.
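The Boolean search reduces to a set intersection, sketched here (Python; R Value lists copied from Figure 3-4):

```python
# Intersect the R Value lists of the three desired Index Values; the
# surviving integers identify exactly the records meeting every
# criterion, so only those records need be fetched from storage.

r_value_lists = [
    {1, 2, 3, 7},        # PO No. in 0-1300
    {1, 2, 3, 8, 9},     # DUE DATE = FEB 66
    {2, 4, 9, 11},       # REQUESTER = A. SMITH
]

common = set.intersection(*r_value_lists)
ipcs = ["1.2.%d" % r for r in sorted(common)]   # records to retrieve
```

Here `common` is `{2}`, so the single qualifying record is IPC 1.2.2, as in the example above.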
DM-1 files can be dynamic, with constant addition,
deletion, and change. The Item Position Index is the
logical place to keep track of how many records are
contained in each file and of what gaps may exist in
the logical structure of the file. Normally, an entry
occurs in the R Value column of the Item Position
Index only for indexed fields, but record fields are
an exception. Figure 3-4 shows three integers in the
R Values portion of the function for ORDER (1.2.R).
The last integer (12) gives the R Value which should
be used for the next record added to the file. Thus, the
number of records in the file may be calculated by
subtracting one from the last integer. The first (i.e., 5)
and the second (i.e., 10) integers indicate R Values
which were once part of the file but which have been
deleted and not reused. New additions to the file can
receive R Values for their IPC's by means of the entries
in this column.
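The record-ICC entry 5, 10, 12 can be read as a small allocation table, sketched here (Python; reusing a vacated R Value first is an assumption for illustration, since the text says only that new additions draw their R Values from this column):

```python
# The leading integers of the entry are vacated R Values (deleted and
# not reused); the final integer is the next new R Value to assign.

def assign_r_value(entry):
    *vacated, next_new = entry
    if vacated:
        # reuse a vacated R Value and keep the rest of the entry
        return vacated[0], vacated[1:] + [next_new]
    # no gaps: take the next new value and advance it
    return next_new, [next_new + 1]
```

`assign_r_value([5, 10, 12])` returns `(5, [10, 12])`; with no vacated values, `assign_r_value([12])` returns `(12, [13])`.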
Two sets of statistics are retained in the Item Position Index to keep track of system usage. The first
is a tally kept for each time a field value is used in a
conditional search. Periodic analyses of these tallies
permit the data base manager to unindex those values

which are seldom used, thereby conserving storage
space. The second is a tally kept for each time a field
is accessed, whether conditionally or as a result of
serial processing. These tallies help to show the usage
relationships between data items and aid the data base
manager when he restructures data for more efficient
processing.
When files are placed within the records of other
files, multiple R's are found in the ICC's, and some
complexities arise. For instance, a single set of integers
is not sufficient to show the R Values for a single ICC,
because the ICC now has multiple R's in it. Since each
R represents a multiple number of records, the possible
number of integer sets grows exponentially with each
new R in the ICC. The problem of organizing the
sets of R Value integers can be solved by linking with
addresses each integer of the first set to its appropriate
second level set, and so on down the hierarchy of R
levels in the ICC.
There are several outputs which can be derived from
the Item Position Index. The Item Position Code is
the major output because it may be used to point
directly to the data field being sought. The Item Type,
another output, is also important because it describes
the nature of the field being dealt with, such as the field
length in the case of a fixed field.
A number of possible error conditions may be encountered while manipulating the Item Position Index:
the desired ICC may not exist in the argument; the term
in the Item Position Index may not agree with its
counterpart in the Term Encoding Table; the field,
for which a value was given on input, may be found
to be unindexed; and many other possible internal inconsistencies. The output from the error conditions
will depend entirely on the operating policy of the
system at the time of implementation.
In this case, the output is an IPC with the value
1.2.6.

Segment name list
Looking up the name of the segment containing the
desired data is the next step in locating the desired
ORDER record. The names are kept in the Segment
Name List. The parameter required to use the Segment
Name List is a single IPC, which is used to request
from the I/O Control Program the segment which contains the desired item.
As the data base grows, the Segment Name List
may become large enough to require its own Directory.
The Segment Name List Directory will be brought into
core memory, if it is not already there. The argument
of the Directory is a list of the first IPC in each segment of the Segment Name List (see Figure 3-5). The
function is the name for each segment of the Segment


Name List. The Segment Name List is brought into
core memory, just as the Term Encoding Table was,
selecting the segment with the next lower argument
closest to the IPC being sought.
SEGMENT NAME LIST DIRECTORY

ARGUMENT                        FUNCTION
(First IPC in Each Segment      (Segment Name)
of the Segment Name List)

→ 0                             4968431
  1.5.157.2                     M268828
  2.2.4.24.6                    9206307

SEGMENT NAME LIST

ARGUMENT                        FUNCTION
(First IPC in Each Segment      (Segment Name)
of the Data Base)

  0                             6984320
  1.1.2.5                       7032694
→ 1.2.4.1                       8268215
  1.2.11.4.19.3                 4394762
  1.3.7.4                       1147238
  1.3.84.1                      6468945
  1.3.112.6.1                   2325464

Figure 3-5-Segment name list directory and
segment name list

The Segment Name List is exactly like the Segment
Name List Directory, only much larger (see Figure
3-5). Whereas the Directory argument has the first
IPC of each Segment Name List segment, the Segment
Name List argument has the first IPC of each data
base segment. In essence, the Segment Name List is
an extension of its own directory. Only directories can
be ordered from the Local Control Program without
using the Segment Name List, and this ordering is
done through a directory which, in reality, is a small
Segment Name List.
In our test case, the IPC desired is 1.2.6. The routine
orders the first segment of the Segment Name List with
the Segment Name of 4968431 (see the top arrow in
Figure 3-5). The Segment Name List Segment brought
into core memory looks something like the bottom table
in Figure 3-5. The Segment Name List is used to select
the data segment which contains IPC 1.2.6. In this
case, the segment begins with IPC 1.2.4.1 and has a
Segment Name of 8268215 (see the bottom arrow).
The Segment Name is transmitted to the I/O Control
Program, and an interpretive request is given the I/O
Control Program to retrieve the data segment.
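The "next lower argument closest to the IPC" selection can be sketched as follows (Python; entries copied from Figure 3-5, function names invented). IPCs compare component by component, so 1.2.6 sorts below 1.2.11:

```python
# Select the last Segment Name List argument not exceeding the target
# IPC; its function is the name of the segment holding the data.

import bisect

segment_name_list = [
    ("0", 6984320), ("1.1.2.5", 7032694), ("1.2.4.1", 8268215),
    ("1.2.11.4.19.3", 4394762), ("1.3.7.4", 1147238),
    ("1.3.84.1", 6468945), ("1.3.112.6.1", 2325464),
]

def ipc_key(ipc):
    # tuples of integers compare lexicographically, component by
    # component, which is exactly the IPC ordering needed
    return tuple(int(part) for part in ipc.split("."))

def find_segment_name(ipc):
    arguments = [ipc_key(arg) for arg, _ in segment_name_list]
    i = bisect.bisect_right(arguments, ipc_key(ipc)) - 1
    return segment_name_list[i][1]
```

`find_segment_name("1.2.6")` returns `8268215`, the segment beginning with IPC 1.2.4.1, matching the bottom arrow of Figure 3-5.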
The Segment Name List also contains a Usage field
to hold data on the number of times the segment has
been retrieved in the last statistical data period. Analysis
of this data will permit optimal use of the various
storage media of the computer center.

Segment index
The final step in locating the data is made with the
help of the Segment Index at the head of the segment
containing the data. The major parameter for using the
Segment Index is the IPC which is being sought. Another parameter is the Item Type (showing the length of
the field, if it is a fixed field). A third parameter shows
the beginning address of the segment in core memory.
In actuality, the portion of the Item Position Index
already referred to is another parameter, because the
Segment Index and Item Position Index are used in
conjunction with each other to locate the data item.
A segment will be divided into four parts: a heading,
a segment index, data, and vacant space. Except for the
heading, the proportion of each part will vary, depending on how much data exist in the block and on how
much indexing data are required to access the data.
To illustrate how the search would proceed, let us
first consider what the string of data in the recently
retrieved segment might look like. Figure 3-6 uses some
symbols to show the various types of items and their
logical relationship in the data structure. Although the
symbols are shown on four lines, the items should be
considered as one continuous string of data. The IPC
for each item has been posted under the item, for
visual reference. It will be noticed that the data string
begins the segment and that the IPC value of 1.2.4.1
corresponds with the starting IPC of the segment just
retrieved by means of the Segment Name List.

[Figure 3-6: the segment is laid out as Heading, Segment Index, Data, and Vacant space. The data string contains:

[1.2.4.1] = A    [1.2.4.4] = B    [1.2.4.4.1.1] = C    [1.2.4.4.1.3] = D
[1.2.6.1] = E    [1.2.6.4] = F    VACANT = G

NOTE: A set of brackets represents an address of a location containing the data named by the IPC in the brackets. A capital letter represents a data address.]

Figure 3-6 - Graphic description of a data string

The DM-1 design specifies that the Segment Index
consists of a list of addresses showing the starting position of data fields in the segment. Figure 3-7 shows a
[Figure 3-7: a sample Segment Index for the segment beginning at IPC 1.2.4.1. The entries cover the fields of the purchase order records (PO No., Due Date, Requester, Vendor No., Value, Item No., Quantity) at IPCs 1.2.4.1 through 1.2.6.5; only the circled addresses of Figure 3-6 appear in the index. The legend distinguishes files, records, fixed fields, fixed field series, and variable fields.]

Figure 3-7 - Sample segment index

sample Segment Index. The first address always shows
the start of the data area (i.e., address A) and is
relative to the beginning of the segment. The following
addresses (i.e., B-F) point to subsequent data fields
and are relative to the beginning of the data area. The
final address in the Segment Index (i.e., address G) is
always the end of the data area or the beginning of the
vacant area. However, only those addresses that are
vital to the process of locating data are included in
the Segment Index. A series of fixed fields, for instance,
needs only the starting address of the series, because
the starting addresses of the rest of the fixed fields in
the series can be calculated from the Item Position
Index. Normally, only the end of variable or optional
fields need be indicated. In Figure 3-6, the IPC addresses needed to scan the data have been circled. The
other addresses need not be carried in any index, and
it will be noticed that in Figure 3-7 only the circled
addresses have been included in the Segment Index.
The basic logic for locating data in a segment is to
use the Item Position Index to calculate where the
desired address is in the Segment Index. The program
starts with the ICC in the Item Position Index which
corresponds to the IPC at the start of the segment. The
program steps through the Item Position Index, while
keeping count of how many addresses there should be

in the Segment Index up to that point. When it gets
to the desired IPC, the program goes directly to the
Segment Index and counts down through the index the
same number of addresses to the desired address. This
address points to the data with the specified IPC,
thereby completing the retrieval function.
Normally, the program need go to the segment
itself only once to fetch the data. If an optional field
is discovered in the Item Position Index, however, the
program must go to the data to see if the field actually
exists.
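The counting procedure above can be sketched in modern terms. The Python fragment below is an illustrative reconstruction, not DM-1 code: the structures `item_position_index` and `segment` are invented stand-ins for the real directories, and the `carries_address` flag marks the "circled" entries that actually appear in the Segment Index.

```python
# Hypothetical sketch of the Segment Index lookup described above.
# The Item Position Index is stepped through in ICC order, counting
# how many Segment Index addresses precede the target IPC; that same
# count then indexes directly into the Segment Index.

def locate_item(segment, item_position_index, start_ipc, target_ipc):
    """Return the address (offset) of target_ipc within the segment."""
    count = 0
    started = False
    for entry in item_position_index:
        if entry["ipc"] == start_ipc:
            started = True          # begin counting at the segment's first IPC
        if not started:
            continue
        if entry["ipc"] == target_ipc:
            break
        if entry["carries_address"]:   # only "circled" entries are indexed
            count += 1
    else:
        raise KeyError(target_ipc)
    return segment["index"][count]

segment = {"index": [0, 14, 30, 52, 71, 88]}   # relative data addresses
ipi = [
    {"ipc": "1.2.4.1",     "carries_address": True},
    {"ipc": "1.2.4.4",     "carries_address": True},
    {"ipc": "1.2.4.4.1.1", "carries_address": True},
    {"ipc": "1.2.4.4.1.3", "carries_address": True},
    {"ipc": "1.2.6",       "carries_address": True},
]
print(locate_item(segment, ipi, "1.2.4.1", "1.2.6"))  # the fifth address
```

With the sample values, four carried addresses precede IPC 1.2.6, so the fifth Segment Index address is selected, as in the worked example that follows.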
To see how the process operates, let us follow the
logic of how the data for IPC 1.2.6 is retrieved. The
program knows from the Segment Name List Directory that the segment begins with IPC 1.2.4.1 and
that the first address of the Segment Index will point
to that data field. The program consults the Item
Position Index for the Item Class Code which corresponds with 1.2.4.1. It is found to be 1.2.R.1. The
R Values for the file ORDER show that the fourth
record is a legitimate member of the file because no
4 appears under R Values to show that the fourth
record is missing. The program notices that the first two
fields are fixed, followed by a variable field, and the
program deduces that a second address in the Segment
Index will be required to point to the end of the
variable field called REQUESTER or to the beginning
of a fixed field called VENDOR No. Further, the
program deduces that a third address will be required
to point to the end of a variable field called VALUE
or the beginning of a possible file called ITEM LIST.
A link to a subsidiary list of second level R1 Values (not
shown in Figure 3-4) supplies the information that
only one record exists in the ITEM LIST File when
the first R in the ICC is equal to 4. The program
deduces that a fourth address in the Segment Index
must indicate the end of the QUANTITY field and the
beginning of the COST field (IPC 1.2.4.4.1.3). A fifth
address is needed to signal the end of the COST field,
because it is variable, and the end of that inner file and
record. It is also known that the fifth address skips to
the beginning of record 1.2.6, because the Item Position Index R Values for ICC 1.2.R. state that record
1.2.5. does not exist in the file.
Since IPC 1.2.6 represents the desired record, the
program can now turn to the Segment Index and
select the fifth address in the index. The program can
go to the data location in the segment which has that
address, and the program will be positioned at the
start of the desired record. The end of the record
can be determined by finding the address which starts
the next record, using the same procedure as described
above. The intervening data may be retrieved, thereby
completing the search process.


IV. DM-1 job requests
General
An important feature of DM-1 is its ability to respond
to Job Requests, either immediately upon entry or
after they have been stored in the system for a period
of time. Much of the operational power of DM-1 is
achieved by permitting users to sequence and link
generalized programs by means of Job Requests. The
remainder of this section covers a general concept of
what happens within the system when each of the five
job types is initiated.
Item definition request
An Item Definition Request can be used either to
add or to delete the definition of items in the file
structure. Changes are effected by means of a deletion
followed by an addition which represents the correct
version. The input to the system from an Item Definition Request which adds a definition will originate on
a standard input form. The user will show the relationships between items and subitems by the use of indentations on the form, which may be tabbed. The item
definitions will be keypunched to show the number
of indentations for each entry.
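The indentation-to-tree-code step can be sketched as follows. This is an illustrative reconstruction (the function name and record layout are invented), assuming well-formed input in which each entry is at most one level deeper than its predecessor.

```python
# Illustrative sketch: deriving a hierarchical tree code for each item
# from the indentation level keypunched for its entry on the form.

def assign_tree_codes(entries):
    """entries: list of (indent_level, term). Returns (tree_code, term) pairs."""
    counters = []        # running child counter at each depth
    result = []
    for depth, term in entries:
        del counters[depth + 1:]          # leaving a deeper level resets it
        if len(counters) <= depth:
            counters.append(0)            # first entry at a new depth
        counters[depth] += 1
        code = ".".join(str(n) for n in counters[: depth + 1])
        result.append((code, term))
    return result

form = [(0, "ORDER"), (1, "PO NO"), (1, "DUE DATE"),
        (1, "REQUESTER"), (2, "NAME")]
print(assign_tree_codes(form))
```

Because the form is entered in hierarchical order, the resulting records come out already sorted by tree code, which is what lets the Item Position Index be updated with a single clustered insertion.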
Upon receipt of the definition data, the Supervisor
program begins executing the program in the Add
Item Definition job. The programs step through the
terms of the input and note the logical relationships
between terms. A series of records is created containing each term and its associated interim tree code,
along with other information intended for inclusion in
the Item Position Index, such as indexing code or
Fixed-Field Length. The items in the records will
automatically fall into order by tree code, because the
input of the Item Definition Job Request would be in
hierarchical order. The base node is checked to be
sure it exists in the directory and that it can be used
as a foundation for further expansion.
Separate records are prepared for each of the items.
They are sorted by term name for the purpose of updating the Term Encoding Table. The original set of
records is in ICC order, and it is used to update the
Item Position Index by means of a single insertion,
since the ICCs are in a cluster. A generalized print
routine can be called upon to print out both series of
records for manual accuracy checking and for updating
manual records of the Term Encoding Table and the
Item Position Index.
For deletions to the directories, a different process
is employed. The last item in the input of the Job
Request names the item to be deleted. In addition, all
other items which are subsumed by the named item
are to be deleted. The Term Encoding Table and the


Item Position Index are used to create the ICC of the
item named for deletion. The entry in the Item Position
Index is inspected for the item to be deleted and for
all lower items in the same tree code branch (i.e.,
having the same ICC root). If the index shows that data
exist in the data base for any of these items, an error
condition is considered to exist because the definition
for existing data must not be deleted. Data must
not be permitted to exist in the data base without
being properly defined. Thus, if data exist, the definition is not deleted, and a printout is prepared for the
person initiating the Job Request instructing him to
delete the data first if he wishes to delete the item
definition.
If no corresponding data are found to be associated
with the named item and its subsidiary items, the
entries for the items are deleted from the Item Position Index. Pertinent items are deleted from the
Term Encoding Table, and a printed audit trail of deleted items is prepared.
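The deletion rule lends itself to a short sketch. The dictionary below is a hypothetical stand-in for the Item Position Index; the prefix test on the ICC string models "same tree code branch."

```python
# Minimal sketch of the deletion rule described above: a definition
# (and everything beneath it) may be removed only if no data exist
# for any item in that branch of the tree.

def delete_definition(item_position_index, root_icc):
    """Delete root_icc and its subtree; refuse if any item holds data."""
    branch = [icc for icc in item_position_index
              if icc == root_icc or icc.startswith(root_icc + ".")]
    if any(item_position_index[icc]["has_data"] for icc in branch):
        # Data must never exist in the data base undefined: refuse,
        # and (in the real system) tell the requester to delete the
        # data first.
        return False
    for icc in branch:
        del item_position_index[icc]
    return True

ipi = {"1.2":   {"has_data": False},
       "1.2.4": {"has_data": False},
       "1.3":   {"has_data": True}}
print(delete_definition(ipi, "1.2"), sorted(ipi))
```

The branch whose root is "1.2" is removed because it holds no data, while a request against "1.3" would be refused and reported on the audit printout.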

Data entry request

The Data Entry Request may be used either to add
data to or to delete data from the data base. With
additions, the data are not converted from one logical
structure to another, but they are translated from one
physical structure to the IMS physical structure so that
they can be incorporated into the data base. Data may be
added in anyone of four modes, as specified by the
Data Entry Request (see the top half of Figure 4-1).
The four modes are as follows:
(1) Defined-External Mode. This mode requires that
an Item Definition, describing the data to be entered,
has already been entered into the system and has been
incorporated in the system directory. The data are entered in external format; that is, the data are manually
formatted and named by a data specialist using a
simple input worksheet.
(2) Undefined-External Mode. This mode has the
same external format as the Defined-External Mode, but
it does not contain a definition of the data being entered. Consequently, the definitions, in the form of an
item image, must precede the data on the input medium.
(3) Defined-Internal Mode. This mode requires that
a complete definition of the data be included in the
system directory before the data are entered, just as in
the Defined-External Mode. The format of the data,
however, is different. The internal format is defined as
being synonymous with the segment format used in the
data segments of DM-1. Internally formatted data come
in increments of a segment and have their own segment
index at the beginning of each segment. The data are
entirely dependent on the system directory for data
identification and processing.

Data Format:
                               External                    Internal
Item Definition:
  Defined                 1) ADD EXTERNAL            3) ADD INTERNAL
  (in system directory)
  Undefined               2) DEFINE AND ADD          4) DEFINE AND ADD
  (entered with the data)    EXTERNAL                   INTERNAL

User inputs arrive by console or tape.

Processing Actions:
1) Convert external data to internal format; add internal data to data base.
2) Convert external item image and data to internal format; merge internal
directory with system directory; add internal data to data base.
3) Add internal data to data base.
4) Merge internal directory with system directory; add internal data to
data base.

Figure 4-1 - Data entry modes

(4) Undefined-Internal Mode. The last of the four
modes does not require that the system contain the
definition of the data to be entered, because, like the
Undefined-External Mode, it contains its own definition.
The data are in internal organization but the data also
have a local Term Encoding Table and Item Position
Index heading the blocks of data on the tape.
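The four modes reduce to a 2 x 2 choice, which can be sketched as a small dispatch. The mode vocabulary is from the text; the function itself is invented for illustration.

```python
# Illustrative dispatch over the four data entry modes of Figure 4-1.

def entry_actions(data_format, defined):
    """data_format: 'external' or 'internal'; defined: True if an Item
    Definition is already held in the system directory."""
    actions = []
    if data_format == "external":
        # externally formatted data must first be translated
        actions.append("convert external data to internal format")
    if not defined:
        # the definition rides with the data and must be merged in
        actions.append("merge incoming directory with system directory")
    actions.append("add internal data to data base")
    return actions

print(entry_actions("external", defined=True))   # Defined-External Mode
```

Defined-Internal data, already in segment format with its own segment index, needs only the final step; every other mode adds conversion, directory merging, or both.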

Program entry request
Compiled program code will be entered into the system according to established local conventions, and
these programs will be called at execution time by
means of the IOCS. Descriptions of the programs, however, are entered into the DM-1 directory for the purpose of inventory control and for internal checking to
be certain that Job Descriptions are compatible with the
programs they call on. The task of the Program Entry
Request is to add or delete a Program Description from
the Program Description List.
For an example of how a Program Entry Request
might look, the reader is referred to the top portion of
Figure 4-2. The example says, in English, "I want to
enter two Program Descriptions into the system. My
name is Jones and my identification number is 87. The
deadline for entering the program is 9:30 AM on February 13. I wish to add to the Program Description List,
and the Program Description will follow on the console.
The first program I wish to enter is called ORDER
SEARCH. The first input parameter of ORDER
SEARCH is called REQUESTER, and REQUESTER
must be an alphanumeric which is of variable length.


PROGRAM ENTRY REQUEST:

Job:   PROGRAM ENTRY REQUEST, JONES 87, 0930-13-FEB;
       ADD PROGRAM; CONSOLE.
Data (Program Descriptions):
       JONES 87; ORDER SEARCH INPUT (A, V, REQUESTER) (A, 10, VENDOR)
       RESULTS (F, SEARCH PRODUCT);
       VALUE ANALYSIS INPUT (F, ANALYSIS DATA)
       RESULTS (F, ANALYSIS PRODUCT)

JOB ENTRY REQUEST:

Job:   JOB ENTRY REQUEST, JONES 88, 0930-13-FEB;
       ADD JOB; CONSOLE.
Data:  JONES 88; JOB ONE: ORDER SEARCH
       INPUT REQUESTER; *ALPHA, VENDOR; RCA
       RESULT SEARCH PRODUCT; OUT
       VALUE ANALYSIS INPUT ANALYSIS DATA; OUT
       RESULTS ANALYSIS PRODUCT; TOTAL VALUE/
       (A, V, ALPHA).

JOB RUN REQUEST:

Job:   JOB RUN REQUEST, JONES 89, 0930-13-FEB; CONSOLE.
Data:  JONES 89; JOB ONE (ALPHA = "SMITH").

GRAPHIC ILLUSTRATION OF PROGRAM SEQUENCE:
[diagram not fully recoverable; the surviving labels are ANALYSIS PRODUCT and TOTAL VALUE]

Figure 4-2 - Sample job requests

The second input parameter of ORDER SEARCH is
called VENDOR, and VENDOR must be an alphanumeric which is ten characters long. There is only one
result (i.e., output) parameter for ORDER SEARCH,
and it is a file called SEARCH PRODUCT. The second
program I wish to enter is called VALUE ANALYSIS
and it has only one input parameter which is a file
called ANALYSIS DATA. VALUE ANALYSIS has
only one result parameter, and it is a file called
ANALYSIS PRODUCT."
The basic functions of the Program Entry Request
Routine may be summarized as follows:
(1) To associate a name with a program so that it
may be called at a later time.
(2) To define the prerequisite parameters of a program so that the parameters given in any program
description which calls for the program may be
checked for format and completeness before the
program is run.

Job entry request
The basic functions of the Job Entry Request are as
follows:
(1) To check the consistency, accuracy, and completeness of an incoming Job Description by comparing it with the Program Descriptions to which
the Job Description has referred.


(2) To merge a valid Job Description with the Job
Description List so that it may be used at a later
time for running a job.
The basic functions of a Job Description are as follows:
(1) To name the programs which must be run in
order to accomplish the task assigned to the job.
(2) To specify the sequence in which the programs
should be run.
(3) To specify the values or names required by the
input parameters of the program to be used in
the job, or to specify that the values or names
will be given by the Job Run Request at a later
time.
(4) To specify the names of portions of data resulting
from the program so that these output parameters
may be referred to and used by subsequent programs that have the same names specified in
their input parameters.
(5) To specify the names of multiple program exits
so that programs may be linked by the Job Manager of the Supervisor Routine according to various contingencies.
The Job Entry Request provides the raw data for a
Job Description. An example of a Job Entry Request
may be seen in Figure 4-2. Aside from the usual header
information, the request says, "I would like to enter a
Job Description into the system via the console." The
job is called JOB ONE, and it calls for the running of
two programs. The first program is called ORDER
SEARCH. I do not wish to give a value at the present
time to the first input parameter of ORDER SEARCH
called REQUESTER. The value of REQUESTER will be
named at execution time (when a Job Run Request
calls for the job), so I will give it the job parameter
name of ALPHA, and I will put an asterisk in front of
the name to distinguish it from a value. I wish to assign
the value RCA to the second input parameter called
VENDOR. The second program is called
VALUE ANALYSIS. I want to assign the name OUT
to the input parameter, which the program VALUE
ANALYSIS has called ANALYSIS DATA. (This assignment will connect it to the result parameter of
ORDER SEARCH.) I want to assign the name TOTAL
VALUE to the job result parameter, which the program VALUE ANALYSIS has called ANALYSIS
PRODUCT. Since a value has not been supplied to the
job input parameter called ALPHA (the program parameter called REQUESTER), I will place a description of
the parameter requirements at the end of the Job Description for reference independent of the program. The
requirement is that the parameter be a six-character
alphanumeric.
The Job Entry Request processing requires that all
programs referred to by a Job Description be entered
into the system before the Job Entry Request is processed. Processing takes the following form:
(1) The Program Descriptions associated with the
Job Description are retrieved from the Program Description List. Any missing programs signal an error
condition which terminates the routine. The Program Descriptions of both the Program ORDER SEARCH
and the Program VALUE ANALYSIS are brought
into core memory.
(2) The input and results parameters given in the
Job Description are compared with their counterparts
in the Program Descriptions to ensure that all parameters have been accounted for.
(3) At the same time, the limitations imposed on the
parameters by the Program Descriptions are checked
against the nature and format of the parameters given
by the Job Description. For instance, the second parameter of the Program ORDER SEARCH, called VENDOR, must be an alphanumeric because the letter A is
given. On checking the Job Description for the Program ORDER SEARCH, the routine finds the value
RCA given. The value is an alphanumeric and satisfies
the limitation. A number of the subroutines used to
perform the above two tasks can be shared between
the Program Entry Request Routine and the Job Entry
Request Routine.
(4) One of the most important tasks of the routine
is to scan the Job Description parameters for consistency to be certain that the result parameters specified
match the input parameter requirements. For example,

the result parameter, SEARCH PRODUCT, from Program ORDER SEARCH is called OUT. The routine
scans for a matching input parameter which, in this
case, is the parameter, ANALYSIS DATA, of the Program VALUE ANALYSIS. Once the match is determined, the limitations are compared. Any result or
input parameters which require mates, but which do not
have them, or which have improperly written mates,
are printed out for subsequent correction.
(5) Any parameters which are unspecified at the time
of Job Description entry are formatted at the end of
the description for easy checking when they are specified by a Job Run Request.
Once the Job Description has been thoroughly
checked and has been found to be valid, the routine
calls in the proper segment of the Job Description List
so that the new entry can be merged into the List, using
the Job Name as the primary sort key. The entered Job
Description is printed out for manual corroboration and
for use as an audit trail.
The deletion of a Job Description from the Job
Description List is a relatively simple task because no
other portion of the system is functionally dependent
upon it. Only a Job Run Request, as it is being introduced to the system, is dependent on a Job Description,
and the Job Run Request is rejected immediately if
the proper Job Description is not in the system.
Consequently, the Job Entry Request Routine can delete a Job Description by retrieving it from the Job
Description List and restoring the List without the Job
Description. The name of the job must be deleted from
each Program Description that is referred to by the job.

File management on a small computer:
the C-10 system*
by GILBERT STEIL, JR.
The MITRE Corporation
Bedford, Massachusetts

INTRODUCTION
C-10 is a general purpose file management system
that has been implemented by The MITRE Corporation for the IBM 1410. It is of interest for two reasons: first, it is one of the most flexible file management systems ever attempted for a machine the size
of the IBM 1410; and second, the conditions surrounding its implementation have produced a design
for a large system of programs that displays some uncommon and useful characteristics. These uncommon
characteristics include a strong affinity for redesign;
a framework for debugging that eliminates the need
for memory dumps, symbolic snapshots, and other
conventional debugging aids; and an adaptability to
machines of various memory sizes and configurations
without reprogramming.
Our purpose in presenting this paper, therefore,
is twofold: to describe the C-10 file management system, and to relate the experience of its unusual implementation.
Evolution

Work on the C-10 system was started in December
of 1964, and was originally slated to terminate six
months later in June of 1965. "C-10" originally stood
for "COLINGO-10" and was intended to be an improved version of a small general purpose file management system named "COLIN GO" which MITRE
had developed earlier. In return for a slightly larger
machine (the IBM 1410 instead of the IBM 1401,
on which COLINGO operates), some increased
flexibility was expected. In particular, the design
goals for C-10 included the following capabilities
that COLINGO did not provide: cross-file referencing, multi-level files (files in which property values
may be filed), an improved means of generating new
*The material contained in this article has been approved for
public dissemination under Contract AF19(628)-5165.

files, more elaborate facilities for generating formatted
reports, and increased speed for complex operations. An important restriction at that time, which
must be noted now, was that the work was to be completed in no more than six months.
The designers examined the problems of achieving
these improvements within the COLINGO software
framework with the available manpower in the available time, and decided it was impossible. Several
other approaches to implementing an improved
COLINGO on the IBM 1410 were then investigated. The adopted approach was to start from scratch
and build a LISP-like interpreter defined over a
single data structure, with the intent of programming
90 percent of the system in the language of the interpreter. This approach, while thought to be a long
shot, was made inviting by what appeared to be an
ideal data structure both for general system use and
as a basis for building files. This data structure is
now known as "streams" (see Appendix II). The
stream structure was thought to be suitable for modeling files because it is possible to take advantage of a
specialized instruction of the IBM 1410 (LLE:
Lookup on Less than or Equal) to implement an important primitive operation in one instruction.
System analysis and design took place in two weeks.
A work schedule was drawn up, and work was begun.
For the first six to eight weeks the schedule was
rigorously maintained. After a few weeks, the IOCS
module was operating, slightly later the disk allocator
was debugged, and soon the relocatable subroutine
controller was working. In the meantime, as a result
of other work, the bulk of the system had been coded
in the LISP-like interpretive language. Then, about
three months into the project, a large snag was encountered. At this time the LISP-like interpreter
became operational and some of the interpretive programs were checked out. Debugging the logical flow
of the interpretive programs went smoothly enough,
and if the only concern had been the logic of these
programs, the tight schedule could have been met.
But performance was also important, and unfortunately the performance of these programs was off by not
just a mere factor of two or three, but by several
orders of magnitude. For example, a subroutine in
one of the language translators consumed not an intended 10 milliseconds of time, but 3 or 4 seconds!
Soon it was realized that disruptions to the work
schedule due to the performance problem would not
allow a product to be delivered on time. But as hopes
for meeting the schedule were dimmed, considerable
interest in surmounting the performance problem,
and in the system design in general, was generated.
As a result, the C-I0 project evolved into an experiment in system design and modification which continued not only for the remainder of the originally
scheduled six months, but for an additional fourteen
months afterward. During this additional time the
system underwent many experiments in restructuring, which included: redesigning and recoding important primitive operations; replacing one data
structure with another; writing a compiler for translating the LISP-like language into machine language;
replacing LISP-like programs with machine-language
equivalents; and replacing machine language programs with LISP-like equivalents. At the end of this
period the performance of the system had been
brought up to a satisfactory level, and the system had
evolved into a flexible environment for file management based on several data structures and written in
several languages.
At the present time no further development work
is contemplated, but the system is being maintained
and used experimentally on both the IBM 1410
and the IBM 360/40 (under emulation).
File management
General purpose file management systems are
characteristically directed toward a user with routine
data processing problems involving large files of information. They are designed on the basis of a generalized file structure, and consist of a set of generalized file management functions, embedded within
an operating system. These generalized file management functions usually include:
(a) generation of structured files from any machinable data
(b) maintenance and updating
(c) retrieval of selected data
(d) generating formatted reports
(e) operations involving combinations of the
above

Thus, it is intended that users of the system need
not program their problems from scratch, but need
only supply an appropriate set of parameters to the
already existing generalized tools. Several general
purpose file management systems have been implemented for machines of various sizes, or are now in
the implementation process. These include ADAM1
on the IBM 7030, LUCID2 on the AN/FSQ-32V,
and GIS3 on the IBM 360.
The C-10 generalized file structure can be described
as follows: A file is a linear sequence of objects.
Associated with a file is a set of properties common
to all objects. Each object contains a set of property
values. For example, a CUSTOMER ORDER file
might have associated with it the set of properties
ORDER NUMBER, CUSTOMER, TOTAL LIST
PRICE, and ITEM. Each object of the file contains
a property value for each of the properties; for example, 3246, SAMPSON, 3018.30, etc. (See Figure
1).

Each property has a value type, which remains
the same throughout the file. The type of a property
may be integer, string, floating, group, etc. If a
property has type group, the property values for that
property are themselves entire files (see, for example,
ITEM, in Figure 1). In this manner, files can be nested
within files to any level. This structure is sometimes referred to as an "N-level file structure."
Properties may have additional attributes, such as
length for strings, formats for printing, etc. All C-10
files reside on disk, although it is possible to save
them on tape.
Most file management systems are organized into
modules or phases along the lines suggested earlier,
that is, into generation, updating, retrieval, and so
forth. This frequently leads to inefficient processing
in the case that a task is not a simple generation,
update, or retrieval, but is some combination of these
operations. This is 'because each separate operation
involves at least one access to a file and sometimes
an entire pass through a file. In some systems, separate languages are even used to describe the separate
processes. In summary, the traditional approach to
file management systems is to pass the data base
over each procedural module as many times as are
necessary to achieve the desired operation.
C-10 file processing is a departure from this tradition. In C-10 it is possible to pass the entire procedure
base over each data module. Here is how this works:
In C-10 a single language, PROFILE, is used to express all file management functions. The PROFILE
user can manipulate as many files as he wishes simul-


STRUCTURE DESCRIPTION OF THE CUSTOMER ORDER FILE:

CUSTOMER ORDER
    ORDER NUMBER (INTEGER)
    CUSTOMER (STRING)
    TOTAL LIST PRICE (FLOATING)
    ITEM (GROUP)
        ITEM NAME (STRING)
        INCREMENTAL COST (FLOATING)

TABULAR DESCRIPTION OF THE CUSTOMER ORDER FILE, WITH VALUES GIVEN:

3246    SAMPSON    3018.30
        2 DR. SEDAN                 2680.00
        AUTOMATIC                    281.50
        RADIO                         56.80
3251    FLINGER    3042.45
        2 DR. COUPE                 2640.00
        4 SPEED TRANSMISSION         290.80
        DISC BRAKES                   81.90
        HEAVY DUTY SUSPENSION         13.80
        FAST MANUAL STEERING          12.70
        HEAVY DUTY STOCKS              3.25

Figure 1 - Example of a C-10 file

taneously. The basic mechanism that he has available
to him is a position operation that selects an object of
a file for processing. Once an object is selected, its
property values may be extracted, changed, or deleted,
or an additional object may be inserted after it. Files
may be positioned forward or backward, or directly
to a specific object that is pointed to from an index
(which is itself a file). Data can be transferred directly between files. The same positioning mechanism
is also used within groups (subfiles). Data can be
transferred from any level to any level.
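The position-then-operate pattern can be imagined roughly as follows; this is a Python rendering, not PROFILE syntax, and the class and method names are invented.

```python
# Imagined sketch of the basic PROFILE mechanism: a cursor selects
# one object of a file, and extraction, change, and insertion all act
# on the selected object.

class File:
    def __init__(self, objects):
        self.objects = objects        # each object: dict of property values
        self.pos = 0                  # currently selected object

    def forward(self, n=1):  self.pos += n
    def backward(self, n=1): self.pos -= n
    def position_to(self, i): self.pos = i   # e.g., via an index file

    def get(self, prop):         return self.objects[self.pos][prop]
    def change(self, prop, val): self.objects[self.pos][prop] = val
    def insert_after(self, obj): self.objects.insert(self.pos + 1, obj)

orders = File([{"ORDER NUMBER": 3246, "CUSTOMER": "SAMPSON"},
               {"ORDER NUMBER": 3251, "CUSTOMER": "FLINGER"}])
orders.forward()
print(orders.get("CUSTOMER"))
```

Because the same positioning mechanism works within groups, and data can move directly between files, several such cursors can be active at once over different files and levels.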
In a similar way, the PROFILE user directs data
from and to I/O devices. PROFILE allows the user
to manipulate data from (to) any input (output) device
as though it were a continuous stream of characters,
indexed by a pointer. The pointer may be moved
forward and backward, and data are extracted from
(entered into) the stream relative to the position of
the pointer. Thus, it is possible to write PROFILE
procedures that are quite flexible; for example, a
procedure may generate a new file from data contained in several old files as well as data supplied on
cards. The C-10 file management environment as
viewed from PROFILE is illustrated in Figure 2.
Here we see several streams of data flowing from

input devices and referenced with a pointer, several
files with particular objects selected for processing,
several streams of data flowing to output devices, a
collection of other data structures, a set of variables,
and a library of procedures.
File management problems are solved in PROFILE
by segmenting the task into several procedures and
writing and debugging each procedure separately.
Procedures are maintained in a library, and a procedure may appeal to any procedure in the library
(including itself) to have a subtask performed.
Finally, it should be pointed out that PROFILE
contains a set of statements specifically intended for
spontaneous on-line work. Of course, any PROFILE
procedure can be written, debugged, and added to
the procedure base on-line.
A detailed example of the use of PROFILE is
illustrated in Appendix I.
Implementation

In the previous section we discussed how C-10 looks to a user involved in file management applications. In this section we will discuss how C-10 looks to a C-10 systems programmer. Since there is no

Spring Joint Computer Conf., 1967

Figure 2 - The C-10 file management environment as viewed in PROFILE

distinction made between user procedures and system
procedures,* and therefore no distinction between users and systems programmers, we are really discussing how C-10 looks to a sophisticated user.
To the systems programmer, the C-10 system offers a framework within which he can perform his daily work. It allows him to define the pieces of his program one procedure at a time, and it allows him to save the state of the entire system from one session to the next. It provides him with the following important tools.
The system provides an expandable set of data structures, which so far includes files, private stacks,† streams,† and blocks.† All of these data structures have the characteristic that they are virtually infinite in length, and all storage management problems associated with space sharing of core and disk are handled implicitly. This means that the systems programmer can create and use instances of any of these data structures without consideration of a proliferating maze of details and qualifications. It is also important to note that instances of any of these data structures are not tied to a specific procedure, as is true in most programming languages. An instance of a data structure may be created by one procedure, saved by a system mechanism, and referenced later by a second, independent procedure. Each of the system data structures is defined over a set of data types which are a subset of the data types known to the system. The set of system data types is also expandable.

†Defined in Appendix II.

*Except when it comes to maintaining procedure libraries for separate users.
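The decoupling of data-structure instances from procedures can be sketched as follows. Everything here is illustrative (the store, the names, and the interface are assumptions, not C-10's actual mechanism); the point is that one procedure creates a structure, the system keeps it, and an independent procedure references it later.

```python
# Sketch: data-structure instances owned by the system, not a procedure.
# All names are illustrative, not C-10's actual interface.

SYSTEM_STORE = {}  # stands in for the system's core/disk allocator

def create(name, kind):
    """Create a named instance; it grows without an explicit size bound."""
    SYSTEM_STORE[name] = kind()
    return SYSTEM_STORE[name]

def lookup(name):
    """Reference a previously created instance by name."""
    return SYSTEM_STORE[name]

def producer():
    stack = create('scratch.stack', list)
    stack.append(42)

def consumer():
    # an independent procedure referencing the same instance later
    return lookup('scratch.stack').pop()

producer()
assert consumer() == 42
```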
The system provides an expandable set of source languages, which so far includes AUTOCODER, STEP, and PROFILE. AUTOCODER is the assembly language of the IBM 1410; STEP is a language similar to LISP (but defined over streams instead of lists); PROFILE is the file manipulation language described above. A matrix showing which data structures may be referenced in each of the languages is shown in Figure 3. The system provides a generalized macro facility, TAP, which may be used with any source language except AUTOCODER.
The system provides an expandable set of object
languages, which so far includes machine language

File Management On A Small Computer: The C-10 System*

[Figure 3: matrices relating data types (INTEGER, FLOATING POINT, STRING, POINTER, BULK, BOOLEAN) to data structures (FILES, PRIVATE STACKS, STREAMS, BLOCKS); data structures to source languages (AUTOCODER, STEP, PROFILE); and source languages to object languages (MACHINE LANGUAGE, STEP INTERNAL)]
Figure 3 - Relationships among the tools provided by C-10 for the systems programmer

and STEP internal; and, of course, the system provides a set of miscellaneous translators for translating source language procedures into object language
procedures. A procedure in either object language
may appeal to any procedure in the other object
language. Figure 3 also includes matrices showing
which source language can be translated into each
of the object languages.
One thing the system does not automatically provide is an executive routine. This is because each
user tends to use the system in a different way, and
it was not considered reasonable to build a large
monolithic executive which anticipated the requirements of each user. What is provided instead is a set
of tools that permit the user to piece together his own
executive routine. All the basic modules of the system - an editor, translators, compilers, interpreters,
allocators - have simple interfaces and can be combined in an arbitrary way.
The system provides a set of debugging tools, the
mainstay of which is a dynamic, selective trace. This
trace interprets and prints the arguments and values
returned by each selected procedure. It is effective
because C-10 programs consist of a large number of

small procedures. Memory dumps, patches, and symbolic snapshots are almost never used. All communication between procedures is accomplished through
an intermediate linkage routine, and it is here that the
tracing mechanism is housed. The intermediate linkage routine would also be an ideal place to house instrumentation concerned with timing, but unfortunately an adequate clock is not available on the IBM
1410.
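The trace housed in the intermediate linkage routine might be sketched, in modern terms, as a wrapper through which every inter-procedure call passes. This is a Python illustration of the idea only; the names and the decorator mechanism are assumptions, not C-10's implementation.

```python
# Sketch of a dynamic, selective trace housed in an intermediate
# linkage routine: every call goes through `link`, which prints the
# arguments and returned value of each selected procedure.

TRACED = set()

def link(proc):
    """Intermediate linkage: wrap every inter-procedure call."""
    def call(*args):
        result = proc(*args)
        if proc.__name__ in TRACED:          # selective: only chosen procs
            print(f"{proc.__name__}{args} -> {result!r}")
        return result
    return call

@link
def area(w, h):
    return w * h

TRACED.add('area')       # select this procedure for tracing
assert area(3, 4) == 12  # traced call: prints its arguments and value
```

Housing the trace in the one routine that all calls traverse is what makes it cheap to switch on and off per procedure.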
The C-10 system has been designed to adapt readily to minor changes in the machine configuration. When initially loaded from an arbitrary tape unit, it holds a dialog with the operator to determine the current machine configuration. It will operate with either a 1301, 1302, or 1311 disk unit (2311 or 2302 on IBM 360).
Additional core storage does not necessitate any reprogramming, and system operation speeds up as core is added. C-10 operates a little more than twice as fast with an 80,000 character memory as with a 40,000 character memory.
Finally, the system allows the user access not only
to the large modules of the system (like the STEP
compiler, for example) but also to each of the individual procedures that constitute the large modules.


Every procedure in the system has a simple interface, and is documented as though it were independent
of the rest. This is an advantage that we feel is important, and deserves more explanation.
Imagine that you have the job of writing a compiler
for a computer that comes from the manufacturer
equipped with a conventional operating system, and
ALGOL and COBOL compilers. In the construction
of your new compiler you will need subroutines that
manipulate character strings, subroutines that format
error messages, subroutines that prepare output,
etc. Doubtless, subroutines that perform these jobs
already exist in the software supplied with the machine. But do you have access to them? Definitely not! Even if they were separately documented and maintained, it is unlikely that all the boundary conditions surrounding their use could be satisfied.
Things are very different in C-10. Every module consists of a large number of small procedures, and each procedure is independent, with a necessarily simple interface that is documented. As a result, there is a great deal of sharing between modules that perform similar functions. Because of the extensive use of this feature, the C-10 system is relatively small.
The entire system - two compilers, one interpreter,
an editor, disk and core allocators, data structure
primitives, etc. - is composed of approximately 400
procedures, averaging 900 characters in length.
Commentary
The two most important factors responsible for the uncommon characteristics of the C-10 system are the size of the machine on which it was implemented (hence the title of this paper), and the unusual conditions surrounding the development of the system (hence the discussion of system evolution). The small core size (40,000 characters) forced a design which (1) assumes that things seldom fit into core, and (2) provides an environment that allows the systems programmer to forget about the storage allocation problem (unless, of course, he is writing an allocator).
The magnitude of the task, and the short time in which
it originally was to be accomplished, motivated a design that attempted to trade off operating efficiency
for speed of construction and ease of debugging. This
trade-off succeeded too well, with the loss, initially,
of far more performance than could be afforded!
One of C-10's important characteristics is an affinity for redesign unknown in our experience. During the course of improving the system every module was programmed at least twice; more efficient data structures were invented and the old ones were replaced with new ones; tools were added that helped evaluate system performance. In one case, the representation of files was changed drastically, and this was done without severe interruption to the day-to-day use of the system.
Other ways in which this system differs from others within the scope of our experience are that it is significantly easier to document, it is easier to debug, and it exhibits a good economy of programs. All of this we trace to the enforced uniformity and simplicity of procedure interfaces, the nearly exclusive use of data structures of virtually infinite length, and the emphasis on small, independent procedures. Perhaps C-10's greatest contribution to program construction is its service as a discipline.
In the long run, the attempted trade-off of operating efficiency for speed of construction failed. By
the time system performance was brought up to a
satisfactory level by redesign and tuning, the system
could have been constructed along more conventional
lines. The trade-off that was, in fact, accomplished
in the final product is one of operating efficiency
in exchange for an affinity for redesign, ease of documentation, ease of debugging, and economy of programs. Now it occurs to us that for the construction
of very large programs in an environment where the
cost of manpower is increasing while the cost of hardware is decreasing, trade-offs of this type are very
much desired.
The construction of a file management system like
C-10 surely should be, essentially, the construction
of an application program. Yet, looking back, it appears that only a small percentage of the total effort
was concerned explicitly with the problems of file
management. The remainder was spent solving
programming problems, that is, building the programming environment that we have described above.
This circumstance is not unique, and seems to come
up with the construction of almost every medium-sized or larger program. See, for example, the discussion of the implementation of ALPAK, and the
subsequent design of the programming environment,
OEDIPUS, in Reference 4.
The development of the PROFILE language was
an evolutionary process. Starting as a highly restrictive "near-English" query language, it was gradually
generalized to the point where it combines file generation, retrieval, updating, and report formatting
in one language. In its present form it is a programming language, although a simple one. The fact that it is a programming language is met at first with some grumbling from its users, but they find it easy to learn and they are usually pleased with the flexibility it has over "near-English" languages.

If C-10 were to be designed again, two mistakes would certainly be corrected. The first concerns what we have come to call "system arrogance." Although any procedure within C-10 can be appealed to by a procedure within the system, the system itself cannot be used as a subroutine of another system. In this way the system is "arrogant." The second mistake was in not building an assembler as an integral part of the system. Instead, all assemblies are made off-line with an "arrogant" assembler that was found impossible to incorporate into C-10. The decision to use AUTOCODER was justified by the original schedule, but it has led to some unfortunate results. In particular, the system cannot be easily used to maintain its own symbolic decks, and editing and macro facilities which are otherwise general purpose cannot be used on AUTOCODER source statements.
Finally, one thing that was done correctly was the
strict adherence to configuration independence.
When operating the system at other installations,
it is a valuable asset to have the system automatically
adapt to any available disk unit and to take advantage
of increased core storage space.

The most important characteristic of C-10 as a
programming environment is that it is a nucleus of
an integrated software system that can be readily
changed and molded to fit the needs of a specific set
of users. It is not a large, complex, monolithic set of
programs which attempts to be all things to all men.

CONCLUSIONS
C-10 has been described as a file management system on a small computer. It is unusually flexible in that it allows any number of files to be processed concurrently, it allows file processing operations to be combined with file generation and report generation, and it enables and encourages its users to break their problems into small procedures.
C-10 has been described as an environment for programming that provides facilities not usually found in an operating system, especially for a machine the size of the IBM 1410. These facilities include:
(a) A framework that allows the programmer to define and check out one procedure at a time, within the system environment, and to save the state of the system from one session to the next.
(b) An expandable set of data structures characterized by virtually infinite length.
(c) A choice of three languages in which to express procedures, and the ability to appeal to any procedure from any procedure.
(d) A set of debugging tools, which are made effective by a reliance on small procedures.
(e) Access to the subroutines of a module that is already part of the system.
(f) The capability of adjusting to changes in configuration without reprogramming.


REFERENCES
1 T L CONNORS
ADAM - a generalized data management system
Proceedings AFIPS Spring Joint Computer Conference
Spartan Book Co Washington DC 1966
2 E E GRANT
The LUCID users' manual
SDC TM-2354/001/00 System Development Corporation
Santa Monica California June 16 1965
3 J H BRYANT P SEMPLE JR
GIS and file management
Proceedings 21st National Conference of the ACM
Thompson Book Co Washington DC 1966
4 W S BROWN
An operating environment for dynamic-recursive computer programming systems
Communications of the ACM
Volume 8 number 6 pp 371-377 June 1965
5 C BAUM L GORSUCH eds
Proceedings of the second symposium on computer centered data base systems
SDC TM-2624/100/00 System Development Corporation
Santa Monica California
6 L A BACHOROWSKI
Phase II demonstration
MTR-93 Supplement 2
The MITRE Corporation ESD-TR 66-647
Bedford Massachusetts July 5 1966
7 G STEIL JR
C-10 user's manual
MTR-35
The MITRE Corporation Bedford Massachusetts
ESD-TR 66-335 March 15 1966

APPENDIX I
A file management example
The Second Symposium on Computer-Centered Data Base Systems (Reference 5) was held on September 20-21, 1965. Prior to the symposium, a data base problem was submitted to the designers of five file management systems. The problem was divided into seven parts, and C-10 solutions to all seven parts are presented in Reference 6. In this Appendix we summarize the C-10 solution to two of the seven parts: the production of two periodic reports, and the spontaneous generation of a demand report.
The periodic report problem concerns two files: the PERSONNEL file and the ORGANIZATION file (see Figure 4). Units within the organization are either divisions, departments, groups, or sections.


The periodic report request is stated as follows:
"Combine the Personnel information with the Organization information, so as to prepare two reports.
One report covers all sections in ascending organization unit number sequence, showing for each section
its authorized complement, actual complement and
deviation from budget. The second report presents
this same type of information for all groups."
The procedure, as illustrated, has two arguments. The first argument designates the organizational level for the report, that is, section, group, department, or division. The second argument, a number, limits the number of units to be processed, and was included solely to make it possible to control processing time during demonstrations.
This problem is not the most difficult of the problems posed at the symposium. It does, however, involve cross-file referencing, calculation, and the outputting of reports in a specific format. The C-10 solution makes only one pass of each file for a report, and is illustrated in Figure 5. Comments in the actual program will help the interested reader get through it. Sample output is shown in Figure 6.

Generating the demand report is simple, and can be accomplished easily on-line. The problem asks that the name, number, unit, code, and skill names be retrieved of all personnel satisfying the following criteria: more than two skills, not a head, male, birthdate between 1916 and 1935, and any skill code of 3340. The appropriate PROFILE statement is:

SUBSET TITLE IS 'DEMAND REPORT';
GET PERSONNEL
IF [NO. SKILLS GT 2]
AND [LEVEL NE 'HEAD']
AND [SEX = 'M']
AND [EXTRACT (BIRTHDATE, 7, 2) GT 16 AND LT 35]
AND [ANY [SKILL (CODE) = 3340]]:
NAME, NUMBER, UNIT, CODE, SKILL (NAME);

[Figure 4: STRUCTURE OF PERSONNEL FILE; STRUCTURE OF ORGANIZATION FILE]
Figure 4 - Structure of the Personnel and Organization Files
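The selection criteria of the demand report can be restated in Python to make them concrete. The record layout, the skill pairing, and the birthdate format (assumed DDMMYYYY so that characters 7-8 give the year within the century, matching EXTRACT(BIRTHDATE, 7, 2)) are illustrative assumptions; the employee name and number are taken from the sample output.

```python
# A hypothetical restatement of the PROFILE demand-report selection.

def wanted(p):
    return (len(p['skills']) > 2                    # more than two skills
            and p['level'] != 'HEAD'                # not a head
            and p['sex'] == 'M'                     # male
            and 16 < int(p['birthdate'][6:8]) < 35  # year-in-century 17..34
            and any(code == 3340 for code, _ in p['skills']))

personnel = [
    {'name': 'COATES, W. C.', 'number': 81130, 'unit': 2313,
     'level': 'TECH', 'sex': 'M', 'birthdate': '12031924',
     'skills': [(3340, 'MACHINE OPR'), (7320, 'PAINTING OPR'),
                (3370, 'MAINT TECH')]},
]

report = [(p['name'], p['number'], p['unit'],
           [name for _, name in p['skills']])
          for p in personnel if wanted(p)]
assert [r[1] for r in report] == [81130]
```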

PROCEDURE WRITE.HEADING
(ORG.UNIT, REPORTS.TO, ORG.NAME);
BEGIN;
FIELD = 'ORG UNIT';
SPACE OUTPUT 5;
FIELD = ORG.UNIT;
SPACE OUTPUT BLOCK;
FIELD = 'REPORTS TO';
SPACE OUTPUT 3;
FIELD = REPORTS.TO;
SPACE OUTPUT BLOCK;
SPACE OUTPUT BLOCK;
FIELD = 'ORG NAME';
SPACE OUTPUT 5;
FIELD = ORG.NAME;
SPACE OUTPUT BLOCK;
SPACE OUTPUT BLOCK;
FIELD = 'AUTHORIZED COMPLEMENT';
SPACE OUTPUT BLOCK;
SPACE OUTPUT BLOCK;
RETURN;
END;

"THIS PROCEDURE, WRITE.HEADING, HAS 3
"ARGUMENTS.
"IT FORMATS THE FIRST FOUR LINES OF THE
"PERIODIC REPORT, SUBSTITUTING ITS
"ARGUMENTS WHERE APPROPRIATE.
"THE OUTPUT DEVICE, AND THE DEFINITION
"OF A BLOCK, HAVE BEEN DEFINED BY THE
"PROCEDURE WHICH CALLS IT.

"A LINE SUCH AS 'FIELD = ORG.UNIT' IS TYPICAL OF A
"STATEMENT WHICH INSERTS THE VALUE OF AN EXPRESSION
"IN THE OUTPUT STREAM.

"'SPACE OUTPUT 5' INSERTS 5 SPACES IN THE OUTPUT
"STREAM.

"'SPACE OUTPUT BLOCK' INSERTS AN ENTIRE LINE OF SPACES.

"'RETURN' RETURNS TO THE CALLING PROCEDURE.


PROCEDURE WRITE.LINE
(KEY, CODE, TITLE, QUAN, SAL);
BEGIN;
SPACE OUTPUT 5 + KEY * 5;
FIELD 4 = CODE;
SPACE OUTPUT 15 - KEY * 5;
FIELD 32 = TITLE;
SPACE OUTPUT 2;
FIELD 2 = QUAN;
SPACE OUTPUT 8;
FIELD 6 = SAL;
SPACE OUTPUT BLOCK;
RETURN;
END;

PROCEDURE WRITE.TOTALS
(Q.TOTAL, S.TOTAL);
BEGIN;
SPACE OUTPUT BLOCK;
SPACE OUTPUT 19;
FIELD = 'TOTAL';
SPACE OUTPUT 29;
FIELD 2 = Q.TOTAL;
SPACE OUTPUT 18;
FIELD 6 = S.TOTAL;
SPACE OUTPUT BLOCK;
SPACE OUTPUT BLOCK;
RETURN;
END;

PROCEDURE WRITE.AC ();
BEGIN;
FIELD = 'ACTUAL COMPLEMENT';
SPACE OUTPUT BLOCK;
SPACE OUTPUT BLOCK;
RETURN;
END;


"THIS PROCEDURE, WRITE.LINE, IS SIMILAR
"TO THE PROCEDURE WRITE.HEADING.

,,

"IT HAS FOUR ARGUMENTS, AND FORMATS MOST
"OF THE DATA LINES IN A PERIODIC REPORT.

,,

"THREE OF THE ARGUMENTS ARE DATA TO BE
"INSERTED IN THE OUTPUT STREAM, BUT KEY
"IS AN ARGUMENT USED TO CONTROL SPACING.

"THIS PROCEDURF., WRITE.TOTALS, IS SIMILAR
,"TO
, THE PROCEDUQ~ WRITE.HEADING.
"IT HAS TWO ARGUMENTS, AND FORMATS THE
"LINE CONTAINING TOTALS

,,

"THIS PROCEDURE, WRITE.AC, HAS NO
"ARGUMENTS. IT WRITES THE TITLE
"ACTUAL COMPLEMENT

PROCEDURE WRITE.DEVIATION
(DEVIATION);
BEGIN;
SPACE OUTPUT 19;
FIELD = 'DEVIATION FROM BUDGET';
SPACE OUTPUT 33;
FIELD 6 = DEVIATION;
SPACE OUTPUT PAGE;
RETURN;
END;

"THIS PROCEDURE FORMATS THE DEVIATION
"FROM BUDGET LINE.
"IT HAS ONE ARGUMENT, THE DEVIATION.

PROCEDURE WRITE.TITLE
(REPORT.NAME);
BEGIN;
SPACE OUTPUT 5;
FIELD = REPORT.NAME;
FIELD = 'REPORT';
SPACE OUTPUT BLOCK;
END;

"THIS PROCEDURE, WRITE.TITLE, WRITES A
"SIMPLE TITLE LINE.
"IT HAS ONE ARGUMENT, THE NAME OF THE REPORT.

PROCEDURE PERIODIC.REPORT            "THIS PROCEDURE, PERIODIC.REPORT, HAS TWO
(LEVEL, N);                          "ARGUMENTS: LEVEL, INDICATING WHETHER THE
BEGIN;                               "REPORT IS TO COVER DIVISIONS, DEPARTMENTS,
VARIABLE T1, T2, T.TITLE, T.QUANT,   "GROUPS, OR SECTIONS; AND N, INDICATING
 T.SAL, T.CODE, T.UNIT,              "HOW MANY UNITS TO REPORT ON.
 IND, TN, T3, INC, INC1,
 LIMIT, LIMIT1, U.TITLE;             "DECLARE VARIABLES.
IND = 0;
TN = 0;
IF LEVEL = 'SECTION'; INC = 0;
IF LEVEL = 'GROUP';                  "INITIALIZE.
BEGIN; INC = 9; INC1 = 1; END;
IF LEVEL = 'DEPARTMENT';             "INCREMENTS HAVE TO DO WITH THE
BEGIN; INC = 99; INC1 = 10; END;     "ASSIGNMENT OF NUMBERS TO UNITS.
IF LEVEL = 'DIVISION';               "(PERSONNEL FILE HAS BEEN SORTED BY
BEGIN; INC = 999; INC1 = 100; END;   "UNIT NUMBER)
OUTPUT TO PRINTER;                   "DECLARE PRINTER AS OUTPUT DEVICE.
DEFINE PAGE FOR OUTPUT AS 33::132;   "DEFINE SIZE OF PRINTER PAGE.
DO WRITE.TITLE(LEVEL);               "WRITE TITLE.
READ PERSONNEL; ELSE RETURN;
ORG:READ ORGANIZATION; ELSE RETURN;  "FIND ORGANIZATION UNIT OF APPROPRIATE
IF ORG.LEVEL NE LEVEL; GO TO ORG;    "LEVEL IN ORGANIZATION FILE.
TN = TN+1;
IF TN > N; RETURN;                   "RETURN IF ENOUGH UNITS PROCESSED.
LIMIT = ORG.UNIT+INC;
DO WRITE.HEADING(ORG.UNIT,           "WRITE HEADINGS. AUTHORIZED COMPLEMENT
REPORTS.TO, ORG.NAME);               "IS PRINTED FIRST.
T1 = 0;
T2 = 0;                              "INITIALIZE TOTALS.
T3 = 0;
O.JOB:READ JOB; ELSE GO TO O.UNIT;
DO WRITE.LINE (0, JOB(CODE),         "WRITE LINE OF REPORT FOR EACH JOB.
JOB(TITLE), JOB(QUANT),
JOB(SALARY));
T1 = T1 + JOB(SALARY);               "INCREMENT TOTALS.
T3 = T3 + JOB(QUANT);
GO TO O.JOB;
O.UNIT:READ UNIT; ELSE GO TO O.END;  "WRITE LINE OF REPORT FOR EACH
DO WRITE.LINE (1, UNIT(CODE),        "SUBSIDIARY UNIT.
UNIT(TITLE), 1, UNIT(SALARY));
U.TITLE = UNIT(TITLE);
T1 = T1 + UNIT(SALARY);
GO TO O.UNIT;
O.END:IF LEVEL NE 'SECTION'; T3 = ' ';
DO WRITE.TOTALS(T3,T1);              "WRITE TOTALS FOR AUTHORIZED COMPLEMENT.
DO WRITE.AC();
T3 = 0;                              "BEGIN ACTUAL COMPLEMENT SECTION OF
MATCH:IF PERSONNEL(UNIT)=ORG.UNIT;   "REPORT.
GO TO P.JOB;                         "FIND FIRST EMPLOYEE WHICH
READ PERSONNEL; ELSE GO TO P.END;    "BELONGS TO THIS UNIT.
GO TO MATCH;
P.JOB:T.TITLE = PERSONNEL(TITLE);
T.CODE = JOB.CODE;
T.QUANT = 0;
T.SAL = 0;
P.JOB1:T.QUANT = T.QUANT+1;
T.SAL = T.SAL+PERSONNEL(SALARY);
READ PERSONNEL; ELSE GO TO P.JOB2;   "GATHER INFORMATION ON ALL EMPLOYEES
IF [PERSONNEL(UNIT)=ORG.UNIT]        "IN UNIT WITH SIMILAR JOBS.
AND [PERSONNEL(TITLE)=T.TITLE];
GO TO P.JOB1;
P.JOB2:DO WRITE.LINE(0, T.CODE,
T.TITLE, T.QUANT, T.SAL);            "WRITE LINE FOR THIS JOB.
T2 = T2 + T.SAL;                     "UPDATE TOTALS.
T3 = T3 + T.QUANT;
IF PERSONNEL(UNIT)=ORG.UNIT;
GO TO P.JOB1;                        "DO NEXT JOB.
P.UNIT:IF PERSONNEL(UNIT)>LIMIT;
GO TO P.END;


T.SAL = 0;
T.UNIT = PERSONNEL(UNIT);            "SUMMARIZE DATA FOR SUBSIDIARY UNITS.
LIMIT1 = T.UNIT + INC1;
P.UNIT1:T.SAL = T.SAL+PERSONNEL(SALARY);
READ PERSONNEL; ELSE IND = 1;
IF PERSONNEL(UNIT)
[Figure 6 - sample output: the demand report lists employees such as COATES W. C. (81130), FLETCHER M. W. (71475), GORTON R. A. (17500), GREEN S. D. (34840), LEVITT P. S. (32924), LITTLE E. F. (42055), and MILLER F. L. (52467), with unit numbers, skill codes (3340, 3345, 3360, 3370, 7320, ...), and skill titles such as MACHINE OPR, MILLING MACH OPR, MAINT TECH, PAINTING OPR, and TOOL DESIGNER]
Figure 2 - Prefix language; left-to-right scan

new characters in the object alphabet. Our third restriction limits the form of these explicit definitions by demanding that the extended language category be also complete. Let us see what this requires.
Suppose 'd' is the newly defined object character. It will have to possess, by our first restriction, a fixed stratification number, say n. If, then, a1, a2, ..., an designate any good expressions of L_A, by our second restriction L_A must also contain a good expression of the form 'da1a2...an'. Thus, the explicit definition must have the 'form' β1 = β2, where the 'definiendum' β1 must have the 'simple form' da1a2...an, and the 'definiens' β2 must not contain the character 'd' explicitly (no recursion), and must be an obvious syntactic function of the syntactic variables a1, ..., an for all languages of the category. By the 'principle of syntactic invariance' (see Gorn 10), the ai must be variables representing any good expressions throughout the category, because they are appropriate 'scopes' and the completeness of the category means that all good 'scopes' are 'good words' and vice versa.
We must therefore be able to define and recognize forms as well as expressions. This is easily done without too much work by introducing an alphabet of 'scope variables': A_V = {a1, a2, ...} having no characters in common with A, and each character of which has stratification zero. If A' = A ∪ A_V, then L_A' is a form language, representing a whole category of form languages in which 'tree forms' can be generated, recognized, and compared.
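The completeness requirement on good expressions rests on the stratification numbers alone: read the prefix string left to right, keeping a count of scopes still owed; the string is one complete tree exactly when the count first reaches zero at the last character. A minimal sketch of this standard count criterion (the function name and token convention are assumptions):

```python
# Sketch of the 'good expression' (completeness) test for a stratified
# alphabet: each character opens as many scopes as its stratification.

def is_good(tokens, strat):
    """tokens: characters of a prefix expression; strat: arity map."""
    need = 1                          # subtrees still required
    for i, t in enumerate(tokens):
        need += strat[t] - 1          # t fills one slot, opens strat[t]
        if need == 0 and i < len(tokens) - 1:
            return False              # tree complete but characters remain
    return need == 0

# 'c' of stratification 2, the other characters of stratification 0
strat = {'c': 2, 'c0': 0, 'a1': 0, 'a2': 0}
assert is_good(['c', 'a1', 'c', 'c0', 'a2'], strat)   # c a1 (c c0 a2)
assert not is_good(['c', 'a1'], strat)                # a scope is missing
```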

"Handling The Growth By Definition Of Mechanical Language*
For example, we have the following definition throughout the category of languages of tree patterns:
Definition: The form β1 is said to be 'of the form β0', and β0 is called 'an initial pattern of β1' (we write β0 ≤ β1), if there is a complete independent set of scopes σ1, ..., σn of β1, where n is the number of endpoints of β0, such that, if ai = aj in β0, then σi = σj, and such that β1 = β0(σ1 → a1, ..., σn → an). We can also write: β1 = β0σ1...σn.
If we think of the variables in A_V as also referring to some unspecified addressing system for the control of storage of expressions, then this definition is effective; Figure 2 presents the design of the processor called a 'tree pattern recognizer'.
A number of other notations might be mentioned as being convenient both in the theory and in the construction of processors:
a. 'Caβ1' to mean 'the character at (tree) address a in tree (form) β1'.
b. 'Saβ1' to mean 'the scope at (tree) address a in tree (form) β1'.
c. 'Dβ1' to mean 'the domain of (tree) addresses in tree (form) β1'.
d. If a2 and a3 are tree addresses, then a1 = a2·a3 can be read as 'the tree address of relative address a3 with respect to address a2', and a2 is a 'tree-predecessor' of a1: a2 ≤ a1. Similarly, if A1 and A2 are two sets of tree-addresses, A1·A2 will be the set of tree-addresses of relative address some A2 with respect to some A1; it is to be interpreted as the null set Λ if either A1 or A2 is null.
e. We can also permit the scope-operator 'S' to refer to tree-domains as well as to trees. Thus, if D is a tree domain and a1 ∈ D, then there is a tree domain D1 such that Sa1 D = a1·D1; also, Sa1·a2 D = a1·Sa2 D1. This notation sets up a primitive address computation facility (in fact a semi-group with unit '*' meaning root-address) for tracing and identifying the effects in expressions of growth by definition in the category.
f. 'an occurrence of the character c ∈ A in β' will mean 'an address a such that c = Caβ', and the set of such occurrences can be written 'C⁻¹cβ'. Thus 'a ∈ C⁻¹cβ' means 'a is an occurrence of c in β'.
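These notations are easy to realize concretely. The sketch below (the parse helper and its conventions are illustrative assumptions) maps every tree address of a prefix expression to its character and scope, writing addresses as in Figure 3: '*' for the root, then digit strings '0', '1', '10', and so on.

```python
# A sketch of Ca (character at address a), Sa (scope at address a),
# and D (domain of addresses) on prefix expressions.

def parse(tokens, strat):
    """Map every tree address to (character, scope-as-token-list)."""
    table = {}
    def walk(i, addr):
        ch, j = tokens[i], i + 1
        for k in range(strat[ch]):            # descend into each scope
            child = str(k) if addr == '*' else addr + str(k)
            j = walk(j, child)
        table[addr] = (ch, tokens[i:j])
        return j
    walk(0, '*')
    return table

# The definiens of Figure 3: d a1 a2 = c a2 (c a1 a2)
t = parse(['c', 'a2', 'c', 'a1', 'a2'], {'c': 2, 'a1': 0, 'a2': 0})

C = lambda a: t[a][0]     # the character at address a
S = lambda a: t[a][1]     # the scope at address a
D = set(t)                # the domain of tree addresses

assert C('1') == 'c' and S('10') == ['a1']
assert D == {'*', '0', '1', '10', '11'}
```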
It is now possible to recognize internal patterns as well as initial patterns in trees: β0 is an internal pattern of β2 occurring at the tree address a if β0 ≤ Saβ2; in this case we also write a ∈ C⁻¹β0β2, and speak of 'an occurrence of the form β0 within β2'. If β0 is deeper than zero, i.e. is more than just one object character at the root, then we say that the form β1 'dominates' the form β2 with the intermediary β0 whenever β0 is a scope of β1 and the initial pattern of β2, but β0, β1 and β2 are not all the same; if we replace that occurrence of β0 in β1 by β2, the result β1(β2 → β0), if a ∈ C⁻¹β0β1, is a 'β1β2-domino'.
We now have the apparatus by which we can specify an 'explicit definition', and trace its effect by means of a primitive kind of computation with tree addresses.
EXPLICIT DEFINITIONS AND TREE MAPS
We have now fixed upon an appropriate definition of 'explicit definition' for our categories of mechanical languages. It is one in which:
a. The definiendum is a simple form, i.e. either of depth zero (hence only the single new character), or of depth one with only distinct variables at the endpoints,
b. the definiens is an arbitrary form φd, at least as deep as the definiendum, not containing d explicitly, but each variable of which does occur again in the definiendum.
Ordinarily explicit definitions are introduced in order to say in less space something one will want to repeat fairly often. In other words, a very common motive for an explicit definition is the desire to have a large family of abbreviations; each definition provides an infinite set of abbreviations, all of the same form. (Thus each definition is like an 'optional linguistic transformation'.) Because the size of a tree can be measured both in depth and in breadth, two of the simplest types of explicit definition are the pure depth reducer, and the pure breadth reducer:
An explicit definition, da1...an =df φd, is a 'pure depth reducer' if those end-points of φd which are variable are, reading from left to right, exactly a1, a2, ..., an, and at least one variable has depth greater than one. If n = 0, so that d =df φd where no end-point of φd is variable, we do not call it a depth reducer, no matter how deep φd may be. An example of a pure depth reducer is da1a2 =df ca1cc0a2.
An explicit definition is a 'pure breadth reducer' if the depth of every variable in φd is one, and those end-points of φd which are variable are, reading from left to right and ignoring repetitions, exactly a1, a2, ..., an, and at least one variable occurs more than once. The same interpretation is made if n = 0 as before; no matter how broad φd may be, it is not a breadth reducer. An example of a pure breadth reducer is da1a2 =df ca1cc0c0c0c0a2a1.
More generally, if φd is the definiens of an explicit definition, let A_di = C⁻¹aiφd (the occurrences, possibly


Definiendum:
address   character
*         d
0         a1
1         a2

Definiens:
address   character
*         c
0         a2
1         c
10        a1
11        a2

Figure 3 - An explicit definition
null, of ai in φd), and A_d0 = Dφd − ∪(i=1..n) A_di (the 'interior' of φd); let mi be the number of addresses in A_di, which we could call the 'breadth' or 'multiplicity' of ai, and let di be the maximum depth of ai in A_di. Then the definition does some breadth reduction if mi > 1 for at least one i, and it does some depth reduction if di > 1 for at least one i.
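This bookkeeping is mechanical. The sketch below (the scanning convention and names are illustrative assumptions) computes each variable's multiplicity m_i and maximum depth d_i in a definiens given as a prefix token list, then reads off the classification.

```python
# Sketch: compute m_i (multiplicity) and d_i (max depth) of each
# variable in a definiens, and classify the explicit definition.

def classify(def_vars, definiens, strat):
    occurrences = {v: [] for v in def_vars}
    stack = [1]                          # scopes still expected per open node
    for tok in definiens:
        depth = len(stack) - 1           # depth below the root
        if tok in occurrences:
            occurrences[tok].append(depth)
        stack[-1] -= 1                   # this token fills one slot
        if strat[tok] > 0:
            stack.append(strat[tok])     # and opens its own scopes
        else:
            while stack and stack[-1] == 0:
                stack.pop()
    m = {v: len(d) for v, d in occurrences.items()}
    dmax = {v: max(d, default=0) for v, d in occurrences.items()}
    kinds = []
    if any(k > 1 for k in m.values()):
        kinds.append('breadth reduction')
    if any(k > 1 for k in dmax.values()):
        kinds.append('depth reduction')
    if any(k == 0 for k in m.values()):
        kinds.append('scope expansion')
    return m, dmax, kinds

strat = {'c': 2, 'a1': 0, 'a2': 0, 'c0': 0}
# d a1 a2 = c a1 (c c0 a2): a2 sits at depth 2, a pure depth reducer
m, dmax, kinds = classify(['a1', 'a2'], ['c', 'a1', 'c', 'c0', 'a2'], strat)
assert kinds == ['depth reduction'] and dmax['a2'] == 2
```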
If mi = 0 for some i ≤ n, the stratification of d, then the definition is allowing arbitrary scopes to be introduced, and we say that the definition is a 'scope-expander'. An example of a 'pure scope-expander', i.e. one in which neither depth nor breadth reduction occurs, is da1a2 =df ca2, or da1a2 =df cc0.
Finally, an explicit definition may be introduced neither to expand scopes, nor to reduce depths or breadths, but simply to permute scopes. In a 'pure permuter' mi = 1 and di = 1 for i = 1, ..., n. Thus da1a2 =df ca2cc0c0c0a1 is a pure permuter.

Most definitions we might envision would be mixtures of these types, and for each such mixture we
might imagine each type of effect to be introduced by
a separate 'ideal definition', thereby 'factoring' the
definition into a sequence of pure types. For example,
the explicit definition dα₁α₂ =df cα₂cα₁α₂ might be envisioned as the result of
1. a pure depth reducer d₁α₁α₂α₃ =df cα₁cα₂α₃,
2. a pure breadth reducer d₂α₁α₂ =df d₁α₁α₂α₁,
3. a pure permuter dα₁α₂ =df d₂α₂α₁.
Figure 3 illustrates this definition.
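The bookkeeping behind these classifications is mechanical. The following sketch (ours, not the paper's; the whitespace-separated string encoding of prefix expressions and the degree table are assumptions made for illustration) computes the variable address sets C⁻¹αᵢφd, the multiplicities mᵢ, and the maximum depths dᵢ for the definiens of Figure 3:

```python
# A sketch of the address bookkeeping described above: given a definiens
# in prefix form over characters of known degree, compute the address set
# of each variable, its multiplicity m_i, and its maximum depth d_i.
DEGREE = {"c": 2, "a1": 0, "a2": 0, "a3": 0}  # assumed degree table

def addresses(tokens, addr=""):
    """Yield (address, token) pairs for a prefix expression; addresses are
    digit strings, '' standing for the root address * of the paper."""
    token = tokens.pop(0)
    yield addr, token
    for i in range(DEGREE[token]):
        yield from addresses(tokens, addr + str(i))

def profile(definiens):
    """Map each variable endpoint of the definiens to its address set."""
    sets = {}
    for addr, tok in addresses(definiens.split()):
        if tok.startswith("a"):            # a variable endpoint
            sets.setdefault(tok, set()).add(addr)
    return sets

# phi_d = c a2 c a1 a2, the definiens of the definition in Figure 3
sets = profile("c a2 c a1 a2")
m = {v: len(s) for v, s in sets.items()}                   # multiplicities
d = {v: max(len(a) for a in s) for v, s in sets.items()}   # max depths
print(sorted(sets["a2"]))   # ['0', '11']
print(m["a2"] > 1, max(d.values()) > 1)  # True True: breadth and depth reduction
```

Since m for α₂ exceeds one and some depth exceeds one, the definition does both breadth and depth reduction, exactly as the factoring above separates out.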
We can now be precise about the meaning of such
expressions as:
a. The elimination of an occurrence of d in a form
β₂: if a ∈ C⁻¹dβ₂, and the scopes of the occurrences at a₁ and a₂ are so related that a₁ ≤ a₂ implies a₁ ≼ a₂. Let the relation
a₁ ≼ a₂ among addresses mean just this, so that our
condition reads: a₁ ≤ a₂ ⇒ a₁ ≼ a₂. This, then, is precisely the condition under which the 'elimination
functor ⟨a₂⟩' exists; it is applicable to any one of
the infinite number of expressions β with an occurrence of d at a₂ and also at gd(a₂;a₁). We could similarly validate and identify the 'elimination functor
F = ⟨a₁⟩ ··· ⟨aₙ⟩ = E_d a₁ ··· E_d aₙ', and restrict ourselves to a primitive address computation as in Figure
5.
and the composition of d-maps can be reflected in
such notation as

β₁ --f₁--> β₂ --f₂--> β₃

with corresponding address domains D₁, D₂, and D₃, the composite f₂ ∘ f₁ carrying β₁ into β₃.
⟨111⟩⟨0⟩⟨*⟩{*,1,11}
= ⟨111⟩⟨0⟩(⟨*⟩{*,1} ∪ ⟨*⟩{11})
= ⟨111⟩⟨0⟩({0,11} ∪ {01,111})
= ⟨111⟩(⟨0⟩{0,01} ∪ {11,111})
= ⟨111⟩({00,011} ∪ {11,111})
= {00,011,11}

Figure 5 - An address computation for d-elimination

If, furthermore, the explicit definition is not a scope
expander, and β₂ ≤d β₁, the uniquely determined mapping from β₁ into β₂ is a mapping 'onto'.
In any case, such mappings f are uniquely determined by addresses only; i.e. by a computation which,
given any a ∈ D₁ = Dβ₁, yields f(a) ∈ D₂ = Dβ₂.
Actually, an even stronger statement can be made;
these address maps are even independent of the particular trees. E_d a is a functor applicable to any tree
β₂ for which C_a β₂ = d, and it is possible to compute
gd(a;b) for any address without knowing anything
else about β₁ beyond the fact that a ∈ C⁻¹φd β₁. We
can therefore talk, within the context of a fixed explicit definition, of 'the elimination functor ⟨a⟩'.
Furthermore, E_d a₁ E_d a₂ will be applicable, as a

The problem solved by the computation in Figure 5
could be stated as follows: if we explicitly define d by
means of dα₁α₂ =df cα₂cα₁α₂, then we would like to
know what 'traces' are left from original occurrences
at {*,1,11} in any word to which the following elimination functor is applicable; d is eliminated at *,
then at 0, and then at 111. According to the computation, the only traces will be at addresses 00, 011,
and 11. In particular, if d's occurred originally only
at *, 1, and 11, they would not be completely eliminated; there would still be occurrences of d at 00,
011, and 11.
A study of Figure 5 reveals that the address computation is driven to a conclusion by an algorithm which
applies the following rules:
Rule 1: ⟨*⟩{*} = ∅.
Rule 2: If i ≤ s(d) (the stratification of d), then for
every address a, ⟨*⟩{i·a} = A_di·a = {a_i1·a, ..., a_imi·a}.

Handling The Growth By Definition Of Mechanical Language

Figure 6 - The Hasse diagram of E(a₀)

The address set A_di is interpreted to be null if the multiplicity, mᵢ, is zero, i.e. if the definition is scope expanding at i.
Rule 3: If * ∈ A₁, then ⟨a⟩{a·A₁} = {a·⟨*⟩A₁}.
Rule 4: If a ≤ b, then {a,b} = {b}.
Rule 5: (the first commutation rule) If a and b are
independent addresses (i.e. neither preceding the
other), then ⟨a⟩⟨b⟩ = ⟨b⟩⟨a⟩.
Rule 6: (the second commutation rule) If mᵢ ≠ 0
(i.e. if the definition is not scope expanding at i),
then ⟨a⟩⟨a·i·a'⟩ = ⟨a·a_i1·a'⟩ ··· ⟨a·a_imi·a'⟩⟨a⟩. If the
multiplicity is zero, mᵢ = 0, then we can only say
⟨a⟩⟨a·i·a'⟩ ⊆ ⟨a⟩ (the functor ⟨a⟩ has in its
domain any expression with an occurrence of d at a;
the functor ⟨a⟩⟨a·i·a'⟩ is more restricted because
it also requires an occurrence at a·i·a').
Rule 7: (the distribution rule) If the d-elimination
functor F is applicable to the address sets A₁ and A₂,
then it is applicable to A₁ ∪ A₂ and
F(A₁ ∪ A₂) = FA₁ ∪ FA₂.
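The rules above can be tried out mechanically. The following sketch (ours, not the paper's) tracks the set of d-occurrence addresses through successive eliminations for the definition dα₁α₂ =df cα₂cα₁α₂ of Figure 3, whose variable address sets are A_d1 = {10} and A_d2 = {0,11}; addresses are digit strings, with the empty string standing for *:

```python
# Trace computation of Figure 5 for d a1 a2 =df c a2 c a1 a2.
# A_d maps an argument digit to the addresses of the corresponding
# variable in phi_d: argument 0 -> {10}, argument 1 -> {0, 11}.
A_d = {"0": ["10"], "1": ["0", "11"]}

def eliminate(occurrences, a):
    """Apply the elimination functor <a>: replace the d at address a by an
    instance of phi_d and return the new addresses of the other d's."""
    assert a in occurrences      # <a> requires an occurrence of d at a
    result = set()
    for b in occurrences:
        if b == a:
            continue             # this occurrence is eliminated (Rule 1)
        if b.startswith(a) and len(b) > len(a):
            digit, rest = b[len(a)], b[len(a) + 1:]
            # the subtree holding this d is copied to each address of the
            # corresponding variable in phi_d (Rules 2 and 3)
            result.update(a + p + rest for p in A_d[digit])
        else:
            result.add(b)        # independent or higher occurrence
    return result

occ = {"", "1", "11"}            # d's at *, 1, and 11
for a in ["", "0", "111"]:       # eliminate at *, then at 0, then at 111
    occ = eliminate(occ, a)
print(sorted(occ))  # ['00', '011', '11'] - the traces found in Figure 5
```

The run reproduces the result of Figure 5: the traces land at 00, 011, and 11.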
Suppose we now represent the distribution of occurrences of d and φd in an expression β by another
expression of the form {C⁻¹dβ; C⁻¹φdβ}. Then, for the
definition of Figure 3, the expressions dcα₂α₁dα₂α₁,
cdα₂α₁dα₁cα₂α₁, and a₀ = ccα₁cα₂α₁ccα₂α₁cα₁cα₂α₁
will be represented by {*,1;Λ},
{0,1;Λ}, and {Λ;*,0,1,11} respectively. Moreover,
these three expressions all belong to E(a₀), consisting
of eight expressions in a partial ordering whose Hasse
diagram appears in Figure 6.
1. If β₁ and β₂ are equivalent forms over the extended alphabet,
then there exists another form β₀ such
that β₁ ≥d β₀ and β₂ ≥d β₀.
This is a very special case of the Church-Rosser
theorem, which deals with the very general extension
of formal systems by definitions. See, for example,
Curry & Feys.6
2. Every expression β₁ over the extended alphabet
determines a unique expression β₀ over the original
alphabet such that β₁ ≥d β₀.
In other words, every equivalence class of expressions contains one and only one expression over the
original alphabet, its unique 'normal form'.
3. For every expression β, L(β) is a lattice. Figure 6
shows that this need not be true of E(β).
4. E(β) can only be infinite if the definition is scope
expanding.
5. E(β) can only fail to be a lattice if φd is self-dominating, and β contains a φdφd-domino.
For example, this is the case in Figure 6 because the
occurrence of φd at 1 in a₀ dominates the occurrence


at 11 and is dominated by the occurrence at *.

Figure 7 - The Hasse diagram of E(a₀) when d is factored
6. A partial ordering is called modular if, whenever β₂ ≥ β₁, any two complete chains between β₂
and β₁ have the same length. Figure 6 is not modular
because one complete chain between {*,1;Λ} and
{Λ;*,0,1,11} is of length two and the other two are of
length three. This happens because the definition is
a breadth reducer: C⁻¹α₂φd = {0,11}, and C⁻¹φd a₀ ⊇
{*,0,11}.
7. If we factor this definition into a pure depth
reducer, a pure breadth reducer, and a pure permuter,
as mentioned before, we separate their several effects
into three phases of extension, as one can observe by
studying Figure 7.
CONCLUSION
One could extend the very special theory of this paper
in a number of directions. For example, one could go
on to study the effects of sets of definitions; the
factorization into 'pure' types illustrated this. One
could relax the 'completeness' condition we were
using in our categories of languages, and consider
various kinds of incomplete categories. One could
relax the restrictions implied in our use of the word
'explicit' to permit definitions by cases, or suppression of variables, or even recursion. The fact that
there is such a theorem as the Church-Rosser theorem
means that some kind of light should emerge.
However, it seems to me that even our simple example has taught us some unexpected things.
First of all, the processing we have been discussing
can occur at meta-language level as well as at object-language level.
For example, in Church's axiomatic system for the
propositional calculus the first axiom is

A1: ⊢ α₁ ⊃ (α₂ ⊃ α₁).

The name A1 belongs to the meta-language just
as the punctuation, parentheses, and '⊢' do. We
can give A1 several important types of interpretation
in the meta-language, all of which we would like to
use in the same system (see Gorn9). For example:
1. A1 is an address in an addressing system for the
storage of axioms and theorems.
2. A1 is an instruction representing an operation on
two expressions; A1α₁α₂ will produce ⊃α₂⊃α₁α₂.
3. A1 is a new character in the language family of
the category. This syntactic view
carries with it all the syntactic effects of the explicit
definition of figure 6 with A1 for d and ⊃ for c. In
particular, the syntactic relation
between the two expressions
would also have the semantic consequence that both
expressions specify methods of deriving a₀ = ⊃⊃α₁⊃α₂α₁⊃⊃α₂α₁⊃α₁⊃α₂α₁. We also know, because of
the A1A1-domino in a₀, that there can be no expression from which both can be derived.
This means that much of the processing needed
in theorem proving is not essentially different, in
spite of the shift in level of interpretation, from the
processing at object level.
Moreover, the introduction of explicitly defined
symbols, as in ⊃α₁α₂ =df ∨∼α₁α₂, and the introduction
of systems of names of axioms and theorems are not
only similar to each other but also play the same role
in the meta-language as the introduction of new names
of instructions, or of macro-instructions in a programming language. All these new symbols can also
be interpreted as names of linguistic transformations
on the object language, and therefore as operators in
a meta-language over the object language.
This means that there is a second effect from our
study. A number of seemingly different problem areas
in information science, logic, and linguistics become
identified:
a. The growth of a mechanical language by the explicit defining of new characters: it can be controlled
if we have the definitional forms recorded, and use
such processors as form recognizers, recognizers of
the relation ≥d no matter what the 'd', reducers to
normal form independent of d and φd, equivalence
recognizers, etc. Each of these processors will permit one to vary the alphabets, the forms, and the definitions, of which there will be very many. But of the
basic processors there will be only a handful, and they
will be applicable at many levels as well as to many
alphabets and many definitions. The system should
also contain a number of the translators among the
language functions of the category.
b. A number of problems in artificial intelligence:
imagine that a language is specified for which a recognizer is either unknown or impossible; we want a
'heuristic' recognizer which will 'often' determine
whether an expression belongs to the language by
attempting to solve the problem of setting up a
derivation for it. If the processor is halted before this
happens, the recognition is left undecided. The investigations of Newell, Shaw and Simon, such as the Logic
Theorist13 and the General Problem Solver,14 can be
formulated this way, because the set of all 'true' expressions can be considered a language just as easily
as the set of all expressions. This is because the
axioms can be considered as ad hoc syntactic generators of good expressions, and such 'transformation
rules' as modus ponens, substitution, etc. can be considered as derivation rules in a generative grammar.
The heuristic program recognizes patterns of
applicability of these transformation rules in order to
set up the 'subgoals'. The availability of our standard
form recognizers, as efficient processors rather than
heuristic ones, makes the main heuristics more efficient. See Boyer1 and Chroust.4
c. The extension of formal systems by definition:
one considers the 'derivation rules' of the formal
system to be the 'transformation rules of the language',
in the sense of Carnap, just as described in b. This is
why the material in the first four chapters in Curry
& Feys,6 leading up to the Church-Rosser theorem for
general formal systems, had its counterpart in our
simplified and much more highly structured languages.
d. We handled an explicit definition as though it
were an addition to the grammar of the language which
permitted certain simple linguistic transformations
to be performed. Our classification into depth reducers,
breadth reducers, etc. is a very primitive classification, very much in the spirit of the much more complicated 'linguistic transformations' in the sense of
Chomsky and Harris. Can we not consider that anyone who defines a new expression in a language is
causing the language itself to change; is he not really
changing the grammar of the language, and not merely
adding new expressions?
e. Suppose we have two programming languages,
such as, for example, the assembly languages of two
different binary general purpose machines of the von
Neumann type. We can consider that each instruction
of either language is defined in terms of a common
'micro-language' of bit-manipulations. Some of these
definitions are recursive, but many can be made explicit. Among the difficulties of machine-to-machine
translation is the fact that many instructions, like
'ADD', do not really have the same definition in the
different machines.
The same problem arises if a community of users,
beginning with a common language, have the freedom


of introducing macro-definitions independently of
one another. Sub-communities with common problems
will develop different sub-languages by different
systems of macro-definitions, and if these different
sub-communities do not remain in constant communication, their distinct 'dialects' will, in effect,
grow into distinct languages, and the translations,
even with only explicitly defined macro-instructions,
will become difficult because of what, in this paper,
is called the domino effect among definitions.
The non-lattice effect we remarked on for definitions related by dominance can now be interpreted as
a danger of loss of communication; when the processors we have discussed are not available, the
different sub-communities will not even know when
they are saying the same things.
REFERENCES

1 M CHRISTINE BOYER
A tree structure machine for proving theorems
Moore School Master's Thesis August 1964
2 JOHN W CARR III
The growing machine
To be submitted to a computer publication
3 T E CHEATHAM
The introduction of definitional facilities into higher level programming languages
AFIPS Conference Proceedings Vol 29 Fall Joint Computer Conference 1966
4 GERHARD CHROUST
A heuristic derivation seeker for uniform prefix languages
Moore School Master's Thesis August 1965
5 A CHURCH
Introduction to mathematical logic
Vol I Princeton 1956
6 H B CURRY R FEYS
Combinatory logic
Vol I North Holland 1958
7 B A GALLER A J PERLIS
A proposal for definitions in ALGOL
To appear in Communications of the ACM
8 SAUL GORN
Common programming language task
Rep AD 236-997 July 1959 and Rep AD 248-110 June 30 1960 US Army Signal Res and Develop Labs Fort Monmouth NJ Contract No DA-36-039-SC-75047
9 IBID
The treatment of ambiguity and paradox in mechanical languages
Am Math Soc Proc Symposia in Pure Mathematics Vol V (1962) Recursive function theory Apr 1961
10 IBID
Mechanical pragmatics: a time motion study of a miniature mechanical linguistic system
Vol 5 No 12 December 1962 pp 576-589
11 IBID
Language naming languages in prefix form
Formal language description languages for computer programming North Holland 1966 pp 249-265
12 IBID
An axiomatic approach to prefix languages
Symbolic languages in data processing Proceedings of the symposium at the International Computation Centre Gordon and Breach 1962
13 A NEWELL J C SHAW H A SIMON
Empirical explorations of the Logic Theory Machine: a case study in heuristics
Proceedings of the Western Joint Computer Conference 1957 pp 218-230
14 IBID
Report on a general problem-solving program
Information Processing UNESCO Paris 1959 pp 256-264
15 T J OSTRAND
An expanding computer operating system
Moore School Master's Thesis December 1966

An optical peripheral memory system
by R. L. LIBBY, R. S. MARCUS* and L. B.
un

~TAT T A
u .. 1 ... .L..J.L....I1 J.I.'-LJ

Itek Corporation

Lexington, Massachusetts

algorithmic (programmable), decision table, and tag-associative memory types of processing. This combination of processing appears to be typical of a broad
class of non-numeric information handling problems
that range from language translation to image pattern
analysis and recognition, and proved to be a more
than adequate test vehicle for assessing the memory
technology.
Figure 1 is a picture of the final operating test
system. The photo-optical disc reading unit occupies
the two-bay cabinet to the left of the chain printer
and magnetic tape transport units. The memory search
logic is incorporated in the three-bay unit in the center
background, along with the general purpose computer
logic.

INTRODUCTION
The increasing extension of computer technology
to applications involving the accumulation and use
of large libraries of digitized data (10¹² bits or greater)
has stimulated interest in new digital peripheral
memory techniques.1,2,3
Of the many characteristics and performance
parameters of interest related to peripheral memories,
achievable digital storage density is a fundamental
parameter, since it contributes strongly (but not
uniquely) to the access time, data transfer rate, cost
per bit, and other important properties of digital
peripheral memories.
The particular peripheral memory described in
this report uses optical techniques for recording and
reading digital data. The search logic and general
purpose computer associated with this memory have
allowed practical demonstration of the recording and
reading of digitized information and the functional
use of the peripheral memory as a content addressable
store.
The use of optical techniques in the subject memory
demonstrated that many memory performance characteristics typical of magnetic technology can be
equalled or exceeded.
It would appear, however, that the promise of
optical techniques in the peripheral memory area lies
in the storage and retrieval of digitized data
in capacities of 10¹¹ bits or greater for either on-line or
off-line storage or retrieval applications. This paper
describes first an operational prototype system and
then presents technical considerations for achieving
mass digital storage capabilities.

The system for evaluation of the
photo-optical memory technology
A complete computer system was designed around
the photo-optical memory and tailored for combined

Figure 1 - Overall view of memory test system

Figure 2 shows the Disc Writer Unit, which is
fully automatic except for loading and unloading the
photographic disc.
An overall block diagram of the test system environment for the memory is shown in Figure 3.

*Currently with the Electronic Systems Laboratory, Massachusetts
Institute of Technology, Cambridge, Massachusetts.

Mounting of the disc in the Disc Reader is as simple
as mounting a magnetic tape reel. Once mounted,
the photostore disc provides an on-line unit record
of 150 million bits which allows access to randomly
located entries within it in an average time of 15
milliseconds. When a desired entry is found, read-out
into the computer memory occurs at a 4 megabit rate.

Figure 2 - Disc writer unit

Figure 3 - Test system block diagram

Figure 4 - Photographic memory disc

The magnetic tape unit is used primarily for the
input of source data to be recorded in the photographic unit record, or photostore disc, of the system.
The control computer buffers each track's worth
(9,600 seven-bit characters) of source data during
the memory writing operation to insure affirmative
parity checks before transferring the data to the Disc
Writer Unit. The data transfer and writing occur
at a rate of 100,000 bits per second. The Disc Writer
records these data serially by bit on each concentric
track of the disc. Disc writing can terminate after
any of the 2,350 total possible tracks are completed,
but not during the writing of a track. The exposed
(recorded) disc is then removed manually from the
Writer and placed in a Developer Unit. After chemical
development, the recorded disc is either stored for
later use or manually placed in the Disc Reader Unit
for use in retrieval or dictionary look-up processing.
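The figures quoted here and in the next section are mutually consistent, as a quick check (ours; the rounding is ours as well) shows:

```python
# Cross-checking the disc parameters quoted in the text: 9,600 seven-bit
# characters per track, 2,350 tracks, a 100,000 bit/s writing rate, and a
# quoted unit-record capacity of 150 million bits.
chars_per_track = 9_600
bits_per_char = 7
tracks = 2_350
write_rate = 100_000              # bits per second

bits_per_track = chars_per_track * bits_per_char
print(bits_per_track)             # 67200, the ~67,000 bits/track quoted later
print(bits_per_track * tracks)    # 157920000, i.e. ~150 million bits per disc
print(bits_per_track / write_rate)  # 0.672 s to write one track
```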

The photostore disc
The short random access time (15 milliseconds),
high read-out rate (approximately 4 megabits per
second), and high unit record capacity (150 million
information bits) achieved by the single reading station result from the use of optical techniques for
data writing and a photographic film emulsion as the
storage medium. A glass disc, one-quarter inch thick
and 10.5 inches in diameter, is coated with Eastman
Kodak Type 649F high resolution emulsion. This is
an emulsion formerly used primarily by spectroscopists but recently a favorite in holographic work.
The information is recorded in a one-inch annular
region (centered at a 4.25 inch radius), in the form of
2,350 concentric tracks (see Figures 4 and 5). Each
track of information shares a transparent border and
an opaque border with its neighboring tracks (see
Figure 6). The stored information is recorded serially
by bit on each track and 67,000 bits are recorded on
each track, at a density on the inside track of approximately 2,850 bits per inch. The code used (Man-


code words which, with appropriate hardware, could
be used as special hardware recognizable operational
codes or data delimiters. The Disc Memory currently
uses the following five combinations:

Character code | Function                                    | Mnemonic | Comment
00₈ 01₈        | Detector Synchronizing and Entry Delimiting | αβ       | Machine Detected
00₈ 02₈        | Argument-Function Separator                 | ατ       | Machine Detected
00₈ 03₈        | Substitutes for 00₈ in stored information   | αγ       | Machine altered to 00₈ upon read out
00₈ 04₈        | Delimiter introducing Track Identification No. | αδ    | Machine Detected
00₈ 77₈        | Match Anything Code                         | αν       | Machine Detected

Figure 5 - Microphotograph of disc information tracks

There is nothing fundamental restricting the use
of less dense codes in systems of this type, such as
8, 9, 10 bit, etc. code words, if one finds that either
the reserving of 00₈ from available data-representing
code words is too restrictive or the transforming of
00₈ into a double byte code prior to storage is cumbersome.
As noted above, the system uses a two-character
code (00₈ 01₈) to delimit or bound the data entries
in the memory, and another two-character code
(00₈ 02₈) as an internal separator between the argument (look-up tag) and the function (read out) portion
of an entry on the storage disc. Entries may contain
one information character or up to 9,600.
Photostore disc reading
In utilizing memories having on the order of 10
million information marks per square inch, one cannot rely on absolute mechanical positioning of the
read-out mechanisms. In the optical memory reader,

Figure 6 - Disc reader self tracking principle

chester), provides a short-time average light transmission that is independent of the information stored.
For example, each logical bit value recorded as an
opaque or clear mark is followed immediately by its
complement. Thus a string of logical zeroes consists of
an alternating sequence of opaque and transparent
5-micron-square marks. The all-zero code, 6 logical
zero bits plus 1 odd parity bit per character, is reserved for use as an operational code recognized by
circuitry. Thus, the sequence of bit marks representing the double character sequence (00₈ 01₈) is
uniquely available as a detector synchronizing code.
The octal zero "shift" code, coupled with the other
characters, provides 62 other possible double byte
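The mark-and-complement scheme just described is Manchester (phase) encoding; a small sketch (ours, not the paper's; the choice of "1" for opaque and "0" for clear is an assumption) shows why the average transmission comes out at 50% regardless of the data recorded:

```python
# Manchester encoding as described above: every logical bit is recorded
# as a mark followed immediately by its complement. Exactly half of the
# recorded marks are therefore clear whatever the data, which gives the
# 50% average light transmission the tracking servo relies on.
def manchester(bits):
    """Return the mark pattern for a bit string; '1' = opaque, '0' = clear."""
    out = []
    for b in bits:
        out.append(b)                          # the bit itself
        out.append("1" if b == "0" else "0")   # followed by its complement
    return "".join(out)

marks = manchester("0000000")  # a run of seven logical zeroes
print(marks)                   # '01' repeated seven times: alternating marks
print(marks.count("0") / len(marks))  # 0.5 - half the marks are clear
```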

Figure 7


a reduced optical image of a Cathode Ray Tube
(5AUP24) spot is positioned on the emulsion containing the digital information mark pattern. As
depicted in Figure 6, the imaged CRT spot may
wander from the track locus as the photostore disc
rotates at 3600 rpm. The generalized closed loop
servomechanism depicted in Figure 7 keeps the image
of the read-out spot centered on the information
marks by feed-back control of the radial deflection
of the CRT.
Since the "on track" condition is stable, track
stepping is accomplished by reversing the sense of
deflection on the CRT and simultaneously "nudging"
the spot in the radial direction desired (i.e., toward
the disc memory center, or toward its outside edge).
To make the tracking mechanism action independent
of the stored information, the Manchester code is
used, which provides an average "on track" light
transmission of 50%. The servo response is limited
by the 5.4 microsecond, short term, circuit-integrated
average of the output of the photomultiplier tube
(the PMT that reads the information-modulated CRT
light). A non-integrated version of this output goes
to the search logic and control computer. Stepping
of the reading spot is controlled either by computer
instructions or the automatic search logic. Total
"many-track" stepping time (averaged per track),
including instruction execution and servo settling
time, is estimated at 7 microseconds.
Since track stepping cannot proceed at a rate approaching the rate of occurrence of information marks
(when "on track") and it is desirable to assure time
for the reading spot to "lock on" each track that it
passes, the radial velocity of the read-out spot is
set so that radial search time corresponds to an
equivalent velocity of about 61 inches per second.
Programmed track search and entry sampling reduces this to 50 inches per second. The tangential
motion of the information tracks relative to the read-out spot (by disc rotation) is approximately 1700
inches per second.

Disc format optimization
It can be readily shown that the disc format has
about 80% of maximum capacity for the given mean
access time. The ratio of the two average coordinate
search velocities (random search) is about 80% of
the ratio of their corresponding coordinate dimensions. That is:

2 × V tangential : 3 × V radial = 22.7
2πR : W = 28.3

where:
W = width of information annulus = 1 inch
R = average radius of information annulus = 4.5 inches
V radial = 50 inches/second
V tangential = 1700 inches/second
The factors 2 and 3 correspond to cyclic and
bilateral search motions in the tangential and
radial directions, respectively.
and:

(2 × V tangential / (3 × V radial)) : (2πR / W) = 0.8
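These ratios can be checked directly with the values given above (the check is ours):

```python
import math

# Checking the disc-format ratios quoted above: the effective search
# velocity ratio (cyclic factor 2 tangentially, bilateral factor 3
# radially) against the ratio of the coordinate dimensions of the
# information annulus.
W = 1.0                # width of information annulus, inches
R = 4.5                # average radius of annulus, inches
v_radial = 50.0        # inches/second
v_tangential = 1700.0  # inches/second

velocity_ratio = (2 * v_tangential) / (3 * v_radial)
dimension_ratio = (2 * math.pi * R) / W
print(round(velocity_ratio, 1))     # 22.7
print(round(dimension_ratio, 1))    # 28.3
print(round(velocity_ratio / dimension_ratio, 2))  # 0.8
```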

The disc memory unit functions
The two-bay Disc Memory Reader Unit contains
five major functional sub-assemblies and utilizes
seven control logic lines between it and the search
and control logic. These lines pertain to track step
commands, error flags, clocking, and entry delimiter
signals. The five major functional sub-assemblies
are:
1. CRT Light Source Generation: The 5AUP24
CRT is run at a beam power of 1.6 watts with a 0.012
inch diameter spot. Since this is a phosphor temperature-limited operation, the spot is kept moving on
the phosphor in a 2.5 inch diameter circle at 100 cycles
per second. Protection against loss of deflection is
provided. A reference PMT continuously views the
CRT and maintains constant CRT spot light output.
2. Lens Motor Assembly: The microscope lens used
to image the CRT spot is mounted on a "voice coil"
which is supported as an air bearing on the center
pole piece of a large cylindrical electromagnet. The
one inch radial motion of the field of view of the lens,
which statically encompasses about 100 data tracks,
has the necessary acceleration such that it does not
limit the track stepping time as determined by the
tracking servo settling time.
This lens motor is injected with a properly phased
component of the 100 cycle signal that is used to generate the CRT spot circular motion, in order to cancel
any radial motion of the spot's image on the disc. The
100 cycle tangential motion (along the information
tracks) is tolerated.
3. Tracking Servomechanism: Both the CRT radial
deflection (radial with respect to the disc spindle
center) and the lens motor (lens position) are driven
by the amplified error signal generated as the integrated PMT output (see Figure 6) deviates from a
"grey level" reference value. The lens motor corrects
for all perturbations up to about 120 Hertz and the
CRT radial deflection for perturbations having frequency components from that cut-off point up to 150
to 200K Hertz which is well below the energy band
of the information being read out.

4. Signal Detection and Processing: The analog
signal output from the disc reader PMT is shaped by
a delay line correlator, and a detector clock phasing
signal is derived from the information mark transitions
(clear to opaque, etc.).
Since the disc output signal contains two pulses
of opposite polarity for each bit recorded on the disc,
this fact is utilized by incorporation of two detectors
whose detection sampling intervals are shifted in
time by one information mark time interval. Detection of a parity error in, say, the "true" detector automatically causes selection and use of the character
in the "complement" detector. Circuit means are provided to prevent improper phasing of these detectors.
5. Air System: Approximately one-half of the Disc
Reader volume is occupied by an air compressor and
de-humidifier provided for the lens motor air bearing.
Experience has indicated that the de-humidifier unit
can probably be eliminated and the compressor and
air reservoir system reduced in size.
Photostore disc memory searching
Finding an entry in the photostore memory to begin read out can be accomplished in two different
modes:
a. Content Addressing (track search followed by
entry search)
b. Vicinity Search (absolute track addressing) followed by Content Addressing
In the Content Addressing Mode, a string of characters (this can be several thousand characters long)
is placed in the Look-Up region of the memory of an
associated computer, or, if the system is designed
for an entry of fixed length, it can be inserted in an
interface register and the Look-Up instruction executed. As soon as the CRT spot image, which may
be on any track of the photostore disc, encounters
an entry delimiter (00₈ 01₈), each succeeding
character is matched sequentially with the corresponding sequential character in the Look-Up memory
region (or register). The moment an inequality of
character code match is encountered, the reading
spot steps up or down one track on the disc, based on
the sign of the inequality. The matching of characters
in an entry argument with those in the Look-Up region
begins over again the moment an (00₈ 01₈) is again encountered. Since the arguments of the entries in the
dictionary are arranged in order by their code value
(as left justified fractions, with each character value
being a digit of the fraction), this step track, attempt a sample match, and then step track sequence
continues until the sequence of track-sample matches
produces a "memory sample less than" to a "memory

sample greater than" transition. It will be noted that
during this "Track Search" phase, even an extra
match of an entry argument with the sequence of
characters being looked up, will not cause read out
of an entry's function. This prevents a match of a
shorter (hence lower valued) memory-entry argument
with a short sequence of symbols being looked up,
when a longer (higher valued sequence) may exist in
the photo-disc memory.
After the "less than" "greater than" track sampling
sequence criterion is sa~isfied, the "Entry Search"
phase of the Look-Up instruction occurs. The readout spot stays on a track during the Entry Search
phase until either an argument is found that matches
every character in the look up region as far as its
intra-entry deiimiter codes, or until an "end of track"
code word is encountered. In the latter case, the readout spot jumps to the next track containing lower argument code values and continues entry search, and so
forth, until a matching argument is found or end of
the memory is reached. When a matching argument
is found, all parts of the entry following the intra-entry boundary between argument and function and
the (008018) function terminating code word are read
out into a memory field (staticizer region) of the attached computer.
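The two search phases just described amount to a coarse bracketing pass followed by a linear scan. The following Python fragment is a sketch of that procedure under simplifying assumptions (an in-core list of tracks, ascending argument order, and invented names; the machine's actual data format is not reproduced):

```python
# Sketch of the Look-Up instruction's two phases. Each track is a list
# of (argument, function) entries; tracks are ordered by argument value.

def look_up(tracks, key):
    # Track Search: sample one argument per track and step on the sign
    # of the comparison until a "less than" to "greater than" transition.
    t, last_sign = 0, None
    while True:
        sample = tracks[t][0][0]
        if sample == key:
            break                       # sampled entry happens to match
        sign = 1 if sample < key else -1
        if last_sign == 1 and sign == -1:
            break                       # the key is now bracketed
        nxt = t + sign
        if not 0 <= nxt < len(tracks):
            break                       # reached the edge of the memory
        t, last_sign = nxt, sign
    # Entry Search: scan the bracketing track, then the tracks holding
    # lower argument values, until a matching argument is found.
    for ti in range(t, -1, -1):
        for argument, function in tracks[ti]:
            if argument == key:
                return function
    return None                         # end of memory reached
```

With a few tracks of ordered entries, look_up returns the function stored with the matching argument, or None when no argument matches.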
The value of this "longest match", content addressable, search procedure in language processing
has been described in some detail.4 The sampling of
one entry on each track in order to make the "sampled
comparison" can slow the content addressable search
procedure if the arguments (or tags) of entries are long.
Accordingly, a means has been provided in this system
to perform a programmed "vicinity search" phase
prior to entering the "Track Search Phase" of the
Look-Up instruction. This is accomplished by automatically reading from a register the track number
of any track that the read-out spot is resting upon (by
employing a "track identify" instruction). These
track numbers may be recorded as frequently as desired on a memory track or as little as once at the beginning of each memory track. Preceding a look up
instruction, this track number is ascertained and compared with the approximate track location of the arguments having the first character value of the first character in the look-up region (this is determined from a
small table in the control computer's memory). The
program then gives a command to step the necessary
number of tracks in the proper direction prior to
giving the look-up instruction.
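The vicinity-search bookkeeping reduces to a subtraction between the current track number and a table entry; a minimal sketch (the table contents and all names here are hypothetical):

```python
# Programmed vicinity search: read the current track number, look up
# the approximate home track of the key's first character in a small
# in-core table, and issue the net number of step-track commands.

def vicinity_steps(current_track, key, first_char_track):
    """Return (direction, count) of track steps to issue before Look-Up."""
    target = first_char_track[key[0]]   # approximate track for 1st character
    delta = target - current_track
    return ("up" if delta > 0 else "down", abs(delta))
```

For example, with a table {"A": 0, "B": 90, "C": 210} and the reading spot resting on track 140, a look-up of "CAT" would call for 70 steps up before the Look-Up instruction is given.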
Absolute Track Addressing is accomplished by
use of the track number identification and programmed track step commands.


Spring Joint Computer Conf., 1967

Disc memory access time and capacity
relationship
The average timing of the accessing of randomly
located records on the photostore disc can be approximately expressed in a quantitative manner. A
general relationship can be derived, relating the size
of a dictionary that is stored in the photo-disc memory
and the average random access time to an entry:
Relationship of total dictionary size and look-up
time:
D = dictionary size in bits
E = dictionary size in terms of the number of
entries
B = average number of bits per entry, including
delimiters (assume function and argument are
equally long)
Assumptions and fixed parameters:
(a) Servo settling time and step-track instruction
execution in track stepping is approximately 7
microseconds
(b) D = B x E
(c) T = average look-up time for each of a large
number of entries randomly located in memory
(d) K = redundancy (repetition) of entries (=1, 2,
3 ... etc.) in terms of repeated sectors on a
track
(e) Ce = capacity of photostore disc that is effectively used; Ce = K x D bits
(f) NT = number of tracks utilized on disc, where:

NT = (K x D)/(7 x 10^4) tracks
(g) memory serial scan bit rate (along track) = 4 x 10^6 bits per second
If vicinity search is used, the sum of the following terms will equal the access time in seconds:
Term 1: Radial track stepping time - 7/3 x NT x 10^-6 seconds
Term 2: Rotational latency time - 1/2 x 1/K x 16.7 x 10^-3 seconds
Term 3: Vicinity track search; programmed file search of a 64-entry table - (64/2) x 30 cycles x 0.8 x 10^-6 seconds = 0.77 x 10^-3 seconds
(Note: the control computer has a 0.8 x 10^-6 second cycle time.)
Term 4: Final track stepping and entry sampling within 20 tracks of the desired track - 20 x (B/(2 x 4 x 10^6) + 7 x 10^-6) = 0.40 x 10^-3 seconds for B = 100
Term 5: Function read-out time - B/(2 x 4 x 10^6) = 0.013 x 10^-3 seconds
Since terms 3, 4, and 5 contribute about 1.2 milliseconds, the access time (for entries where B = 100 bits) can be approximated by the following expression:
T = 2.3 x 10^-3 x NT + 8.4/K + 1.2 (milliseconds)
where, again:
NT = total number of tracks of information on the photo memory disc
K = number of repeated information sectors per track
The number of tracks (NT) can be expressed in terms of the number of entries in the photo memory. The expression for the average access time to randomly located entries becomes:
T = 0.033 x 10^-6 x K x B x E + 8.4/K + 1.2 (milliseconds)
It should be noted that the last term of the above access time expression is not very sensitive to the length of an entry (B) for a given capacity. A tenfold increase in B (to 1000 bits per entry) would change the final constant in the above expression from 1.2 milliseconds to 2.8 milliseconds.

Photostore disc memory writing

The use of non-erasable photo-optical phenomena
as a digital information storage method causes more
conceptual than actual operational difficulties. It
is to be noted that in many magnetic tape oriented
systems, erasability features are used primarily to recover the use of the storage medium rather than as
an updating feature. The development program for
this system has shown that writing rates competitive
with 90 kilocharacter per second magnetic tape
transports would be easily achieved with long-life,
medium power, C-W lasers. The throwaway costs
of optical recording materials, if made obsolete by rewritten records, could be negligible compared to the
processing costs attendant to any large record updating task using, say, a re-usable medium.
The photo-memory writing process starts with a
prepared batch of data on IBM-format compatible
magnetic tape. This data has been segmented into approximately 9,600-character blocks, since this
is the capacity of each of the 2350 tracks of a photodisc. The control computer memory writing program
reads one block of information into the core memory
and turns on a "Ready to Write" light on the control

panel of the Disc Writer unit. An operator has previously mounted an unexposed disc on a spindle in
the Writer and he presses the "Start-Write" button
when the computer signals "Ready to Write". The
block of information is transferred under program control, six characters at a time, to the Writer Unit. The
latter unit, serially by bit, by means of an electrooptical modulator, modulates a 25 milliwatt He-Ne
C-W laser beam with the information. The laser source
beam has been split into two beams (Figure 8). One
of these, modulated by the information bits to be recorded, is imaged as a 1.2 by 5 micron slit image onto
the disc emulsion. The motion of the emulsion of the
moving disc with respect to the slit-like image and
the timing of the on-off sequencing of the electrooptical modulator produces a 5 micron square clear
(unexposed) and a 5 micron square opaque (exposed)
sequence of areas on the disc for each logical "zero"
to be recorded. The opposite sequence of an opaque
and a clear area is used to record a logical "one".
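This clear/opaque mark-pair scheme is a phase (Manchester-style) code: each bit occupies two 5 micron areas whose order carries the value. A minimal sketch, with mark names chosen only for illustration:

```python
# Each recorded bit is a pair of areas: clear-then-opaque for "zero",
# opaque-then-clear for "one", as described for the Disc Writer.

PAIRS = {0: ("clear", "opaque"), 1: ("opaque", "clear")}
MARKS = {v: k for k, v in PAIRS.items()}

def encode(bits):
    """Expand a bit sequence into its sequence of recorded areas."""
    out = []
    for b in bits:
        out.extend(PAIRS[b])
    return out

def decode(marks):
    """Recover the bit sequence from consecutive mark pairs."""
    return [MARKS[(marks[i], marks[i + 1])] for i in range(0, len(marks), 2)]
```

A virtue of such a code, then as now, is that every bit cell contains one transition, so reading can be self-checking even though this system derives its timing from the spindle rather than from the data.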
The second portion of the beam forms a slit-like image
(the border image) which is left "on" continually
while writing information marks. By switching the
position of this border image every time a new track
is written, alternate clear and opaque track borders
are obtained as illustrated in Figure 5. When one track of information is written (9,600 characters and one spindle revolution), the spindle containing the disc is electromechanically indexed radially about 430 microinches (11 microns). During this indexing, the control computer is reading the next block of source magnetic tape. At the start of the next revolution of the disc spindle, the foregoing sequence is repeated. Disc spindle rotation and modulator timing are derived from stable frequency sources, and it has been found that one or two characters of buffering (empty of significance) suffice to take care of the overlapping of the beginning and end of a written track. All track beginnings are approximately aligned by means of a synchronizing magnetic pick-up on the writer spindle, but radial correlation of track-to-track information at the bit level does not otherwise exist intentionally.
The Disc Writer writes at instantaneous rates of 100,000 bits per second, but because of the interlaced track indexing motion (spindle radial indexing), the effective writing rate is 50,000 bits per second, or about 7 kilocharacters (6 bits plus parity) per second. A design for interruptible spiral track writing has been completed which avoids this loss in effective writing rate. A more detailed technical description of the photo-optical aspects of the Disc Writer has been presented.5
When completion of the disc (or partial disc) is indicated (by track number), the exposed disc is removed manually and placed in an automatic developer unit (Figure 9). A standard photochemical development is carried out by this unit with the precaution that all solutions are filtered (to 1 micron) immediately before their application. A completed dry disc, with archival quality, is obtained in about 15 minutes. This process probably could be reduced, by using heated and special solutions, to a period of 3 minutes.

Figure 8 - Disc writer diagram
Figure 9 - Automatic disc developer unit

The search logic and photo memory
related instructions
Since dictionary type look-up operations were
expected to make up an important segment of the
memory test operations, a special search logic
comparator was added to the Disc Reader that allows
a set of single instructions or computer commands to
address the 150 million bit photostore memory on a
content addressable basis. The following instructions
facilitate search operations in the large memory:
Look up
This instruction locates the entry whose argument
(TAG) makes the longest exact match with the indefinitely long string of characters stored in fast
memory beginning at a specified location. When such


an entry is found in the disc (argument match) its
function (this can be either data or program) is automatically read out into a designatable (settable by
manual switches) memory field (staticizer region) of
the control computer's memory.

Retrieve
This instruction was devised to search the large memory for a pattern of symbols of variable length and of uncertain character content. An octal code that is to be recognized as a "mask" character is manually set into a switch register. Using the Greek letter "ω" for this value, the letter "x" for any alphanumeric character in the memory, and "xN" for a particular specified alphanumeric character, all entries in the memory having a tag (or argument) such as x1x2xxx3x4 or x1x2xxx3x4x would be retrieved by applying the RETRIEVE instruction to an input character sequence such as x1x2ωωx3x4ω. This device can be useful in circumventing common spelling errors in the input data to be processed and for masking certain portions of character patterns that are being looked up in information retrieval applications. It is especially useful in applications where it is desired to retrieve information on a number of different keys but where it is not practical to presort the information on each key individually. Read out of matched information is accomplished into a staticizer region as in the LOOK-UP case. This instruction starts its matching memory scan at some specified argument, and it terminates when reaching the end of the dictionary or when the staticizer region is filled.

Dump instruction
The inclusion of this instruction recognizes that it may frequently be desirable to bring sections consisting of many contiguous total entries of the photo-optical memory contents into the computer's memory, where programmed search (or scanning) of total contents may be accomplished. The instruction operates by first finding a matching argument of an entry for a specified beginning point (entry); then it provides a complete sequential read-out (arguments as well as functions) of the photo-optical memory in a decreasing argument value direction until one of the special superboundary codes that have been previously inserted in the dictionary is encountered.

Masking features
The three basic content addressable memory search instructions, described above, constitute the table or dictionary look-up repertory of the system. An additional code masking feature is important since it allows both economy and flexibility in the dictionary make up. This masking feature uses a particular octal code called the "match on anything" character. It is used in the dictionary only, and it is equivalent to the lowest valued character in the disc memory (that is, it is the last character value on which a match is attempted during Look-Up instruction execution). In a sense, it can be termed a "fail safe" matching character.
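The RETRIEVE behavior can be imitated with an ordinary character comparison in which the mask code matches any single character; the sketch below assumes equal-length patterns and uses "w" for the mask code (names and data layout are illustrative only):

```python
# RETRIEVE-style masked matching: the mask code matches any single
# character. Entries are (argument, function) pairs, as elsewhere.

MASK = "w"

def masked_match(pattern, argument):
    """True when every non-mask position of the pattern agrees."""
    return len(pattern) == len(argument) and all(
        p == MASK or p == a for p, a in zip(pattern, argument))

def retrieve(entries, pattern):
    """Return the functions of all entries whose argument fits."""
    return [fn for arg, fn in entries if masked_match(pattern, arg)]
```

As the text notes, this serves both to absorb spelling variation and to retrieve on several keys without presorting; the sketch scans all entries, as the serial RETRIEVE does.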
Identify track
This is a specific command that allows query by
the control computer of a special register which contains the track number identification of the track
currently being read. Since track identity codes can
be arbitrarily placed around a data track, latency
time for track identity can be arbitrarily reduced.
The operational code delimiting track identity numbers is uniquely recognizable (separately from recorded data), and this allows the updating of this register to be automatic if desired.
Track stepping instructions
Two commands are provided in the search logic
for stepping the read-out position of the Disc Reader
light spot image. These are the UP TRACK and
DOWN TRACK commands that cause the read-out
to occur on data tracks that are adjacent to the one
currently being read. These commands are capable
of being automatically sequenced and controlled.
Content addressable search
logic improvements
The programmers who have programmed the system have made good use of its distinctive operational
features. The experience has, however, whetted appetites for inclusion of additional memory search
features. The following list of improvements has
been suggested for the disc search logic.
1. Allow the value of the masking code (ω) to be
program settable. This would allow greater
flexibility with respect to masking the variety
of input code sets that can be handled by the
system.
2. Accomplish termination of the RETRIEVE
instruction by hardware determination of the
fact that no further search matches are possible.
This would save time in the completion of the
RETRIEVAL execution.
3. Achieve automatic read-out and conditional
storage (depending on subsequent match or no
match) of the argument. In many applications
this would save repetition of the entry argument
in the function of the entry. In cases where
match occurs on an ω (match anything character)
in an argument, the characters involved can be
determined by program.

4. Introduce a program controlled "Count Match"
so that the programmer can set thresholds for
the number of bit or character matches required
in a search (e.g., majority match). This would
be useful in pattern recognition operations.
5. Provide a capability for program setting of
several search logic registers such that certain
operational codes (derived from the "shift"
code) can cause skipping of the search match
operation across "sub-fields" of either entry
arguments or of the input data stream. This
would be useful for implementing syntactic
analysis rules and multifaceted record retrieval.
This feature would additionally allow numerically ordered super-entries to be incorporated in
unordered memory contents. Such a procedure
would allow use of the RETRIEVE operation
(serial search) with a key word which would
then yield a sentence number permitting normal
dictionary (random) look-up of the pertinent
sentence(s).
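Suggestion 4 amounts to accepting near matches whose agreement reaches a settable threshold; in modern terms (names hypothetical):

```python
# "Count Match": accept an argument when at least `threshold` of its
# character positions agree with the key (e.g. a majority match),
# as proposed for pattern recognition operations.

def count_match(key, argument, threshold):
    hits = sum(k == a for k, a in zip(key, argument))
    return hits >= threshold
```

A majority match on a seven-character key would set the threshold to four; the exact-match instructions described earlier correspond to a threshold equal to the key length.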
The general use of the content addressable features
of the optical memory in association with a general
purpose computer tailored for non-numerical information processing is described by the authors in a
separate paper.6
The potential of optical memory techniques
Certain generalizations concerning the performance
potential of optical techniques for the storage of digital
information can be drawn from the experience of
the authors and from work recently reported in the
literature. These generalizations cover the three important aspects of a digital peripheral memory, namely
(1) Realizable maximum storage density, (2) Storage
media and (3) Storage formats.
Realizable maximum storage density
The three spatial dimensions and the light transmission variable (or density) of optical media can be
used in a variety of quantitative combinations for the
storage (and retrieval) of digital information. Two
well known extremes are the "discrete volume per
bit" and the "distributed volume per bit" techniques
characterized by the technique described in this paper
and by holography, respectively. In the discrete
volume case which is discussed here, the maximum
information capacity per unit volume of recording
material is determined by the minimum size of
elemental recording volume that can be achieved.
This is in turn determined by the numerical aperture
(or F number) of either the recording or read-out
lens.
If the memory system involves rapid relative motion
of the recording medium and the recording (or read-

235

ing) optical system then consideration must be given
not only to the size of the optically recorded image
element but also to the positioning of it with respect
to other recorded elements and with respect to the
read-out optical system as well. A lens having a numerical aperture of 0.5 (or an F-number of 1.0) was
used in the Disc Writer described in this report. The
"depth" of a "point" image for this lens is about 2
microns (one micron = one micrometer = one millionth of a meter), and tracking (or clamping) of read-write optical planes with respect to some surface of
the recording material must be maintained to at least
this degree, thus increasing the depth dimension of
the elemental volume dedicated to a bit to say 4
microns. Similarly, the cross sectional area of the
image is about 1.2 microns in diameter. Here again,
an additional 1.2 microns should be reasonably
dedicated to allow for physical tracking requirements.
The elemental volume of recording material that is
dedicated to the recording of a bit of information (in
binary density form) now becomes, with these assumptions, about 18 cubic microns. If a recording
surface layer 4 microns thick were used with these
criteria then a reasonable maximum of 150 million
bits per square inch of recording material could be
stored and read out.
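The density figures above follow directly from the stated spot and tracking allowances; a numerical restatement (the variable names are ours):

```python
import math

# Elemental volume per bit from the stated assumptions: a 1.2 micron
# image diameter plus a 1.2 micron tracking allowance, and a 2 micron
# focal depth plus a 2 micron clamping allowance.
diameter_um = 1.2 + 1.2
area_per_bit_um2 = math.pi * (diameter_um / 2) ** 2     # about 4.5 sq microns
depth_um = 2 + 2
volume_per_bit_um3 = area_per_bit_um2 * depth_um        # about 18 cubic microns

um_per_inch = 25_400
bits_per_sq_inch = um_per_inch ** 2 / area_per_bit_um2  # about 1.4 x 10^8
```

The result of about 1.4 x 10^8 agrees with the "reasonable maximum of 150 million bits per square inch" quoted in the text.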
Photo-optical phenomena, and possibly thermo-optical phenomena, offer the possibility that the
optical density of each elemental bit volume (in the
discrete volume per bit mode) can be quantized to a
greater extent than a binary mode. While this is true,
the tolerance on spatial tracking and read-write energy
levels may tighten to a degree that very little is gained
in an overall system sense. Holographic or diffraction
grating techniques represent a different trade-off of
the roles played by the variables of an optical system. The density variable is used to an extent that
quantizing levels are determined by the area average
"noise" of the recording medium and inter-symbol
noise, and a bit volume is distributed over a larger
part of the recording medium. The relative advantages
of these two techniques may well be determined by
system implementation factors rather than achievable
storage densities.
Storage media

Success in the use of thermal-optical effects in
the recording of information has been reported1,7,8 and
a provocative proposal for optical writing in a magneto-optical memory has been published.9 Since the
early publication concerning photo-optical techniques for information storage,10 tremendous improvements in optical energy generation, and in flexible media coating and manufacture, have been made.


If a recording medium or base coating of suitable
cost, uniformity, physical-chemical and general environmental invulnerability is found and proven then
the thermal-optical memory phenomenon offers attractive system attributes. The single step recording
process (no latent image development) and the simultaneous read out during recording offer both reassurance and operational simplification to the user. Table
I presents a summary of some reported energies that
have been used (or proposed) to record digital information. Relative recording speeds with identical
writing source energy (and optics) are also indicated.
TABLE I
OPTICAL MEMORY WRITING ENERGY

Method
Photo-optical
(visible red)

Material

Approximate Ergs per Mark*   Relative Writing Rate**   Source

Spectroscopic Film
Type E.K. 649F

Thermal-optical
(visible blue-green)

Opaque coating on
Mylar base
(UNICON)

Thermal-optical
(visible red)

Evaporated metal
coating on glass
0.05 micron thick
(lead, tantalum)

Thermal-optical
(visible red)

Dyed plastic coating
on glass - one
micron thick

Thermal-optical
(visible red)

Developed aerial
photographic film
High Density
Low Density

Magneto-optical
(Ultra-violet)

Gadolinium-Iron-Garnet (theoretical)

10-5

3 x 10^5

3

2

0.1

30

3

0.2

15

0.3
3
3

4

10-.1

5

*Based upon a one square micron information mark.
**Normalized at 100,000 marks/second for 30 milliwatt visible light energy incident on one square micron mark area.
SOURCES: 1. Authors  2. Becker1  3. Carlson et al8  4. Chitayat7  5. Forlani et al9

Storage formats
At the density of recording that is achieved in the system described by this paper (6 million bits per square inch), about 1000 square feet of recording surface would be required to hold a trillion bits (10^12) of information. If 150 million bits per square inch represents a practical limit for discrete area optical memories, then such a memory would require about 50 square feet of recordable surface. There appears to be general consensus that libraries of digitized information will continue to grow, as will the need for more economical and higher capacity peripheral digital memory modules offering both automatic and manual accessibility. If optical techniques are to play their expected role in satisfying this need, consideration must be given to both the unit record and the storage module format for the record material. A review of the physical forms that magnetic technology has employed (drums, discs, strips, loops, cards, reels, etc.) provides little guidance, since the erasability and re-usability features of magnetic technology confuse possible parallelisms. The use of low volume flexible media in either reel or some segmented form is indicated, however.
Flexible media are readily adaptable to the handling required by optical systems. For example, the authors have conceptually designed a mass memory system employing both flexible disc and strip forms of unit record. Figure 10 shows a view of an experimental reading lens holder that has been retracted just prior to radial withdrawal, to allow automatic disc changing. This lens holder is also an air bearing clamp that holds the moving recorded emulsion surface (on a flexible medium such as disc or strip) at the focal plane of the reading optics. Mass on-line storage providing random access to 10^12 bits in the one to ten second access time range can be achieved by "juke box" techniques for discs or self-threading cartridge changing for reels. Since much of the mechanical transport technology developed for magnetics is applicable to optical memory media, progress in productizing trillion bit (or greater) optical memories would appear to be highly dependent on the nature and magnitude of user requirements.
Figure 10- Flexible disc lens mount and air clamp
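The surface-area figures in this section are straightforward arithmetic; restated numerically (the function name is ours):

```python
# Square feet of recording surface needed for a given capacity.
SQ_IN_PER_SQ_FT = 144

def sq_ft_for(bits, bits_per_sq_inch):
    return bits / bits_per_sq_inch / SQ_IN_PER_SQ_FT

# 10^12 bits at 6 million bits/sq inch comes to roughly 1150 sq ft
# ("about 1000 square feet"); at the 150 million bits/sq inch limit,
# roughly 46 sq ft ("about 50 square feet").
```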

An Optical Peripheral Memory System
REFERENCES
1 C H BECKER
UNICON computer mass memory system
AFIPS Conference Proceedings Spartan Books Washington D C vol 29 1966
2 R L LAMBERTS G C HIGGINS
A system of recording digital data on photographic film using superimposed grating patterns
ibid
3 J D KUEHLER H R KERBY
A photo-digital mass storage system
ibid
4 J L CRAFT E H GOLDMAN W B STROHM
A table look-up machine for processing of natural language
IBM Journal of Research and Development 5 3 1961
5 W DRUMM
Photo optical recording of digital information
presented at SPSE Symposium on Photography in Information Storage and Retrieval Systems Washington D C 1965
Itek Corporation report 1965
6 R L LIBBY R S MARCUS L B STALLARD
A computer system for non-numerical information processing
Technical Report Itek Corporation February 1967
7 A K CHITAYAT
Means and Methods for Marking Films
U S Patent Number 3 266 393 August 16 1966
8 C O CARLSON E STONE H L BERNSTEIN W K TOMITA W C MYERS
Helium-neon laser: thermal high-resolution recording
SCIENCE vol 154 3756 p 1550 23 December 1966
9 F FORLANI N MINNAJA
A proposal for a magneto-optical variable memory
Proceedings of the IEEE 54 4 p 711 1966
10 G W KING G W BROWN L N RIDENOUR
Photographic techniques for information storage
Proceedings of the IRE 41 10 1953

A rugged militarily fieldable mass store
(MEM-BRAIN file)

by

W. A. FARRAND, R. B. HORSFALL,
N. E. MARCUM and W. D. WILLIAMS

Autonetics, A Division of North American Aviation, Inc.
Anaheim, California

INTRODUCTION
Military systems * often operate on a data base larger
than is economically feasible for internal main store.
Therefore, they require the use of auxiliary storage.
There are many forms of auxiliary store. Each has
characteristics which make it the optimum choice for
certain tasks. Factors characterizing the domains of
utility of some auxiliary storage systems are:
Fixed Head Drums: Under 4 million bits
Magnetic Reel Tape Systems: Over 1/2 sec. average random access/block
Woven Wire Systems: Under 10 million bits
Tape Loop Systems: Under 50 million bits
Roving Head Drums: Under 50 million bits
Tape Strip Files: Over 1/2 sec. average random access (unit documents)
Disk Pack Systems: 20-50 million bits/pack (interchangeable data base)
Fixed Head Disk Files: Under 500 million bits
Roving Head Disk Files: Under 100 ms average access and over 50 million bits
Military data systems studies at Autonetics show a
recurring need for a large-scale data file. The required
characteristics are: over 1,000,000,000 bits of storage,
high data rate, low weight, low volume, long MTBF,
and simple maintenance under military field conditions.
Our survey uncovered no equipment with these properties, or equipment whose inherent design characteristics could be sufficiently upgraded. Therefore, Autonetics set out to develop a militarily fieldable auxiliary store with a two gigabit data capacity, a data rate of 1.3 million characters per second, and a maintenance schedule of less than one hour per thousand hours of operation, which would pass through a 24-inch square opening. For this, a roving head disk file was chosen.

*Examples: Message Switching Centers, Tactical Data Systems, Command and Control Systems, Combat Information Centers, Military Supply Control Centers, Coastal Defense System Data Nets, Air Traffic Control Centers, and other large-scale electronic data processing systems (both military and civilian).
System
Major differences in electromechanical form with
respect to conventional disk files were necessary in
order to meet project requirements. In common with
conventional units, this device includes a rotating precision disk stack and moving arms carrying sets of heads
for access to the disks. However, the basic principle of
design is different in that primary emphasis has been
placed on maximizing stiffness-to-mass ratios in the
mechanical structure and in the use of prestressing for
improvement in dynamic response and reduction in
weight. These principles have resulted in the adoption
of an inside-out design incorporating a new disk form
consisting of a thin annular foil in tension. Kinematic
principles of design have been stressed in the development of this file. Because of the disk form, the new
unit has been christened the "MEM-BRAIN File."
A number of fixed head tracks in various configurations are included as an integral part of the disk file.
Fixed head read/write techniques are used for various
processing operations and for interfacing with diverse
processing and peripheral units. Operations provided
include automatic and continuous on-line file maintenance, record manipulation, formatting, editing, sorting, merging and collating. Some tracks are used with
single read heads for timing and format control. Other
tracks provide short recirculating registers for temporary storage of record/request data and format control bands, precession loops for use as push-down registers, and multi-head tracks for internal buffering of data.
System optimization studies showed that greater
through-put could be accomplished if certain bookkeeping and formatting features were included in the
file proper. By placing these under storage program
control, the master control program is freed for more
complex functions. Means have also been provided to
permit selective positioning of up to four sets of heads
simultaneously, while continuing to read or write on
other sets. Direct communication between MEMBRAIN and other peripheral devices may be accomplished without involving the central processor.
Very careful attention to system engineering techniques was needed to optimize the configuration of the
MEM-BRAIN File to meet the desired objectives, because of the intense interaction of various design elements. For example, surface density of record cells
depends on lineal density along track, radial track
density, and zoning geometry. To avoid timing problems resulting from mechanical deflections under service conditions, low lineal density was desirable. The
maximum lineal track density (500 bits per inch) was
chosen to allow inexpensive exploitation of precession
loops and their inherent data manipulation efficiency.
Such operation would not be possible if self-clocking
data recording were used. Military vibration environments would require self-clocking to permit use of
higher lineal cell densities. Development of a trackseeking servo allowed the necessary compensating increase in track density, both by eliminating need for
intertrack separation, and by allowing use of smaller
track width. These factors reacted to reduce the size
and mass of the moving arm elements (among other
things) which in turn modified the criteria for lineal
density along the track, to "Close the Loop." Similar
interactions of design elements occurred at almost every
turn in the development of the MEM-BRAIN File.
Thus every design idea required checking not only for
its direct effect on the immediate problem, but for its
influence on every other facet of the entire system.
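The first-order relation behind these trade-offs is simply that cell density per unit area is the product of the lineal and radial densities; a sketch (the 500 bits/inch figure is from the text, while the track density shown is a hypothetical stand-in):

```python
# Surface density of record cells = lineal density along track
# x radial track density (zoning geometry ignored in this sketch).

def surface_density(lineal_bits_per_inch, tracks_per_inch):
    return lineal_bits_per_inch * tracks_per_inch

# e.g. 500 bits/inch x 200 tracks/inch = 100,000 bits per square inch
```

This is why the track-seeking servo matters: a loss accepted in lineal density can be recovered in the radial factor.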

Mechanical design
The mechanical design of MEM-BRAIN centers
about the high stiffness to mass ratio of a pretensioned
membrane both for the disks and for the primary support structure of the rotating mass (the disk stack).
This principle leads to an inside-out form of the file.
The disks are axially stacked, mounted, and rotated
within a hollow shaft and accessed from the center,
as shown in Figure 1. The disks are thin annular sheets
of magnetically plated foil stretched taut on tensioning
hoops which are attached to the external tubular shaft.
The tensile preload established by this process causes

the plated membrane to act as a rigid surface of uniform flatness. This eliminates surface finishing operations. Such a membrane has tolerance to extreme thermal variations and aging without distortion out of plane
because the stress level remains positive and less than
the elastic limit. The disk has a mass two orders of
magnitude less than a conventional disk and has very
low mechanical Q. These properties of the disk are
basic to the militarized qualities of the MEM-BRAIN
File.
The disk stack forms a cylinder which is closed
around the periphery. This disk stack is directly driven
by a synchronous motor which combines with the high
moment of inertia to mass ratio of the disk stack to
provide a highly uniform rate of rotation. The enclosed
disk periphery reduces air flow and the resultant noise
level in the vicinity of the file.
One end of the disk stack is supported by a pretensioned pair of shallow-coned metal sheets forming
a light end-bell which is extremely rigid, both axially
and radially. This end-bell is carried by a bearing supported by a similar conical pair. This structure is indicated in Figure 1. Three degrees of freedom are thus
constrained. The other end of the disk stack is supported by a bearing through a membrane structure to
complete a five degree of freedom constraint. The
sixth degree of freedom is the desired rotation.
A central, nonrotating rigid tubular member carries
the protruding head support arms. These arms include
a relatively massive and rigid fixed frame and a light
but stiff moving element which carries the read/write
heads. The frame and moving element are locked together during reading and writing operations, so that
the critical circumferential location of the heads is
maintained by the fixed frame. A set of eight heads per
arm are mounted in pairs on four gas-lubricated sliders,
to access two facing disk surfaces. The sliders are
forced toward the disk surface to maintain an essentially constant gas lubricated gap. These heads are radially spaced at a separation corresponding to the radial
width of recorded pattern (one band). They are constrained to move with the movable arm element. Thus,
the servo need only move through one band to reach
all records on a facing pair of disk surfaces.
The large taut-disk-stack, central tube, and clamped
arm comprise an extremely stiff, low-mass, low Q,
mechanical assembly. This can withstand shock and
vibration exceedingly well even while operating. The
unique kinematics and self-set head positions insure a
high quality information storage and retrieval system
in spite of environmental extremes. The total mechanical system described provides a mechanism having
high natural frequency and low vibration amplitude. By judicious application of viscoelastic coatings, the mechanical Q of the total structure is kept below one.

Figure 1 - Two gigabit MEM-BRAIN file

To provide for control and processing functions, a group of fixed heads is located at one end of the disk stack. These are gas-bearing supported against the exterior surface of the end disk. The head units are supported by rigid structural members attached to the central structure and are located and spaced to provide rapid access and buffer loop capability as required for file maintenance and manipulation. In function, the support for these fixed heads is equivalent to a solid headplate such as has been used in Autonetics' computer memories.

Head arms

Each arm is capable of radially positioning a set of eight heads. The positioning is done by a servomechanism whose control signal includes track number and track center data derived from the read head signals. The servo is therefore guided by true head position to track center instead of by arm position. This permits the use of a lighter (under one ounce) head transport than is possible where the position signals are derived at a remote portion of the arm structure. The head servo is optimized by the minimum mass (therefore minimum inertia) design. Tolerance to temperature and thermal gradients is also improved. To permit servo switching, a passive mechanical clamp is provided to hold each arm accurately at the selected track center position.

The arm is light enough that it can be driven by a direct drive electric motor at force levels up to 40 G's, with negligible reaction on the central column. This, coupled with the mechanical clamp on each arm, allows reading or writing on any head set without concern for the motion of any other arm. Each arm is, therefore, independently positionable, and a positioning-transcribing interface can be set up with head sets giving a continuous flow of data. The positioning time is never more than one disk revolution (50 milliseconds) and, therefore, no a priori ordering of channel seeks need be used. The arm positioning time reduces to 6 milliseconds for adjacent track positioning. The positioning time includes assignment of a servo electronics set, release of the arm clamp, traverse to the proper track, settling on the track center, verification of track center, clamping of the arm, reverification of track center, and release of the servo electronics to other functions.

Electronic design
The basic storage function is accomplished on the
disks accessed by the positionable heads. The built-in
control functions are implemented by the fixed head
elements and associated electronics. The clock and
origin are unalterably recorded on fixed head tracks.
The fixed head elements with associated electronics
are used for implementing the control and processing
functions. Occasional coordinated use of the I/O buffers may also occur in executing certain of the internal
processing commands.

Except when they are in use for internal processing,
the I/O buffers provide for asynchronous data transfer
between MEM-BRAIN and other equipment, in such
serial or parallel form as may be required by the application.
Internally, all operations are synchronized by the
clock. Such operations are basically serial in nature, but
many may be carried out serial by character, rather
than serial by bit. Normal NRZ recording is used in the
fixed head area. A specially modified form of NRZ
recording is used in the movable arm (main storage)
area.
The electronics include all necessary elements to
carry out storage and processing functions short of
actual arithmetic operations. Such elements include read
and write amplifiers, multiplexing networks, comparison
logic, control registers, servo electronics, and buffers.
Four I/O control registers are used to direct internal
operations in response to commands as more fully
described later. Four sets of servo electronics are also
provided to control arm positioning operations. On an
"as available" basis, any control register may use any
servo unit to control any of the 60 arms, and may
make any required logical connections to transfer data
between that arm and any specified combination of its
I/O data channels. External data transfer normally
occurs on a ready-strobe basis.
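The "as available" pairing of control registers with servo sets can be sketched as a small resource pool. This is an illustrative model only: the class, its names, and the first-free-unit policy are assumptions; the paper specifies only that any of the four control registers may use any of the four servo-electronics sets to position any of the 60 arms.

```python
# Hypothetical sketch of "as available" assignment of servo-electronics
# sets to I/O control registers. Policy (lowest-numbered free unit) is
# an assumption, not the documented MEM-BRAIN scheduling rule.

class ServoPool:
    def __init__(self, n_units: int = 4):
        self.free = set(range(n_units))   # four servo-electronics sets
        self.busy = {}                    # servo unit -> (register, arm)

    def acquire(self, register: int, arm: int):
        """Assign a free servo set to position the given arm, or None if all busy."""
        if not 0 <= arm < 60:
            raise ValueError("MEM-BRAIN has 60 head arms")
        if not self.free:
            return None                   # all four servo sets busy; wait
        unit = min(self.free)
        self.free.remove(unit)
        self.busy[unit] = (register, arm)
        return unit

    def release(self, unit: int):
        """Return a servo set to the pool once the arm is clamped on track."""
        del self.busy[unit]
        self.free.add(unit)

pool = ServoPool()
u = pool.acquire(register=0, arm=59)   # -> unit 0 on a fresh pool
```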
The servo amplifiers respond to a signal developed
by detecting the phase difference between adjacent

242

Spring Joint Computer Conf., 1967

tracks. The effectiveness of this technique is improved
by a special form of NRZ recording. The arm is slewed
for gross movements by noting the tracks traversed.
Fine positioning is controlled by adjacent track nulling.
A track identification recorded in each sector (eight
bits) is used to verify track centering.
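The slew, null, and verify sequence just described can be sketched in code. This is a sketch under stated assumptions: the function names, the one-track stepping loop, and the perfect read channel are illustrative inventions, not the Autonetics servo design; only the counting of traversed tracks and the 8-bit track-ID check come from the text.

```python
# Illustrative model of arm positioning: coarse slew by counting tracks
# traversed, then verification against the 8-bit track ID recorded in
# each sector. Names and the simplified stepping model are hypothetical.

TRACKS_PER_BAND = 256  # from the published characteristics

def position_arm(current_track: int, target_track: int, read_track_id) -> int:
    """Move an arm to target_track and verify centering.

    read_track_id is a callable returning the 8-bit track ID read from
    the sector under the heads (standing in for the read channel).
    """
    if not 0 <= target_track < TRACKS_PER_BAND:
        raise ValueError("target outside the one-band travel of the servo")

    # Coarse slew: step track by track, counting tracks traversed.
    step = 1 if target_track > current_track else -1
    for _ in range(abs(target_track - current_track)):
        current_track += step

    # Fine positioning is verified by matching the recorded 8-bit track ID.
    if (read_track_id(current_track) & 0xFF) != (target_track & 0xFF):
        raise RuntimeError("track-ID verification failed; re-seek required")
    return current_track

# A perfect read channel simply reports the track the heads sit over.
final = position_arm(current_track=17, target_track=200,
                     read_track_id=lambda t: t)
```

Since tracks per band is 256, the 8-bit sector ID is unique within an arm's one-band travel, which is what makes this verification sufficient.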
All circuitry consists of advanced state-of-the-art
replaceable microminiaturized circuit board assemblies
designed to withstand military environments with excellent MTBF and MTTR.

I/O control
The internal organization of the MEM-BRAIN File
is described in the functional schematic, Figure 2. Four
control registers, each associated with its I/O data
channel block, simultaneously control the positioning of
any head arm and additionally the switching of the
heads associated with any arm (8 heads) to the I/O
data channels normally via buffers. They also accept
and transmit the instructions in control of internal data
manipulation.
The controller acts upon discrete control lines to
commit instructions and data and to deliver MEM-

BRAIN status as required. A Security Code provision
is available as a part of the instruction word. When
used, this code requires a match to allow the function
to proceed.
Four I/O buffers each present digital inputs and
outputs to the duplex interface data channels. These
channels are capable of asynchronous repetition rates
considerably in excess of most CPU's. Therefore, instructions and data may be transferred at the maximum
rate of the CPU within the capacity of the static buffer.
The only other limitations on rate are the MEM-BRAIN
(337 KC) clock, and processing time if MEM-BRAIN
processing is involved.
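The nominal channel rate can be checked from the published figures, 16,384 data cells per track read in one 50-millisecond revolution (a quick arithmetic check, not from the paper):

```python
cells_per_track = 16_384   # data cells per track, from the detail characteristics
revolution_ms = 50         # nominal disk rotation time

cell_rate = cells_per_track * 1000 / revolution_ms   # cells per second
print(cell_rate)   # 327680.0, matching the 327K bytes/second nominal channel rate
```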
Special factors such as busy conditions of head arms
and priorities by other connected CPU's, are determined internally and expressed indirectly through the
output control lines. The internally stored program of
the MEM-BRAIN provides for most adjustable control
functions. Differences in the discrete control line requirements of different CPU's need only the replacement of a card to provide compatibility of the MEM-BRAIN File interface.
Figure 2 - Functional schematic of 60-arm digital disk file

Design for reliability

Design principles embodied in the MEM-BRAIN
File have been selected with the ultimate reliability of
the device in a military environment as a paramount
consideration. Simplicity is always of extreme value in
eliminating failure modes and enhancing reliability of
any system. Consequently, at every point where a choice
between simple and complex solutions was available,
the simpler technique was chosen.
For any unit intended for military application, it is
desirable to assume the need for operation in a hostile
environment. Consequently, ruggedness is a necessary
feature in such a design. In the MEM-BRAIN development such ruggedness has been sought at every decision
point, but not by the brute force method of increasing
structural dimensions. Rather, the technique has been
one of reducing mass wherever possible and increasing
effective stiffness and structural damping to minimize
response to shock and vibration.
The electromechanical elements of such a device are
known to be sensitive to adverse environments related
to humidity, pressure, and temperature. In the MEMBRAIN File, therefore, the electromechanical package
has been designed as a hermetically sealed unit, and
care has been taken in the choice of materials and their
structural interconnection to minimize disturbance of
critical locations due to temperature or temperature
gradient.
The electronic elements of such a system, on the
other hand, may be more subject to deterioration in
performance by parameter drift or catastrophic failure.
To minimize the failure potential in the electronic
system, the background developed on the Minuteman
standard parts is used. Also, the electronic package
has been designed for ready access to permit maintenance by module replacement. Its enclosure is dust-proof and drip-proof, but not hermetically sealed.
SUMMARY
The objectives of the MEM-BRAIN File development
as it has been described were threefold: First, the fundamental target of military fieldability; second, the desire to provide exceptional operational capacity and
capability; third, to accomplish these in a light compact unit adaptable to mobile and airborne applications. These objectives were all met by consistent application of system engineering methods by team effort.
Table 1 summarizes the characteristics attained.
Table 1. Tabular summary of MEM-BRAIN
characteristics
A. Highlights
Militarized design
High data capacity


Small physical size
Low weight
Hermetically sealed magnetic recording
One complete package
Interface to any computer
Internal stored program control
Internal buffering
Easily programmed
Short access time
High data transfer rate
Multiple independent head access
Transcription permitted while a
different arm moves
Microelectronics
High MTBF
Excellent maintainability
B. Detail characteristics
Capacity (bits): 15 × 2^27 (approximately 2,000,000,000)
Size (inches): 23 × 23 × 41
Weight (lb): 400
Power (watts): 1500
Head transports: 60 independent
Maximum head transport time: 50 milliseconds
Adjacent track head transport time: 6 milliseconds
Disk rotation time: 50 milliseconds nominal
Data cells per track: 16,384
Tracks per band: 256
Bands per surface: 4
Heads per band: 1
Surfaces per head transport: 2
Simultaneous head transports: 4
Simultaneous I/O channels: 4
Maximum cell density: 500 bits/inch
Radial track density: 200 tracks/inch
I/O channel rate: 327K bytes/second nominal
Environment: MIL-E-5400, MIL-E-16400, MIL-E-4158, FED-STD-222
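The capacity entry is consistent with the other detail characteristics; multiplying them out reproduces the two-gigabit total (a quick arithmetic check, not from the paper):

```python
# Total capacity from the detail characteristics: one head per band,
# four bands per surface, two surfaces per transport, 60 transports.
bits = (16_384      # data cells per track
        * 256       # tracks per band
        * 4         # bands per surface
        * 2         # surfaces per head transport
        * 60)       # independent head transports (arms)
print(bits)         # 2013265920 bits = 15 x 2**27, about two gigabits
```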
North American Aviation, Inc., provided support in
the development of the MEM-BRAIN concept and
the fabrication of a 30 megabit test and demonstration model. This model has demonstrated the basic
principles and design details needed for construction of
the full scale File. Complete design and fabrication of a
2 gigabit unit is under way.

The "Cluster" -four tape stations in
a single package
l.._. ,""",

vy

'.,..1

JVfll"'l

'T'

1.

I'

An ,",'.,..Irn

Un.~LllI"'IC~

Burroughs Corporation
Pasadena, California

INTRODUCTION
The familiar shape of the magnetic tape transport has undergone a dramatic change. As a result, space age television shows may have to find convincing replacements for madly spinning banks of vertically placed reels. The imagination of the public may suffer, but the industry is provided with a new peripheral having a most exciting future.

Details of a multistation Magnetic Tape Cluster are presented in this paper to provide an insight into how it was conceived, how it is built, and its capabilities.

The Cluster concept

If we reflect for a moment on the scheme generally used in digital tape drive design, one common characteristic becomes apparent: the tape path formed by the reels, the transducer and the tape buffers lies in the same plane. This is the simplest and most direct way to accomplish the objectives of a single station machine. Of all the transports on the market today, perhaps 80% are designed around the formal vertical plane tape path as shown in Figure 1a. Another popular method places the tape path in a horizontal plane such as shown in Figure 1b. This design is advantageous in many respects and offers convenient table height operation. Some forward thinking designers have combined the two ideas to provide two transports in the same box (Figure 1c).

Figure 1 - Conventional tape path geometry for single station units

Our earliest considerations for designing the multistation Cluster Unit contained several features which have remained throughout the entire development. These requisites included a four station package which shared electronic and mechanical features to achieve the best possible combination of performance, reliability and low manufacturing cost.

Naturally, the development group first took a hard look at the commonly used vertical plane geometry. It was found that some improvement was possible by rearranging reel positions similar to those shown in Figure 2a. This arrangement could share electronics very nicely, but the ability to share mechanical components was questionable. Figure 2b shows a folded version of the above arrangement which improved the possibility of sharing mechanical features.

An original design, Figure 2c, having a multiplicity of vertical tape paths but with horizontal tape buffers, received attention during the early development period. It was apparent, however, that a "sandwich" machine such as this would be plagued with severe accessibility problems.

Figure 2 - Conventional tape path geometry for coplanar multiple station units

For each of the above designs there were advantages which could be cited, but one fact remained abundantly clear: none of the arrangements represented the major step forward we were seeking. We realized that the point had been reached where additional time spent in simply rearranging tape path components was not justified, and a clear departure from established custom was a "must" if our objectives were to be met.

What then could be done to break this impasse? We were confident that the reels themselves were the key factor and, since a simple rearrangement did not fulfill our needs, the logical remaining possibility was to stack the reels and operate them on a common axis. This possibility proved to be the turning point and has since become the foundation of the multistation Cluster design.

Stacked reels, in themselves, are certainly not original with this design. They have been used in the field of music reproduction and, to some extent, in the digital field at very low or incremental tape speeds. What is original with us is the design associated with making the philosophy work on a multistation tape transport operating at relatively high tape speeds and recording densities.

Once the general approach had been determined, the next step was to examine tape path configurations capable of transporting tape which terminated at two levels of spooling. Refinements came rapidly, and one particular path emerged which seemed to have characteristics superior to all others.
A series of preliminary layouts was made and,
much to our delight, the various pieces began to fit
together with remarkable solidarity. Within a month
we felt that sufficient understanding had been obtained to proceed with a full-fledged development program, and management gave its unqualified approval.
Thus, the multi station coaxial reel concept was
born. Three months later, a hurriedly constructed
experimental model, Figure 3, was providing operational data. It is gratifying to note that the tape path
shown here has stood the test of time and basically
is the same as that used in the machine as it exists
today. The current design is shown by Figure 4. It
is a four-station Cluster which operates at a tape speed
of 45 inches/sec. The Cluster is now in production
and will be available to industry within the next several months.
Geometric relationships
Before proceeding with a discussion of the finished
product, let us examine some of the geometric relationships associated with nonplanar tape paths.
We begin by considering two coplanar reels as
shown by Figure 5A. This condition requires that
the reels be in a spaced-apart relationship and that
the axes of rotation be parallel. Desired convolutions


of the tape between the two reels are a function of
judiciously placed pivot points which are installed
normal to a plane of reference.
The plane of reference, for our needs, may be defined as a plane which passes through one edge of
the tape and is normal to the tape surface. It is particularly desirable to consider the tape as lying in
the plane of reference between the point of entry into
the supply reel buffer and the point of emergence
from the take-up reel buffer. For purposes of our discussion, this condition will be assumed for all cases.
We next introduce a modified condition which retains the parallel relationship of the reel axes but
repositions the reels such that they are no longer
coplanar. This condition is illustrated by Figure 5B.
As can be seen, the pivot points now assume an
angular relationship to the reel axes. Convolutions
of the tape within the plane of reference (between
pivot points A and B) are removed from the scope
of our discussion by definition.
We continue our space relationships by repositioning one reel such that its axis becomes an extension
of the axis of the second reel as shown in Figure 5C. This move is for convenience only, and no significant geometric changes are introduced when compared with Figure 5B. However, a comparison of Figures 5A and 5C leads to several important observations.

Figure 3 - Coaxial reel breadboard


Figure 4 - Burroughs' four station Cluster

1. If the pivot points are cylindrical and fixed, they will perform their intended function under either condition. The relationship between the tape and a fixed pivot is one of sliding contact between the two surfaces, but a variation in the contact length of the tape as it proceeds around the pivot will have no ill effects in guiding the tape.

2. If the pivot points are cylindrical and rotatable, they will perform properly under condition 5A only. Under condition 5C, we observe that a variation in the contact length of the tape as it proceeds around the roller must introduce relative motion between the two surfaces. The roller will therefore migrate along its axis or, if restrained, an undesirable slippage is introduced between the tape and roller.

To summarize our position at this stage, we find that rotatable pivots cannot be used in conjunction with coaxial reels unless some type of relationship is established which prevents an angular contact between the direction of tape travel and the rotation of the roller. Since rotatable pivots are highly desirable for maintaining a low frictional drag and, perhaps even more important, for keeping the drag forces constant, it is imperative that such a relationship be found.

Figure 5 - Geometric transition to non-coplanar tape path - fixed pivots

To accomplish this, we introduce an angularity between the axis of reel rotation and a plane of reference, as illustrated by Figure 6A.

Now, consider the tape as it proceeds from the supply reel to rotatable pivot point A. Upon contact, the tape proceeds around the roller without sliding contact. If 180° were selected as the arc of contact, the tape would simply be returned to the reel. Under this condition the bottom edge of the tape would make a "point" contact with the plane of reference.

Suppose we wish the tape to depart from the roller in such a fashion that its lower edge were to continuously lie in the plane of reference. This is accomplished with the aid of an additional rotatable pivot point C, which must be precisely located. The location must be such that a line drawn between pivots A and C lies on the intersection of the plane passing through the bottom edge of the spooled tape and the plane of reference.

Since by definition we must position the tape surface normal to the plane of reference, we install pivot point C such that its axis is normal to the plane of reference rather than simply parallel to the axis of pivot point A. Under these conditions, a small twist is introduced in the tape over the distance "L". Note, however, that the rule stating that no relative motion is permissible as the tape travels around a rotatable pivot point has not been violated.

The "Cluster" - Four Tape Stations In A Single Package

249

frame or floor oscillations which might be detrimental
to reliable operation. The pads on each arm of the
spider provide bearing surfaces for the coaxial reel
drive assembly.
One of the four coaxial reel drives is shown in
mounted position on the spider. The deck assembly
is also shown in mounted position attached to the
face of the tubular hub of the spider.
A close look will reveal the angularity (a) which
pvi~t~
""'L .... .aU ... U

PIVOT A

6 (bl

Figure 6 - Geometric relationships of non-coplanar tape
path and rotatable pivots

All that now remains to accomplish our geometric
objectives for coaxial reels and rotatable pivot points
is to reposition the two reels in a stacked attitude,
such as illustrated by Figure 6B. We know from the
foregoing discussion that this can be done without introducing any significant change to previously established relationships.
We find that for small values of (a), a reasonably
short distance "L" can be tolerated without difficulty. The magnitude of (a) is a function of the spacing between reels and the distance from the reel axis
to the location of pivot point A (or B). These relationships, as expressed in actual Cluster values, result
in a stress of approximately 40 psi at the outermost fibre of the tape. This figure is very low when
compared with the proportional limit of the mylar
material and a more meaningful comparison may be
made in terms of the strain profile introduced across
the width of the tape. Tension forces acting on the
tape will desirably approximate 9 ounces and the 40
psi fibre stress is found to be equivalent to 0.3 oz. of
tension. This results in a profile which has a variance
of about 3% across the tape width .

. Geometric implementation
At this point it would be well to examine the hardware and see how the geometrics have been reduced
to practice. Figure 7 shows the structural relationship between the frame and an unusual looking weldment called the spider. The spider is supported at
four points by vibration isolators to damp spurious

hptuTPpn
IIJ''''''''.,. ... "" ..... .1..1. thp
... .1..1."'"

r",,,,t rlri"", .::onrl th",
.I. ...... "" ... "", ... .1. 't' ..... ~.J..u.

"'1..1.,""

".::01"'1111""" 1"' .....

1. .......... "

T "'-' .......... 1..11. ,,",V1.UI..l.lI.l..:)

(plane of reference). Th!s angular relationship is obtained by machining the mounting pads of the reel
drive housing at precisely the proper angle. A vertical
adjustment is provided in the reel drive to correctly
align the height of the reels with the plane of reference.
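The strain-profile figure quoted above can be reproduced from the stated tension values. This treats the profile variance as the ratio of the 0.3 oz stress-equivalent to the 9 oz nominal tension, an interpretation consistent with the quoted numbers, though the paper does not spell the division out:

```python
tape_tension_oz = 9.0    # nominal tension force acting on the tape
fibre_stress_oz = 0.3    # tension equivalent of the 40 psi fibre stress

variance = fibre_stress_oz / tape_tension_oz
print(f"{variance:.1%}")   # 3.3%, the "about 3%" profile variance quoted
```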
Figure 8 shows the top of the four station Cluster
without covers. This provides a view of the various
component parts which lie in the plane of reference.
For purposes of clarity, Figure 9 has been prepared
to enable us to examine the elements which comprise
a single station. Beginning with the supply reel, we
trace the tape path as follows:
1. Tape from the supply reel passes around rotatable pivot A (remembering that the axis of pivot A is parallel to the reel axis).
2. Between pivot A and rotatable pivot C, the tape undergoes a slight twist of about 3°.
3. Since the axes of pivots C and D are normal to the plane of reference, the tape lies in the same plane at every point in the path between these two extremes.

Figure 7 - Hardware implementation

Figure 8 - Deck assembly showing quad configuration
4. The tape now proceeds in a fairly conventional
manner from the supply buffer, past the reverse
pinch roller driver, and over the left hand cleaner
guide. Here, the reference edge of the tape is
precisely aligned for passage over the head and
any loose oxide particles are scraped off and
vacuumed away.
5. Prior to reaching the read/write head, the tape
passes through the end of tape/beginning of tape
sensor. This sensor is also used to fix the exact
position of the tape leader latch when the tape
is to be unloaded.
6. As the tape passes over the read/write head,
it is held in close contact by a magnetic shield
supported by the lift-off arm. The shield not only
assures an optimum flux path but effectively
damps any vibrations which might be introduced
during startup. The lift-off arm rotates to lift the
tape completely off the head during rewind,
thereby preventing unnecessary wear.
7. The tape continues past the right hand cleaner
guide, past the forward pinch roller driver, and
into the take-up buffer. A slight twist of the
tape is again introduced between rotatable
pivot points D and B. At pivot B, the tape is
realigned in the plane of the tape reel (remembering that the axis of pivot B is parallel to the reel axis) and finally is spooled onto the take-up reel.
Cluster design features
Speed, size and weight
Each station of the Cluster operates independently
at a tape speed of 45 inches per second (forward
or reverse). The four stations are packaged in a
single box 43" high, 36" wide and 30" deep. This
compactness is further exemplified by the weight
of the unit which approximates 800 pounds.
Tape is moved by means of sealed pinch roller
drive modules which are extremely positive and quiet
in operation. Much of the clackety-clack is gone and,
once the internal adjustments have been correctly
made, further adjustment becomes essentially nonexistent. This condition arises from the fact that
metal-to-metal contact found in most electromagnetic
clapper devices has been eliminated by means of a
cushioning device of a proprietary nature.
The capstans for all four stations operate continuously at a synchronous speed of 900 RPM.
Power is supplied by a single motor, and heavy flywheels provide sufficient inertia to maintain tape
fluctuations at a minimum regardless of pinch roller
activity.
Tape guides are located on either side of the head
in the conventional manner. The design of the tape

The "Ciuster" - Four Tape Stations in A Singie Package

251

Figure 9 - Tape path and associated components

guides serves a dual function since the guides also
provide for efficient cleaning action. Particles removed by the cleaning action are not allowed to accumulate but are swept away in a high velocity air
stream.
The vacuum columns are assembled in the form of
a cross and receive vacuum pressure from a single
source. Vacuum pressure to each station is isolated
by means of a fail-safe check valve which closes
should tape failure occur. Other stations are thus
protected against loss of vacuum pressure and remain operational.
Of particular significance is the fact that the entire tape chamber is a sealed compartment which

maintains this critical area dust free. Air within the
chamber is recycled 30 times per minute and passes
through a micronic filter element on each cycle. The
air temperature within the chamber is continuously
sensed and compared with room ambient temperature by means of a differential thermostat. A small
cooling unit maintains the temperature of the recycled
air within ±1°C of the ambient temperature at all
times.
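The differential-thermostat behaviour just described can be sketched as a simple comparison. This is a minimal sketch under assumptions: the function name and the one-sided hysteresis band are illustrative; the paper states only that the recycled air is held within ±1°C of room ambient.

```python
def cooling_on(chamber_temp_c: float, ambient_temp_c: float,
               band_c: float = 1.0) -> bool:
    """Differential thermostat (hypothetical model): run the cooling unit
    only when recycled air exceeds room ambient by more than band_c."""
    return (chamber_temp_c - ambient_temp_c) > band_c

assert cooling_on(24.2, 23.0)        # 1.2 C above ambient: cool
assert not cooling_on(23.5, 23.0)    # within the +/-1 C band: idle
```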
Cluster logic is a hybrid combination of discrete
components and integrated circuit chips. Normal
input power is approximately 2 KW at 208/230 V,
single phase, 50/60 cycle.
The read/write electronics accept either seven or
nine channels of information in any code combination.


The external control (Central System) is switched to any one of the four stations by an appropriate exchange within the Cluster. Reading or writing at bit densities of 200, 556 and 800 bits per inch (NRZI) is provided as standard. At 800 bpi, the transfer rate is 36KB. This capability can be extended to 72KB by installing the Phase Encoding option, which is presently being offered at a density of 1600 bpi.
Terminology for a machine composed of one set of read/write electronics, four active stations and nine channel R/W heads is 1x4x9. Under these conditions, any one of the four stations can be independently reading or writing at any given period of time under the direction of a single external control.

Provision is made to install a second set of read/write electronics if desired. In this case, the above terminology becomes 2x4x9. Under these conditions, any two of the four stations can be simultaneously and independently operating under the direction of two external controls.
If a user plans to use the Cluster with Burroughs' B2000 systems, the ability to fully utilize its multiprocessing capability is a highly desirable feature. Since multiprocessing will generally require more than four tape stations, the Cluster can also be obtained as a slave unit and will be equipped with two, three or four stations to exactly respond to a user's needs. The slave unit is identical in design to the master unit except for unneeded electronics.

The terminology 2x8x9 is used to define a master and slave combination where any two of the eight available stations are under the independent and simultaneous direction of two external controls.
SUMMARY
The multistation coaxial reel concept is believed
to be a significant advance in the art of digital tape
transport design. In support of this belief are the many
new features of the 45 ips Cluster which have been
discussed in this paper. However, today's technology is a hard taskmaster, and technical advances without appropriate economic advances are likely to be lost in the shuffle. As most of us have learned, it is no longer sufficient for the engineer to develop "something better"; that "something better" must also cost less.
Economic studies of the Cluster's design are most encouraging in this respect, and major cost reductions have accrued by sharing certain portions of the machine's makeup. This condition is also the result of a program where assigned target costs have accompanied each design element almost from its inception.
Consider the two machines shown in Figure 10. The upright unit is typical of many single station tape transports on the market today.
Externally, we note that a four-to-one savings is directly applicable to the frame, skins, trim and covers. Internally, the ventilation and vacuum subsystems represent the same four-to-one savings potential. The power supply and capstan drive elements can be considered as a three-to-one savings. Perhaps the most outstanding single factor of all is the electronics themselves; here a savings of three to one can be conservatively applied.
What does this all add up to? Although a direct cost comparison between the two machines is not completely fair, we do know that the Cluster not only represents something better, but that it also satisfies the corollary that it must cost less.
We look forward to continued refinement of the
Cluster concept and foresee its advantages extended
to higher speed machines operating reliably at even
greater packing densities than heretofore considered
practical.

Figure 10 - Multistation Cluster and conventional single station transport

The oscillating vein
by AUGUSTO H. MORENO, M.D.
Lenox Hill Hospital and New York University
School of Medicine
New York, New York

and
LOUIS D. GOLD, Ph.D.
Electronic Associates, Incorporated
Princeton, New Jersey

INTRODUCTION
In 1824 D. Barry inserted a glass bulb into the jugular
vein of a horse and observed that when the animal
was standing the blood flowed intermittently in jets
that were not synchronous with either respiratory
or heart rates (Brecher1). Holt2 in 1941 arranged a
flow circuit where the fluid traversed an interposed
segment of collapsible tube and where he could vary
at will the ratio of internal pressures. He observed
that when the ratio approached zero the tube collapsed and began to pulsate. Brecher3 in 1952 examined this phenomenon carefully by decreasing the downstream pressure in the vena cava of open chest dogs and concluded that it originated in a momentary complete collapse of a segment of the vein when the extravascular (atmospheric or tissular) pressure exceeded the intravascular pressure. The continuous
inflow of blood from the capillaries would then
elevate again the intravascular pressure forcing the
closed segment of vein to reopen. With repetition of
the cycle the vein oscillated at frequencies and amplitudes whose complex relationships he studied in
physical analogues made of collapsible rubber tubes.
Furthermore, he pointed out the clinical significance
of this "chatter" during cardiopulmonary bypass surgery when the collecting reservoir for venous return
is positioned at an excessively low level. In 1953
Rodbard and Saiki4 and in 1955 Rodbard5 reported
detailed studies on flow through collapsible tubes and
on the clinical implications of its instabilities in relation to apparently anomalous flow-pressure patterns
in various vessels of the body. Our own studies6 on the
effect of quiet respiration in a two-chamber-hepatic
valve model of venous return indicate that in the intact (closed chest) dog and man the venae cavae
operate at the limits of equilibrium and that instability
may develop during vigorous respirations.

It is of interest that all these authors recognized the
significance of the special dynamics of flow through
collapsible tubes in the body but complained, at the
same time, that the subject has been almost neglected by engineers and physicists. Thus Lambert's model,7 apparently developed in response to such a need, seems to be one of the first attempts at the mathematical description of flutter in distensible tubes when fluid is driven by steady pressures.
The present report deals with a mathematical
formulation and an analog computer simulation of the
oscillating vein phenomenon. In this paper a dynamic
mathematical model is presented and Lambert's
predictions8 of the flutter characteristics are corroborated by the analog computer simulation.
Mathematical description

Very flexible tubes carrying a steady flow of incompressible fluid may be caused to flutter or oscillate
when subject to specific steady external pressures. We observe this effect when we impose an external pressure of sufficient magnitude on a section of flexible tubing. When this external pressure is greater than the steady state hydrostatic pressure, an acceleration of fluid leaving this section of tubing occurs. Moreover, the increased external pressure reduces the flow into this section of tubing because of the decreased driving force or pressure gradient for flow into the tube. The net result of these two phenomena is to sharply reduce the volume of fluid contained within this section of tubing. In decreasing the fluid volume within this flexible tubing, the tube diameter also decreases, which in turn acts as a valve, shutting off further downstream flow. The section of tubing above the constriction begins to fill again, due to the upstream pressure. When the hydrostatic pressure at the constriction is equal to the external pressure the tube
opens, with a rush of flow downstream, causing another cycle in the oscillation. The idealized situation is pictured below:

[Sketch: a rigid inlet tube (area A1, pressure P1, inflow Qin), a collapsible middle section under external pressure Px, and a rigid outlet tube (area A5, pressure P5, outflow Qout)]

The pertinent mathematical equations which describe the system are:

dQout/dt = (k1A5/ρL5)[P4 − P5] − (R5/ρA5)Qout   (2)

dV/dt = k2[Qin − Qout]   (3)

where V is the volume in the collapsible section of tubing, Q is the volumetric flow rate, P is pressure, and R is the flow resistance. Moreover, at steady state conditions, Qin = Qout = Qss, and

P4,ss = P1/[1 + R1L1A5²/(R5L5A1²)] + P5/[1 + R5L5A1²/(R1L1A5²)]   (4)

where P4 is the pressure just downstream from the collapsible section of tubing. We may then formulate the dynamic relationship of P4 as follows:

P4 = P4,ss when P4,ss ≥ Px
P4 = Px when P4,ss < Px   (5)

where Px is the external pressure on the flexible tubing.
In addition, we observe from the physical description of the system that the oscillation cycle regains its energy from the constant upstream pressure, which causes a fluid volume buildup and concomitant pressure buildup, until the pressure on the upstream side of the valve equals the external pressure. To include this phenomenon in the mathematical description, we alter the system to include a pressure, P3, on the upstream side of the valve.* P3 is a function of the fluid volume in the collapsible section:

P3 = P4,ss when P4,ss > Px;   P3 = Px when Px > P4,ss   (6)

Therefore, Equation (1) may be modified to:

dQin/dt = (k1A1/ρL1)[P1 − P3] − (R1/ρA1)Qin   (7)

Moreover, until the fluid flow has built up to a volume V* in the collapsible section of tubing, the pressure just downstream is less than the external pressure, Px, or

P4 = P4,ss when P4,ss > Px
P4 = Px when P4,ss < Px and V ≥ V*   (8)
P4 = P3 when P4,ss < Px and V < V*

Equations (2-8) are a complete description of the physical system under consideration. Figure 1 is the analog computer diagram for the simulation of these equations on an Electronic Associates, Inc. TR-48 analog computer.

*That is, when the portion of flexible tubing is collapsed, P3 is the fluid pressure just upstream from the collapsed portion of tubing.

DISCUSSION OF RESULTS
According to Lambert's theory,9 the frequency of the oscillation is proportional to:

f ∝ (k1A5/ρL5)^1/2   (9)

This relationship is questionable since it neglects the frictional resistance term and requires quite a few approximations before the final form, Equation (9), is obtained. However, if we follow Lambert's formulation and include the frictional resistance, we obtain essentially the same conclusions as are implied in Equation (9), namely:
(1) The frequency of oscillation increases as the downstream cross-sectional tube area, A5, is increased;
and, (2) The frequency of oscillation is decreased as the tube length of the downstream section, L5, increases.
These predictions were verified when the mathematical system describing the oscillating vein, Equations (1-8), was simulated on an EAI TR-48, using the circuit shown in Figure 1. Figures 2, 3 and 4 present the results of the simulation. From these results, it may be concluded that the mathematical system postulated for this phenomenon gives physically correct responses, as they compare favorably with Lambert's theoretical and experimental findings.10

SUMMARY AND CONCLUSIONS
This paper demonstrates once again the attractiveness of the analog computer in the investigation of process dynamics. Using the most salient feature of the analog computer, namely simulation by (electrical) analogy, we were able to "mathematize" an extremely complicated system merely by providing an accurate



Figure 1 - Analog computer circuit diagram

Figure 2 - Increasing Px above P4,ss

Figure 3 - Increasing Px above P4,ss and increasing the downstream tube length

physical description of the phenomenon under consideration, and then simulating directly this physical
description. It is felt that this approach is particularly
valuable in the biomedical area where one often deals
with physical systems which are not amenable to
rigorous mathematical description.
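Readers without access to a TR-48 can reproduce the qualitative behavior digitally. The sketch below is not the authors' scaled circuit: the parameter values, the unit compliance relating segment pressure to volume, and the open/close switching rule are illustrative assumptions chosen only to make the relaxation oscillation described by Equations (2-8) visible.

```python
# A rough digital sketch of the collapsible-tube relaxation oscillation.
# All parameter values, the unit compliance (Pup = V), and the switching
# rule are illustrative assumptions, not the authors' machine scaling.
def simulate(T=40.0, dt=1e-3):
    P1, P5, Px = 10.0, 0.0, 8.0    # upstream, downstream and external pressures
    R1, R5 = 4.0, 0.2              # flow resistances
    rho, A5, L5 = 1.0, 1.0, 5.0    # fluid density, downstream area and length
    Vstar = 2.0                    # volume below which the segment collapses
    V, Qout, is_open = 4.0, 0.0, False
    closures = 0                   # number of collapse ("valve shut") events
    for _ in range(int(T / dt)):
        Pup = V                                    # segment pressure (unit compliance)
        if not is_open and Pup >= Px:
            is_open = True                         # pressure buildup reopens the tube
        elif is_open and V <= Vstar:
            is_open, Qout = False, 0.0             # collapse: the "valve" shuts
            closures += 1
        Qin = (P1 - Pup) / R1                      # resistive inflow from upstream
        if is_open:
            # inertial outflow with frictional loss, in the spirit of Eq. (2)
            Qout += dt * ((A5 / (rho * L5)) * (Pup - P5) - (R5 / (rho * A5)) * Qout)
        V += dt * (Qin - Qout)                     # volume balance, Eq. (3)
    return closures

print(simulate())  # several open/close cycles occur over the run
```

The run alternates between a slow refill phase (tube collapsed, outflow zero) and a fast discharge phase once the internal pressure exceeds Px, which is precisely the "chatter" mechanism described in the text.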

Figure 4 - Increasing Px above P4,ss and increasing the downstream tube cross-sectional area

REFERENCES
1 G. A. BRECHER Venous return Grune and Stratton, New York Chap. 1, p. 8 1956
2 J. P. HOLT The collapse factor in the measurement of venous pressure Am. J. Phys. 134, 292 1941
3 G. A. BRECHER Mechanism of venous flow under different degrees of aspiration Am. J. Phys. 169, 423 1952
4 S. RODBARD and H. SAIKI Flow through collapsible tubes Am. Heart J. 46, 715 1953
5 S. RODBARD Flow through collapsible tubes: augmented flow produced by resistance at the outlet Circulation 11, 280 1955
6 A. H. MORENO, A. R. BURCHELL, R. VAN DER WOUDE and J. H. BURKE Respiratory regulation of splanchnic and systemic venous return submitted for publication Am. J. Phys.
7 J. W. LAMBERT Distensible tube flutter from steady driving pressures: elementary theory paper presented at ASCE, EMD meeting, Washington, D.C., October 13, 1966, Session on Biological Flows
8 Ibid.
9 Ibid.
10 Ibid.

Computer applications in biomedical
electronics pattern recognition studies
by [authors' names illegible]

The University of Texas

and
ROBERT G. LOUDON
The University of Texas
Southwestern Medical School
Dallas, Texas

INTRODUCTION
The University of Texas is fortunate in having excellent computational facilities available for utilization
in research. This paper is an applications survey dealing with how these facilities are used by the biomedical
electronics group in the Electrical Engineering
Department of the University.
Two computer systems are involved in the research
projects described in this paper. The majority of
computation is done on the University's Control
Data 6600 system, while a Scientific Data Systems
930 computer maintained by the Electrical Engineering Department provides facilities for data conversion
and pre-processing.
The Control Data 6600 system was installed at the University during August, 1966. The central CDC 6601 computer consists of eleven independent but integrated computer processors. A single central processor, which contains ultra high-speed arithmetic and logic functions, operates in connection with ten peripheral and control processors.
All eleven processors have access to the central magnetic core memory. This central memory consists of 131,072 60-bit words of storage, each word being capable of storing data 17 decimal digits in length, or two to four central processor instructions.
Average instruction execution time in the central computer is less than 330 nanoseconds. Each of the ten peripheral and control processors has an additional 4,096 words of core storage. Information exchange is
possible between any of the processors and the
various peripheral devices.
Peripheral equipment connected to the 6601 at the
time of writing of this paper includes a CDC 6602
operator console with twin CRT displays, six CDC
607 magnetic tape transports, two CDC 405 card
readers (which operate at 1200 cards per minute),

two CDC 501 line printers (1000 lines per minute),
one CDC card punch (250 cards per minute) and one
CDC 6603 disk (75 mega-character storage).
The CDC 6600 is operated by the Computation
Center at the University on a closed shop basis
while the Scientific Data Systems 930 digital computer maintained by the Electrical Engineering
Department is operated on an open shop basis.
The SDS 930 has an 8,192-word, 24-bit core storage memory. Peripheral equipment includes two tape decks which operate at a tape speed of 75 ips with bit density selectable at 200 bpi, 556 bpi and 800 bpi. Additional equipment includes a twelve bit analog-to-digital converter, eight bit digital-to-analog converters and a multiplexer (which, in addition to providing coupling for the converters, allows input and output of parallel data words and single bit data at logical levels). The A/D converter may be operated at rates in excess of 30 K conversions per second.
For this particular installation, a single input-output channel is available. It may be operated in an interlaced mode (which allows time multiplexing with central processor operation). This input-output channel is independent of the direct parallel input-output capability previously described.
A priority interrupt system is incorporated which
allows the computer to operate in a real-time environment. The basic machine cycle time is 1.75 microseconds, with fixed point addition requiring 3.5 microseconds and fixed point multiplication requiring 7.0
microseconds. Single precision floating point addition
and multiplication require 77 and 54 microseconds
respectively.
Programming languages included in the software
package are Fortran II, Real-Time Fortran II, Algol
and Symbol (an assembly language).
Real-Time Fortran II was evidently designed to

allow the use of the priority interrupts, but because of poor documentation and inherent weaknesses in the software, it has been necessary to program most of the conversion routines used in Symbol, either as complete programs or as Fortran II subroutines.
A display scope is a part of the system, but the
memory location required by the priority interrupt
level which it utilizes is also required by the Fortran II
system, thereby effectively precluding its use. This
handicap has been overcome to some extent by the use
of the D/ A converters in conjunction with a conventional oscilloscope. This facility, used with a strip
chart recorder or X -Y plotter fills the gap left by lack
of a plotter or high-speed input-output equipment
(input-output is by means of an online teletype or
p~per tape).
A first step in the data reduction required by the
projects described in this paper is the digitizing of
recorded analog signals and subsequent storage on
digital tape. The SDS 930 provides this capability,
but its relatively slow floating point operations and
limited memory size make it desirable to use a more
powerful installation for actual computation. This
need is fulfilled by the CDC 6600 system.
Two projects presently in progress within the biomedical electronics group of the Electrical Engineering Department at the University typify the profitable
usage of the computational facilities available.
These are a chick dietary deficiency study and a study
of audio waveforms resulting from the cough reflex.
Both are concerned with time-varying signals and
have as a final objective the implementation of a
pattern classification algorithm. From a data-handling
viewpoint they represent extremes. The chick study
works with the electroencephalogram, a relatively slowly varying signal which has a highest frequency component in the vicinity of 150 Hz. The cough study operates on a waveform in which the highest significant frequency is in the range of 8 kHz. In the first case a data sampling rate of 300 samples per second will suffice to completely represent the waveform, while for the latter a rate in excess of 16,000 samples per second will be required. In practice a somewhat higher sampling rate than the Nyquist rate quoted is employed. The quantities of data which must be dealt with differ correspondingly.
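These figures are the sampling theorem's factor of two; a quick check of the arithmetic, including the 40,000-conversion file size that appears later in this paper:

```python
def nyquist_rate(f_max_hz):
    # Minimum sampling rate for exact reconstruction: twice the highest frequency.
    return 2 * f_max_hz

assert nyquist_rate(150) == 300        # EEG, chick dietary study
assert nyquist_rate(8000) == 16000     # cough audio study
# A two second cough record at the 20 K conversions-per-second rate actually used:
print(2 * 20000)  # → 40000 conversions per file
```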
Prior to outlining the particular research projects,
a brief review of the pattern classification techniques
common to both is in order.
Classification theory is divided broadly into statistical (or parametric) decision theory, which treats
the data to be classified as being probabilistic in
nature, and non-parametric decision theory, which
treats the data as being deterministic.
Statistical theory has the advantage that it is possi-

ble to obtain a rule for classification that is optimum
under stated conditions. These parametric methods
require knowledge or good estimates of the underlying
density functions and a priori probabilities of occurrence, or as in the case of optimum linear filtering,
require statistical stationarity. These properties are
rarely known when one works with experimental data,
and the underlying joint probability density functions
are often so complex that they defy mathematical
manipulation unless simplifying assumptions are
made.
Most of the non-parametric classification methods
cannot be proved to be optimum and must stand by
virtue of their success in classifying data from a particular experiment.
In either of the above cases, a preliminary decision
must be made as to what parameters are to be measured and used in the classification process. Little
theory exists to indicate which parameters should be
chosen, and an educated intuitive choice based on the
preliminary data from the experiment is probably as
good a route as any. In the particular case of biomedical pattern classification studies, the physiological models of the phenomena point toward some
features which may logically be expected to contribute
to successful pattern classification.
Conversely,
successful implementation of pattern recognition
techniques utilizing measures suggested by the
physiological model tend to bolster the validity of
such a model.
A pattern classifier has as inputs the measures
gleaned from the experiment expressed as an ordered sequence of d real numbers. This sequence is called a "pattern" and may be conveniently thought of as a vector extending from the origin to a point in d-dimensional space. The pattern classifier sorts the patterns into categories, for purposes of this paper, R in number. The R point sets constituting categories are separated by "decision surfaces" which may be expressed implicitly as a set of functions containing R members.
Let the "discriminant functions" g1(X), g2(X), ..., gR(X) be scalar, single valued functions of the pattern X, continuous at the boundaries between the R classes. These functions are chosen so that for all X in Ri:

gi(X) > gj(X),   i, j = 1, 2, ..., R;  i ≠ j   (1)

i.e., the ith discriminant function has the largest value in region Ri. The surface separating the contiguous regions Ri and Rj is given by:

gi(X) − gj(X) = 0   (2)


[Block diagram: chick in a shielded chamber with a light source; Grass electroencephalograph; the EEG, time base, voice identification and sync signals recorded on a multichannel tape recorder; playback monitored on a CRO and fed to the Computer of Average Transients, whose output passes through a CAT-punch interface to a paper tape punch]
Figure 1 - Chick dietary deficiency data acquisition block diagram

When R=2 the division is termed a dichotomy and categorization consists of determining the sign of a single discriminant function:

g(X) = g1(X) − g2(X)   (3)

The decision rule is as follows:
g(X) > 0 → classify X as belonging to R1;
g(X) < 0 → classify X as belonging to R2.
Non-parametric training methods initially assume a form for a discriminant function, an example of which is given as Equation (4):

g(X) = w1x1 + w2x2 + ... + wdxd + wd+1   (4)

The xi's are the individual measures which constitute the pattern and the wi's are adjusted by application of a training procedure utilizing a representative group of training patterns.
Parametric classification assumes that each pattern
is known a priori to be characterized by a set of
parameters, some of which are unknown. Construction of the appropriate discriminant functions incorporates estimation of the parameter values from a
representative set of training patterns.
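A minimal sketch of such a training procedure, in the error-correction (perceptron) style often used for the linear form of Equation (4); the two-measure patterns below are hypothetical toy data, not measurements from either study:

```python
def train_perceptron(patterns, labels, epochs=50):
    # Error-correction training of the linear discriminant of Equation (4).
    # Each pattern is augmented with a constant 1 so the last weight plays
    # the role of w_{d+1}.
    d = len(patterns[0])
    w = [0.0] * (d + 1)
    for _ in range(epochs):
        for x, y in zip(patterns, labels):   # y = +1 for R1, -1 for R2
            xa = list(x) + [1.0]
            g = sum(wi * xi for wi, xi in zip(w, xa))
            if y * g <= 0:                   # misclassified: move w toward y*x
                w = [wi + y * xi for wi, xi in zip(w, xa)]
    return w

def classify(w, x):
    g = sum(wi * xi for wi, xi in zip(w, list(x) + [1.0]))
    return 1 if g > 0 else 2                 # sign of g(X) selects the region

# Hypothetical two-measure training patterns, linearly separable by design.
pats = [(0.0, 0.0), (1.0, 0.5), (4.0, 5.0), (5.0, 4.0)]
labs = [1, 1, -1, -1]
w = train_perceptron(pats, labs)
print([classify(w, p) for p in pats])  # → [1, 1, 2, 2]
```

On linearly separable training data this procedure is guaranteed to converge to a separating set of weights in a finite number of corrections.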
A parametric classification technique has been
applied with some success to the chick dietary study
while it is anticipated that non-parametric methods


are more applicable in the case of the cough recognition study.
The chick diet deficiency study has as its objective
the development of EEG techniques for diagnosis and
classification of experimentally induced vitamin B6
(pyridoxine) deficiency states in the White Leghorn chick. Chicks are initially assigned on a random basis to three groups: control, short term deficient, and long term deficient. The long and short term deficient chicks are placed on a 98% pyridoxine deficient ration on the first and tenth days, respectively.
Electrodes are implanted during an early stage of experimentation. Spontaneous and evoked EEG are recorded at 12 hour intervals starting when the chicks are nine days old. The recording sessions continue for two weeks, after which time anatomical and histological confirmation of electrode position is made.
Figure 1 is a block diagram of the data acquisition
set-up for the study. Chicks are placed in a restraining
box in a roosting position. In this position they tend to
fall into a partial sleep, which is favorable for recording data. Ten seconds of spontaneous EEG and 200
evoked responses are recorded on magnetic tape.
The chick's head is held in position and the left profile
is exposed to the stimulating light source. The right
eye is covered to insure monocular viewing.
The electrocorticogram from the implanted electrodes
is recorded on one channel of a multi-channel recorder
while identification, time reference and times of occurrence of photic stimuli are recorded simultaneously on
other tracks.
During recording the signal is monitored by the CRO and ink recordings are made. The Computer of Average Transients is used in the real-time situation to verify that acceptable data is being recorded.
The Computer of Average Transients contains 400 words of core storage. The memory is stepped sequentially at adjustable rates. The analog signal presented to the input is digitized in synchronization with memory address changes and the digitized value of the signal is added to the data contained in the memory word. When a repetitive signal is presented to the CAT input with an appropriate synchronization signal (in this case the occurrence of the photic event), a considerable enhancement of the signal to noise ratio is obtained.
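The enhancement the CAT provides can be sketched numerically; the 400-point synthetic "evoked response", the noise level and the sweep count below are all hypothetical, with `random.Random` standing in for physiological noise:

```python
import random

def average_transients(signal, n_sweeps, noise_sd, rng):
    # Sum repeated noisy sweeps of a repetitive signal into a fixed-length
    # "memory" (the CAT uses 400 words), then scale by the sweep count.
    memory = [0.0] * len(signal)
    for _ in range(n_sweeps):
        for i, s in enumerate(signal):
            memory[i] += s + rng.gauss(0.0, noise_sd)
    return [m / n_sweeps for m in memory]

rng = random.Random(1)                      # fixed seed for repeatability
evoked = [0.0, 1.0, 4.0, 1.0, 0.0] * 80     # a 400-point repetitive "response"
avg = average_transients(evoked, 200, 2.0, rng)
max_error = max(abs(a - s) for a, s in zip(avg, evoked))
print(max_error < 1.0)  # → True: residual noise shrinks roughly as noise_sd / sqrt(n_sweeps)
```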
The memory contents are displayed by stepping the
memory sequentially and performing a D/A conversion on the contents of each address. The address register is also subjected to D/A conversion, yielding a voltage which is proportional to the time of occurrence of the averaged amplitude with respect to the synchronizing signal. These converted signals either control a cathode ray tube display which is a part of the CAT, or are available for use by an X-Y plotter. Provision is additionally made for parallel read out
of the memory in BCD form. An interface has been
constructed which synchronizes the CAT memory
and a paper tape punch so that the digitized data is
made available in a form compatible with the SDS 930
computer.
A cough recognition study is currently under way
which presents a contrast in data gathering and reduction techniques.
A group is conducting research on respiratory ailments at Southwestern Medical School in Dallas, Texas. One parameter of interest is the number of times that a patient coughs during a given interval. Microphones are placed in selected hospital rooms and audio recordings are made.
Figure 2 is a block diagram of one channel of the data acquisition system. The tape recorders operate in a start-stop mode, having been energized by a voice controlled relay. Sufficient delay is provided to allow the recorders to come up to speed by prerecording on a continuous tape loop. An adjustable band-pass filter is interposed between the amplified signal from the hospital rooms and the voice actuated relay. Preliminary attempts to adjust the filter to allow recording only of coughs have not been successful. Various artifacts will also energize the system when it is adjusted to record the majority of the coughs.
It is therefore necessary to effect a more sophisticated approach to the cough recognition process. The quantity of data, and the impending installation of multichannel continuously operated recorders, indicate that a mechanized recognition procedure will be required.
In addition to the requirement to classify the audio signal as cough or non-cough, the physiological model of the cough indicates that decision theory may profitably be applied to the waveform to identify the cough as having emanated from individuals suffering from different broad classifications of respiratory diseases.
It is anticipated that adaptive non-parametric pattern recognition techniques will be applied to the recorded data to effect separation into the pertinent classes.
For both studies outlined, a first step in the data
reduction procedure is the digitizing of the recorded
analog signals and subsequent storage on digital
tape. The SDS 930 computer is used for this purpose.
The relatively low maximum frequency content of
the EEG recorded in the diet deficiency study allows
a conversion rate slow enough that a complete digitized signal segment may be stored in the computer


[Block diagram: a remote microphone feeds an amplifier; the amplified audio signal passes through a continuous loop recorder, which delays it, while an adjustable filter and voice actuated relay derive the tape control signal for the start-stop tape recorder]
Figure 2 - Cough recognition study data acquisition block diagram

memory prior to writing on tape. In the cough recognition studies the length of an individual signal may
be as long as two seconds. At a 20 K conversion per
second rate a file consists of some 40,000 conversions,
necessitating the simultaneous conversion and writing
of information on digital tape. The computer memory
acts as a buffer and the central processor controls
output format. The priority interrupt system (activated by a pulse generator) initiates a conversion.
Sampling time is controlled to within 3.5 microseconds.
Data from the AID converter is read into the computer memory in the twelve most significant bit positions of a word. The digital words are written in
binary mode on tape in a two character per word
format, 1000 conversions per record. The two character per word format records data from the 12 most
significant bit positions in the memory word.
When the data is read from the tape, it is read in a
four character per word mode. This effectively packs
two conversions into each memory word.
The final word in a file (a particular signal segment) is an identification word which characterizes
the number of records in the file, the number of
conversions contained in the file, the sampling rate
and the number of conversions in the last data record

(all others contain 1000 conversions). File identification is also included. Adjoining files are separated
by End of File marks.
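The two-character-out, four-character-in bookkeeping amounts to packing two 12-bit conversions into one 24-bit word. A sketch of the equivalent bit manipulation (the helper names are ours):

```python
def pack_pair(s1, s2):
    # Two 12-bit conversions occupy one 24-bit word when the tape is
    # read back four (6-bit) characters per word.
    assert 0 <= s1 < 4096 and 0 <= s2 < 4096
    return (s1 << 12) | s2

def unpack_pair(word):
    # Recover the two 12-bit conversions from a packed 24-bit word.
    return (word >> 12) & 0xFFF, word & 0xFFF

word = pack_pair(0xABC, 0x123)
print(hex(word))  # → 0xabc123
assert unpack_pair(word) == (0xABC, 0x123)
```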
Programs have been written to search the tape for a
particular file and to output the data contained therein
through the D/A converters. Two modes of operation
are available - repetitive output of a segment of the
file (the maximum length of segment being dependent
upon available computer memory) with indexing
capabilities so that a whole file may be scanned on a
CRO, or continuous output of an entire file for recording on a strip chart recorder. DI A conversion is
controlled by the priority interrupt system. The output is therefore adjustable for time base expansion by
decreasing the interrupt input pulse rate. The mode of
operation is controlled by sense switch operation and
the on-line teletype. Provision is made for output of a
calibration signal.
Programs have been written for the CDC 6600 to
provide the interface necessitated by the difference in
word length and internal representation between the
two computers.
As previously noted, one of the early decisions that
must be made in a pattern recognition study is which
measures are significant. The quantity of data that is
available in a file is formidable. The two second re-


[Scatter plot: linear discriminant separation of deficient (14 days), long term deficient (21 days), control, and fasted chicks, with the deficient and control centroids marked; chick #84 is shown at 0-24 and 0-72 hours fasted]

Figure 3 - Plot of linear discriminant separation of 14-day deficient and 14-day control baby chicks

cording mentioned in conjunction with the cough
recognition study would have 40,000 data points.
If each point is considered as a dimension, direct
application of pattern recognition techniques to the
sampled amplitude data without pre-processing
would necessitate working with 40,000 dimensions.
It is necessary, therefore, to find an efficient means
to reduce the dimensionality of the pattern without
losing the means for classification.
One approach to this data reduction is to perform
spectrum analysis of the time signal. Frequency
analysis of non-periodic records, such as those with
which this paper is concerned, can take several different forms. At one extreme is an evaluation of the
Fourier integral, which has as its solution a continuous
frequency spectrum for each signal analyzed. At the
other extreme is an estimation of the power spectral
density of the entire class of signals by statistical

techniques. Intermediate between these extremes is
the possibility of obtaining a representation of the
behavior of the signal in the frequency domain in
terms of groups of frequencies. This suggests a bank
of band-pass filters (the impulse responses of which
are represented digitally and convolved with the
digitized experimental data).
Programs are in use which implement these three
approaches. The first, a Fourier analysis, is applied
in the case of the diet deficiency study where the band
of frequencies is relatively narrow. Power spectral
density estimates are useful in determining the frequency intervals of interest. The digital filters have
been applied to the audio data in the cough recognition
study.
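The filter-bank approach amounts to convolving the digitized data with digitally represented band-pass impulse responses. A minimal Python sketch follows; the windowed-sinc design, band edges, and tap count are illustrative assumptions, not the programs described here:

```python
import numpy as np

def bandpass_energy(x, fs, bands, n_taps=101):
    """Convolve a signal with a bank of band-pass FIR filters and
    return the output energy of each filter. Filters are built by
    windowed-sinc design; band edges (Hz) are illustrative."""
    n = np.arange(n_taps) - (n_taps - 1) / 2
    window = np.hamming(n_taps)
    energies = []
    for lo, hi in bands:
        # band-pass impulse response = difference of two low-pass sincs
        h = (2 * hi / fs * np.sinc(2 * hi / fs * n)
             - 2 * lo / fs * np.sinc(2 * lo / fs * n)) * window
        y = np.convolve(x, h, mode="same")
        energies.append(float(np.sum(y ** 2)))
    return energies

fs = 2000
t = np.arange(fs) / fs
x = np.sin(2 * np.pi * 50 * t)                  # 50 Hz test tone
e = bandpass_energy(x, fs, [(20, 80), (200, 400)])
```

A tone inside a filter's pass-band retains nearly all of its energy, while the same tone is strongly attenuated by a filter whose band lies elsewhere, which is the basis for using per-band energies as reduced-dimension measures.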
In the case of the digital filters, one wishes to cover
the frequency band with as few filters as possible
without losing significant information. After once

Computer Applications In Biomedical Electronics Pattern Recognition Studies
having decided to use filters, counting zero crossings
of the output of the filter may be accomplished with
little added expense in computation time. The zero
crossing count should give an indication of the
highest amplitude frequency component present in the
filter output, at least on the average.
A normalized tabulation of the periods between
zero crossings indicates approximately how the
frequency content of the filter output is distributed.
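The zero-crossing count and the tabulation of periods between crossings can be sketched as follows, assuming a sampled filter output (the signal and sampling rate are illustrative):

```python
import numpy as np

def zero_crossing_stats(x, fs):
    """Count zero crossings of a filtered signal and tabulate the
    periods between them, giving a rough picture of the dominant
    frequency. x is a sampled waveform, fs the sampling rate in Hz."""
    signs = np.sign(x)
    signs[signs == 0] = 1                          # treat exact zeros as positive
    crossings = np.where(np.diff(signs) != 0)[0]   # indices just before a sign change
    periods = np.diff(crossings) * 2 / fs          # two crossings per full cycle
    return len(crossings), periods

# a 100 Hz sine sampled at 8 kHz crosses zero about 200 times per second
fs = 8000
t = np.arange(fs) / fs
n, periods = zero_crossing_stats(np.sin(2 * np.pi * 100 * t), fs)
```

As the text notes, the count costs little beyond the filtering itself: it requires only sign comparisons, no multiplications.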
The audio signal under consideration may be viewed
as a signal modulating some carrier frequency. The
detection of the modulating signal would yield the
envelope of the signal. This may be done digitally
by application of Sterling's approximation from
numerical analysis. Differentiation and solving for
the time when the derivative of the approximation
is zero yields the time of maxima or minima. A
re-application of Sterling's formulation yields the
interpolated value of the amplitude of the signal at
that time. Sterling's approximation attempts to fit a
polynomial to the discrete points in the neighborhood
of the point of interest. Having evaluated the coefficients of the polynomial, one solves for the value of
the polynomial at the point of interest. This formulation has the advantage that relatively few time consuming multiplications are necessary.
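The envelope-detection step can be sketched as follows. A least-squares quadratic through the samples near a peak stands in here for the central-difference interpolation described above; the signal and sampling rate are illustrative assumptions:

```python
import numpy as np

def interpolated_peak(x, i, fs, half_width=2):
    """Fit a quadratic to the samples around index i (assumed near a
    local extremum), set its derivative to zero, and return the
    interpolated time and amplitude of the extremum."""
    idx = np.arange(i - half_width, i + half_width + 1)
    a, b, c = np.polyfit(idx, x[idx], 2)       # x[n] ~ a n^2 + b n + c
    n_peak = -b / (2 * a)                      # derivative 2 a n + b = 0
    amp = a * n_peak ** 2 + b * n_peak + c     # re-evaluate the polynomial
    return n_peak / fs, amp

fs = 1000.0
t = np.arange(100) / fs
x = np.cos(2 * np.pi * 10 * (t - 0.0203))      # true peak at t = 0.0203 s
i = int(np.argmax(x))
t_peak, amp = interpolated_peak(x, i, fs)
```

The fitted vertex recovers the peak time to a fraction of a sample interval, which is the point of interpolating rather than taking the largest sample directly.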
Another measure which may find application is the
rate at which the maximum energy content varies from
one filter output in the bank to another.
Having obtained the measures which appear to be
pertinent, the next step is application of training
procedures (in the case of non-parametric recognition
techniques) or making estimations of the pertinent
statistical parameters (in the case of parametric
recognition techniques) to obtain the discriminant
function described earlier.
In the chick dietary deficiency study a preliminary


classification of deficient and control chicks has been
obtained by using a parametric linear discriminant
function on a fourteen point amplitude distribution.
The discriminant function, given as equation (5)
below, assumes that the points are normally distributed and that the covariance matrices for each
class are equal.
The amplitude measurements were obtained at a
time when the control and short term deficient chicks
did not have a significant weight difference. All
chicks were fourteen days old with the exception of
the long term deficient chick, which was 21 days old.
A plot of the linear discriminant separation is included
as Figure 3. The discriminant function separated
these groups at a 0.10 level of significance.
The applicable discriminant function is:
g(X) = Xᵗ Σ⁻¹(M1 - M2) - ½ M1ᵗ Σ⁻¹ M1 + ½ M2ᵗ Σ⁻¹ M2 + log (p1/p2)    (5)

where X is the pattern vector for each sample of data,
Mi is the mean vector for class i, Σ is the covariance
matrix, and pi is the a priori probability for the ith
class.
The decision boundary given by setting
g(X) = 0 is normal to the line segment connecting the
transformed means Σ⁻¹M1 and Σ⁻¹M2. Its point of
intersection with this line segment depends upon the
constant term:
- ½ M1ᵗ Σ⁻¹ M1 + ½ M2ᵗ Σ⁻¹ M2 + log (p1/p2)    (6)
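Equation (5) can be evaluated directly. The Python sketch below uses illustrative two-dimensional class statistics, not those of the chick study:

```python
import numpy as np

def linear_discriminant(X, M1, M2, Sigma, p1, p2):
    """Evaluate g(X) of equation (5): classify X into class 1 when
    g(X) > 0, class 2 otherwise. Assumes normally distributed classes
    with a shared covariance matrix Sigma."""
    S_inv = np.linalg.inv(Sigma)
    return (X @ S_inv @ (M1 - M2)
            - 0.5 * M1 @ S_inv @ M1
            + 0.5 * M2 @ S_inv @ M2
            + np.log(p1 / p2))

# illustrative statistics (not from the study)
M1 = np.array([2.0, 0.0])
M2 = np.array([0.0, 2.0])
Sigma = np.eye(2)
g1 = linear_discriminant(np.array([2.0, 0.0]), M1, M2, Sigma, 0.5, 0.5)
g2 = linear_discriminant(np.array([0.0, 2.0]), M1, M2, Sigma, 0.5, 0.5)
g_mid = linear_discriminant(np.array([1.0, 1.0]), M1, M2, Sigma, 0.5, 0.5)
```

With equal priors, a point at either class mean falls on its own side of the boundary, and the midpoint of the means lies exactly on the boundary g(X) = 0, illustrating the geometry described in the text.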

It is to be noted that at the time of writing of this
paper, the two research projects described are in progress and the results are necessarily incomplete. Although it would have been preferable to include final
results of the studies, the outline of the work to date
emphasizes that such research would not be feasible
without the aid of mechanized data handling and high
speed computation.

Experimental investigation of large
multilayer linear discriminators

by W. S. HOLMES and C. E. PHILLIPS
Cornell Aeronautical Laboratory, Inc.
Buffalo, New York

INTRODUCTION
Although proofs of convergence and general expressions for capability have been published to describe
the performance of linear discrimination pattern
recognizers, very little mathematical basis exists for
designing a specific system to perform a desired task.
Until these bases are developed, empirical studies are
important in order to establish bounds of performance
and to find insights that may eventually be generalized into mathematical descriptions of performance.
This study confines itself to perceptrons and para-
metric modifications to perceptrons. The adaline is
included in the study as a perceptron with only one
positive connection per A-unit and a threshold, T,
subject to adaptation.
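A toy sketch of such an adaline, with one connection per A-unit and an adapted threshold, trained by the usual LMS rule, is given below. The retina size, patterns, and class definition are illustrative assumptions, not the experiments reported here:

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy "retina": 16 binary pixels; each A-unit taps exactly ONE
# retinal point (the one-connection-per-A-unit configuration).
n_pixels, n_aunits = 16, 16
taps = rng.permutation(n_pixels)[:n_aunits]

def a_units(pattern):
    return pattern[taps].astype(float)

# LMS (adaline) adaptation of the output weights and threshold
w = np.zeros(n_aunits)
theta = 0.0
patterns = rng.integers(0, 2, size=(40, n_pixels))
labels = np.where(patterns.sum(axis=1) > n_pixels // 2, 1.0, -1.0)  # toy classes
for _ in range(200):
    for p, y in zip(patterns, labels):
        err = y - (w @ a_units(p) - theta)
        w += 0.01 * err * a_units(p)       # LMS weight update
        theta -= 0.01 * err                # threshold adapts with the weights
correct = sum((w @ a_units(p) - theta > 0) == (y > 0)
              for p, y in zip(patterns, labels))
```

The point of the sketch is only the structure: retinal points feed single-connection A-units, whose weighted sum is compared against the adapted threshold T.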

Truncated adalines
Elimination of connections to the retinal space reduces the size of the system, and hence its cost.
Elimination on the basis of an information analysis
of the training set permits a drastic reduction as shown
in Table II. The Type 2 pattern set was used in these
experiments.

Table II - Truncated adalines

                           % Recognition
Number of     Positive     Negative                   Truncation
A-Units       Class        Class        Overall       %
   576        100          99.5         99.7           0
   191         98.5        99.0         98.3          67
    99         93.5        98.1         96.6          83
    48         82.5        95.6         91.3          92

Although performance suffers some from truncation,
the deterioration is small compared to system savings
in terms of retinal units and weights in the linear dis-
crimination function of the system.

Pattern translation experiments

General
Noise presents a significant test of a recognition sys-
tem's ability to generalize. Performance in the face of
linear transformations of patterns such as translation,
rotation, and scale changes presents a conceptually
different test of a system's ability to generalize. For
example, when considering generalization over trans-
lation, it is pertinent to inquire how performance de-
teriorates as tests are made using patterns located
farther and farther from the location of the training
set. Further, if the training set is divided between two
locations separated by one or more retinal points,
will the response to the testing set be better in the
bracketed locations than in correspondingly distant
locations outside the training bracket? Two transla-
tional experiments were performed seeking answers to
these and other generalization questions.
The experiments to investigate the translation trans-
formational generalization capabilities of this class of
recognition system were all performed using Type 2
patterns. Thus, all patterns in the training and testing
set included noise and the sets were large enough to
be statistically meaningful. The translation of each
pattern was selected from a Gaussian distribution
independent in |x| and |y|. The testing set was similarly
translated and the test results plotted, as shown in
Figure 5, as a function of the total translation cal-
culated as follows:

T = |x| + |y|.

[Figure 5 - Recognition error vs total translation]

This experiment would appear to predict deteriorating performance as a function of increasing translation,
at least within the range of reasonable statistical significance. However, when one considers the nature
of the translational process, both for training and
testing, which would tend to concentrate patterns at
certain translational distances, and observes that the
number of possible locations for patterns increases with
increasing T, it is clear that the data require closer
examination. Table III shows the results of the experiment for 68 A-unit and 300 A-unit two-connection perceptrons together with information about the
number of patterns involved in the experiment in each
translational distance. Focusing attention on the
column "patterns per location," which is based on the


total number of patterns at a fixed value of T and
the number of locations corresponding to that value of
T, we can see that this experiment tends simply to
reveal that the performance of the two perceptrons
tested deteriorates as the number of patterns per location is reduced. Although the data are a little sparse for
use in drawing general conclusions, Figure 6 shows

that they are suggestive of an inverse relationship in
number of patterns and that upwards of 50 to 100
patterns per location would be required to effectively
train such a device for translational efficiency. If one
considers a 100 × 100 retinal region, the problem of
training a machine using adequate samples at each
of the 10^4 locations becomes startling.
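The count of retinal locations at a given total translation T = |x| + |y| grows linearly with T (4T integer offsets for T >= 1), which is why the patterns-per-location figure falls so quickly as T increases. A one-line sketch:

```python
def locations(T):
    """Number of integer retinal offsets (x, y) with |x| + |y| = T."""
    return 1 if T == 0 else 4 * T

counts = [locations(T) for T in range(9)]
```

At T = 0 a pattern can occupy only one position, but by T = 8 the same number of patterns is spread over 32 positions, diluting the training density.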

Table III - Recognition under training and testing translations

A             B            C            C/B
Translation   Number of    Number of    Average        Misclassified patterns     % Error
|x| + |y|     locations    patterns     patterns per   (two connections)
                           with trans-  location       68 A-units   300 A-units   68 A-units   300 A-units
                           lation as
                           in column A
0              1            86           86              0            0             0.0          0.0
1              4           289           72              4            0             1.384        0.0
2              8           345           43              5            2             1.449        0.579
3             12           259           22              8            2             3.088        0.772
4             16           133            8             13            3             9.774        2.255
5             20            59            3             11            2            18.664        3.389
6             24            16            0.6            2            2            12.5         12.5
7             28            10            0.4            1            0            10.0          0.0
8             32             3            0.1            0            0             0.0          0.0

[Figure 6 - Relation between recognition performance and
number of samples per translation: per cent error plotted
against number of patterns per location]

Translational generalization
Since the pattern set required to train a perceptron or
adaline with two-translational transforms over a reason-
able size retinal space is prohibitive, an experiment
was run to determine the ability of such recognition
systems to recognize patterns in locations adjacent to
the location of the training set. For this purpose, the
Type 3 pattern set was used. This set has 880 training
patterns located at positions zero, +2, and -2 resolu-
tion cells. Testing subsets are available with translations
zero, +1, +2, +3, and +4. The testing subset
translated 1 resolution cell is bracketed by the 0 and
+2 training subset locations. Testing subsets translated
by +3 and +4 are unbracketed by any subsets and
are progressively more remote from any location at
which training has taken place. It is also of interest
to examine the behavior of the machine at 0 and +2
locations in order to determine whether the influence
of the training at +2 and -2 has caused the machine
to be more capable as a recognizer at the 0 point
than at the +2 point. The data from this experiment
are presented graphically in Figure 7, plotting the num-
ber of errors as a function of translation of the test
set. The letter T in the diagram designates the loca-
tions at which training took place.
The data contain one mystery which needs resolu-
tion, but in general, suggest that a limited amount of
translational generalization is taking place. The mystery
relates to the behavior of the uniform random point-
set selection device in its performance beyond +2.
Whereas we would expect the performance to deterio-
rate and, in fact, to deteriorate faster than for the +1
translational point, it, in fact, appears to improve.
Performance at 0 is better than at +2, both of which
were subjected to training, the first of which, however,
was bracketed by +2 and -2.

[Figure 7 - Two experiment example of translational
generalization: per cent error vs translation of the test
set, with training locations marked T at -2, 0, and +2.
Legend: 100 A-units with statistical point set selection
of connections, and 100 A-units with random (uniform)
selection of connections, all with 1 connection per A-unit]

As mentioned in References 4 and 5, statistical point
set selection of connections tends to produce a ma-
chine which is "tuned" to the problem. We had antici-
pated that the performance of the statistical point set
selection machine would be relatively poorer in the
+1 testing location than the random selection ma-
chine. This conjecture is not borne out by the data.
Therefore, we must conclude that the statistical point
set selection process, while tending to "tune" to the
data, still permits significant generalization relative to
random point-set selection machines. This relatively
good generalization probably arises because of the
great waste of connections in the randomly selected
machine.
This experiment suggests that a machine having
strong generalization capabilities might be constructed
by training in a matrix of resolution cells which are
two or three units separated from each other in every
direction. This would cut down the cost of training
such a device by a factor of 4 to 9. An experiment
to confirm this speculation has not yet been performed,
so it is not possible to go beyond the speculation.

SUMMARY AND CONCLUSIONS
The experiments described in this paper suggest that
the number of connections per A-unit in perceptrons
should be reduced to the greatest extent possible, and
the reduction to one connection per A-unit seems
economically optimum as long as statistical point set
selection techniques are employed. The size of training
sets must be determined by the number of discrete
points of transformation to be encompassed by the
final machine, and the distribution of training points
over the transformations need not be as fine as the
distribution of resolution cells in the "retinal" space.
Even with this relaxation in requirements upon training,
the cost of training a recognition system over more
than one transformation, for example, translation,
would probably be prohibitive. Therefore, additional
constraints and/or organizational modifications to the
systems tested seem required in order to achieve eco-
nomic recognition efficiency over a sizable spectrum
of transformations of the pattern set.

ACKNOWLEDGMENTS
The contributions of C. W. Swonger, J. B. Beach, and
C. T. Phillips to the analysis of property information
relationships are acknowledged. The Type 1 patterns
employed in the reported recognition experiments were
generated under Contract No. Nonr 3161 (00), supported by the Geography Branch of the Office of
Naval Research. Generation of the Type 2 patterns and
performance of some of the experiments in this work
were accomplished under Contract No. AF33(615)-1451, supported by the Research and Technology Division, Wright-Patterson Air Force Base.
REFERENCES
1 W. S. HOLMES, H. R. LELAND, and G. E. RICHMOND
Design of a photo-interpretation automaton
presented at the Fall Joint Computer Conference 4 December 1962
2 F. ROSENBLATT
Principles of neurodynamics
Cornell Aeronautical Laboratory, Inc. Report No. 1196-G-8 (also published by Spartan Books, Washington, D. C.) 15 March 1961
3 W. S. HOLMES, H. R. LELAND, and J. L. MUERLE
Recognition of mixed-font imperfect characters
presented at Optical Character Recognition Symposium Washington, D. C. 16 January 1962
4 M. G. SPOONER, C. W. SWONGER, and J. B. BEACH
An evaluation of certain property formation techniques for pattern recognition
presented at WESCON, Los Angeles, California 25-27 August 1964
5 C. W. SWONGER and C. T. PHILLIPS
A report of property generation and utilization research for pattern recognition
Cornell Aeronautical Laboratory, Inc. Report No. VG-1860-X April 1965

A computer analysis of pressure and flow
in a stenotic artery*
by PETER M. GUIDA, M.D.
The New York Hospital-Cornell Medical Center
New York, New York

LOUIS D. GOLD, Ph.D.
Electronic Associates, Inc.
Princeton, New Jersey

and

S. W. MOORE, M.D.
The New York Hospital-Cornell Medical Center
New York, New York

INTRODUCTION

Materials and methods

There is a widespread assumption in the medical and
engineering communities that when a small decrease
in cross-sectional area is imposed upon an artery there
is a correspondingly small decrease in arterial flow
and pressure, and that when progressively larger increases in arterial stenosis are made there is a cor,;.
respondingly greater decrease in arterial pressure
and flow. That this is not so has been shown in earlier
studies1 ,2 in a qUalitative way. When a smaIl stenosis
is imposed upon an artery there is no change in arterial
pressure and flow until a rather large and significant
stenosis is produced. Recent studies3,4 have attempted
to develop this concept even further. It has been the
object of this study to quantitate the effect on the pressure and flow in an artery that is subjected to an increasing stenosis. This has been done by drawing
from a background of numerous arterial flow and pressure determinations in both humans and dogs, and
then carrying this further to the development of a
mathematical model and subjecting the mathematical
model to computer analysis.

The basis for the construction of the mathematical
model was determined in the following manner:
Numerous blood flow measurements were made with
a square-wave electromagnetic blood flowmeter.*
Pressure measurements were made through No. 20-gage needles inserted into the artery and connected
to short lengths of rigid wall nylon tubing which, in
turn, were connected to strain gages. ** These were
connected to strain gage pre-amplifiers t and displayed on a suitable oscilloscope. tt The data were
recorded on a 7-channel instrumentation tape recorder§ arranged in the FM mode of recording with a
frequency response flat from 0 to 2500 Hz. Photographs were made of the analog oscilloscope display
by using a Tektronix Model C-12 Polaroid Camera
that can take photographs directly from the face of
the oscilloscope tube. These data were then subjected
to qualitative analysis, reduced manually to digital
form, and the mathematical model which is described
here was developed. The requisite mathematical
*Avionics Research Products, Model MS-6000A.
**Statham Model P-23Db.
†Tektronix Model Q Oscilloscope Plug-in.
††Tektronix Model RM-535A Oscilloscope.
§Ampex Model SP-300 Instrumentation Tape Recorder.

*Portion of this work was done during a tenure by Dr. P. M. Guida
as an Advanced Research Fellow of the American Heart Associa-
tion. This work was supported by USPH Grant # HE06846, the
Susan Greenwall Fund and the Charles Washington Merrill Fund.

equations were solved and the results plotted out on a
Digital Computer.§§ The Computer Block Diagram
is presented in Figure 1.

§§Electronic Associates Inc. Model 8400 Digital Computer.

[Figure 1 - Computer block diagram for computation of
distal flow and pressure in a stenotic artery: define the
parameters; calculate Qout and P4; print and plot the
results]

Mathematical model
In developing a mathematical model of the portion
of an artery in stenosis, we will idealize the artery
to the extent of considering only rigid wall tubing
of constant cross-section, except in the immediate
area of the stenosis. This idealized system is shown in
Figure 2.

[Figure 2 - Schematic representation of an idealized stenosis
in an artery: pressures P1 through P5 are marked along a
rigid tube of cross-section A0 and length L on either side
of a stenosis of cross-section A; flow enters as Qin and
leaves as Qout]

A momentum balance between points 1 and 2 and
points 4 and 5 yields:

dQin/dt = (k1 A0 / ρL)(P1 - P2) - R Qin / (ρ A0)          (1)

dQout/dt = (k1 A0 / ρL)(P4 - P5) - R Qout / (ρ A0)        (2)

where Q is the volumetric flow rate, R is the resist-
ance to flow, and ρ is the density of blood. Under
these conditions, the continuity equation takes the
form:

Qout = Qin   (ρ = constant)                               (3)

therefore, by virtue of equation (3) we may equate
equations (1) and (2):

dQin/dt = dQout/dt                                        (4)

Application of the Steady State Bernoulli equation
(i.e., Conservation of Energy) to sections 2, 3 in Figure
2 yields:

v2²/2k1 + P2/ρ = v3²/2k1 + P3/ρ + ev                      (5)

where v is the linear velocity, ev is the total energy
loss in the section under consideration, and k1 is
a conversion factor. Then:

v2²/2k1 = v3²/2k1 + ev + (P3 - P2)/ρ                      (6)

We may evaluate ev for a sudden contraction⁵ as:

ev = 0.45 (1 - B) v3²/2k1                                 (7)

where B = A/A0; thus,

v3 = v A0/A = v/B

Therefore, (6) becomes:

v²/2k1 = v²/2k1B² + 0.45 (1 - B) v²/2k1B² + (P3 - P2)/ρ   (8)

or

P3 = P2 + (ρv²/2k1)[1 - 1/B² - 0.45 (1 - B)/B²]           (9)

Similarly, applying Bernoulli's Equation to sections
3, 4 in Figure 2 yields:

P3 = (ρv²/2k1)[1 - 1/B² + (1/B - 1)²] + P4                (10)

since ev for a sudden expansion is⁶:

ev = (1/B - 1)² v²/2k1                                    (11)

Equating equations (9) and (10) gives:

P2 = P4 + (ρv²/2k1B²)[(1 - B)² + 0.45 (1 - B)]            (12)

We may substitute the continuity relationship:

v = Q/A0

into equation (12) to give:

P2 = P4 + (ρQ²/2k1A0²B²)[(1 - B)² + 0.45 (1 - B)]         (13)

Substituting (13) into equation (1) yields:

dQin/dt = (k1 A0 / ρL){P1 - P4
   - (ρQ²/2k1A0²B²)[(1 - B)² + 0.45 (1 - B)]}
   - R Qin / (ρ A0)                                       (14)

Now, analysis of the actual experimental data and the
numerical values of the parameters in equation (14)
implies that there is no phase-lag in the pressure-
flow relationship, or:

dQin/dt = 0

Thus, we finally obtain from equation (14) the de-
sired relationship:

(Q²/2B²)[(1 - B)² + 0.45 (1 - B)] + (2RL/ρ)Q
   - (k1 A0²/ρ)(P1 - P5) = 0                              (15)

from which the flow rate, Q, may be determined.
We may also determine the distal pressure, P4, by
considering equation (2) and noting that

dQout/dt = 0                                              (16)

Therefore:

P4 = P5 + RLQ/(k1 A0²)                                    (17)
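Equation (15) is a quadratic in Q and can be solved directly, with the distal pressure then following from equation (17). A minimal Python sketch is given below; the parameter values are illustrative assumptions, not the paper's (the authors' program ran on an EAI 8400):

```python
import math

def flow_rate(B, P1, P5, rho=1.05, R=80.0, L=1.0, k1=1.0, A0=0.5):
    """Solve equation (15), a quadratic a Q^2 + b Q + c = 0, for the
    volumetric flow rate Q at area ratio B = A/A0.
    Parameter values are illustrative, not those of the paper."""
    a = ((1 - B) ** 2 + 0.45 * (1 - B)) / (2 * B ** 2)
    b = 2 * R * L / rho
    c = -(k1 * A0 ** 2 / rho) * (P1 - P5)
    if a == 0:                                # B = 1: no stenosis, equation is linear
        return -c / b
    return (-b + math.sqrt(b * b - 4 * a * c)) / (2 * a)   # positive root

def distal_pressure(Q, P5, rho=1.05, R=80.0, L=1.0, k1=1.0, A0=0.5):
    """Equation (17): distal pressure P4 for a given flow rate."""
    return P5 + R * L * Q / (k1 * A0 ** 2)

Q0 = flow_rate(1.0, 100.0, 10.0)              # unobstructed flow
flow_pct = {pct: 100.0 * flow_rate(1 - pct / 100.0, 100.0, 10.0) / Q0
            for pct in (25, 50, 75, 90, 99)}  # % decrease in area -> % of normal flow
```

With the resistance term dominant, the computed flow stays near normal over a wide range of stenoses and falls off only when the area reduction becomes severe, the qualitative behavior the paper reports; the particular stenosis at which the fall occurs depends on the parameter values chosen.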

[Figure 3 - A plot of the computer results of the effect of
increasing arterial stenosis upon flow and pressure: per
cent decrease in area vs. per cent of normal flow and
pressure. Only one curve is shown since the flow and
pressure curves are identical]

Results and discussion
Figure 3 presents the solutions to equations (15)
and (17) as plots of the distal flow, as a percentage
of the normal-unobstructed-flow, and the distal pressure difference, P4 - P5, as a percentage of the normal
pressure difference, against increasing stenosis in
the artery.
Figure 4 is a cross-plot of the percentage of unobstructed distal flow against the percentage of unobstructed distal pressure differential, with stenosis as
an implicit parameter. Note from Figure 3 the point
of critical stenosis at 75 per cent (i.e., where flow
and pressure drop precipitously), and from Figure 4
the expected linearity of the pressure-flow relationship, independent of stenosis, as predicted by equation (15).
Figure 5, a plot of flow and pressure against steno-
sis, is derived from actual in vivo experimental
measurements. These curves are presented to il-
lustrate that there are different values of critical
stenosis for different arteries. The lowest extreme
value is the anterior descending branch of the left
coronary artery, where flow and pressure begin to fall
off precipitously at 45 per cent decrease in cross-
sectional area. For the descending thoracic portion
of the aorta this value is 92 per cent. The renal artery
plot is shown between these two extremes. The value
for this artery is 82 per cent. The lower value for the
coronary artery is due, in part, to a lower driving
pressure head (diastolic pressure) and occurs at a
later time in the cardiac dynamic cycle. The param-
eters chosen for the mathematical model (e.g.,
L, A0, etc.) are not the same, however, as those im-
plied in Figure 5. The two curves are quite similar,
supporting the mathematical model postulated here.
Nevertheless, discrepancies between the present
results and actual physical responses may be expected
in regions of very large stenosis (almost 100 per cent
obstruction), since then the assumption of negligible
phase-lag (i.e., dQin/dt = 0) is likely to be in error.
Indeed, the very reason for this error is that in such
situations the elasticity of the arterial walls must be
considered. The effect of elasticity will cause the
continuity relation

Qout = Qin

to break down. Subsequent work will show how the
effect of elasticity at large stenosis may be determined.
This will lead to a method for determining arterial
elastance under actual flow conditions by simple
measurements of flow and pressure.

[Figure 4 - Plot of pressure drop and flow in an increasingly
stenotic artery: per cent pressure drop vs. per cent of
normal flow]

[Figure 5 - Plot of actual in vivo measurements of the effect
of increasing arterial stenosis upon blood flow. The point of
critical decrease in cross-sectional area in the descending
thoracic aorta is 92 per cent; in the renal artery, 82 per
cent; in the anterior descending branch of the left coronary
artery, 45 per cent]

SUMMARY
It had been a previous, widespread assumption that
when an artery is subjected to a gradual, progressive,
stenosis there was an immediate, gradual, progressive,
fall in arterial blood pressure and flow, i.e., the relationship was linear. Experimental work over the
past seven years has shown that this is not so; the
relationship is not linear. Experimental observations
in the human and on the dog have shown that when an
artery is subjected to a decreasing cross-sectional
area, as produced by a stenosis, the flow through that
artery remains unchanged until a severe decrease in
cross-sectional area is attained. Prior to this point
there is no change in blood flow, i.e., it remains
normal. When this point of critical stenosis is reached,
there is a sudden, marked, and precipitous drop in
blood flow through the artery.
'
Application of the principles of conservation of
energy and momentum to the system under consideration have led to a mathematical system which accurately describes the phenomenon. A computer
program has been written which describes this system. The print-out of the computer results is presented
in Table 1.
It is further expected that this mathematical system
will enable one to determine experimentally the

Table I - Tabulation of computer results of the mathematical
model simulating the effect of stenosis upon blood flow
and pressure through an artery. Note that with in-
creasing stenosis there is practically no change in
flow or pressure until the arterial cross-sectional
area is reduced 75 per cent

elastic properties of arterial walls under actual flow
conditions by measurement of just flow and pressure.
CONCLUSIONS
Numerous determinations of arterial flow and pressure have been made in the human and in the dog in
normal arteries and in arteries that have been subjected to stenosis, either by arteriosclerosis or by
physical stenosis produced by a circumferential
ligature about an artery. Data collected from this
source have shown that when a stenosis is imposed
upon an artery, there is initially no change in pressure or flow within that artery, proximal to the stenosis, until a certain critical point is reached where
arterial flow and pressure simultaneously fall precipitously. This point of critical arterial stenosis is
different for different arteries.
Drawing upon a large experimental background,
a mathematical model has been developed to define
the effect of a gradual and progressive arterial stenosis
upon arterial flow and pressure.
Having once defined the mathematical model, the
computer model was developed. The computer results were shown to be identical with the actual
measurements made on the human and on the dog.
A recheck of the computer model results was then
done on the dog in several arteries, and the results

in the in vivo preparation corroborated the computer
results.
A mathematical and computer model have been
developed as an approach to the study of the effect
upon arterial pressure and flow when that artery is
subjected to a progressive stenosis.
REFERENCES
1 F C MANN  J F HERRICK  H E ESSEX  E J BALDES
The effect on the blood flow of decreasing the lumen of a
blood vessel
Surgery 4:249-252 1938
2 T C GUPTA  C J WIGGERS
Basic hemodynamic changes produced by aortic coarctation
of different degrees
Circulation 3:17-31 1951
3 A G MAY  J A DE WEESE  C G ROB
Hemodynamic effects of arterial stenosis
Surgery 53:513-524 1963
4 A G MAY  L VAN DE BERG  J A DE WEESE  C G ROB
Critical arterial stenosis
Surgery 54:250-259 1963
5 R B BIRD  W E STEWART  E N LIGHTFOOT
Transport phenomena
John Wiley & Sons Chapter 8 New York 1960
6 R B BIRD  W E STEWART  E N LIGHTFOOT
Transport phenomena
John Wiley & Sons Chapter 8 New York 1960

Chairman's Introduction to the SJCC Session

Security and privacy in computer systems
by WILLIS H. WARE
The RAND Corporation
Santa Monica, California

INTRODUCTION

Information leakage in a resource-sharing computer system

With the advent of computer systems which share the resources of the configuration among several users or several problems, there is the risk that information from one user (or computer program) will be coupled to another user (or program). In many cases, the information in question will bear a military classification or be sensitive for some reason, and safeguards must be provided to guard against the leakage of information. This session is concerned with accidents or deliberate attempts which divulge computer-resident information to unauthorized parties.

Espionage attempts to obtain military or defense information regularly appear in the news. Computer systems are now widely used in military and defense installations, and deliberate attempts to penetrate such computer systems must be anticipated. There can be no doubt that safeguards must be conceived which will protect the information in such computer systems. There is a corresponding situation in the industrial world. Much business information is company-confidential because it relates to proprietary processes or technology, or to the success, failure, or state-of-health of the company. One can imagine a circumstance in which it would be profitable for one company to mount an industrial espionage attack against the computer system of a competitor. Similarly, one can imagine scenarios in which confidential information on individuals which is kept within a computer is potentially profitable to a party not authorized to have the information. Hence, we can expect that penetrations will be attempted against computer systems which contain non-military information.

This session will not debate the existence of espionage attempts against resource-sharing systems. Rather, it is assumed that the problem exists, at least in principle if not in fact, and our papers will be devoted to discussing technological aspects of the problem and possible approaches to safeguards.

First of all, clarification of terminology is in order. For the military or defense situation, the jargon is well established. We speak of "classified information," "military security," and "secure computer installations." There are rules and regulations governing the use and divulgence of military-classified information, and we need not dwell further on the issue. In the non-military area, terminology is not established. The phrase "industrial security" includes such things as protecting proprietary designs and business information; but it also covers the physical protection of plants and facilities. For our purposes, the term is too broad. In most circles, the problem which will concern us is being called the "privacy problem."

The words "private" and "privacy" are normally associated with an individual in a personal sense, but Webster's Third New International Dictionary also provides the following definitions:

Private: ... intended for or restricted to the use of a particular person, or group, or class of persons; not freely available to the public

Privacy: ... isolation, seclusion, or freedom from unauthorized oversight or observation.

We are talking about restricting information within a computer for the use of a specified group of persons; we do not want the information freely available to the public. We want to isolate the information from unauthorized observation. Hence, the terminology appears appropriate enough, although one might hope that new terms will be found that do not already have strongly established connotations. For our purposes today, "security" and "classified"

279

280

Spring Joint Computer Conf., 1967

[Figure 1 shows a central processor with attached files, a switching center, and remote access consoles, annotated with vulnerabilities: radiation, taps, and crosstalk on the communication lines; theft, copying, and unauthorized access of files; hardware failure of protection circuits (bounds registers, memory read/write protects, privileged mode); software failure of protection features (access control, user identification, bounds control); operator and maintenance personnel who can reveal protective measures or provide private "ins" to the system; and, at the remote consoles, attached recorders (platen impressions, ink ribbon, etc.), bugs planted by individuals of low authorization level, subtle modifications to the software system, and user identification and authentication weaknesses.]
Figure 1 - Typical configuration of resource-sharing computer system

will refer to military or defense information or situations; "private" or "privacy," to the corresponding industrial or non-military governmental situations. In each case, the individual authorized to receive the information will have "need to know" or "access authorization."
We will do the following in this session. In order to
bring all of us to a common level of perspective on
resource-sharing computer systems, I will briefly
review the configuration of such systems and identify
the major vulnerabilities to penetration and to leakage of information. The following paper by Mr. Peters
will describe the security safeguards provided for
a multi-programmed remote-access computer system.
Then I will contrast the security and privacy situations, identifying similarities and differences. The
final paper by Dr. Petersen and Dr. Turn will discuss
technical aspects of security and privacy safeguards.
Finally, we have a panel of three individuals who have faced the privacy problem in real-life systems; each will describe his views toward the problem, and his approach to a solution. In the end, it will fall upon each of you to conceive and implement satisfactory safeguards for the situation which concerns you.
A priori, we cannot be certain how dangerous a
given vulnerability might be. Things which are serious

for some computer systems may be only a nuisance
for others. Let us take the point of view that we will
not prejudge the risk associated with a given vulnerability or threat to privacy. Rather, let us try only to
suggest some of the ways in which a computer system
might divulge information to an unauthorized party
in either the security or the privacy situation. We'll
leave for discussion in the context of particular installations the question of how much protection
we want to provide, what explicit safeguards must
be provided, and how serious any particular vulnerability might be.
The hardware configuration of a typical resource-sharing computer system is shown in Figure 1.
There is a central processor to which are attached
computer-based files and a communication network
for linking to remote users via a switching center.
We observe first of all that the files may contain
information of different levels of sensitivity or
military classification; therefore, access to these
files by users must be controlled. Improper or unauthorized access to a file can divulge information
to the wrong person. Certainly, the file can also be
stolen - a rather drastic divulgence of information.
On the other hand, an unauthorized copy of a file
might be made using the computer itself, and the copy
revealed to unauthorized persons.

The central processor has both hardware and software components. So far as hardware is concerned, the circuits for such protections as bounds registers, memory read-write protect, or privileged mode might fail and permit information to leak to improper destinations.
destinations. A large variety of hardware failures
might contribute to software failures which, in turn,
lead to divulgence. Since the processor consists of
high-speed electronic circuits, it can be expected
that large quantities of electromagnetic energy will
radiate; conceivably an eavesdropping third party
might acquire sensitive information. Failure of the
software may disable such protection features as
access control, user identification, or memory bounds
control, leading to improper routing of information.
Intimately involved with the central computer are
three types of personnel: operators, programmers,
and maintenance engineers. The operator who is
responsible for minute-by-minute functioning of the
system might reveal information by doing such things
as replacing the correct monitor with a non-protecting
one of his own, or perhaps with a rigged monitor which
has special "ins" for unauthorized parties. Also, he
might reveal to unauthorized parties some of the protective measures which are designed into the system.
A co-operative effort between a clever programmer
and an engineer could "bug" a machine for their
own gain in such a sophisticated manner that it might
remain unnoticed for an extended period. ("Bug"
as just used does not refer to an error in a program,
but to some computer equivalent of the famous
transmitter in a martini olive.) Bugging of a machine
could very easily appear innocent and open.
Operator-less machine systems are practical, and in
principle one might conjecture that a machine could
be bugged by an apparently casual passerby. There
are subtle risks associated with the maintenance
process. While attempting to diagnose a system
failure, information could easily be generated which
would reveal to the maintenance man how the software protections are coded. From that point, it might
be easy to rewire the machine so that certain instructions appeared to behave normally, whereas in
fact, the protective mechanisms could be bypassed.
While some of the things that I've just proposed
require deliberate acts, others could happen by
accident.
Thus, so far as the computing central itself is concerned, we have potential vulnerabilities in control
of access to files; in radiation from the hardware;
in hardware, software, or combined hardware-software failures; and in deliberate acts of penetration
or accidental mistakes by the system personnel.


The communication links from the central processor
to the switching center, and from the switching center
to the remote consoles are similarly vulnerable. Any
of the usual wiretapping methods might be employed
to steal information from the lines. Since some
communications will involve relatively high-frequency signals, electromagnetic radiation might
be intercepted by an eavesdropper. Also, crosstalk
between communication links might possibly reveal
information to unauthorized individuals. Furthermore, the switching central itself might have a radiation or crosstalk vulnerability; it might fail to make
the right connection and so link the machine to an
incorrect user.
A remote console might also have a radiation
vulnerability. Moreover, there is the possibility that
recording devices of various kinds might be attached
to the console to pirate information. Consideration
might have to be given to destroying the ribbon in the
printing mechanism, or designing the platen so that
impressions could not be read from it.
Finally, there is the user of the system. Since his
link to the computer is via a switching center, the
central processor must make certain with whom it
is conversing. Thus, there must be means for properly
identifying the user; and this means must be proof
against recording devices, pirating, unauthorized
use, etc. Even after a user has satisfactorily established his identity, there remains the problem
of verifying his right to have access to certain files,
and possibly to certain components of the configuration. There must be a means for authenticating
the requests which he will make of the system, and
this means must be proof against bugging, recorders,
pirating, unauthorized usage, etc. Finally, there is the
ingenious user who skillfully invades the software
system sufficiently to ascertain its structure, and to
make changes which are not apparent to the operators
or to the systems programmers, but which give him
"ins" to normally unavailable information.
To summarize, there are human vulnerabilities
throughout; individual acts can accidentally or deliberately jeopardize the protection of information in
a system. Hardware vulnerabilities are shared among
the computer, the communications system, and the
consoles. There are software vulnerabilities; and
vulnerabilities in the system's organization, e.g.,
access control, user identification and authentication.
How serious any one of these might be depends on
the sensitivity of the information being handled, the
class of users, the operating environment, and
certainly on the skill with which the network has been
designed. In the most restrictive case, the network
might have to be protected against all the types of


invasions which have been suggested, plus many others readily conceivable.

This discussion, although not an exhaustive consideration of all the ways in which a resource-sharing computer system might be either accidentally or deliberately penetrated for the purposes of unauthorized acquisition of information, has attempted to outline some of the major vulnerabilities which exist in modern computing systems. Succeeding papers in this session will address themselves to a more detailed examination of these vulnerabilities and to a discussion of possible solutions.

Security considerations in a
multi-programmed computer system
by BERNARD PETERS
National Security Agency
Fort Meade, Maryland

INTRODUCTION

Security can not be attained in the absolute sense. Every security system seeks to attain a probability of loss which is commensurate with the value returned by the operation being secured. For each activity which exposes private, valuable, or classified information to possible loss, it is necessary that reasonable steps be taken to reduce the probability of loss. Further, any loss which might occur must be detected. There are several minimum requirements to establish an adequate security level for the software of a large multi-programmed system with remote terminals.

The management must be aware of the need for security safeguards. It must fully understand and be willing to support the cost of obtaining this security protection. It must be technically competent to judge whether or not a desired security level has been reached. It is important that the management understand that no software system can approach a zero risk of loss. It is necessary to reach an acceptable degree of risk.

As any professional in the field of computers knows, whether or not management is sufficiently aware of and willing to pay the cost of a given software feature is not easy to determine. The costs of security are not exorbitant provided security is needed. However, they are not trivial or negligible. It is very important that the management have an understanding of how the security is gained and what administrative steps must be taken to maintain and protect the security level which has been gained. This paper will not fully explore certain problems which affect security as, for example, physical security, which is protection of a space against penetration, or communications security or personnel security.

To obtain the security which software can contribute, the following principles must be followed:

1. The computer must operate under a monitor approved by appropriate authority. This can provide the authority for the expenditures which security may require. The question of appropriate authority is one not easily answered. For the individual business concern it obviously is corporate management. For contractors to the Armed Services it is a security officer of the service. Who can tell who is in charge in a University?

The computer must operate under a monitor because the monitor acts as the overall guard to the system. It provides protection against the operators and the users at the remote terminals. The monitor has a set of rules by which it judges all requested actions. It obeys only those requests for action which conform to the security principles necessary for the particular operation.

The discussion of what makes up an appropriate monitor is rather involved. Therefore, a more complete discussion of the security aspects of a monitor will be given after a summary of the overall security principles.
2. The computer must have adequate memory
protect and privileged instructions. These are needed
to limit user programs which must be considered to
be hostile. Memory protect must be sufficient so
that any reference, read or write, outside of the area
assigned to a given user program must be detected
and stopped. There are several forms of memory
protect on the market which guard against out-of-bounds write, thus protecting program integrity,
but they do not guard against illegal read. Read
protect is as important as write protect, from a security standpoint, if classified material is involved.
The privileged instruction set must contain not only
all Input/Output (I/O) commands but also every

command which could change a memory bound or
protection barrier. To have less would be to reduce
the whole system to a mockery. There can be no
exception to the restriction that only the monitor
can operate these privileged instructions.
3. The computer must have appropriate physical security protection to prevent local override of the
monitor. It includes the obvious requirement that the
computer can not be mounted in a subway car, subject to public tampering. The computer must be in an
appropriately secure environment and not subject to
intrusion by random individuals. But this is not sufficient. Certain key switches, such as those which
affect the continued running of the equipment and
the maintenance panel, must have simple physical
barriers to prevent undetected intrusion from occurring. The senior operator provides protection against
local override, but he cannot be expected to watch
every switch continuously. Simple key-locks provide
protection to supplement his attention span.
4. Electrical separation of peripheral devices is not
necessary, provided the monitor has been approved
by an appropriate authority. This reduces the probability of failure by eliminating troublesome separation hardware. It has been proposed by people who
are first inquiring into security, that the peripheral
devices be separated from the computer. A properly
designed monitor for a multi-programming system will
provide sufficient logical separation of peripheral
devices to make electrical separation unnecessary.
If the monitor is insecure and beyond securing, the
system should not be used with the expectation that
security will be provided.
5. The computer may operate in a multi-programmed or a multi-processor mode provided the
monitor has been approved for use under such modes.
In fact, to provide proper security it seems that the
computer must be designed for the multi-programmed
mode. In the rare case, when only one program is
running, it is multi-programming with a single program. Multi-processors, for the purposes of this
paper, are assumed to be a variant of multi-programming. It is obvious that this isn't true; however,
it is felt that simple, logical extensions will carry
the multi-programming philosophy into the multi-processor mode and still provide adequate protection.
6. Operating personnel must be cleared to appropriate levels. Trustworthy personnel must be available to enforce the rules against intrusion at the computer. This does not mean that every operator in
the installation need be cleared, but it does mean

that on every shift there must be at least one individual who is fully aware of the requirements of
the operating doctrine which is needed to protect
the secure data. He must completely understand
what it takes to utilize the system appropriately
and securely in any circumstance. All other operators
must understand that there exists a protection philosophy. They must be subject to some form of discipline, such as termination or suspension for failure
to obey regulations. On the other hand, the operating
doctrine must be made clear and precise so that it
can be obeyed. Specification of the operating doctrine
is a nontrivial problem and can be very difficult
depending upon the complexity of the tasks assigned
to the operator. In the interest of keeping the operating
doctrine under control it is proposed that the operator
be designed out of the operation as much as possible.
7. A log of all significant events should be maintained both by the computer and the operating personnel. The form and contents of these logs should be approved by appropriate authority. The log is the ultimate defense against penetration. The question of whether or not some data have gone astray must be answered by the log. The log ascertains who does what, and to what extent he has attempted to do something illegal. It also records the utilization of files. It indicates whether or not some security restriction is significantly interfering with the production of the system. The log will provide the review and feed-back which will make it possible to relax security where it is overly stringent, and it will provide the factual basis for increasing security where it has failed to provide a sufficient level of confidence.
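The kind of log this principle calls for can be sketched in miniature. The following is a modern illustration only, not the 1967 implementation; the class, method, and field names are invented:

```python
# Hypothetical sketch of the event log described in principle 7: an
# append-only record of who did what, which files were touched, and
# whether anything illegal was attempted.
import datetime

class SecurityLog:
    def __init__(self):
        self.entries = []  # append-only in spirit; entries are never rewritten

    def record(self, user, action, target, violation=False):
        """Record one significant event, with a timestamp for later review."""
        self.entries.append({
            "time": datetime.datetime.now(datetime.timezone.utc),
            "user": user,
            "action": action,
            "target": target,
            "violation": violation,
        })

    def violations_by(self, user):
        """Support the review the paper calls for: who tried what, how often."""
        return [e for e in self.entries if e["user"] == user and e["violation"]]
```

Such a log answers after the fact the question the paper poses: whether some data have gone astray, and who attempted what.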
8. Every user should be subject to common discipline and authority. He shall know and understand the conventions which are required of him to support the security system; it is particularly important that everyone who has access to the more highly classified levels of material fully understand his part in the protection of the data and the system. The remote terminals must also be electrically identifiable; the system identifies the station by its permanent connection to a specific set of hubs in the machine. Station identification can not be dependent upon the action of the user unless this action has been carefully considered for its security connotation.
9. It is possible that design considerations for the
system require that an individual remote terminal
change its particular security level upward at one
time or another. It is necessary that this change be
accomplished in a secure fashion. An acceptable
method would be to issue the user of such a remote terminal a one-time list of five-letter groups. The

user would be required to use each group, in turn,
once and only once. This would make observing of
the particular procedure for raising the station
security level valueless to an observer. It has the
further effect that should an observer obtain and use
the next available five letter group, such use would
cause a conflict with the legitimate user's call. Thus
there would be detection of illegal use.
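The one-time list scheme can be sketched as follows. This is a modern illustration of the idea, not the 1967 mechanism; `make_code_list` and `TerminalAuthenticator` are invented names:

```python
# Hypothetical sketch of the one-time code-group scheme described above:
# the terminal's user holds a printed list of five-letter groups; the
# monitor holds the same list and accepts each group exactly once, in order.
import secrets
import string

def make_code_list(n=100):
    """Generate a one-time list of five-letter groups."""
    return ["".join(secrets.choice(string.ascii_uppercase) for _ in range(5))
            for _ in range(n)]

class TerminalAuthenticator:
    def __init__(self, code_list):
        self.codes = list(code_list)
        self.next_index = 0  # the monitor's pointer into the shared list

    def raise_security_level(self, presented_group):
        """Accept the next unused group once and only once.

        A replayed or stolen group collides with the legitimate user's
        next call, so illegal use is detected rather than silently allowed.
        """
        if self.next_index >= len(self.codes):
            raise RuntimeError("code list exhausted; a new list must be issued")
        if presented_group != self.codes[self.next_index]:
            return False  # wrong or already-used group: log and refuse
        self.next_index += 1
        return True
```

The design choice mirrors the paper's argument: because each group is valid exactly once, an eavesdropper who observes the procedure gains nothing, and one who steals the next group causes a detectable conflict.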
Let us now return to a discussion of the attributes of an acceptable monitor. The monitor is the key defense, the key security element in the system. It must be properly designed.

The cost of a properly designed monitor is probably not more than 10% greater than that of a monitor which is minimally acceptable for multi-programming. Monitors for multi-programming need a high degree of program and file integrity to be effective. Improvement of such a monitor to the point where it is acceptable for handling material in a secure fashion is an achievable goal.
The monitor must perform all input/output (I/O)
without exception. No user program can be permitted
to utilize any I/O device, except via a call to the
monitor. It is very important that the monitor control
all I/O which could provide large amounts of information to a penetrating program. The monitor must
manage the system clocks and the main console. If
the maintenance panel is beyond management by the
monitor, it must be secured.
The monitor must be carefully designed to limit the
amount of critical coding. When an interrupt occurs,
control is transferred to the monitor and the core is
unprotected. The monitor must, as soon as reasonable,
adjust the memory bounds to provide limits on even
the monitor's own coding. This requires that the
coding which receives interrupts be certified as error
free for all possible inputs and timing. The greater
portion of the coding of the monitor need not be certified error free to the same degree because it is operated under the same restraints as a user program. By
keeping the amount of coding that can reference any
part of core without restriction to a few well-tested
units, confidence in the monitor can be established.
The monitor must be adequately tested. It is certainly necessary to adequately demonstrate the security capability to the governing authority. In addition to passing its initial acceptance, the monitor must also test itself continuously. For instance, the memory bounds protection can be expected to fail with some probability. Every user program which conforms with the security safeguards will be expected to run without violating the memory bounds protection and therefore will not test such a feature. It is necessary, therefore, that some special program, or some part of the monitor, deliberately and periodically violate the memory bounds protection to verify that the bounds protection checker is, in fact, working. It is extremely important that tests for all significant safeguards built into a monitor be periodically and deliberately verified. The confidence which management has in the security safeguards will, in part, rest on the evidence furnished by such self-tests.
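The self-test idea can be illustrated with a toy sketch. All names here are hypothetical, and a real monitor would exercise the hardware checker itself rather than a software stand-in:

```python
# Hypothetical sketch of the self-test principle above: a routine
# deliberately makes an out-of-bounds reference and verifies that the
# protection mechanism actually raises a violation.
class BoundsProtect:
    """Toy stand-in for the hardware memory-bounds checker."""
    def __init__(self, lower, upper):
        self.lower, self.upper = lower, upper

    def check(self, address):
        if not (self.lower <= address < self.upper):
            raise MemoryError(f"bounds violation at {address}")

def self_test(protect):
    """Return True only if the checker trips on a deliberate violation.

    A checker that silently passes an illegal reference has failed, even
    though no well-behaved user program would ever reveal this failure.
    """
    try:
        protect.check(protect.upper)      # deliberately out of bounds
    except MemoryError:
        return True                       # checker is alive: log and continue
    return False                          # checker broken: sound the alarm
```

This captures the paper's point that conforming programs never exercise the safeguard, so only a deliberate, periodic violation furnishes evidence that it still works.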
The monitor must keep the user programs bounded by memory protect while they are operating. The individual user program must be free to reference its assigned area of core, but nowhere else. All I/O action, and any out-of-area reference by user programs, must be via calls to the monitor. This will protect information concerning the security levels and authorized users, files, and outputs from access. The operating elements of the monitor, such as loaders and terminators, should themselves be treated as though they were individual user programs, thus reducing the amount of coding that is outside the safeguards.
Authority to reference random access peripherals
must be established by the monitor and all references
must be checked for validity and authority. It is a
small cost in a random access I/O routine to determine if a supplied address is legal and within bounds.
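The bounds-and-authority check in the random-access I/O path might look like the following sketch. It is illustrative only; `FileAuthority` and its methods are invented names, not from the system described:

```python
# Hypothetical sketch: the monitor validates every random-access request
# against the requesting program's established authority and the extent
# of addresses granted for that file.
class FileAuthority:
    def __init__(self):
        # (program, file) -> (first legal address, one past the last)
        self.grants = {}

    def grant(self, program, filename, first, last):
        """Establish a program's authority over a range of a file."""
        self.grants[(program, filename)] = (first, last)

    def validate(self, program, filename, address):
        """Return True iff the program may reference this address of this file."""
        extent = self.grants.get((program, filename))
        if extent is None:
            return False          # no authority established for this file
        first, last = extent
        return first <= address < last
```

As the paper notes, this check is a small cost: a dictionary lookup and one range comparison per request.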
What is the monitor to do if there is a violation? If there is a violation of the memory bounds or the use of a privileged instruction by a user program, the monitor must immediately suspend the offending program and must make log entries. It must also prohibit the further use of the offending program by the user submitting the violating program unless specifically authorized by a supervisor.

The suspension of violating program requests must be thorough and complete. If the task has been divided into multiple concurrent operating activities, all such activities must be terminated. If the task has resulted in a chain of requests, all such requests must be removed from the queue. Violation of security rules by any activity must result in a complete abort of all parts of that request. This is necessary to prevent a user program from making multiple tries against the security system.
Security rules cannot be suspended for debugging or program testing. It is clear that security rules cannot be suspended for debugging programs because the new program is the one most likely to violate security. The debugging system must live with the security restrictions, although some concessions can be made for debugging. For example, one can flag a program that is in a debugging state. Then if a bounds violation occurs, the system could merely log it and send a dump of the program to the user rather than sounding a major alarm.


Tests of security flags must be fail-safe. If a flag, when it is referenced, is inconsistent or ambiguous, it must fail to qualify. Thus security flags must be adequate. As an example, one could use a single bit, but then an error could change this bit to indicate a different but still valid combination; CLASSIFIED could too easily become UNCLASSIFIED. Therefore, single bits are not acceptable, and the question then becomes "How many bits should one utilize?"

The specific configuration of bits is dependent upon the goals and requirements of the particular security system and the machine or bit-handling capability of the individual machine. The author has used a 60 bit flag in a machine which has 30 bit words with half-word capability. This led to four 15 bit configurations which were complementary to give verification. Forty bits would have been sufficient for the particular application, so the next higher multiple of word size was chosen.
Software security is derived by the proper application of a few sound principles which must be consistently applied in many small actions. With a proper
understanding and careful review, software security
can be maintained so long as physical and personnel
security are assumed. The principles set forth in
this paper have been generalized from the specific
development of a specific system which dealt with
multi-levels of classified information.

Security and privacy: similarities
and differences
by WILLIS H. WARE
The RAND Corporation
Santa Monica, California

For the purposes of this paper we will use the term
"security" when speaking about computer systems
which handle classified defense information, and
"privacy" in regard to those computer systems which
handle non-defense information which nonetheless
must be protected because it is in some respect sensitive. It should be noted at the outset that the context
in which security must be considered is quite different
from that which can be applied to the privacy question.
With respect to classified military information there
are federal regulations which establish authority, and
discipline to govern the conduct of people who work
with such information. Moreover, there is an established set of categories into which information is
classified. Once information is classified Confidential,
Secret, or Top Secret, there are well-defined requirements for its protection, for controlling access to it,
and for transmitting it from place to place. In the
privacy situation, analogous conditions may exist
only in part or not at all.
There are indeed Federal and State statutes which
protect the so-called "secrecy of communication."
But it remains to be established that these laws can
be extended to cover or interpreted as applicable to
the unauthorized acquisition of information from computer equipment. There are also laws against thievery;
and at least one case involving a programmer and
theft of privileged information has been tried. The
telephone companies have formulated regulations
governing the conduct of employees (who are subject
to "secrecy of communication" laws) who may intrude
on the privacy of individuals; perhaps this experience
can be drawn upon by the computer field.
Though there apparently exist fragments of law and
some precedents bearing on the protection of information, nonetheless the privacy situation is not so
neatly circumscribed and tidy as the security situation. Privacy simply is not so tightly controlled. Within
computer networks serving many companies, organi-

zations, or agencies, there may be no uniform governing authority; an incomplete legal framework; no
established discipline, or perhaps not even a code of
ethics among users. At present there is not even a
commonly accepted set of categories to describe levels
of sensitivity for private information.
Great quantities of private information are being
accumulated in computer files; and the incentives to
penetrate the safeguards to privacy are bound to increase. Existing laws may prove inadequate, or may
need more vigorous enforcement. There may be need
for a monitoring and enforcement establishment
analogous to that in the security situation. In any
event, it can not be taken for granted that there now
exist adequate legal and ethical umbrellas for the protection of private information.
The privacy problem is really a spectrum of problems. At one end, it may be necessary to provide only
a very low level of protection to the information for
only a very short time; at the opposite end, it may be
necessary to invoke the most sophisticated techniques
to guarantee protection of information for extended
periods of time. Federal regulations state explicitly
what aspect of national defense will be compromised
by unauthorized divulgence of each category of classified information. There is no corresponding particularization of the privacy situation; the potential
damage from revealing private information is nowhere
described in such absolute terms. It may be that a
small volume of information leaked from a private
file may involve inconsequential risk. For example,
the individual names of a company's employees are
probably not even sensitive, whereas the complete
file of employees could well be restricted. Certainly
the "big brother" spectre raised by recent Congressional hearings on "invasion of privacy" via massive
computer files is strongly related to the volume of
information at risk.


Spring Joint Computer Conf., 1967

Because of the diverse spread in the privacy situation, the appearance of the problem may be quite
different from its reality. One would argue on principle
that maximum protection should be given to all information labeled private; but if privacy of information is not protected by law and authority, we can expect that the owner of sensitive information will require a system designed to guarantee protection only
against the threat as he sees it. Thus, while we might
imagine very sophisticated attacks against private
files, the reality of the situation may be that much
simpler levels of protection will be accepted by the
owners of the information.
In the end, an engineering trade-off question must
be assessed. The value of private information to an
outsider will determine the resources he is willing to
expend to acquire it. In turn, the value of the information to its owner is related to what he is willing to pay
to protect it. Perhaps this game-like situation can be
played out to arrive at a rational basis for establishing
the level of protection. Perhaps a company or governmental agency - or a group of companies or agencies,
or the operating agent of a multi-access computer
service - will have to establish its own set of regulations for handling private information. Further, a
company or agency may have to establish penalties
for infractions of these regulations, and perhaps even
provide extra remuneration for those assuming the
extraordinary responsibility of protecting private
information.
The security measures deemed necessary for a
multi-processing remote terminal computer system
operating in a military classified environment have
been discussed in this volume.* This paper will compare the security situation with the privacy situation,
and suggest issues to be considered when designing a
computer system for guarding private information.
Technology which can be applied against the design
problem is described elsewhere.†
First of all, note that the privacy problem is to some
extent present whenever and wherever sharing of
the structures of a computer system takes place. A
time-sharing system slices time in such a way that
each user gets a small amount of attention on some
periodic basis. More than one user program is resident
in the central storage at one time; and hence, there
are obvious opportunities for leakage of information
from one program to another, although the problem
is alleviated to some extent in systems operating in
an interpretive software mode. In a multi-programmed
"'Peters, B., "Security Considerations in a Multi-Programmed Sysiem".
tPetersen, H. E., and R. Turn, Systems Implications of Privacy."

computer system it is also true that more than one
user program is normally resident in the core store
at a time. Usually, a given program is not executed
without interruption; it must share the central storage
and perhaps other levels of storage with other programs. Even in the traditional batch-operated system
there can be a privacy problem. Although only one
program is usually resident in storage at a time, parts
of other programs reside on magnetic tape or discs;
in principle, the currently executing program might
accidentally reference others, or cause parts of previous programs contained on partially re-used magnetic
tape to be output.
Thus, unless a computer system is completely
stripped of other programs - and this means clearing or removing access to all levels of storage - privacy infractions are possible and might permit
Let us now reconsider the points raised in the
Peters* paper and extend the discussion to include
the privacy situation.
(1) The problem of controlling user access to the
resource-sharing computer system is similar in both
the security and privacy situations. It has been suggested that one-time passwords are necessary to
satisfactorily identify and authenticate the user in
the security situation. In some university time-sharing systems, permanently assigned passwords are
considered acceptable for user identification. Even
though printing of a password at the console can be
suppressed, it is easy to ascertain such a password by
covert means; hence, repeatedly used passwords
may prove unwise for the privacy situation.
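The distinction between one-time and permanently assigned passwords can be made concrete with a small sketch (a modern illustration; the class name and password values are hypothetical, not from the paper): each pre-issued password is consumed on first use, so a password observed at a console is already worthless to an infiltrator.

```python
# Hypothetical sketch of one-time password checking: each password in a
# pre-issued list is consumed on first use, so an observed password
# cannot be replayed by an infiltrator.

class OneTimePasswordList:
    def __init__(self, issued_passwords):
        self._unused = set(issued_passwords)

    def authenticate(self, password: str) -> bool:
        """Accept the password only if it has never been used before."""
        if password in self._unused:
            self._unused.remove(password)   # consume it
            return True
        return False

otp = OneTimePasswordList(["RED7", "BLUE2", "GRAY9"])
assert otp.authenticate("RED7")        # first use succeeds
assert not otp.authenticate("RED7")    # replay is rejected
```

A permanently assigned password, by contrast, remains valid after every use, which is why covert observation defeats it.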
(2) The incentive to penetrate the system is present
in both the security and privacy circumstances.
Revelation of military information can degrade the
country's defense capabilities. Likewise, divulgence
of sensitive information can to some extent damage
other parties or organizations. Private information
will always have some value to an outside party, and
it must be expected that penetrations will be attempted against computer systems handling such information. It is conceivable that the legal liability
for unauthorized leaking of sensitive information
may become as severe as for divulging classified
material.
(3) The computer hardware requirements appear
to be the same for the privacy and security situations.
Such features as memory read-write protection,
bounds registers, privileged instructions, and a
privileged mode of operation are required to protect
*Peters, B., loc. cit.

Security And Privacy: Similarities And Differences
information, be it classified or sensitive. Also, overall software requirements seem similar, although certain details may differ in the privacy situation because of communication matters or difference in user
discipline.
(4) The file access and protection problem is
similar under both circumstances. Not all users of a
shared computer-private system will be authorized
access to all files in the system, just as not all users
of a secure computer system will be authorized access
to all files. Hence, there must be some combination
of hardware and software features which controls
access to the on-line classified files in conformance
with security levels and need-to-know restrictions
and in conformance with corresponding attributes
in the privacy situation. As mentioned earlier, there
may be a minor difference relative to volume. In
classified files, denial of access must be absolute,
whereas in private files access to a small quantity
of sensitive information might be an acceptable risk.
(5)"The philosophy of the overall system organization will probably have to be different in the privacy
situation. In the classified defense environment,
users are indoctrinated in security measures and their
personal responsibility can be considered as part of
the system design. Just as the individual who finds
a classified document in a hallway is expected to
return it, so the man who accidentally receives classified information at his console is expected to report
it. The users in a classified system are subject to the
regulations, authority, and discipline of a governmental agency. Similar restrictions may not prevail
in a commercial or industrial resource-sharing computer network, nor in government agencies that do
not operate within the framework of government
classification. In general, it would appear that one
cannot exploit the good will of users as part of a privacy system's design. On the other hand, the co-operation of users may be part of the design philosophy if it
proves possible to impose a uniform code of ethics,
authority, and discipline within a multi-access system. Uniform rules of behavior might be possible if
all users are members of the same organization, but
quite difficult or impossible if the users are from many
companies or agencies.
(6) The certifying authority is certainly different
in the two situations. It is easy to demonstrate that
the total number of internal states of a computer is
so enormous that some of them will never prevail in
the lifetime of the machine. It is equally easy to
demonstrate that large computer programs have a
huge number of internal paths, which implies the
potential existence of error conditions which may appear rarely or even only once. Monitor programs
governing the internal scheduling and operation of
multi-programmed, time-sharing, or batch-operated
machines are likely to be extensive and complex;
and if security or privacy is to be guaranteed, some
authority must certify that the monitor is properly
programmed and checked out. Similarly, the hardware must also be certified to possess appropriate
protective devices.
In a security situation, a security officer is responsible for establishing and implementing measures
for the control of classified information. Granted
that he may have to take the word of computer experts or become a computer expert himself, and
granted that of itself his presence does not solve the
computer security problem, there is nonetheless at
least an assigned, identifiable responsible authority.
In the case of the commercial or industrial system,
who is the authority? Must the businessman take the
word of the computer manufacturer who supplied
the software? If so, how does he assure himself that
the manufacturer hasn't provided "ins" to the system that only he, the manufacturer, knows about?
Must the businessman create his own analog of defense security practices?
(7) Privacy and security situations are certainly
similar in that deliberate penetrations must be anticipated, if not expected; but industrial espionage against
computers may be less serious. On the other hand,
industrial penetrations against computers could be
very profitable and perhaps safer from a legal viewpoint.
It would probably be difficult for a potential penetrator to mount the magnitude of effort against an
industrial resource-sharing computer system that
foreign agents are presumed to mount against secrecy
systems of other governments. To protect against
large-scale efforts, an industry-established agency
could keep track of major computing installations
and know where penetration efforts requiring heavy
computer support might originate. On the other hand,
the resourceful and insightful individual can be as
great a threat to the privacy of a system. If one can
estimate the nature and extent of the penetration
effort expected against an industrial system, perhaps
it can be used as a design parameter to establish the
level of protection for sensitive information.
(8) The security and privacy situations are certainly similar in that each demands secure communication circuits. For the most part, methods for assuring the security of communication channels have been
the exclusive domain of the military and government. What about the non-government user? Could
the specifications levied on common carriers in their


implied warranty of a private circuit be extended?
Does the problem become one for the common
carriers? Must they develop communication security
equipment? If the problem is left to the users, does
each do as he pleases? Might it be feasible to use the
central computer itself to encode information prior
to transmission? If so, the console will require special
equipment for decoding the messages.
(9) Levels of protection for communications are
possibly different in the two situations. If one believes that a massive effort at penetration could not
be mounted against a commercial private network,
a relatively low-quality protection for communication
would be sufficient. On the other hand, computer
networks will inevitably go international. Then what?
A foreign industry might find it advantageous to tap
the traffic of U.S. companies operating an international and presumably private computer network.
Might it be that for reasons of national interest we
will someday find the professional cryptoanalytic
effort of a foreign government focused on the privacy-protecting measures of a computer network?
If control of international trade were to become an
important instrument of government policy, then any
international communications network involved with
industrial or commercial computer-private systems
will need the best protection that can be provided.
This paper has attempted to identify and briefly
discuss the differences and similarities between
computer systems operating with classified military
information and computer systems handling private
or sensitive information. Similar hardware and software and systems precautions must be taken. In most
respects, the differences between the two situations
are only of degree. However, there are a few aspects
in which the two situations genuinely differ in kind,
and on these points designers of a system must take
special note. The essential differences between the
two situations appear to be the following:
(1) Legal foundations for protecting classified
information are well established, whereas in
the privacy situation a uniform authority over
users and a penalty structure for infractions
are lacking. We may not be able to count on the
good will and disciplined behavior of users as
part of the protective measures.
(2) While penetrations can be expected against
both classified and sensitive information, the
worth of the material at risk in the two situations can be quite different, not only to the
owner of the data but also to other parties and
to society.
(3) The magnitude of the resources available for
protection and for penetration is markedly
smaller in the privacy situation.
(4) While secure communications are required in
both situations, there are significant differences
in details. In the defense environment, protected
communications are the responsibility of a
government agency, appropriate equipment is
available, and the importance of protection
over-rides economic considerations. In the
privacy circumstance, satisfactory secure communication equipment is generally not available,
and the economics of protecting communications is likely to be more carefully assessed.
(5) Some software details have to be handled differently in the privacy situation to accommodate
differences in the security of communications.
It must be remembered that, since the Federal
authority and regulations for handling classified military information do not apply to private or sensitive information, it does not automatically follow that
a computer network designed to safely protect classified information will equally well protect sensitive
information. The all-important difference is that the
users of a computer-private network may not be subject to a common authority and discipline. But even
if they are, the strength of the authority may not be
adequate to deter deliberate attempts at penetration.

System implications of
information privacy
by H. E. PETERSEN and R. TURN
The RAND Corporation
Santa Monica, California

INTRODUCTION
Recent advances in computer time-sharing technology
promise information systems which will permit simultaneous on-line access to many users at remotely
located terminals. In such systems, the question
naturally arises of protecting one user's stored programs and data against unauthorized access by others.
Considerable work has already been done in providing protection against accidental access due to
hardware malfunctions or undebugged programs. Protection against deliberate attempts to gain access to
private information, although recently discussed from
a philosophical point of view,1-4 has attracted only
fragmentary technical attention. This paper presents
a discussion of the threat to information privacy in
non-military information systems, applicable countermeasures, and system implications of providing
privacy protection.
The discussion is based on the following model of
an information system: a central processing facility
of one or more processors and an associated memory
hierarchy; a set of information files - some private,
others shared by a number of users; a set of public or
private query terminals at geographically remote
locations; and a communication network of common
carrier, leased, or private lines. This time-shared,
on-line system is referred to throughout as "the
system."

Threats to information privacy
Privacy of information in the system is lost either
by accident or deliberately induced disclosure. The
most common causes of accidental disclosures are
failures of hardware and use of partially debugged
programs. Improvements in hardware reliability and
various memory protection schemes have been
suggested as countermeasures. Deliberate efforts
to infiltrate an on-line, time-shared system can be
classified as either passive or active.
Passive infiltration may be accomplished by wiretapping or by electromagnetic pickup of the traffic
at any point in the system. Although considerable
effort has been applied to counter such threats to
defense communications, nongovernmental approaches to information privacy usually assume that
communication lines are secure, when in fact they
are the most vulnerable part of the system. Techniques for penetrating communication networks may
be borrowed from the well-developed art of listening
in on voice conversations.5,6 (While the minimum investment in equipment is higher than that required to
obtain a pair of headsets and a capacitor, it is still
very low, since a one-hundred-dollar tape recorder
and a code conversion table suffice.) Clearly, digital
transmission of information does not provide any
more privacy than, for example, Morse code. Nevertheless, some users seem willing to entrust to digital
systems valuable information that they would not
communicate over a telephone.
Active infiltration - an attempt to enter the system
to directly obtain or alter information in the files - can
be overtly accomplished through normal access procedures by:
• Using legitimate access to a part of the system
to ask unauthorized questions (e.g., requesting
payroll information or trying to associate an individual with certain data), or to "browse" in unauthorized files.
• "Masquerading" as a legitimate user after having
obtained proper identifications through wiretapping or other means.
• Having access to the system by virtue of a position with the information center or the communication network but without a "need to know"
(e.g., system programmer, operator, maintenance,
and management personnel).

Or an active infiltrator may attempt to enter the system covertly (i.e., avoiding the control and protection
programs) by:
• Using entry points planted in the system by unscrupulous programmers or maintenance engineers, or probing for and discovering "trap
doors" which may exist by virtue of the combinatorial aspects of the many system control
variables (similar to the search for "new and
useful" operation codes - a favorite pastime of
machine-language programmers of the early
digital computers).
• Employing special terminals tapped into communication channels to effect:
- "Piggy-back" entry into the system by selective
interception of communications between a user
and the processor, and then releasing these with
modifications or substituting entirely new
messages while returning an "error" message;
- "Between lines" entry to the system when a
legitimate user is inactive but still holds the communication channel;
- Cancellation of the user's sign-off signals, so
as to continue operating in his name.
In all of these variations the legitimate user provides procedures for obtaining proper access.
The infiltrator is limited, however, to the legitimate user's authorized files.
More than an inexpensive tape recorder is required
for active infiltration, since an appropriate terminal
and entry into the communication link are essential.
In fact, considerable equipment and know-how are
required to launch sophisticated infiltration attempts.

The objectives of infiltration attempts against information systems have been discussed by a number
of authors1-3,7 from the point of view of potential
payoff. We will merely indicate the types of activities
that an infiltrator may wish to undertake:
• Gaining access to desired information in the files,
or discovering the information interests of a
particular user.
• Changing information in the files (including
destruction of entire files).
• Obtaining free computing time or use of proprietary programs.
Depending on the nature of the filed information,
a penetration attempt may cause no more damage than
satisfying the curiosity of a potentially larcenous programmer. Or it may cause great damage and result in
great payoffs; e.g., illicit "change your dossier for a
fee," or industrial espionage activities. (See Table I for
a summary of threats to information privacy.)
More sophisticated infiltration scenarios can be conceived as the stakes of penetration increase. The
threat to information privacy should not be taken
lightly or brushed aside by underestimating the resources and ingenuity of would-be infiltrators.

Countermeasures
The spectrum of threats discussed in the previous
section can be countered by a number of techniques
and procedures. Some of these were originally introduced into time-shared, multi-user systems to
prevent users from inadvertently disturbing each
other's programs,8 and then expanded to protect
against accidental or deliberately induced disclosures

TABLE I. Summary of Threats to Information Privacy

Nature of
Infiltration   Means                                    Effects

Accidental     Computer malfunctioning; user errors;    Privileged information dumped at
               undebugged programs                      wrong terminals, printouts, etc.

Deliberate,    Wiretapping, electromagnetic pickup,     User's interest in information
Passive        examining carbon papers, etc.            revealed; content of communications revealed

Deliberate,    Entering files by:                       Specific information revealed or
Active         "Browsing";                              modified as a result of infiltrator's actions
               "Masquerading";
               "Between lines";
               "Piggy-back" penetration

of information.8,9 Others found their beginning in
requirements to protect privacy in communication
networks.10 In the following discussion, we have
organized the various countermeasures into several
classes.
Access management
These techniques are aimed at preventing unauthorized users from obtaining services from the
system or gaining access to its files. The procedures
involved are authorization, identification, and authentication. Authorization is given for certain users to
enter the system, gain access to certain files, and
request certain types of information. For example,
a researcher may be permitted to compile earnings
statistics from payroll files but not to associate names
with salaries. Any user attempting to enter the system
must first identify himself and his location (i.e., the
remote terminal he is using), and then authenticate
his identification. The latter is essential if information
files with limited access are requested; and is desirable to avoid mis-charging of the computing costs.
The identification-authentication steps may be repeated any number of times (e.g., when particularly
sensitive files are requested).
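The authorization step can be pictured as a table of per-user rights consulted before any request is served. The sketch below is purely illustrative (the user names, file names, and query-type labels are hypothetical, not from the paper), using the paper's example of a researcher permitted to compile statistics but not to associate names with salaries:

```python
# Hypothetical authorization table: (user, file) -> permitted query types.
# Mirrors the paper's example of a researcher who may compile earnings
# statistics from payroll files but may not associate names with salaries.

AUTHORIZATIONS = {
    ("researcher", "payroll"): {"aggregate_statistics"},
    ("paymaster",  "payroll"): {"aggregate_statistics", "name_salary_lookup"},
}

def authorize(user: str, filename: str, query_type: str) -> bool:
    """Grant a request only if this user holds this right on this file."""
    return query_type in AUTHORIZATIONS.get((user, filename), set())

assert authorize("researcher", "payroll", "aggregate_statistics")
assert not authorize("researcher", "payroll", "name_salary_lookup")
```

Identification and authentication would precede this check, establishing that the requester really is the user named in the table.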
Requirements for authentication may also arise in
reverse, i.e., the processor identifie$ and authenticates itself to the user with suitable techniques. This
may satisfy the user that he is not merely conversing
with an infiltrator's console. Applied to certain messages from the processor to the user (e.g., error
messages or requests for repetition) these could be
authenticated as coming from the processor and not
from a piggy-back penetrator. (Since various specific
procedures are applied to different parts of the system,
a detailed discussion of their structures and effectiveness is presented in Sec. IV.)
Processing restrictions

Although access control procedures can eliminate
the simple threats from external sources, they cannot
stop sophisticated efforts nor completely counter
legitimate users or system personnel inclined to
browse. An infiltrator, once in the system, will attempt
to extract, alter, or destroy information in the files.
Therefore, some processing restrictions (in addition
to the normal memory protection features) need to be
imposed on files of sensitive information. For example, certain removable files may be mounted on
drives with disabled circuits, and alterations of data
performed only after requests are authenticated by
the controller of each file. Copying complete files
(or large parts of files) is another activity where processing controls need to be imposed - again in the
form of authentication or file controllers.


In systems where very sensitive information is
handled, processing restrictions could be imposed on
specific users in instances of "suspicious" behavior.
For example, total cancellation of any program
attempting to enter unauthorized files may be an
effective countermeasure against browsing. 9
Threat monitoring
Threat monitoring concerns detection of attempted
or actual penetrations of the system or files either
to provide a real-time response (e.g., invoking job
cancellation, or starting tracing procedures) or to
permit post facto analysis. Threat monitoring may
include recording of all rejected attempts to enter the
system or specific files, use of illegal access procedures, unusual activity involving a certain file,
attempts to write into protected files, attempts to perform restricted operations such as copying files, excessively long periods of use, etc. Periodic reports
to users on file activity may reveal possible misuse
or tampering, and prompt stepped-up auditing along
with a possible real-time response. Such reports
may range from a page by page synopsis of activity
during the user session, to a monthly analysis and
summary.
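A minimal sketch of such monitoring (the class name and threshold value below are hypothetical, not from the paper) records each rejected access attempt for post facto analysis and flags a user whose rejections cross a limit, the point at which a real-time response such as job cancellation could be invoked:

```python
from collections import Counter
from datetime import datetime, timezone

# Hypothetical threshold: how many rejections before a user is flagged.
REJECTION_THRESHOLD = 3

class ThreatMonitor:
    """Record rejected access attempts; flag suspicious activity."""

    def __init__(self):
        self.log = []                 # post-facto audit trail
        self.rejections = Counter()   # rejected attempts per user

    def record_rejection(self, user: str, target_file: str) -> bool:
        """Log the rejection; return True if the user should be flagged."""
        self.log.append((datetime.now(timezone.utc), user, target_file))
        self.rejections[user] += 1
        # A real-time response (job cancellation, tracing) could hook in here.
        return self.rejections[user] >= REJECTION_THRESHOLD

monitor = ThreatMonitor()
flags = [monitor.record_rejection("user7", f)
         for f in ("payroll", "medical", "payroll")]
assert flags == [False, False, True]   # third rejection trips the flag
```

The accumulated log is also the raw material for the periodic file-activity reports to users described above.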
Privacy transformations

Privacy transformations10,11 are techniques for
coding the data in user-processor communications
or in files to conceal information. They could be
directed against passive (e.g., wiretapping) as well
as sophisticated active threats (e.g., sharing a user's
identification and communication link by a "piggy-back" infiltrator), and also afford protection to data
in removable files against unauthorized access or
physical loss.
A privacy transformation consists of a set of
reversible logical operations on the individual characters of an information record, or on sets of such
records. Reversibility is required to permit recovery
(decoding) of the original information from the encoded form. Classes of privacy transformations include:
• Substitution - replacement of message characters
with characters or groups of characters in the
same or a different alphabet in a one-to-one manner (e.g., replacing alphanumeric characters with
groups of binary numerals).
• Transposition - rearrangement of the ordering of
characters in a message.
• Addition - using appropriate "algebra" to combine characters in the message with encoding
sequences of characters (the "key") supplied
by the user.
Well-known among a number of privacy transformations of the "additive" type11 are the "Vigenere
cipher," where a short sequence of characters is
repeatedly used to combine with the characters of
the message, and the "Vernam system," where the
user-provided sequence is at least as long as the
message. Successive applications of several transformations may be used to increase the complexity.
In general, the user of a particular type of privacy
transformation (say, the substitution of characters
in the same alphabet) has a very large number of
choices of transformations in that class (e.g., there
are 26 factorial - 4 x 10^26 - possible substitution
schemes of the 26 letters of the English alphabet).
The identification of a particular transformation is
the "key" chosen by the user for encoding the
message.
Any infiltrator would naturally attempt to discover
the key - if necessary, by analyzing an intercepted
encoded message. The effort required measures the
"work factor" of the privacy transformation, and indicates the amount of protection provided, assuming
the key cannot be stolen, etc. The work factor depends on the type of privacy transformations used,
the statistical characteristics of the message language,
the size of the key space, etc. A word of caution
against depending too much on the large key space:
Shannon11 points out that about 3 x 10^12 years would
be required, on the average, to discover the key used
in the aforementioned substitution cipher with 26
letters by an exhaustive trial-and-error method
(eliminating one possible key every microsecond).
However, according to Shannon, repeatedly dividing
the key space into two sets of roughly an equal number of keys and eliminating one set each trial (similar
to coin-weighing problems) would require only 88
trials.
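The arithmetic behind these figures is easy to verify. The short calculation below (a modern illustration, not part of the paper) reproduces the size of the substitution key space and the roughly 88 halving trials; the exhaustive-search estimate comes out at the same order of magnitude as the quoted 3 x 10^12 years:

```python
import math

# Size of the key space for simple substitution on a 26-letter alphabet.
keys = math.factorial(26)                      # 26! ≈ 4.03 x 10^26

# Exhaustive trial-and-error at one key per microsecond; on average
# half the key space must be searched before the key is found.
avg_years = (keys / 2) * 1e-6 / (365 * 24 * 3600)

# Binary elimination: each trial halves the remaining key space, so
# about log2(26!) trials suffice to identify the key.
trials = math.log2(keys)

print(f"keys = {keys:.3e}")                         # ≈ 4.033e+26
print(f"average exhaustive search ≈ {avg_years:.1e} years")
print(f"binary-elimination trials ≈ {trials:.0f}")  # ≈ 88
```

The contrast between the two searches is exactly Shannon's caution: a huge key space alone does not guarantee a high work factor.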
The level of work factor which is critical for a
given information system depends, of course, on an
estimate of the magnitude of threats and of the value
of the information. For example, an estimated work
factor of one day of continuous computation to break
a single key may be an adequate deterrent against a
low-level threat.
Other criteria which influence the selection of a
class of privacy transformations are:11
• Length of the key - Keys require storage space,
must be protected, have to be communicated to
remote locations and entered into the system,
and may even require memorization. Though
generally a short key length seems desirable,
better protection can be obtained by using a key
as long as the message itself.
• Size of the key space- The number of different
privacy transformations available should be

as large as possible to discourage trial-and-error
approaches, and to permit assignment of unique
keys to large numbers of users and changing of
keys at frequent intervals.
• Complexity - Affects the cost of implementation
of the privacy system by requiring more hardware or processing time, but may also improve
the work factor.
• Error sensitivity - The effect of transmission
errors or processor malfunctioning may make decoding impossible.
Other criteria are, of course, the cost of implementation and processing time requirements which
depend, in part, on whether the communication
channel or the files of the system are involved (see
Sec. IV).
Integrity management
Important in providing privacy to an information
system is verification that the system software and
hardware perform as specified - including an exhaustive initial verification of the programs and hardware, and later, periodic checks. Between checks,
strict controls should be placed on modifications of
software and hardware. For example, the latter may
be kept in locked cabinets equipped with alarm
devices. Verification of the hardware integrity after
each modification or repair should be a standard
procedure, and inspection to detect changes of the
emissive characteristics performed periodically.
Integrity of the communication channel is a far
more serious problem and, if common carrier connections are employed, it would be extremely difficult to guarantee absence of wiretaps.
Personnel integrity (the essential element of privacy
protection) poses some fundamental questions which
are outside the scope of this paper. The assumption
must be made, in the interest of realism, that not
everyone can be trusted. System privacy should depend on the integrity of as few people as possible.

System aspects of information privacy
As pointed out previously, not all parts of an information system are equally vulnerable to threats to
information privacy, and different countermeasures
may be required in each part to counter the same
level of threat. The structure and functions of the information processor, the files, and the communication
network with terminals are, in particular, sufficiently
different to warrant separate discussion of information privacy in these subsystems.
Communication lines and terminals
Since terminals and communication channels are
the principal user-to-processor links, privacy of

System Implications Of Information Privacy
information in this most vulnerable part of the system
is essential.
Wiretapping: Many users spread over a wide area
provide many opportunities for wiretapping. Since
the cost of physically protected cables is prohibitive,
there are no practical means available to prevent this
form of entry. As a result, only through protective
techniques applied at the terminals and at the processor can the range of threats, from simple eavesdropping to sophisticated entry through special terminals, be countered. While a properly designed password identification-authentication procedure is effective against some active threats, it does not provide any protection against the simplest threat, eavesdropping, nor against sophisticated "piggy-back" entry. The only broadly effective countermeasure is the use of privacy transformations.
Radiation: In addition to the spectrum of threats
arising from wiretapping, electromagnetic radiation
from terminals must be considered.12
Electromagnetic radiation characteristics will depend heavily on the type of terminal, and may in some
cases pose serious shielding and electrical-filtering
problems. More advanced terminals using cathode
ray tubes for information display may create even
greater problems in trying to prevent what has been
called "tuning in the terminal on Channel 4."
Use of privacy transformations also helps to reduce
some of the problems of controlling radiation. In
fact, applying the transformation as close to the
electromechanical converters of the terminal as possible minimizes the volume that must be protected, and
reduces the extent of vulnerable radiation characteristics.
Obviously, the severity of these problems depends
upon the physical security of the building or room in
which the terminal is housed. Finally, proper handling
and disposal of typewriter ribbons, carbon papers,
etc., are essential.
Operating modes: Whether it would be economical
to combine both private and public modes of operation
into a single standard terminal is yet to be determined;
but it appears desirable or even essential to permit
a private terminal to operate in the public mode,
although the possibility of compromising the privacy
system must be considered. For example, one can
easily bypass any special purpose privacy hardware by
throwing a switch manually or by computer, but these
controls may become vulnerable to tampering. The
engineering of the terminal must, therefore, assure
reasonable physical, logical, and electrical integrity
for a broad range of users and their privacy requirements.
Terminal identification: An unambiguous and
authenticated identification of a terminal is required


for log-in, billing, and to permit system-initiated call-back for restarting or for "hang-up and redial"13
access control procedures. The need for authentication mainly arises when the terminal is connected
to the processor via the common-carrier communication lines, where tracing of connections through
switching centers is difficult. If directly wired connections are used, neither authentication nor identification may be required, since (excluding wiretaps)
only one terminal can be on a line.
Identification of a terminal could involve transmission of an internally (to the terminal) generated
or user-entered code word consisting, for example,
of two parts: one containing a description or name of
the terminal; the other, a password (more about these
later) which authenticates that the particular terminal
is indeed the one claimed in the first part of the code
word. Another method suggested for authenticating
the identity of a terminal is to use computer hang-up
and call-back procedures.13 After terminal identification has been satisfactorily established, the processor may consult tables to determine the privacy
level of the terminal; i.e., the users admitted to the
terminal, the protection techniques required, etc.
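The two-part code word and subsequent table lookup described above can be sketched as follows. This is a hypothetical illustration: the table contents and the names `TERMINALS` and `check_code_word` are assumptions, not details from the original system.

```python
# Hypothetical sketch of two-part terminal identification: the first part
# names the terminal, the second is a password authenticating the claim.
# After authentication, the processor consults its table for the
# terminal's privacy level and admitted users.
TERMINALS = {
    "TTY-07": {"password": "K9X2Q",
               "privacy_level": "private",
               "admitted_users": {"jones", "smith"}},
}

def check_code_word(code_word):
    """Split 'name:password', authenticate the terminal, and return its
    privacy-level entry, or None if authentication fails."""
    name, _, password = code_word.partition(":")
    entry = TERMINALS.get(name)
    if entry is None or entry["password"] != password:
        return None
    return {"privacy_level": entry["privacy_level"],
            "admitted_users": entry["admitted_users"]}
```

A real installation would of course keep such a table protected and might generate the second part inside the terminal hardware rather than have a user enter it.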
User identification: As with a terminal, identifying
a user may require stating the user's name and account
number, and then authenticating these with a password from a list, etc.
If the security of this identification process is adequate, the normal terminal input mechanisms may be
used; otherwise, special features will be required.
For example, hardware to accept and interpret coded
cards might be employed, or sets of special dials or
buttons provided. Procedures using the latter might
consist of operating these devices in the correct
sequence.
In some instances, if physical access to a terminal
is appropriately controlled, terminal identification
may be substituted for user identification (and vice
versa).
Passwords: Clearly, a password authenticating a
user or a terminal would not remain secure indefinitely. In fact, in an environment of potential wiretapping or radiative pickup, a password might be
compromised by a single use. Employing lists of randomly selected passwords, in a "one-time-use"
manner where a new word is taken from the list each
time authentication is needed, has been suggested as a countermeasure under such circumstances.9 One
copy of such a list would be stored in the processor,
the other maintained in the terminal or carried by
the user. After signing in, the user takes the next
word on the list, transmits it to the processor, and then
crosses it off. The processor compares the received
password with the next word in its own list and


Spring Joint Computer Conf., 1967

permits access only when the two agree. Such password lists could be stored in the terminal on punched
paper tape, generated internally by special circuits,
or printed on a strip of paper. The latter could be
kept in a secure housing with only a single password
visible. A special key lock would be used to advance
the list. Since this method of password storage precludes automatic reading, the password must be
entered using an appropriate input mechanism.
The protection provided by use of once-only
passwords during sign-in procedures only is not adequate against more sophisticated "between lines"
entry by an infiltrator who has attached a terminal
to the legitimate user's line. Here the infiltrator can
use his terminal to enter the system between communications from the legitimate user. In this situation
the use of once-only passwords must be extended
to each message generated by the user. Automatic
generation and inclusion of authenticating passwords
by the terminal would now be essential for smoothness of operation; and lists in the processor may have
to be replaced by program or hardware implemented
password generators.
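The processor-side behavior of such a once-only list can be sketched as below. The class name and word list are hypothetical; a real processor would hold one list per user or terminal, and per-message authentication would simply call the same check for every message rather than only at sign-in.

```python
# Illustrative sketch of a "one-time-use" password list as held by the
# processor: each randomly selected word is valid exactly once, and a
# successful use advances the list (crosses the word off).
class OneTimeList:
    def __init__(self, words):
        self._words = list(words)
        self._next = 0          # index of the next valid word

    def authenticate(self, word):
        """Accept only the next unused word on the list; a replayed or
        out-of-order word (e.g., one picked up by a wiretap) fails."""
        if self._next < len(self._words) and word == self._words[self._next]:
            self._next += 1
            return True
        return False
```

Because a captured word is worthless once crossed off, this defeats simple replay, though (as the text notes) not "between lines" entry unless every message is authenticated this way.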
Privacy transformations: The identification procedures discussed above do not provide protection
against passive threats through wire-tapping, or
against sophisticated "piggy-back" entry into the
communication link. An infiltrator using the latter
technique would simply intercept messages - password and all-and alter these or insert his own (e.g.,
after sending the user an error indication). Authentication of each message, however, will only prevent a
"piggy-back" infiltrator from using the system after
cancelling the sign-off statement of the legitimate user.
Although it may be conceivable that directly wired
connections could be secured against wiretapping, it
would be nearly impossible to secure common-carrier circuits. Therefore, the use of privacy transformations may be the only effective countermeasure against wire-tapping and "piggy-back" entry, as they are designed to render encoded messages unintelligible to all but holders of the correct key. Discovering the key, therefore, is essential for an infiltrator.
The effort required to do this by analyzing intercepted
encoded messages (rather than by trying to steal or
buy the key) is the "work factor" of a privacy transformation. It depends greatly on the type of privacy
transformations used, as well as on the knowledge
and ingenuity of the infiltrator.
The type of privacy transformation suitable for a
particular communication network and terminals
depends on the electrical nature of the communication links, restrictions on the character set, structure
and vocabulary of the query language and data, and

on the engineering aspects and cost of the terminals.
For example, noisy communication links may rule out using "auto key" transformations11 (i.e., those where the message itself is the key for encoding); and highly structured query languages may preclude
direct substitution schemes, since their statistics
would not be obscured by substitution and would permit easy discovery of the substitution rules. Effects
of character-set restrictions on privacy transformations become evident where certain characters
are reserved for control of the communication net,
terminals, or the processor (e.g., "end of message,"
"carriage return," and other control characters).
These characters should be sent in the clear and
appear only in their proper locations in the message, hence imposing restrictions on the privacy
transformation.
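A minimal sketch of such a transformation is given below, assuming a simple key-driven substitution over a restricted character set. This is far weaker than any transformation a real system would use; it only illustrates the constraint just described, that reserved control characters are sent in the clear and must not be produced by the encoding.

```python
# Hypothetical key-driven substitution over a restricted character set.
# Reserved control characters ("end of message", "carriage return", ...)
# pass through in the clear and do not advance the key, so they appear
# only in their proper locations and the transformation never emits them.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "   # 27 permitted characters
CONTROL = {"\r", "\n"}                      # reserved control characters

def transform(message, key, decode=False):
    out, k = [], 0
    for ch in message:
        if ch in CONTROL or ch not in ALPHABET:
            out.append(ch)                  # sent in the clear
            continue
        shift = ALPHABET.index(key[k % len(key)])
        if decode:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % len(ALPHABET)])
        k += 1
    return "".join(out)
```

Note that because the key position is not advanced for control characters, encoder and decoder stay synchronized even though those characters bypass the substitution.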
A number of other implications of using privacy
transformations arise. For example, in the private
mode of terminal operation the system may provide
an end-to-end (terminal-to-processor) privacy transformation with a given work factor, independently
of the user's privacy requirements. If this work factor
is not acceptable to a user, he should be permitted
to introduce a preliminary privacy transformation
using his own key in order to increase the combined
work factor. If this capability is to be provided at
the terminal, there should be provisions for inserting
additional privacy-transformation circuitry.
Another, possibly necessary feature, might allow
the user to specify by appropriate statements whether
privacy transforms are to be used or not. This would
be part of a general set of "privacy instructions"
provided in the information-system operating programs. Each change from private to public mode,
especially when initiated from the terminal, should
be authenticated.
Files

While the above privacy-protection techniques
and access-control procedures for external terminals
and the communication network may greatly reduce
the threat of infiltration by those with no legitimate
access, they do not protect information against (1)
legitimate users attempting to browse in unauthorized
files, (2) access by operating and maintenance personnel, or (3) physical acquisition of files by infiltrators.
A basic aspect of providing information privacy to
files is the right of a user to total privacy of his
files - even the system manager of the information
center should not have access. Further, it should be
possible to establish different levels of privacy in
files. That is, it should be feasible to permit certain
of a group of users to have access to all of the company's files, while allowing others limited access to
only some of these files.
In this context certain standard file operations, such as file copying, would seem inappropriate if permitted in an uncontrolled manner, since it would be easy to prepare a copy of a sensitive file and maintain it under one's own control for unauthorized purposes. Similarly, writing into files should be
adequately controlled. For example, additions and
deletions to certain files should be authorized only
after proper authentication. It may even be desirable
to mount some files on drives with physically disabled
writing circuits.
Access control: Control of access to the files would
be based on maintaining a list of authorized users
for each file, where identification and authentication
of identity (at the simplest), is established by the
initial sign-in procedure. If additional protection is
desired for a particular file, either another sign-in
password or a specific file-access password is requested to reauthenticate the user's identity. The
file-access passwords may be maintained in a separate
list for each authorized user, or in a single list. If
the latter, the system would ask the user for a password in a specific location in the list (e.g., the tenth
password). Although a single list requires less storage
and bookkeeping, it is inherently less secure. Protection of files is thus based on repeated use of the
same requirements - identification and authentication - as for initial access to the system during signin. This protection may be inadequate, however, in
systems where privacy transformations are not used
in the communication net (i.e., "piggy-back" infiltration is still possible).
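The access-control scheme just described, an authorization list per file plus reauthentication by a password drawn from a specific position in the user's list, might be sketched as follows. All names and table contents here are hypothetical illustrations.

```python
# Hypothetical sketch of file access control: each file carries a list of
# authorized users, and the system reauthenticates by asking for the
# password at a randomly chosen position in the user's separate list.
import random

FILE_ACL = {"PAYROLL": {"jones", "smith"}}
USER_PASSWORDS = {"jones": ["APPLE", "RIVER", "STONE", "CLOUD"]}

def request_file(user, filename):
    """Return the 1-indexed position of the password the user must
    supply, or None if the user is not on the file's authorization list."""
    if user not in FILE_ACL.get(filename, set()):
        return None
    return random.randrange(len(USER_PASSWORDS[user])) + 1

def open_file(user, filename, position, password):
    """Grant access only if the user is authorized and supplies the
    correct password for the requested position."""
    return (user in FILE_ACL.get(filename, set())
            and USER_PASSWORDS[user][position - 1] == password)
```

Asking for a different position each time gives some of the benefit of once-only passwords, though, as noted above, a single shared list is inherently less secure than one list per authorized user.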
Physical vulnerability: An additional threat arises
from possible physical access to files. In particular,
the usual practice of maintaining backup files (copies
of critical files for recovery from drastic system failures) compounds this problem. Storage, transport, and
preparation of these files all represent points of
vulnerability for copying, theft, or an off-line print
out. Clearly, possession of a reel of tape, for example,
provides an interloper the opportunity to peruse the
information at his leisure. Applicable countermeasures are careful storage and transport, maintaining
the physical integrity of files throughout the system,
and the use of privacy transformations.
Privacy transformations: As at the terminals and in the communication network, privacy transformations could be used to protect files against failure
of normal access control or physical protection procedures. However, the engineering of privacy transformations for files differs considerably:
• Both the activity level and record lengths are
considerably greater in files;


• Many users, rather than one, may share a file;
• Errors in file operations are more amenable to
detection and control than those in communication links, and the uncorrected error rates
are lower;
• More processing capability is available for the
files, hence more sophisticated privacy transformations can be used;
• Many of the files may be relatively permanent
and sufficiently large, so that frequent changes
of keys are impractical due to the large amount of
processing required. Hence, transformations
with higher work factors could be used and keys
changed less frequently.
It follows that the type of privacy transformation
adequate for user-processor communications may be
entirely unacceptable for the protection of files.
The choice of privacy transformations for an information file depends heavily on the amount of file
activity in response to a typical information request,
size and structure of the file (e.g., short records,
many entry points), structure of the data within the
file, and on the number of different users. Since each
of these factors may differ from file to file, design of
a privacy system must take into account the relevant
parameters. For example, a continuous key for encoding an entire file may be impractical, as entry at
intermediate points would be impossible. If a complex
privacy transformation is desired, additional parallel
hardware may be required, since direct implementation by programming may unreasonably increase the
processing time. In order to provide the necessary
control and integrity of the transformation system,
and to meet the processing time requirements, a
simple, securely housed processor similar to a common input-output control unit might be used to implement the entire file control and privacy system.
The processor
The processor and its associated random-access
storage units contain the basic monitor program,
system programs for various purposes, and programs
and data of currently serviced users. The role of the
monitor is to provide the main line of defense against
infiltration attempts through the software system by
maintaining absolute control over all basic system
programs for input-output, file access, user scheduling, privacy protection, etc. It should also be able to
do this under various contingencies such as system
failures and recovery periods, debugging of system
programs, during start-up or shut-down of parts of
the system, etc. Clearly, the design of such a fail-safe
monitor is a difficult problem. Peters9 describes a
number of principles for obtaining security through
software.


Penetration attempts against the monitor or other system programs aim to weaken its control, bypass the application of various countermeasures, or degrade its fail-safe properties. Since it is unlikely
that such penetrations could be successfully attempted
from outside the processor facility, protection relies
mainly on adequate physical and personnel integrity.
A first step is to keep the monitor in a read-only store,
which can be altered only physically, housed under
lock and key. In fact, it would be desirable to embed
the monitor into the basic hardware logic of the processor, such that the processor can operate only under
monitor control.
Software integrity could be maintained by frequent
comparisons of the current systems programs with
carefully checked masters, both periodically and
after each modification. Personnel integrity must, of
course, be maintained at a very high level, and could
be buttressed by team operation (forming a conspiracy involving several persons should be harder
than undermining the loyalty of a single operator or
programmer).
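The comparison of current system programs against carefully checked masters could be sketched as below. This is an assumption-laden illustration: `hashlib` digests stand in for whatever comparison procedure or hardware a 1967-era installation would actually have used, and the program names and images are invented.

```python
# Sketch of software-integrity checking: digests of carefully checked
# master copies are recorded, and each installed program is compared
# against its master periodically and after every modification.
import hashlib

MASTER_DIGESTS = {
    "monitor": hashlib.sha256(b"MONITOR V1 CODE").hexdigest(),
    "file_io": hashlib.sha256(b"FILE IO V1 CODE").hexdigest(),
}

def verify(name, current_image):
    """True only if the installed program still matches its master;
    any patch or tampering changes the digest and fails the check."""
    return hashlib.sha256(current_image).hexdigest() == MASTER_DIGESTS[name]
```

The digest table itself must of course enjoy the same physical protection as the masters, for example, a read-only store under lock and key, as suggested for the monitor.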
Integrity management procedures must be augmented with measures for controlling the necessary accesses to the privacy-protection programs or devices, whether for insertion of passwords, keys, and authorization lists, or for maintenance. These may require
the simultaneous identification and authentication of
several of the information-center personnel (e.g., a
system programmer and the center "privacy manager"), or the use of several combination locks for
hardware-implemented privac