
Established 1845

SCIENTIFIC AMERICAN

December 1985

Volume 253, Number 6

The Development of Software for Ballistic-Missile Defense

What some call a "Star Wars" defense would depend on computers to control an unprecedentedly complex array of weapon systems. Developing reliable software for such a defense may be impossible

by Herbert Lin

"The ultimate goal of the Strategic Defense Initiative (SDI) is to eliminate the threat posed by nuclear ballistic missiles," according to the interim charter of the Strategic Defense Initiative Organization. To achieve the goal of comprehensive defense, the organization is empowered by the Department of Defense to manage research programs that examine the feasibility of developing technology for a ballistic-missile defense (BMD) to protect cities and military assets. Such a defense would destroy or incapacitate nuclear-warhead delivery systems on the way to their targets. A wide variety of defensive weapons might be employed. They include lasers, particle beams, electromagnetic railguns and nonexplosive "kinetic kill" vehicles.

The Strategic Defense Initiative Organization recognizes that the computer technology that would control individual weapons and coordinate their operation is of comparable importance to the development of the critical new interception technologies. The command-and-control system for a comprehensive ballistic-missile defense must be capable of flawlessly receiving and acting on information pertaining to thousands of missile launches, tens of thousands of warheads and hundreds of thousands of decoys. It must do all this within the half hour it would take for an intercontinental ballistic missile (ICBM) to travel from a launch site in the Soviet Union to a target in the U.S. Because the system must be highly automated, there would be virtually no time for human intervention to correct unexpected failures. For the most part the execution of a computer program would replace human decision making once the BMD system was engaged.

Before the U.S. makes a serious effort to develop software for such a system, three questions should be considered. What is the nature of a BMD system? What are the obstacles to BMD software development? Can these obstacles be circumvented?

The comprehensive defense system most often discussed by Strategic Defense Initiative Organization officials (and the system's critics) consists of four tiers. That is, the ballistic-missile defense would attack hostile missiles in each of the four phases of their flight. The phases are the boost phase, during which a multistage launch vehicle carries the payload through the atmosphere; the postboost phase, during which nuclear warheads in reentry vehicles and "penetration aids" such as decoys are sequentially released above the earth's atmosphere by a maneuverable "bus"; the midcourse phase, during which the reentry vehicles and decoys traverse the greater part of their trajectory, and the terminal phase, during which the warheads in their reentry vehicles penetrate the atmosphere and detonate at their assigned targets.

A four-tiered ballistic-missile defense gives the interceptors several opportunities to destroy the offensive weapons. Within each tier a defensive system must successfully detect and track targets before it can destroy them [see "Space-based Ballistic-Missile Defense," by Hans A. Bethe, Richard L. Garwin, Kurt Gottfried and Henry W. Kendall; SCIENTIFIC AMERICAN, October, 1984]. Computers and appropriate software are needed to coordinate operation of the defense and evaluate its effectiveness. This coordination process is called battle management. Although experts are still undecided as to how a battle-management system should be organized, a hypothetical structure might include "local" computers and software that are responsible for battle management within each defensive tier. Each tier's system would then be connected with the other tiers through a global battle-management system.

The software guiding battle management within a given defensive tier would control the local sensors and weapons. These sensors would locate and track potential targets and distinguish actual targets from decoys. This part of the software might create a "track file" that contains all the known information about each target. The software could then allocate defensive resources in a specific tier by coordinating the track-file information with the available weapons and the programmed rules of engagement, rules that determine under what circumstances targets are to be attacked. The global battle-management system would assess the extent and nature of an attack in progress and specify the rules of engagement for each tier. In order to prepare a local battle-management system to engage warheads that have leaked through preceding tiers, the global system might pass on track-file and sensor information obtained in the boost-phase tier to each succeeding defensive tier.

A ballistic-missile defense depends heavily on the software controlling it; defective software might lead to failure. Hence software development is a critical factor in attaining the objectives for which the system is designed.

Software development is an intellectual process that can be divided into distinct conceptual phases. These include planning, design, implementation, testing and debugging. In actual software-development projects the phases are not always carried out sequentially; for example, plans can change after a project has begun. Consequently developers may have to redesign a piece of software.

The first crucial area of software development is planning: the developer needs to determine what functions the software is to perform and to envision the different situations to which the software must respond. Specification, or deciding what action should be taken and at what time, becomes more difficult as a task grows in complexity. A simple example from everyday life makes the point. If the task is to count the number of people in a small audience, it is intuitively obvious how to proceed. If the audience consists of tens of thousands of people in a football stadium, the counting task requires much greater elaboration. For example, what defines the boundary of the stadium? How does one define a person? (Should the fetus in a pregnant woman be counted as a person?) Clearly, factors that appear infrequently and are therefore irrelevant in the first case may complicate the specification of a task as it grows in size.

The precise specification of what a ballistic-missile defense must do is a complicated task. For instance, the statement "Shoot down all Soviet missiles" is sufficient if the world contains only Soviet missiles and every Soviet missile should be shot down under all circumstances. But the world is not so simple. How can Soviet missiles be distinguished from non-Soviet missiles? What if a Soviet missile is headed for a target in East Germany? While these questions only scratch the surface of specification, they broach a fundamental problem developers will encounter, namely that it is often difficult to decide whether some particular aspect of


LEVEL OF EFFORT required for each of four stages in the development of software for a ballistic-missile defense (which would amount to some 10 million lines of programming code according to a Government study) is contrasted with the effort needed to produce the controlling software for a mainframe computer (500,000 lines of code). The stages are not strictly sequential; in actuality there is some overlap. Also, the final stage refers to testing and debugging before the product is delivered; once the system is "on line" further testing and debugging would be necessary. For each software-development project the bar at the left represents estimates based on highly optimistic assumptions; the bar at the right represents estimates based on less optimistic assumptions. The scaling function relating level of effort to program size is taken from Software Engineering Economics, by Barry W. Boehm.


be found and confidence in the operation of the system be assessed?

Two techniques are effective for assessing the trustworthiness of a software system. One technique is analytical. It requires that the program's correctness be proved by mathematically certifying that its output conforms to certain formally specified criteria when expected input data are received. Although proofs of program correctness help to ensure that a software system meets its theoretical specifications, they do not ensure that the system will fulfill its mission. Complete proofs are at least comparable in size to the programs they are trying to verify; analysts are thus faced with understanding a proof that is as complicated as the program itself. A program proof cannot guarantee the amount of time it will take for a system to complete "real-time computations" (a critical factor that will be discussed below), nor can it reveal the nature of the output when the system receives unanticipated input data. Finally, proofs of correctness cannot provide any promise that the actual program specifications themselves are correct.

A more important assessment technique is empirical testing. Clearly a ballistic-missile defense cannot be subjected to a large-scale empirical test under realistic conditions. The cost of such a test would be staggering. Of greater concern, however, is the fact that the Soviet Union could not confidently distinguish between the launching of a large number of test missiles and an actual U.S. nuclear attack. System developers must therefore fall back on more limited types of empirical testing: small-scale testing, in which a BMD system would be tested against a few missiles, and simulation testing, in which a computer would mimic large-scale threats to the targets a BMD system protects. Some experts maintain that such tests make actual large-scale ones unnecessary. Although such tests do increase confidence, they cannot ensure that the mission of a comprehensive ballistic-missile defense will be accomplished.

Problems that arise from integrating individual components into an effective system often appear only when the complete system is tested near its limits, something that cannot be done in small-scale tests. A case in point is the World Wide Military Command and Control System (WWMCCS), a communication network used by civilian and military authorities to coordinate and transmit information to and from U.S. military forces in the field. During routine operations, when the message


COMMUNICATION LINKS between sensors, weapons and computers are crucial in a ballistic-missile-defense (BMD) battle-management system. The sensors and weapons that constitute a "layer" of defense would be placed under the control of a "local" battle-management computer. Such a battle-management system would locate and track potential targets, identify actual targets among the debris and decoys, assign its weapons to specific targets at specific times and assess whether the target was successfully destroyed. All relevant information concerning the targets that have been engaged would then be placed on a "track file" and passed on to the next local battle-management system as well as a global battle-management system. The global system would be in constant communication with all local systems. For each of them it would specify the precise circumstances under which given targets could be attacked, transmit track-file information and coordinate actions to protect the BMD system itself. In addition the global battle-management computer would receive the first warning that an attack was under way. The network diagrammed here could be severely disrupted by an attack on the single vertex: the global battle-management system. Such vulnerability could be minimized through redundancy.
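
The single-vertex weakness described in the caption above can be checked mechanically. The following is an added example, not part of the original article: it models the caption's network with constructed node names (an assumption, since the diagram itself is not reproduced here) and tests, by removing each vertex in turn, which ones split the surviving network, first with one global battle-management system and then with a redundant pair.

```python
from collections import deque

TIERS = ["boost", "postboost", "midcourse", "terminal"]  # the four defensive tiers

def build_network(global_nodes=("global",)):
    """Constructed topology following the caption; all node names are assumptions."""
    edges = set()
    for i, tier in enumerate(TIERS):
        local = f"local:{tier}"
        edges.add((local, f"sensors:{tier}"))   # local system controls its sensors
        edges.add((local, f"weapons:{tier}"))   # ... and its weapons
        if i + 1 < len(TIERS):                  # track file passed to the next tier
            edges.add((local, f"local:{TIERS[i + 1]}"))
        for g in global_nodes:                  # global talks to every local system
            edges.add((g, local))
    for g in global_nodes:                      # first warning arrives at the global level
        edges.add((g, "early-warning"))
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def reachable(graph, start, removed):
    """Breadth-first search from start over the graph with one vertex removed."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt != removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def single_points_of_failure(graph):
    """Vertices whose loss disconnects the rest of the network (brute-force check)."""
    spof = set()
    for v in graph:
        rest = [n for n in graph if n != v]
        if rest and len(reachable(graph, rest[0], v)) < len(rest):
            spof.add(v)
    return spof

if __name__ == "__main__":
    for label, nodes in (("single global", ("global",)),
                         ("redundant globals", ("global-a", "global-b"))):
        print(label, sorted(single_points_of_failure(build_network(nodes))))
```

In this model, duplicating the global vertex removes it from the result, while each local battle-management computer still isolates its own tier's sensors and weapons when lost.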
