I conjecture the following based on our experience in building KeyKos and observations at Agorics.

Component Specs as an Implementation Tool

In KeyKos we did virtually nothing in the line of code reviews. Yet we produced very reliable software some of which had to run for years without a single failure. I see two explanations that seem significant here: Here I mention some important variances in KeyKos practice, from the above idealization.

We were most fortunate to have Doug Englebart's group join Tymshare about the time that real Gnosis development began. The Augment hyper-text technology came to Tymshare with him. From my previous experience on the 940 operating system I had already gained respect for a clear description of the operating system interface to support the far-flung 940 developers.

IBM's Principles of Operation for the 370 was an exceptionally clear interface description which we per-force became closely acquainted with. It seemed natural that we should aspire to the same degree of clarity and completness in the function that we were building. Indeed we considered Gnosis to an extension of the hardware.

I think that we approached the precision of the POP but not the clarity. Experienced Gnosis programmers would seldom disagree about the meaning of a specification. It was seldom necessary to specify that some feature was unspecified. (The 370 would go to great lengths to specify the bounds within which unspecified results could vary!) It is the only machine specification that I have seen that spells out that the noise produced by indeterminate user mode instructions, is not some else's secrets!