Engineering Philosophy: Margaret Hamilton

Margaret Hamilton, lead Apollo flight software engineer

Key Takeaways

She coined the term “software engineering” to win the discipline its legitimacy. While leading the Apollo flight-software effort at the MIT Instrumentation Laboratory, Margaret Hamilton began calling the work “software engineering” – deliberately, to argue that writing the code that flew people to the Moon deserved the same rigor and respect as hardware and systems engineering, at a time when software was treated as an afterthought.¹²
Her software saved the Apollo 11 landing when the guidance computer threw the 1202 and 1201 alarms. During final descent, a misconfigured rendezvous-radar switch fed the Apollo Guidance Computer spurious work it should never have had, and the executive ran out of memory to schedule it – the famous 1202 (“no core sets”) and 1201 (“no VAC areas”) alarms. Because Hamilton’s team had built the software with priority scheduling and restart protection, the computer shed the low-priority radar jobs, kept the landing-critical guidance running, and the landing succeeded.³⁴⁵
Her defining commitment is defensive design: engineer for the failure case, because there is no second chance. “There was no second chance. We knew that,” she said of Apollo.² Error detection, recovery, asynchronous priority scheduling, and human-in-the-loop displays were not features bolted on after the happy path worked – they were the design center, the reason the software degraded gracefully instead of crashing.⁶
She built correctness in from the start – “Development Before the Fact.” After Apollo she founded Higher Order Software (1976) and Hamilton Technologies (1986), developing the Universal Systems Language (USL) and a methodology for designing systems so that whole classes of error are impossible by construction rather than caught by testing. She received the NASA Exceptional Space Act Award (2003) and the Presidential Medal of Freedom (2016).¹⁶

The Principle

“There was no second chance. We knew that. We took our work seriously, many of us beginning this journey while still in our 20s.” – Margaret Hamilton, on the Apollo flight software²

Most engineering optimizes for the case where everything works. You build the happy path, handle a few errors you can imagine, and ship – and when something breaks in production, you patch it and redeploy. That loop is the comfort that almost all software lives inside: the failure is recoverable because there is always a next chance. Hamilton’s work started from the opposite premise. The software she led was going to fly three people a quarter-million miles from Earth and land two of them on the Moon, and there was no patch, no redeploy, no next chance. It had to work the first time, under conditions no one could fully rehearse, on a computer with less memory than a greeting card that plays a tune.² When the cost of a single uncaught error is the crew, “engineer for the failure case” stops being good advice and becomes the entire job.

The principle that follows is defensive design as the design center, not the cleanup. If the software must survive the unexpected, then detecting errors, recovering from them, and degrading gracefully cannot be features you add once the working path is done – they have to be the skeleton the working path hangs on. Hamilton’s team built the Apollo software so that the computer could notice it was being asked to do more than it could, throw out the work that did not matter, restart cleanly into a known-good state, and keep doing the one thing that would kill the crew if it stopped. The system was not built to avoid every failure – on a machine that small, against a mission that unforgiving, you cannot. It was built so that when failure came, the failure was survivable.³⁶

There is a second half to the principle, and it is the one that makes the first half real: build correctness in from the start rather than testing bugs out at the end. Detecting and recovering from an error at runtime is the last line of defense; the deeper discipline is designing the system so that whole categories of error cannot occur in the first place. Hamilton spent the second half of her career formalizing exactly this – a methodology she called “Development Before the Fact,” and a language built to make interface errors structurally impossible.⁶ The two halves are one idea seen from two distances: when there is no second chance, you defend at runtime and you make the failure unrepresentable at design time, because the only error you can fully trust is the one the system was never able to make.

Context

Margaret Hamilton was born Margaret Heafield on August 17, 1936, in Paoli, Indiana.¹ She studied mathematics at Earlham College, earning her degree in 1958 with a minor in philosophy – a combination that shows up later in how she thought about systems as much as code.¹ She did not arrive at Apollo through a computer-science pipeline, because in the late 1950s there was no such thing; she arrived through mathematics and through the work itself.

Her first programming was real-world and high-stakes from the start. In 1959 she began working in MIT’s meteorology department with Edward Lorenz – the founder of chaos theory – writing weather-prediction software on the LGP-30 and PDP-1.¹ From roughly 1961 to 1963 she worked on the SAGE project at MIT Lincoln Laboratory, writing software for the AN/FSQ-7 computer that the U.S. Air Force used to detect incoming aircraft.¹ SAGE was one of the first large real-time, fault-sensitive software systems ever built, and the reputation she earned there – for taking on the hardest, most failure-prone code – is what brought her to Apollo.

In 1965 she joined the MIT Instrumentation Laboratory (later Draper Lab), which held the contract to build the onboard flight software for NASA’s Apollo program. She rose to direct the Software Engineering Division, leading the team responsible for the on-board flight software that ran on the Apollo Guidance Computer in both the command module and the lunar module.¹ It was here, in the middle of that work, that she began using the term “software engineering” – not as a buzzword but as an argument. As she put it, she used the term “to distinguish it from hardware and other kinds of engineering, yet treat each type of engineering as part of the overall systems engineering process.”¹ Software, she insisted, was a discipline that deserved a name and the rigor that came with one. After Apollo she founded Higher Order Software in 1976 and Hamilton Technologies in 1986, where she developed the Universal Systems Language and the “Development Before the Fact” methodology.¹⁶

The Work

The Apollo 11 1202 alarm: priority scheduling and restart protection

Start here, because it is the principle made mechanism under the worst possible pressure. The Apollo Guidance Computer was a tiny machine – a few tens of kilobytes of memory, no operating system in the modern sense – running a real-time executive that Hamilton’s team designed. To run a job, the executive had to find free memory: a “core set” (a small block for the job’s state) and, for jobs that did floating-point work, a “VAC area.”⁴ If a job was scheduled and no core set was free, the executive branched to its alarm routine and raised alarm 1202; if no VAC area was free, it raised 1201.⁴ These were not crash codes. They were the executive announcing that it had been asked to do more than it had capacity for – and then doing something about it.

During the final minutes of the Apollo 11 descent, that is exactly what happened. The astronaut checklist had the crew leave the rendezvous radar switch in the wrong position, which caused the radar to steal processor cycles and made the executive repeatedly schedule data-processing jobs that should never have been running.³⁴ The spurious work consumed all the free memory, and the 1202 alarm fired – then fired again, and the 1201 alarm too, four times in the seconds before touchdown. A naive computer asked to do everything would have tried to do everything, fallen behind on the one job that mattered, and frozen. Hamilton’s did not.

Two design decisions saved the landing. The first was priority scheduling: the executive ran jobs by priority and could shed the lowest-priority work, so the landing-critical guidance and the crew display (DSKY) always ran while the junk radar jobs got starved.³⁵ The second was restart protection: each alarm triggered a software restart that cleared the overloaded job queue and rebooted into a known-good state, restarting “the important stuff, like steering the descent engine and running the DSKY,” but not restarting the erroneously-scheduled radar jobs.⁴⁵ The computer effectively threw away the noise, kept flying the spacecraft, and told the crew it was handling it – which is why Mission Control could call “go” on an alarm that, on a lesser design, would have meant abort.

Interactive Apollo priority-scheduler demo (requires JavaScript). During the Apollo 11 landing the guidance computer was suddenly flooded with work it should not have had -- a misconfigured rendezvous radar stole cycles -- and it threw the famous 1202 alarm. A naive computer would have tried to do everything, fallen behind on the one job that mattered, and frozen. Margaret Hamilton's software was built differently: an asynchronous executive that scheduled by priority and could restart, shedding low-priority work so the landing-critical guidance task always ran. Toggle between a naive scheduler and Hamilton's priority executive, trigger the radar overload, and watch one freeze while the other sheds the noise and keeps flying.

Why it matters as engineering: the alarm was not the failure – it was the failure handling working as designed. The team had built the executive to expect overload, to triage under it, and to recover from it, and they had tested that recovery so thoroughly that controllers trusted it under the most pressure any software has ever been under. That is the whole doctrine in one moment: failure was assumed, the failure case was the design center, and the system degraded to “do only the thing that keeps the crew alive” instead of falling over. The same instinct lives today in every priority queue that sheds load, every supervisor that restarts a crashed worker into a clean state, every system that is built to survive being overwhelmed.

Coining “software engineering” and the fight for legitimacy

The 1202 story is famous; the naming is arguably more consequential. In the 1960s, software was widely treated as the soft, unserious sibling of “real” engineering – something you figured out after the hardware was designed, not a discipline with its own rigor. Hamilton refused that framing. Inside Apollo she began deliberately calling the work “software engineering,” and she was explicit about why: to “distinguish it from hardware and other kinds of engineering, yet treat each type of engineering as part of the overall systems engineering process.”¹ The point was not vocabulary. The point was standing. If the code that flew the mission was engineering, then it deserved engineering’s discipline: specifications, reviews, testing, traceability, and the expectation that it be made correct, not merely made to run.

She has said the term was met with amusement at first – the idea that software could be “engineering” struck people as a stretch.¹ But the legitimacy she was fighting for was load-bearing. You cannot demand that a team design for the failure case, build error recovery into the bones of a system, and treat correctness as non-negotiable if the work is regarded as casual scripting that someone will clean up later. Naming the discipline was the precondition for holding it to a standard. By the end of the decade the term had escaped MIT and become the name of a field; today “software engineering” is so ordinary it is invisible, which is the surest sign the argument was won.¹²

Margaret Hamilton in the Apollo command module mock-up at MIT, 1969

Defensive design: the “Lauren bug” and engineering against the human

If you want the clearest window into how Hamilton thought, it is the “Lauren bug.” Her young daughter Lauren sometimes came to the lab and played astronaut on the command-module simulator, and one day she crashed it – by selecting P01, the prelaunch program, while the simulated spacecraft was already mid-flight to the Moon.⁷ Loading prelaunch initialization in mid-course wiped the navigation data and left the computer lost. Hamilton’s instinct was not “no astronaut would ever do that.” It was: if the simulator let a child do it, the software permitted it, and anything the software permits will eventually happen. She proposed adding error-detection code to guard against selecting P01 in flight.⁷

She was overruled – told that astronauts were trained professionals who would never make such a mistake – and allowed only to add a note to the documentation.⁷ Then, on the very next mission, Apollo 8, Jim Lovell did exactly what Lauren had done, selecting P01 mid-flight and wiping the navigation data on humanity’s first trip around the Moon.⁷ After that, the fix went in. The lesson Hamilton drew, and repeated, is the heart of defensive design: you cannot decide a failure “can’t happen” and design as if it won’t. The astronaut, the radar switch, the operator at 3 a.m. – the system has to be robust against the human in the loop, not protected from blame by assuming the human will be perfect. Her priority displays embodied the same idea from the other direction: keep the human informed and in control, so that when the computer triaged under overload, the crew understood what it was doing and could decide.⁶

Margaret Hamilton receiving the Presidential Medal of Freedom in 2016

Higher Order Software, USL, and “Development Before the Fact”

Apollo taught Hamilton where errors come from, and she spent the rest of her career attacking them at the root. Studying the Apollo errors, she observed that a large share of them lived not inside individual modules but in the interfaces between them – the places where one piece of software handed data to another and the assumptions did not quite match. At Higher Order Software (1976) and then Hamilton Technologies (1986), she built a body of work around eliminating those errors by construction rather than catching them by test.¹⁶

The methodology is called “Development Before the Fact.” The name is the thesis: instead of building a system and then hunting for defects after the fact, you define it – using a formal system, the Universal Systems Language (USL) – so rigorously that whole classes of error, especially interface and integration errors, are structurally impossible. The model is provably consistent, and correct code can be generated from it, so the defect is prevented at design time instead of discovered at runtime.⁶ It is the same conviction as the Apollo executive, pushed one level deeper: runtime recovery is the safety net, but the real win is a system that was never able to make the error in the first place. Most of the industry still runs the opposite loop – ship, find bugs, patch – which is exactly the loop Hamilton spent thirty years arguing was backwards when correctness actually matters.

The Method

Read across the Apollo executive, the coinage of “software engineering,” the Lauren bug, and Development Before the Fact, and the same commitments recur. Hamilton’s method is less a slogan than a set of standing habits.

Design for the failure case first – there is no second chance. The Apollo executive was not a scheduler with overload handling bolted on; surviving overload was the design, because a frozen computer over the Moon killed the crew.³⁴ The lesson transfers far past spaceflight: enumerate how the system fails before you write the path where it works, and let the working path fall out of a structure that already survives the failures. It is the evidence gate applied to reliability – “it works in the simulator” is not evidence; “it sheds load and keeps flying when the radar floods it” is – the same standard for graceful degradation that Werner Vogels made the founding premise of the cloud decades later.

Assume the human will do the impossible thing. The Lauren bug is the rule in miniature: if the system permits a dangerous action, someone – a child, an astronaut, a tired operator – will eventually take it, so “no one would ever do that” is not a defense.⁷ The standing habit is to guard the boundary against the input you were assured could never arrive, because the failures that hurt most are the ones you decided in advance could not happen. This is the same robustness-against-the-adversary instinct Radia Perlman built into routing that stays correct even when nodes lie.

Triage under load – shed the unimportant, protect the critical. When the executive ran out of memory, it did not try to serve every request; it ran the highest-priority jobs and starved the rest, then restarted clean.³⁵ The discipline is to decide in advance what the one thing is that must never stop, and to build the system so that under pressure it sacrifices everything else to keep that one thing running. A system with no priority is a system that fails at the worst moment because it treated the crew display and the junk radar job as equals.

Build correctness in, do not test it in. Development Before the Fact is the refusal of the ship-then-debug loop: define the system so the error cannot be expressed, rather than building it and hunting the error afterward.⁶ The lesson is that the cheapest, most trustworthy defect is the one the design made impossible – the same conviction that Barbara Liskov turned into type discipline and abstraction, and that Leslie Lamport turned into specifying correctness precisely before writing the code. It is quality is the only variable made into a workflow: correctness is not a phase at the end, it is the shape of the thing from the start.

Name the discipline so you can hold it to a standard. Calling the work “software engineering” was the act that licensed everything else – specifications, reviews, the expectation of rigor.¹ The standing habit is to insist that the work has a name and a standard, because you cannot demand craft of something the organization regards as disposable. It is the spirit of minimum worthy product: the thing is worth doing properly, so you do it properly, and you make the case out loud that properly is the only acceptable way.

Influence Chain

Who Shaped Her

The mathematics-and-real-time tradition at MIT. Hamilton came up through mathematics and through SAGE – one of the first large real-time, failure-sensitive software systems – and through weather modeling with Edward Lorenz, the founder of chaos theory.¹ That grounding shows: she thought about software as a system that had to stay correct under conditions no one could fully predict, long before she got to Apollo. (Formative influence)

The unforgiving discipline of spaceflight itself. The Apollo mission was the teacher as much as any person. A domain where a single error costs the crew, where there is no patch and no second chance, forces a way of working – defend the failure case, recover at runtime, prevent the error at design time – that ordinary software never demands.² The constraint shaped the philosophy. (Direct influence)

The systems-engineering culture of the Apollo program. Working inside a program where her software had to integrate with hardware, mission control, and human procedure pushed her to see software as one engineering discipline among several – which is precisely the framing behind her coinage of “software engineering” as part of “the overall systems engineering process.”¹ (Formative influence)

Who She Shaped

The discipline of software engineering itself. By naming the field and arguing for its rigor from inside the highest-stakes software project of its era, Hamilton helped turn programming from an afterthought into an engineering discipline with specifications, reviews, and the expectation of correctness.¹²

Every fault-tolerant real-time system. Priority scheduling, load shedding, restart-into-known-good-state, and human-in-the-loop displays – the patterns the Apollo executive used to survive the 1202 alarm – are now the standard vocabulary of resilient systems, from flight control to the supervisors that keep web services alive under overload.³⁶

Formal, correct-by-construction methods. Development Before the Fact and the Universal Systems Language are part of the lineage that argues correctness should be designed in and provable, not tested in after the fact – an argument that runs through formal methods and model-driven development to this day.⁶

The Throughline

Hamilton is the origin point of the reliability lineage in this series – the place where “engineer for the failure case” stopped being a preference and became a non-negotiable, because lives rode on it, decades before the rest of the field caught up. Werner Vogels built the cloud on “everything fails all the time” and designed for graceful degradation at planetary scale; Hamilton designed for graceful degradation on a computer the size of a briefcase, with a crew on top of it, and proved the doctrine works when there is genuinely no second chance.³ Radia Perlman built networks that heal themselves and stay correct even when nodes lie; Hamilton’s executive healed itself in real time over the Moon, restarting clean and shedding the lies the broken radar fed it.⁴ And Leslie Lamport made correctness something you define precisely and prove before you build – which is exactly what Development Before the Fact reaches for, a generation earlier and aimed at the same target.⁶ Where Vogels says everything fails, so stay available through it and Perlman says build it to heal itself, Hamilton said it first and hardest: there is no second chance, so engineer for the failure before it happens, recover from it when it does, and build the system so the worst errors were never possible at all. (Series bridge)

What I Take From This

The lesson I keep from Hamilton is to build as if there is no second chance, even when there obviously is one. Almost everything I ship lives inside the comfort she did not have: if it breaks, I push a fix. That safety net is real, and it quietly lowers the bar – it lets me ship the happy path and tell myself I will handle the failure case later, because later exists. Apollo is the rebuke. When you genuinely cannot patch it, you discover that “handle the failure later” was never engineering at all; the failure case is the engineering, and the working path is just what is left over once the system already survives being broken. So when I build something now – a job that can be flooded, an API that can be called wrong, a path that can be taken at the wrong time – I try to ask “what is the radar switch in the wrong position here, and does this shed it and keep flying?” before I ask whether the happy path works. A system that only survives correct input is a system I have not finished.

The second lesson is that the most trustworthy error is the one the design made impossible. The Lauren bug stays with me because Hamilton was right and was overruled by “no one would ever do that” – and the universe immediately did that, on the next mission. My instinct is to catch errors at runtime, to wrap the dangerous call in a guard and move on. Hamilton’s deeper move, the one she spent thirty years on, is to design the system so the dangerous call cannot be made – to make the bad state unrepresentable rather than merely detected. Runtime recovery is the net; building correctness in is the floor you stand on so you do not need the net. I cannot always reach that bar, but it reframed the goal: the question is not only “will I catch this when it goes wrong?” but “can I shape this so it cannot go wrong in the first place?” – and the second question, when I can answer it, is always the better one.

FAQ

Did Margaret Hamilton coin the term “software engineering”?

Margaret Hamilton is widely credited with coining – or at least popularizing – the term “software engineering,” which she began using while leading the Apollo flight-software effort at the MIT Instrumentation Laboratory in the 1960s.¹² She used it deliberately to argue that writing software deserved the same legitimacy and rigor as hardware and other engineering disciplines, explaining that she wanted “to distinguish it from hardware and other kinds of engineering, yet treat each type of engineering as part of the overall systems engineering process.”¹ At the time the idea that software could be “engineering” was met with some amusement; today the term is so standard it is invisible, which is the measure of how thoroughly the argument was won.¹

What were the 1202 and 1201 alarms during Apollo 11?

They were program alarms raised by the Apollo Guidance Computer’s executive during the final minutes of the lunar descent. A misconfigured rendezvous-radar switch caused the radar to steal processor cycles and made the executive repeatedly schedule data-processing jobs that should not have been running, which consumed all the free memory.³⁴ When no memory “core set” was available the executive raised alarm 1202; when no “VAC area” was available it raised 1201.⁴ The alarms were not crashes – they were the executive reporting it had been asked to do more than it could and then triaging. Because the software used priority scheduling and restart protection, it shed the spurious radar jobs, restarted into a known-good state, kept the landing-critical guidance and crew display running, and the landing succeeded.³⁵

What did Margaret Hamilton do for the Apollo program?

Hamilton joined the MIT Instrumentation Laboratory in 1965 and rose to direct the Software Engineering Division responsible for the on-board flight software that ran on the Apollo Guidance Computer in both the command module and the lunar module.¹ Her team designed the real-time executive with asynchronous priority scheduling, restart protection, error detection and recovery, and priority displays that kept the astronauts informed and in control – the architecture that allowed the Apollo 11 computer to survive the 1202 alarm and complete the landing.³⁶ Her Presidential Medal of Freedom citation credits her with contributing “concepts of asynchronous software, priority scheduling and priority displays, and human-in-the-loop decision capability, which set the foundation for modern, ultra-reliable software design and engineering.”⁶

What is “Development Before the Fact”?

“Development Before the Fact” is the systems methodology Hamilton developed at Higher Order Software and Hamilton Technologies after Apollo, built around her Universal Systems Language (USL).¹⁶ Its thesis is that instead of building a system and then hunting for defects “after the fact” through testing, you define the system so rigorously and formally that whole classes of error – especially the interface and integration errors she found dominated the Apollo defects – are structurally impossible by construction.⁶ The model is provably consistent and correct code can be generated from it, so the defect is prevented at design time rather than discovered at runtime. It is the formal-methods expression of her Apollo conviction: the most trustworthy error is the one the system was never able to make.

Sources

“Margaret Hamilton (software engineer),” Wikipedia. Born Margaret Heafield, August 17, 1936, in Paoli, Indiana; BA in mathematics (minor in philosophy) from Earlham College, 1958. Began programming in 1959 in MIT’s meteorology department with Edward Lorenz (LGP-30, PDP-1); worked on the SAGE project at MIT Lincoln Laboratory (~1961-1963) writing software for the AN/FSQ-7. Joined the MIT Instrumentation Laboratory in 1965; directed the Software Engineering Division developing the on-board flight software for NASA’s Apollo program (Apollo Guidance Computer, command and lunar modules). Credited with coining/popularizing the term “software engineering,” which she used “to distinguish it from hardware and other kinds of engineering, yet treat each type of engineering as part of the overall systems engineering process.” Founded Higher Order Software (1976) and Hamilton Technologies (1986); developed the Universal Systems Language (USL) and the “Development Before the Fact” methodology. Received the NASA Exceptional Space Act Award (2003) and the Presidential Medal of Freedom (2016). ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
“Scene at MIT: Margaret Hamilton’s Apollo code,” MIT News, August 17, 2016. Discusses the iconic 1969 photograph of Hamilton standing beside the stack of Apollo flight-software listings (taken by an Instrumentation Laboratory staff photographer; the listings were the LM and CM on-board flight software her team produced), and notes she “has been credited with popularizing the concept of software engineering.” Quotes Hamilton on the stakes of the work: “There was no second chance. We knew that. We took our work seriously, many of us beginning this journey while still in our 20s.” ↩↩↩↩↩↩↩↩
“Margaret Hamilton,” NASA Science. Describes Hamilton’s leadership of the Apollo on-board flight software at the MIT Instrumentation Laboratory and the Apollo 11 landing: during final descent the guidance computer became overloaded and threw the 1202 (and 1201) alarms because a misconfigured rendezvous-radar switch fed it spurious work; because the software was designed with priority scheduling that could identify the most important tasks and let them run uninterrupted while shedding lower-priority work, the computer recovered and the landing succeeded. ↩↩↩↩↩↩↩↩↩↩↩
“Apollo 11 Lunar Surface Journal: Program Alarms,” NASA Apollo Lunar Surface Journal. Technical account of the 1201/1202 alarms during the Apollo 11 descent. The Apollo Guidance Computer executive scheduled jobs by finding free “core sets” (12-word blocks) and “VAC areas” (44-word blocks); “if there were no VAC areas available, the program would branch to the Alarm/Abort routine and set Alarm 1201. Similarly, if no core sets were available, the program would branch to Alarm/Abort and set Alarm 1202.” A misconfigured rendezvous-radar switch caused spurious radar jobs to be scheduled repeatedly, exhausting the available scheduling memory. Rather than crash, the computer rebooted and “restarted the important stuff, like steering the descent engine and running the DSKY to let the crew know what was going on, but did not restart all the erroneously-scheduled rendezvous radar jobs.” ↩↩↩↩↩↩↩↩↩
“Margaret H. Hamilton: Apollo Computer Programmer,” Space.com. Account of Hamilton’s Apollo work and the 1202/1201 alarms: the rendezvous-radar switch left in the wrong position overloaded the CPU during the landing, but the software, intentionally designed with priority scheduling and restart capability, cleared its job queue and restarted, running only the highest-priority tasks (guidance, descent-engine steering, crew display) until the landing completed. ↩↩↩↩↩
“President Obama Names Recipients of the Presidential Medal of Freedom,” The White House (Office of the Press Secretary), November 16, 2016. Margaret Hamilton’s citation: “Margaret H. Hamilton led the team that created the on-board flight software for NASA’s Apollo command modules and lunar modules.” It credits her contributions to “concepts of asynchronous software, priority scheduling and priority displays, and human-in-the-loop decision capability, which set the foundation for modern, ultra-reliable software design and engineering.” (Her post-Apollo work – Higher Order Software, Hamilton Technologies, the Universal Systems Language, and the “Development Before the Fact” methodology of building correctness in by construction – is documented in the Margaret Hamilton Wikipedia article cited above.) ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
“In Their Own Words: Margaret Hamilton on Her Daughter’s Simulation,” Hack the Moon (MIT / Draper). Hamilton’s account of the “Lauren bug”: her young daughter Lauren, playing on the command-module simulator, crashed it by selecting P01 (the prelaunch program) during a simulated mid-course flight to the Moon, which wiped the navigation data. Hamilton proposed adding error-detection code to prevent selecting P01 in flight but was overruled on the grounds that trained astronauts would never make such an error; she was permitted only to add a note to the documentation. On the next mission, Apollo 8, Jim Lovell selected P01 in flight and wiped the navigation data, after which the fix was incorporated. Hamilton called it “the Lauren bug.” ↩↩↩↩↩