

Describes how the Cleanroom software development methodology can be applied to programs in the Python language.

This publication is available in Web form and also as a PDF document. Please forward any comments to

Table of Contents

1. Origins of the Cleanroom methodology
1.1. Are we serious about attaining zero defects?
2. The contract-based approach to program construction
2.1. Skills you will need
3. Stepwise refinement
3.1. The HIPO model: nested black boxes
3.2. Design factoring and separation of concerns
4. Cleanroom overview
5. Intended function notation
5.1. Simple intended functions
5.2. Preconditions: The other side of the contract
5.3. Compound intended functions
5.4. Useful metaphors: identity and “anything”
5.5. Special forms for intended functions
5.6. Intended function examples
5.7. The “let” convention
5.8. Specification functions
6. Proof rules and the stepwise refinement process
6.1. The sequence rule
6.2. The alternation rule
6.3. The definite iteration rule
6.4. The while loop rule
7. Standards for the review of intended functions
8. Trace tables
8.1. Trace table for sequence
8.2. Trace table for alternation
8.3. Trace table for definite iteration
8.4. Trace table for while loops
8.5. Insuring case coverage
9. Additional principles for object-oriented programming
10. The peer review process
10.1. Guidelines for reviewers
10.2. Peer review guidelines for the author
11. Testing
11.1. Treasure your mistakes, don't bury them!

1. Origins of the Cleanroom methodology

The idea of zero-defect development addresses quality issues by seeking to prevent the initial introduction of defects into a design, rather than trying to find and repair them later.

Cleanroom software engineering is a zero-defect methodology developed by IBM Federal Systems Division for use in the project that developed onboard software for the Space Shuttle.

The author learned the method from Dr. Allan M. Stavely, whose book Toward Zero-defect Programming describes the method in general. This work describes how the author has applied this methodology to the construction of programs in the Python programming language.


If you want more effective programmers, you will discover that they should not waste their time debugging, they should not introduce the bugs to start with.

 -- Edsger W. Dijkstra, “The Humble Programmer,” Comm. ACM 15(10), Oct. 1972: pp. 859–866.

The term “cleanroom” is an analogy to the cleanrooms used in integrated circuit fabrication, where contaminants are kept out during manufacture rather than cleaned off the finished part: it is better to write the code without defects in the first place than to try to find and remove them later.

1.1. Are we serious about attaining zero defects?

Zero defects is a goal. Where humans are involved, though, we can hope only to come close. Our defect rates will never be zero. We would, however, like them to be asymptotic to zero.