DO-178B certification challenges for real-time Java applications

By John McHale

 

Every software engineer working on avionics systems has to deal with certifying their code to the Federal Aviation Administration's DO-178B safety certification standard. The process is required for any aircraft that flies in civilian airspace and can be quite costly.

 

Real-time operating system (RTOS) designers at companies such as Green Hills Software in Santa Barbara, Calif., LynuxWorks in San Jose, Calif., and Wind River Systems in Alameda, Calif., have been successful at certifying respective RTOSes to DO-178B, but certifying real-time Java to DO-178B still has challenges.

 

"DO-178B has not offered a straightforward path for certifying Java or any other object-oriented code," says Nat Hillary, field applications engineer at LDRA. "DO-178C, scheduled to be released in quarter 1 of 2011, offers guidance for certifying object-oriented code to the DO-178C standard. The maturity of Java for embedded devices and the soon-to-be-released standard offered good timing for LDRA to announce a Java version of its tool suite.

 

"There are two fundamental challenges to certifying Java," Hillary says. "The first is the fact that it is dependent on a run-time environment, so it is not possible to certify the program itself; the program needs to be certified in concert with the Java run time. The second is the standard issues of verifying and documenting the actual source code of the program under development. LDRA can specifically help with the latter aspect."

 

"The biggest challenge is that standard Java, as a modern programming language, supports very high levels of abstraction," says Kelvin Nilson, chief technology officer for Java technology at Atego in San Diego. "While this abstraction makes it easy for developers to create and maintain data processing software, the abstraction complicates safety certification because each line of Java code can represents a large amount of functionality, all of which needs to be carefully scrutinized in the certification effort. 

 

"The JSR-302 expert group is defining a simpler subset of Java that enables more economical certification of safety-critical Java applications," Nilson continues. "Intended to decrease impact on mainstream Java developers, the key changes from traditional Java are no automatic garbage collection because all temporary objects will be allocated on a run-time stack instead of from a garbage collected heap; significant pruning of the standard Java libraries available to developers of safety-critical Java applications; no dynamic class loading; and precise semantic requirements on task scheduling and task synchronization. 

 

"As with C, C++, and Ada, any Java implementations used in avionics systems has to go through the same level of testing rigor, including the use of coverage analysis to assess overall test effectiveness," Hillary says. "This is complicated by the object oriented data types and constructs that are available within Java, so it is imperative that any verification and/or coverage analysis process and/or solution have full awareness of the language and object-oriented concepts. To date, there's no official safety-critical Java standard. A standard is under development for safety-critical Java which will complement well the DO-178C object-oriented guidelines."

 

"The safety-critical Java specification also introduces certain capabilities not supported by traditional Java, such as the ability to directly read and write I/O ports, and the ability to implement first-level interrupt handlers in Java," Nilson says. "However, the key challenges in certifying Java for DO-178B are that it is too big and too abstract, and these challenges are being effectively addressed in the emerging JSR-302 standard."

 

"Atego's PERC Pico product is based on the anticipated JSR-302 standard for safety-critical development with Java," Nilson says. "As such, it uses safe stack allocation instead of a garbage collected heap, has a small subset of the standard Java libraries, and implements enhanced capabilities such as interrupt handling and access to device I/O registers. Because of its simpler execution model, PERC Pico runs over twice as fast as traditional Java on common benchmarks, and in less than a tenth the memory. The initial commercial release of PERC Pico was in 2007, long in advance of the JSR-302 standard which is still yet to be finalized. Once the JSR-302 standard is announced, Atego intends to refine the capabilities of the PERC Pico product to offer full compliance with that standard."

 

Certifying for NextGen applications

 

Other certification challenges may loom as avionics systems become more complex, especially with the move toward the FAA's Next Generation Transportation System (NextGen).

 

"As avionics systems become larger and more complex, the community of safety-critical developers is required to adopt modern software engineering practices that they had previously rejected as inappropriate for the domain of safety-critical software," Nilson says. "In past decades, it was common for all of the software for each safety-critical system to be developed and certified entirely within the context of a particular application. However, modern safety-critical systems are so large that this is no longer practical. Much of the software deployed in each modern safety-critical system was originally developed for a different application and is repurposed for each new application in which it is deployed. This requires that developers of safety-critical software pay increasing attention to issues of portability, modularity, scalability, customizability, and maintainability."

 

"Boeing and Airbus have both publicly stated that certification costs are becoming exorbitantly high," Hillary says. "The only way for the industry to reduce this increasingly excessive cost factor is by better management of the software development process. Java offers many time-savings features as well as having additional rigor as a language, which ensures that programmers do not make some of the errors that are quite easily made in C. Better quality code leads to fewer errors and less debug time.

 

"The scale of avionics systems is pushing the limits of time and resource availability to prove the system correctness, so in addition to the use of object-oriented technologies and techniques as a means of improving productivity, formal methods are increasingly being called on as a means of handling the proof of correctness of complex systems," Hillary says.

 

LDRA's tool suite for Java ensures that any Java written code can be fully analyzed, tested, and verified per DO-178C standards, says John Greenland, vice president of business development at LDRA. "The LDRA tool suite interprets Java code as object-oriented code, and analyzes it with these concepts in mind, preventing any object-oriented concepts implemented in the program from being skipped during analysis and verification. LDRA also recently announced Embed-X, an ALM (application lifecycle management) solution targeting critical software development processes. This solution provides requirements traceability -- a key DO-178B factor -- from design through coding, analysis, testing, and verification. Developers using LDRA will be able to apply the same solution to all parts of their code whether written in C, C++, Java, or Ada -- a distinct advantage over other solutions," Greenland notes.

 

RTOS DO-178B offerings

 

Green Hills Software offers INTEGRITY-178B, a securely partitioned RTOS for safety critical applications containing multiple programs with different levels of safety criticality, all executing on a single processor, according to the Green Hills web site..

 

Wind River's VxWorks DO-178B Platform offers DO-178B certification evidence and is based on Wind River's VxWorks 6.x operating system and includes more than 240 VxWorks 6 application programming interfaces (APIs), selected for exact compliance to DO-178B safety standards, according to the Wind River web site. This common set of API calls has substantial functionality, including cache, clock, event flag, interrupt, memory management, message queue, ring buffer, semaphore, signal, and task management calls, along with an array of C library functions.

     

LynuxWorks offers the LynxOS-178 RTOS, which provides DO-178B level A certification with the benefits of POSIX with support for the ARINC 653 Application Executive (APEX). The LynxOS-178 RTOS is also time- and space-partitioned and supports Intel Pentium and PowerPC platforms, according to the LynuxWorks web site.

 

 

 

 

Easily post a comment below using your Linkedin, Twitter, Google or Facebook account.


The Innovation That Matters™ Quiz

Innovation is one of the key drivers in the Defense industry. View this short video of Leon Woo, VP of Engineering at Mercury Systems, on the role of innovation. Then, answer 3 simple questions correctly to be entered into a drawing to win an Eddie Bauer fleece jacket!

CONGRATULATIONS TO OUR TWO MOST RECENT WINNERS. "Nick from SPARWAR" and "Bridget from AOC."


Military & Aerospace Photos

Related Products

F-SIM-LDR ARINC 615A Data Loader

AIT's F-SIM-LDR, or Flight Simulyzer Loader, is a complete ARINC-615A Data Loader development kit...

cPCI-1760-SW-4

AceXtreme® Bridge Device - Smart Protocol Converter

DDC’s AceXtreme Bridge Device converts avionics messages in real time between Ethernet, MIL-STD-1...

Related Companies

CES - Creative Electronic Systems SA

Has been designing and manufacturing complex high-performance avionics, defense and communication boards, subsystems ...

Boker's Inc

Boker's, Inc. can manufacture your flat washers, spacers and shims with an outside diameter from 0.080" to 12" and ma...

DLS Electronic Systems Inc

Provides EMC/EMI & Environmental testing to MIL-STD 461-A-F, MIL-STD 810 & RTCA DO-160-C-G, Boeing, Airbus FAA AC20-1...
Wire News provided by   

Most Popular Articles

Webcasts

Digital signal processing for signals intelligence and electronic warfare

Military & Aerospace Electronics presents an expert Webcast on the design considerations for blending general-purposes processors (GPUs), general-purpose graphics processors (GPGPUs), field-programmable ...
Sponsored by:

Advantages of Intel Architecture Products and Wind River Solutions in Military & Aerospace Applications

This webinar explains the individual advantages of the Intel Architecture hardware, available for long-life supply, and the WRS software portfolio.  There are extraordinary advantages of combining such ...
Sponsored by:

social activity

All Access Sponsors


Mil & Aero Magazine

February 2014
Volume 25, Issue 2
file

Download Our Apps



iPhone

iPad

Android

Follow Us On...



Newsletters

Military & Aerospace Electronics

Weekly newsletter covering technical content, breaking news and product information
SUBSCRIBE

Defense Executive

Monthly newsletter covering business news and strategic insights for executive managers
SUBSCRIBE

Embedded Computing Report

Monthly newsletter covering news on embedded computing in aerospace, defense and industrial-rugged applications
SUBSCRIBE

Unmanned Vehicles

Monthly newsletter covering news updates for designers of unmanned vehicles
SUBSCRIBE