DO-178B certification challenges for real-time Java applications

By John McHale


Every software engineer working on avionics systems has to deal with certifying their code to the Federal Aviation Administration's DO-178B safety certification standard. The process is required for any aircraft that flies in civilian airspace and can be quite costly.


Real-time operating system (RTOS) designers at companies such as Green Hills Software in Santa Barbara, Calif., LynuxWorks in San Jose, Calif., and Wind River Systems in Alameda, Calif., have been successful at certifying respective RTOSes to DO-178B, but certifying real-time Java to DO-178B still has challenges.


"DO-178B has not offered a straightforward path for certifying Java or any other object-oriented code," says Nat Hillary, field applications engineer at LDRA. "DO-178C, scheduled to be released in quarter 1 of 2011, offers guidance for certifying object-oriented code to the DO-178C standard. The maturity of Java for embedded devices and the soon-to-be-released standard offered good timing for LDRA to announce a Java version of its tool suite.


"There are two fundamental challenges to certifying Java," Hillary says. "The first is the fact that it is dependent on a run-time environment, so it is not possible to certify the program itself; the program needs to be certified in concert with the Java run time. The second is the standard issues of verifying and documenting the actual source code of the program under development. LDRA can specifically help with the latter aspect."


"The biggest challenge is that standard Java, as a modern programming language, supports very high levels of abstraction," says Kelvin Nilson, chief technology officer for Java technology at Atego in San Diego. "While this abstraction makes it easy for developers to create and maintain data processing software, the abstraction complicates safety certification because each line of Java code can represents a large amount of functionality, all of which needs to be carefully scrutinized in the certification effort. 


"The JSR-302 expert group is defining a simpler subset of Java that enables more economical certification of safety-critical Java applications," Nilson continues. "Intended to decrease impact on mainstream Java developers, the key changes from traditional Java are no automatic garbage collection because all temporary objects will be allocated on a run-time stack instead of from a garbage collected heap; significant pruning of the standard Java libraries available to developers of safety-critical Java applications; no dynamic class loading; and precise semantic requirements on task scheduling and task synchronization. 


"As with C, C++, and Ada, any Java implementations used in avionics systems has to go through the same level of testing rigor, including the use of coverage analysis to assess overall test effectiveness," Hillary says. "This is complicated by the object oriented data types and constructs that are available within Java, so it is imperative that any verification and/or coverage analysis process and/or solution have full awareness of the language and object-oriented concepts. To date, there's no official safety-critical Java standard. A standard is under development for safety-critical Java which will complement well the DO-178C object-oriented guidelines."


"The safety-critical Java specification also introduces certain capabilities not supported by traditional Java, such as the ability to directly read and write I/O ports, and the ability to implement first-level interrupt handlers in Java," Nilson says. "However, the key challenges in certifying Java for DO-178B are that it is too big and too abstract, and these challenges are being effectively addressed in the emerging JSR-302 standard."


"Atego's PERC Pico product is based on the anticipated JSR-302 standard for safety-critical development with Java," Nilson says. "As such, it uses safe stack allocation instead of a garbage collected heap, has a small subset of the standard Java libraries, and implements enhanced capabilities such as interrupt handling and access to device I/O registers. Because of its simpler execution model, PERC Pico runs over twice as fast as traditional Java on common benchmarks, and in less than a tenth the memory. The initial commercial release of PERC Pico was in 2007, long in advance of the JSR-302 standard which is still yet to be finalized. Once the JSR-302 standard is announced, Atego intends to refine the capabilities of the PERC Pico product to offer full compliance with that standard."


Certifying for NextGen applications


Other certification challenges may loom as avionics systems become more complex, especially with the move toward the FAA's Next Generation Transportation System (NextGen).


"As avionics systems become larger and more complex, the community of safety-critical developers is required to adopt modern software engineering practices that they had previously rejected as inappropriate for the domain of safety-critical software," Nilson says. "In past decades, it was common for all of the software for each safety-critical system to be developed and certified entirely within the context of a particular application. However, modern safety-critical systems are so large that this is no longer practical. Much of the software deployed in each modern safety-critical system was originally developed for a different application and is repurposed for each new application in which it is deployed. This requires that developers of safety-critical software pay increasing attention to issues of portability, modularity, scalability, customizability, and maintainability."


"Boeing and Airbus have both publicly stated that certification costs are becoming exorbitantly high," Hillary says. "The only way for the industry to reduce this increasingly excessive cost factor is by better management of the software development process. Java offers many time-savings features as well as having additional rigor as a language, which ensures that programmers do not make some of the errors that are quite easily made in C. Better quality code leads to fewer errors and less debug time.


"The scale of avionics systems is pushing the limits of time and resource availability to prove the system correctness, so in addition to the use of object-oriented technologies and techniques as a means of improving productivity, formal methods are increasingly being called on as a means of handling the proof of correctness of complex systems," Hillary says.


LDRA's tool suite for Java ensures that any Java written code can be fully analyzed, tested, and verified per DO-178C standards, says John Greenland, vice president of business development at LDRA. "The LDRA tool suite interprets Java code as object-oriented code, and analyzes it with these concepts in mind, preventing any object-oriented concepts implemented in the program from being skipped during analysis and verification. LDRA also recently announced Embed-X, an ALM (application lifecycle management) solution targeting critical software development processes. This solution provides requirements traceability -- a key DO-178B factor -- from design through coding, analysis, testing, and verification. Developers using LDRA will be able to apply the same solution to all parts of their code whether written in C, C++, Java, or Ada -- a distinct advantage over other solutions," Greenland notes.


RTOS DO-178B offerings


Green Hills Software offers INTEGRITY-178B, a securely partitioned RTOS for safety critical applications containing multiple programs with different levels of safety criticality, all executing on a single processor, according to the Green Hills web site..


Wind River's VxWorks DO-178B Platform offers DO-178B certification evidence and is based on Wind River's VxWorks 6.x operating system and includes more than 240 VxWorks 6 application programming interfaces (APIs), selected for exact compliance to DO-178B safety standards, according to the Wind River web site. This common set of API calls has substantial functionality, including cache, clock, event flag, interrupt, memory management, message queue, ring buffer, semaphore, signal, and task management calls, along with an array of C library functions.


LynuxWorks offers the LynxOS-178 RTOS, which provides DO-178B level A certification with the benefits of POSIX with support for the ARINC 653 Application Executive (APEX). The LynxOS-178 RTOS is also time- and space-partitioned and supports Intel Pentium and PowerPC platforms, according to the LynuxWorks web site.





Get All the Military Aerospace Electronics News Delivered to Your Inbox or Your Mailbox

Subscribe to Military Aerospace Electronics Magazine or email newsletter today at no cost and receive the latest information on:

  • C4ISR
  • Cyber Security
  • Embedded Computing
  • Unmanned Vehicles

Military & Aerospace Photos

Most Popular Articles

Related Products

Rigid Printed Circuit Boards

Rigid printed circuit boards can only meet diverse industrial applications if the best materials ...

Flexible Printed Circuit Board

Flexible Printed Circuit Boards are one of the most popular types of circuit boards used in a var...

Printed Circuit Board Assembly

Printed Circuit Board Assembly (PCB ASSY) is as critical a process as circuit board manufacturing.

BiSlide® Stages

Velmex manual or motorized BiSlide positioning stage's modular design makes it highly configurabl...

Velmex VXM™ Motor Controller

Velmex VXM Controller Systems are integral components of the power systems that efficiently drive...

Velmex XSlide™ Stages

The Velmex XSlide Assembly is a compact positioning stage highly suitable for high performance in...

UniSlide® Stages

UniSlide Assemblies deliver precise movement in one, two or three dimensions with linear motion. ...

Video Borescope ORION

Ø 4mm (0.16”) to 10mm (0.44”)Working Lengths: up to 30 meters (98')3.5” color LCD display, with 7...

Rigid Video Borescope HERON-A with Tip Articulation

CMOS Camera Chip: 450,000 pixels 340° Rotation of the Probe Articulating Tip (180˚in each directi...

XPand6020 | Small Form Factor (SFF) System Featuring XPedite5205 Running Cisco IOS® and XPedite7450

The XPand6020 is a Small Form Factor (SFF) system that features an XPedite5205, which runs Cisco ...

Related Companies


Provides customized Printed Circuit Board fabrication in California. The entire process can be customized according t...

Uniforce Sales and Engineering

Provides solutions to machine vision and image acquisition in many applications, including in the fields of medical, ...

Velmex Inc

Manufactures linear and rotary motion-control positioning equipment for scientific, research, photonics, machining an...

TASC Technical & Assembly Services Corporation Electronic Equipment Manufacturing

Electronic Manufacturing sub-contractor. Circuit Board assembly, Cable Assembly, Wire Harness Assembly, Box Build Ass...

General Atomics Aeronautical Systems Inc

GA-ASI is a leading manufacturer of proven, reliable Remotely Piloted Aircraft (RPA) systems, radars, and electro-opt...

BellowsTech LLC

Develops, designs and manufactures metal bellows using edge welded bellows technology. Expertise in design, machining...

HC Controls Inc

Specialists in design, installation, commissioning, calibration, training and support services to aero engine test fa...

Curtiss-Wright Defense Solutions

About Curtiss-Wright Defense Solutions Curtiss-Wright Defense Solutions (CWDS) is a long established techno...

Medit Inc

Supplies remote visual inspection devices. The company is one of the important players in the industry, serving clien...


Offers complete solutions for embedded software developers with a focus on mission- and safety-critical applications....
Wire News provided by   

Press Releases


Curtiss-Wright Corporation today announced that its Defense Solutions division has received a contract from Sierra Nevada Corporation (SNC) to supply its small form factor ...

Innovative Integration Announces the FMC-Servo

Camarillo, CA June 19, 2015, Innovative Integration, a trusted supplier of signal processing and data acquisition hardware and software solutions, today announced the FMC-S...


Curtiss-Wright Corporation today announced that its Defense Solutions division has further enhanced its innovative VRD1 high definition (HD) video management system (VMS) w...


Harsh Environment Protection for Advanced Electronics and Components

This webinar will offer an opportunity to learn more about ultra-thin Parylene conformal coatings – how they are applied, applications they protect today, and the properties and benefits they offer, includin...

New Design Tools That Help You Develop Radar That Sees the Un-seeable and Detects the Undetectable

Xilinx EW/ISR System Architect, Luke Miller, has new tricks and he’s going to tell you all about them in a new Xilinx Webinar—for free. His Webinar will cover new ways to implement Radar functions including ...
Sponsored by:

All Access Sponsors

Mil & Aero Magazine

June 2015
Volume 26, Issue 6

Download Our Apps




Follow Us On...


Military & Aerospace Electronics

Weekly newsletter covering technical content, breaking news and product information

Cyber Security

Monthly newsletter covering cyber warfare, cyber security, information warfare, and information security technologies, products, contracts, and procurement opportunities

Defense Executive

Monthly newsletter covering business news and strategic insights for executive managers

Electronic Warfare

Quarterly newsletter covering technologies and applications in electronic warfare, cyber warfare, optical warfare, and spectrum warfare.

Embedded Computing Report

Monthly newsletter covering news on embedded computing in aerospace, defense and industrial-rugged applications

Unmanned Vehicles

Monthly newsletter covering news updates for designers of unmanned vehicles