By John McHale
Every software engineer working on avionics systems has to deal with certifying their code to the Federal Aviation Administration's DO-178B safety certification standard. The process is required for any aircraft that flies in civilian airspace and can be quite costly.
Real-time operating system (RTOS) designers at companies such as Green Hills Software in Santa Barbara, Calif., LynuxWorks in San Jose, Calif., and Wind River Systems in Alameda, Calif., have been successful at certifying respective RTOSes to DO-178B, but certifying real-time Java to DO-178B still has challenges.
"DO-178B has not offered a straightforward path for certifying Java or any other object-oriented code," says Nat Hillary, field applications engineer at LDRA. "DO-178C, scheduled to be released in quarter 1 of 2011, offers guidance for certifying object-oriented code to the DO-178C standard. The maturity of Java for embedded devices and the soon-to-be-released standard offered good timing for LDRA to announce a Java version of its tool suite.
"There are two fundamental challenges to certifying Java," Hillary says. "The first is the fact that it is dependent on a run-time environment, so it is not possible to certify the program itself; the program needs to be certified in concert with the Java run time. The second is the standard issues of verifying and documenting the actual source code of the program under development. LDRA can specifically help with the latter aspect."
"The biggest challenge is that standard Java, as a modern programming language, supports very high levels of abstraction," says Kelvin Nilson, chief technology officer for Java technology at Atego in San Diego. "While this abstraction makes it easy for developers to create and maintain data processing software, the abstraction complicates safety certification because each line of Java code can represents a large amount of functionality, all of which needs to be carefully scrutinized in the certification effort.
"The JSR-302 expert group is defining a simpler subset of Java that enables more economical certification of safety-critical Java applications," Nilson continues. "Intended to decrease impact on mainstream Java developers, the key changes from traditional Java are no automatic garbage collection because all temporary objects will be allocated on a run-time stack instead of from a garbage collected heap; significant pruning of the standard Java libraries available to developers of safety-critical Java applications; no dynamic class loading; and precise semantic requirements on task scheduling and task synchronization.
"As with C, C++, and Ada, any Java implementations used in avionics systems has to go through the same level of testing rigor, including the use of coverage analysis to assess overall test effectiveness," Hillary says. "This is complicated by the object oriented data types and constructs that are available within Java, so it is imperative that any verification and/or coverage analysis process and/or solution have full awareness of the language and object-oriented concepts. To date, there's no official safety-critical Java standard. A standard is under development for safety-critical Java which will complement well the DO-178C object-oriented guidelines."
"The safety-critical Java specification also introduces certain capabilities not supported by traditional Java, such as the ability to directly read and write I/O ports, and the ability to implement first-level interrupt handlers in Java," Nilson says. "However, the key challenges in certifying Java for DO-178B are that it is too big and too abstract, and these challenges are being effectively addressed in the emerging JSR-302 standard."
"Atego's PERC Pico product is based on the anticipated JSR-302 standard for safety-critical development with Java," Nilson says. "As such, it uses safe stack allocation instead of a garbage collected heap, has a small subset of the standard Java libraries, and implements enhanced capabilities such as interrupt handling and access to device I/O registers. Because of its simpler execution model, PERC Pico runs over twice as fast as traditional Java on common benchmarks, and in less than a tenth the memory. The initial commercial release of PERC Pico was in 2007, long in advance of the JSR-302 standard which is still yet to be finalized. Once the JSR-302 standard is announced, Atego intends to refine the capabilities of the PERC Pico product to offer full compliance with that standard."
Certifying for NextGen applications
Other certification challenges may loom as avionics systems become more complex, especially with the move toward the FAA's Next Generation Transportation System (NextGen).
"As avionics systems become larger and more complex, the community of safety-critical developers is required to adopt modern software engineering practices that they had previously rejected as inappropriate for the domain of safety-critical software," Nilson says. "In past decades, it was common for all of the software for each safety-critical system to be developed and certified entirely within the context of a particular application. However, modern safety-critical systems are so large that this is no longer practical. Much of the software deployed in each modern safety-critical system was originally developed for a different application and is repurposed for each new application in which it is deployed. This requires that developers of safety-critical software pay increasing attention to issues of portability, modularity, scalability, customizability, and maintainability."
"Boeing and Airbus have both publicly stated that certification costs are becoming exorbitantly high," Hillary says. "The only way for the industry to reduce this increasingly excessive cost factor is by better management of the software development process. Java offers many time-savings features as well as having additional rigor as a language, which ensures that programmers do not make some of the errors that are quite easily made in C. Better quality code leads to fewer errors and less debug time.
"The scale of avionics systems is pushing the limits of time and resource availability to prove the system correctness, so in addition to the use of object-oriented technologies and techniques as a means of improving productivity, formal methods are increasingly being called on as a means of handling the proof of correctness of complex systems," Hillary says.
LDRA's tool suite for Java ensures that any Java written code can be fully analyzed, tested, and verified per DO-178C standards, says John Greenland, vice president of business development at LDRA. "The LDRA tool suite interprets Java code as object-oriented code, and analyzes it with these concepts in mind, preventing any object-oriented concepts implemented in the program from being skipped during analysis and verification. LDRA also recently announced Embed-X, an ALM (application lifecycle management) solution targeting critical software development processes. This solution provides requirements traceability -- a key DO-178B factor -- from design through coding, analysis, testing, and verification. Developers using LDRA will be able to apply the same solution to all parts of their code whether written in C, C++, Java, or Ada -- a distinct advantage over other solutions," Greenland notes.
RTOS DO-178B offerings
Green Hills Software offers INTEGRITY-178B, a securely partitioned RTOS for safety critical applications containing multiple programs with different levels of safety criticality, all executing on a single processor, according to the Green Hills web site..
Wind River's VxWorks DO-178B Platform offers DO-178B certification evidence and is based on Wind River's VxWorks 6.x operating system and includes more than 240 VxWorks 6 application programming interfaces (APIs), selected for exact compliance to DO-178B safety standards, according to the Wind River web site. This common set of API calls has substantial functionality, including cache, clock, event flag, interrupt, memory management, message queue, ring buffer, semaphore, signal, and task management calls, along with an array of C library functions.
LynuxWorks offers the LynxOS-178 RTOS, which provides DO-178B level A certification with the benefits of POSIX with support for the ARINC 653 Application Executive (APEX). The LynxOS-178 RTOS is also time- and space-partitioned and supports Intel Pentium and PowerPC platforms, according to the LynuxWorks web site.