DO-178B certification challenges for real-time Java applications

By John McHale


Every software engineer working on avionics systems has to deal with certifying their code to the Federal Aviation Administration's DO-178B safety certification standard. The process is required for any aircraft that flies in civilian airspace and can be quite costly.


Real-time operating system (RTOS) designers at companies such as Green Hills Software in Santa Barbara, Calif., LynuxWorks in San Jose, Calif., and Wind River Systems in Alameda, Calif., have been successful at certifying respective RTOSes to DO-178B, but certifying real-time Java to DO-178B still has challenges.


"DO-178B has not offered a straightforward path for certifying Java or any other object-oriented code," says Nat Hillary, field applications engineer at LDRA. "DO-178C, scheduled to be released in quarter 1 of 2011, offers guidance for certifying object-oriented code to the DO-178C standard. The maturity of Java for embedded devices and the soon-to-be-released standard offered good timing for LDRA to announce a Java version of its tool suite.


"There are two fundamental challenges to certifying Java," Hillary says. "The first is the fact that it is dependent on a run-time environment, so it is not possible to certify the program itself; the program needs to be certified in concert with the Java run time. The second is the standard issues of verifying and documenting the actual source code of the program under development. LDRA can specifically help with the latter aspect."


"The biggest challenge is that standard Java, as a modern programming language, supports very high levels of abstraction," says Kelvin Nilson, chief technology officer for Java technology at Atego in San Diego. "While this abstraction makes it easy for developers to create and maintain data processing software, the abstraction complicates safety certification because each line of Java code can represents a large amount of functionality, all of which needs to be carefully scrutinized in the certification effort. 


"The JSR-302 expert group is defining a simpler subset of Java that enables more economical certification of safety-critical Java applications," Nilson continues. "Intended to decrease impact on mainstream Java developers, the key changes from traditional Java are no automatic garbage collection because all temporary objects will be allocated on a run-time stack instead of from a garbage collected heap; significant pruning of the standard Java libraries available to developers of safety-critical Java applications; no dynamic class loading; and precise semantic requirements on task scheduling and task synchronization. 


"As with C, C++, and Ada, any Java implementations used in avionics systems has to go through the same level of testing rigor, including the use of coverage analysis to assess overall test effectiveness," Hillary says. "This is complicated by the object oriented data types and constructs that are available within Java, so it is imperative that any verification and/or coverage analysis process and/or solution have full awareness of the language and object-oriented concepts. To date, there's no official safety-critical Java standard. A standard is under development for safety-critical Java which will complement well the DO-178C object-oriented guidelines."


"The safety-critical Java specification also introduces certain capabilities not supported by traditional Java, such as the ability to directly read and write I/O ports, and the ability to implement first-level interrupt handlers in Java," Nilson says. "However, the key challenges in certifying Java for DO-178B are that it is too big and too abstract, and these challenges are being effectively addressed in the emerging JSR-302 standard."


"Atego's PERC Pico product is based on the anticipated JSR-302 standard for safety-critical development with Java," Nilson says. "As such, it uses safe stack allocation instead of a garbage collected heap, has a small subset of the standard Java libraries, and implements enhanced capabilities such as interrupt handling and access to device I/O registers. Because of its simpler execution model, PERC Pico runs over twice as fast as traditional Java on common benchmarks, and in less than a tenth the memory. The initial commercial release of PERC Pico was in 2007, long in advance of the JSR-302 standard which is still yet to be finalized. Once the JSR-302 standard is announced, Atego intends to refine the capabilities of the PERC Pico product to offer full compliance with that standard."


Certifying for NextGen applications


Other certification challenges may loom as avionics systems become more complex, especially with the move toward the FAA's Next Generation Transportation System (NextGen).


"As avionics systems become larger and more complex, the community of safety-critical developers is required to adopt modern software engineering practices that they had previously rejected as inappropriate for the domain of safety-critical software," Nilson says. "In past decades, it was common for all of the software for each safety-critical system to be developed and certified entirely within the context of a particular application. However, modern safety-critical systems are so large that this is no longer practical. Much of the software deployed in each modern safety-critical system was originally developed for a different application and is repurposed for each new application in which it is deployed. This requires that developers of safety-critical software pay increasing attention to issues of portability, modularity, scalability, customizability, and maintainability."


"Boeing and Airbus have both publicly stated that certification costs are becoming exorbitantly high," Hillary says. "The only way for the industry to reduce this increasingly excessive cost factor is by better management of the software development process. Java offers many time-savings features as well as having additional rigor as a language, which ensures that programmers do not make some of the errors that are quite easily made in C. Better quality code leads to fewer errors and less debug time.


"The scale of avionics systems is pushing the limits of time and resource availability to prove the system correctness, so in addition to the use of object-oriented technologies and techniques as a means of improving productivity, formal methods are increasingly being called on as a means of handling the proof of correctness of complex systems," Hillary says.


LDRA's tool suite for Java ensures that any Java written code can be fully analyzed, tested, and verified per DO-178C standards, says John Greenland, vice president of business development at LDRA. "The LDRA tool suite interprets Java code as object-oriented code, and analyzes it with these concepts in mind, preventing any object-oriented concepts implemented in the program from being skipped during analysis and verification. LDRA also recently announced Embed-X, an ALM (application lifecycle management) solution targeting critical software development processes. This solution provides requirements traceability -- a key DO-178B factor -- from design through coding, analysis, testing, and verification. Developers using LDRA will be able to apply the same solution to all parts of their code whether written in C, C++, Java, or Ada -- a distinct advantage over other solutions," Greenland notes.


RTOS DO-178B offerings


Green Hills Software offers INTEGRITY-178B, a securely partitioned RTOS for safety critical applications containing multiple programs with different levels of safety criticality, all executing on a single processor, according to the Green Hills web site..


Wind River's VxWorks DO-178B Platform offers DO-178B certification evidence and is based on Wind River's VxWorks 6.x operating system and includes more than 240 VxWorks 6 application programming interfaces (APIs), selected for exact compliance to DO-178B safety standards, according to the Wind River web site. This common set of API calls has substantial functionality, including cache, clock, event flag, interrupt, memory management, message queue, ring buffer, semaphore, signal, and task management calls, along with an array of C library functions.


LynuxWorks offers the LynxOS-178 RTOS, which provides DO-178B level A certification with the benefits of POSIX with support for the ARINC 653 Application Executive (APEX). The LynxOS-178 RTOS is also time- and space-partitioned and supports Intel Pentium and PowerPC platforms, according to the LynuxWorks web site.





Get All the Military Aerospace Electronics News Delivered to Your Inbox or Your Mailbox

Subscribe to Military Aerospace Electronics Magazine or email newsletter today at no cost and receive the latest information on:

  • C4ISR
  • Cyber Security
  • Embedded Computing
  • Unmanned Vehicles

Military & Aerospace Photos

Most Popular Articles

Related Products

Custom and OEM Camera Design

We provide custom designs for both modifications to existing systems and development of new produ...

Latching Micro-D Connectors

Omnetics high reliability Micro-D connectors are available with Quick Latch System. For applicati...

Nano-D Bi-Lobes® Connectors Dual Row Horizontal SMT (Type AA)

Horizontal SMT Bi-Lobe® nanos offer an extremely low profile package that is well suited to pick ...

Nano-D BiLobe® Connectors -(COTS)

Sizes are 9, 15, 21, 25, 31, 37 , 51 & 65 pin, at .025 Mil. Pitch(Currently Available), mating pi...

Hybrid Micro-D Connectors

Omnetics high reliability Micro-D connectors are available withmixed power/signal contact layouts...

Micro-D Connectors

Highly rugged and compact designs in shell styles from 9 to 51 contacts. The Micro-D connectors i...

Omnetics Nano-D Bi-Lobe® Latching Connectors

Bi-Lobe® connectors utilize rugged and reliable flex pin contact system. Spaced on 25 mil (.64mm)...

XTend7103 | COM Express® Carrier for COM Express® Type 10 Mezzanine Modules

The XTend7103 is a COM Express® carrier card designed to provide a low-cost and compact platform ...

XPedite7575 | 5th Generation Intel® Core™ i7 Broadwell-H Processor-Based Conduction- or Air-Cooled 3U VPX-REDI Module

The XPedite7575 is a high-performance, 3U VPX-REDI, single board computer based on the 5th genera...

XPort6173 | 3U VPX Carrier for Two 2.5 in. Solid-State Drives (SSDs)

The XPort6173 supports two, standard, 2.5 in. Solid-State Drives (SSDs) in a single 0.8 in. or 1....

Related Companies

Interface Displays & Controls Inc

Certified ISO-9001/AS9100, veteran-owned, small business. Interface specializes in designing, reverse-engineering and...

Southwest Antennas

Designs and manufactures high-performance RF and Microwave antennas and accessories designed for today’s communicatio...

Curtiss-Wright Defense Solutions

About Curtiss-Wright Defense Solutions Curtiss-Wright Defense Solutions (CWDS) is a long established techno...

Omnetics Connector Corp

Omnetics Connector Corporation – Micro and Nano Connectors and Interconnect Systems for Military & Aerospa...

United Electronic Industries Inc

UEI is a leader in the PC/Ethernet data acquisition and control, Data Logger/Recorder and Programmable Automation Con...

GE Aviation Systems

Designs and manufactures high reliability microelectronics for aerospace and military applications. Thick film hybrid...

Cobham AvComm (formerly Aeroflex Test Solutions)

Is a global leader in avionics, communications, and synthetic test, monitoring, and control for commercial, governmen...

Astronics Ballard Technology

Manufactures avionics databus interfaces, embedded computers, and software for aerospace, military and commercial use...

Henniker Plasma

Plasma Treatment Equipment - Plasma Cleaners, Plasma Etchers, Plasma Coating & Plasma Surface ModificationWe are the ...

KAMAKA Electronic Bauelemente Vertriebs GmbH

One of the leading Hi-Rel suppliers in Central Europe for more than 23 years. The quality of our products and the tec...


Harsh Environment Protection for Advanced Electronics and Components

This webinar will offer an opportunity to learn more about ultra-thin Parylene conformal coatings – how they are applied, applications they protect today, and the properties and benefits they offer, includin...

New Design Tools That Help You Develop Radar That Sees the Un-seeable and Detects the Undetectable

Xilinx EW/ISR System Architect, Luke Miller, has new tricks and he’s going to tell you all about them in a new Xilinx Webinar—for free. His Webinar will cover new ways to implement Radar functions including ...
Sponsored by:

Press Releases


Curtiss-Wright Corporation today announced that its Defense Solutions division has received a contract from Sierra Nevada Corporation (SNC) to supply its small form factor ...

Innovative Integration Announces the FMC-Servo

Camarillo, CA June 19, 2015, Innovative Integration, a trusted supplier of signal processing and data acquisition hardware and software solutions, today announced the FMC-S...


Curtiss-Wright Corporation today announced that its Defense Solutions division has further enhanced its innovative VRD1 high definition (HD) video management system (VMS) w...

All Access Sponsors

Mil & Aero Magazine

August 2015
Volume 26, Issue 8

Download Our Apps




Follow Us On...


Military & Aerospace Electronics

Weekly newsletter covering technical content, breaking news and product information

Cyber Security

Monthly newsletter covering cyber warfare, cyber security, information warfare, and information security technologies, products, contracts, and procurement opportunities

Defense Executive

Monthly newsletter covering business news and strategic insights for executive managers

Electronic Warfare

Quarterly newsletter covering technologies and applications in electronic warfare, cyber warfare, optical warfare, and spectrum warfare.

Embedded Computing Report

Monthly newsletter covering news on embedded computing in aerospace, defense and industrial-rugged applications

Unmanned Vehicles

Monthly newsletter covering news updates for designers of unmanned vehicles