comp.lang.ada
From: "Ken Garlington" <Ken.Garlington@computer.org>
Subject: Re: help me please!
Date: Tue, 19 Jun 2001 02:59:11 GMT
Message-ID: <3ezX6.311$kV6.181850212@newssvr17.news.prodigy.com>
In-Reply-To: 9gb1uu$87u7o$1@ID-52877.news.dfncis.de

[cross-posted to comp.lang.ada]

"Emmanuel Gustin" <Emmanuel.Gustin@skynet.be> wrote in message
news:9gb1uu$87u7o$1@ID-52877.news.dfncis.de...

: "Jamal Bengeloun" <jakb@caramail.com> wrote in message
: news:df481109.0106140310.5d923746@posting.google.com...
:
: > I am doing a graduate end of term research on the use of java in
: > avionics systems, on the certification issues regarding those systems
: > and finally on the viability of java in avionics (well why not Ada by
: > the way? From what I've read here java is regarded as cooler, but is
: > it safe?).

First, on the current use of Java in avionics: I haven't personally seen any
"safety-critical" (Level A, or SIL 4 if you prefer) real-time embedded
avionics projects announced to date that use the Java language. I suspect
this is due to a combination of issues: the complexity of certifying the
system (including the JVM), the potential impact of garbage collection on
run-time schedulability analysis, efficiency issues, and availability on
certain platforms. However, particularly since not all avionics applications
are necessarily safety-critical, this doesn't rule out Java implementations
for lower criticality levels.

With respect to certification issues, it depends on the certification
scheme. Trying to certify a Java implementation against MoD 00-55, for
example, would probably be much more difficult than with DO-178, which in
turn would be probably more difficult than MIL-STD-882 (although in
practice, it also depends a lot on the specific people granting the
certification). Part of the problem is defining what is really meant by a
"Java" implementation. If you're referring to Java targeted to the JVM,
that's going to be significantly more difficult than Java compiled as
"native" code. Conversely, using Ada as the source language, but with JVM as
the target (such compilers do exist), might also be easier than Java + JVM.
Again, it depends upon the certification criteria. For the sake of
discussion, let's assume we're talking about a "traditional" Java
implementation using a JVM, certified along the lines described in DO-178. I
would suspect the only way this could be certified is through the use of
some (probably all) of the following approaches:

- The Java/JVM vendor would need to provide sufficient data to certify both
the Java toolset and the JVM implementation, including configuration
management and verification records. For a Level A implementation, this
would be significantly more information than you would normally expect a
commercial vendor to generate, although some embedded OS vendors (Aonix,
WindRiver, etc.) have such packages. As others have noted, the license
agreements normally included with Java products don't encourage me that many
Java vendors are working on this, but it's possible.

- The avionics developer (or a third party) would have to generate a
sufficiently robust verification scheme for both the toolset and JVM to
independently show that both components are acceptable when integrated into
the total system. AFAIK, RTCA has not yet bought off on the idea of
independently certifying individual software components, so such integrated
proof would be important.

- Some use of product service history (i.e., the lack of defects
attributable to the toolset/JVM when used in other applications) could be
helpful; however, RTCA's position as I understand it places a number of
limitations on how much faith can be placed on past experience. (Some DERs,
on the other hand, seem to put a lot of faith in it.)

Bottom line? I wouldn't want to be the first guy to go through this process.
However, it might be technically feasible. It wouldn't seem to be
economically desirable vs. other languages at this time, though.

In terms of the general viability/safety of Java (and Ada) vs. C++, a recent
column by Peter Coffee may be of some interest:

http://www.zdnet.com/eweek/stories/general/0,11011,2769111,00.html

I don't know if anyone has generated a specific guide for application of
Java to safety-critical systems, as exists for C and Ada. I'd be surprised
if one exists. One brief analysis is available at

http://www.adaic.com/docs/reports/lawlis/p.htm

It appears that the J Consortium's High Integrity Profile Task Group is
working on a better analysis; more information is available at
http://www.j-consortium.org and
http://www.aonix.com/content/news/pr_9.28.99_2.html. There's a presentation
on the first site that outlines some of the issues.

Moving on to the side-issue of Ada:

: Ada is widely regarded as a language designed by a committee,
: on a par with FORTRAN-99, and handicapped by an excessive
: number of features. I don't know; I never used it.

As someone who _has_ actually used Ada in avionics applications (unlike Mr.
Gustin, who was honest about his own lack of experience, and Mr. Tarver, who
failed to note that he is unqualified to give an educated opinion), I
believe this is an extremely inaccurate characterization of Ada. It
continues to be used in a number of areas, e.g. for MoD 00-55 SIL 4
applications. There are non-technical factors that adversely affect its use,
particularly in the U.S. marketplace. See the National Academy of Sciences
study "Ada and Beyond: Software Policies for the Department of Defense,"
available at http://www.nap.edu/catalog/5463.html for more information on
this subject. General information on Ada is available at
http://www.acm.org/sigada and other sources.
