1 INTRODUCTION
This paper reviews a LITEF internal study about the use of Ada in safety
critical real time avionic systems. The study is part of the development of
the Inertial Measurement Unit (IMU), a flight control subsystem of the
European Fighter Aircraft (EFA). The study's goal was to establish
programming rules and to examine support tools and methods for the
development of safe Ada programs for flight critical systems.
2 MOTIVATION
For the EFA project the Ada language is mandatorily required for the
software implementation of all operational aircraft software. Currently,
assembly language is mostly used for such systems, and typical assertions
against the Ada language in safety critical applications are:
- Ada is unsafe because the language is too complex.
- Ada tasking is unsafe because Ada tasking is too complex.
- Ada tasking is not deterministic and therefore unsafe.
- In Ada there is an unsafe kind of "erroneous execution".
- The Ada exception mechanism is unsafe.
- The language Ada is extremely inefficient and Ada compilers have lots
of bugs.
Therefore the EFA Joint Team ordered a study (called "Safe Ada Study"
[1]) to investigate ways to apply Ada avoiding features of the language that
are considered to be potentially "unsafe".
During the LITEF study it was found that some of the EFA rules can be
slightly modified without injuring any safety requirement. For example the
following EFA rule 8:
Actions shall not raise a predefined exception.
was changed to:
All possible exceptions shall be handled with defined effects on
the program execution.
This rule was modified because the original results in a very inefficient
programming style with explicit range testing. The Ada tasking and machine
code insertion restrictions were also modified. The full description of the
EFA rules and the LITEF changes is beyond the scope of this paper ([1]
Appendix A, [2]).
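The two programming styles behind the rule change, as an added example that is not from the paper or from the LITEF study: the scaling of a raw inertial sensor sample into engineering units, written once with the explicit range tests that original EFA rule 8 forces, and once with the implicit Ada range check and a handler that gives Constraint_Error a defined effect (saturation). The type names, ranges and scale factor are assumptions chosen for the illustration.

```ada
with Ada.Text_IO;

procedure Range_Rules is

   --  Constructed types: a base type wide enough for the intermediate
   --  product, a raw 16-bit sensor word, and a milli-g result range.
   type Sample_Base is range -200_000 .. 200_000;
   subtype Raw_Count is Sample_Base range -32_768 .. 32_767;
   subtype Milli_G   is Sample_Base range -20_000 .. 20_000;  -- +/- 20 g

   --  Assumed scale factor: 0.625 mg per count, computed as Raw * 5 / 8.

   --  Style required by original EFA rule 8 ("shall not raise a predefined
   --  exception"): every range violation is tested explicitly before the
   --  value is stored, so Constraint_Error can never be raised here.
   function Scale_Checked (Raw : Raw_Count) return Milli_G is
      Scaled : constant Sample_Base := Raw * 5 / 8;
   begin
      if Scaled > Milli_G'Last then
         return Milli_G'Last;
      elsif Scaled < Milli_G'First then
         return Milli_G'First;
      else
         return Scaled;
      end if;
   end Scale_Checked;

   --  Style allowed by the modified LITEF rule ("all possible exceptions
   --  shall be handled with defined effects"): the compiler's implicit
   --  range check on the assignment raises Constraint_Error, and the
   --  handler defines the effect as saturation.  The assignment must be
   --  in the sequence of statements, not in the declarative part: an
   --  exception raised while elaborating declarations is not caught by
   --  the same frame's handler.
   function Scale_Handled (Raw : Raw_Count) return Milli_G is
      Scaled : Milli_G;
   begin
      Scaled := Raw * 5 / 8;  -- implicit range check into Milli_G
      return Scaled;
   exception
      when Constraint_Error =>
         if Raw > 0 then
            return Milli_G'Last;
         else
            return Milli_G'First;
         end if;
   end Scale_Handled;

begin
   Ada.Text_IO.Put_Line (Sample_Base'Image (Scale_Checked (32_767)));
   Ada.Text_IO.Put_Line (Sample_Base'Image (Scale_Handled (32_767)));
   Ada.Text_IO.Put_Line (Sample_Base'Image (Scale_Handled (1_000)));
end Range_Rules;
```

Both functions return the same saturated value for an out-of-range sample; the difference the study weighs is that the second form relies on the compiler's generated check rather than on hand-written comparisons on every path.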
6 TEST PROGRAMS
The second step in defining and verifying Ada programming rules uses
relevant parts of a typical Ada avionics program. The assembler output of
this program is examined for implicit contradictions to the safety
requirements which leads to a confirmation or to a modification of the
above rules. It is natural that this method is only applicable if a stable
version of the project Ada compiler has been defined.
Another very useful outcome from analyzing these tables is a set of rules for
efficient Ada programs. In the LITEF study it was found that these rules
are, in part, the same as the safety rules (which is, on the other hand, a
proof that safety need not be contradictory to efficiency).
The first type of rule can easily be checked with a special Ada parser. This
had already been developed by LITEF for a related project.
There are also some tools on the commercial market for such sequential
testing. For EFA the SPARK tool [4] has been selected. The disadvantage
of this tool is that it only supports a very small subset of Ada. This kind of
tool relies on formal test methods, which only work with a 'PASCAL' like
subset of Ada, and needs additional special Ada comments (so called
annotations) to help the tool understand the semantics of the Ada code.
The second type of rule needs dynamic testing, which means that the
program is tested during execution. There are two major problems with this
test method:
- Test input patterns and/or test strategies for the program must be
generated.
- The program flow must be controlled by additional Ada control code
or with the aid of a special trigger state analyzer.
There are some tools on the market which perform these functions but all
tools are based on additional Ada control code which will destroy the real
time behavior of the original program [5].
For this reason, LITEF has developed special trigger state hardware which
can control an avionic target even during flight conditions. Studies for
special pre- and postprocessing tools are currently under development.
8 CONCLUSION
The language Ada is no less safe than other languages. Because of its strong
typing, the predefined exception mechanism and the standardized tasking
features, it has an even greater advantage compared to other languages.
There are reasonable alternatives to restricting Ada to a 'PASCAL subset'
as required in the EFA Safe Ada Study. With some precise rules, Ada
fulfills all requirements of safety critical avionic applications. The adherence
to these safety rules can be controlled with appropriate tools and methods.
9 REFERENCED DOCUMENTS
[1] Flight Control System Safety Critical Software Study / EFJ-STY-EFA-
020-0005 / Issue 1 / 30 October 87
[2] Safe Ada & Compiler Study for EFA IMU / A. Welz / Internal
LITEF Report / Revision 1.00-04.
[3] Study LITEF Executive in Ada (LEA) / Phase 1-3 / A. Welz /
Internal LITEF Report / 16.2.89.
[4] SPARK - The SPADE Ada Kernel / Carre et al / July 1989 / HMSO
London / Second Edition
[5] LDRA TESTBED ADA / User Documentation & Technical Description / Liverpool Data Research Associates Ltd. / 1985