Certain kinds of applications leave no margin for error. Software that flies an aircraft or that controls a nuclear reactor must work correctly, or the results could be catastrophic; such software is said to be safety-critical. Regulatory agencies in safety-critical domains typically have stringent certification requirements that must be met by software providers, beyond what would be standard practice for most military embedded systems. The goal is to provide assurance that the delivered system is reliable (it does what it is supposed to do) and is also safe (it does not do what it is not supposed to do).
For the development of safety-critical software, the choice of programming language makes a significant difference in meeting the requirements of exacting safety standards and, ultimately, high-reliability applications. Ada, for example, has a long history of success in the safety-critical domain. In a recent example, Ada was used in software for the mission control system (MCS) aboard Boeing’s advanced aerial refueling tanker, the KC-767 (Figure 1).

The Italian Air Force was Boeing’s first KC-767 customer, ordering four of the world’s newest and most advanced tankers, the first of which had its maiden flight this past May. The KC-767 MCS is the first avionics application in flight to use the Software Common Operating Environment (SCOE), which consists of a safety-critical-certified ARINC653 operating system from Wind River, the GNAT Pro for VxWorks 653 Ada compilation system from AdaCore, and infrastructure software developed by Smiths Aerospace.
Well-Seasoned Language
Ada was designed from the start to promote sound software engineering, with features such as strong typing that help detect errors early. Ada’s semantics are well defined and, unlike Java, the language has gone through a rigorous international standardization process that guarantees a thorough and detailed review. Ada also lacks the “traps and pitfalls” that cause run-time surprises in other languages, such as C and C++.
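As an added illustration of the strong typing and range checking described above (example code written for this article, not from the KC-767 MCS or any AdaCore product), the program below gives two physical quantities distinct types so a mix-up is rejected at compile time, and constrains a subtype so an out-of-range value raises Constraint_Error instead of silently wrapping:

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Strong_Typing_Demo is
   -- Distinct numeric types for distinct quantities: both are floating
   -- point underneath, but the compiler refuses to mix them.
   type Meters is new Float;
   type Feet   is new Float;

   -- Range-constrained subtype: values outside 0 .. 100 fail a run-time
   -- check rather than being stored as garbage.
   subtype Percent is Integer range 0 .. 100;

   function To_Meters (F : Feet) return Meters is
   begin
      return Meters (F) * 0.3048;  -- conversion must be explicit
   end To_Meters;

   Altitude_Ft : constant Feet := 35_000.0;  -- constructed sample value
   Altitude_M  : Meters;
   Fuel_Level  : Percent;
begin
   Altitude_M := To_Meters (Altitude_Ft);
   -- Altitude_M := Altitude_Ft;           -- compile-time error: Feet /= Meters
   -- Altitude_M := Altitude_Ft * 0.3048;  -- also rejected for the same reason
   Put_Line ("Altitude:" & Meters'Image (Altitude_M) & " m");

   Fuel_Level := 42;
   Put_Line ("Fuel:" & Percent'Image (Fuel_Level) & " %");

   -- This assignment compiles, but the result (142) violates the subtype's
   -- range, so Constraint_Error is raised and handled here instead of
   -- propagating a corrupt value into the rest of the system.
   begin
      Fuel_Level := Fuel_Level + 100;
      Put_Line ("unreachable");
   exception
      when E : Constraint_Error =>
         Put_Line ("Range check failed: " & Exception_Message (E));
   end;
end Strong_Typing_Demo;
```

Uncommenting either rejected line turns a unit-conversion bug into a compilation failure, which is the kind of early detection the text refers to.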
The Ada language was first introduced in 1983—the date of the first ANSI standardization. From the start there was a fundamental commitment to safety and reliability. Fitting that commitment, a formal process and an extensive test suite were introduced for testing an implementation’s conformance with the language standard. This process has been known informally as “validating” an implementation. Today that validation process is defined in an ISO (International Organization for Standardization) standard. Ada is the only language for which such a standardized set of conformance procedures exists.
In 1995, as a result of a significant effort sponsored by the U.S. DoD, a major revision of the language standard was published, popularly called Ada 95. Ada 95 brought a number of enhancements, including support for object-oriented programming, and became the first internationally standardized object-oriented language. In accordance with Ada’s fundamental design principles, key objectives were safety and reliability, and Ada 95’s object-oriented features preserve this goal while providing important capabilities such as inheritance with type extension.
No DoD Funding This Time Around
ISO procedures call for revising standardized languages every ten years. Although the DoD no longer requires specific languages, and thus did not fund the new revision, major work was again invested, this time provided by the Ada vendor and user community, with some sponsorship by the Ada Resource Association (an industry trade group). The new proposed standard, which is referred to as Ada 2005, incorporates another decade of experience in using Ada to build large safety-critical systems, for example the onboard avionics control of the Boeing 777, and also a decade of research in language design.
The new language is not yet officially standardized, but the technical work is complete, and formal standardization is expected sometime next year. Meanwhile, Ada vendors are proceeding with its implementation, and Ada 2005-based products are available and in use today. There are important contributions that the use of Ada 2005 can make in ensuring safety and security of large critical software applications.
It is interesting to note that the phrase “safety-critical” specifically applies to applications where human lives depend on correct operation—for example, commercial avionics. However, in a society increasingly dependent on sophisticated computer software, there are more and more applications where correctness is essential, even if they are not formally considered safety-critical. For example, the commercial banking structure relies on complex computer controls. Even a minor failure can cause waves that can have huge economic consequences. There are several decades of experience in building safety-critical systems, and the success has been remarkable—no fatalities can be attributed to failure of certified safety-critical software. It is both practical and essential to extend these techniques to improve the reliability of our entire computer infrastructure.