In the world of embedded systems, some applications simply must not fail—ever—as a result of a software bug. In avionics software, for example, where a minor bug can easily lead to a disaster, you need software that goes well beyond commercial standards for reliability. If your PC crashes, you can recover; if your airplane crashes, you can't.
That's why there's DO178B, the standard for airborne software whose failure could put human life at risk. Software installed in civilian aircraft has been meeting DO178B requirements for several years, and now many military avionics programs are mandating adherence. DO178B has five levels, graded by the severity of a failure's consequences. The two most stringent are Level A, covering catastrophic failures that would prevent continued safe flight or landing, and Level B, covering failures that would result in a hazardous aircraft condition. Meeting the requirements of DO178B, especially at Level A, is a lengthy and arduous procedure.
Fortunately, newly available software tools greatly simplify the DO178B certification process. Not coincidentally, these tools also simplify software development, making it less error prone. As a bonus, they greatly speed up development: by some vendors' estimates, the savings can reach 80% or more in comparison with traditional software-development techniques.
Coding Airbus. Consider the experience of European aircraft consortium Aerospatiale in developing software for the Airbus A340. By using the automatic code-generation capability of SCADE (Safety Critical Application Development Environment) from Telelogic (Kungsgatan, Sweden, www.telelogic.com), Aerospatiale reduced manual software programming to only 30% of the total programming effort. Total coding errors were fewer than 10 per 100 kbytes of software, down from several hundred errors in the earlier Airbus A310 development, which didn't use SCADE.
What makes such dramatic improvements possible is a combination of graphics-based prototyping tools and automatic code generators. The graphical tools let you prototype complex subsystems with a simple point-and-click, drag-and-drop interface. For example, you can quickly create on your computer screen a working prototype of a cockpit display. Then, after you've tested and refined the prototype, an automatic code generator converts it into the computer code that will implement it as an actual airborne display.
Not just airplanes. Graphical design tools and code generators are also useful in areas other than avionics. For designing displays of any type—for cars, portable communication devices, medical and test instruments, and numerical-control machines, for example—graphical tools are particularly helpful. In fact, the Virtual Prototypes division of eNGENUITY Technologies (Montreal, Canada, www.virtualprototypes.ca) has special versions of its VAPS software tool for both avionics and automotive display design.
These tools aren't limited to display design either. VAPS, for example, links with MATLAB and Simulink from The MathWorks (Natick, MA, www.mathworks.com) to provide other, complementary capabilities. VAPS also links with MATRIX, an interactive tool from Wind River Systems (Alameda, CA, www.windriversystems.com) for the development of real-time embedded control systems.
Graphical design and automatic code generation aren't new, but their application to the stringent safety requirements of DO178B is relatively recent. Telelogic's SCADE, which meets requirements for Level A qualification, was the first on the scene. eNGENUITY's QCG (for Qualified Code Generator) is newly available for Level B qualification, and a version that meets Level A requirements is due out next year. Both SCADE and QCG automatically generate computer code that is very reliable in comparison with manually programmed code.
Avoiding infinite loops. The reliability of code from these tools is largely due to restrictions that the tools automatically place on programming practice. Programs created with the tools don't use dynamic memory allocation, for example, by which a program claims a certain amount of system memory as it needs it and then releases it when it's through. Although dynamic memory allocation reduces the amount of memory a system needs to have installed, it makes program behavior hard to predict: an allocation can fail at run time, the heap can fragment, and the time an allocation takes varies from call to call. Static allocation fixes all of the program's memory requirements at build time.
Similarly, programs created by DO178B-compliant software tools use only bounded program loops, that is, loops whose maximum number of iterations is known in advance, so that a program can never hang in an infinite loop. Likewise, a program may not make calls to library functions that are separate from the program's main code and that may undergo revision without the programmer's knowledge. Also, the tools may require that every variable in a program be "typed" (declared as integer or floating-point, for example) and be given an initialization value, because a variable that is read before it is written holds whatever happened to be in memory, and the program's behavior then depends on that leftover content.
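The restrictions above are easy to state but worth seeing in concrete form. The following C is an added example written for this article, not output from SCADE or QCG and not code from any of the vendors mentioned: it shows the hand-written equivalent of the rules (static storage instead of malloc, compile-time loop bounds, every variable typed and initialized, no library calls in the application code). The simulated device, the constants SAMPLE_COUNT and MAX_POLL_ITERATIONS, and the sample values are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Compile-time bounds (assumed values for this example): every array size
   and loop limit is a constant, so memory use and worst-case execution
   time are known before the code ever runs. */
#define SAMPLE_COUNT        8u
#define MAX_POLL_ITERATIONS 1000u

/* Static storage instead of malloc(): it is reserved at link time and
   can neither fragment nor fail to allocate at run time. */
static int32_t g_samples[SAMPLE_COUNT] = { 0 };

/* Average of the first `count` samples. All locals are explicitly typed and
   initialized; the loop bound is clamped to SAMPLE_COUNT, so the loop can
   never run more than SAMPLE_COUNT iterations whatever `count` says. */
int32_t bounded_average(const int32_t *samples, uint32_t count)
{
    int64_t  sum = 0;
    uint32_t i   = 0u;
    uint32_t n   = (count > SAMPLE_COUNT) ? SAMPLE_COUNT : count;

    if (n == 0u) {
        return 0;
    }
    for (i = 0u; i < n; i++) {
        sum += samples[i];
    }
    return (int32_t)(sum / (int64_t)n);
}

/* Simulated device state (constructed for this example): it reports
   "ready" once it has been polled `ready_after` times. */
typedef struct {
    uint32_t polls;
    uint32_t ready_after;
} sim_device_t;

static int sim_device_ready(sim_device_t *dev)
{
    dev->polls++;
    return dev->polls >= dev->ready_after;
}

/* The disallowed form would be:   while (!sim_device_ready(dev)) { }
   which hangs forever if the device never comes up. This version polls at
   most MAX_POLL_ITERATIONS times and returns a status the caller must check. */
int bounded_wait(sim_device_t *dev)
{
    uint32_t tries = 0u;

    for (tries = 0u; tries < MAX_POLL_ITERATIONS; tries++) {
        if (sim_device_ready(dev)) {
            return 1;   /* ready within the bound */
        }
    }
    return 0;           /* timed out: a bounded failure, not a hang */
}

/* Helpers so the behaviour can be checked from outside. */
int demo_wait(uint32_t ready_after)
{
    sim_device_t dev = { 0u, ready_after };
    return bounded_wait(&dev);
}

int32_t demo_average(void)
{
    uint32_t i = 0u;
    for (i = 0u; i < SAMPLE_COUNT; i++) {
        g_samples[i] = (int32_t)(i * 10u);   /* constructed samples 0,10,...,70 */
    }
    return bounded_average(g_samples, SAMPLE_COUNT);
}

/* Host-side harness only; the constrained code above makes no library calls. */
int main(void)
{
    printf("average=%d ready_after_5=%d ready_after_5000=%d\n",
           (int)demo_average(), demo_wait(5u), demo_wait(5000u));
    return 0;
}
```

The point of `bounded_wait` is that a device that never answers produces a return value the caller can act on (switch to a backup, raise a fault) instead of a processor that silently stops executing everything else; a timeout of MAX_POLL_ITERATIONS is also an upper bound that a worst-case-execution-time analysis can use, which an unbounded `while` loop never is.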
Advantages of portability. Graphical-design tools and code generators, whether or not they are DO178B-compliant, offer advantages that go beyond reliable code and cost savings. For example, because the code produced by these tools is "portable" (usually ANSI standard C or Ada), it's easy to re-implement it on a variety of rugged COTS (commercial off-the-shelf) systems. Typically, these COTS systems are VME boards that are available with various general-purpose processors, graphics processors, and other hardware options. The wide range of choices in VME systems makes it relatively easy to find computing hardware that offers the best performance for the required tasks.
Portable code also lets designers take advantage of changing technology. Because computer technology changes so rapidly, a system designed in a traditional manner could be out of date by the time it's deployed. In fact, embedded-system design now sometimes begins before the computing hardware is even selected. Portable code doesn't lock you to a particular system, however, so you can select hardware fairly late in the game and then implement your code on it quickly.
Not least of the advantages of DO178B software-development tools is the ability to respond quickly to changing project requirements. You have to "qualify" the design of a DO178B application, explains eNGENUITY marketing director Phil Cole, and if you then need to change the design, you have to re-qualify it—a lengthy process.
However, says Cole, "If you use a qualified [DO178B] development tool, a lot of that issue goes away, because the FAA or other regulatory body has already approved the tool for use." In addition, the qualified tools speed the design process, making it possible to implement a change in a relatively short time.