Certification of Ada real time executives for safety critical applications

Abstract

The certification procedures apply to a full equipment including both hardware and software components. The issue is that the equipment supplier must integrate various components coming from separate sources. In particular, the Ada Run Time System is embedded in the equipment as any other application component. This leads to two major requirements: a. the Ada Run Time System must be a glass box b. unused run-time services must be eliminated from the embedded components. The first requirement comes from the civil aviation procedures DO 178A [1] and the second is a consequence of the need to proof the system. This can lead to eliminate some unpredictible or unsafe Ada language features. The criticity of the system consists of three levels: critical, essential and non essential. The report ARINC 613 (from the Airlines Electronic Engineering Committee) surveys the Ada language and provides a list of features not to be used in avionics embedded software at least for the two first levels. Two solutions are proposed: 1. The SMall Ada Run Time System (SMART) which meets such requirements for an Ada subset. This Run Time System does not support tasking, exception and dynamic memory allocation except for global objects or fixed size collections. We show how calls to this reduced Run Time System can be generated by the standard Ada compilation system. 2. The alternative Run Time System called C-SMART which is an approach used by Boeing with the cooperation of Alsys for the B777 project. C-SMART shares most of the SMART functionalities. Two major differences exist: it requires a devoted Ada compilation system and Alsys provides the end-user with the test plan of C-SMART which consists also of unitary tests set.