By Franco Gasperoni, AdaCore
A group of experts is investigating the creation of a Java variant for safety-critical systems that can undergo DO-178B certification. This ongoing effort finds its roots in the work on the real-time specification for Java that started in December 1998.
The question is: What problem does this effort try to solve?
The answer is not technology. There are many technical challenges to create a Java derivative suitable for the development of safety-critical software. These challenges make this task interesting for a group of experts. Yet, there is no technical need for another programming language in the safety-critical domain. Indeed today there are plenty of safety-critical systems developed using a plethora of technologies and successfully programmed in Ada 83/Ada 95 and C/C++.
So, again: What problem would a Java variant for safety-critical systems solve? Answer: developer shortage.
The argument goes like this: Today it is difficult to find Ada and
C/C++ developers, while there are plenty of Java programmers out there
that will be able to pick up a safety-critical Java variant quickly.
really? This reminds me of the time I attended the Java One conference
in 2000 where employers were looking for Java developers with 10 years
of experience (Java was introduced in 1995).
Finding Ada and C/C++ developers cannot be the issue. We are not
talking about ancient Greek. We are talking about a programming
language. Take Ada for instance. There are 20,000 unique users in the
last two years that have downloaded GNAT, the Ada tool chain from AdaCore “Libre” web site
to learn Ada or develop free software in Ada. This number does not
include developers that have downloaded GNAT from the Free Software
More anecdotally, in November 2007, the National Museum of Computing
sponsored an historical code-breaking competition to celebrate the
rebuild of Colossus Mark 2 at Bletchley Park.
Colossus, the first programmable digital computer, was used in
world-war II to crack the codes created by the Lorenz cipher machines
used by the Nazis. Programmers and code breakers were invited to try to
beat the rebuilt Colossus in cracking the 1938 Lorenz SZ42 encrypted
message. Joachim Schüth, an Ada novice, was able to decipher the code and beat Colossus with a program written in Ada after having learnt Ada in his spare time.
What problem would a Java variant for safety-critical systems solve?
In the author’s opinion: none. Confining the issue of developing
safety-critical software to the programming language alone is a bit
like saying that the building of skyscrapers reduces to the type of
concrete and steel used. Yes, you cannot build a safe skyscraper with
poor quality steel and concrete, so a programming language with safety
concerns built-in is necessary to build safety-critical software.
Necessary does not mean sufficient, though.
In the author’s opinion the real issue is the shortage of expertise.
A good developer of safety-critical software is hard to come by, and
Java, C/C++, or Ada alone cannot address this issue. From requirements
capture, to safety engineering, to system modeling, to software design,
development, and verification, to configuration management and quality
assurance there are many activities and know-hows that participate in
the creation of safety-critical software. Reducing these activities to
the programming language and coding is wishful thinking.
To summarize, the illusion is that by making small changes to Java
we (a) will be able to create a language suitable for safety critical
systems and (b) we will be able to draw from the large pool of Java
developers to develop safety-critical systems. Both of these are
pitfalls. (a) is like saying that by making small changes to a Toyota
you can create a Ferrari, while (b) is saying that once we have done
(a) we can take the large pool of Toyota drivers and use them to drive
Ferraris in a Formula 1 race. Most of hese drivers don’t have the
appropriate skill set.
The shortage of expertise in the design and development of
safety-critical software is a real and difficult problem. This is
compounded by the fact that we need a world-wide pool of
safety-critical software expertise in the thousands, not in the
So how does one ensure that a small but steady stream of
safety-critical developers is produced by the academic system year
after year? (See Computer Science Education: ‘Where Are the Software Engineers of Tomorrow?‘) This is the real challenge.
Franco is co-founder and General Director of AdaCore, the company
that develops and offers commercial support for GNAT Pro, the Free
Software environment for Ada 2005, Ada 95, and Ada 83. AdaCore is a 100% Free Software Company basing its business model
on high-quality support and subscription-based pricing. AdaCore
provides Ada solutions to customers in the avionics, air traffic
management, military, railways, and space industries, amongst others. Franco Gasperoni has an engineering degree from the Ecole des
Mines de Paris, France and a PhD in Computer Science from New York
University, USA. While at the Ecole des Mines, Franco worked with
Maurice Allais, the French Economics Nobel prize winner. Franco has lectured and conducted research at New York University and at the
Ecole des Telecommunications (ENST), in Paris. Franco has published
over 25 papers.