
Boeing Flies on 99% Ada - galapago
http://archive.adaic.com/projects/atwork/boeing.html
======
SEJeff
FYI I used to date a girl with a Masters in CS who got a job with Boeing. She
worked on the OpenGL overlay for the B1 Lancer. She wrote about 3 pages of
justification for every 5-6 lines of code she wrote. After 2 years she bounced
as the job satisfaction in that type of environment simply wasn't there. Also
OpenGL from ADA is... interesting.

She worked at the Boeing San Diego office, which is quite beautiful.

~~~
ubernostrum
If she has experience writing 3 pages of justification for every 5-6 lines of
code, perhaps she should join the functional-programming community...

~~~
eru
We don't tend to write that much justification (at least in industry).

~~~
coldtea
I think he meant it as a joke.

As in: "for every line of code a functional programmer writes" he'll write 5
blog posts and 10 HN comments on why functional programming is better, how
currying, functional composition, monads, etc, work etc...

~~~
eru
If only we could write the blogs in Haskell as well, for the awesome reduction
in LoC.

~~~
mercurial
Well, you can write them in literate Haskell...

~~~
Artemis2
Just use tons of monads!

~~~
eru
Monads are too mainstream. Applicative Functors is what it's at these days.

~~~
mercurial
But Monads _are_ Applicative Functors. Go for arrows instead.

------
ghshephard
This is an awesome article - there are a ton of interesting excerpts all in
one place, that I haven't seen before, such as this one:

_One compelling reason behind the extensive pre-testing was Boeing's desire
to meet the Federal Aviation Agency's (FAA's) Extended Twin Operations (ETOPS)
standards ahead of schedule. The original ETOPS rule was drafted in 1953 to
protect against the chance of dual, unrelated engine failures. Unless a newly
designed and produced aircraft has at least three engines, it usually had to
wait, sometimes as long as four years, before the FAA and the Joint
Airworthiness Authorities (JAA) will allow it to fly more than one hour from
an airport; after a time, the new aircraft is deemed a "veteran" and is
allowed to fly three hours away. A shortened trial period would drastically
increase Boeing's sales._

It hadn't occurred to me that a 777 is always three hours away from an
Airport. I'll have to look more closely on the map.

~~~
idlewords
This is a nice mapping web app that lets you see allowed and forbidden areas
for different ETOPS levels: [http://gc.kls2.com](http://gc.kls2.com)

At 3 hours, it's mostly the Southern Ocean that's off-limits.

~~~
toomuchtodo
[http://gc.kls2.com/faq.html#etops-240](http://gc.kls2.com/faq.html#etops-240)

I had no idea Boeing was subsidizing Midway Island in order to provide an
ETOPS alternate airport.

Also, 5.5 hour ETOPS? That's crazy long!

[http://gc.kls2.com/faq.html#etops-330](http://gc.kls2.com/faq.html#etops-330)

------
reacweb
I have developed in Ada for many years. It is a marvelous language. Many mistakes
are found during compilation. Very often, when it compiles, it works. Since
Ada95, the multitasking features are really awesome. The overhead of the
verbosity is real for short programs, but becomes less relevant for big
projects.

Ada is not in the hype anymore. It is getting more and more difficult (and
expensive) to have developers with a good knowledge in Ada.

In my current society, some projects are still in Ada, but the quality of the
code is becoming lower and lower, with a lot of type casts. It seems people are
thinking in C (C++) and are painfully writing their ideas in Ada.

~~~
ArkyBeagle
It is an absolute shame that Ada did not take its place as a dominant player
early on. But people have difficulties reasoning about cost in computing. The
verification cost for the toolchains pretty much kept places I worked at out
of it. It is too bad that those costs were not treated as public goods and
paid for out of tax money. I expect it would have been a good investment.

------
neurotech1
Google Cache Link:
[http://webcache.googleusercontent.com/search?q=cache%3Aarchi...](http://webcache.googleusercontent.com/search?q=cache%3Aarchive.adaic.com%2Fprojects%2Fatwork%2Fboeing.html&oq=cache%3Aarchive.adaic.com%2Fprojects%2Fatwork%2Fboeing.html)

------
eduardordm
The actual language has little to do with the current widespread use of Ada in
critical aviation software. The main reason lies in the certification process
and reuse of certified tools. I wrote a little about it here:
[http://eduardo.intermeta.com.br/posts/2013/2/10/making-aviat...](http://eduardo.intermeta.com.br/posts/2013/2/10/making-aviation-sofware)

~~~
foobarqux
C is usually supported as well as or better than Ada so it does have to do
with the language.

~~~
seanmcdirmid
With certified tools?

~~~
ahmett
FAA certifies software and databases (and the data in those databases) of
companies like Boeing.

~~~
seanmcdirmid
Yes, was parent claiming that C has a lot of "certified" tools as much as Ada
does? The phrasing was ambiguous.

~~~
tjr
Dynamic memory management is inadvisable in avionics code, making languages
that rely on garbage collection (perhaps pointlessly) challenging to use. But
in general, there are no restrictions on what _language_ is used. The
particular version of the compiler you are using has to be certified, but just
so long as you can use the language and the compiler to meet DO-178B/C standards,
you can use whatever you want. You can use whatever tools you want, if they
get certified. You can write your own tools and certify them. Anything goes,
just so long as it meets standards.

(Working on some flight management software, I found a bug in our version of
GCC. It's free software, right? So I could just fix it? Or even upgrade to a
newer version? That would have meant re-certifying the compiler, so it was
easier to work around the bug.)

In practice, I do see a lot of avionics code written in Ada. I see a lot written
in C. I see a lot written in C++. I haven't seen much else. I would guess a
roughly even split between Ada and C or C++, with either C or C++ being
increasingly favored for new clean sheet projects.

~~~
foobarqux
Surprisingly you don't even need to use DO-178, you just need to convince the
FAA that it is safe. I have never heard of anyone not using DO-178 though.

Have you seen level A software written using C++?

~~~
tjr
_I have never heard of anyone not using DO-178 though._

Me neither. I can imagine that would be harder than just using DO-178, as the
auditors are used to dealing with it.

 _Have you seen level A software written using C++?_

Not personally. I have heard of a level A flight controls project that was
planning to use C++, and was in the process of getting their C++ compiler (GCC
C++, I believe) certified. I don't know how it turned out.

------
jbogp
A good thread about programming languages in avionics.

[https://www.linkedin.com/groups/Which-is-Major-Programming-l...](https://www.linkedin.com/groups/Which-is-Major-Programming-language-141158.S.93712052)

Having had a lot of my undergrad CS classes in Ada (in Toulouse France, the
home of Airbus) I get nostalgic every time I see a post mentioning Ada on HN.

------
Artemis2
That's not surprising, given that safety-critical software is very often
programmed in Ada or SPARK.

~~~
yoodenvranx
If it is so safe and reliable, why isn't it used more for normal projects?

~~~
awjr
I was involved in writing the short term collision alert system for the New En
Route Centre down in Swanwick, UK. Basically proving something won't kill is
extremely important in this environment. The language is almost irrelevant.
Proving every single piece of logic has been exercised (an OR statement had to
have true true, false true, true false and false false tests...now add
multiple ORs to that). Mission critical software is another world.

Probably rather alien to the HN crowd ;)

~~~
malka
The Paris subway network is partially automated. The software is written in
OCaml, and mathematically proven correct using Coq.

~~~
sitkack
Which parts aren't automated?

~~~
brohee
Plenty of lines still have drivers.

The only fully automated lines are 1 and 14.

------
xarien
Ada is by far the strongest typed language I've used in my 2 decades of
programming. In the defense / aviation industry, it's very common to have
multiple sub-contractors working on different pieces of the platform. Due to
this trait, interfaces between these sub-systems / components are heavily
scrutinized. Using a language such as Ada to ensure that large amounts of
bitwise data structures are clearly defined and match eases the burden (at
least a little).

------
damian2000
There's a relevant Programmers.SE post on this ...

[http://programmers.stackexchange.com/questions/153266/what-o...](http://programmers.stackexchange.com/questions/153266/what-operating-systems-are-used-in-airplanes-and-what-programming-languages-are)

According to comments there, some modern aircraft run an RTOS (real time
operating system) on top of the bare hardware, which then lets you run Ada or
C code. Those mentioned include VxWorks[1] for the Boeing 787 and Integrity[2]
used by the Airbus A380.

[1]
[http://en.wikipedia.org/wiki/VxWorks](http://en.wikipedia.org/wiki/VxWorks)

[2]
[http://en.wikipedia.org/wiki/Integrity_(operating_system)](http://en.wikipedia.org/wiki/Integrity_\(operating_system\))

~~~
xarien
Most bootloaders (of components) if nothing else will be wrapped in vxworks.

------
donquichotte
I recently applied for a job at a company that makes civilian drones (rescue,
police). They required knowledge of the Oberon language, I'm pretty sure they
use HelyOS [1] for real-time control of their coaxial helicopters.

It's quite interesting how these Pascal derivatives seem to find their niche
in high-reliability or real-time applications, although I don't quite
understand why. That may have been part of the reason why I didn't get the
job.

[1]
[http://en.wikipedia.org/wiki/XOberon](http://en.wikipedia.org/wiki/XOberon)

~~~
nimrody
No pointers.

Range limited types, e.g.

    
    
         Type Day = (0..7);
    
         Days = (monday,tuesday,wednesday,thursday,friday,  
                 saturday,sunday);
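
Added example (not from the thread or the linked article): the range-limited types mentioned above, combined with the bit-level interface records xarien describes earlier, written in Ada. The 16-bit status word, its field names and the sample values are hypothetical.

```ada
with Ada.Text_IO; use Ada.Text_IO;
with Ada.Unchecked_Conversion;
with Interfaces;  use Interfaces;
with System;

procedure Status_Word_Demo is
   --  Hypothetical 16-bit word passed between two subsystems.
   type Channel_Id   is range 0 .. 5;      --  3 bits, patterns 6 and 7 unused
   type Mode is (Standby, Active, Self_Test, Fault);  --  2 bits
   type Flight_Level is range 0 .. 600;    --  11 bits, 601 .. 2047 unused

   type Status_Word is record
      Channel : Channel_Id;
      State   : Mode;
      Level   : Flight_Level;
   end record;

   --  The layout is part of the type, so both sides compile the same contract.
   for Status_Word'Bit_Order use System.Low_Order_First;  --  bit 0 = LSB
   for Status_Word use record
      Channel at 0 range 0 .. 2;
      State   at 0 range 3 .. 4;
      Level   at 0 range 5 .. 15;
   end record;
   for Status_Word'Size use 16;

   function To_Status is
     new Ada.Unchecked_Conversion (Unsigned_16, Status_Word);

   --  Raw words arriving from another component are not trusted: 'Valid
   --  tests each field against its declared range without raising.
   function Accept_Word (Raw : Unsigned_16) return Boolean is
      S : constant Status_Word := To_Status (Raw);
   begin
      return S.Channel'Valid and then S.State'Valid and then S.Level'Valid;
   end Accept_Word;

   --  Constructed sample words: level 350, Active, then the channel bits.
   Good : constant Unsigned_16 := 350 * 32 + 1 * 8 + 2;  --  channel 2
   Bad  : constant Unsigned_16 := 350 * 32 + 1 * 8 + 7;  --  channel 7
   Ch   : Channel_Id := 5;
begin
   Put_Line ("good word accepted: " & Boolean'Image (Accept_Word (Good)));
   Put_Line ("bad word accepted:  " & Boolean'Image (Accept_Word (Bad)));
   Ch := Ch + 1;  --  leaves 0 .. 5, so the range check fails at run time
   Put_Line ("not reached: " & Channel_Id'Image (Ch));
exception
   when Constraint_Error =>
      Put_Line ("Constraint_Error: channel left 0 .. 5");
end Status_Word_Demo;
```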

------
blueskin_
...and now I will always want to fly on an Airbus instead.

Reminds me of the joke:

> At a recent real-time Java conference, the participants were given an
> awkward question to answer:

> "If you had just boarded an airliner and discovered that your team of
> programmers had been responsible for the flight control software, how many
> of you would disembark immediately?"

> Among the forest of raised hands only one man sat motionless. When asked
> what he would do, he replied that he would be quite content to stay aboard.
> With his team's software, he said, the plane was unlikely to even taxi as
> far as the runway, let alone take off.

~~~
enjoy-your-stay
>...and now I will always want to fly on an Airbus instead.

Reminds me of a joke I was once told by a QA consultant:

His colleague was on his way to deliver a revision of software which had been
extensively tested and many serious bugs discovered and fixed. The software
was so important that it was to be delivered in person by the consultant on a
laptop to the customer.

On the walkway to the plane, he happened to glance up and see the aeroplane he
was about to board was an Airbus. In fact the very revision that had the same
software he'd just been testing and had found to be full of bugs.

Oh no.

Suddenly getting very cold feet and desperately thinking of a way not to get
on the plane he takes a drastic step and deliberately drops and destroys the
laptop with the software he was going to deliver.

Happy now he returns to the office and declares 'well, that's a shame - but I
think I'll take the train next time'

\- was told to me as a true story, and you never know...

------
SkyMarshal
_> According to Brian Pflug, engineering avionics software manager at Boeing's
Commercial Airplane Group, most companies disliked the idea of a standard
language at all, and then seriously objected to Ada as too immature._

By what measure did they consider Ada "too immature" I wonder? It's one of the
oldest languages, an open international standard, and has been through several
major updates over three decades. On the surface there are few if any
languages that claim more maturity than that.

~~~
Padding
There's no compiler (and standard library implementation) that has faced
public scrutiny like other popular languages have. Additionally, there are no
IDEs for Ada comparable to the IDEs of other commercial languages (e.g. C++, C#
or Java). Which is understandable given how little interest there is in Ada,
amongst the "general public" of developers, which is understandable given how
there's no proper free implementation of Ada.

There's essentially just the AdaCore implementation that costs $$$, the GPL'd
AdaCore implementation that requires you to publish your source code (because
of the libraries) and then there's some unsupported GCC implementation.

I like Ada, and I would like to see it gain more market share. If it had,
things like Rust and Go may have been superfluous. But the way things are, I
just don't see it happening. Unless you're some big enterprise Ada is
essentially a non-option, due to licensing, and if you're a big enterprise
it's essentially a non-option since there's very few devs around for it. And
so it remains an obscure language used in very niche applications (albeit with
great success there?).

~~~
sgt101
Really strange about the tooling, if I were BAE or Boeing I'd be standing up a
project to create an IDE on top of Eclipse - ~2 man year effort for vast
productivity gains!

 __dons asbestos pants in expectation of anti eclipse comments!

~~~
johansch
[http://www.atego.com/products/atego-objectada/](http://www.atego.com/products/atego-objectada/)

------
cpeterso
What new languages are being developed that could be even safer than Ada for
safety critical systems? Are Agda, Haskell, or Rust as safe or strongly typed
as Ada?

~~~
tjr
Weirdly, avionics development seems to be moving away from Ada toward C! I
personally think something like OCaml would be a better choice...

I think the problem is, there is so much momentum built up around Ada and C
usage in the avionics world that there just isn't the infrastructure and
culture built up around better languages, so it's hard to make the switch.
Even if you have to write a brand new codebase for some small avionics
project, how do you justify the expense of doing it all in OCaml when there are
already certified compilers and support for Ada?

It ought to happen, though.

~~~
en4bz
Yes, cause one definitely wants "Stop the World" GC in a real-time system.

~~~
tjr
Right, that was unclear. Languages that rely on garbage collection can't
realistically be used in flight. "Something like OCaml" but with manual memory
management might be better than Ada. But with recursive functions also frowned
upon in avionics, a lot of the fun of OCaml might be drained...

------
theoutlander
What is the other 1%? (I was only able to glance through pieces of the article
for now)

~~~
WildUtah
The hardware access routines, real time operating system, and bottom level I/O
can't be written in ADA. CPUs accept only machine code, so those programs have
to be written at least partly in machine code.

Likewise the compiler has to generate CPU instructions, the opcodes and
operands of which are embedded in the code generator as binary data. That is
code that isn't in ADA either.

~~~
amock
Ada gets compiled to machine code, so of course it can run directly on the CPU.

There's also no reason it can't be used to write a compiler and there are
probably several Ada compilers written in Ada. I'm not sure what you mean
about binary data having to be embedded in the code generator; you can easily
generate arbitrary binary data from almost any language.

------
warriar
Anyone else thinking that Public Write and Execute would be bad for an
Airplane?!

