T-50 Avionics Embedded Software Development Using Java

Warning: This material may contain defense sensitive data, competitive and sensitive trade secret or technical information of KAI proprietary rights. The use (to provide, disclose, reproduce or copy to the third person/party) of this material without the prior approval of KAI is strictly prohibited in accordance with the related laws and regulations.

T-50 Avionics Embedded Software Development using Java

ISET 2011 - The 6th International Symposium on Embedded Technology (May 20-21, 2011)

Overview• The Flagship Project

− Core Software

• Why Java?− C/C++ Experience in Other Projects

• Pointer Problems− Java Pros and Cons

• Real-time Java

• Language Selection• Development

− OFP Layers− Speed & Size Issues− Optimizations

• Points to Ponder

Korea Aerospace Industries Proprietary Information 2

The Flagship Project• Total systems development

− Core software: FC, MFDS, IUFC, HUD, and SMS− Core avionics hardware: KMC, SMC− Test bench, and Mission support system

Korea Aerospace Industries Proprietary Information 3

RTOS CertificationRTOS Certification

- NEOS by MDS Technology (DO-178B Level A Certifiable)- NEOS by MDS Technology (DO-178B Level A Certifiable)

Test Bench DevelopmentTest Bench Development

- System Integration Laboratory- Software Development Station- System Integration Laboratory- Software Development Station

Hardware DevelopmentHardware Development

- KMC by Intellics- SMC by DoDaam Systems

- KMC by Intellics- SMC by DoDaam Systems

Ground Support System Ground Support System

- MPSS by KIDA- MPSS by KIDA

Software DevelopmentSoftware Development

- FC- MFDS- IUFC by AMC- HUD by DoDaam Systems

- FC- MFDS- IUFC by AMC- HUD by DoDaam Systems

Avionics Embedded System Verification

Operation & Maintenance

KMC: Korea Mission ComputerMFDS: Multi-Function Display SetMPSS: Mission Planning and Support SystemSMC: Stores Management ComputerSMS: Stores Management System

FC: Fire ControlHUD: Head Up DisplayIUFC: Integrated Up Front ControlsKIDA: Korea Institute for Defense Analysis

Core Software• Software (OFP) developed from scratch with

enhanced capabilities compared to initial T-50 OFPs− 6 independent 5x7 MFD pages (3 for each seat)− Embedded Training functions

Korea Aerospace Industries Proprietary Information 4

Aerial Gunnary Target Simulation

MFD: Multi-Function DisplayOFP: Operational Flight Program

Core Software• Central to Systems integration & mission operations

Korea Aerospace Industries Proprietary Information 5

Avionic Systems

Secondary, Tertiary Software

Core SoftwareFlight Control

Stores MgmtMission &

Displays

Targeting

Vehicle Management

Pilot InterfaceAircraft & Weapon Specific Characteristics

Communication

Static & Dynamic Parameters

Nav. Aids

Pilot Control & Command

Mission/FlightInformation

ControlCommands

Why Java?• Avionics Needs

− Safety (DO-178)− Long lifecycle support

• Language Trends− F-16: Jovial− F-22: Ada− F-35: C++− T-50: C/C++

• Evolution of Java− Real-time Java (JSR-1)− Safety Critical Java (JSR-302)

Korea Aerospace Industries Proprietary Information 6

An Empirical Study of Programming Language Trends, IEEE Software, 2005

Java

C++

Ada

CJava

AdaC++

C

Perc

ent

of r

espo

nden

ts

Year1993 1998 2003 2008

10

15

20

25

5

0

30

TIOBE Programming Community Index, www.tiobe.com, 2011

Java

C++

CJava

C++

C

Perc

ent

sear

ch h

its

Year2002 2005 2008 2011

10

15

20

25

5

0

JSR: Java Specification Request

C/C++ Experience in Other Projects• C/C++ demands high alertness and workload

− Resource management : new/delete, open/close, lock/unlock• For C++, RAII helps but not without attention to copy constructors

and copy assignment operators (The Rule of Three)− Exception handling: assert was used instead for debugging− Pointers: cannot live without but usually the culprit of most of

the troubles− Many other do’s and don’ts

• Lessons learned from prior projects including T-50 went into KUH− Coding guidelines became Coding Standards− Peer review prerequisites are enforced with automated tools

• LDRA coding rule checking and PolySpace static verification

Korea Aerospace Industries Proprietary Information 7

KUH: Korea Utility HelicopterRAII: Resource Acquisition is Initialization

Pointer Problems• Problems such as an example shown below would

easily be identified by a static analysis tool− An example of one of the problems

• extract_data outputs an address of a data block to MESSAGE_DATA• sidd_write_link uses MESSAGE_DATA to transmit the data block

Korea Aerospace Industries Proprietary Information 8

// doubleTrouble.c

typedef void* Data_Pointer_Type;Data_Pointer_Type MESSAGE_DATA;void extract_data(Data_Pointer_Type* MSG_DATA_PTR,...);void write_link(Data_List_Type* DATA_LIST,...);

: :

extract_data(MESSAGE_DATA,...); ...write_link((Data_List_Type *)(*(unsigned int*)MESSAGE_DATA),...

Should be a reference:&MESSAGE_DATA Should not dereference:

(MESSAGE_DATA)

Would read better if named:MESSAGE_DATA_PTR

Casting not needed

Java Pros and Cons• Lessons learned from prior projects also led to

considering Java− Boosted by the presence of OOTiA and RTSJ (2004)

• Pros− C/C++ like syntax : easier transition to the new language− No pointers, No header files− Safer and more secure

• Cons− Garbage Collection− Big− Slow

Korea Aerospace Industries Proprietary Information 9

JamaicaVM caught our attention so it was evaluated

OOTiA: Object Oriented Technology in AviationRTSJ: Real-time Specification for Java

Real-time Java• JSR-1 RTSJ adds features that are immune to GC

− Memory models and regions that are not subject to GC− Real-time threads that are not preemptible by GC

Korea Aerospace Industries Proprietary Information 10

GC: Garbage CollectionJSR: Java Specification RequestRTSJ: Real-time Specification for Java

From aicas technology brief

Real-time Java• JamaicaVM from aicas

− Implements Work-Based GC which runs when and where memory allocation occurs

− Also implements RTSJ but having deterministic GC enables real-time programming easier

Korea Aerospace Industries Proprietary Information 11

GC: Garbage CollectionRTSJ: Real-time Specification for Java

From aicas technology brief

Language Selection• Performance Evaluation

− Test program• Existing in-house tool written in C

was converted to Java• The tool was a weapon delivery

accuracy analysis software based on actual ballistics algorithm

− Target Environment• OS: VxWorks 5.5.1, BSP 1.2/1.10• CPU: SBS CK5 MPC 7447A 999MHz• RAM: 512MB

− Some optimizations were done with profiling and adjusting compile options to get the best possible results

Korea Aerospace Industries Proprietary Information 12

BSP: Board Support Package

Language Selection

Korea Aerospace Industries Proprietary Information 13

• Results

• Conclusion− Target CPU speed (1.6 GHz) and large memory size (1 GB)

were thought to be sufficient enough to run Java applications

• JamaicaVM was selected for the development of the Flagship Project

C Java

Speed (msec) 1.43 2.8 Java is 1.98 times slower

File Size 157KB 4MB Java includes JVM which is 3~4MB depending on packages

Development• Development Environment

− Models containing code are put under configuration control

Korea Aerospace Industries Proprietary Information 14

Requirements : DOORSVersion Control : PVCS

GUI : GL Studio - evaluated but not integrated with the process, yet

Rhapsody

STE & SIL

Ground Test / Flight Test

Eclipse

JamaicaVM

EMMA / CodeCover VeriFlux

SIL: System Integration LaboratorySTE: Software Test Equipment

OFP Layers• JVM’s platform independence enables modular

development− Success story : One day integration of JVM and HUD OFP

Korea Aerospace Industries Proprietary Information 15

CDU: Control & Display Unit JNI: Java Native Interface JOGL: Java OpenGL JVM: Java Virtual Machine KUH: Korea Utility Helicopter OXF: Object Execution Framework PFD: Primary Flight Display SC: Safety CriticalSMM: System Mission Management

KAI Works

Vendor Works

OS*OS*

T-50 Java Applications (OFP)T-50 Java Applications (OFP)

Real-time JVMReal-time JVM

OpenGL SCOpenGL SCDevice DriversDevice Drivers

FCFC HUDHUD MFDSMFDS IUFCIUFC

* OS : VxWorks, NEOS, Windows

JNIJNI JOGLJOGL

JVM provided portability

OS*OS*

KUH C++ Applications (OFP)KUH C++ Applications (OFP)

OpenGLOpenGL

Device DriversDevice Drivers

SMMSMM PFDPFD MFDSMFDS CDUCDU

KAI Framework based on

Rhapsody OXF(OS Services)

KAI Framework based on

Rhapsody OXF(OS Services)

* OS : VxWorks, Windows

KAI APIKAI API

Self (KAI) provided portability

Speed & Size Issues• OFP is designed with 50Hz rate groups

− Each rate group should complete well within 20msec

• Initially, it took almost 40msec for a FC OFP rate group to complete which was double the time limit− One of the reasons was data I/O utilizing JNI, especially

MIL-STD-1553 due to its tight coupling with the OFP− The other reasons were compile options

• HUD and MFDS were also suffered− HUD requires many JNI calls to present cursive graphic

objects on the display− MFDS initially had a size of over 300MB before optimization

Korea Aerospace Industries Proprietary Information 16

Optimizations• Took a few months to optimize

− Compile/build options including• Tradeoff between profiled interpreter code vs compiled code• Static binding for virtual calls (no dynamic class loading), etc.

− JNI• Reducing the number of JNI calls• Reducing run-time creation of temporary data buffers

− Some design considerations• Making final and static where applicable e.g. constants• Reducing the number of threads

• Overall efforts brought down the speed to within 20msec, and the size from over 80MB to 50MB and then to 30MB in case of FC OFP

Korea Aerospace Industries Proprietary Information 17

Points to Ponder• JNI

− With some care, it is a nice solution for hardware interfaces− Alternatives may be considered e.g. CORBA, XML

• But are they DO-178 compliant?

• Sound practice is needed regardless of languages− Programming idioms such as LSP, and− Design & Coding standards enforcing them, and− Review processes with support from automated tools

• But within the same rules, Java eases much of a burden off the programmer− Enables spending more time on design, or having a longer

coffee breakKorea Aerospace Industries Proprietary Information 18

LSP: Liskov Substitution Principle

Points to Ponder• DO-178C and supplement documents are due by the

end of 2011− After 7 years of preparation since OOTiA handbook in 2004− Will enable the use of real-time Java Technology with

deterministic garbage collection in critical avionics software

• Open source, cost effective tools and environments− One such case is TOPCASED

• Eclipse based systems/software development environment promoting model-driven development and formal methods

• Java is a good language of choice for safety-critical, hard real-time embedded software development

Korea Aerospace Industries Proprietary Information 19

DO-178C: Safety Considerations in Airborne Systems and Equipment CertificationOOTiA: Object Oriented Technology in AviationTOPCASED: The Open-Source Toolkit for Critical Systems

Korea Aerospace Industries Proprietary Information 20

Thank you

Bang, KeugyeolPrincipal Research Engineer

Avionics Advanced R&D [email protected]

방극열수석연구원항전선행연구팀010-9048-0828

Acronyms

Korea Aerospace Industries Proprietary Information 21

Air-BEST Air-borne Embedded System and TechnologiesAPI Application Program InterfaceARINC Aeronautical Radio IncorporatedBSP Board Support PackageCDU Control and Display UnitFAA Federal Aviation AdministrationFC Fire ControlGC Garbage CollectionHUD Head Up DisplayIUFC Integrated Up Front ControlsJNI Java Native InterfaceJOGL Java OpenGLJSR Java Specification RequestJVM Java Virtual MachineKAI Korea Aerospace Industries, Ltd.KIDA Korea Institute for Defense AnalysisKUH Korea Utility HelicopterKMC Korea Mission ComputerLSP Liskov Substitution PrincipleMFDS Multi-function Display Set

MIL-STD Military StandardMPSS Mission Planning and Support SystemOFP Operational Flight ProgramOOTiA Object Oriented Technology in Aviation, FAAOpenCL Open Computing LanguageOpenGL Open Graphics LibraryOS Operating SystemOXF Object Execution FrameworkPDR Preliminary Design ReviewPFD Primary Flight DisplayRAII Resource Acquisition Is InitializationRTOS Real-time Operating SystemRTSJ Real-time Specification for JavaSC Safety CriticalSIL System Integration LaboratorySMC Stores Management ComputerSMM System Mission ManagementSMS Stores Management SystemSTE Software Test EquipmentUFC Up-front Controls