ISET 2011 - The 6th International Symposium on Embedded Technology (May 20-21, 2011)

T-50 Avionics Embedded Software Development using Java

Warning: This material may contain defense sensitive data, competitive and sensitive trade secret or technical information of KAI proprietary rights. The use (to provide, disclose, reproduce or copy to the third person/party) of this material without the prior approval of KAI is strictly prohibited in accordance with the related laws and regulations.

Overview
The Flagship Project
Core Software

Why Java?
C/C++ Experience in Other Projects
Pointer Problems

Java Pros and Cons

Real-time Java

Language Selection Development

OFP Layers Speed & Size Issues Optimizations

Points to Ponder
Korea Aerospace Industries Proprietary Information 2

The Flagship Project

Total systems development
Core software: FC, MFDS, IUFC, HUD, and SMS Core avionics hardware: KMC, SMC Test bench, and Mission support system
Avionics Embedded System
Software Development Software Development
-- FC FC -- MFDS MFDS -- IUFC by AMC IUFC by AMC -- HUD by DoDaam Systems HUD by DoDaam Systems

Verification
Test Bench Development Test Bench Development
-- System Integration Laboratory System Integration Laboratory -- Software Development Station Software Development Station

Operation & Maintenance

Ground Support System Ground Support System
-- MPSS by KIDA MPSS by KIDA

RTOS Certification RTOS Certification

-- NEOS by MDS Technology NEOS by MDS Technology (DO-178B Level A Certifiable) (DO-178B Level A Certifiable)

Hardware Development Hardware Development

-- KMC by Intellics KMC by Intellics -- SMC by DoDaam Systems SMC by DoDaam Systems
FC: Fire Control HUD: Head Up Display IUFC: Integrated Up Front Controls KIDA: Korea Institute for Defense Analysis KMC: Korea Mission Computer MFDS: Multi-Function Display Set MPSS: Mission Planning and Support System SMC: Stores Management Computer SMS: Stores Management System

Korea Aerospace Industries Proprietary Information

Core Software
Software (OFP) developed from scratch with enhanced capabilities compared to initial T-50 OFPs
6 independent 5x7 MFD pages (3 for each seat) Embedded Training functions
Aerial Gunnary Target Simulation

MFD: Multi-Function Display OFP: Operational Flight Program

Korea Aerospace Industries Proprietary Information

Core Software
Central to Systems integration & mission operations
Aircraft & Weapon Specific Characteristics Pilot Interface

Static & Dynamic Parameters

Pilot Control & Command

Control Commands

Flight Control Nav. Aids

Core Software Mission & Displays

Stores Mgmt Vehicle Management

Mission/Flight Information

Secondary, Tertiary Software Communication Targeting

Avionic Systems
Korea Aerospace Industries Proprietary Information 5

Why Java?
Avionics Needs
Safety (DO-178) Long lifecycle support
An Empirical Study of Programming Language Trends, IEEE Software, 2005
30 Percent of respondents 25 C 20 15 10 5 0 C++ C++ Ada Java 1993 1998 Year 2003 Ada Java

Language Trends
F-16: Jovial F-22: Ada F-35: C++ T-50: C/C++

C 2008

TIOBE Programming Community Index, www.tiobe.com, 2011

25 Percent search hits 20 15 10 5 0 Java C C++ Java C C++

Evolution of Java

Real-time Java (JSR-1) Safety Critical Java (JSR-302)

2002

2005

Year

2008

2011

JSR: Java Specification Request

Korea Aerospace Industries Proprietary Information

C/C++ Experience in Other Projects

C/C++ demands high alertness and workload
Resource management : new/delete, open/close, lock/unlock
For C++, RAII helps but not without attention to copy constructors and copy assignment operators (The Rule of Three)

Exception handling: assert was used instead for debugging Pointers: cannot live without but usually the culprit of most of the troubles Many other dos and donts

Lessons learned from prior projects including T-50 went into KUH
Coding guidelines became Coding Standards Peer review prerequisites are enforced with automated tools
LDRA coding rule checking and PolySpace static verification
KUH: Korea Utility Helicopter RAII: Resource Acquisition is Initialization

Korea Aerospace Industries Proprietary Information

Pointer Problems
Problems such as an example shown below would easily be identified by a static analysis tool
An example of one of the problems
extract_data outputs an address of a data block to MESSAGE_DATA sidd_write_link uses MESSAGE_DATA to transmit the data block
// doubleTrouble.c typedef void* Data_Pointer_Type; Data_Pointer_Type MESSAGE_DATA; Would read better if named: MESSAGE_DATA_PTR

void extract_data(Data_Pointer_Type* MSG_DATA_PTR,...); void write_link(Data_List_Type* DATA_LIST,...); Should be a reference: &MESSAGE_DATA : : Should not dereference: (MESSAGE_DATA)

extract_data(MESSAGE_DATA,...); Casting not needed ... write_link((Data_List_Type *)(*(unsigned int*)MESSAGE_DATA),...

Korea Aerospace Industries Proprietary Information 8

Java Pros and Cons

Lessons learned from prior projects also led to considering Java
Boosted by the presence of OOTiA and RTSJ (2004)

Pros
C/C++ like syntax : easier transition to the new language No pointers, No header files Safer and more secure

Cons
Garbage Collection Big Slow JamaicaVM caught our attention so it was evaluated
OOTiA: Object Oriented Technology in Aviation RTSJ: Real-time Specification for Java

Korea Aerospace Industries Proprietary Information

Real-time Java
JSR-1 RTSJ adds features that are immune to GC
Memory models and regions that are not subject to GC Real-time threads that are not preemptible by GC

From aicas technology brief

GC: Garbage Collection JSR: Java Specification Request RTSJ: Real-time Specification for Java

Korea Aerospace Industries Proprietary Information

10

Real-time Java
JamaicaVM from aicas
Implements Work-Based GC which runs when and where memory allocation occurs Also implements RTSJ but having deterministic GC enables real-time programming easier

From aicas technology brief

GC: Garbage Collection RTSJ: Real-time Specification for Java

Korea Aerospace Industries Proprietary Information

11

Language Selection
Performance Evaluation
Test program
Existing in-house tool written in C was converted to Java The tool was a weapon delivery accuracy analysis software based on actual ballistics algorithm

Target Environment
OS: VxWorks 5.5.1, BSP 1.2/1.10 CPU: SBS CK5 MPC 7447A 999MHz RAM: 512MB

Some optimizations were done with profiling and adjusting compile options to get the best possible results
BSP: Board Support Package

Korea Aerospace Industries Proprietary Information

12

Language Selection
Results
C Speed (msec) File Size 1.43 157KB Java 2.8 4MB Java is 1.98 times slower Java includes JVM which is 3~4MB depending on packages

Conclusion
Target CPU speed (1.6 GHz) and large memory size (1 GB) were thought to be sufficient enough to run Java applications

JamaicaVM was selected for the development of the Flagship Project

Korea Aerospace Industries Proprietary Information 13

Development
Development Environment
Models containing code are put under configuration control
Requirements : DOORS Version Control : PVCS Rhapsody Eclipse JamaicaVM EMMA / CodeCover VeriFlux STE & SIL Ground Test / Flight Test

GUI : GL Studio - evaluated but not integrated with the process, yet
SIL: System Integration Laboratory STE: Software Test Equipment

Korea Aerospace Industries Proprietary Information

14

OFP Layers
JVMs platform independence enables modular development
Success story : One day integration of JVM and HUD OFP
JVM provided portability
T-50 Java Applications (OFP) FC HUD MFDS IUFC KAI Works JNI Real-time JVM Device Drivers OS* * OS : VxWorks, NEOS, Windows
CDU: Control & Display Unit JNI: Java Native Interface KUH: Korea Utility Helicopter OXF: Object Execution Framework SMM: System Mission Management

Self (KAI) provided portability

KUH C++ Applications (OFP) SMM PFD MFDS CDU

JOGL Vendor Works

KAI API

OpenGL SC

Device Drivers

KAI Framework based on Rhapsody OXF (OS Services) OS*

OpenGL

* OS : VxWorks, Windows
JOGL: Java OpenGL PFD: Primary Flight Display JVM: Java Virtual Machine SC: Safety Critical

Korea Aerospace Industries Proprietary Information

15

Speed & Size Issues

OFP is designed with 50Hz rate groups
Each rate group should complete well within 20msec

Initially, it took almost 40msec for a FC OFP rate group to complete which was double the time limit
One of the reasons was data I/O utilizing JNI, especially MIL-STD-1553 due to its tight coupling with the OFP The other reasons were compile options

HUD and MFDS were also suffered

HUD requires many JNI calls to present cursive graphic objects on the display MFDS initially had a size of over 300MB before optimization
Korea Aerospace Industries Proprietary Information 16

Optimizations
Took a few months to optimize
Compile/build options including
Tradeoff between profiled interpreter code vs compiled code Static binding for virtual calls (no dynamic class loading), etc.

JNI
Reducing the number of JNI calls Reducing run-time creation of temporary data buffers

Some design considerations

Making final and static where applicable e.g. constants Reducing the number of threads

Overall efforts brought down the speed to within 20msec, and the size from over 80MB to 50MB and then to 30MB in case of FC OFP
Korea Aerospace Industries Proprietary Information 17

Points to Ponder
JNI
With some care, it is a nice solution for hardware interfaces Alternatives may be considered e.g. CORBA, XML
But are they DO-178 compliant?

Sound practice is needed regardless of languages

Programming idioms such as LSP, and Design & Coding standards enforcing them, and Review processes with support from automated tools

But within the same rules, Java eases much of a burden off the programmer
Enables spending more time on design, or having a longer coffee break LSP: Liskov Substitution Principle
Korea Aerospace Industries Proprietary Information 18

Points to Ponder
DO-178C and supplement documents are due by the end of 2011
After 7 years of preparation since OOTiA handbook in 2004 Will enable the use of real-time Java Technology with deterministic garbage collection in critical avionics software

Open source, cost effective tools and environments

One such case is TOPCASED
Eclipse based systems/software development environment promoting model-driven development and formal methods

Java is a good language of choice for safety-critical, hard real-time embedded software development
DO-178C: Safety Considerations in Airborne Systems and Equipment Certification OOTiA: Object Oriented Technology in Aviation TOPCASED: The Open-Source Toolkit for Critical Systems

Korea Aerospace Industries Proprietary Information

19

Thank you
Bang, Keugyeol Principal Research Engineer Avionics Advanced R&D Team [email protected] 010-9048-0828 20

Korea Aerospace Industries Proprietary Information

Acronyms

Air-BEST API ARINC BSP CDU FAA FC GC HUD IUFC JNI JOGL JSR JVM KAI KIDA KUH KMC LSP MFDS

Air-borne Embedded System and Technologies Application Program Interface Aeronautical Radio Incorporated Board Support Package Control and Display Unit Federal Aviation Administration Fire Control Garbage Collection Head Up Display Integrated Up Front Controls Java Native Interface Java OpenGL Java Specification Request Java Virtual Machine Korea Aerospace Industries, Ltd. Korea Institute for Defense Analysis Korea Utility Helicopter Korea Mission Computer Liskov Substitution Principle Multi-function Display Set

MIL-STD MPSS OFP OOTiA OpenCL OpenGL OS OXF PDR PFD RAII RTOS RTSJ SC SIL SMC SMM SMS STE UFC

Military Standard Mission Planning and Support System Operational Flight Program Object Oriented Technology in Aviation, FAA Open Computing Language Open Graphics Library Operating System Object Execution Framework Preliminary Design Review Primary Flight Display Resource Acquisition Is Initialization Real-time Operating System Real-time Specification for Java Safety Critical System Integration Laboratory Stores Management Computer System Mission Management Stores Management System Software Test Equipment Up-front Controls

Korea Aerospace Industries Proprietary Information

21