Boeing pushes the envelope of team-oriented embedded software development, using Ada’s advantages to drive down system design costs on the Comanche helicopter.
Safety-critical embedded systems, where failure is measured in human lives as well as dollars, originated in the defense industry, and nowhere do they remain more important than on the modern electronic battlefield. The RAH-66 Comanche helicopter, currently in Phase III development with The Boeing Company and Sikorsky Aircraft Corporation, is a case in point.
A massive leap forward in helicopter design, the Comanche is America’s attack helicopter for the 21st Century. Created to serve a dual role as both a pinpoint accurate close air support tool and sophisticated mobile reconnaissance platform, it depends heavily on safety-critical systems to control the crucial tactical assessment, fire control, and pilotage systems that comprise its Mission Equipment Package (MEP).
The tactical “mind” of the Comanche, the MEP is capable of providing accurate real-time pictures of front line action to the entire military command and control team. Merging supercomputer intelligence with next generation battlefield sensors using digital interconnectivity, the MEP provides the Comanche with a level of low-altitude field reconnaissance capability that dramatically exceeds any previous military attack aircraft.
The MEP was originally created when the Ada software programming language was mandated for military projects by the Department of Defense (DoD), but Boeing’s Phase III work is no longer covered by the order, which was lifted in 1997. However, as Boeing began Phase III, they were also implementing a new company-wide “synergy” policy. The result has been the creation of a more cost-effective, team-oriented approach to hardware and software development as they design the MEP systems used on the Comanche.
Boeing Senior Staff Engineer Gerry Furniss, the Integrated Product Team Lead responsible for both the target acquisition and pilotage systems on the helicopter, explains that Boeing’s choice to stick with Ada in Phase III was motivated largely by the fact that it would facilitate the new cost reduction strategies.
“We were making significant changes in our overall development model and looking for less expensive ways to handle software development,” he explains. “As it turns out, Ada’s package specs lend themselves very nicely to how we decided to divide up the old design and review processes.”
Ada’s advantages over other programming languages in large, multi-team programs are helping Furniss and the Boeing Comanche team change how they manage multi-project software development. For the first time, instead of treating each individual MEP system as a separate project, Boeing is pioneering a “round table” approach.
With a directive from upper management to reduce costs and improve software development processes, they began to move away from the traditional Preliminary and Critical Design Review (PDR/CDR) model. According to Furniss, the new “In-Process Review” (IPR) cycle that gathers the vendors, Boeing teams, and the provider of the Ada software development platform, Phoenix, Arizona-based DDC-I, is achieving the desired results.
“Using IPRs, as opposed to traditional software development methodologies, is proving very fruitful, especially in the area of communication. By getting the teams together up front and keeping everyone talking, we’ve really been able to enhance our team-oriented approach,” he states.
By gathering all the vendors on a uniform development platform, the individual teams learn collectively, which sharply reduces duplicated effort between the project teams. That platform is the DDC-I Comanche Ada Compiler System (ACS), proposed by DDC-I when Boeing moved the MEP processors from the older Intel i960 to the newer Pentium.
The Comanche ACS being developed for Boeing by DDC-I is based on the proven DDC-I Ada Compiler System (DACS). Serving as the central hub around which the entire Comanche MEP software development team designs their individual systems, it contains a number of proprietary modifications designed specifically for Boeing. Alongside their already unique debugger technology, DDC-I also created a custom version of their leading run-time system which addresses specific Comanche requirements.
“Boeing’s choice to remain with Ada on the Comanche sends a clear signal that Ada is still the language of choice for large-scale, safety-critical embedded system development,” explains Joyce Tokar, Ph.D, Vice President of Technology at DDC-I. Beyond her role as DDC-I’s chief technologist and visionary, Tokar is also an executive member of the Ada Resource Association board, an industry panel guiding future development of the Ada language.
“Despite predictions of its demise after the DoD lifted the Ada mandate for defense contracts in 1997, Ada usage is actually increasing and industry recognition of Ada’s advantages in code reliability, reusability, readability, and portability is on the rise,” she adds.
Comparative studies support Tokar’s assertions about Ada. In studies conducted during the eighties Ada consistently outperformed established languages such as Pascal, Fortran and C, and in evaluations during the nineties it has continued to surpass C++ on measures of capability, efficiency, maintainability, risk and lifecycle cost.
The current trend at Boeing also bolsters Tokar’s assessment. When the management directive that motivated Furniss and his team to establish the new IPR process also encouraged standardizing software development to a single commercial language like C++, there was a great deal of concern among the team members about moving away from Ada.
“There is a huge reluctance to move to C++ and it’s not because of the language, it’s because of the structure around the language,” he details. “There are so many variants of C and C++, and they’re not as well structured as Ada, so even though you may settle on the same C++ language the coding standards that go with it are always different. You’ve got to put a shell around it, where Ada already has one.”
Ada was originally created in the late seventies, as a logical alternative to the proliferation of software languages being used by defense contractors. Successfully completing its early mission, Ada reduced the total number of high-order programming languages in use from over 450 when it was released in 1983 to just 37 by 1996.
This success was based on the principles guiding its creation, which stated that the language must be developed with sound software engineering principles in mind and capable of handling large, complex projects. It also had to be standardized, validated, reliable, and maintainable.
Ada use continues to rise, despite the lifting of the DoD mandate, because it still serves these primary goals on major projects like Comanche. A crucial Ada strength is the early identification of programming errors that other languages typically expose much later: strong typing, constrained subtypes and checked package interfaces catch most type, range and interface mistakes at compile time, before run time, system integration or deployment, so errors do less damage to project schedules and cost less to repair.
Viewed from a purely business perspective, Ada’s primary advantage is its support for open systems and interoperability. A list of other “ilities” also contributed to the higher programmer productivity and lower lifecycle cost that informed Boeing’s decision to choose DDC-I’s Comanche ACS:
- Portability – correctly written Ada source code is readily portable across numerous architectures, which saves time and money when hardware changes and upgrades, management shifts or support problems make it necessary to move a system. Because the language is standardized, programmers trained in Ada can also move swiftly from project to project without extensive or expensive retraining.
- Availability/Reliability – Ada compilers apply rigorous static checks (types, subtype ranges, parameter profiles) at compile time, so the programmer can locate and remove defects before the code ever runs. At run time the language’s mandatory checks (array index, range, overflow, null access) raise Constraint_Error rather than silently corrupting memory, so a fault in one module cannot propagate into another as an out-of-bounds write; modules stay compartmentalized behind their package interfaces.
- Reusability – packages and tasks hide information behind a specification, and generic units together with private types give data abstractions a modular structure. The result is a greater capacity to build reusable software components, and the potential for dramatic cost reductions.
- Readability – Ada code reads clearly, so errors are easier to locate and correct in review, before compilation. Code maintenance and change are easier because earlier work can be clearly understood, which helps developers avoid incorrect and unintended alterations.
- Verifiability – Ada has no built-in verification features; verification is not an end in itself but a means of achieving reliability, and Ada contributes to it by construction: the compile-time and run-time checks above eliminate whole classes of defects that a separate verification effort would otherwise have to hunt for, which reduces (though does not remove) the verification burden on a safety-critical program. Separately, every Ada compilation system is itself conformance-tested against the language standard using the Ada Conformity Assessment Test Suite (ACATS, formerly the ACVC validation suite); note that this attests to the compiler’s conformance with the standard, not to the correctness of the application built with it.
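Furniss’s remark about package specs and the reliability and reusability points above are easiest to see in code. The following is an added illustration written for this page, not Comanche, Boeing or DDC-I code; the Attitude package, its subtypes and the Clamp generic are hypothetical names chosen for the example. It compiles with GNAT (for instance `gnatmake sensor_demo.adb`) and shows a package spec that hides its state from every client, constrained subtypes and a distinct type that turn unit mix-ups into compile-time errors, the run-time check that converts an out-of-range reading into Constraint_Error instead of a silent overwrite, and a generic reused across subtypes.

```ada
-- Added illustration (not Comanche/DDC-I code). All names are hypothetical.
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Sensor_Demo is

   -- Package spec: the contract suppliers and reviewers see. The body
   -- behind it can change without touching any client.
   package Attitude is
      -- Constrained subtypes of Integer: the compiler flags out-of-range
      -- literals at compile time and inserts a check wherever it cannot
      -- prove a value is in range.
      subtype Heading_Degrees is Integer range 0 .. 359;
      subtype Altitude_Feet   is Integer range -1_000 .. 60_000;

      -- A distinct type, not a subtype: passing a Radar_Feet where an
      -- Altitude_Feet is expected is a compile-time type error.
      type Radar_Feet is range 0 .. 5_000;

      function Normalize (Raw : Integer) return Heading_Degrees;
      procedure Set_Altitude (Value : Altitude_Feet);
      function Current_Altitude return Altitude_Feet;
   end Attitude;

   package body Attitude is
      Altitude : Altitude_Feet := 0;   -- hidden state; no client can reach it

      function Normalize (Raw : Integer) return Heading_Degrees is
      begin
         return Raw mod 360;           -- always 0 .. 359, so the check passes
      end Normalize;

      procedure Set_Altitude (Value : Altitude_Feet) is
      begin
         Altitude := Value;            -- Value was already range-checked
      end Set_Altitude;

      function Current_Altitude return Altitude_Feet is
      begin
         return Altitude;
      end Current_Altitude;
   end Attitude;

   -- Generic unit: one checked clamp, reusable for any integer subtype.
   generic
      type T is range <>;
   function Clamp (X : Integer) return T;

   function Clamp (X : Integer) return T is
   begin
      if X < Integer (T'First) then
         return T'First;
      elsif X > Integer (T'Last) then
         return T'Last;
      else
         return T (X);                 -- conversion is provably in range here
      end if;
   end Clamp;

   function Clamp_Altitude is new Clamp (Attitude.Altitude_Feet);

   Raw_Heading : Integer := 725;       -- constructed sample readings
   Bad_Input   : Integer := 70_000;    -- outside Altitude_Feet on purpose

begin
   Put_Line ("Heading:" & Integer'Image (Attitude.Normalize (Raw_Heading)));

   -- Clamped path: the bad reading is saturated, never stored out of range.
   Attitude.Set_Altitude (Clamp_Altitude (Bad_Input));
   Put_Line ("Clamped altitude:" & Integer'Image (Attitude.Current_Altitude));

   -- Unclamped path: the conversion's run-time check raises Constraint_Error.
   -- An unchecked language would silently store 70000 here.
   begin
      Attitude.Set_Altitude (Attitude.Altitude_Feet (Bad_Input));
   exception
      when E : Constraint_Error =>
         Put_Line ("Rejected at run time: " & Exception_Message (E));
   end;

   -- Both of the following are caught before any test runs. GNAT reports the
   -- first at compile time as a value not in range (Constraint_Error would be
   -- raised), which -gnatwe turns into a hard error; the second is a type
   -- mismatch and never compiles.
   -- Attitude.Set_Altitude (100_000);
   -- Attitude.Set_Altitude (Attitude.Radar_Feet (5));
end Sensor_Demo;
```

The spec/body split is what makes the IPR-style review possible: a supplier can review and build against the `Attitude` specification while the body is still being written, and the distinct `Radar_Feet` type is the kind of check that in C or C++ has to be added by coding standard rather than enforced by the compiler.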
“The truth is that Ada will not go away in the foreseeable future,” DDC-I’s Tokar emphasizes. “The DoD has an enormous investment in Ada, and major embedded systems written in Ada like those in the Comanche will be in service well into the next century.”
Acting as a central “hub,” the Comanche ACS — in this case the debugger and run-time system — is integrated into the MEP operating system (OS) by the Comanche OS team in Wichita, Kansas. Once integrated, each OS release is sent out to the suppliers, where it is used to generate the firmware and software for their applications.
“This approach is proving cost-effective because we’re all using the same tool at the integration point,” Furniss affirms. “We all come up with the same concerns, but nobody has to reinvent the solution. We’re able to cross-pollinate in terms of answering questions and solving problems, and DDC-I is also part of the working group that includes the suppliers to help deal with any issues that arise.”
DDC-I’s Tokar stresses that the most significant benefit Ada offers often isn’t even considered when the choice between development languages is made. “When you look at computer systems from the total lifecycle perspective, research has determined that between sixty and eighty percent of costs occur after development and implementation. In other words, the maintenance phase accounts for the lion’s share of the costs in traditional projects.”
Because procurement decisions are typically driven by development cost, and maintenance is usually handled as a separate contract on most projects, the lifecycle is split artificially in a way that makes maintenance far too easy to overlook. A decision based solely on first-phase cost therefore weighs only twenty to forty percent of the total project expense.
“Ada was developed with good software engineering practices as a founding principle and remains the only internationally standardized programming language specifically designed to address large, complex applications like the Comanche MEP,” states Tokar. “For real-time, safety-critical embedded systems applications Ada is still the leader.”
Though as a Boeing employee and DoD contractor Furniss has to stop short of personally endorsing the Comanche ACS, he agrees wholeheartedly with Tokar’s views on the benefits of Ada for software development on safety-critical systems.
“Ada is a language designed to be used in a team environment, and our team approach is a nice way to do business. It creates a very positive, collaborative environment with the vendors,” he concludes. “I think the movement at Boeing is a smart one, and it will become even more obvious because we did save money.”