
Is C++ Suitable for Avionics? (DO-178B Level A)

Expert
 
Join Date: Mar 2008
Location: Naperville, Illinois U.S.
Posts: 831
#1: Jul 7 '09
I'm curious if anybody out there has considered using C++ for avionics applications. Civil certification requires compliance to RTCA/DO-178B (here). The FAA published a pertinent handbook in 2004: Object Oriented Technology in Aviation. There are many issues, but I'll focus on structural coverage in this post.

One of the benefits of DO-178B is that it provides clear criteria for when it is ok to stop testing. These criteria are based on achieving certain code coverage thresholds based on the criticality of the software. (Criticality is determined by assessing the worst possible consequences of software malfunction.)

In most cases, these thresholds are based on coverage of the source code (that is, you instrument your source code to see which paths are taken). However, software of the highest criticality (i.e., "Level A") must achieve object code coverage. That is, all paths through the object code must be taken. We are now concerned with occult features of the compiler -- optimization, error checking, run-time libraries, constructors, destructors, garbage collection, etc. -- that create paths that aren't visible in the source code.

I don't know how to measure object coverage in C, let alone C++. Does anybody out there have any relevant experience or opinions?

Newbie
 
Join Date: Jul 2009
Posts: 1
#2: Jul 7 '09

re: Is C++ Suitable for Avionics? (DO-178B Level A)

Hello donbock,

DO-178B level A does not require performing object-level coverage. It requires additional verification to demonstrate that either:
- your compiler does not generate untraceable code in your specific context (compilation options, coding standard etc.) OR
- the untraceable code is correct.
Usually, you have two options to perform such an activity. You can either:
- perform object level coverage *in addition* to source level coverage OR
- provide a traceability study
More information can be found in CAST papers.

I can go into much more detail on this topic (and provide all required references). Why don't you register and post a message on open-do.org? Open-DO is an initiative to promote a collaborative and open approach in the DO-178 context. I would be happy to reply to you in detail on open-do.org.

Now, back to your question. I believe your concern is how to plan a satisfying verification strategy when using object orientation. I cannot speak for C++, but I can speak for Ada 2005, which is basically as expressive as C++ for object-orientation. We have customers heavily using the object-oriented features of Ada 2005 in a DO-178B level A context. Take a look at:

http://www.adacore.com/2009/06/01/a350/

What we managed to provide is:
- a compiler guaranteeing a certain degree of traceability between source code and generated object code, even in presence of object-oriented features
- a qualified coverage tool able to perform both source level coverage (up to MC/DC) and object level coverage. See:

http://libre.adacore.com/libre/tools/coverage/

Object level coverage can measure instruction or branch coverage (covering "all paths through the object code" seems unreasonable to me).

We can also provide a COTS traceability study for similar purposes:

http://www.adacore.com/2009/03/11/ad...e-for-do-178b/

I would be happy to further discuss this with you: feel free to contact me
on open-do.org or at bordin AT adacore.com.
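To make concrete both donbock's point that object code contains paths invisible in the source and the reply's distinction between object-level instruction and branch coverage, here is a small added example (not from either poster, nor from any AdaCore tool). It assumes a hypothetical compiler lowering of the single C statement `return a && b;` into short-circuit basic blocks and computes source statement, object instruction, and object branch coverage for a set of test vectors.

```python
"""Source-level vs object-level coverage for one C statement.

C source under test (constructed example):

    int check(int a, int b) { return a && b; }   /* one statement */

Short-circuit evaluation turns that statement into several basic blocks
and branches that have no separate line in the source.  The graph below
is a hypothetical lowering, not the output of any particular compiler.
"""

# block -> (operand tested, successor if true, successor if false); None = leaf
OBJECT_CFG = {
    "B0": ("a", "B1", "B2"),   # test a; jump to B2 (return 0) if false
    "B1": ("b", "B3", "B2"),   # test b; jump to B2 if false
    "B2": None,                # return 0
    "B3": None,                # return 1
}
ALL_BLOCKS = set(OBJECT_CFG)
ALL_EDGES = {(blk, succ) for blk, node in OBJECT_CFG.items()
             if node for succ in node[1:]}

def execute(a, b):
    """Walk the object CFG for one test vector; return (result, blocks, edges)."""
    blocks, edges, cur = set(), set(), "B0"
    while OBJECT_CFG[cur] is not None:
        operand, on_true, on_false = OBJECT_CFG[cur]
        value = a if operand == "a" else b
        nxt = on_true if value else on_false
        blocks.add(cur)
        edges.add((cur, nxt))
        cur = nxt
    blocks.add(cur)
    return (1 if cur == "B3" else 0), blocks, edges

def coverage(tests):
    """Return (source statement, object instruction, object branch) coverage
    for a list of (a, b) test vectors, each as a fraction of the total."""
    blocks, edges = set(), set()
    for a, b in tests:
        _, blk, edg = execute(a, b)
        blocks |= blk
        edges |= edg
    statement = 1.0 if tests else 0.0   # the single `return` ran in every test
    return (statement,
            len(blocks) / len(ALL_BLOCKS),
            len(edges) / len(ALL_EDGES))

if __name__ == "__main__":
    print(coverage([(1, 1)]))                  # (1.0, 0.75, 0.5)
    print(coverage([(1, 1), (0, 1), (1, 0)]))  # (1.0, 1.0, 1.0)
```

A single test vector gives 100% source statement coverage while leaving half the object-level branches untaken, which is exactly the gap the additional Level A verification has to close.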