On Sat, 27 Apr 2002 01:57:09 -0500 Jonathan Polleywrote
When you state your concerns about the FAA,
I assume that you are talking about avionics software, probably DO-178B
level C or higher.The vast majority of modern (1987+) avionics
software that I have seen is in Ada, largely due to the structure that
is built into the language. With Ada's strong typing and package
structure, you really need to work to do something bad. The little
bit of C software that we let wind up in our final software is *very*
process driven. This includes design reviews, code reviews, test
plans at design time, and test procedures that are traceable back to
top-level requirements. While our Ada software goes through these
same steps, extra care is taken with C (we restrict what can be used),
largely due to the lack of safeguards built into the language.The
biggest problem I see with C++ and the FAA is that it is VERY hard to
guarantee that C++ will not do any dynamic memory allocation. If
you step through the STL code with a debugger you will be amazed at how
much is going on there (strings are nasty). Since avionics are
embedded systems, the freeing of dynamic memory is a Very Bad
Thing.If you are developing software that will be used to test
avionics software, then the rules change. The same is true
for level D or lower software. With test applications, you need to
go through a verification process, which my team will be doing very
shortly. While the process demands are not as strict as it is for
the flight software, I tend to require the same level of process as our
flight code. We tend to share people across programs, and you
never quite know where your software will be used next.
I think I can safely say that FlightGear will
never be airworthy (unless it is level E, which, in this case, means it
will not be used for flight). There are no documented
requirements, design, evidence of peer reviews, interface documentation,
test procedures (especially ones mapped to the requirements), etc.
While you could, in theory, spend enough money to certify almost any
code, it is best if you think about airworthiness from the onset.
The structural coverage alone would be prohibitive (i.e., prove that
every branch of every line of code maps to some requirement and that you
have a test that exercises them).
Standards for application to general aviation
aircraft have been revised as to reduce the burden for
certification of specific classes of avionics
equipment.
AC 29-1309
An alternative would be to consider an effort to
certify FlightGear as a Flight Training Device under
AC 120-45A
Jonathan, what is your day job ?
Joe Mangan