Expert: C/C++ Dominates Aerospace Due to Certified Tooling

An AI researcher explained that C and C++ remain dominant over languages like Rust in aerospace primarily due to decades of flight-proven tooling and established certification workflows. The existing ecosystem of C-native real-time operating systems (RTOS), drivers, and vendor SDKs is critical for achieving safety certifications like DO-178C. This established infrastructure provides a significant barrier to entry for newer languages.

- The high cost of DO-178C certification for the highest criticality level (Level A) is primarily driven by the need for hardware and system redundancy, not just the software itself. The cost differential for the software between Level A and Level B is considered minor.
- Real-time operating systems (RTOS) are foundational to avionics, providing the deterministic behavior essential for safety-critical tasks. Prominent certified RTOSes in aerospace include VxWorks, used in the Boeing 787 and Airbus A380, and Integrity-178, which was the first to achieve DO-178B Level A certification.
- NASA's Jet Propulsion Laboratory (JPL) has established strict coding standards for flight software, often referred to as "The Power of 10 Rules," which heavily influence safety-critical C development. These rules forbid practices like recursion and dynamic memory allocation after initialization and mandate that all loops have a fixed upper bound to ensure predictable behavior.
- While C and C++ are dominant, the Ada language was also historically used for safety-critical systems, such as on the International Space Station, due to its strong type safety and readability features designed to minimize errors. However, its usage has become more niche since the DoD mandate was dropped in 1997.
- For the highest Design Assurance Level (DAL A) under DO-178C, structural coverage analysis at the source code level is insufficient. Verification must extend to the object code to ensure that the compiler has not introduced errors or unintended behavior.
- The ARINC 653 standard defines the software specification for space and time partitioning in avionics, allowing multiple applications of different criticality levels to run on the same hardware without interfering with each other. This is a key enabler for Integrated Modular Avionics (IMA) platforms.
- Newer languages like Rust are being explored for aerospace applications due to inherent safety features that prevent common C/C++ bugs like memory errors. Efforts are underway to create qualified toolchains and demonstrate pathways for certifying Rust code, including rewriting critical C-based components and developing compiler targets for aerospace-common processors like PowerPC.
- The DO-178C standard itself does not mandate specific programming languages but requires a rigorous verification process. This process includes creating several planning documents like the Plan for Software Aspects of Certification (PSAC), which outlines how compliance will be achieved for the specific project.
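The "Power of 10" points above (fixed loop bounds, no allocation after initialization, checked return values and preconditions) are easier to see in code. The following is an added illustration written for this briefing, not JPL's own code or any flight software: a linked-list search over a statically allocated node pool, where the fixed loop bound turns a corrupted (cyclic) list into a reported error instead of an infinite loop. The pool size, key values and the `demo_*` scenarios are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_NODES 8U   /* fixed pool size: no allocation after initialisation */
typedef struct node { uint32_t key; struct node *next; } node_t;
typedef enum { LIST_OK, LIST_NOT_FOUND, LIST_BOUND_EXCEEDED } list_status_t;
static node_t pool[MAX_NODES];   /* all storage is static, sized at compile time */
static const uint32_t SAMPLE_KEYS[] = { 10U, 20U, 30U };  /* constructed test data */

/* Link pool[0..count-1] into a list; NULL if the request exceeds the pool. */
static node_t *list_init(const uint32_t *keys, uint32_t count)
{
    uint32_t i;
    if (keys == NULL || count == 0U || count > MAX_NODES) { return NULL; }
    for (i = 0U; i < count; i++) {                 /* bound: count <= MAX_NODES */
        pool[i].key = keys[i];
        pool[i].next = (i + 1U < count) ? &pool[i + 1U] : NULL;
    }
    return &pool[0];
}

/* Search for `key`. The loop has a fixed upper bound, so a corrupted (cyclic)
 * list is reported instead of hanging a flight task forever. */
static list_status_t list_find(const node_t *head, uint32_t key, uint32_t *pos)
{
    uint32_t i;
    const node_t *n = head;
    if (pos == NULL) { return LIST_NOT_FOUND; }    /* checked precondition */
    for (i = 0U; i < MAX_NODES; i++) {             /* never `while (n != NULL)` */
        if (n == NULL) { return LIST_NOT_FOUND; }
        if (n->key == key) { *pos = i; return LIST_OK; }
        n = n->next;                               /* single level of dereference */
    }
    return LIST_BOUND_EXCEEDED;                    /* more nodes than can exist */
}

/* Healthy three-node list: returns the index of key 30, or -1 on any failure. */
static int demo_healthy(void)
{
    uint32_t pos = 0U;
    node_t *head = list_init(SAMPLE_KEYS, 3U);
    if (head == NULL || list_find(head, 30U, &pos) != LIST_OK) { return -1; }
    return (int)pos;
}

/* Same list with its tail pointer corrupted into a cycle: the search terminates. */
static list_status_t demo_cyclic(void)
{
    uint32_t pos = 0U;
    node_t *head = list_init(SAMPLE_KEYS, 3U);
    if (head == NULL) { return LIST_NOT_FOUND; }
    pool[2].next = &pool[0];                       /* simulated memory corruption */
    return list_find(head, 99U, &pos);
}
```

With the bound in place, the worst case of `list_find` is MAX_NODES iterations regardless of memory contents, which is the property a WCET analysis or a certification reviewer can actually check.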
