What makes (or at least made) Ada the language of choice for the ISS's safety-critical systems?

Question

We have it on good authority that Ada is widely used for "safety critical software" on at least the US side of the International Space Station.

Of all the possible languages to choose from, what are the aspects of Ada that ~~make~~ made it NASA's choice for such a critical application? What might be the weighting between legacy reasons versus intrinsic suitability?

Ada was the DoD's language. Having developed it, it's a shame not to use it. It has strong real time elements while remaining high level. I may be biased, it's my favorite language. (although that may be because I haven't written anything in it for over two decades) — , Jun 03 '19 at 09:07
@JCRM: Then you might be able to write an answer detailing some aspects of Ada that make it suitable for mission critical systems as opposed to, say C or Java, no? :-) As a software developer, I'm very interested in hearing from someone who has experience with the language (as opposed to reading the Wikipedia article…). — DarkDust, Jun 03 '19 at 09:12
I don't know enough about the system requirements of the ISS, and I have only old memories of Ada, so my contribution is limited to (hopefully) helpful comments. I strongly suspect it was the DoD's "you must write in Ada" that got it in the ISS; switching languages is not something one does without a VERY good reason in safety critical systems. — , Jun 03 '19 at 09:38
@repluser: Ada is several years faster than Java, in the sense that when the ISS was developed, Ada existed and Java didn't. The alternatives at that time would probably have been Modula-3 or Mesa, or maybe Eiffel (but Eiffel wasn't an international standard back then). — Jörg W Mittag, Jun 03 '19 at 14:48
@repluser: ... and even when Java did exist, it was not as strictly defined as it is now. Nailing down the exact specification of a programming language is hard. And the bigger a language, the more useful it is, but also harder to specify exactly. Java's threading library is especially tricky. — MSalters, Jun 03 '19 at 15:50
@JörgWMittag Not only that, but Java was still in its infancy - it didn't even have a real-time spec until 2001 with RTSJ 1.0, and at that it still isn't suitable for safety-critical applications, a spec for which (JSR-302) has been kicked around since 2006 and is currently in its fourth draft. — J..., Jun 04 '19 at 16:15
Interesting. Even though the history says it was developed in the late 70s, I'd swear I first heard mention of Ada while working with RCA Camden labs on hardware for Skylab, ca 1974. Then, working with IBM in Rochester MN in the late 70s, I "borrowed" some of Ada's program structuring concepts (particularly exception handling) for use in IBM's System/38. I had assumed that the language had run its course in the 1980s. — Dan, Jun 06 '19 at 00:13
As an aside, it would have been better to use the past tense: What made Ada the language of choice for the ISS's safety-critical systems? (As opposed to *What makes Ada ...".) Use of Ada was a mandate from very high up. Now that the Ada mandate has been vacated (which happened in 1997), new vehicles simply do not use Ada. The ISS still does, but that's because, as @Tristan wrote in a comment to my answer, " I would be thrown from the roof of Building 1 if I were to earnestly request a complete port of flight software into a different language." — David Hammen, Jan 28 '24 at 18:44

Morgloz · Accepted Answer · 2019-06-03T14:08:49.327

This Wikibooks link lists its strong points, some of which are:

An extremely strong, static and safe type system, which allows the programmer to construct powerful abstractions that reflect the real world, and allows the compiler to detect many logic faults before they become errors.

Modularity, whereby the compiler directly manages the construction of very large software systems from sources.

Information hiding; the language separates interfaces from implementation, and provides fine-grained control over visibility.

Readability, which helps programmers review and verify code. Ada favours the reader of the program over the writer, because a program is written once but read many times. For example, the syntax bans all ambiguous constructs, so there are no surprises, in accordance with the Tao of Programming's Law of Least Astonishment. (Some Ada programmers are reluctant to talk about source code which is often cryptic; they prefer program text which is close to English prose.)

Portability: the language definition allows compilers to differ only in a few controlled ways, and otherwise defines the semantics of programs very precisely; as a result, Ada source text is very portable across compilers and across target hardware platforms. Most often, the program can be recompiled without any changes.

Standardisation: standards have been a goal and a prominent feature ever since the design of the language in the late 1970s. The first standard was published in 1980, just 3 years after design commenced. Ada compilers all support exactly the same language; the only dialect, SPARK, is merely an annotated subset and can be compiled with an Ada compiler.

The point of readability is an important one, as the life of a software product doesn't end when you finish coding/testing it. The biggest expense (in time and money) is in the maintenance of that product. So, for a long project as the ISS, using a language built to aid in that task, by minimiZing errors and general ambiguity, seems appropiate.

This answer compares it with C and C++:

Ada has a number of safety features built into the language. (Compare with C, where the standard has twelve pages that summarize the undefined behaviors built into the language. Compare with C++, where the undefined behaviors are so numerous that they don't even list them.) Those Ada safety features can have a significant performance cost, and because of this, Ada also supplies the ability to selectively disable those safety features.

Note that is possible to reach the same level of security with C or C++, if you use a subset of the C or C++ languages and commiting to a style guide, but in Ada it comes with the language.

EDIT (Thanks JCRM): The first link also talks about support for low-level programming:

Ada has powerful specialised features supporting low-level programming for real-time, safety-critical and embedded systems. Such features include, among others, machine code insertions, address arithmetic, low-level access to memory, control over bitwise representation of data, bit manipulations, and a well-defined, statically provable concurrent computing model called the Ravenscar Profile.

Where I work, we actually use the address arithmetic and the low-level memory features to load different configuration data without having to compile the product each time, saving a lot of time.

Comments are not for extended discussion; this conversation has been moved to chat. — called2voyage, Jun 04 '19 at 12:48
I take issue with the suggestion that it "is possible to reach the same level of security with C or C++, if you use a subset of the C or C++ languages". Using a subset avoids some of the blatant pitfalls and insecurities built-into C/C++ and thus elevates them to a minimal degree of sanity. By comparison, Ada is designed with safety as a core design goal. For serious things. You know, airplanes and bombs and stuff. As opposed to yet another compiler compiler and stuff. I cannot remember how often a compiler error in Ada revealed a bug which would have been a core dump in C. — Peter - Reinstate Monica, Jun 05 '19 at 12:00
Answers to Why is C++ template use not recommended in space/radiated environment? might be worth linking to as well — uhoh, Jun 13 '19 at 02:30
@uhoh Those answers at stackoverflow are chock full of nonsense. I have worked on multiple spacecraft whose flight software do use C++ templates. What one does not want to do is use functions that dynamically allocate memory from the heap after initialization time, throw/catch exceptions, call system functions, or use recursing/looping without bounds. Much of the C++ standard library has no such algorithmic constraints. This has nothing to do with templates in general. — David Hammen, Feb 06 '22 at 22:53

David Hammen · Answer 2 · 2019-06-04T21:25:05.290

62

Timing. Ada was developed in the 1970s and 80s with the intent of replacing the plethora of languages used in the US Department of Defense's realtime systems. NASA (and also organizations from Europe) were active participants. The DoD mandated Ada for all major development in 1991. NASA did much the same. The International Space Station had been a paper concept until that time. It started to become real exactly when the Ada mandate took effect.

The DoD dropped its Ada mandate in 1997. NASA did much the same. If the ISS was built today, its flight software most likely would not be in Ada.

So why Ada? Ada was created to address a number of problems. One was the large number of languages in use at the DoD. Another was the perceived lack of safety in those languages, particularly so with respect to realtime systems and embedded systems. Ada did provide several features that were lacking in other languages.

There are many reasons Ada has become a niche language. One is that the excessive strictness and verboseness of the language get in the way of it being a general purpose language. Another problem was that the Ada community missed the boat on the transition from mainframes to minicomputers to desktop computers. The languages at the forefront of these transitions (C and C++) remain widely used. The Ada community also missed the boat on the free software movement. The first free Ada compiler didn't come out until 1995, and that release wasn't complete. By then, it was too late.

edited Jun 04 '19 at 21:25

answered Jun 03 '19 at 12:10

David Hammen

74,662
5
185
283

11

While I upvoted this answer because I think it identifies the prime cause, I think it would be improved by mentioning the reasons that NASA preferred Ada over other alternatives available at the time. It was not completely arbitrary. – Jack Aidley Jun 03 '19 at 12:20
1

As with the other answers, this answers what made it suitable, but not the second part of the quest about why it is still in use. – Jun 03 '19 at 14:01
2

@JackAidley: Were there alternatives? Modula-3 or Mesa, maybe? – Jörg W Mittag Jun 03 '19 at 14:49
32

The why is fairly simple: flight software is not like other software. You don't change anything unless you absolutely have to. I would be thrown from the roof of Building 1 if I were to earnestly request a complete port of flight software into a different language. – Tristan Jun 03 '19 at 14:50
14

@Tristan - I have an idea for an April Fool's joke next year... – BruceWayne Jun 03 '19 at 15:59
1

". If the ISS was built today, its flight software most likely would not be in Ada." It would be in Java or Python, as everything else. – Quora Feans Jun 03 '19 at 16:29
20

@QuoraFeans much as I love python, its not quite at the level of realtime/safety critical applications yet. Java, with its heavyweight runtime, is essentially ruled out from embedded controls applications. Its extremely likely the code would end up in C (maybe C++) using something like the MISRA standards that the automotive industry uses (or one of the million similar standards). Those languages are still king in the embedded space, for many very good reasons. – mbrig Jun 03 '19 at 18:58
1

@Tristan, exactly. just isn't in the answer(s) – Jun 04 '19 at 13:22
@JCRM - another way of putting it is "paradigms come and go, but legacy code is forever". It's not just flight software - I know of at least one corporate order management system that's still running '70s-era COBOL because the risk of porting it to a more modern language is simply too high. – John Bode Jun 04 '19 at 17:19
Ada community missed the boat during the transition from mainframes to desktops ? Well, there are boats that are missed and boats that some folks have no interest in catching! By its nature, Ada was always going to be a niche market language and never mainstream - most apps don't need its rigour. Anyway, catering for a mainstream market demands a high tech support overhead as customer companies will only have generalist (i.e. C/C++/Java) coding skills. There's no money in that. Better to pitch Ada to critical industries - all with in-house expertise - so tech support overhead is minimal. $ – Trunk Jun 09 '19 at 01:22
@Trunk - The problem with that point of view is that it presumes Ada is needed to build time critical / safety critical systems, and that other languages are insufficient. That very much is not the case. – David Hammen Jun 09 '19 at 03:34
@David Hammen - I was trying to present the business model of the Ada industry, as I read it. I hope this didn't suggest that I agreed with it or, still less, the narrow socio-economic horizons suggested by it. – Trunk Jun 09 '19 at 12:55

score 22 · Answer 3 · edited Jun 17 '20 at 08:54

I remember taking Computer Science courses in the late 90s. The professor of CS explained to our meager group of CS majors that he was going to teach us C, rather than COBOL or Ada, because it would be more useful in general. At the time, they were the major programming languages colleges were teaching back in the day (every major university in the area with a CS degree taught one of those two). Why would they teach older languages? Because you could still get a job writing code in them. This was around the time the ISS was being built.

The reason Ada came about was because they needed mission critical software that was reliable and Ada was literally made to fit the bill. NASA still has one of the costliest software errors in history (back in the dark ages of punch cards)

A bug introduced by a punch card turned out to be one of the most expensive software bugs in history, when it led to the destruction of the Mariner 1 spacecraft in 1962 (cost in 1962 dollars: 18.5 million; cost in today's dollars: $135 million), before it could complete its mission of flying by Venus.

However, there was a fatal flaw in the software of that guidance system: when the equations that would be used to process and translate tracking data into flight instructions were encoded onto punch cards, one critical symbol was left out: an overbar or overline, often confused in ensuing years with a hyphen. The lack of that overbar, essentially, caused the guidance computer to incorrectly compensate for some otherwise normal movement in the spacecraft.

Ada's main feature is stability

With its emphasis on sound software engineering principles Ada supports the development of high-integrity applications, including those that need to be certified against safety standards such as DO-178B and security standards such as the Common Criteria. For example, strong typing means that data intended for one purpose will not be accessed via inappropriate operations; errors such as treating pointers as integers (or vice versa) are prevented. And Ada’s array bounds checking prevents buffer overrun vulnerabilities that are common in C and C++.

NASA tried to create it's own Ada-esque language called (I am not making this up) HAL/S which the Space Shuttle used and... not much else. All the ground equipment would wind up using Ada by then (standards!)

A proposal for a NASA standard ground-based version of HAL named HAL/G for "ground" was proposed, but the coming emergence of the soon to be named Ada programming language contributed to Intermetrics' lack of interest in continuing this work.

Oh, HAL/S has one other minor problem

The weakness of Hal/S is that it is readily available only when hosted on the IBM 360/370 series of mainframe computers. Intermetrics has also hosted Hal/S on the Modcomp IV and Classic, and on Data General Eclipse minicomputers. But the Modcomp implementation is used only by JPL, and the Eclipse development is no longer in use because address-space limitations reduce compile speed to around 30 lines/minute.

As such, it's not surprising that in the early 90s (when PCs were on the rise) it was much cheaper to source more standard computing devices (my bet is IBM was able to make Ada run on more standard hardware, since they were already supplying astronauts with Thinkpads round that time). Fun fact: Thinkpads running Linux are used to interface with the station computer

"It was just the applicational needs," he said, describing how the laptop software that talked to the station's command and control systems in those early days was designed to run on a Linux-based OS.

By contrast, the curiousity rover (early 2000s) ran on C

It's running 2.5 million lines of C on a RAD750 processor manufactured by BAE.

That's not nearly the costliest error. The Mars Climate Orbiter cost $327.6 million in 1998. It crashed because imperial and metric units were mixed. Although technically that was not a software error in the end - the problem was noted before the failure, just the engineers "did not follow the rules about filling out [the] form to document their concerns". So this was really a bureaucracy error, just like Challenger where engineers had also warned the bureaucracy up front. — MSalters, Jun 03 '19 at 16:01
The overbar thing was not an error in the programming language, it was an error in the spec. (source: Scott Manley, I think), the actual issue was that the spec should have said that that value was to be averaged, hence the overbar, but the spec review and the code review failed to catch that it should have been an average value. Now, a language with lower cognitive load might let the programmer notice more easily, but this particular incident wasn't caused by a language. — Yet Another User, Jun 03 '19 at 16:13
"The professor of CS was a jovial guy" - talk about a language with 1000 dialects each requiring its own compiler! That's why Ada was developed: To replace the hundreds of Jovial dialects. No wonder he taught you C: Bad feelings that Ada replaced his favorite language! — davidbak, Jun 03 '19 at 18:02
@Machavity: Oh yes! JOVIAL is somewhat famous because the B2 Spirit's avionics software was written in JOVIAL. The Air Force then later contracted a company called Semantic Designs (whose Chief Engineer is actually very active on [softwareengineering.se] and [so]) to create a translator from JOVIAL to C, which they were able to do without ever having access to the source code. — Jörg W Mittag, Jun 04 '19 at 05:20
HAL/S preceded Ada by quite a bit. One of the three losing contenders for the DoD competition that eventually resulted in Ada was from Intermetrics. Their proposal was essentially a HAL/S derivative. That Intermetrics designed and implemented HAL/S strongly influenced their proposal. — David Hammen, Jun 04 '19 at 22:55
Interesting that Curiosity runs on code written in C. - though it should be noted that a SW error can either be fixed (SW updates), or at the extreme, it would cause loss of mission, but not loss of life. What did the Launch vehicle run on, I wonder? — Baldrickk, Jun 05 '19 at 15:14
I don't believe it's correct that Shuttle program ground equipment used Ada. The Mission Control Center didn't, nor the Shuttle Mission Simulator. The Launch Processing System used a language called GOAL. Ada began to be used by NASA in the ISS program, not Shuttle. — Organic Marble, May 10 '22 at 01:59

Cees Timmerman · Answer 4 · 2019-06-05T13:24:43.787

From the website:

AdaCore tools can be used to meet verification objectives including coding standard compliance, code accuracy (prevention of errors such as buffer overrun, integer overflow, and references to uninitialized variables), and structural coverage analysis up to MC/DC. Specialized high-assurance run-time libraries, including one that implements the Ravenscar tasking profile, are simple enough to be included in qualified systems but expressive enough to support the needed functionality for hard real-time space software. Qualification material for the run-time libraries can be developed for the ECSS standard and adapted to new project contexts.

C and C++ do not prevent those errors (bar costly addons), and Java is not hard real-time (bar nonstandard VMs).

When lives are on the line, it's best to rule out runtime errors and delays by design:

with Ada.Text_IO; use Ada.Text_IO;

procedure Learn is

   subtype Alphabet is Character range 'A' .. 'Z';

begin

   Put_Line ("Learning Ada from " & Alphabet'First & " to " & Alphabet'Last);

end Learn;

Here, Alphabet cannot contain any value other than A to Z. This rather unique language feature, among others, helped a team of students complete the 2013-2015 CubeSat mission:

As one example of Ada in an undergraduate setting, students at Vermont Technical College in the U.S. used the SPARK language (a formally analyzable subset of Ada) to develop the software for a CubeSat satellite that recently completed a successful two-year orbital mission. SPARK was chosen because of its reliability benefits. The students had no previous experience in Ada, SPARK, or formal methods, but were able to quickly come up to speed.

Of the twelve CubeSats from academic institutions that were included in the launch, the one from Vermont Tech was the only one that completed its mission. Many of the others met their doom because of software errors. The Vermont Tech group credits its success to the SPARK approach, which, for example, allowed them to formally demonstrate the absence of run-time errors.

Comments are not for extended discussion; this conversation has been moved to chat. — called2voyage, Jun 05 '19 at 12:10
@Uwe Use UTF8. https://ada-lang.io/docs/arm/AA-A/AA-A.4/#a411--string-encoding — Cees Timmerman, Jan 30 '24 at 14:57

Trunk · Answer 5 · 2019-06-09T01:27:56.867

Of all the possible languages to choose from, what are the aspects of Ada that make it NASA's choice for such a critical application? What might be the weighting between legacy reasons versus intrinsic suitability?

Ada is a language designed for this very kind of situation, i.e. fault intolerant, real-time and (often) embedded systems used to control critical equipment or processes
Ada's evolution was much more focussed and tightly managed from the very outset. Both its originators and its evaluators were handpicked experts in the language development field with a strong sense of duty to both their profession and the Ada project. Just as West Coast values permeate Java, the selfless modesty of Ichbiah, Dewar and Taft set a tone for Ada that still prevails and one that must appeal to an organization like NASA.
Ada has a formally-defined subset language called SPARK that allows ready mapping of a formally-verified system design onto its code
Ada is one of the fastest languages around, moreover with parallel processors
The Ada industry (companies like AdaCore, Altran, Green Hills, Wind River, etc, etc) has developed numerous support tools for critical system development in Ada/SPARK
There are few capable alternative languages to Ada
Alternative languages such as formally-defined C do not have the same depth of experience or support as Ada/SPARK do

I've no idea what the detailed system requirements were nor how tight the tendering guidelines were in relation to weighting of legacy and intrinsic suitability. But it seems rational to me that Ada/SPARK would score high in both categories. Legacy factors should include things like

NASA was an original sponsor of the Ada project and had used it from the outset on prior systems
System building company's likely greater familiarity with Ada/SPARK, know-how in deploying its constructs effectively for the new critical system's requirements
Likely existing use of Ada/SPARK by subcontractors, e.g. embedded systems for ancillary equipment like radar, x-ray scopes, etc, to the project and data interfacing between main and sub-systems

score 0 · Answer 6 · edited Jun 05 '19 at 13:29

0

Ada is SGML of programming languages (and Java/C# is XML). Both are built in a new base for a complete solution. And both failed to become popular due to their complexity and oddity. (Minority knows SGML but everyone understands HTML: simplicity is strength.) We learnt Ada in '91 and loved it even we came from Modula-3 and not from junk Pascal or C. (Not even mentioning assembly.) Ada looked perfectly built in general and in details. But none of us used it because the only Ada environment was for IBM 360 (or a russian clone of it) and no Ada compiler appeared for many years for PC. And it became a "shining diamond in a glass cabinet", theoretically perfect but untouchable. We wrote code for Sieve of Eratosthenes but there were no resource to run it with log(log(10e9)) tasks. (That day they counted RAM in hundred of KBs.) Meanwhile good C++ environments came (with usable class libraries!) and most programmer used it as primary platform until Java appeared a decade later. And even there was no good development tools for Java but there were usable ones and cheap PCs can run them.

edited Jun 05 '19 at 13:29

uhoh

148,791
53
476
1,473

answered Jun 05 '19 at 12:21

Peter Krassoi

125
1

2

I was compiling ADA on Sun Workstations in 1989, There were many versions for many platforms by 1991. – Jun 05 '19 at 14:31
4

I was writing Ada for Motorola 68000/68020 in 1988, cross-compiling on a VAX. A couple of years later, I was writing Ada for a TI floating-point DSP, again cross-compiling on a VAX. @JCRM is absolutely correct: there were many options for many platforms by 1991. – John R. Strohm Jun 05 '19 at 16:45
3

Ada is far, far less complex than C++. Even early C++. Not only is any claim of why it "failed to become popular" personal speculation which should not be presented as factual information, but this particular one happens to be provably wrong. – T.E.D. Jun 06 '19 at 13:57
1

As a rough measure, my old green Ada83 LRM is about 250 pages. This working draft of the ISO C++ standard is 1440 pages. – T.E.D. Jun 06 '19 at 14:08
AdaCore might say that today's Ada is getting to be more like the HTML 5 of the high-integrity system world - it can be (cross) compiled onto numerous op systems (including iOS and Android), has so many glitzy tools for exhaustively checking code, interfacing with systems in other major languages, APIs for GUIs, XML & script handlers for validation test frameworks, a secure web server, etc. The only disconnect with HTML 5 is the unloving appearance (but not functionality) of its IDE, GPS . . . – Trunk Jun 09 '19 at 00:46
1

By 1985 Alsys was shipping commercially a fully validated (passed the official test suite) Ada compiler for the IBM PC/AT under DOS. The full language including concurrency. I'm not sure what you meant by log(log(10e9)) tasks as that isn't too many tasks at all but a common demo for Alsys Ada was to run a heat-in-pipe simulation via relaxation with each character position on the screen (80x25) backed by an Ada task rendezvousing with its four neighbors. – davidbak Jun 10 '19 at 19:18
@T.E.D not true that Ada 83 was less complex than C+q a it had type safe and range checked tagged discriminated records that could have variable size arrays as fields (more than one varying separately), tasks - which could also be fields in those records, or in arrays - and of course powerful, optimizable, and completely type-safe generics with true separate compilation which C++ compilers do not have to this day!! And much more including ginsu knives! But, yes, the green book was shorter than today's C++ standard! – davidbak Jun 10 '19 at 19:28
1

@davidbak - C++'s templates are far, far more complex to implement, describe, and for users to deal with than Ada's generics. This comes mostly from the decision to use Duck typing (which IMHO in turn came from a decision to try to solve too many problems with this one feature) They are far more powerful too of course (they are even Turing complete!), but power always comes with a price. In particular, error novels, and land-mine code that compiles fine until some poor bastard tries to instantiate it are two particular issues that don't happen with Ada generics. – T.E.D. Jun 10 '19 at 19:52
3

@JCRM: We were living on the wrong side of the wall, any hardware not made in USSR was very far from up-to-date. Softwares too. The Ada compiler was made by two enthusiastic (and talented of course) teacher at the university. – Peter Krassoi Jun 13 '19 at 14:51

What makes (or at least made) Ada the language of choice for the ISS's safety-critical systems?

6 Answers6

Linked