118
$\begingroup$

We have it on good authority that Ada is widely used for "safety critical software" on at least the US side of the International Space Station.

Of all the possible languages to choose from, what are the aspects of Ada that make made it NASA's choice for such a critical application? What might be the weighting between legacy reasons versus intrinsic suitability?

Improve this question
$\endgroup$
11
  • 22
    $\begingroup$ Ada was the DoD's language. Having developed it, it's a shame not to use it. It has strong real time elements while remaining high level. I may be biased, it's my favorite language. (although that may be because I haven't written anything in it for over two decades) $\endgroup$
    – user20636
    Commented Jun 3, 2019 at 9:07
  • 18
    $\begingroup$ @JCRM: Then you might be able to write an answer detailing some aspects of Ada that make it suitable for mission critical systems as opposed to, say C or Java, no? :-) As a software developer, I'm very interested in hearing from someone who has experience with the language (as opposed to reading the Wikipedia article…). $\endgroup$
    – DarkDust
    Commented Jun 3, 2019 at 9:12
  • 6
    $\begingroup$ I don't know enough about the system requirements of the ISS, and I have only old memories of Ada, so my contribution is limited to (hopefully) helpful comments. I strongly suspect it was the DoD's "you must write in Ada" that got it in the ISS; switching languages is not something one does without a VERY good reason in safety critical systems. $\endgroup$
    – user20636
    Commented Jun 3, 2019 at 9:38
  • 25
    $\begingroup$ @repluser: Ada is several years faster than Java, in the sense that when the ISS was developed, Ada existed and Java didn't. The alternatives at that time would probably have been Modula-3 or Mesa, or maybe Eiffel (but Eiffel wasn't an international standard back then). $\endgroup$
    – Jörg W Mittag
    Commented Jun 3, 2019 at 14:48
  • 2
    $\begingroup$ @JörgWMittag Not only that, but Java was still in its infancy - it didn't even have a real-time spec until 2001 with RTSJ 1.0, and at that it still isn't suitable for safety-critical applications, a spec for which (JSR-302) has been kicked around since 2006 and is currently in its fourth draft. $\endgroup$
    – J...
    Commented Jun 4, 2019 at 16:15

6 Answers 6

Reset to default
86
$\begingroup$

This Wikibooks link lists its strong points, some of which are:

  • An extremely strong, static and safe type system, which allows the programmer to construct powerful abstractions that reflect the real world, and allows the compiler to detect many logic faults before they become errors.
  • Modularity, whereby the compiler directly manages the construction of very large software systems from sources.
  • Information hiding; the language separates interfaces from implementation, and provides fine-grained control over visibility.
  • Readability, which helps programmers review and verify code. Ada favours the reader of the program over the writer, because a program is written once but read many times. For example, the syntax bans all ambiguous constructs, so there are no surprises, in accordance with the Tao of Programming's Law of Least Astonishment. (Some Ada programmers are reluctant to talk about source code which is often cryptic; they prefer program text which is close to English prose.)
  • Portability: the language definition allows compilers to differ only in a few controlled ways, and otherwise defines the semantics of programs very precisely; as a result, Ada source text is very portable across compilers and across target hardware platforms. Most often, the program can be recompiled without any changes.
  • Standardisation: standards have been a goal and a prominent feature ever since the design of the language in the late 1970s. The first standard was published in 1980, just 3 years after design commenced. Ada compilers all support exactly the same language; the only dialect, SPARK, is merely an annotated subset and can be compiled with an Ada compiler.

The point of readability is an important one, as the life of a software product doesn't end when you finish coding/testing it. The biggest expense (in time and money) is in the maintenance of that product. So, for a long project as the ISS, using a language built to aid in that task, by minimiZing errors and general ambiguity, seems appropiate.

This answer compares it with C and C++:

Ada has a number of safety features built into the language. (Compare with C, where the standard has twelve pages that summarize the undefined behaviors built into the language. Compare with C++, where the undefined behaviors are so numerous that they don't even list them.) Those Ada safety features can have a significant performance cost, and because of this, Ada also supplies the ability to selectively disable those safety features.

Note that is possible to reach the same level of security with C or C++, if you use a subset of the C or C++ languages and commiting to a style guide, but in Ada it comes with the language.

EDIT (Thanks JCRM): The first link also talks about support for low-level programming:

Ada has powerful specialised features supporting low-level programming for real-time, safety-critical and embedded systems. Such features include, among others, machine code insertions, address arithmetic, low-level access to memory, control over bitwise representation of data, bit manipulations, and a well-defined, statically provable concurrent computing model called the Ravenscar Profile.

Where I work, we actually use the address arithmetic and the low-level memory features to load different configuration data without having to compile the product each time, saving a lot of time.

Improve this answer
$\endgroup$
4
  • $\begingroup$ Comments are not for extended discussion; this conversation has been moved to chat. $\endgroup$
    – called2voyage
    Commented Jun 4, 2019 at 12:48
  • 4
    $\begingroup$ I take issue with the suggestion that it "is possible to reach the same level of security with C or C++, if you use a subset of the C or C++ languages". Using a subset avoids some of the blatant pitfalls and insecurities built-into C/C++ and thus elevates them to a minimal degree of sanity. By comparison, Ada is designed with safety as a core design goal. For serious things. You know, airplanes and bombs and stuff. As opposed to yet another compiler compiler and stuff. I cannot remember how often a compiler error in Ada revealed a bug which would have been a core dump in C. $\endgroup$
    – Peter - Reinstate Monica
    Commented Jun 5, 2019 at 12:00
  • $\begingroup$ Answers to Why is C++ template use not recommended in space/radiated environment? might be worth linking to as well $\endgroup$
    – uhoh
    Commented Jun 13, 2019 at 2:30
  • 2
    $\begingroup$ @uhoh Those answers at stackoverflow are chock full of nonsense. I have worked on multiple spacecraft whose flight software do use C++ templates. What one does not want to do is use functions that dynamically allocate memory from the heap after initialization time, throw/catch exceptions, call system functions, or use recursing/looping without bounds. Much of the C++ standard library has no such algorithmic constraints. This has nothing to do with templates in general. $\endgroup$
    – David Hammen
    Commented Feb 6, 2022 at 22:53
62
$\begingroup$

Timing. Ada was developed in the 1970s and 80s with the intent of replacing the plethora of languages used in the US Department of Defense's realtime systems. NASA (and also organizations from Europe) were active participants. The DoD mandated Ada for all major development in 1991. NASA did much the same. The International Space Station had been a paper concept until that time. It started to become real exactly when the Ada mandate took effect.

The DoD dropped its Ada mandate in 1997. NASA did much the same. If the ISS was built today, its flight software most likely would not be in Ada.

So why Ada? Ada was created to address a number of problems. One was the large number of languages in use at the DoD. Another was the perceived lack of safety in those languages, particularly so with respect to realtime systems and embedded systems. Ada did provide several features that were lacking in other languages.

There are many reasons Ada has become a niche language. One is that the excessive strictness and verboseness of the language get in the way of it being a general purpose language. Another problem was that the Ada community missed the boat on the transition from mainframes to minicomputers to desktop computers. The languages at the forefront of these transitions (C and C++) remain widely used. The Ada community also missed the boat on the free software movement. The first free Ada compiler didn't come out until 1995, and that release wasn't complete. By then, it was too late.

Improve this answer
$\endgroup$
12
  • 11
    $\begingroup$ While I upvoted this answer because I think it identifies the prime cause, I think it would be improved by mentioning the reasons that NASA preferred Ada over other alternatives available at the time. It was not completely arbitrary. $\endgroup$
    – Jack Aidley
    Commented Jun 3, 2019 at 12:20
  • 2
    $\begingroup$ @JackAidley: Were there alternatives? Modula-3 or Mesa, maybe? $\endgroup$
    – Jörg W Mittag
    Commented Jun 3, 2019 at 14:49
  • 32
    $\begingroup$ The why is fairly simple: flight software is not like other software. You don't change anything unless you absolutely have to. I would be thrown from the roof of Building 1 if I were to earnestly request a complete port of flight software into a different language. $\endgroup$
    – Tristan
    Commented Jun 3, 2019 at 14:50
  • 14
    $\begingroup$ @Tristan - I have an idea for an April Fool's joke next year... $\endgroup$
    – BruceWayne
    Commented Jun 3, 2019 at 15:59
  • 20
    $\begingroup$ @QuoraFeans much as I love python, its not quite at the level of realtime/safety critical applications yet. Java, with its heavyweight runtime, is essentially ruled out from embedded controls applications. Its extremely likely the code would end up in C (maybe C++) using something like the MISRA standards that the automotive industry uses (or one of the million similar standards). Those languages are still king in the embedded space, for many very good reasons. $\endgroup$
    – mbrig
    Commented Jun 3, 2019 at 18:58
22
$\begingroup$

I remember taking Computer Science courses in the late 90s. The professor of CS explained to our meager group of CS majors that he was going to teach us C, rather than COBOL or Ada, because it would be more useful in general. At the time, they were the major programming languages colleges were teaching back in the day (every major university in the area with a CS degree taught one of those two). Why would they teach older languages? Because you could still get a job writing code in them. This was around the time the ISS was being built.

The reason Ada came about was because they needed mission critical software that was reliable and Ada was literally made to fit the bill. NASA still has one of the costliest software errors in history (back in the dark ages of punch cards)

A bug introduced by a punch card turned out to be one of the most expensive software bugs in history, when it led to the destruction of the Mariner 1 spacecraft in 1962 (cost in 1962 dollars: 18.5 million; cost in today's dollars: $135 million), before it could complete its mission of flying by Venus.

However, there was a fatal flaw in the software of that guidance system: when the equations that would be used to process and translate tracking data into flight instructions were encoded onto punch cards, one critical symbol was left out: an overbar or overline, often confused in ensuing years with a hyphen. The lack of that overbar, essentially, caused the guidance computer to incorrectly compensate for some otherwise normal movement in the spacecraft.

Ada's main feature is stability

With its emphasis on sound software engineering principles Ada supports the development of high-integrity applications, including those that need to be certified against safety standards such as DO-178B and security standards such as the Common Criteria. For example, strong typing means that data intended for one purpose will not be accessed via inappropriate operations; errors such as treating pointers as integers (or vice versa) are prevented. And Ada’s array bounds checking prevents buffer overrun vulnerabilities that are common in C and C++.

NASA tried to create it's own Ada-esque language called (I am not making this up) HAL/S which the Space Shuttle used and... not much else. All the ground equipment would wind up using Ada by then (standards!)

A proposal for a NASA standard ground-based version of HAL named HAL/G for "ground" was proposed, but the coming emergence of the soon to be named Ada programming language contributed to Intermetrics' lack of interest in continuing this work.

Oh, HAL/S has one other minor problem

The weakness of Hal/S is that it is readily available only when hosted on the IBM 360/370 series of mainframe computers. Intermetrics has also hosted Hal/S on the Modcomp IV and Classic, and on Data General Eclipse minicomputers. But the Modcomp implementation is used only by JPL, and the Eclipse development is no longer in use because address-space limitations reduce compile speed to around 30 lines/minute.

As such, it's not surprising that in the early 90s (when PCs were on the rise) it was much cheaper to source more standard computing devices (my bet is IBM was able to make Ada run on more standard hardware, since they were already supplying astronauts with Thinkpads round that time). Fun fact: Thinkpads running Linux are used to interface with the station computer

"It was just the applicational needs," he said, describing how the laptop software that talked to the station's command and control systems in those early days was designed to run on a Linux-based OS.

By contrast, the rover (early 2000s) ran on C

It's running 2.5 million lines of C on a RAD750 processor manufactured by BAE.

Improve this answer
$\endgroup$
8
  • 9
    $\begingroup$ That's not nearly the costliest error. The Mars Climate Orbiter cost $327.6 million in 1998. It crashed because imperial and metric units were mixed. Although technically that was not a software error in the end - the problem was noted before the failure, just the engineers "did not follow the rules about filling out [the] form to document their concerns". So this was really a bureaucracy error, just like Challenger where engineers had also warned the bureaucracy up front. $\endgroup$
    – MSalters
    Commented Jun 3, 2019 at 16:01
  • 5
    $\begingroup$ The overbar thing was not an error in the programming language, it was an error in the spec. (source: Scott Manley, I think), the actual issue was that the spec should have said that that value was to be averaged, hence the overbar, but the spec review and the code review failed to catch that it should have been an average value. Now, a language with lower cognitive load might let the programmer notice more easily, but this particular incident wasn't caused by a language. $\endgroup$
    – Yet Another User
    Commented Jun 3, 2019 at 16:13
  • 9
    $\begingroup$ "The professor of CS was a jovial guy" - talk about a language with 1000 dialects each requiring its own compiler! That's why Ada was developed: To replace the hundreds of Jovial dialects. No wonder he taught you C: Bad feelings that Ada replaced his favorite language! $\endgroup$
    – davidbak
    Commented Jun 3, 2019 at 18:02
  • 3
    $\begingroup$ @davidbak rimshot TIL there's such a language... $\endgroup$
    – Machavity
    Commented Jun 3, 2019 at 18:28
  • 1
    $\begingroup$ @Machavity: Oh yes! JOVIAL is somewhat famous because the B2 Spirit's avionics software was written in JOVIAL. The Air Force then later contracted a company called Semantic Designs (whose Chief Engineer is actually very active on Software Engineering and Stack Overflow) to create a translator from JOVIAL to C, which they were able to do without ever having access to the source code. $\endgroup$
    – Jörg W Mittag
    Commented Jun 4, 2019 at 5:20
17
$\begingroup$

From the website:

AdaCore tools can be used to meet verification objectives including coding standard compliance, code accuracy (prevention of errors such as buffer overrun, integer overflow, and references to uninitialized variables), and structural coverage analysis up to MC/DC. Specialized high-assurance run-time libraries, including one that implements the Ravenscar tasking profile, are simple enough to be included in qualified systems but expressive enough to support the needed functionality for hard real-time space software. Qualification material for the run-time libraries can be developed for the ECSS standard and adapted to new project contexts.

C and C++ do not prevent those errors (bar costly addons), and Java is not hard real-time (bar nonstandard VMs).

When lives are on the line, it's best to rule out runtime errors and delays by design:

with Ada.Text_IO; use Ada.Text_IO;

procedure Learn is

   subtype Alphabet is Character range 'A' .. 'Z';

begin

   Put_Line ("Learning Ada from " & Alphabet'First & " to " & Alphabet'Last);

end Learn;

Here, Alphabet cannot contain any value other than A to Z. This rather unique language feature, among others, helped a team of students complete the 2013-2015 CubeSat mission:

As one example of Ada in an undergraduate setting, students at Vermont Technical College in the U.S. used the SPARK language (a formally analyzable subset of Ada) to develop the software for a CubeSat satellite that recently completed a successful two-year orbital mission. SPARK was chosen because of its reliability benefits. The students had no previous experience in Ada, SPARK, or formal methods, but were able to quickly come up to speed.

Of the twelve CubeSats from academic institutions that were included in the launch, the one from Vermont Tech was the only one that completed its mission. Many of the others met their doom because of software errors. The Vermont Tech group credits its success to the SPARK approach, which, for example, allowed them to formally demonstrate the absence of run-time errors.

Improve this answer
$\endgroup$
3
6
$\begingroup$

Of all the possible languages to choose from, what are the aspects of Ada that make it NASA's choice for such a critical application? What might be the weighting between legacy reasons versus intrinsic suitability?

  • Ada is a language designed for this very kind of situation, i.e. fault intolerant, real-time and (often) embedded systems used to control critical equipment or processes

  • Ada's evolution was much more focussed and tightly managed from the very outset. Both its originators and its evaluators were handpicked experts in the language development field with a strong sense of duty to both their profession and the Ada project. Just as West Coast values permeate Java, the selfless modesty of Ichbiah, Dewar and Taft set a tone for Ada that still prevails and one that must appeal to an organization like NASA.

  • Ada has a formally-defined subset language called SPARK that allows ready mapping of a formally-verified system design onto its code

  • Ada is one of the fastest languages around, moreover with parallel processors

  • The Ada industry (companies like AdaCore, Altran, Green Hills, Wind River, etc, etc) has developed numerous support tools for critical system development in Ada/SPARK

  • There are few capable alternative languages to Ada

  • Alternative languages such as formally-defined C do not have the same depth of experience or support as Ada/SPARK do

I've no idea what the detailed system requirements were nor how tight the tendering guidelines were in relation to weighting of legacy and intrinsic suitability. But it seems rational to me that Ada/SPARK would score high in both categories. Legacy factors should include things like

  • NASA was an original sponsor of the Ada project and had used it from the outset on prior systems

  • System building company's likely greater familiarity with Ada/SPARK, know-how in deploying its constructs effectively for the new critical system's requirements

  • Likely existing use of Ada/SPARK by subcontractors, e.g. embedded systems for ancillary equipment like radar, x-ray scopes, etc, to the project and data interfacing between main and sub-systems

Improve this answer
$\endgroup$
0
$\begingroup$

Ada is SGML of programming languages (and Java/C# is XML). Both are built in a new base for a complete solution. And both failed to become popular due to their complexity and oddity. (Minority knows SGML but everyone understands HTML: simplicity is strength.) We learnt Ada in '91 and loved it even we came from Modula-3 and not from junk Pascal or C. (Not even mentioning assembly.) Ada looked perfectly built in general and in details. But none of us used it because the only Ada environment was for IBM 360 (or a russian clone of it) and no Ada compiler appeared for many years for PC. And it became a "shining diamond in a glass cabinet", theoretically perfect but untouchable. We wrote code for Sieve of Eratosthenes but there were no resource to run it with log(log(10e9)) tasks. (That day they counted RAM in hundred of KBs.) Meanwhile good C++ environments came (with usable class libraries!) and most programmer used it as primary platform until Java appeared a decade later. And even there was no good development tools for Java but there were usable ones and cheap PCs can run them.

Improve this answer
$\endgroup$
9
  • 2
    $\begingroup$ I was compiling ADA on Sun Workstations in 1989, There were many versions for many platforms by 1991. $\endgroup$
    – user20636
    Commented Jun 5, 2019 at 14:31
  • 4
    $\begingroup$ I was writing Ada for Motorola 68000/68020 in 1988, cross-compiling on a VAX. A couple of years later, I was writing Ada for a TI floating-point DSP, again cross-compiling on a VAX. @JCRM is absolutely correct: there were many options for many platforms by 1991. $\endgroup$
    – John R. Strohm
    Commented Jun 5, 2019 at 16:45
  • 3
    $\begingroup$ Ada is far, far less complex than C++. Even early C++. Not only is any claim of why it "failed to become popular" personal speculation which should not be presented as factual information, but this particular one happens to be provably wrong. $\endgroup$
    – T.E.D.
    Commented Jun 6, 2019 at 13:57
  • 1
    $\begingroup$ As a rough measure, my old green Ada83 LRM is about 250 pages. This working draft of the ISO C++ standard is 1440 pages. $\endgroup$
    – T.E.D.
    Commented Jun 6, 2019 at 14:08
  • 3
    $\begingroup$ @JCRM: We were living on the wrong side of the wall, any hardware not made in USSR was very far from up-to-date. Softwares too. The Ada compiler was made by two enthusiastic (and talented of course) teacher at the university. $\endgroup$
    – Peter Krassoi
    Commented Jun 13, 2019 at 14:51

Not the answer you're looking for? Browse other questions tagged or ask your own question.