
I recently had a discussion with people who were active in the aviation industry and told me that one of the main languages/tools they use is Python.

On the other hand I have always known that people avoid C++ or e.g. Linux due to certification reasons for avionics. Certification is also one of the reasons you don't see AI and computer vision in C++ on aircraft. Yet, those people use Python all the time.

I didn't have (and never will have) the opportunity to ask why and for what they used it. Could someone explain why and for what people would still use Python although it may be very difficult to get it certified?

chicks

  • There are more computers on a plane than avionics, especially on an airliner. Also there are more computers in the industry than ones on an airplane. They can write their website in PHP, their booking server in COBOL, infotainment in Java, or database in SQL, whatever. – user3528438 Oct 12 '17 at 03:45
  • Also, just because they use it doesn't mean they use it on the plane. I work on (less critical) embedded software and the whole test system is written in Python even though the actual software is in C. – user253751 Oct 12 '17 at 04:57
  • What do you mean by certified? – LangeHaare Oct 12 '17 at 11:49
  • This is begging for a 'snakes on a plane' joke.... – Roddy of the Frozen Peas Oct 12 '17 at 13:18
  • @LangeHaare Pretty much everything that goes into the design of an aircraft has to be certified by the relevant aviation authorities before the aircraft is allowed to be flown legally. Safety-critical systems - such as the code that runs the flight controls - require quite stringent certification standards to be met. – reirab Oct 12 '17 at 22:28
  • To add a further comment about C++, Lockheed specifically wrote a coding standard for its use on the F-35 program: http://www.stroustrup.com/JSF-AV-rules.pdf. So yes, C++ is used. – Synchrondyne Oct 13 '17 at 20:38
  • "...told me that one of the main languages/tools they use is Python..." But for what? The question should really be extended to include that vital information. Otherwise I fear it will be too speculative. – NoDataDumpNoContribution Oct 16 '17 at 07:31
  • @reirab why would C++ and Linux be certifiable? Seems reasonable to me to be able to certify the software. – tuskiomi Oct 31 '17 at 21:51
  • @tuskiomi It depends on the type of code in question. Using Linux on the passenger in-flight entertainment system? Not a problem. Using it on the computers that run the fly-by-wire system? Much bigger problem. Among other things, non-determinism will be an issue. Timing is inherently non-deterministic on an OS with preemptive multitasking. RTOS or bare metal are typically the only viable choices for such scenarios. Dynamic memory allocation is also inherently non-deterministic (unless you know exactly every allocation that will occur and in what order.) – reirab Oct 31 '17 at 22:53

3 Answers

Just because aviation developers use Python, does not mean that Python actually goes flying.

Lots of aviation development is about testing, stressing, validating, analyzing, and documenting the code that does go flying.

Python is an excellent language for all that validation work, even though it stays on the ground.

abelenky

  • Yep, Python is a common scripting language used with automating test equipment. The primary languages that I'm aware of that actually fly are Ada/SPARK, C/C++, and assembler. – selectstriker2 Oct 11 '17 at 21:09
  • @selectstriker2 C++? You sure about that? I was pretty sure companies had some issues with certification for that language as well. As an example: people doing AI and computer vision for UAVs write all their code in plane C rather than using the well-known open-source libraries like OpenCV. – LandonZeKepitelOfGreytBritn Oct 11 '17 at 21:30
  • It isn't the language that causes certification issues. Things like dynamic memory, exception handling, inheritance, and function overloading can increase the amount of certification (verification) work needed. The biggest certification burden is when you use an RTOS rather than write for bare metal. – selectstriker2 Oct 11 '17 at 21:35
  • I'm sure there is plenty of C++ being used on DO-178B/C projects at Level D or Level E. – selectstriker2 Oct 11 '17 at 21:38
  • And just because code is flying does not mean it's safety critical. These days people are using iPads as part of their avionics setup - IPADS!! But these are normally used for navigation and charting - the iPad never gets to control any control surfaces or landing gear or anything mechanical. – slebetman Oct 12 '17 at 02:28
  • There are comprehensive guidelines published for software development in C and C++. These prohibit using the more "troublesome" parts of the languages. See https://www.misra.org.uk/Publications/tabid/57/Default.aspx. Ada "seemed like a good idea at the time" but it has never become a mainstream language, which means the user base is (probably unsustainably) small - unless you believe it does have a long-term future which you want to be part of, you would most likely avoid getting involved with it. – alephzero Oct 12 '17 at 02:33
  • @LandonZeKepitelOfGreytBritn: "Plane C" - is that a deliberate joke? :-) – psmears Oct 12 '17 at 08:55
  • @psmears Given alephzero's link, there is indeed a subset of C that could be considered "plane C". – JAB Oct 12 '17 at 13:47
  • As a side note, some of the verification software does have to be formally qualified under DO-330. The general rule of thumb is that if software automates DO-178 certification processes and the output of the tool isn't reviewed, you need to do a qualification process to prove your software is dependable. – Cody P Oct 12 '17 at 16:07
  • Of course Python goes flying! import antigravity – dotancohen Oct 15 '17 at 11:40
  • @selectstriker2 Some languages basically force dynamic memory allocation on you whether you like it or not. Python is one of them. – Peter Green Oct 15 '17 at 13:41
  • @PeterGreen Which is why you wouldn't use Python in safety critical applications. I was talking about using C++, which can be used but you need to consider the items I listed. – selectstriker2 Oct 15 '17 at 13:53
  • @selectstriker2 Heh, agreed. The QNX'ers and C/MISRA guys who work in automotive can't even get C++ in vehicles, in spite of considerable efforts. Python? The proposal would be laughed out of the building, since it won't come anywhere near meeting safety specs, certs, etc. – Cloud Oct 15 '17 at 16:01
  • I worked for an avionics subcontractor. We used C for all controls software and Python to hardware-in-the-loop black-box test EVERYTHING. ~80%-90% of all code written was Python test code. Every line of C had hundreds of lines of Python testing it. – 8bitwide Oct 15 '17 at 21:04
  • @selectstriker2 Nearly all the language features of C++ over C cause determinism issues. That coupled with unpredictable and uncertified compilers means there is no real point in writing in a language where you need to be constantly vigilant to make sure language features aren't being used. – 8bitwide Oct 15 '17 at 21:07
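The split that this answer and its comments describe (the C is what flies; Python exercises it from the ground) in runnable form. This is an added example, not code from the answer or from any avionics project: `uut_alert_v1` and `uut_alert_v2` are constructed Python stand-ins for two builds of a compiled C altitude-alert routine that would normally be driven over a hardware-in-the-loop link, and the requirement IDs, test vectors and the int16 wraparound defect in the first build are all assumptions made for this illustration. It goes a little beyond the text by adding a requirements traceability check next to the pass/fail results, which is the kind of evidence a ground-side harness is expected to produce.

```python
"""Ground-side, requirements-based black-box test harness (added example).

Assumptions, for illustration only: uut_alert_v1 / uut_alert_v2 stand in for
two builds of a compiled C altitude-alert routine that would normally be
exercised over a hardware-in-the-loop link; requirement IDs, vectors and the
defect in v1 are constructed for this example and come from no real project.
"""
from dataclasses import dataclass

INT16_MIN, INT16_MAX = -32768, 32767


def clamp_int16(x: int) -> int:
    """Saturate to the int16 range, as the (assumed) C input filter does."""
    return max(INT16_MIN, min(INT16_MAX, x))


def wrap_int16(x: int) -> int:
    """Emulate C two's-complement wraparound of a 16-bit signed intermediate."""
    return ((x + 32768) & 0xFFFF) - 32768


def uut_alert_v1(altitude_ft: int, selected_ft: int) -> int:
    """Assumed first build: the subtraction is done in int16, so it can wrap."""
    a, s = clamp_int16(altitude_ft), clamp_int16(selected_ft)
    return 1 if abs(wrap_int16(a - s)) > 300 else 0


def uut_alert_v2(altitude_ft: int, selected_ft: int) -> int:
    """Assumed fixed build: the subtraction is widened (int32) before comparing."""
    a, s = clamp_int16(altitude_ft), clamp_int16(selected_ft)
    return 1 if abs(a - s) > 300 else 0      # Python ints do not wrap


@dataclass(frozen=True)
class TestVector:
    test_id: str
    req_id: str        # requirement this case traces to
    kind: str          # "normal" (in-range input) or "robustness" (abnormal input)
    altitude_ft: int
    selected_ft: int
    expected: int      # derived by hand from the requirement, never from the UUT


# Constructed requirement set; REQ-ALT-4 deliberately has no vector, so the
# traceability check below has something to flag.
REQUIREMENTS = {
    "REQ-ALT-1": "Alert (1) when |altitude - selected| exceeds 300 ft",
    "REQ-ALT-2": "No alert (0) when within 300 ft, boundary inclusive",
    "REQ-ALT-3": "Inputs outside int16 are clamped and raise no false alert",
    "REQ-ALT-4": "Alert clears within 1 s of re-entering the band",
}

VECTORS = [
    TestVector("TC-01", "REQ-ALT-1", "normal", 10000, 9000, 1),
    TestVector("TC-02", "REQ-ALT-1", "normal", 9000, 10000, 1),
    TestVector("TC-03", "REQ-ALT-2", "normal", 10000, 10000, 0),
    TestVector("TC-04", "REQ-ALT-2", "normal", 10300, 10000, 0),       # boundary
    TestVector("TC-05", "REQ-ALT-1", "normal", 10301, 10000, 1),       # boundary + 1
    TestVector("TC-06", "REQ-ALT-3", "robustness", 40000, 32767, 0),   # clamps to equal
    TestVector("TC-07", "REQ-ALT-3", "robustness", -40000, -32768, 0),
    TestVector("TC-08", "REQ-ALT-1", "robustness", 32767, -32768, 1),  # max separation
]


@dataclass(frozen=True)
class Result:
    test_id: str
    req_id: str
    expected: int
    actual: int
    passed: bool


def run_vectors(uut, vectors=VECTORS):
    """Drive the UUT with every vector and record expected vs. actual."""
    results = []
    for v in vectors:
        actual = uut(v.altitude_ft, v.selected_ft)
        results.append(Result(v.test_id, v.req_id, v.expected, actual, actual == v.expected))
    return results


def failed_tests(results):
    return [r.test_id for r in results if not r.passed]


def traceability(results, requirements=REQUIREMENTS):
    """Requirement -> list of test IDs that exercised it (empty list = uncovered)."""
    matrix = {req: [] for req in requirements}
    for r in results:
        matrix.setdefault(r.req_id, []).append(r.test_id)
    return matrix


def uncovered_requirements(results, requirements=REQUIREMENTS):
    return sorted(req for req, tests in traceability(results, requirements).items() if not tests)


def report(uut_name, results):
    """Human-readable record; the lists returned above are what a reviewer checks."""
    lines = [f"UUT: {uut_name}"]
    for r in results:
        lines.append(f"  {r.test_id} [{r.req_id}] expected={r.expected} actual={r.actual} "
                     f"{'PASS' if r.passed else 'FAIL'}")
    lines.append(f"  failures: {failed_tests(results) or 'none'}; "
                 f"uncovered requirements: {uncovered_requirements(results) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, uut in (("build v1", uut_alert_v1), ("build v2", uut_alert_v2)):
        print(report(name, run_vectors(uut)))
```

Two design points carry over to real harnesses: expected values are written down from the requirement, never obtained by running the unit under test (otherwise the test only proves the code agrees with itself), and the robustness vector TC-08 is the one that exposes the int16 wraparound in the first build, which none of the in-range vectors would have caught.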

As a software engineer who works at a defence company that develops and sells mission critical (but not safety critical) systems, I can confirm that there's a pretty even split between development in Ada (95) for our legacy products and various flavours of C/C++ for our new products. Development in both is of course done to the appropriate standards.

Python is largely limited to plugins for our IDEs or validation and verification activities (being used by both software and systems engineers).

T. Archer

  • I enjoyed Ada 83 a lot when it was taught in my college, partly in order to create a level playing field for the students. I found that when I put its features to good use my programs were a lot less likely to crash than with C or C++. I find especially C++ extraordinarily troublesome as a language (and I have been using it for >20 years now, and read the last three standards -- ok, maybe that's why). C is not exactly safe but at least a small language which is easy to completely grasp (the language, not the libraries). So is Ada indeed phased out even in avionics? That would be sad. – Peter - Reinstate Monica Oct 12 '17 at 12:59
  • I've worked on safety critical avionics software for the past 10 years or so, and in that time I've never seen Ada used. I know some large companies may use it for some projects, but it isn't taught in most colleges. C/C++ tends to be the most widely taught bare metal language. – selectstriker2 Oct 12 '17 at 13:47
  • @Peter The SPARK/Ada people claim it sees use in the EuroFighter and Rolls-Royce engines. I really like the idea of language provability, but it definitely seems like a niche feature. – mbrig Oct 12 '17 at 17:50
  • @mbrig I find it amusing that the US DOD developed ADA is being used in the EuroFighter and the British (well, sort of... OK in name only) Rolls-Royce engines. – FreeMan Oct 12 '17 at 21:06
  • @FreeMan I'd imagine that EuroFighter and Rolls use the U.S. DoD-developed Internet, too. :) DoD develops a lot of things. – reirab Oct 12 '17 at 22:42
  • @mbrig Currently working on the Eurofighter so I can confirm, it's all over the Typhoon (and the Tornado). I believe it was mandated by the MOD way-back-when. – T. Archer Oct 13 '17 at 06:50
  • @PeterA.Schneider: A major problem with C is that while the Standard notes that implementations often usefully expose documented features of the execution environment in cases where the Standard would otherwise impose no requirements, and low-level programming often requires use of such features, there's no standard means by which code can indicate that it requires e.g. the ability to use relational operations to test whether two pointers identify overlapping regions of storage. Linear-address systems will generally define a global transitive ordering relation among all pointers... – supercat Oct 13 '17 at 19:27
  • ...but compilers for such systems may sometimes decide that since the Standard imposes no requirements on what happens if code compares two unrelated pointers, they should assume code will never do so. – supercat Oct 13 '17 at 19:28
  • That's why we test and verify everything, just make sure that the compiler didn't generate machine code that behaves differently than is expected. – selectstriker2 Oct 14 '17 at 18:16

There are three basic areas of coding for aviation engineers. Software code that runs on flight computers and other avionics equipment, software that formally verifies and creates that code, and scripting to automate informal work tasks. Python has different use cases in all of them.

First, for actual on-airplane software. There are different safety levels here and different required levels of testing. Python would be a nightmare to certify for a critical display, autopilot, or ground-proximity warning unit. C's lack of object-oriented programming and complaints when you abuse variable types may be annoying, but they also lead to easy verification that the software isn't doing something wrong behind your back. On the other hand, I've heard of noncritical systems like in-flight entertainment and maintenance even using systems like Windows NT.

Code generation and formal verification (the kind that's documented to prove to certification authorities that you won't, well, kill anyone) do have to be formally qualified sometimes. You can't just write a Python script to test all your software by simulation, formal methods, etc., then say to certification authorities that your Python script showed no problems. To be more specific, DO-330 provides guidance that if you're using a tool to replace DO-178 processes (like testing, code generation, or configuration control), then that tool needs to either be formally qualified or its output needs to be checked (yes, even if the output is more fool-proof than a human doing the same analysis).

Finally, a lot of engineers' jobs involve scripting, and there are few languages more popular right now for scripting than Python. By scripting I mean solving problems like:

  • What issues am I working on in this area?
  • How do I add a description to a hundred files at once?
  • Is this criterion statistically different from that criterion?
  • How can I pull hundreds of lines of data from our database and dump it into a spreadsheet for my project engineer?
  • How can I email my boss every day asking for a promotion?

In these non-critical but quotidian affairs, Python scripting can help wrangle lots of complex or repetitive tasks and make them manageable.

selectstriker2
Cody P

  • I've seen more than a few airport terminals running Win NT - you can tell by the BSOD! (Yup, I've seen a few.) Of course, that's aviation related, but not aircraft specific. – FreeMan Oct 12 '17 at 21:07
  • For sure we spend a good chunk of time writing fancy Excel spreadsheets full of VBA to process data! – T. Archer Oct 13 '17 at 06:52
  • ...hacks away at that promotion script – pipe Oct 13 '17 at 12:43
  • “C's lack of object-oriented programming and complaints when you abuse variable types may be annoying, but they also lead to easy verification that the software isn't doing something wrong behind your back.” Um... C is horrible for verifying anything, you really want a stronger type system for that. Java, C++, obviously Ada all have a better standing here, not to speak of the really strong type systems that languages like O'Caml, Haskell or Idris offer. And even Python is arguably safer than C because its type system is stronger. – leftaroundabout Oct 14 '17 at 11:38
  • (I suppose you're right though that C code which essentially uses the Fortran77 subset of the language can be verified quite well, but it's extremely painful to write.) – leftaroundabout Oct 14 '17 at 11:45
  • I like how you put "How can I email my boss every day asking for a promotion?" as a problem that needs a script to solve. Make sure that in those e-mails you point out the virtues of automation. :-) – user Oct 14 '17 at 12:37
  • @leftaroundabout Yes, C has plenty of room for errors like NaN handling, initialization, and memory structures, but typically code generation for those is set up consistently enough to avoid issues (like avoiding dynamic allocation and protections against divide by zero). OOP and loose typing, on the other hand, require lots of complex structural coverage testing because it's possible what you think is a Foo is actually an insidious Bar. See CAST-17 for example. – Cody P Oct 21 '17 at 00:21
  • @CodyP well, loose typing is what I mainly meant by “C is horrible for verifying anything”. Again – true, as long as you basically just write Fortran77 in C, it is reasonably rigid. But as soon as you want to do any sort of polymorphism, C doesn't help you at all and you have to go through void* which is about the loosest typing you can get. And without any polymorphism, it is very difficult to adhere to DRY, which in principle is very desirable for safety. – leftaroundabout Oct 21 '17 at 09:48
  • C++ OTOH allows lots of code reuse through templates, which doesn't rely on any dangerous subtyping and is completely verifiable at compile-time. And the Hindley-Milner languages generally resolve all polymorphism at compile-time, and never do any implicit coercions at all. About Java or C#... I'm not sure – they certainly aren't the safest option, but at least they're designed upfront with awareness of OO subtyping and its possible security ramifications. – leftaroundabout Oct 21 '17 at 09:48
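The DO-330 point made in this answer (and in Cody P's comment on the first answer): a tool that replaces a DO-178 process either gets qualified or has its output checked. The second route, as an added worked example that is not from the answer or from any real toolchain: a small Python generator emits a C CRC-8 lookup table, and a separate checker parses the emitted C back and re-derives every entry with a different algorithm, so a defect in the generator or a corrupted output file is caught without trusting the generator itself. The polynomial 0x07, the array name `CRC8_TABLE` and the file layout are assumptions made for this example.

```python
"""Checking a development tool's output instead of qualifying the tool (added example).

Constructed for illustration: the generator below stands in for a code-generation
tool, and the checker stands in for the independent output verification that DO-330
allows in place of tool qualification. Polynomial, array name and layout are assumed.
"""
import re

POLY = 0x07                 # assumed CRC-8 polynomial x^8 + x^2 + x + 1 (example only)
ARRAY_NAME = "CRC8_TABLE"   # assumed name of the generated C array


# ---------------- the tool: generates C source ----------------
def crc8_table_entry(byte: int, poly: int = POLY) -> int:
    """Table-building method: shift-and-xor over the 8 bits of one byte."""
    crc = byte
    for _ in range(8):
        crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def generate_c_table(poly: int = POLY) -> str:
    """Emit the 256-entry table as a C array initialiser, eight entries per row."""
    rows = []
    for base in range(0, 256, 8):
        rows.append("    " + ", ".join(f"0x{crc8_table_entry(b, poly):02X}"
                                       for b in range(base, base + 8)) + ",")
    return (f"/* generated: CRC-8 table, poly=0x{poly:02X} */\n"
            f"static const uint8_t {ARRAY_NAME}[256] = {{\n" + "\n".join(rows) + "\n}};\n")


# ---------------- the independent checker ----------------
def crc8_reference(byte: int, poly: int = POLY) -> int:
    """Independent derivation: explicit polynomial long division in GF(2), written
    without the generator's shift loop so that a shared bug is unlikely."""
    rem = byte << 8                 # message polynomial multiplied by x^8
    divisor = (1 << 8) | poly       # the full 9-bit generator polynomial
    for shift in range(7, -1, -1):
        if rem & (1 << (shift + 8)):
            rem ^= divisor << shift
    return rem & 0xFF


_TABLE_RE = re.compile(r"static const uint8_t " + re.escape(ARRAY_NAME)
                       + r"\[(\d+)\]\s*=\s*\{(.*?)\};", re.S)
_HEX_RE = re.compile(r"0x([0-9A-Fa-f]{2})")


def check_generated_table(c_source: str, poly: int = POLY) -> list:
    """Parse the emitted C and compare every entry with the reference.
    Returns a list of findings; an empty list means the output is accepted."""
    findings = []
    m = _TABLE_RE.search(c_source)
    if not m:
        return ["array declaration not found or malformed"]
    declared_len = int(m.group(1))
    values = [int(h, 16) for h in _HEX_RE.findall(m.group(2))]
    if declared_len != 256:
        findings.append(f"declared length {declared_len}, expected 256")
    if len(values) != 256:
        findings.append(f"found {len(values)} initialisers, expected 256")
    for i, v in enumerate(values[:256]):
        ref = crc8_reference(i, poly)
        if v != ref:
            findings.append(f"entry {i}: emitted 0x{v:02X}, reference 0x{ref:02X}")
    return findings


if __name__ == "__main__":
    source = generate_c_table()
    print(source)
    print("clean output findings:", check_generated_table(source))
    # A single flipped entry, as a corrupted or mis-generated file would show it.
    print("corrupted output findings:", check_generated_table(source.replace("0x07,", "0x17,", 1)))
```

The checker deliberately does not import the generator's table function: it re-parses the text the downstream C compiler will see and recomputes each value by a different route, which is what makes the check count as independent verification of the output rather than a second run of the same tool.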