Beruflich Dokumente
Kultur Dokumente
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it
intended to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a
standalone product but, rather, as input when considering issues in a project-specific context.
1-ii
Volume 1
Contents
1.1 HANDBOOK INTRODUCTION .................................................................................................................... 1-1
1.1.1 Purpose.............................................................................................................................................. 1-1
1.1.2 Background........................................................................................................................................ 1-1
1.2 HANDBOOK ORGANIZATION .................................................................................................................... 1-2
1.2.1 Scope.................................................................................................................................................. 1-2
1.2.2 Approach ........................................................................................................................................... 1-2
1.3 OOT BACKGROUND ................................................................................................................................ 1-4
1.3.1 OOT Basics........................................................................................................................................ 1-4
1.3.2 Principles of OOT.............................................................................................................................. 1-5
1.3.3 OOT Methodology ............................................................................................................................. 1-6
1.3.4 OOT Languages................................................................................................................................. 1-7
1.3.5 Additional Key OO Concepts............................................................................................................. 1-7
1.3.6 Further OOT Reading........................................................................................................................ 1-8
1.4 ACRONYM LIST ....................................................................................................................................... 1-9
1.5 GLOSSARY............................................................................................................................................. 1-11
1.6 OOTIA WORKSHOPS ............................................................................................................................. 1-25
1.6.1 Workshop Committee....................................................................................................................... 1-25
1.6.2 Participants in Workshop #1 ........................................................................................................... 1-25
1.6.3 Participants in Workshop #2 ........................................................................................................... 1-28
1.7 REFERENCES ......................................................................................................................................... 1-32
1.8 FEEDBACK FORM .................................................................................................................................. 1-33
Figures
Figure 1.2-1 Handbook Approach............................................................................................................................. 1-2
Figure 1.3-1 Object-Oriented Class Representation ................................................................................................. 1-5
Figure 1.3-2 OOA Tasks............................................................................................................................................ 1-7
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context. 1-iii
Volume 1
1.1.1 Purpose
The purpose of this four-volume Handbook is to identify key issues and provide some potential approaches to
address these issues when using OOT in airborne products. Although some of the issues identified in this Handbook
are not unique to OOT, they are discussed in the Handbook because the way they are addressed is key to safe
implementation of OOT. This Handbook also provides an approach for certification authorities and their designees
to help ensure that OOT issues have been addressed in the projects they are reviewing or approving.
1.1.2 Background
Compliance with the objectives of RTCA/DO-178B, Software Considerations in Airborne Systems and Equipment
Certification [1], is the primary means of obtaining approval of software used in civil aviation products. When DO-
178B was published in 1992, procedure programming was the predominant technique for organizing and coding
computer programs. Consequently, DO-178B provides guidelines for software developed using a functional
technique and does not specifically consider software developed using OOT. OOT is a software development
technique that is “expressed in terms of objects and connections between those objects” [9]. Since object-oriented
technology differs from the traditional functional approach to software development, satisfying some of the DO-
178B objectives when using OOT may be unclear and/or complicated.
To date, few airborne computer systems in civil aviation have been implemented using OOT. Although OOT is
intended to promote productivity, increase reusability of software, and improve quality, uncertainty about how to
comply with certification requirements has been a key obstacle to using OOT in airborne systems.
Although organizations such as the Object Management Group (OMG) work to develop specifications for OOT, no
universal guidelines exist for using OOT in safety-critical systems. Certification authorities have been using issue
papers on a project-by-project basis to address OOT concerns. These project-specific issue papers document high-
level safety issues and concerns with OOT but do not suggest or provide detailed issues or acceptable solutions.
This Handbook extends the use of issue papers by identifying key issues and providing some guidelines to help the
software community satisfy applicable DO-178B objectives when using OOT. It also provides an approach for
certification authorities and their designees when evaluating OOT projects.
The FAA co-sponsored the Object-Oriented Technology in Aviation (OOTiA) project with the National Aeronautics
and Space Administration (NASA) to address OOT challenges in aviation. The FAA, NASA, other government
organizations, academia, international certification authorities, airborne systems manufacturers, and aircraft
manufacturers collaborated through two OOTiA workshops and the OOTiA workshop committee to produce this
Handbook [see Section 1.6 for additional information on the workshops].
It is anticipated that this Handbook and other documents may be used to impact future changes to the FAA’s
software guidance (e.g., to impact future revisions to DO-178B or supplementary guidance). It is also anticipated
that this Handbook will be updated in the future as OOT in aviation matures and lessons are learned. If you have
comments, suggested improvements to this Handbook, additional issues, or potential solutions to address an issue(s),
please complete and submit the feedback form in Section 1.8 of this volume.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context. 1-1
Volume 1
1.2.1 Scope
This Handbook documents key issues and some potential approaches to address these issues when using OOT in
airborne systems. It is intended to be informational and educational – a compilation of what we know to date
regarding the use of OOT in aviation systems. This Handbook does not constitute Federal Aviation
Administration (FAA) policy or guidance nor is it intended to be an endorsement of OOT. This Handbook is
not to be used as a standalone product but, rather, as input when considering issues in a project-specific
context. In addition, this Handbook does not attempt to define the project criteria or circumstances under which this
Handbook should or should not be used in software development. That determination is left to project planners,
decision makers, or developers, as appropriate.
This Handbook addresses issues that were identified as having potential impact in safely applying OOT in airborne
systems. Certification authorities, industry, and others submitted potential issues through a web site dedicated to the
OOTiA project [7]. Some of the issues are not unique to OOT (e.g., inlining and templates); however, these issues
are discussed in the Handbook because the way they are addressed is key to safe implementation of OOT. Note that
this Handbook does not address all potential issues, nor are the guidelines in Volume 3 the only possible solutions to
addressing the related issues. As technology advances and experience with OOT increases within the aviation
community, this Handbook will likely be updated.
1.2.2 Approach
The Handbook follows a “tiered” approach as shown in Figure 1.2-1 in which each of its four volumes provides the
foundation for all volumes above it. For example, Volume 3: Best Practices relies on contents in both Volume 1:
Handbook Overview and Volume 2: Considerations and Issues in substantiating its guidelines.
The four volumes are:
• Volume 1: Handbook Overview (this volume)
• Volume 2: Considerations and Issues
• Volume 3: Best Practices
• Volume 4: Certification Practices
Volume 4:
Certification Practices
1-2
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Each volume is written for a unique combination of target audience and purpose. Each volume is self-contained in
that each has a separate list of references applicable to that volume alone. However, to provide a consistent basis
among volumes, Volume 1: Handbook Overview contains the Acronym List (see section 1.4) and Glossary (see
section 1.5) common to all volumes.
The following sections provide the title, target audience, purpose, and overview of the contents for each volume.
1-3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Templates
Inlining
Type conversion
Overloading and method resolution
Dead and deactivated code, and reuse
Object-oriented tools
Traceability
Structural coverage
References for Volume 3
Index of terms
Frequently asked questions
Extended guidelines and examples
1-4
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Class Name
Attributes:
Operations:
1-5
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Typing is a principle that is used in OOT that has many definitions. Booch presents one of the most clear and
concise definitions by stating, “Typing is the enforcement of the class of an object, such that objects of different
types may not be interchanged, or at the most, they may be interchanged only in very restricted ways” [8]. Examples
of OOT typing are strong typing, weak typing, static typing, and dynamic typing. Each OOT programming language
varies in its implementation of typing.
Another OOT concept closely related to typing is polymorphism. Polymorphism comes from the Greek meaning
“many forms.” It allows one name to be used for two or more related but different purposes [15]. It is the ability of
an object to assume or become many different forms of an object. Polymorphism specifies slightly different or
additional structure or behavior for an object, when assuming or becoming an object [11]. This allows different
underlying implementations for the same command. For example, assume there exists a vehicle class that includes a
steer-left command. If a boat object was created from the vehicle class, the steer-left command would be
implemented by a push to the right on a tiller. However, if a car object was created from the same class, it might use
a counter-clockwise rotation of the steering wheel to achieve the same command.
Concurrency is the process of carrying out several events simultaneously.
Persistence is “the property of an object through which its existence transcends time (i.e., the object continues to
exist after its creator ceases to exist) and/or space (i.e., the object’s location moves from the address space in which
it was created)” [8].
1-6
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Identify user
requirements
(use cases)
Identify classes
(attributes &
operations) (CRC)
Reapply as needed
Specify class
hierarchy
(CRC)
Identify object-
to-object
relationships (OR)
Model object
behavior (OB)
1-7
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
The Liskov substitution principle (LSP) is a set of subtyping rules that ensure that instances of a subclass are
substitutable for instances of all parent classes in every context in which they may appear. These rules go beyond the
simple checking of signatures, taking into account the behavior of operations (as defined by their pre- and post-
conditions) and the invariants defined by classes. Even if classes are not defined formally, the principle can be
upheld by requiring the inheritance of test cases. Reference [17] provides additional insight into the LSP concept.
1-8
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
AC Advisory Circular
ACB Anomalous Construction Behavior
AMJ Advisory Material Joint
API Application Programming Interface
AVSI Aerospace Vehicle Systems Institute
BIT Built-in Test
CAST Certification Authorities Software Team
CC Control Category
CM Configuration Management
CORBA Common Object Request Broker Architecture
COTS Commercial Off-The-Shelf
CRC Class-Responsibility-Collaborator
DBC Design By Contract
DER Designated Engineering Representative
EASA European Aviation Safety Agency
EUROCAE European Organization for Civil Aviation Equipment
FAA Federal Aviation Administration
HIT Hierarchical Incremental Testing
IEEE Institute of Electrical and Electronics Engineers
IL Issue List
IP Issue Paper
JAA Joint Aviation Authorities
LRU Line Replaceable Unit
LSP Liskov Substitution Principle
MC/DC Modified Condition / Decision Coverage
NASA National Aeronautics and Space Administration
OB Object Behavior
OMG Object Management Group
OO Object-Oriented
OOA Object-Oriented Analysis
OOD Object-Oriented Design
OOP Object-Oriented Programming
OOT Object-Oriented Technology
OOTiA Object-Oriented Technology in Aviation
OOV/T Object-Oriented Verification/Test
OR Object Relationship
PDS Previously Developed Software
PSAC Plan for Software Aspects of Certification
RBT Requirements-Based Testing
R-D-C Requirements-Design-Code
RSC Reusable Software Component
RTCA RTCA, Inc.
1-9
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
1-10
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
1.5 Glossary
This glossary provides definitions for terms used in this Handbook to discuss object-oriented technology issues. It is
intended to provide terminology for consistent communication and discussion of issues. Many terms are taken
directly from the glossary 1 of RTCA/DO-178B, Software Considerations in Airborne Systems and Equipment
Certification [1]. Other terms are taken from references on object-oriented technology. References are noted, as
appropriate, after each definition. Relationships between terms are denoted as contrast, synonym, and see, where
specifically pertinent to the definition. This glossary is a resource to be used for all volumes of the Handbook.
Abstract class - A class that cannot be directly instantiated. Any class containing an abstract operation must itself be
abstract. Contrast: concrete class. [2], [16]
Abstract operation - An operation that is declared but not implemented by an abstract class. Abstract operations do
not have associated methods (bodies) in the class that defines them, but must have an associated implementation in
concrete subclasses. See: operation, method. [2], [8] Contrast: concrete operation.
Abstract pattern - A pattern that does not prescribe a particular approach. Additional guidelines are defined by sub-
patterns of the abstract pattern where these guidelines vary by the approach used.
Access mechanism - The manner in which a software component is called upon to perform its intended function.
This includes invocation mechanisms and data flow to and from the component. This is typically part of the
interface description data. [3]
Actual parameter - See: argument.
Aggregation - A composition technique for building a new object from one or more existing objects that support
some or all of the new object's required interfaces. Synonym: composition. [18]
Algorithm - A finite set of well-defined rules that gives a sequence of operations for performing a specific task. [1]
Anomalous behavior - Behavior that is inconsistent with specified requirements. [1]
Applicant - A person or organization seeking approval from the certification authority. [1]
Approval - The act or instance of expressing a favorable opinion or giving formal or official sanction. [1]
Argument - A binding for a parameter that resolves to a run-time instance. Synonym: actual parameter. Contrast:
parameter. [16]
Aspect-oriented programming - An approach used to encapsulate policies and strategies that cross-cut the core
functionality of a system. Such system- or subsystem-wide policies are referred to aspects. They include policies for
error handling, synchronization, resource allocation, fault-tolerance, performance, software monitoring, distributed
data access, and other potentially safety related issues. Aspect-oriented programming is generally viewed as
complementary to object-oriented development. [2]
Assertion - A Boolean expression whose value should always evaluate to true at a given point in a program's
execution. For example, a pre-condition, whose value should evaluate to true whenever a given operation is called; a
post-condition, whose value should evaluate to true upon the normal (non-exceptional) return from a given
operation; or a class invariant, whose value should evaluate to true after the execution of a class constructor and
before/after the execution of every externally visible operation on the class.
Association - The semantic relationship between two or more classifiers that specifies connections among their
instances. Such connections may be represented as pointers or access types that reference other objects. They may
also be computed rather than stored. [2], [16]
Assurance - The planned and systematic actions necessary to provide adequate confidence and evidence that a
product or process satisfies given requirements. [1]
1
The glossary definitions from RTCA/DO-178B are used with permission of RTCA.
1-11
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Attribute - A feature within a class that describes a range of values those instances of the class may hold. Attributes
are stored values or fields in Ada 95, C++, and Java. They may represent either data values or references to other
objects (association ends). [2], [16]
Audit - An independent examination of the software life cycle processes and their outputs to confirm required
attributes. [1]
Baseline - The approved, recorded configuration of one or more configuration items, that thereafter serves as the
basis for further development, and that is changed only through change control procedures. [1]
Certification - Legal recognition by the certification authority that a product, service, organization, or person
complies with the requirements. Such certification comprises the activity of technically checking the product,
service, organization, or person and the formal recognition of compliance with the applicable requirements by issue
of a certificate, license, approval, or other documents as required by national laws and procedures. In particular,
certification of a product involves: (a) the process of assessing the design of a product to ensure that it complies with
a set of standards applicable to that type of product so as to demonstrate an acceptable level of safety; (b) the process
of assessing an individual product to ensure that it conforms with the certified type design; (c) the issuance of a
certificate required by national laws to declare that compliance or conformity has been found with standards in
accordance with items (a) or (b) above. [1]
Certification authority - The organization or person responsible within the state or country concerned with the
certification of compliance with the requirements.
Note: A matter concerned with aircraft, engine, or propeller type certification or with equipment approval would
usually be addressed by the certification authority; matters concerned with continuing airworthiness might be
addressed by what would be referred to as the airworthiness authority. [1]
Certification credit - Acceptance by the certification authority that a process, product, or demonstration satisfies a
certification requirement. [1] See: credit.
Change control - (1) The process of recording, evaluating, approving, or disapproving and coordinating changes to
configuration items after formal establishment of their configuration identification or to baselines after their
establishment. (2) The systematic evaluation, coordination, approval, or disapproval and implementation of
approved changes in the configuration of a configuration item after formal establishment of its configuration
identification or to baselines after their establishment.
Note: This term may be called configuration control in other industry standards. [1]
Checked type conversion - Types are checked if conversion from one type to the other includes a determination
either by the compiler or at run-time as to whether they are normally convertible.
Child - In a generalization relationship, the specialization of another element, the parent. See: subclass, subtype.
Contrast: parent, superclass, supertype. Child classes inherit from their parent classes. Similarly, subclasses inherit
from their superclasses. [2], [16]
Class - Informally, any classifier. Formally, a description of a set of objects that share the same attributes,
operations, methods, relationships, and semantics. A class may use a set of interfaces to specify collections of
operations it provides to its environment. [2], [16]
Class hierarchy - A collection of classes connected by generalization relationships. The root of the hierarchy
represents the most general of these classes. The leaves represent the most specific of these classes. Synonym:
inheritance hierarchy.
Classifier - The Unified Modeling Language (UML) defines the term classifier to include interfaces, classes,
datatypes, and components. In the Aerospace Vehicle Systems Institute (AVSI) guide (and elsewhere), the term
“class” is often used informally as a synonym for classifier. Formally, however, classes describe only objects, which Mis en forme
have an identity and state, and not datatypes, interfaces, or components. [2], [16]
Client class - A class that can reference the attributes of another class.
1-12
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Client operation - An operation accessible to classes other than the defining class and its subclasses.
Code - The implementation of particular data or a particular computer program in a symbolic form, such as source
code, object code, or machine code. [1]
Code-sharing - The sharing of code by more than one class or component (e.g., by means of implementation
inheritance or delegation). See: implementation inheritance, delegation.
Note: There are many ways to support the sharing of code. The risk is that inheritance can be misused to support
only the sharing of code and data structure, without attempting to follow behavioral subtyping rules.
Commercial off-the-shelf (COTS) software - Commercially available applications sold by vendors through public
catalog listings. COTS software is not intended to be customized or enhanced. Contract-negotiated software
developed for a specific application is not COTS software. [1]
Compiler - Program that translates source code statements of a high level language, such as FORTRAN or Pascal,
into object code. [1]
Component - (1) A self-contained part, combination of parts, sub-assemblies or units, which performs a distinct
function of a system. (2) A physical, replaceable part of a system that packages implementation and provides the
realization of a set of interfaces. [1], [16]
Composition - See: aggregation.
Concrete class - A class that can be directly instantiated. A concrete class has no abstract operations. Contrast:
abstract class. [2], [16]
Concrete operation - An operation that has an associated method in the context of a given class. Contrast: abstract
operation. [2]
Concurrency - (1) Process of carrying out several events simultaneously. (2) A technique used in an operating
system for sharing a single processor between several independent jobs. [18]
Condition - A Boolean expression containing no Boolean operators. [1]
Condition/Decision Coverage - Every point of entry and exit in the program has been invoked at least once, every
condition in a decision in the program has taken on all possible outcomes at least once, and every decision in the
program has taken on all possible outcomes at least once. [1]
Configuration identification - (1) The process of designating the configuration items in a system and recording their
characteristics. (2) The approved documentation that defines a configuration item. [1]
Configuration item - (1) One or more hardware or software components treated as a unit for configuration
management purposes. (2) Software life cycle data treated as a unit for configuration management purposes. [1]
Configuration management - (1) The process of identifying and defining the configuration items of a system,
controlling the release and change of these items throughout the software life cycle, recording and reporting the
status of configuration items and change requests and verifying the completeness and correctness of configuration
items. (2) A discipline applying technical and administrative direction and surveillance to: (a) identify and record the
functional and physical characteristics of a configuration item, (b) control changes to those characteristics, and (c)
record and report change control processing and implementation status. [1]
Configuration status accounting - The recording and reporting of the information necessary to manage a
configuration effectively, including a listing of the approved configuration identification, the status of proposed
changes to the configuration and the implementation status of approved changes. [1]
Constraint - A semantic condition or restriction. Constraints include pre-conditions, post-conditions, and invariants.
They may apply to a single class of objects, to relationships between classes of objects, to states, or to use cases.
[16]
Constructor - An operation that creates an object and/or initializes its state. Formally, the constructor is responsible
for establishing any class invariant.
1-13
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Control coupling - The manner or degree by which one software component influences the execution of another
software component. [1]
Control coupling analysis - Evaluation of the execution relationships and dependencies between software
components and in component logic to ensure application execution is correctly designed and implemented.
Control flow analysis - (1) Analysis typically used in the identification and confirmation of control coupling. DO-
178B does not explicitly define this term or the related term control flow. However, it references both (on pages 21,
28, 52, 61, and 57). [1] (2) Analysis whose objectives are: to ensure the code is executed in the right sequence, to
ensure the code is well structured, to locate any syntactically unreachable code, and to highlight parts of the code
where termination needs to be considered (i.e., loops and recursion). Call tree analysis is cited as an example of one
of many control flow analysis techniques, and is offered as a means of confirming that design rules for the
partitioning of critical and non-critical code have been followed. [5]
Control program - A computer program designed to schedule and to supervise the execution of programs in a
computer system; e.g., operating system, executive, run-time system. [1]
Conversion - See: type conversion.
CORBA - An industry wide standard for communication between distributed objects, independent of their location
and target language. The CORBA standard is defined by the Object Management Group (OMG). CORBA itself is
an acronym for Common Object Request Broker Architecture. [2]
Coupling - A relationship between components or elements.
Coverage analysis - The process of determining the degree to which a proposed software verification process
activity satisfies its objective. [1]
Credit - The compliance to one or more RTCA/DO-178B objectives supported by RTCA/DO-178B software life
cycle data. This compliance is used to show that the certification basis has been met and the equipment may receive
a certificate. Three types of credit are referred to throughout AC 20-148 [3]:
1. Full credit: fully meets the RTCA/DO-178B objective and requires no further activity by the user.
2. Partial credit: partially meets the RTCA/DO-178B objective and requires additional activity by the user to
complete compliance.
3. No credit: does not meet the RTCA/DO-178B objective and must be completed by the user for
compliance. [3]
Data abstraction - An abstraction denotes the essential characteristics of an object that distinguish it from all other
kinds of objects, suppressing all non-essential details. In data abstraction the non-essential details deal with the
underling data representation. [8] [16]
Database - A set of data, part or the whole of another set of data, consisting of at least one file that is sufficient for a
given purpose or for a given data processing system. [1]
Data coupling - The dependence of a software component on data not exclusively under the control of that software
component. [1]
Data coupling analysis - An evaluation of the data flow relationships and dependencies between software
components to ensure they are correctly designed and implemented.
Data dictionary - The detailed description of data, parameters, variables, and constants used by the system. [1]
Data flow analysis - (1) Analysis typically used in the identification and confirmation of data coupling. DO-178B
does not explicitly define this term or the related term data flow. However, it references both (on pages 21, 28, 52,
61, and 57). [1] (2) Analysis whose objective is to show that there is no execution path in the software that would
access a variable that does not have a set value. Data flow analysis uses the results of control flow analysis in
conjunction with the read or write access to variables to perform the analysis. Data flow analysis can also detect
other code anomalies such as multiple writes without intervening reads. [5]
1-14
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Data type, Datatype - (1) A class of data characterized by the members of the class and the operations that can be
applied to them. Examples are character types and enumeration types. (2) A descriptor of a set of values that lack
identity and whose operations do not have side effects. Datatypes include primitive pre-defined types and user-
definable types. Pre-defined types include numbers, string and time. User-definable types include enumerations.
Note: Instances of datatypes, unlike objects, do not have identity or state, but are immutable. As a result,
operations on datatypes do not change the state of values they act upon, but compute new values based on existing
ones. Some languages use the term immutable in combination with terms class and object to denote a datatype and
its values. [1], [2] See: immutable.
Deactivated code - Executable object code (or data) which by design is either (a) not intended to be executed (code)
or used (data), for example, a part of a previously developed software component, or (b) is only executed (code) or
used (data) in certain configurations of the target computer environment, for example, code that is enabled by a
hardware pin selection or software programmed options. [1]
Dead code - Executable object code (or data) which, as a result of a design error cannot be executed (code) or used
(data) in a operational configuration of the target computer environment and is not traceable to a system or software
requirement. An exception is embedded identifiers. [1]
Decision - A Boolean expression composed of conditions and zero or more Boolean operators. A decision without a
Boolean operator is a condition. If a condition appears more than once in a decision, each occurrence is a distinct
condition. [1]
Decision Coverage - Every point of entry and exit in the program has been invoked at least once and every decision
in the program has taken on all possible outcomes at least once. [1]
Declared type - The type associated with a name (such as a variable, constant or parameter) at its point of
declaration. The run-time type of any associated object must be a subtype of its declared type. [2]
Delegation - The implementation of an operation by means of a call to an equivalent operation on a component
object (the delegate). Delegation can be used as an alternative to implementation inheritance. Contrast: inheritance.
[2]
Derived requirements - Additional requirements resulting from the software development processes, which may not
be directly traceable to higher level requirements. [1]
Derived type - A type derived for specialization from another type. The derived type is a specialization from the
conceptual point of view and may be an expansion from the structural point of view. [4]
Design pattern - A documented solution to a commonly encountered design problem. In general, a design pattern
presents a problem, followed by a description of its solution in a given context and programming language. [2]
Designee - An industry representative that has been authorized by the FAA to make findings of compliance on
behalf of the FAA.
Destructor - An operation that frees the state of an object and/or destroys the object itself. [8]
Dynamic binding - See: dynamic dispatch.
Dynamic classification - A semantic variation of generalization in which an object may change its classifier.
Contrast: static classification. Using dynamic classification, the class of an object may change during its lifetime.
Using static classification, it may not. [2], [16]
Dynamic dispatch - The association of a method with a call based on the run-time type of the target object. Dynamic
dispatch is not related to dynamic linking or dynamic link libraries. Synonym: dynamic binding. [2]
Dynamic loading (of classes) - The loading of classes dynamically (at run-time) when they are first referenced by an
application. The desktop Java environment, for example, provides a class loader capable of finding and loading a
named class appearing in any of a prescribed list of locations, which may be either local or remote. In real-time
systems, class loading is generally not supported or permitted.
1-15
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Emulator - A device, computer program, or system that accepts the same inputs and produces the same output as a
given system using the same object code. [1]
Equivalence class - The partition of the input domain of a program such that a test of a representative value of the
class is equivalent to a test of other values of the class. [1]
Error - With respect to software, a mistake in requirements, design or code. [1]
Executable Object Code - Consists of a form of Source/Object Code that is directly usable by the central processing
unit of the target computer and is, therefore, the software that is loaded into the hardware or system. [1]
Explicit type conversion - Conversion of a value from its type to a designated type by use of a conversion routine.
Failure - The inability of a system or system component to perform a required function within specified limits. A
failure may be produced when a fault is encountered. [1]
Failure condition - The effect on the aircraft and its occupants both direct and consequential, caused or contributed
to by one or more failures, considering relevant adverse operational and environmental conditions. A failure
condition is classified according to the severity of its effect as defined in FAA AC 25.1309-1A or JAA AMJ
25.1309. [1]
Fault - A manifestation of an error in software. A fault, if it occurs, may cause a failure. [1]
Fault tolerance - The built-in capability of a system to provide continued correct execution in the presence of a
limited number of hardware or software faults. [1]
Feature - An attribute, operation, or method. This includes attributes that reference other objects (i.e., association
ends). Features correspond to methods and fields in Java, methods and member functions in C++, and subprograms
and record fields in Ada 95.
Flattened class - The flattened form of a class is a self contained module representing the composition of its
elements with those inherited by it, taking into account the rules for inheritance associated with the language.
Inherited elements appear in the flattened class if: 1) they are defined by a superclass and never overridden, or 2)
they are defined by a superclass and referenced by some other element that is not overridden. Some languages (e.g.,
Eiffel) allow you to print the flattened form of a class interface. This is useful to clients because it specifies the full
client interface, eliminating the need to refer to superclass definitions. [12]
Flow analysis - A term encompassing both control flow analysis and data flow analysis. [2]
Formal analysis - A type of analysis with a range of acceptable approaches, some of which are only minimally
formal (assertions are specified in a reasonably precise manner), others of which are highly formal (involve use of
formal specification languages and supporting tools). The former would involve writing assertions in some agreed
upon, reasonably precise form, and some simple inspections (involving checking of signatures and pre-/post-
conditions) where the basis for the checks is formal, but no training in formal methods is required and no formal
methods tools need be used. The latter would involve formal methods to provide an automated approach with more
precise, more completely specified assertions that serve as the basis for model checking and other forms of analysis.
Formal methods - Descriptive notations and analytical methods used to construct, develop, and reason about
mathematical models of system behavior. [1]
Framework - A framework is a partially completed software application, which has a set of related classes that can
be specialized and/or instantiated to implement the application. Since the UML is a formally defined language, some
of the existing visual modeling tools use existing frameworks to help the coder/developer generate complete
applications from UML models.
Generalization - A taxonomic relationship between a more general element and a more specific element. The more
specific element is fully consistent with the more general element and contains additional information. An instance
of the more specific element may be used where the more general element is allowed. See: inheritance. [16]
Generic - In an Ada program, a generic is a unit that allows the same logical function on more than one type of data.
1-16
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Hard real-time system - A real-time system in which lateness is not accepted under any circumstance. [6]
Hardware/software integration - The process of combining the software into the target computer. [1]
High-level requirements - Software requirements developed from analysis of system requirements, safety-related
requirements, and system architecture. [1]
Host computer - The computer on which the software is developed. [1]
Immutable - Incapable of being changed. Immutable objects represent values whose state cannot be changed (e.g.,
the string literal “ABC” or the integer literal “4”). Immutable values, however, may be combined to produce new
values. The string “ABC”, for example, may be concatenated with the string “DEF” to produce a new immutable
string value “ABCDEF”. See: data type, datatype.
Implementation - A definition of how something is constructed or computed. For example, a class is an
implementation of a type, a method is an implementation of an operation. [16]
Implementation inheritance - The inheritance of the implementation of a more specific element. Includes inheritance
of the interface. Contrast: interface inheritance. Unlike interface inheritance, the inherited elements are more than
specifications. They contribute to the executable object code. [2], [16]
Implicit type conversion - A type conversion generated by the compiler as the result of an association between
variables of different types, resulting in a value being converted to an expected type based on context.
Independence - Separation of responsibilities which ensures the accomplishment of objective evaluation. (1) For
software verification process activities, independence is achieved when the verification activity is performed by a
person(s) other than the developer of the item being verified, and a tool(s) may be used to achieve an equivalence to
the human verification activity. (2) For the software quality assurance process, independence also includes the
authority to ensure corrective action. [1]
Inheritance - A mechanism by which more specific elements incorporate (inherit) the structure and behavior of more
general elements. Inheritance can be used to support generalization, or misused to support only code sharing,
without attempting to follow behavioral subtyping rules. See: generalization, Liskov substitution principle. [16]
Inheritance hierarchy - See: class hierarchy.
Inherited element - An element of a class inherited by its subclasses. In UML, inherited elements include operations,
methods, associations, and constraints involving classes.
Inline - A command used in Java, Ada, and C++ to hint to the compiler that expansion of a method body within the
code of a calling method is to be preferred to the usual call implementation. For all of these languages, the compiler
can follow or ignore the recommendation to inline. [2]
Instance - An entity to which a set of operations can be applied and which has a state that stores the effects of the
operations. See: object. [2]
Integral process - A process which assists the software development processes and other integral processes and,
therefore, remains active throughout the software life cycle. The integral processes are the software verification
process, the software quality assurance process, the software configuration management process, and the
certification liaison process. [1]
Integrator - The manufacturer responsible for integrating a software component (e.g., a reusable software
component) into the target computer and system with other software components. [3]
Interface – For object-oriented technology, an interface is a definition of the features accessible to clients of a class.
Interfaces are distinct from classes, which may also contain methods, associations and modifiable attributes.
Note: The UML definition of interface differs slightly from that defined by Java in that Java interfaces may
contain constant fields, while UML interfaces may contain only operations. [2]
Interface description data - Data that identifies the interface details of the reusable software component. It is
provided by the reusable software component developer to the integrator and applicant. \ The interface description
1-17
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
data should explicitly define what activities are required by the integrator and/or applicant to ensure that the reusable
software component will function in accordance with its approval basis. [3]
Interface inheritance - The inheritance of the interface of a more specific element. Does not include inheritance of
the implementation. Contrast: implementation inheritance. Unlike implementation inheritance, the inherited
elements are only specifications. They are not contained in the executable object code. [2], [16]
Interrupt - A suspension of a task, such as the execution of a computer program, caused by an event external to that
task, and performed in such a way that the task can be resumed. [1]
Invariant - A condition associated with a class that is established when a new instance of the class is created and
must be maintained by all its publicly accessible operations. As a result, the invariant is effectively a part of the pre-
condition and the post-condition of every such operation. It may be violated in the intermediate states that represent
the execution of a given method so long as the operations of the object are properly synchronized and such
violations are not externally observable. [2]
Liskov substitution principle (LSP) - A set of subtyping rules that ensure that instances of a subclass are
substitutable for instances of all parent classes in every context in which they may appear. These rules go beyond the
simple checking of signatures, taking into account the behavior of operations (as defined by their pre and post
conditions) and the invariants defined by classes. Even if classes are not defined formally, the principle can be
upheld by requiring the inheritance of test cases. [2] See: inheritance.
Logically unrelated types - Types are logically unrelated when one does not define a set of operations that is a subset
of the other.
Low-level requirements - Software requirements derived from high-level requirements, derived requirements, and
design constraints from which source code can be directly implemented without further information. [1]
Macro-expansion - Full expansion of the code generated by the compiler for each instantiation of a template.
Maintenance code - Code residing in a airborne computer-based system that interfaces with an onboard maintenance
computer or computer used by maintenance personnel. The function of this code is usually to report to the
maintenance computer any problems detected during normal operations. [3]
Means of compliance - The intended method(s) to be used by the applicant to satisfy the requirements stated in the
certification basis for an aircraft or engine. Examples include statements, drawings, analyses, calculations, testing,
simulation, inspection, and environmental qualification. Advisory material issued by the certification authority is
used if appropriate. [1]
Media - Devices or material which act as a means of transferal or storage of software, for example, programmable
read-only memory, magnetic tapes or discs, and paper. [1]
Member Function - A method in C++. [17]
Memory device - An article of hardware capable of storing machine-readable computer programs and associated
data. It may be an integrated circuit chip, a circuit card containing integrated circuit chips, a core memory, a disk, or
a magnetic tape. [1]
Memory usage analysis - See: other memory usage analysis and stack usage analysis.
Message - In object-oriented programming, the invocation of an operation is referred to as a message, i.e., a
message that identifies the operation being called and provides argument values for associated parameters.
Method - The implementation of an operation. A method specifies the algorithm or procedure associated with an
operation. A method corresponds to a subprogram with a body in Ada 95, to a member function with a body in C++,
and to a concrete method in Java. See: operation. [2], [16] Contrast: multimethod.
Modified Condition/Decision Coverage - Every point of entry and exit in the program has been invoked at least
once, every condition in a decision in the program has taken all possible outcomes at least once, every decision in
the program has taken all possible outcomes at least once, and each condition in a decision has been shown to
1-18
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
independently affect that decision's outcome. A condition is shown to independently affect a decision's outcome by
varying just that condition while holding fixed all other possible conditions. [1]
Monitoring - (1) [Safety] Functionality within a system which is designed to detect anomalous behavior of that
system. (2) [Quality Assurance] The act of witnessing or inspecting selected instances of test, inspection, or other
activity, or records of those activities, to assure that the activity is under control and that the reported results are
representative of the expected results. Monitoring is usually associated with activities done over an extended period
of time where 100% witnessing is considered impractical or unnecessary. Monitoring permits authentication that the
claimed activity was performed as planned. [1]
Multimethod - A method invoked using multiple dispatch. Multimethods differ from ordinary methods in that the
run-time classes of all parameters (rather than only the target object) are considered when selecting the method to be
executed at the point of call. See: method.
Multiple dispatch - Dynamic dispatch based on the run-time types of all the arguments to a call, rather than only the
run-time type of the target object. Contrast: single dispatch. [2]
Multiple inheritance - A semantic variation of generalization in which a type (a class) may have more than one
supertype (superclass). Contrast: single inheritance. [16]
Multiple-version dissimilar software - A set of two or more programs developed separately to satisfy the same
functional requirements. Errors specific to one of the versions are detected by comparison of the multiple outputs.
[1]
Non-virtual - A C++ keyword that specifies that a given member function may be overridden in subclasses and calls
to it are resolved at compile time (static binding).
Object - An entity with a well-defined boundary and identity that encapsulates state and behavior. State is
represented by attributes and relationships; behavior is represented by operations, methods, and state machines. An
object is an instance of a class. See: class, instance. [16]
Object Code - A low-level representation of the computer program not usually in a form directly usable by the target
computer but in a form which includes relocation information in addition to the processor instruction information.
[1]
Object Management Group (OMG) - A standards body for the object-oriented development community. The
membership includes all major object-oriented tool vendors, many companies offering OO training and consulting
services, many companies offering COTS software, and many end users of OO technology, including several of the
members of AVSI. The OMG defines interface standards for distributed object communication (e.g., CORBA) and
for OO modeling tools (e.g., UML). [2]
Object-oriented (OO) - (1) the use of classes to support encapsulation, (2) the use of inheritance of interfaces to
support subtyping, (3) the use of inheritance of implementation (state and code) to support subclassing, and (4) the
use of dynamic dispatch (virtual method invocation) to support polymorphism and the inheritance of code. [2]
Operation - A service that can be requested of an object. An operation has a signature, which may restrict the actual
parameters that are possible. An operation corresponds to a subprogram declaration in Ada 95, to a function member
declaration in C++, and to an abstract method declaration in Java. It does not define an associated implementation.
See method. [2], [16]
Other memory usage analysis - Analysis related to the sharing of resources between different software ‘partitions’.
These forms of analysis include, but are not limited to, memory (heap), input/output (I/O) ports, and special purpose
hardware, which perform specific computations or watchdog timer functions. [5]
Overloading - Use of the same name for different operators or behavioral features (operations or methods) visible
within the same scope.
Overriding - The redefinition of an operation or method in a subclass. [2]
1-19
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Parameter - The specification of a variable that can be changed, passed, or returned. A parameter may include a
name, type, and direction. Parameters are used for operations, messages, and events. [16] See: argument.
Parent - In an inheritance relationship, the generalization of another element, producing the child. See: superclass,
supertype. Contrast: child, subclass, subtype. Child classes inherit from their parent classes. Similarly, subclasses
inherit from their superclasses. [2], [16]
Part number - A set of numbers, letters or other characters used to identify a configuration item. [1]
Partitioning - See: software partitioning.
Patch - A modification to an object program, in which one or more of the planned steps of re-compiling, re-
assembling or re-linking is bypassed. This does not include identifiers embedded in the software product, for
example, part numbers and checksums. [1]
Pattern - A documented solution to a commonly encountered analysis or design problem. Each pattern documents a
single solution to the problem in a given context. [2] See: process pattern.
Polymorphism - A concept in type theory, according to which a name (such as a variable) may denote objects of
many different classes that are related by some common superclass; thus, any object denoted by this name is able to
respond to some common set of operations in different ways. [8]
Post-condition - A constraint that must be true at the completion of an operation. [16]
Pre-condition - A constraint that must be true when an operation is invoked. [16]
Process - A collection of activities performed in the software life cycle to produce a definable output or product. [1]
Process pattern - A documented solution to a problem with the software development process. A process pattern
presents the problem, followed by a description of its solution in a given context. [2] See: pattern.
Product service history - A contiguous period of time during which the software is operated within a known
environment, and during which successive failures are recorded. [1]
Proof of correctness - A logically sound argument that a program satisfies its requirements. [1]
Range checking - The verification that data values lie within specified ranges and maintain a specified accuracy.
Range checking includes, but is not limited to, overflow and underflow analysis, the detection of rounding errors,
range checking, and the checking of array bounds. [5]
Real-time system - A system that responds in a (timely) predictable way to unpredictable external stimuli arrivals. A
real-time system has to fulfill under extreme load conditions including:
• timeliness: meet deadlines, it is required that the application has to finish certain tasks within the time
boundaries it has to respect;
• simultaneity or simultaneous processing: more than one event may happen simultaneously, all deadlines
should be met;
• predictability: the real-time system has to react to all possible events in a predictable way; and
• dependability or trustworthiness: it is necessary that the real-time system environment can rely on it. [6]
Relationship - A semantic connection among model elements. Examples of relationships include associations and
generalizations. [16]
Release - The act of formally making available and authorizing the use of a retrievable configuration item. [1]
Repeated inheritance - The inheritance of an element via more than one path through the inheritance hierarchy.
Requirements-based testing - (1) Testing performed using test cases and procedures developed to confirm that the
software performs its intended function as specified by its requirements. Requirements-based testing includes both
normal range test cases, and robustness (abnormal range) test cases. The test cases are to be developed from the
software requirements and the errors sources inherent in the software development process. [1] (2) Testing
1-20
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
performed with the objective of showing that the actual behavior of the program is in accordance with its
requirements. Two common methods are cited for conducting requirements-based testing: equivalence class testing,
and boundary value testing. [5] The use of the term in this Handbook is intended to encompass both definitions.
Requirements, Design, and Code Standards (R-D-C Standards) - Guidelines used to control, develop, and review
software requirements, design, and code. [1]
Reusable software component (RSC) - The software, its supporting RTCA/DO-178B software life cycle data, and
additional supporting documentation being considered for reuse. The component designated for reuse may be any
collection of software, such as, libraries, operating systems, or specific system software functions. [3]
Reverse engineering - The method of extracting software design information from the source code. [1]
Robustness - The extent to which software can continue to operate correctly despite invalid inputs. [1]
Run-time type/class - The type/class associated with an object at run-time (e.g., when the object is first created). In
Ada 95, this is the tag associated with objects of a tagged type. [2]
Scalar types - A type that defines a variable containing a single value at run-time. A scalar type is either a discrete
type or a real type. The values of a scalar type are ordered.
Signature - The name and parameter types of an operation or method. A signature may include an optional returned
parameter type (depending upon the target language). [16]
Simple dispatch - A restricted form of single dispatch, in which (a) all calls other than method extensions are
dispatching, and (b) dispatch is semantically equivalent to invocation of a dispatch routine containing a case
statement. [2]
Simulator - A device, computer program, or system used during software verification, that accepts the same inputs
and produces the same output as a given system, using object code which is derived from the original object code.
[1]
Single dispatch - Dynamic dispatch based on only the run-time type of the target object. Most OO languages,
including Java, Ada 95 and C++ are single dispatching. Contrast: multiple dispatch. [16]
Single inheritance - A semantic variation of generalization in which a type (a class) may have only one supertype
(superclass). Contrast: multiple inheritance. [16]
Software - Computer programs and, possibly, associated documentation and data pertaining to the operation of a
computer system. [1]
Software architecture - The structure of the software selected to implement the software requirements. [1]
Software change - A modification in source code, object code, executable object code, or its related documentation
from its baseline. [1]
Software integration - The process of combining code components. [1]
Software level - One of the software levels defined by DO-178B, section 2.2.2. Software level is based upon the
contribution of software to potential failure conditions as determined by the safety assessment process. [1]
Software library - A controlled repository containing a collection of software and related data and documents
designed to aid in software development, use or modification. Examples include software development library,
master library, production library, program library and software repository. [1]
Software life cycle - (1) An ordered collection of processes determined by an organization to be sufficient and
adequate to produce a software product. (2) The period of time that begins with the decision to produce or modify a
software product and ends when the product is retired from service. [1]
Software partitioning - The process of separating, usually with the express purpose of isolating one or more
attributes of the software, to prevent specific interactions and cross-coupling interference. [1]
1-21
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Software product - The set of computer programs, and associated documentation and data, designated for delivery to
a user. In the context of DO-178B, this term refers to software intended for use in airborne applications and the
associated software life cycle data. [1]
Software requirement - A description of what is to be produced by the software given the inputs and constraints.
Software requirements include both high-level requirements and low-level requirements. [1]
Software tool - A computer program used to help develop, test, analyze, produce or modify another program or its
documentation. Examples are an automated design tool, a compiler, test tools and modification tools. [1]
Source code - Code written in source languages, such as assembly language and/or high level language, in a
machine-readable form for input to an assembler or a compiler. [1]
Stack usage analysis - A form of shared resource analysis that establishes the maximum possible size of the stack
required by the system and whether there is sufficient physical memory to support this stack size. Some compilers
use multiple stacks, and this form of analysis is required for each stack. Potential stack-heap allocation collisions,
when these forms of storage compete for the same space, are also included. [5]
Standard - A rule or basis of comparison used to provide both guidance in and assessment of the performance of a
given activity or the content of a specified data item. [1]
State - A condition or situation during the life of an object during which it satisfies some condition, performs some
activity, or waits for some event. [16]
Statement coverage - Every statement in the program has been invoked at least once. [1]
Static analyzer - A software tool that helps reveal certain properties of a program without executing the program. [1]
Static binding - With regard to calls to operations, the ability to associate a particular method (implementation of an
operation) with a particular call to that operation at compile time.
Static classification - A semantic variation of generalization in which an object may not change [its] classifier.
Contrast: dynamic classification. Using dynamic classification, the class of an object may change during its life
time. Using static classification, it may not. [2], [16]
Strongly typed - A characteristic of a programming language, according to which all expressions are guaranteed to
be type consistent. [8]
Strongly typed language - A strongly typed language associates a type with each data element (variable or
expression), and ensures that only operations appropriate to that type are applied to the data element. Only
meaningful conversions between logically related types are permitted. A subset of a language may be considered
strongly typed, even if the full language is not.
Structural coverage - A software-program method of determining the adequacy of the extent of the verification
accomplished in the composition/decomposition of the software program.
Structural coverage analysis - An analysis that (1) determines which software structures and code structures were
not exercised by the requirements-based test procedures; and (2) provides traceability between the implementation
of the software requirements in the code structure and the verification of those requirements via test cases. [1]
Structure - A specified arrangement or interrelation of parts to form a whole. [1]
Subclass - In a generalization relationship, the specialization of another class; the superclass (parent). See:
generalization, child. Contrast: superclass, parent.
Note: “subclass” and “child” are used interchangeably in object-oriented development. [16]
Subinterface - A subclass/subtype that is an interface (defines no methods, associations, or modifiable attributes).
See: interface.
1-22
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Substitutability - With regard to subtyping, the ability to substitute an instance of a given subtype for an instance of
one of its supertypes in any context in which the supertype instance may appear (see also Liskov substitution
principle (LSP), which defines a set of typing rules intended to guarantee substitutability).
Substitution - With regard to subtyping, the replacement of an instance of a subtype with an instance of one of its
supertypes.
Subtype - In a generalization relationship, the specialization of another type; the supertype. See: generalization.
Contrast: supertype. [2], [16]
Superclass - In a generalization relationship, the generalization of another class; the subclass. See: generalization,
parent. Contrast: subclass, child.
Note: “superclass” and “parent” are used interchangeably in object-oriented development. [16]
Superinterface - A superclass/supertype that is an interface (defines no methods, associations, or modifiable
attributes). See: interface.
Supertype - In a generalization relationship, the generalization of another type; the subtype. See: generalization.
Contrast: subtype. [16]
System - A collection of hardware and software components organized to accomplish a specific function or set of
functions. [1]
System architecture - The structure of the hardware and software selected to implement the system requirements. [1]
System safety assessment - An ongoing, systematic, comprehensive evaluation of the proposed system to show that
relevant safety-related requirements are satisfied. [1]
System safety assessment process - Those activities which demonstrate compliance with airworthiness requirements
and associated guidance material, such as, JAA AMJ/FAA AC 25.1309. The major activities within this process
include: functional hazard assessment, preliminary system safety assessment, and system safety assessment. The
rigor of the activities will depend on the criticality, complexity, novelty, and relevant service experience of the
system concerned. [1]
Target computer - The physical processor that will execute the program while airborne. [3]
Target computer environment - The target computer and all its support hardware and systems needed to function in
its actual airborne environment. [3]
Target environment - See: target computer environment. [3]
Target object - The object that is the target of a method call [most often written targetObject.methodName
(argumentList);]. Dynamic dispatch typically involves selection of a method based on the declared types of the
arguments and the run-time type of the target object. [2]
Task - The basic unit of work from the standpoint of a control program. [1]
Template - A parameterized model element with unbound (formal) parameters that must be bound to actual (type)
parameters before it can be used. At a target language level, templates correspond to Ada generics and to C++
templates. [2]
Template class - A parameterized class. Template classes are implemented as generic packages in Ada, and to
template classes in C++. Java does not currently support parameterized class definitions. [2]
Template operation - A parameterized operation or method. Template operations are referred to as generic
subprograms in Ada, and as template member functions in C++. Java does not currently support parameterized class
definitions. [2]
Test case - A set of test inputs, execution conditions, and expected results developed for a particular objective, such
as to exercise a particular program path or to verify compliance with a specific requirement. [1]
1-23
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Testing - The process of exercising a system or system component to verify that it satisfies specified requirements
and to detect errors. [1]
Test procedure - Detailed instructions for the set-up and execution of a given set of test cases, and instructions for
the evaluation of results of executing the test cases. [1]
Timing analysis - A form of analysis to establish the temporal properties of the input/output dependencies. A
common and important aspect of this analysis is the worst-case execution time for the correct behavior of the overall
system. Certain languages offer features that make timing analysis difficult, e.g., loops without static upper bounds
and the manipulation of dynamic data structures. [5]
Tool qualification - The process necessary to obtain certification credit for a software tool within the context of a
specific airborne system. [1]
Traceability - The evidence of an association between items, such as between process outputs, between an output
and its originating process, or between a requirement and its implementation. [1]
Transition criteria - The minimum conditions, as defined by the software planning process, to be satisfied to enter a
process. [1]
Type - The concepts of type and class are in general distinguished, with a type representing an abstraction
implemented by one or more classes. In most of the classical object-oriented programming languages this
distinction is not performed. [4] In UML and languages such as Java, however, a distinction is made between
interface types (abstractions) and class types, which implement them.
Type conversion - The act of producing a representation of some value of a target type from a representation of
some value of a source type. Type conversion is used to resolve mismatched types in assignments, expressions, or
when passing parameters. Type conversions may be either implicit or explicit. With implicit type conversion the
compiler is given the responsibility for determining that a conversion is required and how to perform the conversion.
With explicit type conversion the programmer assumes the responsibility. Synonym: conversion.
Unchecked type conversion - Types are unchecked if conversion from one type to the other does not include a
determination either at compiler time or run-time as to whether they are normally convertible.
Unified Modeling Language (UML) - A language for specifying, visualizing, constructing, and documenting the
artifacts of software systems, as well as for business modeling. The UML represents a collection of best engineering
practices that have proven successful in the modeling of large and complex systems. [16]
Use case - The specification of a sequence of actions, including variants, that a system (or other entity) can perform,
interacting with actors of the system. [16]
Validation - The process of determining that the requirements are the correct requirements and that they are
complete. The system life cycle process may use software requirements and derived requirements in system
validation. [1]
Variables - Named memory locations that contain data that may change during software execution.
Verification - The evaluation of the results of a process to ensure correctness and consistency with respect to the
inputs and standards provided to that process. [1]
Virtual - For C++, “virtual” is a keyword that specifies a given method (member function) may be overridden in
subclasses, and that calls to it are dispatching.
Weakly typed - Strict enforcement of type rules but with well-defined exceptions or an explicit type-violation
mechanic, e.g., operations on a data element are not restricted to those defined for its logical type (Booleans can be
added to one another), or automatic conversions between logically unrelated types are permitted with no change in
data representation (integer values are converted to floating point values). Contrast: strongly typed.
Weakly typed language - A programming language or modeling language that is weakly typed. Contrast: strongly
typed language.
1-24
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Participant Affiliation
K. Achenbach Rolls-Royce Corporation
M. Almesåker Saab AB Sweden
J. Angermayer MITRE
J. Auld NovAtel Inc.
I. Baxter Semantic Designs
A. Bell The Boeing Company
D. Bernier Rockwell Collins
1-25
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
B. Bianchi Ametek
B. Bogdan Computer Science Corporation
M. Brennan Applied Microsystems
D. Brown Rolls-Royce plc
V. Brown Honeywell, Inc.
R. Butler NASA Langley Research Center
B. Calloni Lockheed Martin Aeronautics Company
R. Calloway NASA Langley Research Center
S. Chappell Computer Science Corporation
J. Chelini Verocel, Inc.
J. Chilenski Boeing Commercial Airplanes
M. Christie Universal Avionics Systems Corporation
J. Coleman Hamilton Sundstrand
O. Collins Raytheon - IATC
M. Consiglio ICASE
M. Cors Goodrich Avionics Systems
J. Daly TRW (Aeronautical Systems)
G. Daugherty Rockwell Collins, Inc.
R. Deal Honeywell
D. DeHoff Raytheon Technical Services Company
M. DeWalt Certification Services, Inc.
V. Dovydaitis Foliage Software Systems, Inc.
P. Dunn Northrop Grumman Commercial Nav Systems
G. Edmands The MITRE Corporation
E. Edora Solers, Inc.
C. Erwin FAA Wichita Aircraft Certification Office (ACE-115)
T. Ferrell FAA Consulting
U. Ferrell FAA Consulting
G. Finelli NASA Langley Research Center
S. Fischer LITEF GmbH, Germany
L. Framarini BAE Systems
D. Geis Goodrich Avionics Systems
G. Graessle Honeywell, Intl.
S. Grainger Marinvent Corporation
M. Gulick Solers, Inc.
T. Hammer Honeywell
K. Hayhurst NASA Langley Research Center
M. Haynes Marinvent Corporation
R. Hirt Raytheon Aircraft Company
1-26
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
1-27
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
Participant Affiliation
G. Adams Lockheed Martin Aero
J. Angermayer The MITRE Corp.
J. Auld NovAtel
F. Barber Avidyne Corporation
B. Bianchi Ametek
1-28
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
1-29
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
D. Hatfield FAA
R. Hawkins University of York
M. Hawthornthwaite Engenuity Technologies
K. Hayhurst NASA Langley Research Center
M. Haynes Marinvent Corporation
B. Hendrix Lockheed Martin Aeronautics Company
R. Hirt FAA
T. Hofmann Diehl Avionik Systeme GmbH
M. Holloway NASA Langley Research Center
S. Hutchesson Rolls-Royce plc
M. Jones NovAtel
R. Key FAA
J. Kilchert Diehl Avionik Systeme GmbH
J. Knickerbocker Sunrise Certification and Consulting
J. Knight University of Virginia
P. La Pietra Honeywell
T. Lambregts FAA
J. D. Lawrence DRPM AAA
J. Lewis FAA
B. Lingberg FAA
J. Liscouski BAE Systems
P. Maneely Honeywell
E. Mannisto Honeywell
S. Matthews Avidyne Corporation
D. Mayerhoefer Green Hills Software
M. Mehlich Semantic Designs, Inc.
B. Mierow Hamilton Sundstrand
G. Millican Honeywell
S. Morton Applied Dynamics International
S. Obeid Embedded Plus Engineering
J. Offutt George Mason University
R. Oracheff Paragon Transportation LLC
L. Peckham NASA Langley Research Center
M. Peuser Honeywell
S. Ray BAE Systems Controls
T. Reeve Patmos Engineering. Services
B. Reynolds Rockwell Collins
T. Rhoads Goodrich
W. Richter Gulfstream
1-30
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
L. Rierson FAA
B. Rivet Hamilton Sundstrand - UTC
D. Robinson FAA
C. Rosay JAA/CEAT
T. Roth Honeywell
W. Ryan FAA
L. Schad-Alford The Boeing Company
K. Schlatter Jeppesen
E. Schonberg Ada Core Technologies, Inc.
V. Shapiro AMTI
T. Smith Air Traffic Software Architecture
C. Spitzer AvioniCon
R. Stanley Air Traffic Software Architecture
E. Startzman The Boeing Company
J. Steidl Astronautics Corporation of America
E. Strunk University of Virginia
T. Swinehart Goodrich Avionics Systems, Inc.
B. Thedford Hanscom AFB
A. Theodore Unitech
L. Thompson Honeywell
M. Valentin AIRBUS France
J. Van Leeuwen Sikorsky Aircraft
D. Wallace FAA
P. Whiston High Integrity Solutions Ltd
M. Whitehurst The Boeing Company
A. Wils K.U. Leuven
M. Wittman Honeywell
D. Woodward BAE Systems
P. Wright The Boeing Company
1-31
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
1.7 References
1. RTCA, Inc., Software Considerations in Airborne Systems and Equipment Certification, RTCA/DO-178B,
December 1992, Washington, D.C.
2. Aerospace Vehicle Systems Institute. Guide to the Certification of Systems with Embedded Object-Oriented
Software, version 1.5.
3. FAA AC 20-148, Reusable Software Components, final (unsigned) version dated August 3, 2004.
4. Laplante, Phillip A (editor). Dictionary of Computer Science, CRC Press LLC, 2001.
5. Guidance for the Use of Ada in High Integrity Systems, ISO/IEC TR 15942:2000 see
http://isotc.iso.ch/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm.
8. Booch, Grady. Object-Oriented Analysis and Design. Addison-Wesley, 2nd edition, 1994.
10. Gomaa, Hassan. Software Design Methods for Concurrent and Real-time Systems. Addison-Wesley, 1993.
12. Meyer, Bertrand. Object-Oriented Software Construction. Prentice Hall, 2nd edition, 1997.
14. Pressman, Roger. Software Engineering: A Practitioner’s Approach. McGraw Hill, 4th edition, 1997.
16. Object Management Group. OMG Unified Modeling Language Specification, version 1.3, June 1999, available
from http://www.omg.org/technology/documents/vault.htm#modeling.
17. Liskov, Barbara and Jeanette Wing. “A Behavioral Notion of Subtyping,” ACM Transactions on Programming
Languages and Systems, 16(6): 1811-1841, November 1994.
1-32
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 1
U.S. Department
of Transportation
Federal Aviation
Administration
Feedback Information
Please submit any written comments or recommendations for improving this Handbook. You may also
suggest new items or subjects to be added. And, if you find an error, please tell us about it. Send to:
FAA, AIR-120, Room 815, 800 Independence Ave., S.W., Washington, DC 20591.
Recommend Volume __, section ______, paragraph _______ on page _______ be changed as follows:
(attach separate sheet if necessary)
In a future change to this Handbook, please include coverage on the following subject:
(briefly describe what you want added):
Other comments:
1-33
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
DRAFT
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it
intended to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a
standalone product but, rather, as input when considering issues in a project-specific context.
2-ii
Volume 2
Contents
2.1 INTRODUCTION ........................................................................................................................................ 2-1
2.1.1 Background........................................................................................................................................ 2-2
2.1.2 Purpose and Organization of Volume 2............................................................................................. 2-2
2.2 CONSIDERATIONS BEFORE MAKING THE DECISION TO USE OOT ........................................................... 2-3
2.2.1 Reality of the Benefits ........................................................................................................................ 2-4
2.2.2 Project Characteristics ...................................................................................................................... 2-4
2.2.3 OOT Specific Resources .................................................................................................................... 2-5
2.2.4 Regulatory Guidance ......................................................................................................................... 2-5
2.2.5 Technical Challenges......................................................................................................................... 2-6
2.3 CONSIDERATIONS AFTER MAKING THE DECISION TO USE OOT ............................................................. 2-8
2.3.1 Considerations for the Planning Process .......................................................................................... 2-8
2.3.2 Considerations for Development Processes -- Requirements, Design, Code, and Integration........ 2-10
2.3.3 Considerations for Integral Processes............................................................................................. 2-14
2.3.4 Additional Considerations ............................................................................................................... 2-19
2.4 OPEN ISSUES (SUMMARY OF WORKSHOP #2 BRAINSTORMING SESSION) .............................................. 2-21
2.5 SUMMARY ............................................................................................................................................. 2-22
2.5.1 Summary of Decision-Making Process for Using OOT ................................................................... 2-22
2.5.2 Summary of Key Areas of Concern for OOT When Meeting DO-178B........................................... 2-22
2.6 REFERENCES ......................................................................................................................................... 2-24
APPENDIX A RESULTS OF THE BEYOND THE HANDBOOK SESSION............................................. 2-27
Figures
Figure 2.2-1 Original Classification Scheme for the “Beyond the Handbook” Questions ....................................... 2-3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context. 2-iii
Volume 2
2.1 Introduction
The introduction of object-oriented techniques and tools to aviation software development presents challenges to
understanding their effect on safety and certification. As discussed in Volume 1, there is an increasing desire among
aviation software developers to use object-oriented technology (OOT), including object-oriented modeling, analysis,
design, programming, and verification/test in the development of aviation applications. These desires are fueled, at
least in part, by claims of increased efficiency in the development of complex systems through using reusable
components. Object-oriented (OO) design, with the ability to encapsulate design decisions, is considered by some to
be “the most important low-level design technology in modern software engineering” [18].
In response to the aviation industry’s desire to use OOT, the Federal Aviation Administration (FAA) enlisted the
National Aeronautics and Space Administration’s (NASA) support for the Object-Oriented Technology in Aviation
(OOTiA) project. This project sponsored research and conducting workshops designed to identify concerns about
OOT relevant to safety and certification and to develop recommendations for demonstrating compliance to DO-
178B and ensuring safe use in airborne systems.
The OOTiA project was initially based on work by the Aerospace Vehicle Systems Institute (AVSI). AVSI is an
aerospace research consortium whose goals are to reduce the costs and maintain the safety of complex subsystems in
aircraft. As part of this consortium, Boeing, Honeywell, Goodrich, and Rockwell Collins collaborated on an AVSI
project titled Certification Issues for Embedded Object-Oriented Software, the goal of which was to mitigate the risk
that individual projects face when certifying airborne systems with OO software. The AVSI project proposed a
number of guidelines for producing object-oriented software that complies with DO-178B [2].
In 2001, a committee including representatives from the AVSI project, FAA, and NASA Langley Research Center,
was formed to extend the AVSI work for the benefit of the entire aviation software community. This committee
developed the following approach for accomplishing this purpose:
• Establish a web site dedicated to collecting data on OO safety and certification concerns
• Hold public workshops to which the aviation software community would be invited to discuss concerns
• Document each key OO concern raised either through the web site or the workshops
• Adapt the AVSI guidelines to address the OO concerns
• Produce a handbook to document the results
The OOTiA Handbook is comprised of four volumes. This volume focuses expressly on the concerns and questions
about OOT that have been collected through the OOTiA web site and workshops, with the goal of raising awareness
of aspects of OOT that may complicate compliance with DO-178B. Consequently, the tone of this volume may seem
overly negative to some readers, just as the tone of other volumes may seem overly positive to others. Readers of
this volume should carefully note the following:
• Comments recorded through the OOTiA activities are cited throughout the volume. The purpose of citing
recorded comments is not to imply their individual validity, but to account for the data that has been
collected and show the basis for a concise set of key concerns relevant to DO-178B compliance that are
derived from the data as a whole.
• The key concerns documented in this report do not constitute a complete set of safety and certification
concerns.
• Nearly all of the submitted issues used a particular nomenclature for OO concepts and constructs (class,
subclass, superclass, method). For simplicity, the same nomenclature is used in this volume. This usage
does not imply a preference for languages or tools that use these terms over those that do not.
• This volume does not discuss approaches for how to resolve the concerns. Other volumes of the Handbook
(Volume 3, in particular) provide some guidelines for OOT software developers.
It should also be noted that this volume assumes that the reader has a fundamental understanding of OOT concepts
and languages. Further information and references on these can be found in Volume 1. Additionally, it should be
noted that this volume uses the Acronym list and Glossary provided in Volume 1.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context. 2-1
Volume 2
2.1.1 Background
On September 14, 2001, the OOTiA web site http://shemesh.larc.nasa.gov/foot/ was launched by NASA Langley
Research Center, and the aviation software community was invited by e-mail to participate in a dialogue about OOT.
The email distribution list comprised over 900 individuals who had expressed an interest in or attended software
related functions sponsored by the FAA. Individuals were invited to participate by submitting comments or concerns
about OOT to an issue list (IL) kept on the OOTiA web site, by attending public workshops organized by the
OOTiA committee, and by reviewing products from the effort.
To date, 103 separate concerns 1 about various aspects of OOT have been collected through the web site. The web
site initially requested that each submission include a topic, a statement of the concern, and a proposed solution (if
known). Neither individual nor company names were recorded with the submittals. No specific guidance was given
regarding what could or could not be submitted. Later updates of the web site simply requested that concerns be
emailed to a point of contact at NASA Langley. The web site continues to accept new submissions.
Each submission to the web site is added to a list titled “Issues and Comments about Object-Oriented Technology in
Aviation.” This issue list is posted on the web site and updated as new issues are submitted. Every entry that is
submitted is added to the list exactly as it is submitted; entries to the list are not edited. As of the date of publication
of this report, the web site is operational. Decisions about how to respond to future submissions or when to close the
web site have not been made.
Considerable overlap and similarities are evident when reviewing the entries in the issue list. The OOTiA committee
originally determined that most of the issues on the issue list related to the following eight topics: single inheritance,
multiple inheritance, reuse and dead/deactivated code, tools, templates, overloading, type conversion, and inlining.
The OOTiA committee drafted papers for each of these topics, drawing heavily from the original AVSI documents.
In April 2002, a public workshop was held to introduce the OOTiA project, to discuss the draft papers, and to
provide an opportunity for people to raise additional concerns about OOT. Workshop attendance included 13 FAA
representatives and more than 100 aviation industry representatives supporting both airborne and ground-based
applications. Volume 1, section 1.6.2, lists workshop attendees. After this workshop, the individual draft papers
were revised and collated into a single document: “Handbook for Object-Oriented Technology in Aviation.” Also, a
ninth topic, traceability, was added, and a paper on the topic was included in the draft Handbook.
The draft Handbook served as the basis for discussion at a second public workshop, held in March 2003. Attendance
at this workshop was similar in number and composition to the first workshop (see Volume 1, section 1.6.3 for list
of attendees at the second workshop). Results of both workshops are available on the OOTiA web site. Most of the
workshop was devoted to individual sessions on specific chapters of the Handbook. The purpose of those sessions
was to review and modify the draft chapters, and to document new issues, if raised. Two other sessions at the
workshop were not directly tied to the Handbook: “Beyond the Handbook” and “Open Issues.” The “Beyond the
Handbook” session provided participants with an opportunity to discuss questions that should be answered before
making a decision to use OOT on a project. The “Open Issues” session provided participants the opportunity to
discuss any concerns they thought had not been adequately covered in the draft Handbook. As a result of the second
workshop, it was determined that structural coverage should be addressed as a separate topic and that the Handbook
should be sub-divided into multiple volumes to target the specific audiences.
1
There are actually 107 entries to the list, but 4 of them are duplicates.
2-2
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
as issues to be considered before the decision to use OOT has been made. Section 2.3 presents issues documented
about OOT that should be considered after the decision to use OOT has been made. This discussion focuses on the
entries to the issue list, and identifies key concerns with respect to the life cycle processes specified in DO-178B.
Section 2.4 reports those items that have been proposed as open issues (i.e., issues not currently addressed by this
Handbook). Finally, Section 2.5 summarizes the challenges and discusses their relationship to other volumes of the
Handbook, and Section 2.6 provides references specific to this volume. This volume also contains three appendices.
2 DO-178B Issue
Are all the objectives (Annex A) in DO-178B compatible with OOT? Is there anything specific
to OOT that is not addressed in DO-178B?
3 Handbook Issues
How should the handbook be applied to a practical project? For example, is it a certification
aid or best practice? Is it adequate – that is, what needs to be extended, added, and changed?
Figure 2.2-1 Original Classification Scheme for the “Beyond the Handbook” Questions
Appendix A contains the original questions recorded during the brainstorming session. Since that time, the questions
from the session have been re-examined and placed in one of the following five categories:
1. Reality of the Benefits
2. Project Characteristics
2-3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-4
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-5
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
and wondered whether doing so implied a need for additional method-specific handbooks. For example, will we
need handbooks for aspect- or goal-oriented programming? Other participants, including some certification
authorities, however, argued in favor of the benefits that additional clarification and guidelines might provide to the
industry in the short term (that is, until DO-178B is revised or supplementary guidance is developed).
Ultimately, certification authorities, applicants, system developers, and software developers should understand the
requirements that an OO system must satisfy for it to be approved, and how the system will be shown to satisfy
these requirements [13]. Misunderstandings can result in substantial cost and schedule problems [29].
2.2.5.1 Requirements
Several questions were raised as to whether OOT is an adequate approach for requirements development and
implementation. That is, do OO approaches to requirements help with the correct specification and implementation
of intended functionality? At least two points were raised: (1) the difference between approaches to requirements
decomposition (functional versus object), and (2) documentation of requirements.
With functional decomposition, the typical programming unit is some form of subprogram, such as a function,
subroutine, or procedure. Each subprogram typically performs a single specific function, where good programming
practice calls for maximizing functional cohesion within a subprogram and minimizing coupling between
subprograms. Applications are built by sequencing these functional building blocks—“first do this, then do that.”
Verification, in turn, starts with the functionality of an individual subprogram and works its way up by testing
increasing levels of functionality.
In contrast to functional decomposition, OOT focuses on objects and the operations performed by or to those
objects. In an OO program, a class, which is a set of objects that share a common structure and a common behavior,
is the structural element most comparable to a subprogram. Operations related to a given functional requirement
often are distributed among objects associated with different classes.
The concern identified between the approaches is whether the distribution of functionality inherent in OO systems
complicates assurance of the intended functionality. While it is true that program flow may involve calls between
many small methods defined by different classes and, thus, complicate functionality implementation, distribution of
functionality may also provide positive benefits. These benefits include means to encapsulate state, eliminate
references to global data, and more easily ensure synchronized access by concurrent threads.
DO-178B organizes objectives for development and verification around the decomposition of requirements from
system requirements to software high-level requirements to software low-level requirements and architecture to
source code. Although both the functional approach and OOT typically have software requirements data comprised
of text with diagrams maintained by modeling tools, the diagrams offer a different perspective based on what each
approach considers to be most important. With a functional approach, the diagrams, e.g., Visio®, consist largely of
data and control flow diagrams, structure charts, entity-relationship charts, state and sequence diagrams, data stores,
and data schemas. OOT diagrams are mainly comprised of Use Cases, associations, packages, classes, subtypes,
objects, and activity diagrams. Some overlap does occur, however, with the use of sequence diagrams in that Use
Cases typically rely upon them. However, determining how to map the OOT diagrams and their subsequent
refinements to the DO-178B objectives and life cycle data was thought by session participants to be difficult. The
number and diversity of the diagrams used to describe the system can add additional complication.
2-6
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
Requirements definition by any method is a significant challenge to developing a correct and safe system [17].
While some would argue that the close correspondence between real-world entities and the objects within an OO
requirements model makes it easier to construct, validate, and maintain such models, developers should consider
whether OOT makes this challenge easier or more difficult for their project.
2.2.5.2 Verification
In addition to the questions raised about the suitability of OOT for requirements development, a similar number of
questions were raised about verification. The questions about verification are not unrelated to the concerns raised
about requirements. The following sentiment exemplifies the opinion of many in the brainstorming session:
“Object-oriented programs are generally more complex than their procedural counterparts. This added complexity
results from inheritance, polymorphism, and the complex data interactions tied to their use. Although these features
provide power and flexibility, they increase complexity and require more testing” [1].
Several of the questions discussed in the session sought to explore the extent that OO software can be verified:
• Can we analyze OO software?
• Can we adequately test OO software?
• Can we determine the error cases unique to OOT?
That is, do we have the same level of confidence in our ability to adequately review, analyze, and test OO programs
as we do with traditional functional programs? Some specific analysis issues included source code to object code
traceability, low-level requirements-based test coverage, robustness test coverage, and control and data flow
analysis. Several participants in the session argued for the application of static analysis and logic-based methods.
Most of those participants would likely argue for static analysis and formal methods even in a functional approach.
However, the broader question is whether additional verification methods are needed for OOT to achieve the same
level of assurance that could be obtained under a functional approach.
Lastly, many participants acknowledged the need for additional research to better understand error classes that are
unique to OOT, such as research by Offutt [25], and to better understand the extent to which existing methods are
adequate for verifying OOT. Several error classes introduced by OOT have been submitted as entries to the issue
list, and are discussed in section 3.
2.2.5.3 Safety
The final technical challenge mentioned in the questions concerns the ability to conduct an effective system safety
assessment. Participants discussed whether system safety assessments can be easily and accurately derived from an
OO program. Current safety analysis is often based on determining that a function, as implemented, is both correct
and safe (i.e., will function correctly and contains no design errors that would result in unacceptable, anomalous
behavior). In an OO program, operations related to a function can be widely distributed among objects that interact
with each other by exchanging messages. Assessing these interactions among distributed objects complicates safety
analysis and verification and makes functionality difficult to trace. In [19], Nancy Leveson argues that engineers
find that functional decomposition is a more natural approach to the design of control systems, and “that naturalness
translates into easier to understand and review, easier to design without errors, easier to analyze to determine
whether the system does what the engineer wants and does it safely.” Others, however, for example those who
design communication and switching systems, might argue that it is most natural to model control logic using
objects whose behavior is defined using state machines.
Although the system safety assessment is not one of the software life cycle processes specified in DO-178B,
connections with system development and system safety assessment are mentioned in DO-178B [10] (e.g., DO-
178B sections 5.1.2j and 5.2.2d). Hence, the effect of OO design and implementation on the safety assessment
process should be considered and addressed.
2-7
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
The data in Appendix A from the “Beyond the Handbook” session represents only a small portion of the data
collected in the OOTiA project. Appendix C also identifies other considerations to be addressed prior to making the
decision to use OO. However, the majority of the data deals with issues specific to OO methods and languages; that
is, the decision to use OOT is assumed. As might be guessed, many of the questions for deciding whether to use
OOT are directly related to issues raised about OO features discussed in the next section.
2
Some concerns span multiple life cycle processes. Determining which process is most influenced is necessarily subjective. Overlap of concerns
is evident throughout the discussion.
2-8
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
that do not map directly with the data for requirements, design, and code in DO-178B. A description of the software
life cycle data is typically included in the Plan for Software Aspects of Certification, as discussed in section 11.1e of
DO-178B. Some specific questions from the issue list included:
a. How does OO life cycle data map to the DO-178B section 11 life cycle data? e.g., What does “source
code” mean in OO? What are requirements, design, and code in OOT? (IL 87)
b. What are “low level requirements” for OO? (IL 77)
Another fundamental concern for planning relates specifically to requirements. Software requirements standards, as
described in section 11.6 of DO-178B, define the methods, rules, notations, and tools for developing high-level
requirements. The concerns from the issue list covered two aspects of requirements: methods and notations.
2.3.1.3 Restrictions
The final topic relevant to planning deals with restrictions. Section 4.5c of DO-178B states, “the software
development standards should disallow the use of constructs or methods that produce outputs that cannot be verified
or that are not compatible with safety-related requirements” [10]. Some OO languages have features that could make
it extremely difficult or impossible to satisfy the objectives of DO-178B. In many cases, a well-defined subset of the
language may be identified and documented in the coding standards that will allow compliance to objectives for a
given software level. For example, ANSI C++ has some language features, such as multiple inheritance, that may
make it difficult to meet some DO-178B objectives. Two of the entries from the issue list spoke to the potential need
for restrictions or special rules:
a. Multiple inheritance should be avoided in safety critical, certified systems. (IL 38)
b. How can we enforce the rules that restrict the use of specific OO features? (IL 58)
2-9
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
The key concern is that language features, such as multiple inheritance, should be evaluated carefully in the planning
process and restrictions or rules established, documented, and followed as warranted for a particular project.
a. Use of inheritance (either single or multiple) raises issues of compatibility between classes and subclasses.
(IL 17)
b. A subclass either does not accept all messages that the superclass accepts or leaves the object in a state that
is illegal in the superclass. This situation can occur in a hierarchy that should implement a subtype
relationship that conforms to the Liskov substitution principle. (IL 22)
c. A subclass computes values that are not consistent with the superclass invariant or superclass state
invariants. (IL 23)
d. Fundamental pre-requisite language issues need clarification prior to adopting LSP and Design by Contract
(DBC). How can LSP be implemented using available languages? Strongly consider a language subset that
is amenable to use of LSP and DBC. Concern is how far to take this subset. (IL 90)
e. When a descendent adds an extension method that defines an inherited state variable, an inconsistent state
definition can occur. (IL 95)
2-10
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-11
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2.3.2.2.2 Overriding
Overriding is the redefinition of an operation or method in a subclass. The key concern here is that unintentionally
overriding an operation is easy in some OO languages because of the lack of restrictions on name overloading (the
use of the same name for different operators or behavioral features, operations or methods, visible within the same
scope). The consequence is that a method of the expected name but of a different type might be called in a program.
a. It is important that the overriding of one operation by another and the joining of operations inherited from
different sources always be intentional rather than accidental. (IL 32)
b. A subclass-specific implementation of a superclass method is [accidentally] omitted. As a result, that
superclass method might be incorrectly bound to a subclass object, and a state could result that was valid
for the superclass but invalid for the subclass owing to a stronger subclass invariant. For example, object-
level methods like isEqual or copy are not overridden with a necessary subclass implementation. (IL
20)
c. It is unclear whether the normal overload resolution rules should apply between operations inherited from
different superinterfaces or whether they should not (as in C++). (IL 31)
d. Offutt has identified the following classes of errors associated with overriding [25]:
1 If a computation performed by an overriding method is not semantically equivalent to the computation
of the overridden method with respect to a variable, a behavior anomaly can result. (IL 94) This is
referred to as a State Defined Incorrectly (SDI) problem.
2 If a descendant class provides an overriding definition of a method which uses variables defined in the
descendant’s state space, a data flow anomaly can occur. (IL 96) This is referred to as an Anomalous
Construction Behavior (ACB1) problem.
3 If a descendant class provides an overriding definition of a method which uses variables defined in the
ancestor’s state space, a data flow anomaly can occur. (IL 97) This is referred to as an Anomalous
Construction Behavior (ACB2) problem.
4 If refining methods do not provide definitions for inherited state variables that are consistent with
definitions in an overridden method or if an indiscriminately-named local state variable is introduced,
data flow anomalies can result. (IL 92, 93) These are referred to as State Definition Anomaly (SDA)
and State Definition Inconsistency (SDIH) problems, respectively.
5 When private state variables exist, if every overriding method in a descendant class doesn’t call the
overridden method in the ancestor class, a data flow anomaly can exist. (IL 99) This is referred to as a
State Visibility Anomaly (SVA) problem.
As mentioned above, overriding is affected by the use of overloading. In theory, overloading enhances readability
when the overloaded operators, operations or methods are semantically consistent. (IL 60) However, overloaded
operators, operations, and methods contribute to confusion and human error when they introduce methods that have
the same name but different semantics.
2-12
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2.3.2.3.2 Initialization
Incorrect initialization of variables and constants is dealt with in sections 6.3.4 and 6.4.3 of DO-178B. In OO
programs, class hierarchies (deep hierarchies in particular) may lead to initialization problems. The key concern is
that a subclass method might be called (via dynamic dispatch) by a higher level constructor before the attributes
associated with the subclass have been initialized. (IL 19) This can lead to the incomplete (failed) construction
problem identified by Offutt [25]. (IL 98) According to Offutt, there are two possible faults, depending on
programming language:
“First, the construction process may have assigned an initial value to a particular state variable, but it is the wrong
value. That is, the computation used to determine the initial value is in error. Second, the initialization of a particular
state variable may have been overlooked. In this case, there is a data flow anomaly between the constructor and each
of the methods that will first use the variable after construction (and any other uses until a definition occurs)” [25].
2-13
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
c. Reusability is one of the objectives of OO development, but reusable components may be hard to trace
because they are designed to support multiple usages of the same component. Reusable components may
also have functionality that may not be used in every application. (IL 106)
2-14
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
to perform the services provided by a class. Determining the correctness of control flow decisions requires analysis
of how individual data objects that control the execution flow of the software are produced and maintained: where
and when are the objects created or destroyed, where and when are the values of the objects set, and how are any
potential “shared data” conflicts controlled. The key concern in OO programs is that decision points use data objects
with values that are maintained in other parts of the software that might be remote from the proximate path of
execution, thus making flow analysis difficult [32].
OOT also encourages hiding the details of the data representation (that is, attributes) behind an abstract class
interface. Suggested best practice is that attributes of an object should be private, and access to them only provided
through the methods appropriate to the class of the object. Being able to access attributes only through methods
makes the interaction between two or more objects implicit in the code, complicating analysis.
Many of the relevant entries from the issue list express questions about how to do the analysis, as listed below:
a. How can we meet the control and data flow analysis requirements of DO-178B with respect to dynamic
dispatch? (IL 56)
b. Flow analysis, recommended for Levels A-C, is complicated by dynamic dispatch (just which method in
the inheritance hierarchy is going to be called?). (IL 2)
c. Flow analysis and structural coverage analysis, recommended for Levels A-C, are complicated by multiple
implementation inheritance (just which of the inherited implementations of a method is going to be called
and which of the inherited implementations of an attribute is going to be referenced?). The situation is
complicated by the fact that inherited elements may reference one another and interact in subtle ways
which directly affect the behavior of the resulting system. (IL 16)
OO language features such as inlining can also complicate flow analysis because inlining can cause substantial
differences between the flow apparent in the source code and the actual flow in the object code. The following issue
demonstrates the concern:
a. Flow Analysis, recommended for levels A-C, is impacted by Inlining (just what are the data coupling and
control coupling relationships in the executable code?). The data coupling and control coupling
relationships can transfer from the inlined component to the inlining component. (IL 43)
2-15
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
e. How can we meet the structural coverage requirements of DO-178B with respect to dynamic dispatch?
There is cause for concern because many current Structural Coverage Analysis tools do not “understand”
dynamic dispatch, i.e. do not treat it as equivalent to a call to a dispatch routine containing a case statement
that selects between alternative methods based on the run-time type of the object. (IL 55)
The following entries from the issue list refer to the effect that OO language constructs such as inlining and
templates have on structural coverage analysis:
a. With inlining, the “logical” coverage of the inline expansions on the original source code is not clear. This
is generally only a problem when inlined code is optimized. If statements are removed from the inlined
version of a component, then coverage of the inlined component is no longer sufficient to assert coverage
of the original source code. (IL 45)
b. Inlining may affect tool usage and make structural coverage more difficult for levels A, B, and C. (IL 47)
c. Templates can be compiled using code sharing or macro-expansion. Code sharing is highly parametric,
with small changes in actual parameters resulting in dramatic differences in performance. Code coverage,
therefore, is difficult and mappings from a generic unit to object code can be complex when the compiler
uses the "code sharing" approach. (IL 52)
Code sharing involves the sharing of code by more than one class or component, for example, by means of
implementation inheritance or delegation. There are many ways to support code sharing. One risk is that inheritance
can be misused to support only the sharing of code and data structure, without attempting to follow behavioral
subtyping rules.
2-16
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
along with constructors/destructors and other language helper functions. (IL 12) Additional entries from the issue
list related to source to object code traceability include:
a. Dynamic dispatch presents a problem with regard to the traceability of source code to object code that
requires “additional verification” for level A systems as dictated by DO-178B section 6.4.4.2b. (IL 8)
b. Are there unique challenges for source to object code traceability in non-Level A systems? Where should
this be addressed? Multiple tools and ways of addressing source to object traceability? (IL 81)
Some OO language features, such as inlining and implicit type conversion, can also complicate source to object code
traceability:
a. Conformance to the guidelines in DO-178B concerning traceability from source code to object code for
Level A software is complicated by inlining (is the object code traceable to the source code at all points of
inlining/expansion?). Inline expansion may not be handled identically at different points of expansion.
This can be especially true when inlined code is optimized. (IL 46)
b. Implicit type conversion raises certification issues related to source to object code traceability, the potential
loss of data or precision, and the ability to perform various forms of analysis called for by DO-178B
including structural coverage analysis and data and control flow analysis. It may also introduce significant
hidden overheads that affect the performance and timing of the application (IL 59)
3
Some of the books themselves are huge; for example Binder’s Testing Object-Oriented Systems, Models, Patterns, and Tools [Binder] is over
1000 pages.
2-17
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-18
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
implementation (IL 61). Providing traceability from a code sequence to a specific requirement might be difficult
because operations related to a function might be widely distributed among objects. Inheritance, polymorphism, and
overloading exacerbate the problem by increasing the complexity of interaction among distributed objects. The issue
is further described as follows:
• The use of OO methods typically leads to the creation of many small methods which are physically
distributed over a large number of classes. This, and the use of dynamic dispatch, can make it difficult for
developers to trace critical paths through the application during design and coding reviews. (IL 69)
2.3.3.4.2 Complexity
Another key concern for traceability is that class hierarchies, especially those constructed through multiple
inheritance, can become overly complex, making traceability difficult. The following issues were identified:
• Polymorphic and overloaded functions may make tracing and verifying the code difficult. (IL 13)
• When inheritance is used in the design, special care must be taken to maintain traceability. This is
particularly a concern if multiple inheritance is used. (IL 35)
• Class hierarchies can become overly complex, which complicates traceability. Generalization, weak
aggregation, strong aggregation, association, and composition are some of the relations that can be used to
create the class diagrams. (IL 104)
2-19
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-20
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
b. Auto-test and code generation tools – what are the concerns when a single tool generates code and test
from the same model? The concern is with the independence – same input and same tool. (IL 83)
c. When using OO tools to develop software requirements, design and implementation, it is beneficial to
work at the visual model level, especially when using UML. When working with OO tools, configuration
management might be done at the modeling level (i.e., diagrams). This may cause a concern when the OO
tools can introduce subtle errors into the diagrams. (IL 100)
2-21
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
p. If you are going to go OO, you may require more processing power and memory for the delivered system
than if you had not used OO.
q. Formal Methods:
• Why aren’t correct-by-construction and static verification recognized as valuable within the aviation
community?
• Ignorance about static verification.
• Documentation of best practices that include formal methods for producing better software.
• Formal methods should be included in DO-178C, acknowledging the maturity of formal methods.
• Determine the gain you get from formal methods by showing how it affects Annex A.
2.5 Summary
Identifying safety and certification concerns is an important step in developing guidelines for safely using OOT in
aviation applications. Because OOT has been around for a while, there is industry experience to help shed light on
possible problems. In this report, we focus specifically on potential pitfalls to using OOT in aviation applications.
These concerns and questions about OOT have been collected through the OOTiA project web site and workshops.
In general, two sets of challenges are summarized below: (1) challenges to consider before making the decision to
use OOT on a program, and (2) challenges to consider once that decision is made.
2.5.2 Summary of Key Areas of Concern for OOT When Meeting DO-178B
Other challenges to safely implementing OOT in compliance with DO-178B were captured through the OOTiA web
site on a list of “Issues and Comments about Object-Oriented Technology in Aviation.” The key areas of concern are
summarized in question format below (with reference to the appropriate section in Volume 2) and are further
addressed in Volume 3. These are the types of questions that developers should consider and address in their OOT
projects.
2-22
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
d) Have appropriate language restrictions been established, documented, and followed? (section 2.3.1.3)
2.5.2.3.1 Verification
a) Does the approach for data and control flow analysis address complications that may arise with dynamic
dispatch, polymorphism, multiple implementation inheritance, and inlining? (section 2.3.3.1.1)
b) Does the approach account for dynamic dispatch and the run-time classes of objects when measuring the
structural coverage of an object-oriented program? (section 2.3.3.1.2)
c) Does the approach for measuring structural coverage adequately address inlining and templates when they
are used? (section 2.3.3.1.2)
d) Are problems related to timing analysis avoided or addressed when using dynamic dispatch? (section
2.3.3.1.3)
e) Are problems related to timing analysis avoided or addressed when using inlining, templates, and macro
expansion? (section 2.3.3.1.3)
f) Is source to object code traceability provided when using dynamic dispatch, inlining, and/or implicit type
conversion? (section 2.3.3.1.4)
g) Is functional coverage of low-level requirements provided? ((section 2.3.3.2.1)
h) Has adequate requirements coverage at all levels of integration been provided, even if the number of test
cases is large? (section 2.3.3.2.1)
i) If test cases developed for a class will be reused to test its subclasses, has the approach been adequately
assessed? (section 2.3.3.2.2)
2.5.2.3.2 Configuration Management
a) Have unique configuration items been defined in the OO project? (section 2.3.3.3.1)
b) Has the management and change of configuration items been addressed, when using OO tools and
modeling languages? (section 2.3.3.3.2)
2-23
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2.5.2.3.3 Traceability
a) Has traceability between functional requirements and object-oriented implementations been ensured?
(section 2.3.3.4.1)
b) Has traceability when constructing inheritance hierarchies been ensured? (section 2.3.3.4.2)
c) Have behavioral requirements that map to multiple graphical views in OOT models been addressed?
(section 2.3.3.4.3)
d) When using an iterative development process that leads to a large number of changes to a large number of
artifacts, has traceability been ensured? (section 2.3.3.4.4)
For each of the above questions, key concerns are identified based on input to the OOTiA program. This list is
certainly incomplete; however, it provides a starting point for developing guidelines for the safe use of OOT in
aviation applications. Volume 3 of the OOTiA Handbook provides some best practices for developing OOT
applications in systems to be certified by the FAA. Volume 4 provides an approach for certification authorities and
designees to ensure that OOT issues have been addressed in the projects they are reviewing or approving.
2.6 References
1. Alexander, Roger T. “Improving the Quality of Object-Oriented Programs,” IEEE Software, September/
October 2001, pp. 90-91.
2. Aerospace Vehicle Systems Institute. Guide to the Certification of Systems with Embedded Object-Oriented
Software. Version 1.2, 31 October 2001.
3. Aerospace Vehicle Systems Institute. Guide to the Certification of Systems with Embedded Object-Oriented
Software. Version 1.6.
4. Basili, V., L. Briand and W. Melo. “How Reuse Influences Productivity in Object-Oriented Systems.”
Communications of the ACM, vol. 39, no. 10, 1996, pp. 104-116.
6. Briand, L., E. Arisholm, S. Counsell, F. Houdek, and P. Thévenod-Fosse. “Empirical Studies of Object-
Oriented Artifacts, Methods, and Processes: State of the Art and Future Directions.” Technical Report ISERN-
99-12, 1999.
7. Certification Authorities Software Team (CAST). “Object-Oriented Technology (OOT) in Civil Aviation
Projects: Certification Concerns.” Position Paper CAST-4, January 2000, available at
http://www2.faa.gov/certification/aircraft/av-info/software/CAST_Papers.htm. Visited on 29 July 2003.
8. Certification Authorities Software Team (CAST). “Use of the C++ Programming Language.” Position Paper
CAST-8, January 2002, available at http://www2.faa.gov/certification/aircraft/av-
info/software/CAST_Papers.htm. Visited on 29 July 2003.
2-24
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
9. Cuthill, Barbara. “Applicability of Object-Oriented Design Methods and C++ to Safety-Critical Systems.”
Proceedings of the Digital Systems Reliability and Safety Workshop, 1993.
10. RTCA, Inc. Software Considerations in Airborne Systems and Equipment Certification. RTCA/DO-178B,
December 1992.
11. RTCA, Inc. Final Report for Clarification of DO-178B “Software Considerations in Airborne Systems and
Equipment Certification.” RTCA/DO-248B, 12 October 2001.
12. Glass, Robert L. “The Naturalness of Object Orientation: Beating a Dead Horse?” IEEE Software, May/June
2002, pp. 103-104.
13. Hayhurst, Kelly J., C. Michael Holloway. “Challenges in Software Aspects of Aviation Systems.” Proceedings
of the 26th Annual NASA Goddard Software Engineering Workshop, 27-29 November 2001, pp. 7-13.
14. Information Processing Ltd. “Advanced Coverage Metrics for Object-Oriented Software.” Available at
http://www.iplbath.com/pdf/p0833.pdf. Visited on 30 October 2003.
15. FAA Aircraft Certification Service. Conducting Software Reviews Prior to Certification. Job Aid, June 1998,
available at http://www2.faa.gov/certification/aircraft/av-info/software/Job_Aids.htm. Visited on 29 July 2003.
16. Knight, J.; Evans, D.; and Offutt, J. “Object Oriented Programming in Safety-Critical Software.” A white paper.
17. Hanks, Kimberly S., John C. Knight, Elisabeth A. Strunk. “Erroneous Requirements: A Linguistic Basis for
Their Occurrence and an Approach to Their Reduction.” Proceedings of the 26th Annual NASA Goddard
Software Engineering Workshop, 27-29 November 2001, pp. 115-119.
19. Leveson, Nancy. “Re: object-orientation vs. safety-critical” in Safety-Critical Mailing List, 2002, archived at
http://www.cs.york.ac.uk/hise/safety-critical-archive/2002/0203.html. Visited on 28 July 2003.
20. Liskov, Barbara H., Jeanette M. Wing. “A Behavioral Notion of Subtyping,” ACM Transactions on
Programming Languages and Systems, Nov. 1994, vol. 16, no. 6, pp. 1811-1841.
21. Rierson, Leanna. “Object-Oriented Technology (OOT) in Civil Aviation Projects: Certification Concerns.”
Proceedings of the 18th Digital Avionics Systems Conference, St. Louis, MO, Oct. 24-29, 1999.
23. Meyer, Bertrand. Object-Oriented Software Construction. Prentice Hall, 2nd edition, 1997.
25. Offutt, Jeff, Roger Alexander, Ye Wu, Quansheng Xiao, Chuck Hutchinson. “A Fault Model for Subtype
Inheritance and Polymorphism,” The 12th IEEE International Symposium on Software Reliability Engineering,
Hong Kong, PRC, pp. 84–95, November 2001, available at
http://ieeexplore.ieee.org/iel5/7759/21326/00989461.pdf?tp=&arnumber=989461&isnumber=21326.
26. Object Management Group. OMG Unified Modeling Language Specification. Version 1.5, March 2003.
27. Rierson, Leanna K. “FAA’s Next Steps for OOTiA.” Presented at the Object-Oriented Technology in Aviation
Workshop 2, 27 March 2003, available at http://shemesh.larc.nasa.gov/foot/next-steps-end.ppt. Visited on 29
July 2003.
2-25
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
28. Rosay, Cyrille. “Is DO-178B still compatible with modern modeling methods?” A white paper from
JAA/CEAT, draft 3-15, 22 February 2002.
29. Hayhurst, Kelly J., Cheryl Dorsey, John Knight, Nancy Leveson, G. Frank McCormick. “Streamlining Software
Aspects of Certification: Report on the SSAC Survey.” NASA/TM-1999-209519, August 1999.
30. Vessey, Iris, and Sue A. Conger. “Requirements Specification: Learning Object, Process, and Data
Methodologies.” Communications of the ACM, vol. 37, no. 5, May 1994, pp. 102-113.
31. Webster, Bruce F. Pitfalls of Object-Oriented Development. M&T Books, 1995. (out of print)
32. Whitford, S. A. “Software Safety Code Analysis of an Embedded C++ Application.” Proceedings of the 20th
International System Safety Conference, August 5-9, 2002, pp. 422-429.
33. Wood, M, J. Daly, J. Miller, and M. Roper. “Multi-Method Research: An Empirical Investigation of Object-
Oriented Technology.” The Journal of Systems and Software, 1999, no. 34, pp. 13-26.
2-26
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context. 2-27
Volume 2
28. Are we subjecting OOT to extra scrutiny because it is new to the aviation community?
29. Does the OO paradigm actually fit your problem domain?
30. How much of current good practice is non-applicable to OOT?
31. Do we need to make a distinction between the design process and the develop/test process? Does OOD <->
OO implementation?
32. Do you have a plan for failure?
33. Where is dynamic dispatch really useful? Would the non-OO alternative be any easier to analyze?
34. How mature are your requirements?
35. Is there an existing tool set to support your effort?
36. Has the company analyzed the benefits & risks of using OOT over their current established approaches to
software engineering?
37. Have you run out of steam in regards to existing techniques for really large systems and if so does OOT
help us manage such systems better?
38. Is there an agreement on what is OOT? What is essential, what is not, etc.?
39. Does OOT help us write the requirements correctly and implement them properly? Can we integrate
Formal Methods into the process?
40. Does OOT help us identify what we really want in the system and document this in requirements?
41. Will our system interface with other systems that are not OOT-based?
42. Do you understand the issues presented in the Handbook and why are they issues? Does anyone?
43. Can your company make a case for using OOT in a system in such a way that you can document and verify
the system?
44. Why is company X using OOT?
45. Can the system & software safety assessments be derived easily from OOT or is it a difficult task to ensure
safety?
46. Why is company Y not using OOT?
47. Is OO the best method from the engineering point of view for reuse?
48. Are the objectives in DO-178B sufficient to define ‘correctly’ for OOT development?
49. Are your requirements implementable using OOT?
50. What measures or metrics will you use to determine success/failure for your project?
51. Is control-flow analysis, data-flow analysis, Z-flow analysis applicable to OO software, or should we be
looking for something else?
2-28
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-29
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-30
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-31
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-32
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-33
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-34
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-35
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
70 The difference between dead and deactivated code is not Development 2.3.2.4.1 identifying
always clear when using OOT. Without good Integral dead and deactivated
traceability, identifying dead vs. deactivated code may be (Traceability) code
difficult or impossible.
71 When a design contains abstract base classes, portions of Development 2.3.2.4.1 identifying
the implementations of these classes may be overridden dead and deactivated
in more specialized subclasses, resulting deactivated code
code.
72 Traceability is made more difficult because there is often Integral 2.3.3.4.3 tracing
a lack of OO methods or tools for the full software (Traceability) through OO views
lifecycle.
73 Formal specification languages are generally accessible Planning 2.3.1.2 requirements
only to those specially trained to use them. To make methods and
formal specifications accessible to developers and the notations
authors of test cases, we must map such formal
specifications to natural language and/or other less formal
notations (e.g. UML). There, however, is currently no
well defined means of doing so. This issue applies to both
preliminary and detailed design.
74 Change impact analysis may be difficult or impossible Integral 2.3.3.3.2
due to difficulty in tracing functional requirements (Configuration configuration control
through implementation. Management)
2-36
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-37
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-38
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-39
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-40
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-41
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
2-42
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 2
extend their former approaches in a one-sided fashion. For example, they may take a data structure, turn it into a
class, define methods to access (get and set) the data fields, and leave it at that. The resulting class is little more than
a cumbersome version of the original data structure, with no intelligence or behavior built into it. On the process
side, developers may take a set of functions and turn them into methods of a single class, possibly with few no data
members.” [31] Both represent a misuse of OO principles, and lead to poor designs.
2-43
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Handbook for Object-Oriented
Technology in Aviation (OOTiA)
Contents
3.1 INTRODUCTION ........................................................................................................................................ 3-1
3.1.1 Purpose.............................................................................................................................................. 3-1
3.1.2 Organization ...................................................................................................................................... 3-1
3.2 MAPPING OF VOLUME 2 ISSUES TO VOLUME 3 GUIDELINES .................................................................... 3-2
3.2.1 Key Concerns/Issues Addressed by the Guidelines............................................................................ 3-2
3.3 SINGLEINHERITANCEANDDYNAMICDISPATCH....................................................................................................... 3-11
3.3.1 Purpose............................................................................................................................................ 3-11
3.3.2 Background...................................................................................................................................... 3-11
3.3.3 Overall Approach ............................................................................................................................ 3-13
3.3.4 Inheritance with Overriding ............................................................................................................ 3-14
3.3.5 Method Extension ............................................................................................................................ 3-17
3.3.6 Subtyping ......................................................................................................................................... 3-18
3.3.7 Formal Subtyping ............................................................................................................................ 3-19
3.3.8 Unit Level Testing of Substitutability............................................................................................... 3-21
3.3.9 System Level Testing of Substitutability Using Assertions............................................................... 3-22
3.3.10 System Level Testing of Substitutability Using Specialized Test Cases ...................................... 3-24
3.3.11 Class Coupling............................................................................................................................ 3-26
3.3.12 Deep Hierarchy........................................................................................................................... 3-28
3.4 MULTIPLE INHERITANCE ....................................................................................................................... 3-29
3.4.1 Purpose............................................................................................................................................ 3-29
3.4.2 Background...................................................................................................................................... 3-29
3.4.3 Overall approach............................................................................................................................. 3-29
3.4.4 Multiple Interface Inheritance ......................................................................................................... 3-30
3.4.5 Multiple Implementation Inheritance............................................................................................... 3-31
3.4.6 Mixed Multiple Inheritance ............................................................................................................. 3-32
3.4.7 Combination of Distinct Abstractions.............................................................................................. 3-33
3.4.8 Top Heavy Hierarchy....................................................................................................................... 3-34
3.5 TEMPLATES ........................................................................................................................................... 3-36
3.5.1 Purpose............................................................................................................................................ 3-36
3.5.2 Background...................................................................................................................................... 3-36
3.5.3 Source Code Review ........................................................................................................................ 3-36
3.5.4 Requirements-Based Test Development, Review, and Coverage ..................................................... 3-37
3.5.5 Structural Coverage for Templates.................................................................................................. 3-37
3.6 INLINING ............................................................................................................................................... 3-39
3.6.1 Purpose............................................................................................................................................ 3-39
3.6.2 Background...................................................................................................................................... 3-39
3.6.3 Inlining and Structural Coverage .................................................................................................... 3-39
3.6.4 Source Code Review of Inlined Code............................................................................................... 3-40
3.7 TYPE CONVERSION ................................................................................................................................ 3-41
3.7.1 Purpose............................................................................................................................................ 3-41
3.7.2 Background...................................................................................................................................... 3-41
3.7.3 Overall Approach ............................................................................................................................ 3-41
3.7.4 Source Code Review, Checklist, and Coding Standards.................................................................. 3-41
3.7.5 Loss of Precision in Type Conversions ............................................................................................ 3-42
3.7.6 Type Conversions of References and Pointers................................................................................. 3-43
3.7.7 Language Specific Guidelines.......................................................................................................... 3-43
3.8 OVERLOADING AND METHOD RESOLUTION .......................................................................................... 3-44
3.8.1 Purpose............................................................................................................................................ 3-44
3.8.2 Background...................................................................................................................................... 3-44
3.8.3 Code Review Method ....................................................................................................................... 3-44
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-ii
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-iii
Volume 3
Figures
Figure 3.4-1 Combination of Distinct Abstractions ................................................................................................ 3-33
Figure 3.10-1 Code Generation using Visual Modeling Tools................................................................................ 3-54
Figure 3.11-1 Overview of Traceability .................................................................................................................. 3-59
Figure 3.12-1 Inheritance........................................................................................................................................ 3-64
Figure 3.12-2 Concrete Coverage ........................................................................................................................... 3-65
Figure 3.12-3 Context Coverage ............................................................................................................................. 3-66
Figure 3.12-4 Flattened Inheritance ....................................................................................................................... 3-67
Figure 3.12-5 Dynamic Dispatch ............................................................................................................................ 3-67
Tables
Table 3.2-1 Mapping of Key Concerns and Guidelines........................................................................................... 3-11
Table 3.12-1 Hierarchical Incremental Testing Summary ...................................................................................... 3-64
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-iv
Volume 3
3.1 Introduction
Volume 3 identifies some of the currently known best practices for the implementation of object-oriented
technology (OOT) in aviation. These “best practices” are called “guidelines” throughout this volume. Developers of
OOT software are the target audience for this volume, as are certification authorities and designees who evaluate
airborne software. OOT in embedded and safety-critical systems is still an evolving discipline; best practices will
likely be added and modified in the future revisions of this Handbook. In any case, the OOT standards and methods
the developer intends to use should be documented in the project plans and standards, and presented to the
certification authorities as early as possible in the project.
3.1.1 Purpose
The purpose of this volume is to identify best practices to safely implement OOT in aviation by providing some
guidelines to address the key concerns and issues documented in Volume 2. The guidelines presented in this volume
are not necessarily the only way to address these issues. There may also be other means that are effective, and the
Handbook may itself define alternative ways to resolve a given issue. In some areas, this volume does not provide
best practices but, rather, cites areas of ongoing research that should be monitored by prospective OOT developers.
Such areas of research occur most notably in the areas control and data coupling, and structural coverage analysis as
applied to OOT in aviation. In all cases, it should be noted that it is still the developer’s responsibility to
demonstrate that the OOT methods and processes they have selected to utilize can, and will, provide the appropriate
integrity for safe software implementation.
3.1.2 Organization
This volume is organized as follows: Section 3.1 introduces Volume 3 and provides the purpose and layout of the
document. Section 3.2 provides a mapping from the key concerns and issues in Volume 2 to the guidelines (best
practices) in Volume 3. Sections 3.3 through 3.12 provide background and guidelines for each of the following
technical areas:
Single Inheritance and Dynamic Dispatch (section 3.3)
Multiple Inheritance (section 3.4)
Templates (section 3.5)
Inlining (section 3.6)
Type Conversion (section 3.7)
Overloading and Method Resolution (section 3.8)
Dead And Deactivated Code, And Reuse (section 3.9)
Object-Oriented Tools (section 3.10)
Traceability (section 3.11)
Structural Coverage (section 3.12)
Section 3.13 lists the references used in Volume 3. Section 3.14 provides an index of terms to assist users of the
volume. Appendix A provides nine frequently asked questions (FAQs) and their answers regarding the use of OOT
and this Handbook. Appendix B contains some extended guidelines and examples that support the Handbook.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-1
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-2
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-3
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-4
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-5
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-6
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-7
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-8
Volume 3
Section 3.4.4.3,
Section 3.4.6.3,
Section 3.4.7.3,
Section 3.11.5.1,
Section 3.11.6.1, and
Section 3.11.7.1
Volume 2, section 2.3.3.4.3 72 Sections 3.10.3 and 3.11.6.1
How do we deal with behavioral
requirements that map to multiple
graphical views in OOT models?
Volume 2, section 2.3.3.4.4 105 Section 3.11.10.1
How do we maintain traceability when
using an iterative development process
that leads to a large number of changes
to a large number of artifacts?
Volume 2, section 2.3.4.1 101, 102 Sections 3.10.4.2, 3.10.5.2, and 3.10.6.3
How can we ensure that visual modeling
tools support compliance with DO-178B
without introducing additional verification
burden?
Volume 2, section 2.3.4.1 103 Sections 3.10.7, 3.10.8.2, and 3.10.9.2
How can we ensure that structural
coverage tools provide a reliable
measurement of the structural coverage
achieved?
Volume 2, section 2.3.4.2 86 Issue is not specific to OOT.
Considering the rapid rate of tool Not specifically addressed in Volume 3; however,
evolution and new tool types, how will the known type of tools for which best practices
tools be identified and maintained to have been identified were addressed in Section
meet long-term needs for development
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-9
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-10
Volume 3
3.3.1 Purpose
This section provides guidelines for the safe implementation and use of single inheritance and dynamic dispatch
(also known as dynamic binding) in projects that use object-oriented (OO) technology.
3.3.2 Background
Inheritance. Inheritance supports the organization of object-oriented systems in terms of classes and class
hierarchies. This is a fundamental concept that permits OO systems to directly represent and classify objects
representing real-world entities from the problem domain without introducing redundancy.
Classes. Classes may define a variety of elements, including operations (which specify the services provided by the
class), methods (which provide the code to implement operations), attributes (which represent stored data values),
and associations (representing references to other objects).
Visibility. Class elements may be restricted in terms of their visibility. Unified Modeling Language (UML) [4], for
instance, distinguishes between elements that are visible to all clients that have access to the class itself (public
access), elements that are visible to clients within the same package (package access), and elements that are
accessible only to subclasses (protected access). Elements may also be accessible to both classes in the same
package and to subclasses (e.g., in Java), or to a named set of classes (e.g., in Eiffel).
Operations. Operations accessible to classes other than the defining class and its subclasses are sometimes referred
to as client operations. All operations are identified by their signatures. The signature of an operation consists of its
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-11
Volume 3
name and a list of the types of its parameters – the information needed to match a call to the operation being called.
Consider the UML definition of an operation “m (p: Integer, q: Float)”. The signature of this operation consists of its
name “m” and its parameter types “Integer” and “Float”. In some languages, the return parameter (if any) is
considered a part of the signature, while in others (such as C++) it is not.
Most OO languages support constructors and destructors. A constructor is an operation called by the run-time
environment when a new object is allocated to ensure it is properly initialized. Conversely, a destructor is an
operation called by the run-time environment when an object is deallocated to ensure any resources held by the
object are released. In most OO languages, a class may define more than one constructor, each with its own
signature. The constructor called by the run-time environment is the one that matches the arguments supplied by the
program at the point it requests the allocation of a new object. Destructors typically have no parameters and, as a
result, at most one destructor is associated with a class.
Constraints. Class definitions may also include constraints in the form of pre-conditions, post-conditions, and
invariants. Pre-conditions represent constraints that must hold at the time a given method is called. Post-conditions
represent constraints that are guaranteed to hold once execution of the method completes, provided its pre-
conditions were first met. Invariants represent constraints that are established by the class constructor and are
considered to be a part of the pre-condition and post-condition of every client operation. Additional constraints may
also apply to the relationships between classes. Constraints may be used to specify safety predicates as well as
conditions for correctness, and acceptable use.
Class hierarchies. Class hierarchies consist of classes connected via generalization relationships. In such a
relationship, the more general of the classes is termed the superclass, while the more specialized class is termed the
subclass. The relationship itself is also referred to as subclassing or subtyping.
The class hierarchy may be extended to any depth, although very deep class hierarchies may cause difficulties.
Subclasses inherit the elements of their superclasses. Subclasses may also extend these superclass definitions to
include additional elements they define themselves, or redefine elements by overriding their inherited definitions.
Single inheritance allows each class to have at most one immediate superclass, while multiple inheritance permits a
class to have more than one immediate superclass. Interface inheritance involves the inheritance of only interface
elements (such as operation specifications and constraints), while implementation inheritance involves the
inheritance of implementation elements (such as methods, attributes, and associations).
Polymorphism. In most object-oriented languages, an object is permanently assigned a run-time class at the point at
which it is allocated and initialized. Although the run-time class of the object never changes, the object can be
treated not only as a member of its run-time class, but also as a member of any superclass of this class. This ability
to treat an object as a member of any of its superclasses is referred to as polymorphism. Polymorphism supports the
replacement of general implementations with more specialized ones. It, however, requires strict adherence to
subtyping rules that guarantee that instances of subclasses behave like instances of their superclasses.
Substitutability. The basic subtyping rules are those given by Liskov and Wing [7]. Because they guarantee that we
can substitute an instance of a subclass for an instance of a superclass, they are often collectively referred as the
Liskov Substitution Principle (LSP). Although the term LSP was not used by the authors [7], it has become a
convenient way to refer to the principles required to guarantee substitutability and will be used in such context to
discuss inheritance issues. The subtyping rules have also been popularized by Bertrand Meyer [17][18] in terms of a
contracting metaphor between the clients of a class and its implementation.
In contracting terms, the client is responsible for establishing the pre-condition of an operation before calling it.
Given this pre-condition, the method that implements the operation is then responsible for either delivering on the
post-condition, or reporting an error to the client. The class invariant is established by the constructor when the
object is first created, and must be maintained by all client operations. As a result, it is considered to be a part of the
pre-condition and the post-condition of every client operation. The class invariant, however, need not hold at all
points during the execution of a client operation, only at the beginning and at the end. This is sufficient to ensure
that temporary violations of the invariant are not observable by clients if data is encapsulated and calls to client
operations are properly synchronized.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-12
Volume 3
Substitutability requires, quite simply, that subclasses not break the contract between client and implementation
established by their superclasses. This applies both to the redefinition of one operation by another operation and the
implementation of an operation by a method. As a result, the pre-condition of an operation in the subclass must be
weaker (demand less) or the same as the pre-condition of the same operation in the superclass. Conversely, the post-
condition must either be stronger (deliver more) or the same. Viewed in this way, substitutability requires that we
not demand more of clients, i.e., the types of input parameters must be either be made more general or left
unchanged, and that we deliver at least as much as promised, i.e., the types of output parameters must either be made
more specific or left unchanged.
With regard to errors, the subclass version of an operation can only report the same types of errors as its superclass
version. Otherwise, clients would be expected to handle error cases that were not part of the original contract.
Substitutability also applies to changes to the signatures of operations introduced in subclasses. In this regard, the
types of an operation’s input parameters are logically a part of its pre-condition. Similarly, the types of an
operation’s output parameters (and any return parameter type) are logically a part of its post-condition. In most OO
languages, dynamic dispatch is used to associate a method with a call based on the run-time type of the target object.
Dynamic dispatch is not related to dynamic linking or dynamic link libraries, nor is it any more dynamic than the
use of a case statement to explicitly select a method based on the run-time type of the target object.
Dynamic dispatch. Method selection based only on the type of the target object is referred to as single dispatch
(since it involves only consideration of the run-time class of the object, i.e., a single parameter). In a few OO
languages, method selection also includes the run-time classes of the remaining parameters. This is referred to as
multiple dispatch [14]. The methods considered for selection are referred to as multi-methods. Languages that
support multiple dispatch are more flexible in terms of the overriding of methods than single dispatch languages and
able to deal more elegantly with issues such as the binary methods problem [12][13]. Analogous to single dispatch,
multiple dispatch is logically equivalent to the use of a series of nested case statements for method selection.
Issues and guidelines. A number of issues arise when using single inheritance and dynamic dispatch that may make
compliance with DO-178B difficult. Volume 2 documents key concerns and related issues and Volume 3 associates
these concerns and issues with some applicable guidelines. Guidelines assume that all source code is available for
software developed to meet DO-178B levels A, B, and C. In general, these “guidelines” do not represent new
“guidance”, but an interpretation of existing guidance (DO-178B) with respect to the use of particular OO features.
The “rules” associated with these guidelines are also rules only in the sense that they must be followed in order to
adopt the given approach. Often there are also alternative approaches that can be followed in order to address the
same issues and still comply with DO-178B.
1
Use of UML is not a requirement. Users are free to choose their own approach to modeling and OO development.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-13
Volume 3
through the strict enforcement of a small set of basic principles, an approach similar to that taken by Meyer with
respect to Eiffel [18].
Note that, there may be some situations in which it is entirely reasonable to use inheritance to support code sharing
without intending to achieve type substitutability. The aim is usually to achieve aggregation with export of methods
(and possibly attributes) from the aggregated class(es). The problem is that most OO programming languages do not
distinguish this form of inheritance from subtyping inheritance (or provide a mechanism for aggregation with export
of features). Inheritance should be used for this purpose only when it is documented and the use of polymorphism
and dynamic dispatch in respect of these classes is avoided.
The guidelines on Subtyping (see section 3.3.6) and Formal Subtyping (see section 3.3.7) complement those on
Inheritance with Overriding (see section 3.3.4) by specifying how to test for superclass/subclass compatibility.
Several different approaches are possible. The simplest involves unit level testing and the inheritance of unit level
test cases, as in the guidelines for Unit Level Testing of Substitutability (see section 3.3.8). For organizations that
want to do all testing at a system level, two approaches are provided. The guidelines for System Level Testing of
Substitutability Using Assertionsinvolve instrumentation of the code with assertion checks. The guidelines for
System Level Testing of Substitutability Using Specialized Test Cases (see section 3.3.10) involve the development
of specialized versions of system level test cases for this purpose.
Note that, although the subtyping guidelines address compliance from a behavioral perspective, inheritance involves
both classification and implementation, and the valid use of inheritance need not be limited to subtyping (although it
often is, e.g., by UML).
The remaining guidelines address special cases and individual issues. The guidelines on Method Extension (see
section 3.3.5) deal with the definition of a subclass method as an extension of an inherited version of the same
method. It applies most often to constructors, but can be used to extend the implementation of any method.
The guidelines on Class Coupling (see section 3.3.11) address concerns related to flow analysis between superclass
and subclass definitions. They recommend the definition of an abstract interface between a class and its subclasses
analogous to the client interface for the class.
The guidelines on Deep Hierarchy (see section 3.3.12) provide a rule to help identify class hierarchies that are “too
deep”. Unlike the rules associated with the other guidelines, this is intended only as a rule of thumb. Engineering
judgment is required to balance the tradeoffs associated with any proposed changes.
3.3.4.1 Motivation
The unrestricted use of dynamic dispatch raises a number of issues with respect to certification, especially with
regard to weakly typed languages, and systems that permit the run-time loading of new classes (that are not a part of
a previously verified system configuration). With suitable language restrictions (i.e., a precisely defined language
subset that permits use of static analysis techniques), dynamic dispatch is semantically equivalent to the use of hand-
coded dispatch methods containing nested case statements or compound if statements. The automation of dynamic
dispatch by the compiler is then equivalent to the auto-generation of these dispatch routines and inlined calls to
them. This treatment as an inlined call, combined with compliance with structural coverage criteria identified in
Sections 3.10 and 3.12 of this volume, provides a means to ensure compliance with DO-178B.
3.3.4.2 Applicability
These guidelines assume:
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-14
Volume 3
3.3.4.3 Guidelines
The following rules define a form of inheritance, overriding, and dynamic dispatch which is equivalent to hand-
coded dispatch using case statements or compound if statements:
Simple overriding rule: An operation may redefine an inherited operation, and a method may implement an
operation so long as changes to its signature guarantee substitutability. Specifically, a redefined operation may be
made more visible to clients. And, a redefining operation or implementing method may be made more restrictive
regarding the types of errors it can report to clients (e.g., as exceptions or by setting error return codes). With
regard to parameter types, an operation may override an inherited operation or a method may implement an
operation by supertyping its input parameters, or subtyping its return type or the types of output parameters. The
types of parameters that represent both inputs and outputs must remain unchanged (invariant). No other form of
overriding should be allowed for languages supporting only single dispatch.
Accidental override rule: To ensure that overriding is always intentional rather than accidental, design and code
inspections should consider whether locally defined features are intended to override inherited features with a
2, 3
matching signature .
Simple dispatch rule: When an operation is invoked on an object, a method associated with the operation in its run-
time class should be executed. This rule applies to all calls except explicit calls to superclass methods, which
should be addressed as described by the Method Extension guidelines (see section 3.3.5).
Complete initialization rule: Every attribute must be initialized to a value consistent with the class invariant by the
class constructor.
Initialization dispatch rule: No overridden method should be called during the initialization (construction) of an
object.
Dispatch time rule: All dispatch times should be bounded and deterministic
Object code traceability rule: Everywhere concerns about source code to object code traceability and timing
analysis dictate, the compiler vendor may be asked to provide evidence of deterministic, bounded mapping of the
dispatched call. If the evidence is not available from the compiler vendor, it may be necessary to examine the
structure of the compiler-generated code and data structures (e.g., method tables) at the point of call.
A dispatching method call is considered semantically equivalent to the invocation of a dispatching routine
containing a case statement of the form:
case of <target-object-run-time-class>
case <class>:
<statically-resolved-call-to-method-implemented-by-class>;
...
end
2
When the language itself does not allow the user to make the intent to override an inherited operation/method explicit.
3
As defined in the Glossary, a feature is an attribute, operation, or method. This includes attributes that reference other objects (i.e., association
ends).
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-15
Volume 3
Each case of this case statement handles dispatch to an implementation of the method by the target object’s declared
type or one of its subclasses, i.e., the class corresponding to the object’s run-time type.
With regard to the Simple overriding rule, the inability to subtype the types of input parameters does not preclude
the use of overloading for this purpose. The developer, however, must clearly understand that the selection of an
overloaded method is based on the declared types (rather than the run-time types) of the arguments at the point of
call.
In accordance with the Simple dispatch rule, method calls are expected to be dispatching. 4 Dispatch must account
for the run-time type of the target. Static resolution is regarded as an optimization in those cases where only one
resolution is possible.
Note: The Initialization rule is not intended to be an obstacle to the creation of “reset” operations that can be called
by clients to reinitialize on object after it has been constructed, or to the sharing of initialization code with class
constructors. It suggests only that the client reset operation (which has the class invariant as a part of its pre-
condition) and the constructors (which do not) call a non-overridden, internal operation that performs the
initialization steps common to them all.
The Simple overriding rule ensures substitutability is not violated at the language level, in terms of method
declarations. The Subtyping guidelines (see section 3.3.6) extend this to include testing for substitutability at the
behavioral level. Compliance with substitutability is necessary if instances of subclasses are to be treated as
instances of their superclasses 5. This is not only required by the UML definitions of generalization and inheritance,
but a fundamental assumption underlying the use of polymorphism and dynamic dispatch. Verification of
substitutability for the most critical software can be can be shown in one of two ways: (1) by testing each case at
each call site (when dynamic dispatch is only rarely used) or (2) by conforming to the Subtyping guidelines (see
section 3.3.6) (more practical for software where dynamic dispatch is more widely used).
The Accidental override rule is intended to guard against errors that could occur in languages that assume that a
subclass feature, including attributes, operations and methods [19], can override a superclass feature that has a
matching signature. This rule is unnecessary if the language forces the developer to explicitly state that overriding is
intended (as in C#).
The Simple dispatch rule is intended to support a model of object-oriented behavior in which (1) each class can be
completely understood by looking at it in flattened form, and (2) the behavior of any object can be completely
understood by looking at the flattened definition of its run-time class. The Simple dispatch rule guarantees this even
when the declared type of the object is a superclass of its run-time class (i.e., when polymorphism is used).
The Initialization rule is intended to avoid errors that may arise during the construction of an object when a subclass
version of a method is called before associated subclass attributes have been initialized and the subclass invariant (if
any) has been established. In particular, the class invariant is implicitly a part of the pre-condition and post-condition
of every client operation, and the class invariant is not guaranteed to be true until the constructor completes. As a
result, overridden client operations should not be called during object construction. For similar reasons, special care
should also be taken with respect to calls to client operations in destructors, and at other points where the class
invariant may no longer hold.
4
In OOT languages such as Ada 95, C++, and Java, binding occurs when the application is built, not at execution time. Only in languages such as
Smalltalk and Common Lisp is dynamic binding truly dynamic (execution time). In the other languages mentioned dynamic dispatch is no more
dynamic than a case statement, i.e., all alternatives are statically determined. As a result, the developer should avoid languages such as Smalltalk
and Lisp for avionics applications.
5
State Visibility Anomaly (SVA): Per the example given in [19], B::m() must be compatible with both A::m() and C::m(). When introducing a
method B::m() that both overrides a method A::m() and is overridden by another method C::m(), compatibility must be compatible in both
directions.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-16
Volume 3
3.3.5.1 Motivation
Often we want to provide a subclass version of an operation that extends the functionality provided by the operation
in its superclass. This extension in functionality must be consistent with substitutability. As a result, the pre-
condition for the subclass operation must be weaker than or the same as its pre-condition in the superclass, and the
post-condition for the subclass operation must be stronger than or the same as its post-condition in the superclass.
By implementing an extended operation in terms of an explicit call to the superclass method, preceded or followed
by additional code, we are able to:
• avoid repeating the code appearing in the superclass method,
• provide code before the call to handle the additional cases implied by a weaker pre-condition 6, and
• provide code after the call that adds to its effect, as implied by a stronger post-condition.
Such explicit calls to superclass methods are by their nature statically bound, and do not involve dynamic dispatch.
The code that follows the call to the superclass method must not undo its effects in order for the overall post-
condition to be an extension of that for the superclass.
3.3.5.2 Applicability
These guidelines are commonly applied to constructors, which begin by calling the constructor for the superclass,
then initialize all the attributes defined by the class itself. It may also be used to select between competing inherited
versions of a method (multiple implementation inheritance).
6
Weakening the pre-condition makes it valid to call an operation with additional inputs or input combinations. Consider the operation f(p:
Integer) pre p > 0. If we weaken the pre-condition to give us f(p: Integer) pre p ≥ 0., then the implementation must handle the additional case in
which p is zero.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-17
Volume 3
3.3.5.3 Guidelines
The following rule for method extension represents the sole exception to the Simple dispatch rule given in section
3.3.4.3:
Method extension rule: When extending the functionality of an inherited method, the subclass method should
explicitly call the superclass version of the same method.
Note that the terms method and operation are used in accordance with the UML definitions (see Glossary in Volume
1) since some languages blur the distinction. Implementation of method extension in different target languages is
described in Appendix B.1.2.
3.3.6 Subtyping
The Subtyping guidelines extend the Inheritance with Overriding guidelines (see section 3.3.4) (which addresses
substitutability at a language level in terms of operation signatures) in order to verify compliance with
substitutability at a behavioral level.
3.3.6.1 Motivation
DO-178B verification activities may involve testing (at either a unit or system level), the use of formal or informal
proofs, or other techniques. This section does not prescribe a particular approach. That is left to those sections that
extend the basic guidelines given in this section.
Intuition can be misleading when it comes to subtyping relationships. We might, for instance, think (intuitively and
mathematically) that all squares are rectangles, so Square should be a subclass of Rectangle. Whether Square should
be a subclass of Rectangle, however, should not be based on our intuition, or any mathematical definition, but on the
interfaces we define for these classes. If the interface for Square specializes the interface for Rectangle in
accordance with substitutability, then it is appropriate for it to be a subclass of Rectangle. Otherwise, it is not [11].
By assuming that instances of subclasses must always be substitutable for instances of their superclasses, these
guidelines restrict the pre-conditions and post-conditions of redefined operations in addition to their signatures.
Formally, the pre-condition for a redefined operation must be weaker than or the same as the pre-condition of the
operation it redefines. Conversely, the post-condition for a redefined operation must be stronger than or the same as
the post-condition of the operation it redefines.
In terms of the client interface, this means that a subclass is compatible with a superclass if we:
(1) expect no more of clients than we do in the superclass (the pre-conditions of overridden operations are weaker
or the same), and
(2) deliver at least as much (the post-conditions of overridden operations are stronger or the same).
The same rules apply to the relationship between methods and the operations they implement: the pre-condition for
an implementing method must be weaker than or the same as the pre-condition of the operation it implements, and
the post-condition for an implementing method must be stronger than or the same as the post-condition of the
operation it implements.
Note that in real-time systems, the deadline by which a method must complete may be treated as part of the post-
conditions. If it is important to know up-front in system development that timing constraints are met, then every
implementation must be required to meet its respective timing bound. Otherwise, when complete closure exists, the
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-18
Volume 3
system as a whole must be tested to ensure it meets its required bounds. In a broader sense, post-conditions can
address other quality of service (QOS) issues in addition to timing constraints.
3.3.6.2 Applicability
These guidelines apply when instances of different subclasses may be assigned (polymorphically) to a given variable
or parameter.
3.3.6.3 Guidelines
The guidelines in this section extend those on Inheritance with Overriding (see section 3.3.4) to include the
following additional rules.
Minimum compatibility rule: At a minimum, superclass/subclass compatibility should be verified with respect to all
classes involved in the polymorphic assignment of different subclass instances to the same variable or parameter
during the execution of the system.
Substitutability compliance rule: Any approach used to verify superclass/subclass compatibility should be
consistent with the principles of behavioral subtyping defined by Liskov and Wing [7].
As specified by UML, the semantics of subclassing implies superclass/subclass compatibility in accordance with
substitutability. In practice we must, at a minimum, ensure that we verify this in all cases where instances of
different subclasses may be associated with the same variable or parameter during the execution of the system under
test.
Additional guidelines are defined by a number of sections that extend these basic guidelines. These guidelines vary
with the approach used to verify superclass/subclass compatibility. The standard for superclass/subclass
compatibility, however, is the same: compliance with the principles of behavioral subtyping defined by [7].
3.3.7.1 Motivation
The signature of an operation, which includes its name, parameter types, result types (if any), and errors (if any),
provides clues to the operation’s behavior but, by itself, is insufficient. Comments that describe the purpose of the
operation and the relationships between inputs, outputs, and errors are also helpful. But most comments are
informal, cannot be processed by tools, and lack the precision to serve as a basis for analysis, proofs, or the
development of test cases.
As a result, it is generally recommended that class interfaces be specified in a pre-condition/post-condition/invariant
style (an approach referred to by Meyer as ‘Design by Contract’). Expressing low-level requirements in this way
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-19
Volume 3
helps prevent errors by making the semantics of the interface clear to developers before client code is written. Such
specifications can also be processed by tools and used as a basis for analysis, formal proofs, and the generation of
test cases. This, in turn, supports reverification and regression testing in response to changes to the class introduced
in order to comply with other guidelines.
It is also useful to specify global data access and information flow relations as part of an operation’s contract. While
these are not as strong as the recommended pre-condition/post-condition/invariant style, they can be efficiently
checked and also used as the basis for analysis, formal proofs, and the generation of test cases.
3.3.7.2 Applicability
These guidelines apply when instances of different subclasses may be assigned (polymorphically) to a given variable
or parameter.
3.3.7.3 Guidelines
The guidelines in this section extend those on Subtyping (see section 3.3.6) to include the following rules:
Explicit pre/post-condition/invariant rule: To ensure that all classes define their interfaces as contracts, all pre-/post-
conditions and invariants for operations and methods must be explicitly stated and all errors returned by them must
be specified. Unless the program is to be subjected to automated formal analysis, this includes pre-/post-
conditions, invariants, and lists of reported errors/exceptions that are considered to be trivial (e.g., conditions
whose value is true, and error lists that are empty).
Frame condition rule: Unless the language provides a separate mechanism for indicating which variables may and
may not change, ideally each post-condition should also include a ‘frame condition’ which indicates which variables
are guaranteed not to change as a result of executing the operation/method.
Software developers tend to rely on testing to verify substitutability. While associated test cases may be developed
at either the system or the unit level, the development of test cases alone, however, has its limitations. Test cases are
no substitute for a complete, precise specification of behavior, which is needed by the clients of a class, and by
developers seeking to subclass an existing class.
A complete and precise specification of behavior is also needed in order to develop the test cases for a class and to
provide traceability from high level to low level requirements. As a result, it is generally recommended that class
interfaces be specified in a pre-condition/post-condition/invariant style (an approach referred to by Meyer as
‘Design by Contract’). This style provides the basis to make compliance with substitutability easier and helps avoid
errors by making contracts between clients and classes explicit. In addition, explicit statement of pre/post-condition
and invariants can be used to generate unit level test cases, or can be used as the basis for formal analysis and
proofs.
Realistic implementation of these guidelines requires the use of an unambiguous programming language and
application of static analysis techniques.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-20
Volume 3
3.3.8.1 Motivation
The verification of superclass/subclass compatibility is straightforward if we develop a set of unit level test cases for
Mis en forme
all classes identified by the Minimum compatibility rule (see section 3.3.6.3).
Subtype compatibility then means that all superclass test cases should run successfully against all subclass instances
(superclass test cases are inherited by subclasses) provided that all such tests satisfy the method pre-condition(s)
involved, taking account of any dynamic dispatch involved in evaluating the pre-condition. Subclasses also often
extend this set of superclass test cases to include their own more specialized tests (the subclass test set is a superset
of the superclass test set).
3.3.8.2 Applicability
These guidelines apply when concerns exist about compatibility between specific classes, and test cases are written
to directly test these classes. Typically, this applies to low-level requirements. These guidelines should be applied to
situations where instances of different subclasses may be assigned at run-time to a variable or parameter whose
declared type is an associated superclass (polymorphic assignment).
In contrast to other Subtyping guidelines (see section 3.3.6), the guidelines in this section are most effective when
the development organization relies on a combination of system level and class level testing, rather than on system
level testing (i.e., requirements-based testing) alone. Separate sections address System Level Testing for
Substitutability (see the guidelines for System Level Testing of Substitutability Using Assertions and System Level
Testing of Substitutability Using Specialized Test Cases, sections 3.3.9 and 3.3.10, respectively).
3.3.8.3 Guidelines
The guidelines in this section extend those on Subtyping (see section 3.3.6) to include the following rules which
apply to all classes identified by the Minimum compatibility rule in section 3.3.6.3:
Inherited test case rule: Every test case appearing in the set of test cases associated with a class should appear in
the set of test cases associated with each of its subclasses.
Separate context rule: If dynamic dispatch is involved in the execution of a method, the method should be
separately tested in the context of every concrete class in which it appears, irrespective of whether it is defined by
the class or inherited by it, provided that all such tests take account of the method pre-condition(s) involved, taking
account of any dynamic binding involved in evaluating the pre-condition. An exception is made for methods that are
guaranteed not to directly or indirectly invoke a method that is dynamically bound with respect to the current object,
for example, simple get and set methods that only assign a value to, or return the value of an attribute or
association. Such methods need only be tested once, in the context of the defining class.
These rules are intended to imply that all inherited test cases (other than those for simple gets and sets) should be run
against instances of all concrete subclasses. As a result, changes to the code inherited by a class that affect its
flattened form should result in its retest precisely as if the class itself had been edited.
The Inherited test case rule is intended to apply to all test cases, including those introduced solely to meet structural
coverage criteria. It could be argued that such tests should only be inherited when the tested code is also inherited. It,
however, seems simpler and safer to recommend that they be inherited in all cases, since they should pass when run
against the subclass.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-21
Volume 3
When applying the Inherited test case rule, if the subclass invariant is stronger than that of its superclass, then a
check of this invariant (rather than the weaker superclass invariant) should be a part of the pass/fail check of each
inherited test case. In this way, issues associated with overriding are avoided.
The Separate context rule is intended to ensure that superclass methods are separately tested in the context of each
subclass. This recommendation addresses the fact that even when a given method is inherited without change, the
methods called by it may be overridden in the subclass, leading to a different behavior. An exception is made for
methods that are guaranteed not to directly or indirectly invoke a method that is dynamically bound with respect to
the current object, for example simple get and set methods that reference only data, and do not call other methods. A
more complete impact analysis could be used to determine whether other inherited methods need to be retested in
the context of each subclass. The guidelines in this section, however, assume it is simpler and easier to rerun such
tests than to perform such an analysis.
Note that testing in accordance with these guidelines will ensure that all dispatch table entries are exercised at some
call site, equivalent to providing MC/DC of the case statement assumed to be associated with the dispatch routine.
Although not required to use these guidelines, it is recommended that class interfaces be specified in a pre/post-
condition style prior to writing test cases (an approach referred to by Meyer [17] as ‘Design by Contract’).
Expressing low-level requirements in this way helps prevent errors by making the semantics of the interface clear to
developers before client code is written. Pre- and post- conditions may be specified in a variety of ways (e.g., as
informal comments, as formal annotations, in table form, in terms of a state diagram, or in terms of executable run-
time checks used by a test driver). Such pre- and post- conditions may also be useful as input to test case generation
tools.
Although these guidelines typically apply to the testing of low-level classes and requirements, they can be used at a
high-level if the classes and subclasses to be tested for compatibility represent a software system or a subsystem. For
example, given a class System with subclasses SystemA and SystemB, SystemA and SystemB should inherit the test
cases defined for System (which are based on the high-level requirements common to both of them).
3.3.9.1 Motivation
Some projects prefer to focus exclusively on system level testing (i.e., requirements-based testing) without
developing any unit level/class level test cases. Use of the Unit Level Testing of Substitutability (see section 3.3.8) is
clearly in conflict with this approach. A number of programming languages and tools, however, support the selective
use of pre- and post- condition and invariant declarations as run-time checks. One particularly simple way to test for
substitutability at a system level is to take advantage of the use of these checks to verify superclass/subclass
compatibility for classes identified by the Minimum compatibility rule (see section 3.3.6.3). This does not involve
any substantial changes to existing system level, requirements based tests. It does, however, require that these tests
be run against both an instrumented and uninstrumented version of the software.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-22
Volume 3
3.3.9.2 Applicability
These guidelines apply when concerns exist about the substitutability of various subclasses for one another at run-
time and requirements-based test cases are written to test these configurations. Typically, the test cases are based on
high-level requirements.
Although these guidelines typically apply to the testing of high-level requirements at a system level, they can also be
applied at a subsystem level, in terms of low-level or derived requirements. These guidelines differ from those for
the Unit Level Testing of Substitutability (see section 3.3.8) in that test cases are written against some entity (e.g.,
system or subsystem) that contains instances of the classes we wish to test for compatibility, and not directly against
these classes.
Use of these guidelines is straightforward if a project already instruments the code to measure structural coverage, or
is already defining interfaces as contracts [17], [18, Design by Contract]. These, though, are not prerequisites.
The guidelines, however, do assume that system level test cases have been developed (or will be developed) to test
for all system configurations in which instances of various subclasses may be substituted for one another at run-
time. (Development of these test cases should be driven by high-level requirements related to substitutability).
Substitutability related assertions require language or tool support.
As with the instrumentation of code for any reason (e.g., measurement of structural coverage), care should be taken
to account for the overhead associated with the run-time checks involved, e.g., timing may be affected. It is also
necessary to consider what should be done if any of the conditions (pre-, post-, and invariant) are violated (i.e.,
handling of exceptions needs to be accounted for).
3.3.9.3 Guidelines
The guidelines in this section extend those for Subtyping (see section 3.3.6). The following rules describe the type
of assertion checks required to test for superclass/subclass compatibility in accordance with substitutability. Such
checks should be performed on all classes identified by the Minimum compatibility rule (see section 3.3.6.3).
Pre-condition assertion rule: An assertion to check the operation’s pre-condition should appear before the body of
all methods that implement a public operation. In accordance with substitutability, this pre-condition may only be
weakened or the same in overridden versions of the operation.
Post-condition assertion rule: An assertion to check the operation’s post-condition should appear after the body of
all methods that implement a public operation. In accordance with substitutability, this post-condition may only be
strengthened or the same in overridden versions of the operation.
Invariant assertion rule: An assertion to check the operation’s invariant should be a part of the pre-condition
check and the post-condition check of all public operations. In accordance with substitutability, the invariant may
only be strengthened or the same in all subclasses of a class.
Instrumented/uninstrumented testing rule: A test case run against an instrumented version of the code should be
considered to pass only if all assertion checks associated with substitutability hold during its execution. A test case
run against an uninstrumented version of the code should be considered to pass only if it produces the same result
that it did when run against an instrumented version of the same code.
The first three rules echo the basic principles of substitutability. Some languages (such as Eiffel [17][18]) enforce
these rules directly and provide facilities for enabling and disabling associated run-time checks, as required for
instrumented/uninstrumented testing. In other languages (such as C++ and Java), it is possible to use language level
assertions to achieve the same effect, although the substitutability relations between pre-conditions, post-conditions
and invariants must be enforced by code reviews. A subset of the language that is amenable to use of substitutability
and that will help static analysis should strongly be considered.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-23
Volume 3
A simple way in which to ensure that these relations hold is to require that:
• new pre-conditions be of the form ‘overridden_ pre or some _condition’,
• new post-conditions be of the form ‘overridden_post and some_condition’, and
• new subclass invariants be of the form ‘superclass_invariant and some_condition’.
3.3.10.1 Motivation
Some projects prefer to focus exclusively on system level testing (i.e., requirements-based testing) without
developing any unit level /class level test cases. Use of the Unit Level Testing of Substitutability (see section 3.3.8)
is clearly in conflict with this approach. There are, however, ways to test for substitutability at a system level. One
approach involves the development of specialized system level tests for this purpose. This has the advantage of
avoiding instrumentation (see guidelines for System Level Testing of Substitutability Using Assertions in section
3.3.9) although it typically requires that test cases be developed with this approach in mind.
3.3.10.2 Applicability
These guidelines apply when concerns exist about substitutability of various subclasses for one another at run-time
and requirements-based test cases are written to test these configurations. Typically, the test cases are based on high-
level requirements.
Although these guidelines typically apply to the testing of high-level requirements at a system level, they can also be
applied at a subsystem level, in terms of low-level and derived requirements. They differ from the guidelines for
Unit Level Testing of Substitutability (see section 3.3.8) in that test cases are written against some entity (e.g.,
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-24
Volume 3
system or subsystem) that contains instances of the classes we wish to test for compatibility, and not directly against
these classes.
Use of these guidelines is straightforward if test cases have not yet been developed, or if the current set of test cases
ignores substitutability.
3.3.10.3 Guidelines
The guidelines in this section extend those for Subtyping (see section 3.3.6). The following rules relate to the process
used to develop system level test cases to test for substitutability [3, section 5]. They assume that, with suitable
language restrictions, dynamic dispatch is semantically equivalent to the use of hand-coded dispatch methods
containing case statements or compound if statements. The rules begin with conformance to coverage criteria based
on inlined calls to a case statement with MC/DC testing for Level A systems. They culminate in conformance to
coverage criteria that guarantees substitutability between subtypes and supertypes.
Generalized test case rule: First, construct a set of system level test cases to meet the required DO-178B coverage
criteria while considering only the declared classes of objects and object references. The run-time classes of
objects and dynamic dispatch should be ignored other than to mark test cases that include dispatching calls as
polymorphic.
Specialized test case rule: Next, create a set of specialized test cases for each polymorphic test case that are
explicitly designed to test for substitutability. The set of test cases generated from a given polymorphic test case
should be designed to drive dynamic dispatch down different paths with regard to the selection of subclass
methods. The initial state and resulting state associated with each specialized test case should be compatible (in
terms of substitutability) with the more general test case from which it was derived.
It is also possible, by complying with the following rules, to develop a set of test cases that meet any of a number of
different substitutability-related coverage criteria.
Min substitutability coverage rule: By this test case coverage criteria, the full set of specialized test cases must
exercise dynamic dispatch to subclass methods to the extent required to meet the structural coverage criteria of
DO-178B.
Max substitutability coverage rule: By this test case coverage criteria, the set of specialized test cases derived from
each polymorphic test case must exercise all reachable subclass methods at each point of call involving dynamic
dispatch.
Mid substitutability coverage rule: By this test case coverage criteria, the full set of specialized test cases must
meet the criteria set by the Min Substitutability coverage rule. Additional specialized test cases, however, must be
introduced to test specifically for the types of problems raised by issues 20, 21, 22, 26, and 40 identified in Volume
2, Appendix B of this Handbook.
Compliance with DO-178B objectives requires conformance to the Min Substitutability coverage rule. This rule is
designed to rely on DO-178B to set the criteria for test case coverage. Rather than require additional test cases to test
for substitutability, it takes advantage of the process for test case generation to add substitutability-related
compatibility checks to the test cases created (“The initial state and resulting state associated with each specialized
test case should be compatible (in terms of substitutability) with the more general test case from which it was
derived.” [7]). This is not as rigorous as the process of the Unit Level Testing of Substitutability (see section 3.3.8),
but it does make the most of the test cases already required by DO-178B.
The Max substitutability coverage rule matches the degree of rigor offered by the Unit Level Testing of
Substitutability (section 3.3.8), and exceeds it. It is most appropriate when the DO-178B software level is high (e.g.,
level A) and the number of calls involving dynamic dispatch is small. If run-time substitution of different subclass
instances is commonplace (Minimum compatibility rule, section 3.3.6.3), exhaustive testing of all subclass methods
in the context of every system level test case is impractical. Typically, however, the most safety-critical applications
are also the most static, making this level of substitutability test coverage acceptable in many cases.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-25
Volume 3
The Mid substitutability coverage rule attempts to strike a balance between the previous coverage criteria by
requiring compliance with the Min substitutability coverage rule, but adding rigor through the introduction of
additional test cases targeted specifically to the types of problems raised in issues 20, 21, 22, 26, and 40 identified in
Volume 2, Appendix B of this Handbook. Additionally, explicit robustness test cases may need to be developed, but
this is not unique to substitutability-related testing [19].
Tools are often used to verify structural coverage criteria and should follow the guidelines given in section 3.12 of
this volume. Structural coverage analysis tools for OO languages should measure coverage for each polymorphic
call and each resolution for each set of identical polymorphic calls. When a tool does not have the capability to
measure coverage in this way, then a process will need to be performed to augment the tool’s analysis capabilities to
satisfy structural coverage objectives. The sets of rules in this section may be used to augment a tool’s capability to
meet DO-178B structural coverage objectives. A clarification of the coverage requirements for class structure versus
the coverage of method internals within the class structure is found in sections 3.10.8 and 3.10.9 of this volume.
3.3.11.1 Motivation
One of the fundamental principles of object-oriented development is data abstraction. The goal is to hide the details
of the data representation behind an abstract class interface. This permits the data representation to change without
affecting other classes. It also simplifies the enforcement of class invariants, and permits control over concurrent
access to shared data. Extending this principle, we can use abstract class interfaces to control access to hardware
resources as well as data.
For example, consider the implementation of a class for a set. The selection of an optimum data representation (list,
tree, hash table, etc.) will vary depending on the mix of operations required by the application. Typical strategies
involve a choice between a sorted and a hashed representation, and a choice between fast insert/delete and fast
lookup. The use of data abstraction makes it easy to change this representation with no significant change to client
code.
The same situation arises with respect to the abstraction of other resources. For example, a number of different
hardware devices may perform a given function, or a number of different caching policies may be associated with
access to a given file system, or a number of different ways may exist to represent the elements of a given display,
with a number of different strategies for drawing/redrawing them. In all these cases, it is desirable to publish a single
interface but support a number of different underlying implementations and data representations.
In terms of DO-178B, data abstraction supports partitioning by permitting the developer to restrict access to the
resources controlled by the class (see section 2.3.1 of [1]. By limiting the degree of control and data coupling
between software components, analysis is simplified and it is easier to verify key system invariants maintained by a
given class (see objective 8 of Table A-7 and objectives 1 and 4 of Table A-3 in DO-178B [1]).
To be effective, the interface should provide a true abstraction of the data and other resources controlled by the
class, rather than simple accessors (get and set operations) for each attribute or hardware register. Any invariants
associated with the class should be established by the class constructor, and maintained by every publicly accessible
operation. Access restrictions associated with the class interface permit a proof of the invariant to be local to the
class, rather than global to the system and different for each system in which the class appears.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-26
Volume 3
These principles apply not only to interfaces provided by the class to clients but to interfaces between superclasses
and subclasses. In particular, it should be possible for the developer to define the interface between a class and its
subclasses in the same manner as the interface between the class and its clients. Both can be considered ‘contracts’,
only with different parties. The interface between client and class is concerned with how the class will be used. The
interface between superclass and subclass is concerned with how the class definition and implementation can be
extended. Both can be defined formally (in terms of pre- and post- conditions) when desired.
3.3.11.2 Applicability
These guidelines apply when control and data coupling between classes is a concern in an object-oriented system.
Access to the attributes of a class is provided by public and protected operations, which can be inlined to avoid the
overhead associated with a call, producing code comparable to that for direct access. When performance is critical,
but the target compiler does not support inlining or does not perform inlining efficiently, use of these guidelines may
not be appropriate.
3.3.11.3 Guidelines
The following rules address the basic issues associated with Class Coupling:
As a result, clients should be able to influence the value of the invariant only through execution of these operations.
Private and protected operations are exempted in the Invariant rule since the invariant need not hold at all times, but
only at points where it is externally observable.
These guidelines may be extended to deal with the coupling between classes and subclasses by also adopting the
following rule:
Again, these guidelines may be used to reduce coupling issues when coupling is considered to be a problem and
these guidelines are adopted to address this problem. To be most effective, both the client and subclass interfaces
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-27
Volume 3
should provide a true abstraction of the data and other resources controlled by the class, rather than simple accessors
(get and set operations) for each attribute or hardware register.
3.3.12.1 Motivation
Most class hierarchies have a characteristic depth of between three and six, irrespective of the application. Class
hierarchies that are either too deep or too shallow can cause problems. Dynamic dispatch can introduce problems
related to initialization, especially with regard to deep class hierarchies. Top-heavy multiple inheritance and deep
hierarchies also tend to be error-prone, even when they conform to good design practice. The wrong variable type,
variable, or method may be inherited, for example, due to confusion about a multiple inheritance structure. Binder
refers to this as “spaghetti inheritance” [11].
3.3.12.2 Applicability
These guidelines apply when the complexity of the class hierarchy is a concern.
3.3.12.3 Guidelines
The following rule addresses the issues associated with Deep Hierarchies:
Six deep rule: Any class hierarchy with a depth greater than six warrants a careful review that specifically
addresses the above issues and weighs this against the need to isolate various proposed changes. When extending
an existing framework, depth should be measured from the point at which the framework is first subclassed. When
developing an application specific class hierarchy, depth should be measured from the root. In languages in which
all classes implicitly inherit from a common root class, this class should not be included in the count.
A class hierarchy that successfully passes an inspection should be marked so as to avoid repeated review with
respect to the same issue.
A certain amount of variation in the threshold (e.g., plus or minus two) may also be expected based on the results of
reviews using the six deep threshold. Deep hierarchies may also be more of a problem with respect to
implementation inheritance than interface inheritance. The use of multiple inheritance can also be an important
factor in adjusting the threshold.
This rule is based on the metrics for class hierarchy nesting level (discussed on pages 61-64 of [9]). Note that this
rule does not, in anyway, imply that class hierarchies with a depth of six or less do not require careful review.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-28
Volume 3
3.4.2 Background
Single inheritance, overriding, subtyping, and dynamic dispatch are described in Section 3.3. Multiple inheritance
permits a class to have more than one superclass. It may involve either interface inheritance or implementation
inheritance, or some combination of these. Interface inheritance involves the inheritance of only interface elements
(such as operation specifications and constraints), while implementation inheritance involves the inheritance of
implementation elements (such as methods, attributes, and references to other objects).
Multiple inheritance may lead to name clashes involving elements inherited from different superclasses that have the
same signature. Some languages support renaming as a means of resolving such name clashes. Eiffel is particularly
elegant in dealing with this [18]. Most other languages either require more complicated workarounds [22, section
12.8] or the editing of the superclass definitions to rename inherited elements.
Most issues arise with respect to multiple implementation inheritance because it is difficult to implement well,
because associated errors have run-time consequences, and because the inherited elements reference one another and
may interact in subtle ways, increasing overall complexity and the potential for error.
Because delegation is considered an effective substitute for multiple implementation inheritance, many more recent
languages (such as Java and C#) only support multiple inheritance involving interface specifications. The Aerospace
Vehicle Systems Institute (AVSI) Guide [21] also recommends the use of delegation rather than multiple
implementation inheritance for systems certified to levels A, B, and C.
A number of issues arise when using multiple inheritance that may make compliance with DO-178B difficult.
Volume 2 documents key concerns and related issues and Volume 3 associates these concerns and issues with some
applicable guidelines. Guidelines assume that all source code is available for software developed to meet DO-178B
levels A, B, and C. These “guidelines” provide an approach for addressing DO-178B guidance with respect to the
use of particular OO features. The “rules” associated with these guidelines are also rules only in the sense that they
must be followed in order to adopt the given approach. Often there are also alternative approaches that can be
followed in order to address the same issues and still comply with DO-178B.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-29
Volume 3
respect to ambiguity and complexity, delegation is still considered preferable to the use of multiple implementation
inheritance for most systems (as recommended by the AVSI Guide [21]).
The guidelines for the Combination of Distinct Abstractions (see section 3.4.7) provide an alternative to those for
Multiple Implementation Inheritance (see section 3.4.5). They forbid the use of repeated inheritance in order to
eliminate related sources of ambiguity.
The guidelines for Mixed Multiple Inheritance (see section 3.4.6) address the case in which we have a mix of
interface and implementation inheritance.
The Top Heavy Hierarchy guidelines (see section 3.4.8) address issues of complex class hierarchies that contain Mis en forme
many classes and inherited features near the top (root) of the hierarchy.
3.4.4.1 Motivation
In the real world, objects are often classified in more than one way. Multiple interface inheritance allows us to
model this without introducing redundancy (and without the complications associated with multiple implementation
inheritance).
3.4.4.2 Applicability
Multiple interface inheritance involves two or more superinterfaces, each of which contributes features (compile-
time constants and operations) to a single subinterface. Each super-interface may, in turn, itself inherit from other
interfaces, either singly or multiply. The resulting inheritance hierarchy forms a directed acyclic graph that permits
the definition of common ancestors, and the inheritance of the same feature along more than one path (repeated
inheritance). Features may also be redefined, potentially resulting in different definitions of the same feature along
different paths. Section B.2.1of Appendix B illustrates the following issues with multiple interface inheritance:
• Repeated inheritance,
• Redefinition along separate paths, and
• Independently defined operations with same signature.
3.4.4.3 Guidelines
The guidelines in this section extend those for Inheritance with Overriding (see section 3.3.4) to include the
following rules that addresses the three issues listed above:
Repeated interface inheritance rule: When the same operation declaration is inherited by an interface via more than
one path through the interface hierarchy without redeclaration or renaming, this should result in a single operation
in the subinterface.
Interface redefinition rule: When a subinterface inherits different definitions of the same operation (as a result of
redefinition along separate paths), the definitions must be combined by explicitly defining an operation in the
subinterface that follows the Simple overriding rule with respect to each parent interface.
Independent interface definition rule: When more than one parent independently defines an operation with the
same signature, the user must explicitly decide whether they represent the same operation or whether this
represents an error. Such decisions should be recorded as explicit annotations to the source code. If the
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-30
Volume 3
operations are not intended to be the same, one of them should be renamed. If the operations are intended to be
the same, any pre-conditions and post-conditions should also be the same.
Compile time constant rule: All of the above rules apply to compile time constants as well as operations. Constants
whose value involves run-time computation should not be permitted in interfaces.
The rationale for the Repeated interface inheritance rule is that cases involving the sharing of operations are
common while cases that demand replication are not (see section B.2 of Appendix B). Sharing is also supported by
many languages, whereas replication is not. Therefore, sharing is defined to be the normal, expected behavior and
additional work is needed to support replication in those rare cases in which it is required.
The Interface redefinition rule is derived from the guidelines for behavioral subtyping [7] that inspired the Simple
overriding rule (see section 3.3.4.3). The user is required to define the operation representing the combination of the
inherited definitions in order to make its specification explicit even when the language does not require it. The intent
here is that clients of the sub-interface be able to directly see the result of combining the inherited definitions.
The Independent interface definition rule requires the user to always explicitly decide when two independently
defined operations with the same signature are intended to represent the same operation and when they are not. The
intent is to avoid errors resulting from the accidental matching of operation signatures.
The Compile time constant rule specifies that compile time constants be treated in the same manner as operations
with respect to the previous cases. It applies only to constants with an initial value that can be computed at
compilation time. Constants whose value is computed at run-time require the generation of code to perform the
computation and assignment. This, in turn, conflicts with the fundamental definition of an interface, which is not
permitted to define either the code or the data.
Language-specific guidelines are provided in section B.2.2.1 of Appendix B. In general, it is only necessary to
enforce (e.g., by means of design and code inspections) those guidelines that the language does not enforce itself.
3.4.5.1 Motivation
Multiple implementation inheritance supports maximum reuse of code.
3.4.5.2 Applicability
These guidelines apply when a given class is implemented by inheriting the methods and attributes of two or more
superclasses.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-31
Volume 3
3.4.5.3 Guidelines
The guidelines in this section extend those for Inheritance with Overriding (see section 3.3.4) to address the basic
issues raised by the multiple inheritance of code and data in a manner consistent with the multiple inheritance of
interface specifications:
Repeated implementation inheritance rule: When the same feature (method or attribute) is inherited by a class via
more than one path through the interface hierarchy, this should result in a single feature in the subclass.
Implementation redefinition rule: When a subclass inherits different definitions of the same method (as a result of
redefinition along separate paths), the definitions must be combined by explicitly defining a method in the subclass
that follows the Simple overriding rule (see section 3.3.4.3) with respect to each parent class.
Independent implementation definition rule: When more than one parent independently defines a method with the
same signature, the user must explicitly decide whether they represent the same method or whether this
represents an error. If they are intended to be different, renaming should be used to distinguish them. Otherwise,
the definitions must be combined by explicitly defining a method in the subclass that follows the Simple overriding
rule (see section 3.3.4.3) with respect to each parent class.
As in the guidelines on Inheritance with Overriding (see section 3.3.4), it is recommended that decisions related to
the Independent implementation definition rule be recorded as explicit annotations to the source code.
Languages specific guidelines for C++ are provided in section B.2.2.2 of Appendix B. In general, it is only
necessary to enforce (e.g., by means of design and code inspections) those guidelines that the language does not
enforce itself.
3.4.6.1 Motivation
Often we want to define a class that implements one or more interfaces while building on the implementation
provided by a second class. This can be accomplished in a number of ways. In situations where the resulting class is
logically a subtype of the other classes, inheritance is a natural choice. This typically works well as long as all the
superclasses are interfaces, save one.
In the more general case, involving an arbitrary combination of interfaces, abstract classes, and concrete classes, the
problems associated with multiple implementation inheritance may also arise.
3.4.6.2 Applicability
These guidelines apply when a class has at least one parent class that is an interface and at least one parent class that
is not.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-32
Volume 3
3.4.6.3 Guidelines
Both the guidelines for Inheritance with Overriding (see section 3.3.4) and Multiple Interface Inheritance (see
section 3.4.4) apply here. If more than one superclass provides an implementation, the guidelines on Multiple
Implementation Inheritance (see section 3.4.5) also apply.
Verification in accordance with the guidelines on Subtyping (see section 3.3.6) is also recommended.
3.4.7.1 Motivation
The guidelines in this section are intended to maximize the reuse of code while complying with the associated
guidelines for Subtyping (see section 3.3.6). Any use of multiple inheritance, however, can lead to ambiguities
within the class hierarchy. Three potential sources of ambiguity are identified in Appendix B.2.1: (1) repeated
inheritance, (2) redefinition along separate paths, and (3) independently defined operations with the same signature.
The first two are eliminated by the guidelines in this section, which require that superclasses always be distinct
rather than subclasses of a common superclass. As Meyer suggests, “This is the form that you will need most often
in building inheritance structures, …” [18, page 521].
3.4.7.2 Applicability
A given class is implemented by inheriting the features of two or more distinct superclasses. The superclasses are
considered distinct because they are not variants of a single abstraction [18, page 521] (i.e., they have no common
ancestors). The following example illustrates the basic structure.
Plane Asset
CompanyPlane
As described by Meyer [18, page 521], a class Plane describes the abstraction suggested by its name. Operations are
provided to query the passenger_count, altitude, position, and speed of the airplane. Additional operations include
commands to take_off and set_speed. In a completely different domain, we have a class Asset that represents
something that a company owns. Our concerns here are related to accounting, the manner in which the asset is paid
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-33
Volume 3
for, its depreciation and sale. Operations associated with an asset include queries to determine its purchase_price
and resale_value, and the actions depreciate, resell, and pay_installment.
These classes are then combined by means of inheritance to create a new class CompanyPlane. Because each
superclass is taken from a different domain and because they have no common ancestors, the odds of inheriting two
independently defined operations with the same signature is small.
3.4.7.3 Guidelines
Although the guidelines in this section extend those for Multiple Implementation Inheritance (see section 3.4.5), the
restrictions on inheritance structure eliminate ambiguities arising from repeated inheritance and redefinition along
separate paths. As a result, we do not need the Repeated implementation inheritance rule or the Implementation
redefinition rule defined by the guidelines for Multiple Implementation Inheritance (see section 3.4.5).
Only the Independent implementation definition rule: from the guidelines on Multiple Implementation Inheritance is
required, to handle cases in which superclasses independently define operations with the same signature. Because
the superclasses are distinct, any ambiguity usually represents an error, and should result in a renaming of one of the
inherited operations in order to make them distinct.
In addition to the two rules below, the rules associated with the guidelines on Inheritance with Overriding and
Subtyping (sections 3.3.4 and 3.3.6, respectively ) must also be followed.
No diamond rule: Repeated inheritance is not permitted; i.e., no subclass may inherit from the same superclass via
more than one path.
Independent implementation definition rule: When more than one parent independently defines a method with the
same signature, the user must explicitly decide whether they represent the same method or whether this
represents an error. If they are intended to be different, renaming should be used to distinguish them. Otherwise,
the definitions must be combined by explicitly defining a method in the subclass that follows the Simple overriding
rule with respect to each parent class. Note: This rule is identical to the rule of same name in the section on
Multiple Implementation Inheritance (see section 3.4.5).
3.4.8.1 Motivation
Most class hierarchies have a characteristic shape. They are generally narrow near their top (root) and broad near
their base, with a depth of between three and six. As a result the number of classes increases as a function of their
distance from the root and the number of inherited elements increases in small steps.
Problems can arise when class hierarchies fail to exhibit this shape. A class hierarchy with many classes near the
root, and with many features associated with these top-level classes can be difficult to understand and change. “Top-
heavy multiple inheritance and deep hierarchies are error-prone, even when they conform to good design practice.
The wrong variable type, variable, or method may be inherited, for example, due to confusion about a multiple
inheritance structure.” [11, p. 503, spaghetti inheritance]
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-34
Volume 3
3.4.8.2 Applicability
These guidelines apply when the complexity of the class hierarchy is a concern and there are too many classes near
its root. This is a particular concern when multiple inheritance is used and the number of features inherited from
each of these upper level classes is large.
3.4.8.3 Guidelines
The following rules define the basic approach:
Three parents rule: Any class near the top of the hierarchy with three or more parents warrants careful review.
Top heavy composition rule: Any class near the top of the hierarchy that inherits more than 20 features from each
of two or more parent classes warrants careful review.
Top to bottom rule: Any class hierarchy that contains more classes near the top of the hierarchy than near the
bottom warrants careful review.
A class is considered “near the top of the hierarchy” if it appears in one of the top two levels. A class is considered
“near the bottom of the hierarchy” if it appears in one of the bottom two levels. A class hierarchy that successfully
passes an inspection should be marked so as to avoid repeated review with respect to the same issue.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-35
Volume 3
3.5 Templates
3.5.1 Purpose
Templates and the guidelines on templates in this section are not unique to OOT. This section addresses issues
raised and considered regarding DO-178B guidelines for development and verification when using templates in an
OOT environment.
3.5.2 Background
Templates provide a means of abstracting common structural and behavioral aspects of a family of classes or
operations in a domain independent way. Template is the UML term for a parameterized model element with
unbound (formal) parameters that must be bound to actual parameters before it can be instantiated.
At a target language level, templates correspond to Ada generics and to C++ templates. A template is a
parameterized code replication feature that provides stronger typing than macros. Templates provide for reusability
in programming languages. Consider a Stack with a generically parameterized base type. Templates allow the Stack
class to provide many class instantiations, such as a Stack of integers, a Stack of any fundamental or user-defined
type, or even a Stack of Stacks.
A template’s behavior results from its implementation, the values of the arguments used to instantiate the template,
and the behavior of any types specified to it as arguments. The use of templates directly impacts: source code
reviews, coding standards, requirements-based test case and procedure development and review, timing analysis,
memory usage analysis, requirements-based test coverage, source code to object code traceability, and structural
coverage, including data coupling analysis and control coupling analysis. Dead code and deactivated code may also
be a concern because unused functionality of a template may be considered either dead or deactivated code.
Template guidelines are provided below in three areas: (1) Source Code Review (section 3.5.3); (2) Requirements-
Based Test Development, Review, and Coverage (section 3.5.4); and Structural Coverage for Templates (section
3.5.5).
3.5.3.1 Motivation
The use of templates can affect source code reviews. Depending on the parameter types and the scope of the call, a
different instantiation of the template may be invoked by the compiler. Each instantiation may use different sub-
components and features of the template. The template may contain features that are not used at all by a specific
application.
3.5.3.3 Guidelines
Standards need to address the issues identified in this section. The source code developer and code reviewer should
be aware of the implications and potential effects of using templates. A template must be reviewed with respect to
the actual parameters to determine if the source code is verifiable. Consequently, the following practices are
recommended:
• It may be necessary for types to be defined in low-level requirements to facilitate test coverage.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-36
Volume 3
• Coding standards should require templates to document all the assumptions about types to be used with that
template.
• Coding standards should be established to ensure that every type used in the instantiation of a template complies
with the assumptions documented for the use of the template.
• Coding standards should be established to determine which features of a template, if any, are not used by the
application. Unused features may be considered dead or deactivated code.
• Each template should be reviewed with respect to the actual parameters.
3.5.4.1 Motivation
Templates are instantiated by substituting zero or more specific arguments for each formal parameter defined in the
template class or operation. Test cases and procedures are developed based on the software high-level, low-level,
and derived requirements. Consequently, test developers and reviewers may not be aware whether a template
contains additional functionality, and may not be aware of or have visibility into all the functionality contained
within a specific operation that is instantiated by a template call. In general, requirements-based test cases and
procedures may not test all functionality of the template, especially that functionality which is not instantiated for a
particular template. All instantiations should be tested to guarantee that the template functions as intended [23] [11].
3.5.4.3 Guidelines
Each instance of a template with a unique set of arguments should be tested for software at Levels A, B, and C. It is
theoretically possible to test the template for all known instances if the types map to the same underlying
representation and object code can be shown to be equivalent. In practice, the complexity of the instantiation
process makes it difficult to verify all instances of a template without testing each instance individually. [23] It also
complicates the requirements to test coverage traceability, as many tests may need to be executed to cover all
possible instantiations that do not trace to specific requirement of the application. Also, the developer may need to
provide protection that ensures that the unused functionality of the template (deactivated code) cannot be
inadvertently activated. Therefore, while templates may lead to coding efficiencies, the use of templates may
actually substantially increase the amount of requirements-based test development, review, and coverage needed.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-37
Volume 3
3.5.5.1.2 Guidelines
In general, templates should be analyzed for complexity and complex templates should be avoided. Nesting
templates increases the complexity of the code and therefore warrants careful review. Also, any template class that
inherits from another template class or provides interfaces or operations to be overridden by a subclass warrants
careful review.
3.5.5.2.2 Guidelines
Code sharing is not widely used, and in general, code sharing should be avoided.
3.5.5.3.2 Guidelines
Data and control coupling associated with templates should be evaluated with respect to the actual parameters.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-38
Volume 3
3.6 Inlining
3.6.1 Purpose
Inlining and the guidelines on inlining in this section are not unique to OOT. This section addresses issues raised
and considered regarding DO-178B guidelines for development and verification when inlining in an OOT
environment.
3.6.2 Background
When a compiler chooses to inline, a method body is compiled without the call overhead (i.e., the inlined method
body’s object code is physically placed in the calling method’s object code). This is in contrast to the “usual”
implementation of making a call (and potential context switch) during execution to a separate method with the
associated parameters, if any, being passed to the called method. If the compiler chooses not to inline, a call to the
method is inserted in the caller’s object code, and the called method’s object code remains separate. The inlining of
methods eliminates the overhead associated with a call, and is thus useful for optimization of performance. This
performance optimization results in a space penalty, unless the inlined method is shorter than the sequence of
instructions used to make the call. Simple get and set methods, for example, are commonly used in OO software and
can sometimes be smaller than the calling sequence.
When inlining, it is important to know if the compiler will honor or ignore the inline request, whether the code has
been inlined or not, and what the impact is to the code.
The following analyses are directly impacted by inlining: memory and stack usage analyses, timing (performance)
analysis, structural coverage analysis, and source code to object code traceability. Inlining may affect a number of
verification methods as noted below. The use of inlining, however, is not an obstacle to certification, so long as its
effects on each of these verification activities are understood, documented, and addressed.
Guidelines are provided below in two areas: (1) Inlining and Structural Coverage (see section 3.6.3) and Source
Code Review of Inlined Code (see section 3.6.4).
3.6.3.2 Guidelines
In general, inlining should consist of a simple expression only, which is almost always one or more statements that
do not contain conditional or iterative expressions. Generally, virtual methods and class constructors/destructors
should not be inlined. See page 140 of [16]. This guideline helps to address DO-178B Table A-7 objectives 5
through 8.
Inline expansion may be handled differently at different points of expansion in order to optimize the code for the
caller’s context. Structural coverage should be verified separately for each expansion, if the inline operation contains
elements that may result in structural coverage escapes. This generally implies the inline operation contains
conditional or iterative statements.” This guideline helps to address DO-178B Table A-7 objectives 5 through 7.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-39
Volume 3
Inline expansion can eliminate parameter passing, which can affect the amount of information pushed on the stack
as well as the total amount of code generated. This, in turn, can affect the stack usage and timing analysis. In
addition, data coupling and control coupling relationships can transfer from the inlined component to the
inlining component. For data coupling and control coupling, the verification approach should address the inlining of
code, including call tree analysis and data set/use analysis. In addition, the verification should include an analysis of
various resources, including worst-case memory usage analysis, stack usage analysis, and timing analysis. This
guideline helps to address objective 8 of DO-178B Table A-7.
3.6.4.2 Guidelines
The inline method should be reviewed against the low-level requirements. This is sufficient to verify the behavior of
all expansions and should help satisfy objectives 1 and 3 of DO-178B Table A-5.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-40
Volume 3
3.7.1 Purpose
Type conversion and the guidelines on type conversion in this section are not unique to OOT. This section addresses
issues raised and considered regarding DO-178B guidelines for verification and coding standards when types are
converted in strongly typed languages, including when it is appropriate to convert types implicitly and when type
conversion should be explicit. These “guidelines” provide an approach for addressing DO-178B guidance with
respect to type conversion for OO languages that provide for strong typing with abstraction. Guidelines are in the
form of recommended practices which support compliance with DO-178B objectives. An analysis should be
conducted to examine the effects of type conversion for all languages as a part of satisfying the DO-
178B verification objectives. Languages that are not strongly typed are not within the scope of this document.
Examples of strongly typed languages include Ada, C++, and Java. Dynamic dispatch, which uses a form of implicit
type conversion, is discussed in a separate section of this document (see section 3.3).
3.7.2 Background
Strongly typed languages are an improvement over languages that are not strongly typed because they provide
additional control of type conversion. User-defined type conversions are easier to identify and understand. Type
conversion may be implicit or explicit and may be checked (to determine if the type conversion results are valid and
correct) or unchecked. With implicit type conversion, the compiler is given the responsibility for determining that a
conversion is required and how to perform the conversion. With explicit type conversion, the programmer assumes
the responsibilities. Checked types can be checked at compile time (producing a compilation error for an invalid
conversion) or at run-time (usually resulting in a run-time error). Conversion can result in loss of data. Unchecked
type conversions need to be verified by test to ensure the conversion was correct.
The following are directly impacted by implicit type conversion: potential loss of data or precision; performance and
timing analysis; requirements-based test development, review, and execution results; structural coverage analysis;
data flow and control flow analyses; and source code to object code traceability.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-41
Volume 3
3.7.4.2 Guidelines
Unchecked type conversions are error prone and should be addressed specifically in coding standards and during
verification. Coding standards may address unchecked type conversions, as in the following recommended practice:
Conversion rule: To help ensure intended function and verification, all conversions (both checked and unchecked)
should be justified or should be explicit, use the most restrictive conversion available, be conspicuously marked
(identified) in the program source code, and be permitted only after thorough review and analysis of potential
adverse effects.
Verification of unchecked type conversions may be accomplished through code reviews, checklists, or analyses
(e.g., static code checking), and testing.
3.7.5.2 Guidelines
Type conversions should be addressed for loss of data, data accuracy, or precision. This may be accomplished
through coding standards and through verification including code reviews, checklists, or analysis. Coding standards
may address type conversions that can result in loss of data, data accuracy, or precision, as in the following
recommended practice:
Loss of information rule: To help ensure correctness, any conversions that may result in loss of data or data
accuracy and precision should be justified or should:
- be explicit,
- use the most restrictive conversion available,
- be conspicuously marked (identified) in the program source code, and
- be permitted only after thorough review and analysis of potential adverse effects.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-42
Volume 3
A clear understanding of the programming language being used is needed to identify and analyze implicit type
conversions for potential loss of information.
3.7.6.2 Guidelines
The following recommended practice may address implicitly converted references and pointers that result in code
with unintended behavior:
Supertype rule: To help ensure intended function and verification, all implicit type conversions involving
references/pointers to class instances should be justified or should only represent a conversion from a subtype to
one of its supertypes.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-43
Volume 3
3.8.1 Purpose
Overloading and the guidelines on overloading in this section are not unique to OOT. This section addresses issues
raised regarding DO-178B guidelines when overloading is used. Guidelines are in the form of recommended
practices, which support compliance with DO-178B objectives. These “guidelines” provide an approach for
addressing DO-178B guidance with respect to overloading and method resolution.
3.8.2 Background
Overloading means: using the same name for different operators or behavioral features (operations or methods)
visible within the same scope. Overloading is a simple but useful form of static polymorphism when used
consistently. Conversely, too much overloading and improper use of overloading can make source code readability
more difficult, and can thus contribute to human error.
Overloading can enhance readability when the overloaded operators, operations, or methods are semantically
consistent. However, overloaded operators, operations, and methods could coincidentally have the same name and
potentially have very different semantic behaviors. Specifically, overloading can be confusing when it introduces
methods that have the same name but different semantics. This may be further complicated when overloading is
combined with other language features (e.g., overriding, templates, etc.). Overloading can also complicate matters
for tool use (e.g., structural coverage and control flow analysis tools) if the overloading rules for the language are
overly complex.
Overloading may affect a number of verification methods as noted below. The use of overloading is not an obstacle
to certification so long as it is verified that the intended operation is, in fact, the operation called.
Guidelines are provided below in two areas: (1) Code Review Method (see section 3.8.3); and (2) Implicit
Conversion (see section 3.8.4).
3.8.3.2 Guidelines
Overloaded methods and operators should be addressed for inconsistencies which can lead to code complexity and
ambiguities. Overloading special language features should be discouraged or justified. This may be accomplished
through code reviews, checklists, or coding standards. Software code standards should include complexity
restrictions that address overloading. For example, the following practices are recommended:
Overloaded method rule: Overloaded operations or methods should form "families" that use the same semantics,
share the same name, have the same purpose, and that are differentiated by the types of their formal parameters.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-44
Volume 3
Overloaded operator rule: Overloaded operators should obey the "natural" meaning and follow conventions of the
language. For example, a C++ operator "+=" should have the same meaning as "+" and "=". Arithmetic operators
should be overloaded using conventional notation whenever possible.
Overloading in general rule: When calls are overloaded, reviewers should know exactly what is being called.
Overloading of special language constructs must be justified.
When performing code reviews, the pre- and post- conditions for overloaded methods should be examined for
consistent behavior in the context of the code under review.
3.8.4.2 Guidelines
To avoid potential problems involving the association of calls with methods, it is recommended that any family of
overloaded operators and methods whose arguments (signatures) are implicitly convertible to one another or from
one to another be required to have the same semantics. Formally, this means they must have the same structure of
pre-conditions and post-conditions. Informally, this means that they may share the same structure of test cases.
The user of any family of overloaded operators and methods whose arguments (signatures) are implicitly convertible
should: (1) perform the call using arguments that do not need to be converted, and (2) perform structural coverage
analysis applicable to the software level per DO-178B to ensure the proper method is being called.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-45
Volume 3
3.9.1 Purpose
This section identifies issues, perspectives, and recommendations for addressing concerns associated with software
reuse, deactivated code, and dead code contained in aviation software applications as a result of using OOT
development processes, environments, and tool libraries. This section provides clarification for certain sections of
DO-178B and contains no new or additional guidance material.
3.9.2 Background
A major objective of OOT is to provide developers with the ability to create new software systems utilizing reusable
software components where a component may be comprised of classes, methods, procedures, packages, modules,
and so on. A reusable component often contains more software functionality than required by the system being
certified. The requirements and design of the reusable component should be more generic and cover more situations
if the component is truly reusable. If this extra functionality results in extra code in the system itself, then there may
be deactivated code with which to deal. Deactivated code will likely be present in any application that uses general
purpose software components and libraries, such as commercial off-the-shelf (COTS) software libraries provided
with a compiler, operating system or run-time environment, or OO development frameworks.
Particular areas of concern for deactivated code when utilizing OO techniques include:
• Compiler generated default methods (e.g., default constructors, destructors, and assignment operators)
• Completely unused classes
• Unused methods within classes
• Unused operations within overloaded methods
• Overridden methods due to use of sub-classes
• Existence of unexecuted paths because the entry conditions for those paths are never satisfied for a given
system
• Unused class attributes
• Unintended functionality or anomalous behavior
RTCA documents DO-178B [1] and DO-248B [2] provide guidance for reuse and modification of previously
developed software (PDS), deactivated code, and dead code. FAA Order 8110.49 [24] and AC 20-148 [34] also
provide additional guidance for the use of reusable software components, including life cycle data. PDS is included
in this discussion as it is one form of a reusable component. DO-178B guidance for upgrading software from a
previous development (such as DO-178A) still applies.
OO components taken from the non-avionics or non-commercial avionics industries and reused may have been
designed to be highly reusable, but, quite often, not all of the necessary software life cycle data is available. Again,
normal guidance from DO-178B applies in these situations. Generally, the product and process assurance artifacts
must be produced as part of a first software approval.
While DO-178B already provides guidance for deactivated and dead code, significantly more software component
reuse is expected through OOT. The following subsections provide elaboration of issues, which may become more
pervasive as more software components are reused through the application of OOT. The major issues for reuse, dead
code, and deactivated code are addressed in the following subsections. References to existing DO-178B guidance
are provided, as appropriate.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-46
Volume 3
3.9.3.2 Guidelines
For standard libraries, the applicant should identify which Application Programming Interfaces (API) of the library
are used and unused in the system. For option-selectable software, the applicant should identify which classes and
methods within classes are used and unused for particular installations.
The use of individual subclasses, each of which represents a different option, is a good way to implement option-
selectable software. Only the appropriate sub-class is actually created in the system. The caller of the desired
algorithm need not know which algorithm is actually in the system – it is hidden from the other parts of the program.
Deactivated code for both forms of reusable components should conform to the Developer’s intent rule and the All
code verified rule (see below). In both cases, unused interfaces, classes, and methods will be tied to either derived
requirements or explicit, option-selectable requirements specified by the integrator. The derived requirements must
be verified and provided to the system safety assessment (SSA) process for consideration by the integrator. One
acceptable means to identify unused functionality to the integrator would be through the use of traceability matrices.
Verification data for derived requirements must satisfy the objectives of DO-178B. In addition, if the deactivated
classes and methods are built into the executable object code for the various installation options, analysis should be
performed to show that the deactivated code in a particular installation cannot be activated.
Developer’s intent rule: All code must be exercised by requirements-based tests (the requirements may be
derived). Code not associated with requirements should be carefully evaluated and either removed (if it is dead
code) or requirements should be developed for the code. Code which exists due to derived requirements needs to
be explicitly identified by the developer and the associated requirements must be noted as “derived” for inclusion in
the SSA process by the integrator.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-47
Volume 3
All code verified rule: All code executed within any aircraft or engine configuration must be verified per applicable
DO-178B objectives, even if it can be demonstrated that a particular piece of code can never be activated in a
specific system. Note that requirements will be needed for all deactivated code associated with the various aircraft
or engine configurations (either derived requirements or explicit, option-selectable requirements specified by the
integrator).
Reused components must be associated with requirements for the new system. The level of reuse may vary and
include reused requirements data, reused code, and some reuse of verification data. However the reused data must
still satisfy the Developer’s intent rule and be consistent with the SSA. Objective evidence must exist to demonstrate
all reused data satisfies the objectives of DO-178B.
3.9.4.2 Guidelines
Requirements should be developed to a sufficiently low level of detail so that the traceability between requirements
and corresponding classes, methods and operators is clear. Tools to support OO software design and assist with
traceability relationships are highly recommended.
An applicant must demonstrate that an adequate process is in place to resolve dead code issues. A careful evaluation
of apparently dead code is needed to ensure that code that appears dead is actually dead and that it is not just a
documentation omission that makes it appear to be dead code. The Developer’s intent rule, as discussed in section
3.9.3.2, should provide the documentation to make this task much easier. The process also needs to cover overriding
of methods, including compiler generated default methods, operators, or other OO-specific instances where
confusion might arise due to the OO structure of the code.
The following points should be observed when dealing with deactivated code:
• Deactivated code which is intended to operate in any configuration used within an aircraft or engine requires
associated explicit requirements specified by the integrator or derived requirements created by the developer.
• The design and architecture life cycle data should account for deactivated methods and attributes.
• The documented traceability relationships should exist from the source code to either derived or explicit
requirements (deactivated code will have associated requirements; dead code, on the other hand, could exist due
to a design error and there would be no associated requirements).
• The completeness of requirements-based tests against structural coverage objectives should be confirmed
(derived requirements must be verified and will have associated source code; dead code could exist due to a
design error and there would be no associated requirements).
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-48
Volume 3
• The effect of derived requirements on the SSA process should be evaluated, and the effect of unintended
functionality which could be introduced by the derived requirements should be examined.
• Run-time examination of methods should be invoked when the software component is integrated into the final
target environment (control and data coupling/flow coverage are part of the DO-178B objectives; reusable
software component interfaces will need to be examined by the integrator).
Note that many OO languages provide features that, if fully utilized, will make the above activities much more
difficult (e.g., multiple inheritance). Developers may find it useful to develop standards which create a deterministic,
verifiable subset of a given OO language.
In the case of Level A software, object code not directly traceable to the source code will also be of concern, as
noted in Section 6.4.4.2b of DO-178B. Examples of non-traceable, compiler-generated object code could include
default constructors, default destructors, default copy methods, and default assignment methods. The developer
should provide explicit guidelines in terms of utilization of default methods and the appropriate verification
techniques in the planning and standards documents.
See section B.3.1 of Appendix B for an example of deactivated code that contains both deactivated methods and
attributes.
3.9.5.2 Guidelines
This issue applies to a certification project when class hierarchies are not being completely retested. In this case,
applicants must provide a regression analysis of all changes to a class hierarchy in the form of flattened class
hierarchy. More succinctly, the applicant should adhere to the following rule:
Flattened class reverification rule: When a change to an element of a class occurs, reverification of all subclasses
whose flattened form contains the changed element is recommended.
A clear trace of the subclasses that are affected by changes in base classes could be created either manually or with
tools.
If full retesting is performed, an alternative (and recommended) approach is to apply the guidelines described for the
Inherited test case rule (see section 3.3.8.3). This rule states that “every test case appearing in the set of test cases
associated with a class should appear in the set of test cases associated with each of its subclasses.” This conforms to
the Liskov Substitution Principle [7] and will ensure the behaviors of the inherited methods are appropriate for each
subclass.
3.9.6 Changes in the Status of Deactivated Code Versus Actively Used Code
When software components are reused, they are typically used in a slightly different manner than in the original
usage. What was considered “deactivated code” in the original usage may become “active code” in the subsequent
usage. Likewise, active code for the original usage may become deactivated code in the subsequent usage. This
section considers the status change of active and deactivated code.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-49
Volume 3
3.9.6.2 Guidelines
When previously developed software is submitted by an applicant for a new certification, changes in the status of
deactivated code versus actively used code must be documented. Since the reusable components should follow the
All code verified rule (see section 3.9.3.2) as previously discussed, the components should have already have been
verified to obtain regulatory approval. However, in order to gain regulatory approval for the previously deactivated
code, the integrator will need to document and verify the interfaces associated with the newly activated code. This
may drive requirements, design, code, and verification changes from the previously approved baseline.
3.9.7.2 Guidelines
Service history credit may be granted for deactivation mechanisms with appropriate service history data.
The applicant should adhere to the following rule:
Service history rule: Service history credit may only be given for activated code and deactivation mechanisms that
have been actually executed during the service experience period. The target environment, certification basis, and
SSA will need to be considered in this process.
Integrators and regulators need to be aware that deactivated code in a previous certification basis could easily
become active in a newer certification effort. Previously identified derived requirements for deactivated code that
were provided for the previous SSA process may assist in this activity. Integrators and regulators need to review the
documentation for code that has now become active and ensure that, at least for that particular code, proper
certification artifacts and life cycle data exist and any new system hazards have been addressed. Code that becomes
deactivated in a later certification may be left in the executable as long as the guidelines for reuse are followed per
section 3.9.3.2 of this volume. Note that section 4.4 of DO-248B [2] provides additional insight into the issue of
service history.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-50
Volume 3
3.10.1 Purpose
This section addresses issues impacting compliance with DO-178B objectives for traceability, configuration
management, development, verification, structural coverage analysis (including data coupling and control coupling
analyses), dead code, and deactivated code when object-oriented development and verification tools are used.
Additionally, tool issues related to dynamic dispatch, polymorphism, inheritance, frameworks and automatic code
generation are discussed. Tool qualification with regard to OOT is also discussed. As with most of the sections in
this Handbook, UML terminology and examples are used, since UML is the predominant OO modeling language
currently being considered by the aviation community, and other modeling languages present similar issues.
3.10.2 Background
Current OO tools (either internally developed or commercially procured) may not fully satisfy DO-178B objectives
with regard to configuration management, development, and verification. This section provides guidelines for OO
tools to assist applicants in satisfying DO-178B objectives. OO may present new challenges to tool vendors and
applicants that have not been prevalent with structure-based development. The specific OO tool issues and
guidelines are presented in the following subsections; however, the more general concerns are:
1. Addressing verification coverage for OO software;
2. Using OO frameworks, automatic code generators, dynamic dispatch, polymorphism, and inheritance; and
3. Addressing requirements management and traceability during OO development.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-51
Volume 3
3.10.4.2 Guidelines
The developer should control the visual models, charts, intermediate translations of the models, and the code
generated from the model. It is important to understand that there are two parts to UML: (1) a graphical notation,
and (2) an underlying model representation with well-defined semantics. The diagrams are simply views of the
underlying model, and are physically separate from it. Each model element may appear in several diagrams or none
at all. In the extreme, a UML model need not have any graphical representation at all. If the tools used to develop
the models will automatically track the different components of the software requirements and design, then the tool
may need to be qualified, unless the tool can be shown to be deterministic and the output of the tool is verified.
Visual modeling tools should be shown to be deterministic and preserve software life cycle data integrity. Software
visual modeling tools may need to add integrity checks to their raw data files to ensure that when the tool opens or
closes a file, the file’s integrity is maintained. For example, checksums or printed copies of the models can be
compared to the electronic visual models to ensure integrity or electronic copies can implement integrity checks
(e.g., cyclic redundancy checks) of the files computed and compared to ensure the tool does not introduce errors.
As with any software life cycle data, DO-178B configuration management concepts apply to the artifacts of the OO
tools (e.g., frameworks, model files, manual or automatic generated code, and the software environment).
3.10.5.2 Guidelines
Some of the OO tools provide a framework to automate and generate the source code from the UML model and
framework “libraries” of patterns, templates, generics, and classes; replacing the tedious coding tasks for the user.
This will add code or objects (i.e., some tools may generate dynamic constructors, destructors, queues, stubs,
skeletons, and other features). Engineers should understand the tools that are used to develop the airborne
application and what components of the framework are ending up embedded in the airborne software. The
framework and the tool may need to be qualified, and components of the framework embedded in the airborne
application should be assured to the same level as the airborne application.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-52
Volume 3
code generation, the user may also need to produce additional information (e.g., state charts, activity diagrams,
and/or UML action semantics) to specify additional detail of their implementations.
3.10.6.1 Applicability
When discussing automatic code generation, this section assumes that the tool is an automatic code generator that
generates source code. Then the source code is provided to a compiler that generates the object code. The object
code can then be linked to generate the executable object code, and then loaded (or burned) into computer memory
for execution. The tool may automate this process by providing one “make” file to do all of the steps. Although the
code generated has to comply with the coding standards, the user may or may not have control over the code
generator itself. This may be a problem, if the code generated does not comply with the coding standard.
3.10.6.3 Guidelines
Most of the OO UML-based tools use some type of automatic code generation. Since the UML is a formally defined
language, the tools can take the class diagrams, object model diagrams, state charts, and activity diagrams and
generate the source code, or at least the structure. The code generator is a software development tool that may need
to be qualified to the same level as the airborne software application (see section 12.2.2 of DO-178B [1] and FAA
Order 8110.49 [24]). If qualification is required, it will be of a defined configuration of the tool.
If the automatically generated code will be manually modified, the applicant should define and implement a process
for controlling the automatically generated code, manually modifying the code, and keeping track of all changes.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-53
Volume 3
3.10.8.2 Guidelines
Both applicants and certification authorities need to understand which form of analysis for inheritance their
structural coverage analysis tools perform. If the tool performs analysis on concrete methods only, then the
verification process will need to identify where additional verification is needed, and that the appropriate tests are
run and the appropriate structural coverage is obtained. If the tool performs analysis on both concrete and inherited
methods, then the verification process will need to identify where the tool reported that non-coverage was not
needed. Additionally, the structural coverage tool may need to be qualified as a software verification tool.
Guidelines for structural coverage are described in section 3.12 of this Handbook.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-54
Volume 3
entries in the dispatch table) [26]. Unfortunately, current tools performing structural coverage of polymorphism with
dynamic dispatch only measure the execution of the polymorphic call. Guidelines for structural coverage are further
described in section 3.12 of this Handbook.
3.10.9.2 Guidelines
Structural coverage analysis tools for OO languages should measure coverage for each polymorphic call and each
entry in the dispatch tables. Unfortunately, current tools performing structural coverage of polymorphism with
dynamic dispatch only measure the execution of the polymorphic call, and thereby support only the first part of the
recommended coverage analysis. These tools will need to be augmented with other analyses or tools in order to
support the second part of the recommendation (i.e., coverage of every entry in the dispatch tables). For example,
this can be achieved as a result of using the substitutability test guidelines described in sections 3.3.6 through 3.3.10
of this Handbook (i.e., covering every method table entry).
Compliance with the section 3.3.6 through 3.3.10 guidelines should be combined with structural coverage objectives
(e.g., executing every polymorphic call). Additionally, the structural coverage tool may need to be qualified as a
software verification tool. Guidelines for structural coverage are further described in section 3.12 of this Handbook.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-55
Volume 3
3.11 Traceability
3.11.1 Purpose
This section addresses issues influencing compliance with DO-178B objectives regarding traceability, when OO
development and verification methods and tools are used. As with most of the sections in this Handbook, UML
terminology is used, since UML is the predominant OO modeling language currently being considered by the
aviation community, and other modeling languages present similar issues. In this section, it is assumed that the
software development process starts with a set of system level requirements allocated to software. These
requirements can be functional requirements written in text, a requirement model, a set of Use Cases, or even a
combination of these approaches.
3.11.2 Background
Current OO methods and tools (either internally developed or commercially procured) may not satisfy the DO-178B
objectives related to traceability. This section documents the issues related to traceability when OO methods and
tools are used and defines some guidelines for addressing those issues.
Traceability is an important aspect of meeting DO-178B objectives. Section 3.71 of DO-248B [2] states that
traceability is used to:
1. Enable verification of implemented system requirements, high-level requirements, and low-level requirements;
2. Verify the absence of unintended function and/or undocumented source code;
3. Provide visibility to the derived requirements. Traceability applies to both the verification and configuration
management processes.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-56
Volume 3
code and low-level requirements should be provided to enable verification of the absence of undocumented source
code and verification of the complete implementation of the low-level requirements. Traceability from system
requirements to high-level requirements to low-level requirements to code also helps identify derived requirements
and ensure they are passed up to the system safety assessment process.
Other objectives within DO-178B are indirectly related to traceability. The following subsections identify specific
OOT issues that make it difficult to comply with DO-178B’s objectives. Each issue is discussed and recommended
guidelines to address the issue are provided.
3.11.4.1 Guidelines
The software development process usually starts with a set of system level requirements allocated to software.
These requirements can be documented using text, requirements model, or Use Cases. In UML, Use Cases represent
the functional requirements of the system. These functional requirements can be traced to the system level
requirements that can be documented in text. The software functional requirements will be decomposed to create the
low-level requirements and any derived requirements necessary for the implementation of the software. Every
method or a message reception in every object in the software should be traced to its requirement.
Figure 3.11-1 illustrates an example traceability approach for an OO-based system. There are a number of ways to
specify requirements. The user may choose to specify requirements in text, in Use Cases, and/or in a requirements
model. A requirements model may include a combination of requirements-level Use Cases (customer validated) and
a class model of the system. The user may specify the requirements for a class as Statecharts. In this case, the
transition and the states of each Statechart could become the low-level requirements.
Whatever method the user chooses to specify the requirements, they need to be clearly tagged. Figure 3.11-1 shows
that design, implementation, and testing elements are traced to the requirements.
In the design stage, instances are traced to classes. Classes may have relations and should be traced to each other. If
class interfaces are specified as contracts (with pre-/post-conditions for operations and class invariants), then tools
can be used to help trace the relationship between classes and between operations, as well as check them for
consistency and correctness. Each operation or message provided by the instance should be traced to the instance.
The implementation files should also be traced to the instances.
Additionally, the test model should be traced to the requirements. This section assumes that test classes will not have
relations and each test class will have only one instance.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-57
Volume 3
3.11.5.1 Guidelines
The realization of a Use Case may be specified by a set of collaborations. The collaborations define how instances in
the software interact to perform the sequences of the Use Case. Traceability should be done at the instance level.
When the user creates an instance, they must know what that instance is traced to and where its requirements are
coming from. The instances themselves must be traced to their classes. The class and all of its contents and relations
should be traced to a higher-level class or to a Use Case. Since the high level classes are the realization of Use
Cases, which is the functional requirements of the software, the high level classes should be traced to the Use Cases
that they implement. The Use Case must be traced to a system level requirement or a higher-level Use Case. Not all
of the UML diagrams must be traced; tracing all of the objects in the software should be sufficient. Only the
diagrams and UML modeling elements that add some requirements or affect the generation of the executable should
be traced. Class hierarchies and their relations need to be flattened and every class should have clear traceability to
its high level class, Use Case, or text requirements.
The following relations affect traceability in the following ways:
• Association is the semantic relationship between two or more classes that specifies connections among their
instances. In this case, there is no need to trace associations, since they only indicate that one class can talk to the
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-58
Volume 3
other. Each class should have its own traceability to its requirements. Association classes are treated as regular
classes and they will have to be traced to the requirements that caused their existence.
• Aggregation is a special form of association that specifies the whole-part relationship between the aggregate
(whole) and a component (part). Aggregation will affect traceability, because the instance of the aggregate
(whole) will have to be traced to both the whole and the part requirements. The part will only have to be traced to
its own requirements.
• Generalization is the relationship between a more general element and a more specific element. The specific
element is fully consistent with the more general element. An instance of the more specific element may be used
where the more general element is allowed. Generalization will affect traceability, because any instance of the
specific element should be traced to its own requirements. Additionally, it should be traced to the requirements
of the general element from which it is inherited.
Normally, traceability is limited to the UML elements and does not include diagrams.
3.11.6.1 Guidelines
Each UML element (e.g., class, method, object, Use Case) should have traceability, but not every diagram
containing those elements needs to be traced. For example, an object model diagram may not need to be traced, but
every object in the diagram should be traced to its own requirements. The developer should have a process that
enforces the guidelines for traceability, some of the basic guidelines include:
• Every object in the software should be traced to its class.
• Every class in the software should be traced to its superclass.
• Every operation call should be traced to its class.
• Each overridden or overloaded operation should be traced to some requirement(s) or Use Case (s).
• Every class or superclass should be traced to the Use Case (s) that they realize.
3.11.7.1 Guidelines
Traceability should be performed to the object level. Every operation associated with an object should be traced.
This will provide traceability to the implementation of any operations or methods that have been overridden.
“component-based design” or “design by contract” approaches may be used.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-59
Volume 3
3.11.8.1 Guidelines
If the OOT traceability is done to the operation level, then it will be possible to identify dead code at that level. This
will not cover code within a operation itself. OO concepts encourage building reusable classes. The idea of reuse
means that classes are built with generic functional requirements that can be used in multiple systems. In this case,
the reusable library may include some deactivated or dead code in a specific application. Traceability analysis
should be performed on the reusable library in order to identify dead and deactivated code. Dead and deactivated
code is further addressed in section 3.9 of this Handbook.
3.11.9.1 Guidelines
Each operation within an instance should be traced to its requirements. The operation can have more than one
requirement, but it should not have more than one Use Case. This is the normal case for a Use Case driven
development approach; however, it should be noted that it is a good practice to reduce the complexity of traceability
even if another approach is used. In this Use Case approach, we may have one Use Case traced to many operations.
The traceability data for each Use Case should contain the references to all of the operations within the objects that
implement that Use Case.
If it is necessary to trace one operation to multiple Use Cases, then Use Case relationships may be used to help
eliminate redundancy and support traceability.
3.11.10.1Guidelines
Iterative development is most effective when each iterative cycle is completed prior to starting the next cycle. The
iteration should have its own requirements, design, implementation, and test. Completing traceability for each
iterative cycle is recommended, and an impact analysis should be done on the current iteration, whenever the
requirements from the previous iterations are changed.
3.11.11.1Guidelines
Traceability must be done for each application regardless of its usage of reusable components. When reusable
components are used, the traceability should show implementation and verification mapping for all requirements, or
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-60
Volume 3
as a minimum, provide verification and justification for the unused functionality. See section 3.9 of this Handbook
for further guidelines on reuse.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-61
Volume 3
3.12.1 Purpose
This section addresses issues concerning compliance with the structural coverage objectives given in DO-178B [1]
and clarified in DO-248B [2] for certain features of OOT.
3.12.2 Background
Structural coverage, as one of the adequacy measures of requirements-based testing, will not be eliminated with
OOT. Most of what has been learned in the testing of traditional (functional) systems still applies within OOT.
However, traditional functional testing with traditional structural coverage metrics based on source code may not be
adequate for OO software [25][33][34]. In particular, inheritance and polymorphism with dynamic dispatch are two
OOT mechanisms that present problems with verification in general, and testing and structural coverage in particular
[25][34][19].
The FAA has already sponsored some research in this area [26]. Not only were issues identified for inheritance and
polymorphism with dynamic dispatch, but the broader issue of data coupling and control coupling was also raised.
Research is ongoing in this area.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-62
Volume 3
One of the techniques introduced for the understanding of inheritance is that of the flattened class. In a flattened
class, all inherited features are represented along with the features explicitly defined within the subclass. Figure
3.12-1 illustrates a normal inheritance hierarchy on the left, and a flattened inheritance hierarchy on the right. In the
flattened form, all inherited attributes and methods appear in italics.
Class_1 Class_1
Attribute_1 Attribute_1
Method_1() Method_1()
Method_2() Method_2()
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-63
Volume 3
3.12.4.1 Guidelines
Requirements-based testing and requirements and structural coverage of the flattened class is a recommended
practice for OO [11]. A number of researchers recommend class flattening, as they believe the savings from trying
to save tests will be negated by the effort of the analysis, plus the circumstances where savings are possible will be
very rare in real systems. Binder states: “Retesting can be safely skipped only when (1) there is no possible data
flow or control flow from or to the superclass and subclass methods, or (2) the subclass is null and simply renames
the superclass” [11, p. 510]. The difference between covering the class, and covering the flattened class for
Method_1 from Figure 3.12-1 is demonstrated in Figure 3.12-2 and Figure 3.12-3.
In Figure 3.12-2, complete coverage is shown for Method_1 as a composite of the coverages obtained within
Class_1, Class_2, and Class_3. This is referred to as coverage of concrete features.
Class_1
Method_1() Structural
Coverage
Report
Class_2 Class_3
Method_1() Method_1()
In Figure 3.12-3, only partial coverage is shown for Method_1 in the three different classes. This is referred to as
context coverage.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-64
Volume 3
Class_1
Method_1() Structural
Coverage
Report
Class_2 Class_3
Method_1() Method_1()
DO-178B does not require the context sensitive verification required by flattened classes. Always flattening the
class hierarchy for verification, recommended in [26], will lead to some over-verification of certain inherited
features (e.g., simple get and set methods for attributes). Fortunately, HIT can be used to prevent the over-
verification by identifying those methods that do not need any reverification. The HIT analysis could be automated,
incorporated into structural coverage analysis tools, and qualified.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-65
Volume 3
Class_1
Attribute_1
Method_1()
Method_2()
Class_2 Class_3
Attribute_1 Attribute_1
Attribute_2 Attribute_3
Method_1() Method_1()
Method_2() Method_2()
Method_3() Method_4()
Assume that in our system we have an “Object_X” that can refer to objects of either Class_1, Class_2, or Class_3.
When we see the call to “Object_X.Method_2()” in the source code for our system, different Method_2’s will be
called depending on the run-time class of the object that “Object_X” refers to. This is depicted graphically in Figure
3.12-5.
Figure 3.12-5 shows that the reference “Object_X.Method_2()” can dispatch to either Class_1.Method_2() or
Class_2.Method_2(). Class_1.Method_2() will be called if “Object_X” refers to an object of either Class_1 or
Class_3. This is because Class_1.Method_2() was defined in Class_1 and inherited in Class_3. Class_2.Method_2()
will be called if “Object_X” refers to an object of Class_2. This is because Class_2.Method_2() was defined in
Class_2, where it overrode the definition of Class_1.Method_2(). Polymorphism with dynamic dispatch has made
some of the control flow, and thereby the associated data flow, implicit in the source code rather than explicit.
Object_X
Method_2
Class_1.Method_2() Class_2.Method_2()
3.12.5.1 Guidelines
Numerous approaches have been proposed for the adequate testing of polymorphic calls:
1. The first approach says that execution of the polymorphic call is sufficient. This approach confines testing to the
level of abstraction of the source code (i.e., every statement has been executed). This approach assumes that the
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-66
Volume 3
underlying implementation hides no details requiring verification below the abstraction level of the source code.
This approach treats dynamic dispatch as being equivalent to static dispatch. Watson and McCabe refer to this as
the “optimistic approach” [30, pp. 62-63]. DO-178B currently does not require verification below the level of the
source code for software at Levels C and B. DO-178B does, however, require verification beyond the source
code for software at Level A.
2. The second approach says to treat a polymorphic call as a case/switch statement [31]. This approach assumes that
the underlying implementation is important. This approach can be implemented in two major ways. The first way
is to recognize that the “case/switch statement” is repeated in multiple places. Testing and coverage could be
obtained from the collective executions of all the calls (inlined call to the case/switch statement). The second
way is to exhaustively test and cover the feasible “branches” at each call, which makes this approach equivalent
to the next one.
3. The third approach says that execution of every possible dispatch is required. Binder states “Although a
polymorphic message is a single statement, it is an interface to many different methods. Just as we would not
have high confidence in code for which a only a small fraction of the statements or branches had been exercised,
high confidence is not warranted for a client of a polymorphic server unless all the message dispatches generated
by the client are exercised” [29, p. 438]. Watson and McCabe refer to this as the “pessimistic approach” [30, p.
63]. This approach can also be implemented in two ways. The first way is to look at polymorphic messages only
and ignore polymorphic parameters. The second way is to consider the polymorphic parameters. This brings in a
level of complexity that the next approach attempts to deal with.
4. The fourth approach says that execution of a “mathematically significant” subset of all possible dispatches is
required [32]. This approach attempts to mitigate the enormous number of tests and required effort that can result
from the exhaustive execution of all possible dispatches.
5. The fifth and final approach says that we need to execute every polymorphic call, and for one call site that forms
an equivalence class with all others dispatching on the same base class, require execution of every possible
dispatch. Note that the exhaustive dispatching can be done in a test driver instead of the application. This is
another attempt to mitigate the exhaustive approach. Watson and McCabe refer to this as the “balanced
approach” [30, pp. 63-64].
As the previous discussion has made clear, the proper verification of polymorphism and dynamic dispatch is still an
active research area. Until a final answer is in, a minimal requirement should be the execution of all polymorphic
calls, and the execution of all possible dispatches collectively (i.e., coverage of all entries in the dispatch table)
[21][26].
Current tools performing structural coverage of polymorphism with dynamic dispatch only measure the execution of
the polymorphic call, and thereby support the first approach discussed previously. These tools support the first part
of the recommended approach. These tools will need to be augmented with other analyses or tools in order to
support the second part of the recommendation.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-67
Volume 3
Some simple examples demonstrating the complexity of coupling are given in [35].
3.12.6.1 Guidelines
This is an active area of research, both within academia and the FAA. Therefore, no OO-specific guidelines can be
provided on data coupling and control coupling at this time.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-68
Volume 3
3.13 References
1. RTCA, Inc. Software Considerations in Airborne Systems and Equipment Certification. RTCA/DO-178B,
December 1992.
2. RTCA, Inc. Final Report for Clarification of DO-178B “Software Considerations in Airborne Systems and
Equipment Certification.” RTCA/DO-248B, October 2001.
3. Daugherty, Gary. “Application of the Subtyping Pattern to System Level Test.” Rockwell Collins technical
report, April 2002, available from the author (gwdaughe@rockwellcollins.com).
4. Object Management Group. OMG Unified Modeling Language Specification. Version 1.3, June 1999, available
from http://uml.shl.com/artifacts.htm.
6. Lindholm, Tim and Frank Yellin. The Java Virtual Machine Specification. Second Edition, Addison-Wesley,
1999.
7. Liskov, Barbara and Jeanette Wing. “A Behavioral Notion of Subtyping.” ACM Transactions on Programming
Languages and Systems, 16(6): 1811-1841, November 1994.
8. Liskov, Barbara with John Guttag. Program Development in Java: Abstraction, Specification, and Object-
Oriented Design. Addison-Wesley, 2001.
9. Lorentz, Mark and Jeff Kidd. Object-Oriented Software Metrics. Prentice-Hall, 1994.
12. Bruce, Kim, Luca Cardelli, Giuseppe Castagna, The Hopkins Object Group, Gary T. Leavens and Benjamin
Pierce. “On Binary Methods.” Iowa State University, technical report #95-08a, December 1995.
14. Clifton, Curtis, Gary T. Leavens, Craig Chambers, and Todd Millstein. “MultiJava: Modular Open Classes and
Symmetric Multiple Dispatch for Java.” OOPSLA 2000 Conference Proceedings: ACM SIGPLAN Notices,
vol. 35, no. 10, October 2000, pp. 130-145.
15. Johnston, Simon. Ada95 for C and C++ Programmers. Addison-Wesley, 1997.
Mis en forme
16. Meyers, Scott. Effective C++. 2nd edition, Addison-Wesley, 1998.
17. Meyer, Bertrand. “Applying design by contract.” IEEE Computer 25(10):40-51, October 1992.
18. Meyer, Bertrand. Object-Oriented Software Construction. 2nd edition, Prentice-Hall PTR, 1997.
19. Jeff Offutt, Roger Alexander, Ye Wu, Quansheng Xiao, and Chuck Hutchinson. “A Fault Model for Subtype
Inheritance and Polymorphism.” Twelfth IEEE International Symposium on Software Reliability Engineering
(ISSRE ’01), IEEE Computer Society Press, November 2001, pp. 84-93.
21. AVSI. Guide to the Certification of Systems with Embedded Object-Oriented Software. Available from Boeing,
Rockwell Collins, Honeywell, and Goodrich, or directly from the Aerospace Vehicle Systems Institute (AVSI).
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-69
Volume 3
Mis en forme
22. Stroustrup, Bjarne. The Design and Evolution of C++. Addison-Wesley, 1994.
23. Guidance for the Use of Ada in High Integrity Systems, ISO/IEC TR 15942:2000 see
http://isotc.iso.ch/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm.
24. FAA Order 8110.49. Software Approval Guidelines. Chapter 4, June 3, 2003.
25. Perry, Dewayne E. and Gail E. Kaiser. “Adequate Testing and Object-Oriented Programming.” Journal of
Object-Oriented Programming, January/February 1990.
26. Chilenski, John Joseph, Thomas C. Timberlake and John M. Masalskis. Issues Concerning the Structural
Coverage of Object-Oriented Software. Technical Report: DOT/FAA/AR-02/113, November 2002.
27. Harrold, Mary Jean, John D. McGregor and Kevin J. Fitzpatrick. “Incremental Testing of Object-Oriented
Class Structures.” Proceedings of the 14th International Conference on Software Engineering, 1992.
28. McGregor, John D. and David A. Sykes. A Practical Guide to Testing Object-Oriented Software. Addison-
Wesley, 2001.
29. Siegel, Shel. Object Oriented Software Testing : A Hierarchical Approach. John Wiley & Sons, 1996.
30. Watson, Arthur H.,Thomas J. McCabe. Structured Testing: A Testing Methodology Using the Cyclomatic
Complexity Metric. NIST Special Publication 500-235, 1996.
31. Jacobson, Ivar, Magnus Christenerson, Patrik Jonsson and Gunnar Overgaard. Object-Oriented Software
Engineering: A Use Case Driven Approach. Addison-Wesley, 1992.
32. McDaniel, Robert and John D. McGregor. Testing the Polymorphic Interactions between Classes. Technical
Report: TR94-103, Clemson University, 1994.
33. Booch, Grady. Object-Oriented Analysis and Design with Applications. 2nd edition, Benjamin/ Cummings,
1994.
34. FAA AC 20-148, Reusable Software Components, final (unsigned) version dated August 3, 2004.
35. Laplante, Phillip A. (editor). Dictionary of Computer Science, CRC Press LLC, 2001.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-70
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-71
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-72
Volume 3
1. Does DO-178B require compliance with the subtyping rules for substitutability (LSP)?
No. However, the structural coverage criteria must still be met, and the issues raised in Volume 2 must still be dealt
with in some manner. Compliance with the subtyping rules is just one way to do so, and is compatible with the
definition of the Generalization relationship by UML (below).
2. Does UML require compliance with the subtyping rules for substitutability (LSP)?
UML does not directly mention the Liskov Substitution Principle (LSP) or the rules given in this Handbook. UML,
however, does say that the Generalization (subtyping) relationship implies substitutability, which indirectly implies
compliance with LSP.
6. Is it necessary to use special OO coverage tools to measure structural coverage of dynamic dispatch?
No. By following an appropriate test process , it is possible to ensure that all entries of all dispatch tables are
exercised. The use of tools to measure this type of coverage, however, is still encouraged.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-73
Volume 3
of certain features (such as multiple implementation inheritance). This table does not appear in this Handbook,
however, a similar mapping based on similar criteria may appear in a future version. This Handbook does provide
reference to DO-178B sections and objectives, which can help users determine the applicable software levels.
9. How about the use of “work arounds” as a substitute for the direct use of OO features?
The guidelines are not intended to give a “free pass” to the use of OO-like work arounds as a substitute for the direct
use of OO features. For example, the intent is not to favor the hand coding of dispatch routines (containing explicit
case statements) over the use of dynamic dispatch. By drawing an analogy between the two, the guidelines impose
the same coverage criteria for both.
Similarly, issues related to substitutability must be addressed by any system that permits the “plugging in”
(substitution) of one piece of software in place of another (either at run-time or in different versions of the system
intended for different customers), whether the system uses OO or not. The OO subtyping guidelines are only a plus
in this regard. If you intend to allow substitution (of either form) in an OO system, following the guidelines provides
a well trod path for doing so. Something comparable, and not addressed by this Handbook, would still be required if
a different approach were taken.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-74
Volume 3
B.1.1.1 Examples
Consider an avionics display system that defines a class DisplayElement and its subclasses (see Figure B.1-1).
A given display is composed by drawing its associated elements. In order to draw the pilot's attention to critical
information, we highlight specific elements while hiding others. The specifics of drawing an element, hiding it, and
highlighting it vary according to the type of element. To allow variations on the display for specific customers and
aircraft, and to minimize the impact of future changes, the overall application should deal with elements only
abstractly (e.g., in terms of the kind of information they display and not how they display it).
The code to draw the display is then:
for each display element
call the draw method associated with its run-time class
end
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-75
Volume 3
Client DisplayElement
importance : int
xOrigin : CoordinateValue
yOrigin : CoordinateValue
draw()
highlight()
hide()
NonTextualElement TextualElement
width : GraphicsDistance
highlight() height : GraphicsDistance
displayedValue : String
draw()
highlight()
getDisplayedValue() : String
setDisplayedValue(string : String)
B.1.1.2 Structure
In general, a client method calls an operation associated with a target object. The client method may be associated
with any object, including the target object itself. The run-time class of the target object is a concrete class which
may have superclasses and subclasses. The association of methods with classes is determined at compile time in
accordance with the restrictions imposed by the Simple overriding rule (see section 3.3.4.3) and the rules for
Subtyping (see section 3.3.6).
Polymorphically, the client method may view the target object at run-time as an instance of its run-time class or,
more abstractly, as an instance of any of its superclasses. In all circumstances, however, it is the method associated
with the run-time class of the target object that is executed when the operation is called.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-76
Volume 3
ta rg e tO bje c t T a rg e tC la ss
0 ..* 1
-ru nT im eC las s
1
clie n tM eth o d ta rg e tO p e ra tio n e x e cu te s m eth o d In T a rg e tC la s
1
ca lls s
+ s p ec if ic ation
+ s p ec if ic ation 1 1 + s p ec if ic ation
S up e rC la ss
1
m eth o d In S u p e rC lass
S ub C la ss
1
m eth o d In S u b cla ss
B.1.1.3 Participants
The client method calls the target operation on the target object, which executes the method associated with it by the
run-time class of the object.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-77
Volume 3
overhead. Dispatch times, however, should still be both bounded and deterministic. The invokeinterface can
also be implemented using dispatch tables if the implementation takes advantage of the fact that new classes cannot
be loaded dynamically, making it equivalent to invokevirtual.
7
Unlike C++ and Java, we cannot control the visibility of individual attributes (record fields). This, however, is of little
consequence if all data is hidden, as in normal practice. The Ada 95 tagged type can be designated as private to ensure this.
8
This would not be a problem if the argument were declared to be of a class wide type because dynamic dispatch would then
occur.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-78
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-79
Volume 3
9
In this section, qualification refers to the compiler qualification and is not related to the tool qualification of DO-178B.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-80
Volume 3
<<Interface>>
Dri ver
getAge() : i nt
getAddress() : String
getViolationCount()
passBi rthday()
payFee()
<<Interface>> <<Interface>>
FrenchDri ver USDriver
<<Interface>>
FrenchUSDriver
Figure B.2-1 Repeated inheritance: sharing and replication, based on [18, p. 547]
The fundamental question with respect to repeated inheritance is whether inheritance of the same operation along
more than one path should result in a single operation in the subinterface or in multiple operations.
Since we are dealing with this issue with respect to interfaces (and not implementation), we must view this question
from the client’s perspective. In general, a client will be satisfied if all subinterfaces of a given interface inherit a
definition of the expected operation. Since this is guaranteed (we will have at least one definition of the operation),
clients will be satisfied in this regard.
The remaining question is whether repeated inheritance should ever result in more than one definition of the
operation in the subinterface. A case for this can be made by the example appearing in Figure B.2-2. Each driver [of
a motor vehicle] has an age, and a primary residence (and associated address). We are also interested in tracking the
number of traffic violations committed by the driver, leading to a potential revocation of the person’s license.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-81
Volume 3
Subinterfaces of Driver represent French drivers and US drivers. Drivers who have licenses in both countries are
categorized as both French and US drivers 10.
In terms of this example, it is clear that there should be a single operation to get the driver’s age, which will be the
same in both countries. Address and number of traffic violations, however, are potentially a different matter. The
driver may have different addresses in each country and traffic violations committed in one country may not count
against his/her driving record in the other. Similarly, license fees may have to be paid at different times in each
country and paying the fee in one country will not necessarily satisfy the other (although it may be possible to obtain
an international driving license that can be used in both).
The need to be able to define both shared operations (such as getAge and passBirthday) and replicated operations
(such as getAddress, getViolationCount, and payFee) can be satisfied in a number of ways.
We could require that all replicated operations be specified redundantly. Doing so, we would require that
FrenchDriver define the operation getFrenchAddress, while UsDriver defines an otherwise identical operation
getUsAddress.
Alternately, the language could simply permit the renaming of those operations to be replicated in the subinterface
and assume that repeated inheritance otherwise implies sharing. This is appealing because the situations in which
replication is the right choice are relatively rare. In most cases (especially those involving interfaces), sharing is the
desired result. As Meyer notes, “Cases of repeated inheritance similar to the transcontinental drivers (Figure B.2-2),
with duplicated operations as well as shared ones, do occur in practice, but not frequently” [18]. The case involving
only shared operations is far more common, especially with regard to interface inheritance. For this reason, it is most
important that sharing be supported well at the language level, or in any prescribed guidelines. Additional work (or
the use of work arounds) is probably acceptable in the less common case involving replication.
Sharing is also appropriate when we view multiple interface inheritance as a means of breaking up a large interface
specification into smaller interface specifications (superinterfaces) intended for particular categories of clients. In
Figure B.2-3, for instance, we begin with the definition of a single large interface AvionicsDataServiceInterface.
This interface is large because it contains the operations needed by all clients. This, unfortunately, makes it
unwieldy for them all.
No particular type of client, however, may need the full set of operations. Rather clients of type Producer may need
a given subset of the operations, while clients of type Consumer may need a different (but overlapping) subset, and
so on. To simplify each client’s view, we define a separate interface containing only the operations that it needs (see
Figure B.2-4). Because operations that appear in more than one of these client specific superinterfaces have the same
source (AvionicsDataServiceInterface), it is clear that they are intended to represent the same operation. (The
operation getDataChannel in the producer interface is the same as the operation getDataChannel in the consumer
interface because both are taken from the definition of getDataChannel provided by AvionicsDataServiceInterface.)
As a result, definitions of such operations should always be shared. This view is also consistent with the policies of
Java and C++.
10
Bertrand Meyer, whose wife is French, is a case in point.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-82
Volume 3
<<Interface>>
Driver
getAge() : i nt
getAddress() : String
getViolationCount()
passBi rthday()
payFee()
<<Interface>> <<Interface>>
FrenchDriver USDriver
<<Interface>>
FrenchUSDriver
getFrenchAddress() : String
getUsAddress() : String
getFrenchViolationCount()
getUsViolationCount()
pay FrenchFee()
pay UsFee()
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-83
Volume 3
AvionicsDataServiceInterface
init()
addDataChannel(name : String) : DataChan...
deleteDataChaqnnel(name : String)
deleteDataChannel(channel : DataChannel)
getDataChannel(name : String) : DataChan...
getAllProducerDataItems(channel : DataCh...
getAllConsumerDataItems(channel : DataCh...
assignBandwidth(channel : DataChannel, m...
advertise(name : String) : DataItem
subscribe(name : String) : DataItem
setProducerRole(channel : DataChannel, pu...
setConsumerRole(channel : DataChannel, p...
setDataValue(item : DataItem, validity : boo...
setDefaultValue(item : DataItem, validity : b...
sendDefault(item : DataItem )
setRate(item : DataItem, rateInHertz : float)
setPriority(item : DataItem, priority : int)
getDataIValue(tem : DataItem, out validity ...
isStale(item : DataItem ) : boolean
getDataChannel (name : Stri ng) : DataChan... getDataChannel(name : Stri ng) : DataChannel init()
advertise(name : String) : DataItem subscribe(name : String) : DataItem addDataChannel(name : String) : DataChann...
setProducerRole(channel : DataChannel, pu... setConsumerRole(channel : DataChannel, pu... deleteDataChaqnnel(name : String)
setDataValue(item : DataItem, validity : boo... setRate(item : DataItem, rateInHertz : float) deleteDataChannel(channel : DataChannel)
setDefaul tValue(item : DataItem, validity : b... setPriority(item : DataItem, priority : int) getDataChannel (name : String) : DataChannel
sendDefault(item : DataItem) getDataIValue(tem : DataItem, out validity : V... getAllProducerDataItems(channel : DataChan...
isStale(item : DataItem) : boolean getAllConsumerDataItems(channel : DataCha...
assignBandwidth(channel : DataChannel, min...
AvionicsDataServiceInterface
init()
addDataChannel(name : String) : DataChan...
deleteDataChaqnnel(name : String)
deleteDataChannel (channel : DataChannel)
getDataChannel(name : String) : DataChan...
getAllProducerDataItems(channel : DataCh...
getAllConsumerDataItems(channel : DataCh...
assignBandwidth(channel : DataChannel, m...
advertise(name : String) : DataItem
subscribe(name : String) : DataItem
setProducerRole(channel : DataChannel, pu...
setConsumerRole(channel : DataChannel, p...
setDataValue(item : DataItem , validity : boo...
setDefaultValue(item : DataItem, validity : b...
sendDefault(i tem : DataItem)
setRate(item : DataItem, rateInHertz : float)
setPriority(item : DataItem, priority : int)
getDataIValue(tem : DataItem, out validity ...
isStale(item : DataItem) : boolean
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-84
Volume 3
<<Interface>>
A
f() : A
<<Interface>>
<<Interface>>
C
B
f() : B
<<Interface>>
D
In general, the combined operation has a pre-condition that represents an or’ing of the pre-conditions of all inherited
definitions of the operation, and a post-condition that represents an and’ing of all inherited post-conditions. Type
constraints on in parameters are considered part of the pre-condition. Type constraints on out parameters and the
result, and any restrictions on errors reported/exceptions thrown, are considered part of the post-condition.
These guidelines are simply intended to help the user write the correct signature for the combined operation. The
target language compiler should catch errors associated with the result of doing so, including errors resulting from
attempts to combine conflicting definitions.
Adopting the simple view of interface inheritance as a factoring of a large interface into smaller ones targeted to
specific categories of clients, we could instead forbid refinement of operations along separate paths. This is certainly
consistent with the idea that all refinements of an operation be compatible (in this case, they would have to be
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-85
Volume 3
identical). However, forbidding refinement of operations may be less flexible than we would like in situations such
as that given above, and would certainly be more restrictive than is required to be type safe 11.
<<Interface>>
A
f() : A
<<Interface>>
<<Interface>>
C
B
f() : B
<<Interface>>
D
f() : B
11
With respect to the languages of primary interest, the ways in which operations may be refined are limited (C++ permits the
return type to be made more specific, Java permits the elimination of exceptions from the exception list). The ability to make the
return type more specific, however, has been shown to have a large effect upon the number of run-time casts required [22].
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-86
Volume 3
<<Interface>> <<Interface>>
B C
<<Interface>>
D
Figure B.2-7 Independently defined operations with same signature, based on [18, p. 550]
If the operations were completely and formally specified, we could compare pre-conditions and post-conditions to
see if the semantics are the same. If they are, then a single operation that does what they both promise to do should
be sufficient in all cases.
Alternately, we could adopt the view that interface inheritance represents only a factoring of a large interface into
smaller ones targeted to specific categories of clients. If we use interface inheritance in only this way, then it is clear
that we intend the separately inherited operations to be the same (i.e., sharing is always the right answer). This view
is also consistent with the policies of Java and C++.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-87
Volume 3
signatures is not simply accidental. As suggested by the guidelines for Multiple Interface Inheritance (see section
3.4.4), a comment annotation should be used to document this intent, thereby ensuring it is properly maintained.
12
This explicit form of selection is preferred, even though C++ provides for implicit selection, in some cases, in accordance with
its own dominance rule [22, p. 263].
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-88
Volume 3
C_1
A_1
A_2
M_1() -- A_1
M_2() -- A_1
M_3() -- A_2
M_4() -- A_2
Client
C_2 C_3
M_1, A_3 A_4
M_2, M_5() -- A_3, M_1, M_2 M_6() -- A_4, M_3, M_4
M_5
The differentiator between dead and deactivated code is whether requirements exist for the unused portions of code
or not. If requirements exist and usage in another configuration is possible, then the code may be considered
deactivated but it must be verified according to its software level. If requirements exist, but the code is not intended
to be executed in any configuration, then the code may also be considered deactivated with the deactivation means
requiring verification. If, however, the appropriate requirements do not exist, then the code should be considered
dead and it should be removed.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-89
Volume 3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
3-90
DRAFT
Contents
4.1 PURPOSE.................................................................................................................................................. 4-1
4.2 BACKGROUND ......................................................................................................................................... 4-1
4.3 ACTIVITIES FOR STAGES OF INVOLVEMENT ............................................................................................. 4-1
4.3.1 Activities for Stage of Involvement #1 (SOI #1) – PLANNING REVIEW ........................................ 4-1
4.3.2 Activities for Stage of Involvement #2 (SOI #2) – DEVELOPMENT REVIEW ............................... 4-3
4.3.3 Activities for Stage of Involvement #3 (SOI #3) – VERIFICATION/TEST REVIEW ......................... 4-7
4.3.4 Activities for Stage of Involvement #4 (SOI #4) – FINAL REVIEW ................................................ 4-9
4.4 REFERENCES ......................................................................................................................................... 4-10
Tables
Table 4.3-1 SOI #1 Activities/Questions.................................................................................................................... 4-3
Table 4.3-2 SOI #2 Activities/Questions.................................................................................................................... 4-6
Table 4.3-3 SOI #3 Activities/Questions.................................................................................................................... 4-9
Table 4.3-4 SOI #4 Activities/Questions.................................................................................................................... 4-9
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it
intended to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a
standalone product but, rather, as input when considering issues in a project-specific context.
4-ii
Volume 4
4.1 Purpose
Volumes 1-3 of the OOTiA Handbook have pointed out a number of potential issues and some potential ways to
address the issues, when using object-oriented technology (OOT) in aviation products. Because OOT poses a
number of potential certification issues, it may require additional oversight by certification authorities and their
designees, as well as the applicants. This volume provides an approach for certification authorities and designees to
ensure that OOT issues have been addressed in the projects they are reviewing or approving.
4.2 Background
In 1998, the FAA’s Software Review Job Aid [2] for conducting software reviews prior to certification was released.
The Job Aid provides a standardized approach for certification authorities and designees to perform software
reviews in order to assess compliance to DO-178B objectives. In 2003, the Job Aid was updated to address lessons
learned and to correct some typographical errors. Additionally, Chapter 2 of the FAA Order 8110.49, “Software
Approval Guidelines,” addresses the software review process [1]. The focus of the Job Aid is a series of activities
and questions to be addressed by reviewers to ensure that the project meets DO-178B objectives.
Since the software review (either on-site or desk) is the primary means for certification authorities and designees to
assess compliance to DO-178B objectives, this volume provides a series of activities and questions to be considered
in conjunction with those in the Job Aid during a software review for object-oriented (OO) projects. The activities
and questions are in a format similar to the Job Aid and may eventually be implemented into the Job Aid. The
activities and questions are divided among the four stages of involvement (SOI) that are discussed in the Job Aid
and chapter 2 of Order 8110.49. Each activity has a set of questions designed to help carry out that activity. It is
important to realize that these questions are not all encompassing. Some questions will not be applicable to all OOT
projects and some projects will require additional questions. Each question includes reference(s) to DO-178B and
Volume 2 of this Handbook.
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context. 4-1
Volume 4
1.1 Review all software plans and consider the following questions:
1.1.1 Does the additional considerations section (or some other section) of the 2.3.4 A1: 4
Plan for Software Aspects of Certification (PSAC) address that the project
is object-oriented (OO) and identify OO-related issues for the specific
project?
1.1.2 Have the issues raised in Volume 2 of the Handbook (summarized in 2.3.1, 2.5.2 All
section 2.5.2 of Volume 2) been addressed by the applicant’s plans? Note:
Volume 3 provides some approaches for addressing OO issues; however,
applicants may have other means to address the issues.
1.1.3 Do the plans address how the following common OO implementation 2.3.1 A1: 4
features will be addressed to comply with DO-178B objectives?
• Encapsulation
• Overloading
• Inheritance
• Dynamic binding/dispatch
• Polymorphism
• Templates
• Inlining
• Deactivated code
• Reusability
4-2
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 4
1.2.2 Are OO methods and notations documented in the software requirements 2.3.1.1 and A1: 5
and design standards? Specifically, do the standards identify how non- 2.3.1.2 (Sect 11.6-
functional requirements are captured, and how low-level and derived 11.7)
requirements are addressed?
1.2.3 Do the development standards implement the solutions to the OO issues as N/A A1: 5 & 7
the PSAC (or other plans) claim they will?
1.2.4 Do the standards disallow “constructs or methods that produce outputs that 2.3.1.3 A1: 5
cannot be verified or that are not compatible with safety-related (Sect 4.5c)
requirements” (per DO-178B, section 4.5c)?
1.2.5 Are necessary restrictions for the chosen OO language identified in the 2.3.1.3 A1: 5
coding standards? (Sect 11.8)
1.2.6 If constructs or methods were disallowed, do the plans address how proper 2.3.1.3 A1:
implementation will be verified? 1,2,5,&7
1.3 Determine if an Issue Paper (IP) is needed for the project. An IP is 2.5.2 Varies
typically required if the plans do not address the known issues (e.g., the
issues summarized in section 2.5.2 of Volume 2).
4-3
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 4
4-4
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 4
2.3.1 Is the intent of subclass operations clear and unambiguous? Specifically, 2.3.2.2.1 A3: 1-4,
consider: 6,7
• Is the complete definition/intention of a class clear (in order to avoid a A4: 1-4, 6-
subclass being incorrectly located in a hierarchy)? 11
• How is the class hierarchy accuracy assured?
• Do top-heaviness or deep hierarchies exist (six or more subclasses)? If
so, how is it verified that the wrong variable type, variable, or method
are not inherited?
• How are unintended connections among classes (which could lead to
difficulty in meeting the DO-178B/ED-12B objective of data and
control coupling) prohibited?
2.3.2 Have overriding concerns been addressed? Specifically: 2.3.2.2.2 A3: 1-4,
• Can an operation accidentally override another? 6,7
• Can operations inherited from different sources be accidentally joined? A4: 1-4, 6-
• Can a subclass-specific implementation of a superclass be accidentally 11, 13
omitted?
• Have the classes of errors associated with overriding that were
identified in Volume 2 (section 2.3.2.2.2.d) been addressed?
2.4 If objects or design components are being reused, have
dead/deactivated code issues been addressed? Specifically:
2.4.1 Are the issues of dead and deactivated code addressed consistently 2.3.2.4.1 A5 & A7
throughout the project and as the planning documents stated?
(Sect 5.4.3
& 6.4.4.3)
2.4.2 Does overriding result in any dead or deactivated code? 2.3.2.4.1 A5 & A7
(Sect 5.4.3
& 6.4.4.3)
2.4.3 Do libraries and OO frameworks result in dead or deactivated code? 2.3.2.4.2 A5 & A7
(Sect 5.4.3
& 6.4.4.3)
4-5
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 4
4-6
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 4
3.1 Consider if data and control coupling issues have been addressed by
considering the following questions:
3.1.1 Does the OO approach address data and control coupling analysis? 2.3.3.1.1 A7: 8
3.1.2 If dynamic dispatch is used, how is data and control coupling analysis 2.3.3.1.1 A7: 8
performed?
3.1.3 If inlining is used, how is data and control coupling analysis performed? 2.3.3.1.1 A7: 8
4-7
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 4
3.3.3 If polymorphism is used, how is structural coverage addressed? 2.3.3.1.2 A7: 5-7
3.3.4 If inlining is used, how is structural coverage addressed? 2.3.3.1.2 A7: 5-7
3.3.5 If templates are used, how is structural coverage addressed? 2.3.3.1.2 A7: 5-7
3.3.6 If source to object code traceability is required (per DO-178B, section 2.3.3.1.4 A7: 7
6.4.4.2b), how is it carried out? Specifically, how do dynamic dispatch,
inlining, and type conversion affect source to object code traceability?
3.4 If dynamic dispatch, inlining, and/or polymorphism are used, have 2.3.3.1.3 A5: 6
their effects on stack usage and timing analysis been addressed?
3.5 Consider if the testing issues have been addressed by considering the
following questions:
3.5.1 Has requirements-based testing, software integration testing, and 2.3.3.2.1 A6
hardware/software integration testing been properly performed? The key
concern for requirements testing is that the mapping of function-oriented
test cases to an object-oriented implementation might not be obvious since
the basic unit of testing in an OO program is not a function or a subroutine,
but an object or a class.
3.5.2 Has test coverage of both high-level and low-level requirements been 2.3.3.2.1 A7: 3, 4
completed? Note: Test coverage of high-level and low-level requirements
typically requires different testing strategies than the traditional functional
approach, because information hiding and abstraction techniques decrease
or complicate the observability of low-level functions.
4-8
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 4
3.5.3 Has a retest or reuse of test cases approach been implemented to address 2.3.3.2.2 A6 & A7
inheritance and overriding? The concern to be addressed is: Requirements-
based testing is complicated by inheritance, dynamic dispatch, and
overriding because it might be difficult to determine how much testing at a
superclass level can be reused for its subclasses.
4.1 Has the approach for addressing OO concerns been summarized in the N/A A10: 3
Software Accomplishment Summary?
4.2 Have all open OO issues from previous reviews been addressed? N/A ALL
4.3 Have all issues identified in the OO Handbook and applicable to the Vol 1-3 ALL
system been assessed and properly addressed?
4.4 Does the Software Configuration Index accurately document the N/A A10:3
configuration items and environment of the OO software?
4-9
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.
Volume 4
4.4 References
1. FAA Order 8110.49, Software Approval Guidelines, June 3, 2003. A copy of this Order is available from the
FAA website at http://www2.faa.gov/certification/aircraft/av-info/software/software.htm.
2. FAA Job Aid, Conducting Software Reviews Prior to Certification, dated January 16, 2004. A copy of this FAA
Job Aid is available from the FAA website at http://www2.faa.gov/certification/aircraft/av-
info/software/software.htm.
4-10
NOTE: This Handbook does not constitute Federal Aviation Administration (FAA) policy or guidance, nor is it intended
to be an endorsement of object-oriented technology (OOT). This Handbook is not to be used as a standalone product but,
rather, as input when considering issues in a project-specific context.