Ada and the FACE approach: Enabling high-assurance, portable software for defense systems
StoryMay 08, 2025
Andrea Bristol
AdaCore
The Future Airborne Capability Environment, or FACE, approach seeks to drive down defense system costs and accelerate delivery through software reuse, portability, and interoperability. Ada – a language purpose-built for high-integrity, real-time embedded systems – aligns naturally with these goals. With robust support for safety, security, and long-term maintainability, Ada is an appropriate language for software that aligns with the FACE Technical Standard. The recent approval of AdaCore’s verification methodology by the FACE Consortium further reinforces Ada’s role in this ecosystem, enabling developers to produce standards-compliant, portable components using Ada and the GNAT technology stack.
The Future Airborne Capability Environment, or FACE, approach is a U.S. government, industry, and academia initiative designed to transform the procurement and development of software for military avionics systems. Managed by the FACE Consortium under the auspices of The Open Group the FACE approach’s overarching goal is to reduce system life cycle costs and time to field by enabling software portability, reusability, and interoperability across different platforms and suppliers. This method also avoids vendor lock-in. The approach consists of a technical framework, a software architecture based on well-defined, standardized interfaces, and a business strategy to encourage a competitive, innovation-driven marketplace through software components that conform to the FACE Technical Standard.
At the heart of the FACE initiative lies the principle of reducing duplication and increasing efficiency. Software components developed to conform to the FACE Technical Standard can be reused across multiple platforms and programs, significantly reducing the cost and effort required for integration and maintenance. This design is particularly valuable in the defense and aerospace sectors, where system complexity, long lifespans, and strict certification requirements make traditional development approaches costly and inflexible.
The FACE Technical Approach is based on several elements:
- A segmented software architecture that separates portable from platform-specific components
- An expressive and language-agnostic data modeling technology that ensures a consistent interpretation for data communicated across components
- Tiered profiles and capability sets that impose safety-oriented restrictions on standard software interfaces and language features
Although it is focused on portability and does not address functionality or assurance requirements, the FACE approach accounts for the fact that, in practice, an airborne system comprises components at varying levels of safety sensitivity. The FACE Technical Standard thus defines subsets of standard application program interfaces (APIs) – in particular POSIX and ARINC-653 – at several levels, called profiles. In increasing order of criticality – from most permissive to most restrictive – these are General Purpose, Safety Extended, Safety Base, and Security.
Analogously, the FACE Technical Standard defines subsets of standard language features for C, C++, Ada 95, Ada 2012, and Java (called capability sets): General Purpose, Safety Extended, and Safety Base/Security.
Technical, strategic alignment
Ada is a state-of-the-art programming language that development teams worldwide are using for critical software, from microkernels and small-footprint, real-time embedded systems all the way up to large-scale enterprise applications.
The language was designed from the ground up to support the development of reliable, efficient, and portable software for real-time embedded systems. With a strong emphasis on readability, modularity, and language-enforced correctness, Ada has the correct features for building high-assurance software in critical domains.
For several decades, Ada has been used in some of the most demanding software environments in the world, including military and aerospace systems, railway control, air traffic management, and medical devices. Its feature set – including strong typing, contract-based programming, compile-time checks, and tasking for real-time concurrency – makes it a natural fit for software designed for a FACE architecture, where robustness, traceability, and long-term maintainability are nonnegotiable. (Figure 1.)
Figure 1 ǀ Ada is used in demanding software environments, including places in which robustness, traceability, and long-term maintainability are nonnegotiable, for instance in the cockpit systems of an F-16 fighter jet. In photo: A fighter pilot climbs a ladder into the cockpit of an F-16C Fighting Falcon jet during an overseas training mission. U.S. Air National Guard photo by Senior Airman Darion Boyd.
The FACE Technical Standard has explicitly recognized the relevance and maturity of Ada by supporting both Ada 95 and Ada 2012 within its architecture. This formal support ensures that developers using Ada are not constrained in their ability to produce portable and reusable software components, provided those components meet the defined FACE Technical Standard criteria.
In 2024, a significant milestone was reached when the FACE Consortium formally approved a proposed approach for FACE conformance verification of Ada software.1 This development addressed a long-standing gap in the ecosystem and enabled a clear path forward for Ada users seeking conformance with the FACE Technical Standard.
Historically, conformance verification within the FACE ecosystem has been tailored to C and C++, languages that typically achieve portability through standardized APIs and header-based abstractions. The conformance process involves link-time tests against stubbed standard run-time libraries, enabling verification of source-level portability.
However, applying this methodology to Ada presents unique challenges. Ada relies on well-defined syntax, semantics, and language-defined keywords. Crucially, the compiled output of these features invokes functions within a compiler-specific runtime environment. This runtime dependency is the source of the challenges.
To address this hurdle, AdaCore developed an extension to the existing FACE verification methodology. This extension introduces a mechanism for incorporating an Ada toolchain including a compiler-specific runtime into the FACE Conformance Test Suite. The key idea is to evaluate whether this toolchain enforces the constraints and restrictions defined in the FACE Technical Standard. If the toolchain, with its stubbed runtime, does not detect a prohibited usage, then additional assurance measures are necessary. In such cases, the onus falls on the software developer to provide inspection-based evidence demonstrating that the disallowed feature is not used in the component under test.
Ada is now fully enabled within the FACE ecosystem, providing a robust, standards-aligned pathway for building portable, reusable, and certifiable software components. Developers can take advantage of Ada’s intrinsic strengths of strong typing, modular design, real-time support, and safety-focused semantics while remaining fully compliant with the FACE Technical Standard.
As defense programs increasingly embrace open architecture standards such as FACE, Ada continues to prove its enduring relevance. The Ada language remains a compelling and forward-looking choice for defense and aerospace organizations building critical software systems that demand high integrity, long-term maintainability, and cross-platform interoperability.
References
1 https://collaboration.consortia.opengroup.org/face/documents.php?action=show&dcat=93&gdid=53926
Andrea Bristol is the PR and Marketing Campaigns Manager at AdaCore. A marketer for over 19 years, Andrea is a Fellow of the Chartered Institute of Marketing.
AdaCore https://www.adacore.com/
