Safety-critical systems (whose anomalous behavior could have catastrophic consequences such as loss of human life) are becoming increasingly prevalent; standards such as DO-178B, originally developed for the certification of commercial avionics, are attracting attention in other communities. The requirement to comply with such standards imposes constraints (on quality assurance, traceability, etc.) much beyond what is typical for Commercial-Off-The-Shelf Software.

One of the major decisions that affects the development of safety-critical software is the choice of programming language(s). Specific language features, either by their presence of absence, may make certification easier or harder. Indeed, full genera-lpurpose languages are almost always too complex, and restricted subsets are required.

This tutorial compares several languages currently in use or under consideration for safety-critical systems --C (and also C++), Ada, and Java -- and assesses them with respect to their suitability to be constrained for use for such purposes. It specifically examines the MISRA C subset, SPARK, and the in-progress effort to develop a safety-critical profile of the Real-Time Specification for Java. The tutorial also identifies the challenges that Object Oriented Programming imposes on safety certification and indicates possible future directions.