Java in Safety Critical Systems

Authors

  • Andy Walter
  • James J. Hunt
Abstract

Until recently, the preferred language for developing safety critical applications has been Ada, but this is beginning to change. The number of developers willing to program in Ada is diminishing, while the complexity of applications is increasing. Whereas C and C++ are poor alternatives to Ada, realtime Java specifications have benefited from strong cross fertilisation from the Ada community, giving realtime Java most of Ada's advantages for developing safety critical systems. Though strongly related to standard Java technology such as J2SE and J2EE, realtime Java is really a different beast. The differences are subtle, so as to benefit from a common language base, but essential. Realtime Java sets itself apart by having much stronger threading semantics: it provides a strict specification of thread priorities and protocols for avoiding priority inversion. The RTSJ also introduces techniques for avoiding timing anomalies caused by garbage collection, ideally while maintaining the reference consistency that automatic object deallocation ensures. In the past, reference consistency in safety critical applications was maintained by disallowing or severely limiting dynamic memory management. This approach works well for state-machine-like tasks, but not for more complex applications. Many complex safety critical applications use object pooling to dynamically manage memory in order to get around this ad hoc restriction. The emerging Safety Critical Java standard (JSR 302) provides more flexibility than is currently tolerated by providing a stack-like approach to memory allocation and deallocation. This will enable the Java language to be used at the highest criticality levels in the near term, but it does not address increasing complexity well. In the long term, and in the near term for applications at medium criticality, where complexity is already challenging, realtime garbage collection offers a more practical solution.
Garbage collection relieves the application developer of reference inconsistency concerns, such as dangling pointers and memory leaks, since reference consistency can be guaranteed by the Java runtime environment. A deterministic, realtime garbage collector can also ensure that the garbage collection process does not interfere with applications meeting their timing deadlines. Current work on object oriented technology in SG-5 of the SC-205/WG-71 Plenary to update the DO-178 standards will make certification of Java technology, including the use of virtual machine technology and garbage collection, easier. In the past, acceptance of these technologies was up to the discretion of individual certification experts, who often have only a minimal understanding of OO technology. New standards will provide both stronger rules and a rationale for how certification should be conducted. This paper outlines the important Java standards, such as the Real-Time Specification for Java (JSR 1 and JSR 282) and Safety Critical Java (JSR 302), as well as the proposed changes from SG-5 for object oriented technology. New garbage collection technology will also be covered. This should give the attendee a good background in the state of the art of realtime Java technology and safety certification.


Similar sources

A Static Memory Safety Annotation System for Safety Critical Java

Embedded systems must be able to operate for long periods of time with limited memory. Dynamic memory allocation is often discouraged in such systems as it requires careful analysis to rule out memory-related software defects. This paper presents an annotation system that can be used to rule out memory access errors in programs written in a subset of the Java programming language which targets ...


SCJ: Memory-Safety Checking without Annotations

The development of Safety-Critical Java (SCJ) has introduced a novel programming paradigm designed specifically to make Java applicable to safety-critical systems. Unlike in a Java program, memory management is an important concern under the control of the programmer in SCJ. It is, therefore, not possible to apply tools and techniques for Java programs to SCJ. We describe a new technique that u...


Dependable Software through Higher-order Strategic Programming

Program transformation is a restricted form of software construction that can be amenable to formal verification. When successful, the nature of the evidence provided by such a verification is considered strong and can constitute a major component of an argument that a high-consequence or safety-critical system meets its dependability requirements. This article explores the application of novel...


Type Checking Systems Code

Our critical computing systems are coded in low-level, typeunsafe languages such as C, and it is unlikely that they will be re-coded in a high-level, type-safe language such as Java. This invited talk discusses some approaches that show promise in achieving type safety for legacy


Safety-critical Java with cyclic executives on chip-multiprocessors

Chip-multiprocessors offer increased processing power at a low cost. However, in order to use them for realtime systems tasks have to be scheduled efficiently and predictably. It is well known that finding optimal schedules is a computationally hard problem. In this paper we present a solution that uses model checking to find a static schedule, if one exists at all, which gives an implementatio...



Journal title:

Volume   Issue 

Pages  -

Publication date 2010