Safety-Critical Java: Level 2 in Practice

TL;DR

This paper analyzes the features and requirements of Safety Critical Java Level 2, proposing modifications to enhance its support for nested mission sequencers, managed threads, and multi-processor scheduling, with formal modeling validation.

Contribution

It classifies Level 2 features, identifies specification gaps, and proposes modifications to improve support for complex safety-critical applications.

Findings

Identification of key features requiring support at Level 2

Proposed specification modifications for thread termination and timing

Formal model validation of proposed changes

Abstract

Safety Critical Java (SCJ) is a profile of the Real-Time Specification for Java that brings to the safety-critical industry the possibility of using Java. SCJ defines three compliance levels: Level 0, Level 1 and Level 2. The SCJ specification is clear on what constitutes a Level 2 application in terms of its use of the defined API, but not the occasions on which it should be used. This paper broadly classifies the features that are only available at Level 2 into three groups:~nested mission sequencers, managed threads, and global scheduling across multiple processors. We explore the first two groups to elicit programming requirements that they support. We identify several areas where the SCJ specification needs modifications to support these requirements fully; these include:~support for terminating managed threads, the ability to set a deadline on the transition between missions, and augmentation of the mission sequencer concept to support composibility of timing constraints. We also propose simplifications to the termination protocol of missions and their mission sequencers. To illustrate the benefit of our changes, we present excerpts from a formal model of SCJ Level~2 written in Circus, a state-rich process algebra for refinement.