In response to increasing interest in the use of objectoriented technology for development of safety-critical systems, the new DO-178C guidelines will include supplements to address object-oriented technology, model-driven development, formal methods, and development tool qualification [1]. These supplements correlate well with the emerging safety-critical Java standard. As a portable object-oriented programming language enabling high levels of abstraction, safety-critical Java is an ideal candidate for automatic code generation for programming models. The use of formal methods to prove the absence of certain memory management errors at run time is a critical distinction between safety-critical Java and the Real-Time Specification for Java (RTSJ) [2]. And the specialized development tools that facilitate the use of these formal methods will, in the ideal, be qualified so that the results of their analysis can be relied upon as trustworthy safety certification evidence.