Combining Task-level and System-level Scheduling Modes for Mixed Criticality Systems
Jalil Boudjadar, Saravanan Ramanathan, Arvind Easwaran, Ulrik Nyman
CCombining Task-level and System-level SchedulingModes for Mixed Criticality Systems
Jalil Boudjadar Saravanan Ramanathan Arvind Easwaran Ulrik Nyman Aarhus University Denmark, Nanyang Technological University, Aalborg University Denmark
Abstract —Different scheduling algorithms for mixed criticalitysystems have been recently proposed. The common denominatorof these algorithms is to discard low critical tasks wheneverhigh critical tasks are in lack of computation resources. Thisis achieved upon a switch of the scheduling mode from Normalto Critical. We distinguish two main categories of the algorithms: system-level mode switch and task-level mode switch . System-levelmode algorithms allow low criticality (LC) tasks to execute only in normal mode. Task-level mode switch algorithms enable toswitch the mode of an individual high criticality task (HC), fromlow (LO) to high (HI), to obtain priority over all LC tasks.This paper investigates an online scheduling algorithm for mixed-criticality systems that supports dynamic mode switches for bothtask level and system level. When a HC task job overruns its LCbudget, then only that particular job is switched to HI mode. Ifthe job cannot be accommodated, then the system switches toCritical mode. To accommodate for resource availability of theHC jobs, the LC tasks are degraded by stretching their periodsuntil the Critical mode exhibiting job complete its execution. Thestretching will be carried out until the resource availability is met.We have mechanized and implemented the proposed algorithmusing Uppaal. To study the efficiency of our scheduling algorithm,we examine a case study and compare our results to the state ofthe art algorithms.
I. I
NTRODUCTION
Modern embedded systems are achieved via the integrationof different system components having different criticalitylevels on a single platform. Such systems are known by mixed criticality systems (MCS). Examples are safety controlsystems in avionics [27] and automotive applications [1].Mixed criticality systems are subjected to certifications dic-tated by the standards of different application areas, wheredifferent criticality levels require different assurance levels[2]. The consequences of missing a deadline vary in severityfrom task to task, according to the given criticality levels.It is therefore clear that highly critical components requirea rigorous analysis to deliver a formal assurance about safetyunder error-free conditions, and the presence of certain definederrors maintains the behavior predictable [11].During operation, it is important that critical tasks aresupplied with sufficient computation resources to meet theirtime constraints. Running low critical tasks ( LC ) with thesame privilege as high critical tasks ( HC ) enables the systemfunctionality to be fully embraced [22], [44], however thisleads to potential violation of the critical tasks safety e.gdeadline miss. An intuitive alternative is to prioritize criticaltasks eternally over low/non critical ones by the use of criticality-as-priority . Prioritizing critical tasks may require to discard low critical tasks. This may degrade the quality ofservice and functionality of the system [31], [28].Since Vestal’s seminal work [45], different scheduling al-gorithms for mixed criticality systems have been introduced[29], [42], [19], [4]. Such scheduling protocols rely on theassumption that a task can have different Worst Case ExecutionTime (WCET) bounds if one considers different confidencelevels. This is due to the fact that determining the exact WCETof a task code is very pessimistic [12], [32]. A task’s WCETcan be bounded according to different confidence levels wherethe higher the confidence is the larger WCET will be [45].Mixed criticality scheduling algorithms commonly use scheduling modes to decide which tasks to consider forscheduling at any point in time [10]. In essence, a schedulingmode dictates the tasks that can be prioritized/ignored accord-ing to the actual workload, so that tasks of a given criticalitylevel obtain privilege over the rest of the tasks regardless ofthe actual priorities. Within a given scheduling mode, tasksare scheduled according to the adopted scheduling policy.Scheduling algorithms for mixed criticality systems can becategorized, based on the type of mode switch scenario, intwo groups: system-level mode and task-level mode . System-level mode scheduling algorithms [33], [29], [13] employ twoscheduling modes Normal and
Critical . HC and LC tasksare equally scheduled under Normal mode. A mode switchfrom Normal to Critical happens whenever there is a potentialinsufficiency of computation resources due to one or more HCtasks exhibiting high confidence behavior, i.e., tasks run formore than their low confidence WCET. In Critical schedulingmode, LC tasks are either entirely dropped [4], [16], or runwith a degraded service [33], [42], [19] to accommodate HCtasks. The system-level algorithms commonly penalize LCtasks [33], [29], [13] as the system mode switch can be decidedwhen a single HC task overruns its low confidence WCET.Task-level mode switch [29], [26] is motivated by thefact that not necessarily all HC tasks exhibit high criticalitybehavior (largest WCET) at the same time. Thus, only the HCtasks running high confidence WCET obtain priority over therest of tasks. Each HC task runs in LO mode and switches to HI mode whenever it overruns its low confidence WCET. Suchoverruns can lead to insufficiency of computation resourceswhere HC tasks running LO mode miss their deadlines if theirpriorities are lower than those of LC tasks.In this paper, we introduce a new elastic control-basedscheduling algorithm by combining the aforementioned cat- (cid:13) a r X i v : . [ c s . O S ] M a r gories. The resulting algorithm relies on a job-level modeswitch technique, where the system mode switch occurs onlywhen there is a HC task job, running LO mode, in risk to missits deadline due to a low priority. We restrict HC behavior toonly the job that either exceeds its low confidence WCET ortriggers a systems mode switch. On Critical mode, we run LCtasks under a degraded mode (periods stretching) rather thancompletely discarded. When the workload permits, LC tasksare compensated by shrinking subsequent periods to amortizethe degradation. Our scheduling algorithm enables runtimeresilience and recovery from overload transient scenarios.The rest of the paper is organized as follows: Section II citesthe relevant related work. Section III presents our multimodescheduling setting for MCS. In Section. IV, we show how toanalyze the schedulability. Section V is a case study. Finally,Section VI concludes the paper.II. R ELATED W ORK
Since Vestal’s [45] seminal work on mixed-criticality (MC)systems, several studies have been carried out in the recentpast for MC scheduling. Most existing works on MC schedul-ing [15], [4], [16], [13], [35] rely on system-level mode switchi.e., when a HC task executes more than its low confidenceWCET the remaining HC tasks also simultaneously exhibitHC behavior. In order to guarantee resources for the HC tasks,many solutions employ a very pessimistic approach that com-pletely discards all the LC tasks upon mode transition [15], [4],[16]. There are some works to delay the dropping of LC tasksby postponing the mode switch instant [38], [20], [23], [33].Santy et al. [39] and Bate et al. [7] proposed some techniquesto minimize the duration for which the system is in mode HIso that to reduce the non-service duration of LC tasks.In this context, a plethora of studies has been carried outto improve the service offered to the LC tasks [3], [20], [28],[41], [40], [43], [5], [31], [36], [30], [18], [19], [25]. Theseapproaches can be classified into four major categories:1)
Elastic Scheduling . The dispatch frequency of LC tasksis reduced (extending their periods) in the HI mode [3],[28], [41], [40], [43], [33].2)
Imprecise Computation/Reduced Execution . LC tasksare executed with reduced execution budget when thesystem is in mode HI [3], [5], [31], [20], [36], [30].3)
Selective Degradation . Depending on the budget avail-ability in the HI mode, only a certain subset of LCjobs/tasks are executed [20], [18], [19].4)
Processor speedup . Huang et al. [24], [25], [9] proposeda dynamic processor speedup technique to guaranteeresources for HC tasks instead of degrading the serviceto the LC tasks in the HI mode.However, all the above works employ an impractical as-sumption that all the HC tasks in the system simultaneouslyexhibit HC behavior. On the contrary, there are very fewworks that relax the system-level mode switch assumption andemploy task-level mode switch [26], [37], [21], [29]. Task-level mode switch algorithms restrict the impact of HC tasksexceeding their low confidence WCET and limit the servicedegradation of LC tasks. Huang et al. [26] proposed a constraint graph to map theexecution dependencies between HC tasks and LC tasks: whena HC task exhibits HC behavior only the LC tasks connectedto it are dropped. However, in their analysis they consider allHC tasks utilize their high confidence WCET. Ren et al [37]proposed a similar technique in which each HC task is groupedwith some LC tasks and only these tasks are affected if thatparticular HC task exhibits HC behavior.Gu et al [21] presented a hierarchical component-basedscheduling technique that allows multiple HC tasks to begrouped within a component. If any HC task in a componentswitches to HI mode, all the HC tasks in the component are runwith their high confidence WCET and the LC tasks within thatcomponent are discarded. The authors also limit the numberof components that can safely switch to HI mode using atolerance parameter to trigger the system mode switch.Erickson et al. [17] proposed a scheduling framework formulticore mixed criticality systems to recover from transientoverload scenarios. The recovery relies on scaling the taskinter-release times to reduce the jobs frequency. The underly-ing schedulability analysis requires that all tasks must run theWCETs of the same confidence level, which implies to rerunthe analysis for each criticality level separately. Compared tothat, our schedulability analysis is performed across differentcriticality levels at once.Lee et al. [29] proposed an online schedulability test fortask-level mode switch and an adaptive runtime task droppingstrategy that minimizes LC task dropping. However, they con-sider all the jobs of a HC task exhibit HI mode behavior whichmay be a pessimistic assumption. Recently, Papadopoulos etal. [34] presented a control approach to achieve resilience inMC systems. HC tasks and LC tasks are executed using aserver-based approach and based on the runtime property ofthe tasks the budget allocated to these servers is dynamicallyvaried. When a HC server exhibits HC behavior, the LCservers are under-scheduled to meet the demand of HC servers.We rely on the same control-based mechanism to achieveLC task periods stretching, however we compensate such adegradation by shrinking LC task periods whenever the HCtasks workload permits.In contrast to the above studies, we propose a dynamicmode switching algorithm that allows both task-level andsystem-level mode transitions. In particular, we restrict the HCbehavior to only the job that either exceeds its low confidenceWCET or triggers a systems mode switch. At the same time,we offer a minimum service to all LC tasks in the Criticalmode using elastic scheduling instead of dropping them.III. M
ULTIMODE S CHEDULING OF
MCSIn this section, we combine system-level and task-levelscheduling modes to produce a multimode scheduling algo-rithm for MCS. Our mixed criticality scheduling algorithmenables efficient mode switches for HC tasks, by predictingthe workload causing HC tasks to fail.
A. System model
We consider deadline-implicit periodic task systems withtwo distinct criticality levels: high (HC) and low (LC), sohat each mixed criticality (MC) task can be a LC or HC.By default criticality , we refer to the criticality level assignedto a given task at the design stage (constant). The runtimecriticality of a task is in fact the (dynamic) criticality levelassigned to the task according to the scheduling mode and/ortask behavior. a) Assumptions:
We consider the following assumptions: • Tasks are preemptible. • All tasks are assigned a static criticality level (LC or HC)by design, called default criticality. • The execution of a HC task must not be discarded underany runtime circumstances. • The runtime criticality of a LC task can never be up-graded to HC. • LC tasks stick always to their low confidence WCET. • There is no dependency between LC and HC tasks. b) Notations: • We use π i to refer to a single task, and Π to refer to theset of tasks. • M ode ( t ) ∈ { N ormal, Critical } states the systemscheduling mode at time point t . • To track the mode of individual HC tasks over runtime,we introduce a function
Ω : { π i | χ i = HC } × R ≥ →{ HI , LO } . For the sake of notation, we write Ω( π i , t ) forthe mode of task π i at time point t . Definition III.1 (Tasks) . A task π i is given by (cid:104) T i , C li , C hi , χ i , ρ (cid:105) where: • T i is the task period. • C li ∈ R ≥ and C hi ∈ R ≥ are the worst case executiontime for low and high confidence levels respectively. Weassume that C hi ≥ C li for HC tasks, and C hi = C li forLC tasks. • χ i ∈ { LC , HC } is the default (constant) criticality of thetask. • ρ is the task priority.The task runtime mode Ω() will be updated on the fly accord-ing to the actual task execution budget.
We distinguish between the task mode Ω( π i , t ) , which isindividual for each task, and the system scheduling mode M ode ( t ) . A task scheduling mode is driven by its execu-tion time, so that whenever the execution violates the lowconfidence WCET C li the task mode is elevated to HI . Theindividual mode of a HC task switches independently. Theoverrun of C li , by a HC task, is considered to be non-deterministic.The system scheduling mode is common for all tasks.It determines the tasks that are allowed to execute, andthe main scheduling criterion (criticality, priority or both).Under Normal mode, all ready tasks are equally scheduledaccording to the adopted scheduling policy. However, when thesystem mode is
Critical criticality levels are used as the mainscheduling criterion to arbitrate tasks. If two tasks have thesame criticality level, then we refer to their actual priorities. Insuch a scheduling mode, LC tasks may not be scheduled giventheir low criticality level. A stretching of the LC task periodsis applied while the system runs in mode Critical. Thus, reducing the utilization of LC tasks to accommodate HC tasks.Whenever the system scheduling mode returns to Normal, theperiods of LC tasks are then shrunk to amortize the delayscreated by the stretching. The shrinking can start only after LCtasks complete the jobs of the periods experienced a stretching.Taskset Π will be scheduled by the real-time operatingsystem according to a scheduling function Sched . In fact,
Sched () implements an actual static priority-based schedulingpolicy such as Fixed Priority scheduling (FP). Sched : 2 Π × R ≥ → Π In a similar way, we define a (
Intermediate ) schedulingfunction
Sched I (Π , t ) which employs both task mode andpriority. Thus, a task gets scheduled at a given time point t if it has either a higher task mode compared to any readytask, or the same task mode but a higher priority. Sched I (Π , t ) = π i | Ready ( π i , t ) ∧ ∀ π j ∈ Π Ready ( π j , t ) ⇒ Ω( π j , t ) < Ω( π i , t ) ∨ Ω( π j , t ) = Ω( π i , t ) ∧ Sched ( { π i , π j } , t ) = π i where Ready ( π i , t ) is a predicate stating whether a given taskis ready at a given time point. As a third stage, we define amore restrictive scheduling function Sched C () which employs Criticality level, task mode and priority to decide which taskto be scheduled at any point in time.
Sched C (Π , t ) = π i | Ready ( π i , t ) ∧ ∀ π j ∈ Π Ready ( π j , t ) ⇒ χ j < χ i ∨ ( χ j = χ i ) ∧ Ω( π j , t ) < Ω( π i , t ) ∨ ( χ j = χ i ) ∧ (Ω( π j , t ) = Ω( π i , t )) ∧ Sched ( { π i , π j } , t ) = π i The utilization of
Sched I () , Sched C () and Sched () isdescribed in the next sections. In the rest of this section, wepresent our task-level and system-level mode switches and howto combine both modes to achieve a more flexible scheduling. B. Task-level mode switcha) Low criticality tasks behavior:
Low criticality tasksare not concerned by the task mode switch because theyare not concerned by rigorous certification as high criticalitytasks. They are also assumed to run always the same WCET,i.e. C l = C h . Figure 1 illustrates the LC tasks behavior. Infact, LC tasks execute regularly next to HC tasks as long asthe system scheduling mode is Normal. Under that contextLC tasks are equally scheduled, using Sched () , as HC tasksrunning in mode LO.Upon a switch of the system mode to Critical, the currentjob periods of LC tasks are stretched to reduce their utilizationand the frequency of releasing new jobs. The system is thendeclared to be performing a stretching pattern. We introducea variable P ∈ {
Stretching, Shrinking, Regular } to storethe current system pattern. We consider that
HI > LO , but HC tasks running in mode LO arecomparable to LC tasks. igure 1: Low criticality task behavior
Active (stretched period)
Active (regular) Active (shrunk period)System scheduling-mode switched to Critical Period stretchingPeriod shrinking
Figure 2: Stretching/shrinking of LC task periods
T T T+(t’-t) T-x t t’ s=s+(t’- t)
To track the stretching duration, we use a variable s whichindicates how much an LC task needs to be compensatedin order to absorb the delays caused by the stretching. Thestretching of LC tasks is a degraded operation mode.Whenever the system scheduling mode is back to Normaland the current stretched periods expire, the stretching isinterrupted and the LC tasks can then execute regularly. Toamortize the slack time created by stretching, the schedulerapplies a shrinking to LC task periods . The shrinking pacedepends on the system workload and the LC task periodslength. The fewer HC tasks run C h the larger the shrinkingwill be. Once all the delays introduced due to stretching areamortized, LC tasks run regular periods .Figure 2 depicts an example of stretching and shrinkingoperations for an LC task period. Within the initial period, thetask executes normally. After releasing the second period, asystem mode switch (from Normal to Critical) happens at time t causing the period to be stretched until time instant t (cid:48) whereanother system mode switch (Critical to Normal) occurs. Thestretching duration t (cid:48) − t is accumulated in s . The third periodwill then be shrunk with ≤ x ≤ s to absorb the delay s . If thedelay s is not completely absorbed in one period, subsequentperiods will be shortened accordingly. Formal calculation ofthe stretching/shrinking durations is provided in Section III-CGiven that C l and C h are equal for each LC task, we simplywrite C . The utilization of a LC task is defined as follows: • Regular activation: U L i = C i T i • During shrinking with a duration δ : U δL i = C i T i − δ suchthat C i ≤ ( T i − δ ) . b) High criticality tasks behavior: Each individual HCtask starts at mode LO and can change its mode independentlyfrom the rest of tasks. By default, on the release of a newperiod the HC task runs LO mode and whenever C l overrun The system pattern is then updated accordingly, P = Shrinking . P = Regular . Figure 3: High criticality task behavior
Active (HI mode)Active (LO mode) WCET C l violation Period termination happens the task mode switches to HI [29]. Such a task modeis maintained until the expiry of the given period. The budgetoverrun is non-deterministic . Figure 3 illustrates the modeswitches of HC tasks.Whenever a HC task switches to mode HI, Ω( π i , t ) = HI ,it obtains the scheduling privilege over all LC tasks. Besides,a HC task running in HI mode has priority over all HC tasksrunning in LO mode. Among the HC tasks running HI mode,the task having the highest priority is scheduled first. Function Sched I () is used to schedule tasks according to these criteria.However, given that HC tasks running LO mode do not haveprivilege over LC tasks, a HC task can miss its deadline underLO mode in case there is a lack of computation resourcesto execute both HC and LC tasks. This can be consideredto be the major drawback of both task-level and system-level scheduling algorithms of mixed criticality systems. Tocircumvent this issue, our scheduling algorithm can assign aHC task running in LO mode the privilege over LC tasks eventhough it does not overrun its low confidence WCET C l .We define the utilization of a HC task π i running mode HI,respectively mode LO, by: U H i = C Hi T i , respectively U L i = C Li T i We also use U L to refer to the utilization of LC tasks. Tospecify the task mode switches, we introduce the followingfunctions: • Status ( π i , t ) ∈ { Ready, Running, Done } returns thestatus of any task π i at any point in time t . • Λ( π i , t ) returns the budget consumed at time t by thecurrent release of a task π i . Λ( π i , t ) is not accumulative,i.e., it resets to zero upon each period release.Formally, the runtime mode of a high criticality taskswitches from LO to HI as follows: ∀ π i ∈ Π | χ i = HC, ∀ t | Status ( π i , t ) (cid:54) = Done ∧ Λ( π i , t ) ≥ C li ∧ Ω( π i , t ) = LO Ω( π i , t ) (cid:55)→ HI Accordingly, the runtime criticality of a HC task returns toLO mode whenever its period expires as shown below. ∀ π i ∈ Π | χ i = HC, ∀ t | Ω( π i , t ) = HI ∧ Status ( π i , t ) = Done ∧ t % T i = 0Ω( π i , t ) (cid:55)→ LO % is the arithmetic modulo operator. One can see that thetask-level mode switch relies on the violation of C l and doesnot guarantee the feasibility of HC tasks running LO mode.igure 4: Runtime example for the system in Table. I π1π2 π3 π4 Ω=LOLOΩ=LOLO Ω=LOHI C l overrun ρ =LO 2 ρ =LO 4 ρ =LO 1 ρ =LO 3 C. System-level mode switch
As stated earlier, the task level mode can be used toprioritize HC tasks running in HI mode. The drawback ofthe task level scheduling mode is then how to prioritize aHC task running a LO mode when the system workloadlacks computation resources . To circumvent this drawback,our system level mode complements the task level mode andconstrains the classic system level mode switches with theworkload of HC tasks running both LO and HI modes equally.Let us illustrate the aforementioned drawback scenario for thesystem of Table I.Table I: Example of a failure case for both system and tasklevel scheduling modes Task T C l C h χ ρπ
20 5 7 HC 2 π
20 5 6 HC 4 π
20 5 - LC 1 π
20 4 - LC 3
Figure 4 depicts a runtime example. On the first period,tasks execute according to the order of their priorities. On thesecond period, π violates its C l = 5 and runs for two extratime units. This delays π , which in turn delays π due to itslower priority. In the end, π misses its deadline with one timeunit. This scenario could be avoided if one would account forthe feasibility of π , at the time point when π violates C l ,and elevate its priority immediately. Thus, π would executebefore π and meets its deadline.To summarize, our system level scheduling mode monitorsthe workload, for both LC and HC tasks, online and decideswhen to prioritize HC tasks over all LC tasks regardless of theHI/LO task modes. The system scheduling mode is effectivelyswitched from Normal to Critical if the actual workload ofLC tasks and HC tasks exceeds the resource supply for a timeinterval starting at the actual time point. Figure 5: System scheduling mode behavior CriticalmodeNormal mode Workload (when all HC tasks run C h ) exceeds Threshold At least one HC task terminated
Figure 5 shows the system mode behavior. The systemis initially at Normal mode, and transits to Critical modewhen the resource demand exceeds the resource supply. LCtask periods are stretched accordingly, thus reducing theirutilization, to make room in the schedule for HC tasks at leastfor their low confidence WCET C l . Whenever the workloadof HC tasks is relaxed, the system switches back to Normaland LC tasks can then be compensated to absorb the delaycaused by stretching.We define the workload function Ψ( π i , [ a, b ]) of a task π i over a time interval [ a, b ] to be the amount of resource that canbe requested by π i . Such a workload includes the remainingexecution time at time point a for the current job plus the jobsto be potentially released until time instant b . We distinguishbetween Ψ H () and Ψ L () according to the task criticality andmodes. Ψ H ( π i , [ a, b ]) = C hi − Λ( π i , a ) + U H i · T i · (cid:100) b − aT i (cid:101) If ( b − a )% T i ≥ C hi C hi − Λ( π i , a ) + U H i · T i · (cid:98) b − aT i (cid:99) Otherwise Ψ L ( π i , [ a, b ]) = C li − Λ( π i , a ) + U L i · T i · (cid:100) b − aT i (cid:101) If ( b − a )% T i ≥ C li C li − Λ( π i , a ) + U L i · T i · (cid:98) b − aT i (cid:99) Otherwise
We define the workload of HC tasks having a high criticalitythan π i for the time interval [ t, T i ] as follows: W hH ( π i , t ) = (cid:88) π j | χ i = HC ∧ Ω( π j ,t )= HI Ψ H ( π j , [ t, T i ]) Implicitly, the time interval [ t, T i ] is the duration left to theexpiry of the last period released by task π i before time point t , i.e. [ t % T i , T i ] . Thus, we avoid writing the conversionabsolute-relative time. In a similar way, we calculate theworkload of HC tasks running LO mode and having higherpriority than π i , for time interval [ t, T i ] as follows: W L ( π i , t ) = (cid:88) π j | χ j = LC ∧ π j ∈ hp ( π i ,t ) Ψ L ( π j , [ t, T i ]) where hp ( π i , t ) is the set of tasks having a higher priority than π i at time point t . Finally, the workload of LC tasks having ahigher priority than π i is given by: W lH ( π i , t ) = (cid:88) π j | χ j = HC ∧ π j ∈ hp ( π i ,t ) ∧ Ω( π j ,t )= LO Ψ L ( π j , [ t, T i ]) We define
DEM ( π i , t ) , an upper bound on the resourcedemand over a given time interval [6], of a HC task runningin LO mode at any time point t till the expiry of that periodto be the remaining budget of such a task for the given periodplus the workload of tasks having either a higher criticality or higher priority. Namely, these are LC tasks having a higherpriority, HC tasks running HI mode and HC tasks running LOmode but having higher priority than task π i . DEM ( π i , t ) = W hH ( π i , t )+ W lH ( π i , t )+ W L ( π i , t )+ C Li − Λ( π i , t ) One can see that we distinguish between HC tasks runningHI, and HC tasks running LO and having higher prioritythan a given task. This is in fact to avoid counting the taskssatisfying both conditions twice in the workload. Given thatthe maximum resource amount that can be supplied to thetask set during a time interval [ a, b ] is b − a , the systemscheduling mode switches from Normal to Critical if theworkload exceeds (or is going to exceed) the resource supply. ∃ t π i | χ i = HC ∧ Ω( π i , t ) = LO ∧ DEM ( π i , t ) ≥ T i − ( t % T i ) M ode ( t ) (cid:55)→ Critical
One can see that the load calculation, as a ground for thesystem mode switch, is performed on the time interval of theactual trigger task rather than classic entire busy period. This isin fact to reduce the over-approximation of the workload, giventhat low confidence WCET violation is non-deterministic, anddeliver an exact load calculation.Once the system scheduling mode is switched to Critical,the periods of LC jobs will be extended with the time left ofthe current release ( T i − ( t % T i ) ) of the HC task ( π i ) causingthe mode switch.Let us call the HC task causing the actual system modeswitch a trigger T , and S the relative time instant of thecorresponding mode switch . Thus, we simply write T ( π i , S ) for a task π i being a trigger at time S . In Critical mode, thesystem uses Sched C () to schedule tasks rather than Sched () so that LC tasks do not have a chance to execute before anyHC task regardless of the HC task mode and priority. Thisdoes not mean that LC tasks are discarded but rather they canexecute once HC tasks are satisfied.We define the demand bound function of a trigger task π i tobe the workload of that task (running C h ) plus the workloadof HC tasks running HI mode and having higher priority than π i . DEM c ( π i , S ) = (cid:88) π j | χ j = HC ∧ Ω( π j , S ) = HI ∧ π j ∈ hp ( π i , S ) Ψ H ( π j , [ S , T i ])+( C hi − Λ( π i , S )) To make room for the trigger task to fully execute just incase it violates its low confidence WCET, we consider C hi instead of C li in DEM c () calculation. This can be an over-approximation but it is much safer and practical given thatHC tasks non-deterministically run C hi . In case the triggertask sticks to its allotted execution time C li , the surplus timeis used to accommodate more LC tasks. The mode trigger task π i is schedulable (under the stretching pattern) if: DEM c ( π i , S ) ≤ T i − S For the sake of notation, we consider S to be a time instant relative to thecurrent release of the trigger task so that we avoid the conversion relative-absolute time. Whenever the current job of the trigger task expires , thesystem scheduling mode switches from Critical to Normal .The mode change instant is calculated from S with the timeleft to the period expiry of π i , i.e. t (cid:48) = S + ( T i − S ) . ∃ π i | T ( π i , S ) ∧ M ode ( S + ( T i − S )) = Critical
M ode ( S + ( T i − S )) (cid:55)→ Normal
Upon such a mode switch, the trigger task is refreshed forthe new period where Ω( T , t (cid:48) ) is set to LO and Λ( T , t (cid:48) ) to 0.To such a purpose, we define the following function: Refresh ( π i , t ) = (Ω( π i , t ) (cid:55)→ LO ) ∧ (Λ( π i , t ) (cid:55)→ where π i must be the most recent trigger task and t is themode switch-back instant ( S + ( T i − S ) ). a) Stretching of LC task periods: To guarantee theruntime resilience, our control-based scheduling algorithmstretches the current job periods of the LC tasks with theduration ( T i − ( t % T i ) ), left to the expiry of the current releaseof the trigger HC task ( π i ), when system mode switches toCritical (at time t ). Once the system mode is switched back toNormal, one needs to absorb the stretching delay ( T i − S ) ofLC tasks so that such tasks return to regular periodic dispatch. b) Shrinking of LC task periods: The shrinking rate ofthe LC task periods depends on the actual system workloadand the length of the individual LC task periods. In fact,the shrinking is driven by the schedulability of the HC taskrunning in LO mode and having the lowest priority, i.e. apriority lower than LC tasks. We consider the current jobof such a HC task, and calculate first how would be theschedulability of that task according to the workload resultingfrom the shrinking of LC periods with a duration δ . Westart with δ equals to the stretching duration ( T i − S ) , if theresulting workload is schedulable (using a DEM -based onlineschedulability test) then the shrinking is applied. Otherwise,we consider a tighter shrinking duration δ < T i − S and so onuntil the workload is schedulable. This binary process can endup having δ = 0 if the resulting workload is not schedulablefor any potential shrinking duration.Let us assume a shrinking duration δ ≤ T i − S (thestretching duration due to the most recent trigger task). Letus assume also that η is the instant of the system mode switchback to Normal mode. The shrinking with δ will be split overa number of periods each LC task can perform within the timeleft ( T i − η ) to the expiry of the current job of the HC taskrunning LO mode with lowest priority ( π i ). The number ofLC task ( π j ) periods occurring within [ η, T i ] , after shrinkingwith δ , is given by T i − η + δT j . Then the actual shrinking of eachLC task ( T j ) period is µ such that δ = µ · T i − nT j − µ which makes µ = T j · δT i − η + δ .We calculate first the resource demand DEM δ ( π i , n ) of theHC task, running LO and having the lowest priority level, The period of the most recent S . T ( π i , S ) and ∀ t ∈ [ S , T i ] ∀ π j (cid:54) = π i ¬T ( π j , t ) . µ is the actual shrinking of each period of a given LC task π j whereas δ is the accumulated shrinking over [ η, T i ]. igure 6: Example of LC task periods shrinking System mode:HC task π : (T=30,C=7)LC task π :(T=20, C=4)LC task π :(T=14,C=3) StretchingRegularShrinkingCriticalNormalStretchingRegularShrinkingHI modeLO mode Shrinking with ∆ =12 over interval[5,30]78 3521 µ =6 µ =4 assuming the actual shrinking µ of LC task periods, from themode change instant until the expiry of its current job period. DEM δ ( π i , η ) = W hH ( π i , η ) + W lH ( π i , η ) + W δL ( π i , η )+( C li − Λ( π i , η )) The workload of LC tasks after shrinking is given as follows: W δL ( π i , η ) = (cid:88) π j | χ j = LC ∧ π j ∈ hp ( π i ,η ) U µL j · ( T j − µ ) · (cid:100) T i − ηT j − µ (cid:101) Figure 6 depicts the period shrinking of two LC tasks fora total duration δ = 12 . We omitted HC tasks and only thelowest priority HC task is depicted. The periods of π , releasedwithin interval [5,30], are shrunk with µ = 6 whereas theperiods of π are shrunk with µ = 4 . Given that we have twoperiods of π , respectively three for π , within [5,30] thus theaccumulated shrinking × , respectively × ,equals δ . D. Multimode Scheduling Algorithm
Our scheduling algorithm is a control-based where thescheduling parameters and criteria (priority only, priorityand criticality, priority-criticality-mode) considered to arbitratetasks depend on the actual system workload and task modes.The overall scheduling algorithm is depicted in Algorithm 1where t is a clock variable to model the time progress. Weintroduce a function Use () to dictate the scheduling criteria tobe used during runtime, in terms of priority, default criticalityand/or runtime criticality. The corresponding scheduling func-tion ( Sched () , Sched I () or Sched C () ) is then accordinglyapplied.Let us introduce lp l ( t ) = π i | χ i = HC ∧ Ω( π i , t ) = LO ∧∀ π j Sched I ( π i , π j , t ) (cid:54) = π i to be the lowest priority HCtask running LO mode. Similarly, we use lp h ( t ) = π i | χ i = HC ∧ Ω( π i , t ) = HI ∧ ∀ π j Sched c ( π i , π j , t ) (cid:54) = π i to referto the lowest priority HC task running HI mode. Wheneverthe execution period of a HC task expires, we refresh the taskmode accordingly to be LO.The initialization function is given by: Init () = t = 0 ∧ Mode ( t ) = N ormal ∧P = Regular ∧∀ i | χ i = HC Ref resh ( π i , t ) ∧ Use ( Sched ())
The statement in line 3 describes when to refresh both statusand mode of each HC task upon the release of a new period.
Algorithm 1:
Elastic multimode scheduling Init () ; while True do if ∃ π i | Status ( π i , t ) = Done ∧ t % T i = 0) then Ref resh ( π i ) ; end if ∃ π i | χ i = HC ∧ Λ( π i , t ) ≥ C li ∧ Status ( π i , t ) (cid:54) = Done then Ω( π i , t ) = HI ; U se ( Sched I ()) ; end if M ode ( t ) = N ormal ∧ DEM ( lp l ( t ) , t )
U se () n principle, a shrinking is applied as long as the stretch-ing duration δ is not completely amortized. To simplify thealgorithm, we have specified a one-go shrinking action, butthe shrinking might be performed on several chunks due topreemption of the system Normal mode. This can be achievedusing an extra variable to track the accumulated stretchingdelays. IV. S CHEDULABILITY A NALYSIS
In this section we show how to analyze the schedulabilityof MCS running our new scheduling algorithm. Our schedu-lability analysis is in fact an online test checking the actualworkload of the different modes and compare it against theresource supply that can be provided for each mode duringa given time interval. We consider the mode switch instantsto be the ground to calculate both demand and supply boundfunctions for our online schedulability test. This makes ourschedulability test applicable no matter of how many modeswitches happen during the system execution.The ultimate goal of our algorithm and the underlyingschedulability analysis is: • guarantee the feasibility of HC tasks under all potentialmodes and patterns, i.e. ∀ t π i | χ i = HC, t % T i = 0 ⇒ Status ( π i , t ) = Done . • minimize the degradation of LC tasks, and compensatefor all potential degradation.To perform the schedulability test, we define the demandbound function DBF( π i , [ t, t + z ] ) to be the resource demand DEM ( π i , t ) of a HC task π i for the entire busy period z startingat time instant t . We simply write: DBF ( π i , [ t, t + z ]) = DEM ( π i , t | Ψ( π i , [ t, T i (cid:55)→ t + z ])) DBF c ( π i , [ t, t + z ]) and DBF δ ( π i , [ t, t + z ]) are accordinglybuilt on DEM c ( π i , t ) and DEM δ ( π i , t ) respectively. t is the timeinstant of the Normal mode release, which could be either ”0”for the initial system release or a time instant where the systemmode switches back to Normal.A given system remains under Normal mode as long as allHC tasks are schedulable, DBF () of the lowest priority HCtask π i does not exceed the potential resource supply for thetime interval [ t, T i ] . To check schedulability, regardless of theindividual task modes, we analyze DBF () of the lowest priorityHC task. Theorem IV.1 (Schedulability under Normal mode) . The HCtaskset is schedulable when the system runs in mode
Normal ,with at least one HC task under mode LO , if the followingholds: ∀ t M ode ( t ) = N ormal ∀ π i | Ω( π i , t ) = LO ∧ lp l ( t ) = π i and DBF ( π i , [ t, t + z ]) ≤ z Proof.
It is trivial. Given that π i is the least priority ( lp l ( t ) )HC task ( Ω( π i , t ) = LO ), then ∀ π j (cid:54) = π i π j ∈ hp ( π i , t ) . Sincewe only consider fixed priority policies, thus lp l ( t ) = π i ⇒ lp l ( t (cid:48) ∈ [ t, t + z ]) = π i , i.e π i remains the lowest priority HCtask over [t,t+z]. From DBF ( π i , [ t, t + z ]) definition W hH ( π i , t ) and W lH ( π i , t ) include the workload of each newly released With Ψ H ( π i , [ t, z ]) and Ψ L ( π i , [ t, z ]) calculated for the entire busyperiod. HC job in the time interval [t,t+z] having either a higherpriority ( π j ∈ hp ( π i , t ) ∧ Ω( π j , t ) = LO ) or a higher taskmode ( Ω( π j , t ) = HI ), and the execution budget left forthe actual period of time instant t ( C Li − Λ( π i , t ) ). Thus, if π i is schedulable then ∀ π j | Sched ( i, j, t (cid:48) ∈ [ t, t + z ]) = π j ∧ Ω( π j ) ≥ Ω( π i ) is schedulable.This Theorem implies that, in case the lowest priority taskis a high critical, the schedulability test includes all HC andLC tasks. Thus, the schedulability of HC tasks implies theschedulability of the entire task set.In case the system is in Normal mode but all HC tasks runmode HI, there is no point to consider LC tasks as any HCtask has priority over all LC tasks. Theorem IV.2 (Schedulability when all HC tasks run HI mode) . The HC taskset is schedulable when the system runsin mode Normal , with all HC tasks under mode HI , if thefollowing holds: ∀ t M ode ( t ) = N ormal ∧ ∀ π j Ω( π j , t ) = HI and DBF c ( lp h ( t ) , [ t, t + z ]) ≤ z Proof.
It is trivial.In a similar way, the schedulability of the HC taskset undershrinking pattern is defined by the schedulability of the lowestpriority HC task running LO mode. This is because such atask is comparable to LC tasks, thus it can be affected by theshrinking workload.
Theorem IV.3 (Schedulability under Shrinking pattern) . HC taskset is schedulable when the system runs a shrinking witha delay δ if: ∀ t M ode ( t ) = N ormal ∧ P = Shrinking ⇒ DBF δ ( lp l ( t ) , [ t, t + z ]) ≤ z Proof.
It is similar to that of Theorem. IV.1.Again, this theorem implies not only the schedulability ofHC tasks but the schedulability of the entire task set in casethe lowest priority task of Π is a HC task.Whenever a HC task, running in mode LO, is jeopardized tomiss its deadline under mode Normal our scheduling algorithmanticipates a system mode change to Critical . Thus, HCtaskset is schedulable under Critical mode if the lowest priorityHC task running in mode LO, known as a trigger task, isschedulable.
Theorem IV.4 (Schedulability under critical mode) . HC taskset is schedulable when the system runs Critical mode if: ∀ t M ode ( t ) = Critical, ∃ π i | Ω( π i , t ) = LO ∧∀ π j | χ j = HC, Sched C ( π i , π j , t ) (cid:54) = π i ⇒ DBF c ( π i , [ t, t + z ]) ≤ z Proof.
The condition ∀ π j | χ j = HC Sched C ( π i , π j , t ) (cid:54) = π i implies that π i is either the lowest priority HC task or the HCtask having the lowest task mode ( Ω( π i , t ) = LO ) given that Sched C () relies on both task runtime mode and priority. Bydefinition DBF c ( π i , [ t, t + z ]) , includes the workload of all HCtasks π j | χ j = HC ∧ Ω( π j , t ) = HI ∧ π j ∈ hp ( π i , t ) .Thus, if π i is schedulable then any other HC task will beschedulable.able II: Task attributes of the case study Task χ T C l C h ρ Aircraft flight data( π ) HC 55 8 8.9 6Steering( π ) HC 80 6 6.3 9Target tracking( π ) HC 40 4 4.2 3Target sweetening( π ) HC 40 2 2 4AUTO/CCIP toggle( π ) HC 200 1 1 12Weapon trajectory( π ) HC 100 7 7.5 10Reinitiate trajectory( π ) LC 400 6.5 - 14Weapon release( π ) HC 10 1 1.2 1HUD display( π ) LC 52 6 - 7MPD tactical display( π ) LC 52 8 - 8Radar tracking( π ) HC 40 2 2.2 2HOTAS bomb button ( π ) LC 40 1 - 5Threat response display( π ) LC 100 3 - 11Poll RWR( π ) LC 200 2 - 13Perodic BIT( π ) LC 1000 5 - 15 V. C
ASE S TUDY
To study the applicability and performance of our multi-mode scheduling algorithm and show the underlying schedu-lability analysis, we have analyzed an actual example from theavionic domain [14]. The most relevant attributes of the taskset description are given in Table II.We have synthetically calculated C h from C l by consideringthe worst case response time of data fetching. The originaltaskset description of [14] states how many data each taskexchanges during each period. The best case response time ofdata fetching is instantaneous whereas the worst case responsetime is µs for data words, µs for a command and µs for a status. The scheduling policy adopted to schedule thetask set is FP (fixed priority).To analyze the case study, we have mechanized the systemmodel and scheduling algorithms in Uppaal [8]. When werun the taskset using a classic priority-based scheduling, tasks π and π miss their deadlines making thus the system notschedulable. When the system runs fixed priority policy with task level scheduling mode only, task π misses its deadline (response time 106).When the taskset runs the system-level scheduling mode,all HC tasks meet their deadlines whereas multiple LC jobsare discarded to achieve the schedulability of HC tasks. Thenumber of LC task jobs discarded is depicted in Fig. 7.When the system runs our multimode scheduling algorithm ,all the high criticality tasks meet their deadlines. To achievethe schedulability of the HC tasks, our scheduling algorithmpostpones the execution of some of the LC tasks. We con-sider each postponing operation with a delay longer than thecorresponding LC task slack time to be a discard case. Thisis because a delay longer than the available slack time willabsolutely lead the task execution to miss its deadline. Thenumber of LC task jobs discarded by our algorithm is depictedin Figure 7.Compared to the state of the art, for the given case study, ourmultimode scheduling algorithm guarantees the schedulabilityof all HC tasks whereas Task-level scheduling algorithms donot. Moreover, the discard rate of the LC task jobs achievedby our algorithm is 1.0% to 4.58% whereas the discardrate achieved by the state of the art system-level bi-modescheduling [13], [33] is 2.1% to 11.5%. The discard rate is Figure 7: Comparison of the LC task jobs discardedcalculated to be the number of jobs discarded to the totalnumber of jobs released.An important observation from this experiment is that,although the proposed algorithm achieves less discards tolow criticality tasks, it requires around 30% extra overheadcompared to most of the state of the art algorithms. Byoverhead we mean the data size to track the system runtimeand the time to process such data. Thus, the combination oftask-level and system-level mode switches is not efficient inmaking real-time scheduling decisions. Another observation isthat the compensation of LC tasks is slow given that LC taskshave the period lengths comparable to the period of the lowestpriority HC task. VI. C ONCLUSION
This paper introduced a flexible multimode scheduling algo-rithm for mixed criticality systems by combining the system-level and task-level mode switch techniques. The proposedalgorithm relies on a job-level mode switch, where we restrictthe HC task behavior to only the job that either exceeds itslow confidence WCET or triggers a system mode switch. Thistechnique provides an exact schedulability test for the systemmode switches. Low criticality tasks are not discarded undercritical mode, rather their periods are stretched to loosen theunderlying workload. Such tasks are later compensated for thedegradation, due to stretching, by shrinking their subsequentperiods accordingly. We have mechanized our new multimodescheduling algorithm in Uppaal and analyzed an actual avionicsystem component as a case study.The efficiency of our elastic algorithm remains in thefact that considering a short range load calculation of highcriticality tasks leads to accurate and non-aggressive systemmode switches.Although combining task-level and system-level schedulingmodes offers a higher flexibility and accuracy, it experiencesa heavy overhead to calculate real-time scheduling decisions.Thus, such a combination is not suitable for the scheduling ofsafety critical real-time systems.As a future work, we aim to study potential optimizationsof the proposed algorithm overhead.
CKNOWLEDGMENT
This work was in part funded by Independent ResearchFund Denmark under grant number DFF-7017-00348, Com-positional Verification of Real-time MULTI-CORE SAFETYCritical Systems. R
EFERENCES[1] ISO 26262-1:2011 Road vehicles–Functional safety. Technical report,ISO, 2011.[2] K. Abel Ouedraogo, J. Beugin, E. M. El Koursi, J. Clarhaut, D. Renaux,and F. Lisiecki. Toward an application guide for safety integrity levelallocation in railway systems.
International Journal of Risk Analysis ,2018.[3] A.Burns and S. Baruah. Towards a more practical model for mixedcriticality systems. In
Workshop on Mixed- Criticality Systems (co-located with RTSS) , 2013.[4] S. Baruah, V. Bonifaci, G. DAngelo, H. Li, A. Marchetti-Spaccamela,S. van der Ster, and L. Stougie. The preemptive uniprocessor schedulingof mixed-criticality implicit-deadline sporadic task systems. In
ECRTS2012 , pages 145–154, 2012.[5] S. Baruah, A. Burns, and Z. Guo. Scheduling mixed-criticality systemsto guarantee some service under all non-erroneous behaviors. In
ECRTS2016 , pages 131–138, July 2016.[6] S. K. Baruah, L. E. Rosier, and R. R. Howell. Algorithms and complexityconcerning the preemptive scheduling of periodic, real-time tasks on oneprocessor.
Real-Time Syst. , 2(4):301–324, Oct. 1990.[7] I. Bate, A. Burns, and R. I. Davis. A bailout protocol for mixed criticalitysystems. In
ECRTS 2015 , pages 259–268, July 2015.[8] G. Behrmann, A. David, and K. G. Larsen.
A Tutorial on Uppaal , pages200–236. Springer Berlin Heidelberg, Berlin, Heidelberg, 2004.[9] J. Boudjadar. An efficient energy-driven scheduling of dvfs-multicoresystems with a hierarchy of shared memories. In
IEEE/ACM 21st DS-RTConference , pages 1–8, 2017.[10] A. Burns and R. I. Davis. A survey of research into mixed criticalitysystems.
ACM Comput. Surv. , 50(6):82:1–82:37, Nov. 2017.[11] A. Burns, R. I. Davis, S. Baruah, and I. Bate. Robust mixed-criticalitysystems.
IEEE Transactions on Computers , To appear, 2018.[12] A. Burns and B. Littlewood. Reasoning about the reliability of multi-version, diverse real-time systems. In , pages 73–81, 2010.[13] D. de Niz, K. Lakshmanan, and R. Rajkumar. On the scheduling ofmixed-criticality real-time task sets. In
RTSS’09 , pages 291–300, 2009.[14] R. Dodd. Coloured petri net modelling of a generic avionics missionscomputer. Technical report, Department of Defence, Australia, AirOperations Division, 2006.[15] A. Easwaran. Demand-based scheduling of mixed-criticality sporadictasks on one processor. In , pages 78–87, Dec 2013.[16] P. Ekberg and W. Yi. Bounding and shaping the demand of generalizedmixed-criticality sporadic task systems.
Real-Time Systems , 50(1):48–86, Jan 2014.[17] J. P. Erickson, N. Kim, and J. H. Anderson. Recovering from overload inmulticore mixed-criticality systems. In , pages 775–785, May 2015.[18] T. Fleming and A. Burns. Incorporating the notion of importanceinto mixed criticality systems. In
Proceedings of Workshop on MixedCriticality Systems , page 33, 2014.[19] O. Gettings, S. Quinton, and R. I. Davis. Mixed criticality systemswith weakly-hard constraints. In
Proceedings of the 23rd InternationalConference on Real Time and Networks Systems , RTNS ’15, pages 237–246. ACM, 2015.[20] X. Gu and A. Easwaran. Dynamic budget management with serviceguarantees for mixed-criticality systems. In
Proceedings of the IEEEReal-Time Systems Symposium , pages 47–56. IEEE, 2016.[21] X. Gu, A. Easwaran, K.-M. Phan, and I. Shin. Resource efficientisolation mechanisms in mixed-criticality scheduling. In
Proceedingsof the Euromicro Conference on Real-Time Systems , pages 13–24, July2015.[22] G. Howard, M. Butler, J. Colley, and V. Sassone. Formal analysis ofsafety and security requirements of critical systems supported by anextended stpa methodology. In , pages 174–180, 2017. [23] B. Hu, K. Huang, P. Huang, L. Thiele, and A. Knoll. On-the-fly fastoverrun budgeting for mixed-criticality systems. In
Proceedings of theIEEE & ACM International Conference on Embedded Software , pages1–10. IEEE, 2016.[24] P. Huang, G. Giannopoulou, N. Stoimenov, and L. Thiele. Serviceadaptions for mixed-criticality systems. In
In Proceedings of ASP-DAC ,2014.[25] P. Huang, P. Kumar, G. Giannopoulou, and L. Thiele. Run and besafe: Mixed-criticality scheduling with temporary processor speedup. In
DATE 2015 , 2015.[26] P. Huang, P. Kumar, N. Stoimenov, and L. Thiele. Interference constraintgraph - a new specification for mixed-criticality systems. In
ETFA 2013 ,pages 1–8, 2013.[27] P. Huyck. Arinc 653 and multi-core microprocessors; considerations andpotential impacts. In
DASC’12 , pages 6B4–1–6B4–7, 2012.[28] M. Jan, L. Zaourar, and M. Pitel. Maximizing the execution rate of lowcriticality tasks in mixed criticality system. In
Proceedings of Workshopon Mixed-Criticality, RTSS 2013 , pages 43–48, 2013.[29] J. Lee, H. S. Chwa, L. T. X. Phan, I. Shin, and I. Lee. MC-ADAPT:Adaptive task dropping in mixed-criticality scheduling.
ACM Trans.Embed. Comput. Syst. , 16(5s):163:1–163:21, Sept. 2017.[30] D. Liu, N. Guan, J. Spasic, G. Chen, S. Liu, T. Stefanov, and W. Yi.Scheduling analysis of imprecise mixed-criticality real-time tasks.
IEEETransactions on Computers , 2018.[31] D. Liu, J. Spasic, N. Guan, G. Chen, S. Liu, T. Stefanov, and W. Yi.Edf-vd scheduling of mixed-criticality systems with degraded qualityguarantees. In , pages35–46, 2016.[32] A. L¨ofwenmark and S. Nadjm-Tehrani. Understanding shared memorybank access interference in multi-core avionics. In
Proceedings ofWCET’16 , OpenAccess Series in Informatics (OASIcs), 2016.[33] B. Madzar, J. Boudjadar, J. Dingel, T. E. Fuhrman, and S. Ramesh.Formal analysis of predictable data flow in fault-tolerant multicoresystems. In
FACS ’16 , pages 153–171, 2016.[34] A. V. Papadopoulos, E. Bini, S. Baruah, and A. Burns. AdaptMC: Acontrol-theoretic approach for achieving resilience in mixed-criticalitysystems. In , pages 14:1–14:22, 2018.[35] T. Park and S. Kim. Dynamic scheduling algorithm and its schedulabilityanalysis for certifiable dual-criticality systems. In
Proceedings ofEMSOFT ’11 , pages 253–262. ACM, 2011.[36] R. M. Pathan. Improving the Quality-of-Service for Scheduling Mixed-Criticality Systems on Multiprocessors. In , volume 76 of
Leibniz Interna-tional Proceedings in Informatics (LIPIcs) , pages 19:1–19:22, Dagstuhl,Germany, 2017.[37] J. Ren and L. T. X. Phan. Mixed-criticality scheduling on multiproces-sors using task grouping. In , pages 25–34, July 2015.[38] F. Santy, L. George, P. Thierry, and J. Goossens. Relaxing mixed-criticality scheduling strictness for task sets scheduled with FP. In
ECRTS ’12 , pages 155–165, July 2012.[39] F. Santy, G. Raravi, G. Nelissen, V. Nelis, P. Kumar, J. Goossens, andE. Tovar. Two protocols to reduce the criticality level of multiprocessormixed-criticality systems. In
Proceedings of RTNS ’13 , pages 183–192,New York, NY, USA, 2013. ACM.[40] H. Su, P. Deng, D. Zhu, and Q. Zhu. Fixed-priority dual-rate mixed-criticality systems: Schedulability analysis and performance optimiza-tion. In
Proceedings of RTCSA , 2016.[41] H. Su, N. Guan, and D. Zhu. Service guarantee exploration for mixed-criticality systems. In
Proceedings of RTCSA , pages 1–10, Aug 2014.[42] H. Su and D. Zhu. An elastic mixed-criticality task model and itsscheduling algorithm. In , pages 147–152, 2013.[43] H. Su, D. Zhu, and S. Brandt. An elastic mixed-criticality task modeland early-release edf scheduling algorithms.
ACM Trans. Des. Autom.Electron. Syst. , 22(2):28:1–28:25, Dec. 2016.[44] H. Su, D. Zhu, and J. Zhu. On the implementation of rt-fair schedulingframework in linux. In
IUCC 2015 , pages 1258–1265, 2015.[45] S. Vestal. Preemptive scheduling of multi-criticality systems withvarying degrees of execution time assurance. In28th IEEE InternationalReal-Time Systems Symposium (RTSS 2007)