Resource Efficient Isolation Mechanisms in Mixed-Criticality Scheduling
Xiaozhe Gu, Arvind Easwaran
Nanyang Technological University, Singapore. Email: [email protected], [email protected]
Kieu-My Phan, Insik Shin
KAIST, Korea. Email: [email protected], [email protected]
Abstract—Mixed-criticality real-time scheduling has been developed to improve resource utilization while guaranteeing safe execution of critical applications. These studies use optimistic resource reservation for all the applications to improve utilization, but prioritize critical applications when the reservations become insufficient at runtime. Many of them however share an impractical assumption that all the critical applications will simultaneously demand additional resources. As a consequence, they under-utilize resources by penalizing all the low-criticality applications. In this paper we overcome this shortcoming using a novel mechanism that comprises a parameter to model the expected number of critical applications simultaneously demanding more resources, and an execution strategy based on the parameter to improve resource utilization. Since most mixed-criticality systems in practice are component-based, we design our mechanism such that the component boundaries provide the isolation necessary to support the execution of low-criticality applications, and at the same time protect the critical ones. We also develop schedulability tests for the proposed mechanism under both a flat as well as a hierarchical scheduling framework. Finally, through simulations, we compare the performance of the proposed approach with existing studies in terms of schedulability and the capability to support low-criticality applications.
I. INTRODUCTION
An increasing trend in embedded systems is towards open computing environments, where multiple functionalities are developed independently and integrated together on a single computing platform [1]. An important notion behind this trend is the safe isolation of separate functionalities, primarily to achieve fault containment. This raises the challenge of how to balance the conflicting requirements of isolation for safety assurance and efficient resource sharing for economical benefits. The concept of mixed-criticality appears to be important in meeting those two goals.

In many safety-critical systems, the correct behavior of some functionality (e.g., flight control) is more important (“critical”) to the overall safety of the system than that of another (e.g., in-flight cooling). In order to certify such systems as being correct, they are conventionally assessed under certain assumptions on the worst-case run-time behavior. For example, the estimation of Worst-Case Execution Times (WCETs) of code for highly critical functionalities involves very conservative assumptions that are unlikely to occur in practice. Such assumptions make sure that the resources reserved for critical functionalities are always sufficient. Thus, the system can be designed to be fully safe from a certification perspective, but the resources are in fact severely under-utilized in practice.

In order to close such a gap in resource utilization, Vestal [2] proposed the mixed-criticality task model that comprises different WCET values. These different values are determined at different levels of confidence (“criticality”) based on the following principle. A reasonable low-confidence WCET estimate, even if it is based on measurements, may be sufficient for almost all possible execution scenarios in practice. In the highly unlikely event that this estimate is violated, as long as the scheduling mechanism can ensure deadline satisfaction for highly critical applications, the resulting system design may still be considered as safe.

To ensure deadline satisfaction of critical applications, mixed-criticality studies make pessimistic assumptions when a single high-criticality task executes beyond its expected (low-confidence) WCET. They assume that the system will either immediately ignore all the low-criticality tasks [3], [4], [5], [6], [7], [8] or degrade the service offered to them [9], [10], [11], [12]. They further assume that all the high-criticality tasks in the system can thereafter request additional resources, up to their pessimistic (high-confidence) WCET estimates. Although these strategies ensure safe execution of critical applications, they have a serious drawback as pointed out in a recent article [9]. When a high-criticality task exceeds its expected WCET, the likelihood that all the other high-criticality tasks in the system will also require more resources is very low in practice. For instance, it is unlikely that adaptive cruise control and anti-lock braking, both of which are critical, would simultaneously require additional resources because their execution time depends on different inputs. Cruise control would most likely require additional resources when the cameras and lidars provide dense data, whereas the execution of anti-lock braking mainly depends on the speed of the vehicle and the friction on the tyres. Therefore, to penalize all the low-criticality tasks in the event that some high-criticality tasks require additional resources seems unreasonable.

In practice, most mixed-criticality systems are component-based, wherein different vendors independently design and develop the various applications. For wide applicability, it is then natural that mixed-criticality scheduling strategies must consider the impact of WCET violations across component boundaries. To the extent possible, these strategies must limit this impact to within components, so that other components in the system can continue their execution uninterrupted. One extreme manifestation of this view is the reservation-based approach that completely isolates components but severely under-utilizes the resources. On the other hand, most of the recent mixed-criticality studies such as those mentioned above completely ignore these component boundaries but still under-utilize resources due to unrealistic assumptions.

Contributions.
Addressing the two central issues described above, in this paper we propose a resource efficient mechanism to support low-criticality tasks while still ensuring isolation of high-criticality tasks. This mechanism comprises the following.
1) A new parameter to model the expected number of simultaneous violations of low-confidence WCET by high-criticality tasks.
2) A corresponding execution strategy that maximizes low-criticality task executions as long as this number is not exceeded.
3) To efficiently support component-based mixed-criticality systems, we employ our mechanism at the component level. We ensure that as long as the number of low-confidence WCET violations within a component does not exceed the component’s expected limit, task executions in other components, including low-criticality ones, remain unaffected.

It is worth noting that this mechanism generalizes both the reservation-based approach in which high-criticality tasks are allocated resources based on their high-confidence WCETs [13], as well as the classical mixed-criticality studies that penalize all the low-criticality tasks (e.g., [8]). Considering a mixed-criticality scheduling strategy based on the Earliest Deadline First (EDF) policy (e.g., [6], [7], [8]), we also derive schedulability tests for the proposed mechanism. We derive these tests for a flat (non-hierarchical) as well as a hierarchical scheduling framework. While both these frameworks ensure isolation for high-criticality tasks as a result of employing criticality-aware scheduling, the hierarchical framework additionally supports compositionality, i.e., the ability of a system to derive properties (e.g., schedulability) for higher level components using derived properties of lower level components. We evaluate the performance of the proposed mechanism in terms of schedulability and the ability to support low-criticality executions through extensive simulations. These results show that our proposed mechanism outperforms all the other existing studies in terms of this dual objective.
Related Work. Since Vestal’s seminal work in 2007 [2], a growing number of studies have been introduced for mixed-criticality real-time scheduling, e.g., [3], [4], [5], [6], [7], [8], sharing the pessimistic strategy that all the low-criticality tasks will be immediately dropped upon WCET violation of a single high-criticality task. Some recent studies have presented solutions to improve support for low-criticality executions [9], [10], [11], [14], [12], [15]. The elastic mixed-criticality model allows for a flexible release pattern of low-criticality tasks depending on the runtime resource consumption of high-criticality tasks, essentially treating the low-criticality workload as background [11], [9], [10]. This was improved by the service adaptation strategy that decreased the dispatch frequency of low-criticality tasks only when a high-criticality task violated its low-confidence WCET. All the above studies however share the unrealistic assumption that once a single high-criticality task violates its low-confidence WCET, all the other high-criticality tasks in the system will also exhibit similar behavior. The interference constraint graph strategy partially relaxes this assumption, at least in terms of its online strategy for penalizing low-criticality tasks [14]. The constraint graph is used to specify execution dependencies between high- and low-criticality tasks, and a response-time based approach was presented to determine graph constraints that improve low-criticality executions at runtime. However, it still uses high-confidence WCET estimates for all the high-criticality tasks when determining schedulability (test based on [2]), which again leads to the same unrealistic assumption and therefore results in resource under-utilization. Further, none of the above studies consider the impact of WCET violations in the context of component-based systems. A couple of recent studies proposed techniques to support hierarchical scheduling for component-based mixed-criticality systems [16], [13]. These studies focused on implementation issues however, and therefore did not consider the problems discussed above.

II. SYSTEM MODEL
A. Task and Component
In this paper we consider constrained-deadline mixed-criticality sporadic tasks (or tasks for short). Such a task can be specified as τ_i = (T_i, L_i, C_i, D_i), where T_i denotes the minimum separation between job releases, L_i denotes the criticality level, C_i is a list of WCET values, and D_i (≤ T_i) denotes the relative deadline. We assume that tasks have only two criticality levels, LC denoting low-criticality and HC denoting high-criticality. Hence L_i ∈ {LC, HC} and C_i = {C_i^L, C_i^H}, where C_i^L denotes the LC WCET and C_i^H denotes the HC WCET. If L_i = HC, then τ_i is called a HC task, otherwise τ_i is called a LC task. We also assume that C_i^L < C_i^H for all the HC tasks, and C_i^L = C_i^H for all the LC tasks. Jobs of τ_i are released with a minimum separation of T_i time units, and each job can execute for no more than C_i^H time units (C_i^L in the case of a LC task) within D_i time units from its release. Let T = {τ_1, ..., τ_n} denote a set of such mixed-criticality tasks that are scheduled on a single-core processor.

We assume that the tasks are partitioned into components, where each component C = (W, TL) comprises the following.
• A real-time workload W denoting a subset of tasks from T, and
• A HC Tolerance Limit TL ∈ N denoting the maximum HC workload isolation limit of the component. As long as no more than TL tasks in the component simultaneously exhibit HC behavior (execution requirement is more than the LC WCET), we must ensure that all the job deadlines in the other components, including those of LC jobs, are met. More details about this parameter are presented later in this section.

Partitioning the task set into components is mainly driven by practical considerations as mentioned in the introduction. Since these components are developed independently, it is desirable to limit the impact of WCET violations to within components as much as possible, while still efficiently utilizing the resources. The HC tolerance limit TL precisely does that in our model. It could be set based on component properties if information about the runtime behavior of HC jobs is available, e.g., the probability of the execution requirement exceeding the LC WCET. It can also be determined such that the limit is maximized so as to support more LC job executions, while still maintaining system schedulability. C = (W, TL) is called a LC component if every task in its workload is a LC task, and for such components we assume that TL = 0. Otherwise, C is called a HC component.

B. Task and Component Execution Model
The execution semantics of a mixed-criticality task has been presented previously [3], and we summarize it as follows. A task τ_i is said to be in low-criticality mode (or LC mode for short) as long as no job of the task has executed beyond its LC WCET C_i^L. If τ_i is a LC task, then this is the only available criticality mode. Whereas if τ_i is a HC task, then it switches to high-criticality mode (or HC mode for short) at the time instant when some job of the task requests to execute for more than its LC WCET. In HC mode, jobs of τ_i can request to execute for no more than C_i^H time units.

We now define the execution semantics of a component C = (W, TL). C has two execution modes, an internal mode that concerns the behavior of tasks in C, and an external mode that concerns the behavior of tasks in the other components. We first describe these two modes, and then discuss their implications.

Internal Mode. Component C experiences an Internal Mode Switch (or IMS for short) at the earliest time instant when any HC task in C switches to HC mode. The component switches its internal mode from LC to HC at this time instant. Prior to this mode switch, all the task deadlines are required to be met. After this switch however, all the LC tasks in C can be dropped, and only the HC task deadlines are required to be met. There is no impact of this mode switch on the other components in the system.

External Mode. Component C experiences an External Mode Switch (or EMS for short) at the earliest time instant when the (TL + 1)-st HC task in C switches to HC mode. The component switches its external mode from LC to HC at this time instant. Prior to this mode switch, at most TL tasks in C were executing in HC mode. After this switch however, all the HC tasks in C may execute in HC mode. Further, all the LC tasks in the system, including the LC tasks in the other components, are no longer required to meet deadlines. Component C’s internal as well as external modes could switch back to LC mode when there are no pending jobs in the system at some time instant.

Note that the intra- and inter-component execution requirements based on their internal and external modes respectively are consistent with the mixed-criticality requirements in the existing literature (e.g., [6]). If C is a LC component, then its internal and external modes are identical and equal to LC. On the other hand, if C is a HC component, then these modes, together with the HC tolerance limit TL, are key mechanisms for supporting LC job executions. If TL > 0, it is possible for IMS and EMS to occur at different time instants (asynchronously). Then, during the interval when component C’s internal mode is HC while its external mode is LC, LC tasks in the other components are isolated from the internal mode switch of C. That is, these LC tasks can continue their execution even though some HC tasks in C are already executing in HC mode.

The proposed model and execution strategy generalizes both the worst-case reservation-based approach in which HC tasks are allocated resources based on their HC WCETs [13], as well as the classical mixed-criticality studies that drop all the low-criticality tasks upon WCET violation by a single HC task (e.g., [8]). The former can be modeled by setting TL = |H|, where |H| denotes the total number of HC tasks in the component, while the latter can be modeled by setting TL = 0.

Scheduling Strategy.
In this paper we focus on the Earliest Deadline First (EDF) strategy, and assume that LC tasks are dropped (not considered for scheduling) once it becomes known that their deadlines are not required to be met. We have chosen this scheduling strategy because it has been successfully employed in the past for mixed-criticality systems (e.g., [6], [7], [8]). To accommodate the sudden increase in demand when tasks start executing in HC mode, these existing studies artificially tighten the deadlines of HC tasks when they are executing in LC mode. This ensures that when a task switches to HC mode, it has some amount of time left until its real deadline to execute any additional demand. In this paper we assume that such deadline tightening strategies are employed.

For a task τ_i = (T_i, L_i, C_i, D_i), we let D_i^L denote the artificially tightened deadline in LC mode of execution. By definition, D_i^L ≤ D_i for all tasks, and D_i^L = D_i if L_i = LC because no tightening is required for such LC tasks. While a HC task τ_i = (T_i, HC, C_i, D_i) is executing in LC mode, τ_i must receive at least C_i^L processor units before its tightened deadline D_i^L. When the task τ_i switches to HC mode, it must receive at least C_i^H processor units before the actual deadline D_i. Note that a HC task in component C that executes in LC mode after IMS of C will continue to be scheduled using its tightened deadline D_i^L, unless it switches to HC mode. After EMS of C however, all the HC tasks are assumed to switch to HC mode and will be scheduled using their actual deadlines.

We consider two different scheduling frameworks in this paper: a flat (non-hierarchical) framework in which all the tasks in all the components are collectively scheduled by a single scheduler, and a hierarchical framework in which the tasks in components are scheduled by intra-component schedulers and the components themselves are scheduled by an inter-component scheduler.
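The internal/external mode rules and the deadline-tightening rule above, as an added example that is not the paper's code: a small event-driven model that records, after each HC-mode switch, which LC tasks are still required to meet deadlines and which relative deadline (D_i^L or D_i) EDF uses for each HC task. The component names, task names and deadline values are constructed; the switch events are fed in by the caller rather than produced by a simulated schedule.

```python
"""IMS/EMS bookkeeping for components with a HC tolerance limit TL, plus the EDF deadline each HC
task is scheduled with (D_i^L in LC mode, D_i after switching to HC mode). Added example, not the
paper's code; task and component names and deadline values are constructed."""


class Component:
    def __init__(self, name, hc_tasks, lc_tasks, TL):
        self.name = name
        self.hc_tasks = dict(hc_tasks)       # HC task -> (tightened deadline D_L, actual deadline D)
        self.lc_tasks = set(lc_tasks)
        self.TL = TL
        self.in_hc_mode = set()              # HC tasks of this component currently in HC mode
        self.internal = self.external = "LC"


class System:
    def __init__(self, components):
        self.components = {c.name: c for c in components}
        self.dropped = set()                 # LC tasks no longer required to meet deadlines

    def hc_mode_switch(self, comp_name, task):
        """A job of HC task `task` in component `comp_name` requests more than its LC WCET."""
        comp = self.components[comp_name]
        assert task in comp.hc_tasks, "only HC tasks switch mode"
        comp.in_hc_mode.add(task)
        if comp.internal == "LC":                          # first switch in the component: IMS
            comp.internal = "HC"
            self.dropped |= comp.lc_tasks                  # only this component's LC tasks are dropped
        if len(comp.in_hc_mode) > comp.TL and comp.external == "LC":   # (TL+1)-st switch: EMS
            comp.external = "HC"
            comp.in_hc_mode = set(comp.hc_tasks)           # all HC tasks assumed to be in HC mode
            for other in self.components.values():         # every LC task in the system is dropped
                self.dropped |= other.lc_tasks
        return self.live_lc_tasks()

    def live_lc_tasks(self):
        """LC tasks still required to meet their deadlines."""
        return {t for c in self.components.values() for t in c.lc_tasks} - self.dropped

    def edf_deadline(self, comp_name, task):
        """Relative deadline EDF uses for a HC task: D_L in LC mode, D once in HC mode."""
        comp = self.components[comp_name]
        D_L, D = comp.hc_tasks[task]
        return D if task in comp.in_hc_mode else D_L

    def idle(self):
        """No pending jobs in the system: internal and external modes return to LC."""
        for comp in self.components.values():
            comp.in_hc_mode.clear()
            comp.internal = comp.external = "LC"
        self.dropped.clear()


def build(tl_for_c1):
    """Constructed two-component system: C1 has three HC tasks and one LC task, C2 two LC tasks."""
    c1 = Component("C1", {"h1": (6, 10), "h2": (12, 20), "h3": (8, 10)}, {"l1"}, TL=tl_for_c1)
    c2 = Component("C2", {}, {"l2", "l3"}, TL=0)
    return System([c1, c2])


def run(tl_for_c1, switches):
    """Apply HC-mode switches of C1 tasks in order; return the live LC task set after each."""
    system = build(tl_for_c1)
    return [sorted(system.hc_mode_switch("C1", task)) for task in switches]


if __name__ == "__main__":
    print("TL=1:", run(1, ["h1", "h2", "h3"]))   # l1 dropped at IMS, everything at the 2nd switch
    print("TL=0:", run(0, ["h1"]))               # classical model: one switch drops all LC tasks
    print("TL=3:", run(3, ["h1", "h2", "h3"]))   # TL = |H|: reservation-based, no EMS ever
```

Running the three scenarios shows the two extremes named in the text: TL = 0 reproduces the classical drop-everything behaviour on the first switch, and TL = |H| never produces an EMS, so C2's LC tasks keep their deadlines no matter how many HC tasks of C1 overrun.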
The flat framework is relevant in applications that do not use hierarchical scheduling (e.g., the Deos Real-Time Operating System for avionics [17]), whereas the hierarchical framework is relevant in applications that require compositionality (e.g., ARINC653 in avionics [18]). Note that a criticality-aware flat scheduler also ensures isolation for high-criticality tasks, and hence from that perspective provides similar functionality as a hierarchical scheduler. In Section III we present the schedulability test under a flat scheduling framework, and in Section IV we present the schedulability test under a hierarchical scheduling framework. Finally, the capability of the proposed mechanism and the corresponding schedulability tests to support LC job executions is evaluated through extensive simulations in Section V.

[Figure 1: three release patterns (a), (b), (c) of J_i^A relative to r(J_i^A), D_i^L, D_i, t_i and t.] Fig. 1. Execution pattern for J_i^A that generates maximal demand.

III. SCHEDULABILITY TEST FOR FLAT SCHEDULING FRAMEWORK
Demand bound function (dbf), which gives an upper bound on the maximum possible execution demand of tasks in a given time interval length, was first proposed to characterize the maximal demand of workloads comprising non-mixed-criticality tasks [19]. Since then dbf has been extended to mixed-criticality tasks as well [7], [8].

In this section, for the task and component model presented earlier, we propose a dbf-based schedulability test under an EDF-based flat scheduling framework. In Section III-A we present the functions to calculate the demand of two special jobs of a task, and in Section III-B we use this to compute the dbf of a task (this dbf has already been developed in [8]). In Section III-C we present the dbf of a component, and finally in Section III-D we present the dbf-based schedulability test.

Let t denote the time interval length, and without loss of generality we assume the time interval is [0, t). Let t_E (≤ t) denote the time instant of the External Mode Switch or EMS of C, and t_I (≤ t_E) denote the time instant of the Internal Mode Switch or IMS of C. If C is a LC component, then it has no IMS or EMS, and tasks within it will be dropped after the earliest EMS of any component in the system. For a HC task τ_i in the workload of C, let t_i denote the time instant when it switches to HC mode. By definition t_I ≤ t_i ≤ t_E. For a LC task τ_i in the workload of C, let t_i denote the time instant when it is dropped. Note that t_i in the LC case is either equal to t_I or the earliest EMS of any HC component, whichever is earlier. We use J_i to denote any job of τ_i, and r(J_i) to denote its release time.

A. Demand of two special jobs
We now introduce how to compute the demand of the first special job, which is the last one released by HC task τ_i before it switches to HC mode at t_i. As shown in Figure 1, this is a job such that r(J_i) ≤ t_i and r(J_i) + T_i > t_i, and we denote such a job as J_i^A. The following lemma bounds the demand of J_i^A when its deadline is greater than t.

Lemma 1: If r(J_i^A) + D_i^L > t, then J_i^A will generate zero demand during [0, t). Further, if r(J_i^A) + D_i > t, then J_i^A will not generate any demand after t_i.

Proof: Since r(J_i^A) + D_i^L > t ⇒ r(J_i^A) + D_i > t (as D_i ≥ D_i^L), J_i^A does not generate any demand in the interval of interest. On the other hand, if r(J_i^A) + D_i > t and r(J_i^A) + D_i^L ≤ t, then even if J_i^A does not finish before t_i, it does not generate any demand in the interval [t_i, t) because after t_i its deadline is outside the interval of interest.

If J_i^A satisfies the condition r(J_i^A) + D_i^L < t_i (Figure 1(a)), then J_i^A must finish by t_i, and hence it can generate a demand of up to C_i^L during [0, t). However, if r(J_i^A) + D_i^L ≥ t_i (Figure 1(b)), then J_i^A will generate maximal demand during [0, t) if it executes as late as possible. In this case it can generate a demand of up to C_i^H. One special case is when t_i ≤ r(J_i^A) + D_i^L ≤ t and r(J_i^A) + D_i > t (Figure 1(c)). In this case, J_i^A will not generate any demand after t_i according to Lemma 1. Thus, the demand of job J_i^A for the interval [0, t) can be bounded as follows.

\[
\mathrm{dbf}(J_i^A, t, t_i) =
\begin{cases}
C_i^L, & r(J_i^A) + D_i^L < t_i \\
C_i^H, & r(J_i^A) + D_i^L \ge t_i \text{ and } r(J_i^A) + D_i \le t \\
\min\{t_i - r(J_i^A),\, C_i^L\}, & t_i \le r(J_i^A) + D_i^L \le t \text{ and } r(J_i^A) + D_i > t \\
0, & r(J_i^A) + D_i^L > t
\end{cases}
\tag{1}
\]

Another special job is the last job released by a LC task τ_i before it is dropped at t_i, and we denote such a job as J_i^B. The release time of J_i^B satisfies the conditions r(J_i^B) ≤ t_i and r(J_i^B) + T_i > t_i. If r(J_i^B) + D_i^L > t (D_i^L = D_i), J_i^B will generate zero demand during [0, t) because its deadline is outside the interval. Otherwise, it may generate some demand in the interval [0, t_i), because it will be dropped after t_i. In order to maximize the demand of J_i^B in this interval, we assume that J_i^B will execute continuously from r(J_i^B). Thus, the demand of job J_i^B for the interval [0, t) can be bounded as follows.

\[
\mathrm{dbf}(J_i^B, t, t_i) =
\begin{cases}
\min\{t_i - r(J_i^B),\, C_i^L\}, & r(J_i^B) + D_i^L \le t \\
0, & \text{otherwise}
\end{cases}
\tag{2}
\]

B. Dbf of task τ_i

In this section we derive the dbf of a task τ_i using Equations 1 and 2 presented above. Let dbf(τ_i, t, t_i) denote the dbf of task τ_i for a given time interval length t and instant t_i. We present dbf(τ_i, t, t_i) using four sub-cases dbf(τ_i, t, t_i)[x], where x ∈ {a, b, c, d}, defined as follows.
a: L_i = LC,
b: L_i = HC and t − t_i < D_i − D_i^L,
c: L_i = HC and t − t_i ≥ D_i, and
d: L_i = HC and D_i − D_i^L ≤ t − t_i < D_i.

If τ_i satisfies condition a, then it is a LC task. The total demand that τ_i can generate during [0, t) is then the sum of the demand of jobs released before r(J_i^B) and the demand of J_i^B itself. τ_i generates maximal demand during [0, t) if the release time of the first job is equal to zero, and all successive jobs are released as soon as possible with period T_i. Therefore dbf(τ_i, t, t_i)[a] is given as follows.

\[
\mathrm{dbf}(\tau_i, t, t_i)[a] = \left\lfloor \frac{t_i}{T_i} \right\rfloor C_i^L + \mathrm{dbf}(J_i^B, t, t_i)
\tag{3}
\]

[Figure 2: release pattern with b_i jobs of demand C_i^L, the job J_i^A, and a_i jobs of demand C_i^H, the last deadline coinciding with t.] Fig. 2. Execution pattern for condition c.

If τ_i satisfies condition b, c or d, then τ_i is a HC task. Therefore, the total demand it generates is the sum of the demand of all the jobs released before t. Among these jobs, the ones released before r(J_i^A) will generate a demand of C_i^L, and the ones released after r(J_i^A) + T_i will generate a demand of C_i^H. The demand of job J_i^A itself is given in Equation 1. In the following lemmas we derive the dbf of τ_i for the three conditions.

Lemma 2: If τ_i satisfies condition b (t − t_i < D_i − D_i^L), no job of τ_i can execute for C_i^H time units. Therefore τ_i can generate maximal demand during [0, t) if the first job of τ_i is released at time instant 0 and all the successive jobs are released as soon as possible.

Proof: We prove this lemma by contradiction. Suppose there exists a job J_i of τ_i that can generate a demand of C_i^H time units in the interval [0, t). Then it must be true that r(J_i) + D_i ≤ t and r(J_i) + D_i^L ≥ t_i ⇒ t − t_i ≥ D_i − D_i^L, because τ_i is a HC task that switched to HC mode at t_i. This contradicts our assumption that t − t_i < D_i − D_i^L. Thus no job of τ_i that satisfies condition b can generate a demand of C_i^H time units in the interval [0, t). Therefore τ_i essentially behaves like a LC task, and this proves the lemma.

Thus dbf(τ_i, t, t_i)[b] is given as follows.

\[
\mathrm{dbf}(\tau_i, t, t_i)[b] = \left\lfloor \frac{t_i}{T_i} \right\rfloor C_i^L + \mathrm{dbf}(J_i^A, t, t_i)
\tag{4}
\]

Lemma 3: If τ_i satisfies condition c (t − t_i ≥ D_i), it generates maximal demand during [0, t) if the first job of τ_i is released at t − D_i − ⌊(t − D_i)/T_i⌋ × T_i, and all the successive jobs are released as soon as possible (scenario shown in Figure 2).

Proof: If t − t_i ≥ D_i and the first job of τ_i is released at t − D_i − ⌊(t − D_i)/T_i⌋ × T_i, then the last job released before t will have its deadline at t. In this case, t_i happens before the release time of this last job. Therefore the last job can generate a demand of C_i^H in the interval. Additionally, the number of jobs with deadline before t as well as the number of jobs that can generate C_i^H demand during [0, t) are maximized with this pattern. This proves the lemma.

Intuitively speaking, the demand is maximized when the deadline of a job of τ_i coincides with t, because it maximizes the possible executions for τ_i in HC mode. Thus, dbf(τ_i, t, t_i)[c] is given as follows.

\[
\mathrm{dbf}(\tau_i, t, t_i)[c] = b_i C_i^L + \mathrm{dbf}(J_i^A, t, t_i) + a_i C_i^H, \quad
\text{where } b_i = \left\lfloor \frac{t_i - \left(t - D_i - \lfloor (t - D_i)/T_i \rfloor \times T_i\right)}{T_i} \right\rfloor
\text{ and } a_i = \left\lfloor \frac{t - D_i}{T_i} \right\rfloor - b_i.
\tag{5}
\]

If τ_i satisfies condition d, it does not have a single execution pattern that maximizes its demand, as stated in the following lemma.

Lemma 4: If τ_i satisfies condition d (D_i − D_i^L ≤ t − t_i

Since D_i − D_i^L ≤ t − t_i < D_i, τ_i can have at most one job that can generate a demand of C_i^H in the interval [0, t). If the first job of τ_i is released at t − D_i − ⌊(t − D_i)/T_i⌋ T_i and all the successive jobs are released as soon as possible (release pattern of condition c), then the last job is a special job J_i^A and is the only job generating C_i^H demand. The only way to further increase the demand of τ_i is to add a new job in the interval by shifting the pattern left to the point when the first job is released at time instant 0. Thus, dbf(τ_i, t, t_i)[d] is given as follows.

\[
\mathrm{dbf}(\tau_i, t, t_i)[d] = \max\left\{ \mathrm{dbf}(\tau_i, t, t_i)[b],\ \mathrm{dbf}(\tau_i, t, t_i)[c] \right\}
\tag{6}
\]

C. Dbf of component C

In this section we present the dbf of a component C = {W, TL}. Let dbf(C, t, t_E, t_I) denote the dbf of component C for a given time interval length t, with mode-switch instants t_I (IMS) and t_E (EMS). We first present the dbf for the case when TL = 0 and then for the case when TL > 0. Note that among all the HC tasks in C, at most TL of them can switch to HC mode in the interval [t_I, t_E), while all the remaining HC tasks are assumed to switch to HC mode at t_E.

If TL = 0, then this means t_E (EMS) is equal to t_I (IMS), because C’s internal and external modes will switch at the same time. Thus, each HC task τ_i in C will switch to HC mode at t_i = t_I = t_E, and hence dbf(C, t, t_E = t_I, t_I) is given as follows.

\[
\mathrm{dbf}(C, t, t_E = t_I, t_I) = \sum_{\tau_i \in C} \mathrm{dbf}(\tau_i, t, t_I) \qquad (TL = 0)
\tag{7}
\]

If TL > 0, then at most TL HC tasks can switch to HC mode before t_E. To compute the dbf of C, we then need to determine which HC tasks should switch to HC mode before t_E so as to maximize the total demand.
The following lemma asserts that for any HC task, its demand is maximized when it switches to HC mode either at t_I or t_E.

Lemma 5: If a HC task τ_i switches to HC mode at some time t_i ∈ [t_I, t_E], then dbf(τ_i, t, t_i) is maximized when t_i is either equal to t_E or t_I.

Proof: Suppose τ_i satisfies condition b when t_i = t_E, i.e., t − t_E < D_i − D_i^L. Then as t_i decreases, τ_i could eventually satisfy condition d, i.e., D_i − D_i^L ≤ t − t_i < D_i, and finally condition c, i.e., t − t_i ≥ D_i. Without loss of generality, assume that τ_i satisfies condition b for t_i ∈ (t_b, t_E], condition d for t_i ∈ (t_d, t_b], and condition c for t_i ∈ [t_I, t_d], where t_I ≤ t_d ≤ t_b ≤ t_E.
Case 1 (t_i ∈ [t_I, t_d]): In this case, dbf(τ_i, t, t_i)[c] (see Equation 5) is maximized if t_i = t_I. This is because as t_i decreases from t_d to t_I, the number of jobs generating C_i^H demand will remain the same or increase, while the total number of jobs that generate demand for this time interval remains unchanged.
Case 2 (t_i ∈ (t_b, t_E]): In this case, dbf(τ_i, t, t_i)[b] = ⌊t_i/T_i⌋ C_i^L + dbf(J_i^A, t, t_i). Then as t_i increases from t_b to t_E, dbf(J_i^A, t, t_i) and ⌊t_i/T_i⌋ × C_i^L will stay the same or increase. Thus dbf(τ_i, t, t_i)[b] is maximized when t_i = t_E.
Case 3 (t_i ∈ (t_d, t_b]): From Lemma 4 we know that dbf(τ_i, t, t_i)[d] = max{dbf(τ_i, t, t_i)[b], dbf(τ_i, t, t_i)[c]}. While dbf(τ_i, t, t_i)[b] for t_i ∈ (t_d, t_b] is maximized if t_i = t_b, dbf(τ_i, t, t_i)[c] for t_i ∈ (t_d, t_b] stays the same.
Since dbf(τ_i, t, t_b)[b] ≤ dbf(τ_i, t, t_E)[b] and dbf(τ_i, t, t_b)[c] ≤ dbf(τ_i, t, t_I)[c], combining the above three cases, we conclude that dbf(τ_i, t, t_i) is maximized when t_i = t_I or t_i = t_E.

Let Δ_i = max{0, dbf(τ_i, t, t_I) − dbf(τ_i, t, t_E)}. From Lemma 5 we know that task τ_i generates maximum demand when t_i = t_E or t_i = t_I. Therefore Δ_i denotes the maximum possible increase in the demand of τ_i (if it increases) for a time interval length t when τ_i is chosen as one of the TL tasks to switch to HC mode before t_E. Once we compute Δ_i for all the HC tasks in component C, we sort these values in descending order and select the first TL elements. Let the corresponding set of TL HC tasks be denoted by G. The total maximum demand of all the tasks in C is then given by the following equation.

\[
\mathrm{dbf}(C, t, t_E, t_I) = \sum_{L_i = HC} \mathrm{dbf}(\tau_i, t, t_E) + \sum_{\tau_i \in G} \Delta_i + \sum_{L_i = LC} \mathrm{dbf}(\tau_i, t, t_I)
\tag{8}
\]

A tighter bound for the dbf of component C can be obtained using an optimization presented in Section A of the Appendix.

D. Schedulability Test and Tolerance Limit

In this section we derive the schedulability test for a mixed-criticality system comprising multiple components and scheduled under a flat scheduling framework. Consider a system with p HC components C_1, C_2, ..., C_p and q LC components C_{p+1}, C_{p+2}, ..., C_{p+q}. Each HC component C_i can independently switch its internal mode to HC at t_I^i. Once the first HC component switches its external mode to HC at t_E, all the LC tasks in the system are immediately dropped. We assume that all the HC tasks in the system can thereafter execute in HC mode.

Suppose there is a first deadline miss in the system at some time instant t. Then, the total maximum demand generated by the system in [0, t) must be greater than t. This assertion immediately leads to the following theorem that presents the schedulability test.
Theorem 1: A mixed-criticality system comprising $p$ HC components and $q$ LC components is schedulable under a flat scheduling framework if, $\forall t: 0 \le t \le t_{MAX}$, $\forall t_E: 0 \le t_E \le t$, $\forall t_{Ii}: 0 \le t_{Ii} \le t_E$,

$$\sum_{i=1}^{p+q} \mathrm{dbf}(\mathcal{C}_i, t, t_E, t_{Ii}) \le t, \qquad (9)$$

where $t_{MAX}$ is pseudo-polynomial in the size of the input and is defined in Section B of the Appendix.

The complexity of the schedulability test in Theorem 1 is exponential in the number of HC components, because we need to consider a separate internal mode switch instant for each component. In practice, however, we expect the number of HC components scheduled on a single processor to be relatively small, and then the complexity of the proposed test is pseudo-polynomial in the size of the input. Besides, if there is freedom to select the allocation of system tasks to components, then it is feasible to create a component structure comprising only two components, while still fully supporting LC task executions. All the HC tasks in the system are allocated to a single HC component $\mathcal{C}_H = \{\mathcal{W}_H, TL_H\}$, and each LC task can be allocated either to $\mathcal{C}_H$ or to a LC component $\mathcal{C}_L = \{\mathcal{W}_L, TL_L = 0\}$. This two-component system is sufficient to consider all the possible design choices for isolating HC and LC task executions. This can be done by considering different values for the tolerance limit $TL_H$, and by considering different allocations of LC tasks to the two components. We can choose the maximum possible value for this tolerance limit as long as the resulting system is still schedulable. A higher tolerance limit indicates support for more LC task executions, and thus better resource utilization. In Section V, we show through simulations that our mechanism outperforms existing studies even with this two-component structure.
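The demand bound of Equation (8) and the enumeration behind Theorem 1 can be exercised on a small two-component system. The Python below is an added example, not code from the paper: its per-task demand `task_dbf` is a deliberately simple stand-in (jobs released at multiples of the period, charged $C_{Li}$ if released before the switch instant and $C_{Hi}$ otherwise, in the spirit of the sporadic dbf of [19]) rather than the paper's Equation (5), and the task parameters, the horizon `t_max` (standing in for $t_{MAX}$) and all function names are constructed. What it shows is the mechanics the text describes: sorting the $\Delta_i$ and charging only the $TL$ largest, evaluating every $(t, t_E, t_{Ii})$ combination, and picking the largest tolerance limit that keeps the system schedulable.

```python
"""Component demand with a tolerance limit (Equation 8) and the flat
schedulability test of Theorem 1 (Equation 9) by exhaustive enumeration.
Added example; the per-task demand is a stand-in, not the paper's Eq. 5."""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    crit: str   # "HC" or "LC"
    T: int      # minimum inter-arrival time
    D: int      # relative deadline
    C_L: int    # LC-mode WCET
    C_H: int    # HC-mode WCET (equal to C_L for an LC task)


@dataclass
class Component:
    name: str
    crit: str          # "HC" or "LC"
    TL: int            # tolerance limit (0 for an LC component)
    tasks: List[Task]


def task_dbf(task: Task, t: int, t_switch: int) -> int:
    """Stand-in for dbf(tau_i, t, t_i). Assumption: releases at 0, T, 2T, ...,
    only jobs with deadline <= t count (the sporadic dbf of [19]); a job released
    before t_switch costs C_L, a HC job released at or after it costs C_H, and an
    LC job released at or after it is dropped and costs nothing."""
    if t < task.D:
        return 0
    n_jobs = (t - task.D) // task.T + 1
    before = min(n_jobs, -(-t_switch // task.T))   # ceil(t_switch / T)
    after = n_jobs - before
    if task.crit == "LC":
        return before * task.C_L
    return before * task.C_L + after * task.C_H


def component_dbf(comp: Component, t: int, t_E: int, t_I: int) -> int:
    """Equation 8: all HC tasks charged at t_E, plus the TL largest increases
    Delta_i = max{0, dbf(t_I) - dbf(t_E)} (the set G), plus LC tasks dropped at t_I."""
    hc = [tau for tau in comp.tasks if tau.crit == "HC"]
    lc = [tau for tau in comp.tasks if tau.crit == "LC"]
    base = sum(task_dbf(tau, t, t_E) for tau in hc)
    deltas = sorted((max(0, task_dbf(tau, t, t_I) - task_dbf(tau, t, t_E))
                     for tau in hc), reverse=True)
    return base + sum(deltas[:comp.TL]) + sum(task_dbf(tau, t, t_I) for tau in lc)


def flat_schedulable(components: List[Component], t_max: int
                     ) -> Tuple[bool, Optional[tuple]]:
    """Theorem 1: for every t <= t_max, every t_E <= t and every combination of
    internal switch instants t_Ii <= t_E (one per HC component), the summed
    component demand must not exceed t. An LC component has no internal switch;
    its LC tasks are dropped at t_E, so it is evaluated with t_I = t_E. t_max is a
    constructed horizon standing in for the paper's t_MAX. Returns (True, None)
    or (False, (t, t_E, t_Is, demand)) for the first violation found."""
    hc_idx = [k for k, c in enumerate(components) if c.crit == "HC"]
    for t in range(t_max + 1):
        for t_E in range(t + 1):
            for t_Is in product(range(t_E + 1), repeat=len(hc_idx)):
                switch = dict(zip(hc_idx, t_Is))
                demand = sum(component_dbf(c, t, t_E, switch.get(k, t_E))
                             for k, c in enumerate(components))
                if demand > t:
                    return False, (t, t_E, t_Is, demand)
    return True, None


def make_system(TL_H: int) -> List[Component]:
    """Constructed two-component system of Section III-D: C_H holds the HC tasks
    with tolerance limit TL_H, C_L holds the LC tasks with TL_L = 0."""
    hc_tasks = [Task("h1", "HC", T=10, D=10, C_L=2, C_H=5),
                Task("h2", "HC", T=10, D=10, C_L=2, C_H=5)]
    lc_tasks = [Task("l1", "LC", T=10, D=10, C_L=3, C_H=3)]
    return [Component("C_H", "HC", TL_H, hc_tasks), Component("C_L", "LC", 0, lc_tasks)]


def max_tolerance_limit(t_max: int) -> int:
    """Largest TL_H that keeps the constructed system schedulable: the design
    choice the text describes (a higher limit supports more LC execution)."""
    n_hc = sum(1 for tau in make_system(0)[0].tasks if tau.crit == "HC")
    return max((TL for TL in range(n_hc + 1)
                if flat_schedulable(make_system(TL), t_max)[0]), default=0)


if __name__ == "__main__":
    for TL in range(3):
        print("TL_H =", TL, flat_schedulable(make_system(TL), 40))
    print("largest schedulable TL_H:", max_tolerance_limit(40))
```

With the constructed parameters, $TL_H = 0$ and $TL_H = 1$ pass while $TL_H = 2$ fails at $t = 10$: letting both HC tasks switch at $t_I = 0$ while the LC component keeps running until $t_E$ pushes the demand in $[0, 10)$ to 13 units. Note that the LC component is evaluated with $t_I = t_E$ because its tasks are dropped only at the external switch.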
However, if the allocation of tasks to components is fixed and the number of HC components is not small, then the hierarchical scheduling framework presented in the following section can be used to reduce the complexity of the test.

IV. SCHEDULABILITY TEST FOR HIERARCHICAL SCHEDULING FRAMEWORK

Hierarchical scheduling has emerged as an effective mechanism to support temporal partitioning between applications, serving as a common scheduling paradigm in many mixed-criticality systems in practice [18]. It is preferred in practice because it supports compositionality, so that higher-level properties can be derived from verified component-level properties. Therefore, to increase the practical relevance of the proposed mechanism, we develop a schedulability test under a hierarchical scheduling framework in this section.

A. Execution Strategy under Hierarchical Scheduling

For hierarchical systems, each component has an additional parameter $S$ denoting its local scheduler. We specify such a component as $\mathcal{C} = (\mathcal{W}, TL, S)$. The component workload $\mathcal{W}$ comprises regular mixed-criticality tasks as well as interface tasks representing the child components. The tasks in the workload $\mathcal{W}$ are scheduled by the local scheduler $S$, independently of all the other components in the system.

Component interfaces have been widely used in traditional hierarchical systems to abstractly represent the resource demand and supply of components (see for example [20]). From the component's perspective, its interface represents the resource demand of its workload, while from the perspective of its parent component or system, the interface represents the resource supply that the parent guarantees. These component interfaces are essential for satisfying the property of compositionality.

Resource models such as the periodic resource model have previously been defined as interfaces for components in traditional hierarchical systems [20].
Analogously, we now present the mixed-criticality periodic resource (MCPR) model for mixed-criticality components. Since we focus on systems with two criticality levels, we assume that the MCPR model can have at most two criticality levels.

Definition 1: A Mixed-Criticality Periodic Resource (MCPR) is defined as $I = (T, L, \mathbf{C})$, where $T$ denotes the period, $L \in \{LC, HC\}$ denotes the criticality level, and $\mathbf{C} = \{C_L, C_H\}$ is a list of resource capacities. $C_L$ denotes the LC resource capacity and $C_H$ denotes the HC resource capacity.

A component $\mathcal{C}$ can be abstracted as an MCPR interface $I = (T, L, \mathbf{C})$, and the corresponding task $(T, L, \mathbf{C}, T)$ (denoted as the interface task) represents $\mathcal{C}$ in the workload of its parent component. We assume that the period $T$ of this interface is already specified by the system designer, as in the standard literature on hierarchical scheduling (e.g., see [20]). For instance, this period could be determined based on either component-level requirements or considerations of overheads such as context switches. The criticality level $L$ is directly determined by the criticality level of the component it represents: if $\mathcal{C}$ is a LC component, then $L = LC$, otherwise $L = HC$.

Mode of the interface. The semantics of interface $I$ (and the corresponding interface task) depend on its criticality mode at run time, which in turn depends on the criticality mode of component $\mathcal{C}$. In fact, we assume that the criticality mode of $I$ is identical to the external mode of $\mathcal{C}$. When $\mathcal{C}$ experiences EMS, the mode of the interface and interface task switches from LC to HC. While the interface is in LC mode, it is guaranteed to request no more than $C_L$ time units of resource periodically every $T$ time units from the parent component. But when it switches to HC mode, it can thereafter request up to $C_H$ time units of resource periodically.

B. MCPR Supply Bound Function

The supply bound function (sbf) of a resource model characterizes the minimum resource supply guaranteed by the model to the underlying component. In this section, we derive the sbf for an MCPR interface $I = (T, L, \mathbf{C})$ of a component $\mathcal{C} = (\mathcal{W}, TL, S)$. We let $\mathrm{sbf}_I(t_E, t)$ denote the sbf for a time interval of length $t$, where $t_E$ $(\le t)$ denotes the time instant of EMS of component $\mathcal{C}$. As the resource is supplied periodically, component $\mathcal{C}$ is guaranteed to receive either $C_L$ or $C_H$ units of resource every $T$ time units in LC or HC mode, respectively. We use the following additional notations in this section.

• $s$ denotes the start time of the first interface period within the time interval $[0, t)$.
• $n$ denotes the number of interface periods within the interval $[0, t)$.
• $n_E$ denotes the number of interface periods within the interval $[0, t_E)$.
• $s_E$ denotes the start of the interface period that experiences EMS ($t_E$), i.e., $s_E \le t_E < e_E$, where $e_E = s_E + T$.
• $e$ denotes the start of the interface period after $t$, i.e., $e = s + n \times T + T$.
• For simplicity of presentation, we also use the short-cut notation $[x] = \max\{0, x\}$.

[Fig. 3. MCPR worst-case resource supply pattern A: $s = T - C_L$; after EMS, executions beyond $C_L$ and up to $C_H$.]
[Fig. 4. Boundary case for MCPR worst-case resource supply pattern A ($e = e_E$).]

When $t_E = t$, there is no external mode switch for component $\mathcal{C}$ in the interval of interest, and the component and interface execute only in LC mode. Therefore, $\mathrm{sbf}_I(t_E, t)$ in this case is identical to the sbf defined for periodic resource models with $I$ supplying $C_L$ units of resource periodically [20]. Thus, in this case, minimal resource is supplied when $s = T - C_L$ and $n = \left[\left\lfloor \frac{t - (T - C_L)}{T} \right\rfloor\right]$.
We record this sbf in the following equation.

$$\mathrm{sbf}_I(t_E, t) = n \times C_L + \left[\, t - 2(T - C_L) - n \times T \,\right] \quad \text{if } t_E = t \qquad (10)$$

For the case when $t_E < t$, there are two possible resource supply patterns, denoted A and B, that can lead to the minimum resource supply. We now present these two patterns and the corresponding sbf equations, $\mathrm{sbf}_I(t_E, t)[A]$ and $\mathrm{sbf}_I(t_E, t)[B]$.

Pattern A: $s = T - C_L$. The scenario of pattern A is shown in Figure 3, where $n_E = \left[\left\lfloor \frac{t_E - (T - C_L)}{T} \right\rfloor\right]$ and $n = \left[\left\lfloor \frac{t - (T - C_L)}{T} \right\rfloor\right]$. In the first period, $C_L$ units of resource are supplied as early as possible, and hence during $[0, 2 \times (T - C_L)]$ no resource is supplied. In the following periods until time instant $s_E$ $(= n_E \times T + T - C_L)$, $C_L$ units are supplied as late as possible. In the period $[s_E, e_E]$, the amount of supply depends on the distance of $t_E$ from $s_E$. If $t_E - s_E < C_L$, then the resource supply in this period cannot be exhausted when component $\mathcal{C}$ has EMS at $t_E$. Therefore interface $I$ will provide $C_H$ units of resource in this period, because it can signal its mode switch to the parent component. On the other hand, if $t_E - s_E \ge C_L$, as in the example figure, then the resource supply in $[s_E, e_E]$ can be exhausted before component $\mathcal{C}$ experiences EMS, and hence the interface may only provide $C_L$ units in this period. After time instant $e_E$, the interface is guaranteed to provide $C_H$ units of resource in every period.

An important boundary case to consider is when $e = n \times T + 2T - C_L = e_E$ and $t_E - s_E \ge C_L$. That is, when $t_E$ and $t$ are in the same period and the interface can exhaust its resource supply before the EMS of component $\mathcal{C}$ (scenario shown in Figure 4). In this case, the minimum supply in this period occurs when it is provided as late as possible (for instance when $e - t > C_H - C_L$). We record the sbf corresponding to the pattern of Figures 3 and 4 below.
$$\mathrm{sbf}_I(t_E, t)[A] = \begin{cases} n_E \times C_L + (n - n_E) \times C_H + \left[\, t - (2T - C_L - C_H) - n \times T \,\right] & t_E - s_E < C_L \\ (n_E + 1) \times C_L + (n - n_E - 1) \times C_H + \left[\, t - (2T - C_L - C_H) - n \times T \,\right] & e \ne e_E \wedge t_E - s_E \ge C_L \\ n_E \times C_L + \min\left\{ C_L,\ \left[\, t - (2T - C_L - C_H) - n \times T \,\right] \right\} & e = e_E \wedge t_E - s_E \ge C_L \end{cases} \qquad (11)$$

Pattern B: $s = T - C_L - (x_E - t_E)$, where $x_E = \lceil t_E / T \rceil \times T$. The scenario of pattern B is shown in Figure 5, which is obtained by shifting pattern A in Figure 3 by $x_E - t_E$. In this case, $n_E = \left[\left\lfloor \frac{t_E - s}{T} \right\rfloor\right]$, $n = \left[\left\lfloor \frac{t - s}{T} \right\rfloor\right]$, $e_E = t_E - C_L + T$ and $e = n \times T + T + s$. The sbf corresponding to this shifted supply pattern is given below. It is similar to the previous case, except that the interface period containing $t_E$ is now guaranteed to supply no more than $C_L$ time units.

$$\mathrm{sbf}_I(t_E, t)[B] = \begin{cases} (n_E + 1) \times C_L + (n - n_E - 1) \times C_H + \left[\, t - s - (T - C_H) - n \times T \,\right] & e \ne e_E \\ n_E \times C_L + \min\left\{ C_L,\ \left[\, t - s - (T - C_H) - n \times T \,\right] \right\} & e = e_E \end{cases} \qquad (12)$$

The following lemma proves that it is sufficient to consider the above two supply patterns for determining the sbf.

Lemma 6: When $t_E < t$, patterns A and B are the only two possible supply patterns that can result in the minimal resource supply from interface $I$.

Proof: Suppose there exists an $s \in [0, T)$ such that $s \ne T - C_L$ (pattern A) and $s \ne T - C_L - (x_E - t_E)$ (pattern B), but $s$ leads to the minimal supply pattern for time interval length $t$.

Case 1 ($s = T - C_L + \epsilon$, $0 < \epsilon \le C_L$): In this case, it is easy to see that the supply will be greater than or equal to $\mathrm{sbf}_I(t_E, t)[A]$, because the supply for the first interface period will increase by $\epsilon$ and the supply for the last interface period will decrease by at most $\epsilon$.
Case 2 ($s = T - C_L - (x_E - t_E) + \epsilon$, $0 < \epsilon < x_E - t_E$): In this case, the supply for the interface period containing $t_E$ will stay the same or increase by $C_H - C_L$, while the supply for the last interface period may decrease by at most $\epsilon$ compared with the case when $s = T - C_L - (x_E - t_E)$. Therefore this supply is also minimized when $\epsilon \to x_E - t_E$ or $\epsilon \to 0$.

Case 3 ($s = T - C_L - (x_E - t_E) - \epsilon$, $0 < \epsilon \le T - C_L - (x_E - t_E)$): In this case, the supply for the interface period containing $t_E$ will stay the same, while the supply for the last interface period may stay the same or increase compared with the case when $s = T - C_L - (x_E - t_E)$. Therefore in this case as well, the supply is minimized when $\epsilon \to 0$.

Combining the above cases, we can conclude that the supply is minimized with either pattern A or pattern B.

[Fig. 5. MCPR worst-case resource supply pattern B (pattern A shifted by $x_E - t_E$).]

Thus, a safe lower bound for $\mathrm{sbf}_I$ for the case when $t_E < t$ can be stated as follows.

$$\mathrm{sbf}_I(t_E, t) = \min\left\{ \mathrm{sbf}_I(t_E, t)[A],\ \mathrm{sbf}_I(t_E, t)[B] \right\} \qquad (13)$$

C. Interface Generation

In this section we use the sbf, together with the dbf of component $\mathcal{C}$, to generate interface $I$. For component $\mathcal{C}$ to be schedulable using interface $I$, it is sufficient to ensure that $\mathrm{dbf}(\mathcal{C}, t, t_E, t_I) \le \mathrm{sbf}_I(t_E, t)$ for all relevant time interval lengths. Below we first present the schedulability test for the case when component $\mathcal{C}$ does not experience EMS, that is, the interface only executes in LC mode, supplying $C_L$ resource capacity periodically.
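The supply bound of Equations (10)–(13) can be checked numerically, and the same function is what the interface generation of this section reduces to: search for the smallest capacities such that the component's demand never exceeds the supply. The Python below is an added example, not the paper's code. It implements the two supply patterns exactly as written above and takes the minimum per Equation (13); the capacity search is a plain linear scan where the paper defers to the techniques of [21]; the interface period, the horizon (standing in for $t_{MAX}$) and the single-task component demand `example_demand` are constructed stand-ins, not the paper's dbf. One corner is the example's own assumption rather than a statement of the page: pattern B presumes that the period containing $t_E$ starts inside the interval, so for $0 < t_E < C_L$ only pattern A is used, and $t_E = 0$ is not handled.

```python
"""MCPR supply bound function of Section IV-B (Equations 10-13) and the capacity
search of Section IV-C (Theorems 2 and 3). Added example, not the paper's code;
the component demand at the bottom is a constructed stand-in."""
from typing import Callable, Optional


def bracket(x: int) -> int:
    """The short-cut notation [x] = max{0, x}."""
    return max(0, x)


def sbf_lc_mode(T: int, C_L: int, t: int) -> int:
    """Equation 10 (t_E = t): a plain periodic resource supplying C_L every T.
    Worst case: s = T - C_L, supply as late as possible in every period."""
    n = bracket((t - (T - C_L)) // T)
    return n * C_L + bracket(t - 2 * (T - C_L) - n * T)


def sbf_pattern_a(T: int, C_L: int, C_H: int, t_E: int, t: int) -> int:
    """Equation 11: the first period starts at s = T - C_L (Figures 3 and 4)."""
    n_E = bracket((t_E - (T - C_L)) // T)
    n = bracket((t - (T - C_L)) // T)
    s_E = n_E * T + T - C_L                 # start of the period containing t_E
    e_E = s_E + T
    e = (T - C_L) + n * T + T               # start of the period after t
    tail = bracket(t - (2 * T - C_L - C_H) - n * T)
    if t_E - s_E < C_L:                     # C_L cannot be exhausted before the EMS
        return n_E * C_L + (n - n_E) * C_H + tail
    if e != e_E:
        return (n_E + 1) * C_L + (n - n_E - 1) * C_H + tail
    return n_E * C_L + min(C_L, tail)       # boundary case: t_E and t in one period


def sbf_pattern_b(T: int, C_L: int, C_H: int, t_E: int, t: int) -> int:
    """Equation 12: pattern A shifted by x_E - t_E so that the period containing
    t_E exhausts exactly C_L at t_E (Figure 5)."""
    x_E = -(-t_E // T) * T                  # ceil(t_E / T) * T
    s = T - C_L - (x_E - t_E)
    n_E = bracket((t_E - s) // T)
    n = bracket((t - s) // T)
    e_E = t_E - C_L + T
    e = n * T + T + s
    tail = bracket(t - s - (T - C_H) - n * T)
    if e != e_E:
        return (n_E + 1) * C_L + (n - n_E - 1) * C_H + tail
    return n_E * C_L + min(C_L, tail)


def sbf_mcpr(T: int, C_L: int, C_H: int, t_E: int, t: int) -> int:
    """sbf_I(t_E, t): Equation 10 when t_E = t, otherwise the minimum of the two
    patterns (Equation 13, Lemma 6). Assumption of this example: pattern B needs
    the period containing t_E to start inside [0, t), i.e. t_E >= C_L, so for
    0 < t_E < C_L pattern A is used alone; t_E = 0 is out of scope."""
    if not 0 < t_E <= t:
        raise ValueError("this example covers 0 < t_E <= t")
    if t_E == t:
        return sbf_lc_mode(T, C_L, t)
    a = sbf_pattern_a(T, C_L, C_H, t_E, t)
    return a if t_E < C_L else min(a, sbf_pattern_b(T, C_L, C_H, t_E, t))


def smallest_lc_capacity(T: int, demand_lc: Callable[[int], int],
                         horizon: int) -> Optional[int]:
    """Theorem 2: smallest C_L with demand_lc(t) <= sbf_I(t, t) for 0 <= t <= horizon.
    A linear scan suffices because the sbf grows with the capacity; the horizon
    stands in for the paper's t_MAX."""
    for C_L in range(T + 1):
        if all(demand_lc(t) <= sbf_lc_mode(T, C_L, t) for t in range(horizon + 1)):
            return C_L
    return None


def smallest_hc_capacity(T: int, C_L: int, demand: Callable[[int, int], int],
                         horizon: int) -> Optional[int]:
    """Theorem 3: given C_L, the smallest C_H with demand(t, t_E) <= sbf_I(t_E, t)
    for all 0 < t_E < t <= horizon."""
    for C_H in range(C_L, T + 1):
        if all(demand(t, t_E) <= sbf_mcpr(T, C_L, C_H, t_E, t)
               for t in range(1, horizon + 1) for t_E in range(1, t)):
            return C_H
    return None


def example_demand(t: int, t_E: int) -> int:
    """Constructed stand-in for dbf(C, t, t_E, t_I) of a component with one HC task
    (T_i = D_i = 20, C_Li = 2, C_Hi = 6): jobs released at 0, 20, 40, ... with
    deadline <= t count; a job released before the EMS costs C_Li, later ones C_Hi."""
    n_jobs = t // 20
    before = min(n_jobs, -(-t_E // 20))
    return 2 * before + 6 * (n_jobs - before)


def example_demand_lc(t: int) -> int:
    """LC-mode demand of the same constructed component (no EMS: t_E = t)."""
    return example_demand(t, t)


if __name__ == "__main__":
    T = 10
    C_L = smallest_lc_capacity(T, example_demand_lc, 40)
    C_H = smallest_hc_capacity(T, C_L, example_demand, 40)
    print("MCPR interface I = (T=%d, HC, {C_L=%s, C_H=%s})" % (T, C_L, C_H))
```

For $T = 10$, $C_L = 3$, $C_H = 6$ the function returns $\mathrm{sbf}_I(15, 25) = 6$: pattern A gives 7, while pattern B gives 6 because the period containing $t_E = 15$ exhausts its $C_L$ just before the EMS and the following HC-mode period supplies as late as possible. For the constructed component the search yields $C_L = 2$ and $C_H = 4$; the HC capacity is forced by the combination $t = 40$, $t_E = 20$, where the supply in the EMS period is capped at $C_L$ and only one HC-mode period fits before $t$.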
Theorem 2: A mixed-criticality component $\mathcal{C}$ is schedulable in LC mode with $\mathrm{sbf}_I(t_E = t, t)$ if, $\forall t: 0 \le t \le t_{MAX}$, $\forall t_I: 0 \le t_I \le t$,

$$\mathrm{dbf}(\mathcal{C}, t, t_E, t_I) \le \mathrm{sbf}_I(t_E = t, t) \quad \text{if } t_E = t \qquad (14)$$

where $t_{MAX}$ is pseudo-polynomial in the size of the input and can be derived using techniques similar to those of Section B in the Appendix, and $\mathrm{sbf}_I(t_E, t)$ is given by Equation (10) in Section IV-B.

For a given $t$ and $t_I$, $\mathrm{dbf}(\mathcal{C}, t, t_E, t_I)$ can be computed using the techniques described in Section III-C. The only unknown quantity in Equation (14) is the LC resource capacity $C_L$. This capacity can then be computed exactly using existing techniques [21].

To compute the HC resource capacity $C_H$, we need to consider the schedulability test when component $\mathcal{C}$ experiences EMS at some time instant $t_E$ $(< t)$. The following theorem presents this test.

Theorem 3: A mixed-criticality component $\mathcal{C}$ is schedulable in HC mode with $\mathrm{sbf}_I(t_E, t)$ if $\forall t: 0 \le t \le t_{MAX}$, $\forall t_E: 0 \le t_E \le t$, $\forall t_I: 0 \le t_I \le t_E$,

$$\mathrm{dbf}(\mathcal{C}, t, t_E, t_I) \le \mathrm{sbf}_I(t_E, t) \qquad (15)$$

where $\mathrm{sbf}_I(t_E, t)$ is given by Equation (13) in Section IV-B.

The only unknown quantity in Equation (15) is the HC resource capacity $C_H$, assuming we have already computed $C_L$ using Theorem 2. $C_H$ can then be computed similarly to $C_L$ using existing techniques [21].

V. EVALUATION

In this section we evaluate the performance of the proposed mechanism in terms of offline schedulability as well as its ability to support LC task executions online. Tasksets are generated using the following settings, where each parameter is randomly drawn from the given range using a uniform distribution.

• $u_{Li} = C_{Li}/T_i$ is in the range $[0.\ldots,\ \ldots]$.
• $C_{Hi}/C_{Li}$ is in the range $[2,\ \ldots]$.
• $T_i$ is in the range $[10,\ \ldots]$.
• $D_i = T_i$, as the service adaptation strategy, one of the mechanisms being compared, can only support implicit-deadline tasks.
• Task $\tau_i$ is deemed to be a HC task with probability $\ldots$.
• For a HC task $\tau_i$, $D_{Li}$ is determined by the deadline tuning algorithm in [8].
• For the proposed mechanism, we assume that all the $|H|$ HC tasks in the generated taskset are allocated to a HC component $\mathcal{C}_H = \{\mathcal{W}_H, TL_H\}$, and all the LC tasks are allocated to a LC component $\mathcal{C}_L$.

We have chosen relatively small values for $u_{Li}$ and $C_{Hi}/C_{Li}$ so that a sufficient number of HC tasks are generated. This enables us to evaluate the online performance of the various approaches when different numbers of HC tasks synchronously switch to HC mode. The generated taskset is evaluated for offline schedulability as well as online performance in terms of support for LC execution under four different mechanisms. These include the mechanism presented in this paper ("Proposed Mechanism"), the service adaptation strategy [12] ("Service Adaptation"), the Interference Constraint Graph [14] ("ICG"), and the classical mixed-criticality studies in which all the LC jobs are dropped the moment any HC job switches to HC mode [8] ("Classical Model"). Note that the classical model can be obtained by setting $TL_H = 0$ in our mechanism. In Section V-A we present our results for offline performance based on schedulability tests, and in Section V-B we compare their online performance through simulations.

A. Offline Schedulability

In order to generate feasible tasksets, we consider different bounds for the term $\max\{U_{LL} + U_{LH}, U_{HH}\}$, where $U_{LL} = \sum_{L_i = LC} C_{Li}/T_i$, $U_{LH} = \sum_{L_i = HC} C_{Li}/T_i$ and $U_{HH} = \sum_{L_i = HC} C_{Hi}/T_i$. For each bound value, we generate tasksets based on the procedure described above, and evaluate their offline schedulability. For the elastic model [11], in which the LC task periods are extended, any generated taskset with $U_{HH}$ … is always schedulable, because in the worst case all the LC task periods can be extended to infinity. The schedulability test for the service adaptation strategy [6] is a utilization-based test.
ICG uses the well-known Audsley's algorithm to assign task priorities, and its schedulability is maximized when the interference graph is fully connected, i.e., each HC task has an execution dependency with every LC task in the system. For our mechanism, if a hierarchical scheduling framework is considered, then we assume that the MCPR interface period $T$ for both $\mathcal{C}_H$ and $\mathcal{C}_L$ is equal to … time units. This is reasonable because the smallest task period in any taskset is 10 time units.

Figures 6 and 7 show the schedulability performance for the tasksets under the various mechanisms. In Figure 6 we present results for our mechanism under a flat scheduling framework, and in Figure 7 we present results for our mechanism under a hierarchical scheduling framework. In these figures, the x-axis denotes the bound value for $\max\{U_{LL} + U_{LH}, U_{HH}\}$, and the y-axis denotes the schedulability ratio, i.e., the percentage of tasksets deemed schedulable by the different mechanisms. For our mechanism, we generate the schedulability results for various values of the tolerance limit: $TL_H = 0$, $\lfloor \ldots\,|H| \rfloor$, $\lfloor \ldots\,|H| \rfloor$, $\lfloor \ldots\,|H| \rfloor$, $\lfloor \ldots\,|H| \rfloor$ and $|H|$.

As shown in Figure 6, the schedulability performance of our mechanism clearly depends on the tolerance limit; a higher limit generally implies lower schedulability, because it uses additional resources to support LC executions. For values of $TL_H$ up to $\lfloor \ldots\,|H| \rfloor$, our mechanism outperforms both service adaptation and ICG on average. Similar trends can also be observed for our mechanism under a hierarchical framework, except that the schedulability drops more rapidly due to the overhead of hierarchical scheduling. The classical model is represented by the curve with $TL_H = 0$; it has the highest schedulability, but offers no support for LC executions when HC tasks switch to HC mode. Thus we can conclude that as long as no more than $\lfloor \ldots\,|H| \rfloor$ of the HC tasks execute in HC mode at each time instant, our mechanism offers the best performance in terms of offline schedulability as well as online support for LC executions.

[Fig. 6. Schedulability under a Flat Scheduling Framework. x-axis: utilization bound; y-axis: percent of schedulable tasksets; curves: $TL_H = 0$, four intermediate $\lfloor \ldots\,|H| \rfloor$ settings, $TL_H = |H|$, Service Adaptation, ICG.]
[Fig. 7. Schedulability under a Hierarchical Scheduling Framework. Same axes and $TL_H$ curves as Figure 6.]

B. Online Support for LC Executions

In this section, we compare the performance of our mechanism in terms of its ability to support LC executions with the other mechanisms described above. We use the following quantitative parameter to measure this online LC performance.

Definition 2 (Percentage of Finished LC Jobs ($PFJ$)): Let $MAX_t$ denote the maximum possible number of LC jobs that a taskset $\mathcal{T}$ can generate in the time interval $[0, t)$. By definition, $MAX_t = \sum_{L_i = LC} \lceil t / T_i \rceil$. Let $FIN_t$ denote the number of LC jobs that successfully finish by their deadlines in the time interval $[0, t)$ using some mechanism. Then, $PFJ$ is equal to $FIN_t / MAX_t$.

Tasksets are generated using the procedure described earlier, and the various mechanisms are simulated to measure their online performance. The following additional settings and restrictions are used for this purpose.

• $\max\{U_{LL} + U_{LH}, U_{HH}\} = 0.80$, $0.85$ and $0.90$.
• The tolerance limit $TL_H$ is chosen to be the largest value that still guarantees schedulability of our mechanism under a flat scheduling framework.
• Tasksets are simulated for $t = 10{,}\ldots$ time units.
• Each HC job independently switches to HC mode, i.e., executes for more than its LC WCET, with a probability of …, …, …, … or ….
• All the mechanisms transition back to LC mode of execution when there are no pending jobs.

[Fig. 8. $\max\{U_{LL} + U_{LH}, U_{HH}\} = 0.\ldots$. x-axis: the probability that a HC job exhibits HC behavior; y-axis: $PFJ$ (percent of finished LC jobs); curves: Proposed Mechanism, Service Adaptation, Elastic Model, Classical Model.]
[Fig. 9. $\max\{U_{LL} + U_{LH}, U_{HH}\} = 0.80$, $0.85$ and $0.90$. Same axes as Figure 8; curves: Proposed Mechanism and Classical Model, each at utilization bounds 0.80, 0.85 and 0.90.]

We have chosen a relatively high value for $\max\{U_{LL} + U_{LH}, U_{HH}\}$, because at smaller values there is sufficient spare capacity that all the mechanisms are easily able to support LC executions. Simulation results are shown in Figures 8 and 9. The x-axis denotes the probability that a HC job independently switches to HC mode, and the y-axis denotes $PFJ$ for each mechanism. Each point in these figures is generated by taking the average value of $PFJ$ over … tasksets. In Figure 8, we consider only those tasksets that are deemed to be offline schedulable by all the presented mechanisms. As shown in the figure, our mechanism consistently outperforms all the other mechanisms for different values of the mode switch probability, and the performance gap widens with increasing probability values. One should note that the results in Figure 8 may not be truly representative of the performance of our mechanism in terms of its ability to support LC jobs, and this can be explained as follows.
To compare our mechanism's ability to support LC executions with the other mechanisms, we have to simulate using tasksets that are schedulable by all these mechanisms. In particular, this set does not include many tasksets that are schedulable under our mechanism but not under one of the other mechanisms. From our observation, in the tasksets that are schedulable by all these mechanisms, the average percentage of HC tasks is much higher than that of LC tasks. Hence, to show the ability of our mechanism to support LC executions in a more objective way, we compare the proposed mechanism alone with the classical model, with utilization bound $\max\{U_{LL} + U_{LH}, U_{HH}\} = 0.80$, $0.85$ and $0.90$, as shown in Figure 9. In this case, any taskset schedulable by the classical model can be used in the simulation. It can be seen that the performance of both our mechanism and the classical model drops when compared with the results in Figure 8. However, it can also be seen that our mechanism still dominates the classical model, and the corresponding performance gap does not decrease compared with the gap in Figure 8.

ACKNOWLEDGMENT

This work was supported in part by MoE Tier-2 grant (MOE2013-T2-2-029) and an NTU start-up grant, Singapore. This work was also supported in part by MSIP/IITP (14-824-09-013) funded by the Korea Government.

VI. CONCLUSIONS

In this paper we proposed a novel mechanism to improve the service levels of low-criticality tasks by allowing them to execute even when some high-criticality tasks have exceeded their estimated WCETs. We developed schedulability tests for our mechanism under the mixed-criticality EDF scheduling strategy, considering both a flat as well as a hierarchical scheduling framework. We also evaluated the performance of our mechanism in terms of offline schedulability and online support for low-criticality executions.
Simulation results clearly show that the proposed mechanism outperforms all the existing approaches.

In the evaluation section we only consider the performance of our mechanism when all the high-criticality tasks are in one component and all the low-criticality tasks are in another component. In fact, its performance can be further improved if we also consider scenarios in which the low-criticality tasks are allocated to the same component as the high-criticality ones, especially in terms of offline schedulability. In our future work we will consider this problem of optimally allocating the low-criticality tasks so as to maximize offline schedulability as well as online performance.

REFERENCES

[1] P. J. Prisaznuk, “Integrated modular avionics,” in Aerospace and Electronics Conference (NAECON). IEEE, 1992, pp. 39–45.
[2] S. Vestal, “Preemptive scheduling of multi-criticality systems with varying degrees of execution time assurance,” in Real-Time Systems Symposium, 2007. RTSS 2007. 28th IEEE International. IEEE, 2007, pp. 239–243.
[3] S. Baruah, A. Burns, and R. Davis, “Response-Time Analysis for Mixed Criticality Systems,” in RTSS, 2011, pp. 34–43.
[4] S. Baruah and G. Fohler, “Certification-Cognizant Time-Triggered Scheduling of Mixed-Criticality Systems,” RTSS, pp. 3–12, 2011.
[5] N. Guan, P. Ekberg, M. Stigge, and W. Yi, “Effective and Efficient Scheduling of Certifiable Mixed-Criticality Sporadic Task Systems,” in RTSS, 2011, pp. 13–23.
[6] S. Baruah, V. Bonifaci, G. D'Angelo, H. Li, and A. Marchetti-Spaccamela, “The Preemptive Uniprocessor Scheduling of Mixed-Criticality Implicit-Deadline Sporadic Task Systems,” in ECRTS, 2012.
[7] P. Ekberg and W. Yi, “Bounding and Shaping the Demand of Mixed-Criticality Sporadic Tasks,” in ECRTS, 2012, pp. 135–144.
[8] A. Easwaran, “Demand-based Scheduling of Mixed-Criticality Sporadic Tasks on One Processor,” in RTSS, 2013, pp. 78–87.
[9] A. Burns and S. Baruah, “Towards a More Practical Model for Mixed-Criticality Systems,” in Workshop on Mixed-Criticality Systems (co-located with RTSS), 2013.
[10] M. Jan, L. Zaourar, and M. Pitel, “Maximizing the execution rate of low-criticality tasks in mixed criticality system,” in Workshop on Mixed-Criticality Systems (co-located with RTSS), 2013.
[11] H. Su and D. Zhu, “An elastic mixed-criticality task model and its scheduling algorithm,” in Proceedings of the Conference on Design, Automation and Test in Europe, ser. DATE ’13. San Jose, CA, USA: EDA Consortium, 2013, pp. 147–152. [Online]. Available: http://dl.acm.org/citation.cfm?id=2485288.2485325
[12] P. Huang, G. Giannopoulou, N. Stoimenov, and L. Thiele, “Service adaptions for mixed-criticality systems,” in Proceedings of the Asia and South Pacific Design Automation Conference (ASP-DAC), 2014.
[13] A. Lackorzyński, A. Warg, M. Völp, and H. Härtig, “Flattening hierarchical scheduling,” in Proceedings of the Tenth ACM International Conference on Embedded Software (EMSOFT), 2012, pp. 93–102.
[14] P. Huang, P. Kumar, N. Stoimenov, and L. Thiele, “Interference constraint graph: a new specification for mixed-criticality systems,” in Emerging Technologies & Factory Automation (ETFA), 2013 IEEE 18th Conference on. IEEE, 2013, pp. 1–8.
[15] T. Fleming and A. Burns, “Incorporating the notion of importance into mixed criticality systems,” in WMC, 2014, p. 33.
[16] J. Herman, C. Kenna, M. Mollison, J. Anderson, and D. Johnson, “RTOS support for multicore mixed-criticality systems,” in RTAS.
[…] “ARINC653 - An Avionics Standard for Safe, Partitioned Systems,” Wind River Systems / IEEE Seminar, 2008.
[19] S. Baruah, A. Mok, and L. Rosier, “Preemptively Scheduling Hard-Real-Time Sporadic Tasks on One Processor,” in RTSS, 1990, pp. 182–190.
[20] I. Shin and I. Lee, “Periodic resource model for compositional real-time guarantees,” in RTSS, 2003, pp. 2–13.
[21] A. Easwaran, M. Anand, and I. Lee, “Compositional Analysis Framework using EDP Resource Models,” in RTSS, 2007, pp. 129–138.

APPENDIX

A. Dbf Optimization

When component $\mathcal{C}$ experiences EMS, i.e., in the case when $t_E < t$, it is pessimistic to simply add up the demand of all the tasks. Here we introduce an optimization that can be applied in the schedulability test to reduce this pessimism. We split $\mathrm{dbf}(\tau_i, t, t_i)$ into two elements, $DL(\tau_i, t, t_i)$ denoting the demand for the interval $[0, t_E)$, and $DH(\tau_i, t, t_i)$ denoting the demand for the interval $[t_E, t)$.

$$\mathrm{dbf}(\tau_i, t, t_i) = DL(\tau_i, t, t_i) + DH(\tau_i, t, t_i) \qquad (16)$$

Below we present a key observation that provides some insight into this split. Since the first deadline miss is assumed to happen at time instant $t$ in our schedulability test, the demand before $t_E$ $(< t)$ cannot exceed $t_E$. Otherwise, the first deadline miss would happen at or before $t_E$. Thus the total demand during $[0, t_E)$ can be bounded by $t_E$, and as a consequence $\mathrm{dbf}(\mathcal{C}, t, t_E, t_I)$ can be more tightly bounded as follows.

$$\mathrm{dbf}(\mathcal{C}, t, t_E, t_I) = DL + DH + \sum_{\tau_i \in \mathcal{G}} \Delta_i, \quad \text{where} \quad DH = \sum_{L_i = LC} DH(\tau_i, t, t_I) + \sum_{L_i = HC} DH(\tau_i, t, t_E), \quad \text{and} \quad DL = \min\left\{ t_E,\ \sum_{L_i = LC} DL(\tau_i, t, t_I) + \sum_{L_i = HC} DL(\tau_i, t, t_E) \right\} \qquad (17)$$

In Equation 17, we use $DL$ to bound the total demand of $\mathcal{C}$ for the interval $[0, t_E)$, and $DH$ to bound the total demand for the interval $[t_E, t)$. In order to maximize the total demand, we must then split the demand between $DL$ and $DH$ such that $DH$ is maximized (or equivalently $DL$ is minimized). This is because the total demand for the interval $[0, t_E)$ is bounded by $t_E$.

In Section III-B we already presented $\mathrm{dbf}(\tau_i, t, t_i)$ when task $\tau_i$ satisfies condition a, b, c or d. Here we present $DL(\tau_i, t, t_i)$ and $DH(\tau_i, t, t_i)$ for these cases, such that $DH(\tau_i, t, t_i)$ is maximized. If $\tau_i$ is a LC task, then it cannot execute after $t_E$ (it is dropped at $t_i = t_I \le t_E$).
Hence for condition a , DL ( τ i , t, t I ) [ a ] = dbf ( τ i , t, t I ) [ a ] DH ( τ i , t, t I ) [ a ] = 0 (18) Consider the case when τ i satisfies condition b , i.e., L i = HC and t − t i < D i − D Li . Here as well τ i cannot executeafter t E as given in Lemma 2. Hence, DL ( τ i , t, t E ) [ b ] = dbf ( τ i , t, t E ) [ b ] DH ( τ i , t, t E ) [ b ] = 0 (19) t i = t E D Li − C Li t E − r ( J Ai ) − ( D Li − C Li ) r ( J Ai ) Fig. 10. DL ( τ i , t, t E ) [ c ] and DH ( τ i , t, t E ) [ c ] Consider the case when τ i satisfies condition c , i.e., L i = HC and t − t i ≥ D i . In this case t i (= t E ) occurs afterthe release of special job J Ai and this scenario is shown inigure 10. To minimize the demand of J Ai before t E , weassume that it executes as late as possible. Thus, J Ai ’s demandbefore t E can be bounded by t E − r ( J Ai ) − ( D Li − C Li ) , andwe have, DL ( τ i , t, t E ) [ c ] = min (cid:110)(cid:104) t E − r ( J Ai ) − ( D Li − C Li ) (cid:105) , C Li (cid:111) + b i × C Li , DH ( τ i , t, t E ) [ c ] = − min (cid:110)(cid:104) t E − r ( J Ai ) − ( D Li − C Li ) (cid:105) , C Li (cid:111) + dbf ( J Ai , t, t E ) + a i × C Hi , where b i = (cid:98) ( t E − ( t − D i −(cid:98) ( t − D i ) /T i (cid:99) × T i )) /T i (cid:99) ,a i = (cid:98) ( t − D i ) /T i (cid:99) − b i , and r ( J Ai ) = t − D i − (cid:98) ( t − D i ) /T i (cid:99) × T i + b i × T i . (20) Finally, consider the case when τ i satisfies condition d ,i.e., L i = HC and D i − D Li ≤ t − t i < D i . In this caseas well DH ( τ i , t, t i = t E ) [ d ] is maximized if the first job isreleased at t − D i − (cid:98) ( t − D i ) /T i (cid:99) × T i (pattern of conditionc), and therefore we have, DH ( τ i , t, t E ) [ d ] = DH ( τ i , t, t E ) [ c ] DL ( τ i , t, t E ) [ d ] = dbf ( τ i , t, t E ) [ d ] − DH ( τ i , t, t E ) [ d ] (21) B. Upper bound for t MAX Consider a mixed-criticality system with p HC components C , C , . . . , C p and q LC components C p +1 , C p +2 , . . . 
, $C_{p+q}$. Let $U_{LL}(j) = \sum_{\tau_i \in C_j,\, L_i = LC} C_i^L / T_i$, $U_{LH}(j) = \sum_{\tau_i \in C_j,\, L_i = HC} C_i^L / T_i$ and $U_{HH}(j) = \sum_{\tau_i \in C_j,\, L_i = HC} C_i^H / T_i$.

Case 1: If component $C_j$ experiences IMS at $t_I^j$, then the demand of a LC task $\tau_i$ in the time interval $[0, t)$ is upper bounded by $(t_I^j / T_i + 1) \times C_i^L$, because $\tau_i$ will be dropped after $t_I^j$. A HC task $\tau_i$ in $C_j$ switches to HC mode at some time instant $t_i \in [t_I^j, t_E]$. The demand of $\tau_i$ before job $J_i^A$ is bounded by $t_i / T_i \times C_i^L$, the demand of job $J_i^A$ is bounded by $C_i^H$, and the demand after $t_i$ is bounded by $(t - t_i - D_i + T_i) / T_i \times C_i^H$. Thus the total demand of $\tau_i$ in the time interval $[0, t)$ is bounded by

$$\frac{t_i}{T_i} \times C_i^L + C_i^H + \frac{t - t_i - D_i + T_i}{T_i} \times C_i^H \quad (22)$$

Since $C_i^H > C_i^L$ and $t_i \in [t_I^j, t_E]$, the value of Expression (22) is maximized when $t_i = t_I^j$. Therefore the total demand of $C_j$ is bounded by

$$\sum_{\tau_i \in C_j,\, L_i = HC} \Big( t_I^j \times C_i^L + C_i^H \, (t - t_I^j - D_i + 2T_i) \Big) / T_i + \sum_{\tau_i \in C_j,\, L_i = LC} (t_I^j / T_i + 1) \times C_i^L$$
$$\le U_{HH}(j) \times t + \max_{\tau_i \in C_j} \{ T_i - D_i \} \times U_{HH}(j) + \sum_{\tau_i \in C_j,\, L_i = LC} C_i^L + \big( U_{LL}(j) + U_{LH}(j) - U_{HH}(j) \big) \times t_I^j$$

Case 2: Suppose component $C_j$ does not experience IMS, i.e., all the LC tasks within $C_j$ are dropped after $t_E$, and all the HC tasks switch to HC mode at $t_E$. In this case, the demand of a LC task $\tau_i$ in the time interval $[0, t)$ is upper bounded by $(t_E / T_i + 1) \times C_i^L$, and the demand of a HC task $\tau_i$ in the time interval $[0, t)$ is upper bounded by $\frac{t_E}{T_i} \times C_i^L + C_i^H + \frac{t - t_E - D_i + T_i}{T_i} \times C_i^H$.

Therefore the total demand of $C_j$ is bounded by

$$\sum_{\tau_i \in C_j,\, L_i = HC} \Big( t_E \times C_i^L + C_i^H \times (t - t_E - D_i + 2T_i) \Big) / T_i + \sum_{\tau_i \in C_j,\, L_i = LC} (t_E / T_i + 1) \times C_i^L$$
$$\le U_{HH}(j) \times t + \max_{\tau_i \in C_j} \{ T_i - D_i \} \times U_{HH}(j) + \sum_{\tau_i \in C_j,\, L_i = LC} C_i^L + \big( U_{LL}(j) + U_{LH}(j) - U_{HH}(j) \big) \times t_E$$

Let $A$ denote the set of components $C_j$ with $U_{LL}(j) + U_{LH}(j) - U_{HH}(j) < 0$, and $B$ denote the remaining set of components. Then if $C_j \in A$, its demand bound given above is maximized when $t_I^j = 0$ or $t_E = 0$. On the other hand, if $C_j \in B$, its demand bound is maximized when $t_I^j = t$ or $t_E = t$. Thus, an upper bound on the total demand of $C_j$ is equal to

$$\begin{cases} U_{HH}(j) \times t + \max_{\tau_i \in C_j} \{ T_i - D_i \} \times U_{HH}(j) + \sum_{\tau_i \in C_j,\, L_i = LC} C_i^L & \text{if } C_j \in A \\[4pt] \max_{\tau_i \in C_j} \{ T_i - D_i \} \times U_{HH}(j) + \sum_{\tau_i \in C_j,\, L_i = LC} C_i^L + \big( U_{LL}(j) + U_{LH}(j) \big) \times t & \text{if } C_j \in B \end{cases} \quad (23)$$

Suppose $\sum_{j=1}^{p+q} \mathrm{dbf}(C_j, t, t_E, t_I^j) > t$ for some $t$. Then it must be the case that

$$\sum_{j=1}^{p+q} \Big( \max_{\tau_i \in C_j} \{ T_i - D_i \} \times U_{HH}(j) + \sum_{\tau_i \in C_j,\, L_i = LC} C_i^L \Big) > t \Big( 1 - \sum_{C_j \in A} U_{HH}(j) - \sum_{C_j \in B} \big( U_{LL}(j) + U_{LH}(j) \big) \Big)$$
$$\Rightarrow \quad t < \frac{\sum_{j=1}^{p+q} \Big( \max_{\tau_i \in C_j} \{ T_i - D_i \} \times U_{HH}(j) + \sum_{\tau_i \in C_j,\, L_i = LC} C_i^L \Big)}{1 - \sum_{C_j \in A} U_{HH}(j) - \sum_{C_j \in B} \big( U_{LL}(j) + U_{LH}(j) \big)}$$

Thus we can conclude that the upper bound of $t$, i.e., $t_{MAX}$, is given as

$$t_{MAX} = \frac{\sum_{j=1}^{p+q} \Big( \max_{\tau_i \in C_j} \{ T_i - D_i \} \times U_{HH}(j) + \sum_{\tau_i \in C_j,\, L_i = LC} C_i^L \Big)}{1 - \sum_{C_j \in A} U_{HH}(j) - \sum_{C_j \in B} \big( U_{LL}(j) + U_{LH}(j) \big)}$$
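The following Python is an added worked example, not code from the paper, covering both appendices: the condition-c split of Equation 20 (with the component-level cap of Equation 17) and the per-component bound of Equation 23 together with the resulting $t_{MAX}$, evaluated on a constructed two-component task set. It assumes that $\langle x \rangle$ in Equation 20 means $\max(x, 0)$, that $\mathrm{dbf}(J_i^A, t, t_E)$ (defined in Section III-B, not in the appendix) is supplied by the caller, and that the $\Delta_i \in \mathcal{G}$ term of Equation 17 is likewise passed in; the `Task` record, the task parameters and all function names are the example's own.

```python
# Added worked example (not from the paper): the condition-c split of Eq. (20),
# the cap of Eq. (17), and the per-component bound / t_MAX of Appendix B.
# Assumptions not stated on the page: <x> in Eq. (20) is read as max(x, 0);
# dbf(J_i^A, t, t_E) and the Delta_i terms come from the main text and are
# passed in by the caller; the Task record and function names are this example's.
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Task:
    T: int      # period
    D: int      # HC-mode relative deadline, D <= T
    D_L: int    # LC-mode relative deadline, D_L <= D
    C_L: int    # LC-mode WCET
    C_H: int    # HC-mode WCET, C_H >= C_L
    L: str      # criticality level, "LC" or "HC"


def release_pattern_c(task: Task, t: int, t_E: int):
    """b_i, a_i and r(J_i^A) of Eq. (20) for a HC task under condition c
    (t - t_E >= D_i). The first job is released at t - D_i - floor((t-D_i)/T_i)*T_i
    so that a job deadline coincides with t; J_i^A is the last job released at
    or before t_E."""
    assert task.L == "HC" and t - t_E >= task.D, "condition c does not hold"
    n = (t - task.D) // task.T            # floor((t - D_i)/T_i), integer floor
    r0 = t - task.D - n * task.T          # first release of the pattern
    b = (t_E - r0) // task.T              # jobs released before J_i^A
    a = n - b                             # jobs after J_i^A with deadline <= t
    r_JA = r0 + b * task.T                # release of the special job J_i^A
    return b, a, r_JA


def split_c(task: Task, t: int, t_E: int, dbf_JA: int):
    """DL(tau_i,t,t_E)[c] and DH(tau_i,t,t_E)[c] of Eq. (20). J_i^A is assumed
    to run as late as possible, which minimises its work before t_E and so
    maximises DH. dbf_JA is dbf(J_i^A, t, t_E) from Section III-B."""
    b, a, r_JA = release_pattern_c(task, t, t_E)
    # <t_E - r(J_A) - (D_L - C_L)> read as max(., 0), then capped by C_L
    before_tE = min(max(t_E - r_JA - (task.D_L - task.C_L), 0), task.C_L)
    DL = before_tE + b * task.C_L
    DH = -before_tE + dbf_JA + a * task.C_H
    return DL, DH


def component_dbf_split(DLs, DHs, t_E, deltas=()):
    """Eq. (17): the [0, t_E) part of the demand can never exceed t_E, since
    otherwise the first deadline miss would be at or before t_E."""
    return min(t_E, sum(DLs)) + sum(DHs) + sum(deltas)


def utilizations(comp):
    """U_LL(j), U_LH(j), U_HH(j) of Appendix B as exact fractions."""
    U_LL = sum((Fraction(k.C_L, k.T) for k in comp if k.L == "LC"), Fraction(0))
    U_LH = sum((Fraction(k.C_L, k.T) for k in comp if k.L == "HC"), Fraction(0))
    U_HH = sum((Fraction(k.C_H, k.T) for k in comp if k.L == "HC"), Fraction(0))
    return U_LL, U_LH, U_HH


def component_bound(comp, t):
    """Eq. (23): bound on the demand of C_j in [0, t) after maximising over
    t_I^j (or t_E). Components in set A (U_LL + U_LH - U_HH < 0) peak at
    t_I^j = 0, those in set B at t_I^j = t."""
    U_LL, U_LH, U_HH = utilizations(comp)
    base = max(k.T - k.D for k in comp) * U_HH + sum(k.C_L for k in comp if k.L == "LC")
    if U_LL + U_LH - U_HH < 0:
        return base + U_HH * t
    return base + (U_LL + U_LH) * t


def t_max(components):
    """t_MAX of Appendix B: beyond this t the summed Eq. (23) bounds cannot
    exceed t, so the test need not look further. Returns None when the
    denominator is not positive, i.e. the bound gives no finite horizon."""
    num, den = Fraction(0), Fraction(1)
    for comp in components:
        U_LL, U_LH, U_HH = utilizations(comp)
        num += max(k.T - k.D for k in comp) * U_HH + sum(k.C_L for k in comp if k.L == "LC")
        den -= U_HH if U_LL + U_LH - U_HH < 0 else U_LL + U_LH
    return num / den if den > 0 else None


# Constructed task set: two components, each with one HC and one LC task.
COMP_1 = (Task(T=10, D=8, D_L=6, C_L=2, C_H=5, L="HC"),
          Task(T=20, D=20, D_L=20, C_L=4, C_H=4, L="LC"))
COMP_2 = (Task(T=10, D=10, D_L=5, C_L=1, C_H=2, L="HC"),
          Task(T=5, D=5, D_L=5, C_L=1, C_H=1, L="LC"))

if __name__ == "__main__":
    print("split_c(Eq. 20):", split_c(COMP_1[0], t=50, t_E=27, dbf_JA=5))
    print("t_MAX          :", t_max([COMP_1, COMP_2]))
```

Exact `Fraction` arithmetic is used on purpose: the set-membership test $U_{LL}(j) + U_{LH}(j) - U_{HH}(j) < 0$ and the sign of the denominator decide the result, and floating-point rounding of utilizations can flip either one. For the constructed set, $C_1 \in A$ and $C_2 \in B$, and at $t = t_{MAX}$ the two Equation 23 bounds sum to exactly $t$, which is the boundary the derivation describes.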
