
Mixed Criticality Systems with Weakly-Hard Constraints



  1. Mixed Criticality Systems with Weakly-Hard Constraints
     - Oliver Gettings, University of York, oliver@cs.york.ac.uk
     - Sophie Quinton, INRIA Grenoble, sophie.quinton@inria.fr
     - Rob Davis, University of York, rob.davis@york.ac.uk

  2. Mixed Criticality Systems
     - Mixed Criticality
       - Criticality is the required level of assurance against failure
       - Mixed Criticality Systems contain applications of at least two criticality levels
       - Examples:
         - Aerospace – Flight Control Systems v. Surveillance
         - Automotive – Electric Power Steering v. Cruise Control
     - Motivation for MCS
       - Driven by Size, Weight and Power (SWaP) and cost requirements
       - Applications with different criticalities (safety critical, mission critical etc.) on the same HW platform
     - This research:
       - Dual-Criticality - Applications of HI and LO criticality

  3. Mixed Criticality Systems
     - Key requirements
       - Separation – must ensure that LO-criticality applications cannot impinge on those of HI-criticality
       - Sharing – want to allow LO- and HI-criticality applications to use the same resources for efficiency
     - Real-Time behaviour
       - Concept of a criticality mode (LO or HI)
       - LO and HI-criticality applications must meet their time constraints in LO-criticality mode
       - Only HI-criticality applications need meet their time constraints in HI-criticality mode (?)
     - Initial Research (Vestal 2007)
       - Idea of different LO- and HI-criticality WCET estimates for the same code
       - Certification authority requires pessimistic approach to $C^{HI}$
       - System designers take a more realistic approach to $C^{LO}$

  4. System Model
     - Uniprocessor, fixed priority pre-emptive scheduling
     - Sporadic task sets where a task, $\tau_i = (T_i, D_i, C_i, L_i)$
       - $T_i$ - Task period or minimum inter-arrival time
       - $D_i$ - Relative deadline
       - $C_i^{l}$ - WCET of $\tau_i$ at criticality level $l$
       - $L_i$ - Designated criticality level for $\tau_i$
     - $hp(i)$ - Set of higher priority tasks (than $\tau_i$)
     - $hpHI(i)$ - Set of higher priority, HI criticality tasks
     - $hpLO(i)$ - Set of higher priority, LO criticality tasks

  5. Recap: Adaptive Mixed Criticality
     - AMC scheduling scheme
       - If a HI-criticality task executes for its $C^{LO}$ without signalling completion then no further jobs of LO-criticality tasks are started [1] and the system enters HI-criticality mode
       - This frees up processor bandwidth to ensure that HI-criticality tasks can meet their deadlines in HI-criticality mode
       - But, … it has the drawback that LO-criticality functionality is completely abandoned
     - [1] Any partially executed job of each LO-criticality task may complete

  6. Recap: Adaptive Mixed Criticality
     - [Figure: timelines of a HI-criticality task $\tau_i$ and a LO-criticality task $\tau_k$ across a criticality change at time $y$ (LO mode to HI mode). Annotations: after the criticality change, $\tau_i$ is assumed to execute up to $C_i^{HI}$; no more releases of $\tau_k$ after the criticality change. Legend: executing, preempted, job released, deadline met.]

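  7. Recap: AMC-rtb Analysis
     - LO-criticality mode

       $$R_i^{LO} = C_i^{LO} + \sum_{j \in hp(i)} \left\lceil \frac{R_i^{LO}}{T_j} \right\rceil C_j^{LO}$$

     - HI-criticality mode

       $$R_i^{HI} = C_i^{HI} + \sum_{j \in hpHI(i)} \left\lceil \frac{R_i^{HI}}{T_j} \right\rceil C_j^{HI}$$

     - Mode change transition

       $$R_i^{*} = C_i^{HI} + \sum_{j \in hpHI(i)} \left\lceil \frac{R_i^{*}}{T_j} \right\rceil C_j^{HI} + \sum_{k \in hpLO(i)} \left\lceil \frac{R_i^{LO}}{T_k} \right\rceil C_k^{LO}$$

       Interference from higher priority LO-criticality tasks only up to $R^{LO}$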

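  8. Recap: AMC-max Analysis
     - AMC-rtb analysis assumes (pessimistically) that all jobs of HI-criticality tasks execute with their $C^{HI}$ values
     - AMC-max removes this pessimism
     - [Figure: timeline of $\tau_i$ with a criticality change at time $y$ (LO mode to HI mode), showing $C_i^{LO}$ and $C_i^{HI}$. Legend: executing, job released, deadline met.]
     - Calculates number of releases after criticality change up to $t$:

       $$M(i, y, t) = \min\left\{ \left\lceil \frac{t - y + D_i}{T_i} \right\rceil, \left\lceil \frac{t}{T_i} \right\rceil \right\}$$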

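  9. Recap: AMC-max Analysis
     - AMC-max Criticality Mode Change (LO → HI) at time $y$

       $$R_i^{y} = C_i^{HI} + \sum_{k \in hpLO(i)} \left( \left\lfloor \frac{y}{T_k} \right\rfloor + 1 \right) C_k^{LO} + \sum_{j \in hpHI(i)} \left[ M(j, y, R_i^{y})\, C_j^{HI} + \left( \left\lceil \frac{R_i^{y}}{T_j} \right\rceil - M(j, y, R_i^{y}) \right) C_j^{LO} \right]$$

     - Values of $y$ that need to be assessed are bounded by 0 and $R^{LO}$.
     - Values of $y$ at which response time may change correspond to releases of higher priority, LO-criticality tasks:

       $$R_i^{*} = \max(R_i^{y}) \;\; \forall y \text{ where } y \in kT_j \;\; \forall k : \mathbb{N} \;\; \forall j \in hpLO(i) \wedge y \le R_i^{LO}$$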

  10. AMC Abandonment Problem
     - Abandoning all LO-criticality jobs
       - Is not acceptable in many real systems
       - May lead to loss of important functionality as LO-criticality tasks are still critical (not non-critical)
     - This work:
       - Aims to address the abandonment problem by combining AMC with an existing concept called Weakly-Hard
       - Provides a guaranteed minimum quality of service for LO-criticality tasks in HI-criticality mode – graceful degradation

  11. AMC-Weakly Hard
     - Weakly Hard Model
       - Proposed in 2001 by Guillem Bernat et al.
       - Guarantees that $(m - s)$ out of any $m$ deadlines are met via (somewhat complex) offline analysis
     - AMC-Weakly Hard
       - Combines a simple interpretation of the weakly-hard concept with existing AMC policy and schedulability analysis
       - Allows $s$ out of $m$ LO-criticality jobs to be skipped in HI-criticality mode to reduce the load on the system
       - Still provides a level of service to LO-criticality applications, since $(m - s)$ out of $m$ deadlines are met
       - Gives system designer flexibility to provide graceful degradation for LO-criticality applications

  12. AMC-Weakly Hard
     - Skips a number of consecutive jobs in a cycle
     - [Figure: timeline of a LO-criticality task $\tau_k$ for $t$ from 0 to 18 across a criticality mode change (LO mode to HI mode). Legend: executing, job released, job skipped, deadline met.]
     - After criticality mode change: Skip $s$ jobs in next $m$ releases
     - Repeat this cycle indefinitely in HI-criticality mode
     - Number of skipped jobs is strictly bounded: $(m - s)$ out of $m$ deadlines met

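  13. AMCrtb-WH Analysis
     - [Figure: timeline of $\tau_k$ for $t$ from 0 to 9 over one cycle of length $m_k T_k$, with the skipped jobs labelled $n=3$, $n=2$, $n=1$. Legend: executing, job skipped, job released, deadline met.]
     - $\tau_i = (T_i, D_i, C_i, L_i, s_i, m_i)$
       - $m$ is length of a cycle
       - $s$ is number of skipped jobs in a cycle
       - $n$ is index of a skipped job

       $$\left( \left\lceil \frac{t}{T_k} \right\rceil - \sum_{n=1}^{s_k} \left\lceil \frac{t - (m_k - n) T_k}{m_k T_k} \right\rceil \right) C_k$$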

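  14. AMCrtb-WH Analysis
     - LO Criticality Mode

       $$R_i^{LO} = C_i^{LO} + \sum_{j \in hp(i)} \left\lceil \frac{R_i^{LO}}{T_j} \right\rceil C_j^{LO}$$

     - HI Criticality Mode (worst case assumes skips are at the end of each cycle)

       $$R_i^{HI} = C_i^{L_i} + \sum_{j \in hpHI(i)} \left\lceil \frac{R_i^{HI}}{T_j} \right\rceil C_j^{HI} + \sum_{k \in hpLO(i)} \left( \left\lceil \frac{R_i^{HI}}{T_k} \right\rceil - \sum_{n=1}^{s_k} \left\lceil \frac{R_i^{HI} - (m_k - n) T_k}{m_k T_k} \right\rceil_0 \right) C_k^{LO}$$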

  15. AMCrtb-WH Analysis
     - Criticality Mode Change (LO → HI)
     - Skips start on first release after mode change
     - [Figure: timeline of $\tau_k$ for $t$ from 0 to 18 across the mode change (LO mode to HI mode), with $R_i^{LO}$ and $x_k$ marked, followed by cycles of length $m_k T_k$. Legend: executing, job skipped, job released, deadline met.]
     - First release of job after Criticality Mode Change:

       $$x_k = \left\lceil \frac{R_i^{LO}}{T_k} \right\rceil T_k$$

  16. AMCrtb-WH Analysis
     - Criticality Mode Change (LO → HI): HI Criticality Tasks (assumes skips are at the start of each cycle)

       j ] ∗ − 𝑛 7 − 𝑜 𝑈 ∗ ∗ 𝑆 ( 𝑆 ( − ; 𝑆 ( 7 − 𝑦 7 ∗ = 𝐷 ( "# + "# $% 𝑆 ( ; 𝐷 < + ; 𝐷 7 𝑈 𝑈 𝑛 7 𝑈 < 7 7 h <∈𝒊𝒒𝑰𝑱(() 7∈𝒊𝒒𝑴𝑷 ( ^_\ ]

     - Criticality Mode Change (LO → HI): LO Criticality Tasks

       $$R_i^{*} = C_i^{LO} + \sum_{j \in hpHI(i)} \left\lceil \frac{R_i^{*}}{T_j} \right\rceil C_j^{HI} + \sum_{k \in hpLO(i)} \left\lceil \frac{R_i^{*}}{T_k} \right\rceil C_k^{LO}$$

       No skipping assumed for higher priority LO-criticality task.

  17. AMCmax-WH Analysis
     - AMCrtb-WH criticality mode change analysis is pessimistic
       - Analysing HI-criticality: Assumes all HI-criticality jobs up to $R^{*}$ execute with their $C^{HI}$ values, AND
       - Analysing LO-criticality: Assumes no skipping of LO-criticality jobs up to $R^{*}$.
     - AMCmax-WH analysis removes these sources of pessimism by taking into account the points at which a criticality mode change could occur
     - Analysis for LO- and HI-criticality modes is the same as AMCrtb-WH

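  18. AMCmax-WH Analysis
     - Criticality Mode Change (LO → HI) at time $y$
     - [Figure: timeline of $\tau_k$ with a mode change at time $y$ (LO mode to HI mode), $z_k$ marked, followed by cycles of length $m_k T_k$. Legend: executing, job skipped, job released, deadline met.]
     - First release of job after Criticality Mode Change:

       $$z_k = \left\lceil \frac{y}{T_k} \right\rceil T_k$$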
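
The AMC-rtb and AMC-max recurrences recapped on slides 7 to 9, as an added Python example that is not code from the slides or their authors. The task set, the tuple layout `(T, D, C_LO, C_HI, L)`, the function names and the clamp of `M` at zero are assumptions made here; priorities follow list order.

```python
from math import ceil, floor

# Constructed task set, highest priority first: (T, D, C_LO, C_HI, L).
TASKS = [(4, 2, 1, 2, "HI"), (10, 10, 3, 3, "LO"), (100, 100, 5, 8, "HI")]

def fixed_point(c_own, interference, deadline):
    """Solve R = c_own + interference(R); None once R exceeds the deadline."""
    r, nxt = 0, c_own
    while nxt != r:
        if nxt > deadline:
            return None
        r, nxt = nxt, c_own + interference(nxt)
    return r

def split_hp(i, ts):
    """Higher-priority tasks of task i as (hpLO(i), hpHI(i))."""
    return [t for t in ts[:i] if t[4] == "LO"], [t for t in ts[:i] if t[4] == "HI"]

def r_lo(i, ts=TASKS):
    """R_i^LO: every higher-priority task runs for its C^LO."""
    return fixed_point(ts[i][2], lambda r: sum(ceil(r / t[0]) * t[2] for t in ts[:i]), ts[i][1])

def r_rtb(i, ts=TASKS):
    """AMC-rtb R_i^* of a HI task: LO interference only up to R_i^LO."""
    hp_lo, hp_hi = split_hp(i, ts)
    rlo = r_lo(i, ts)
    if rlo is None:
        return None
    lo = sum(ceil(rlo / t[0]) * t[2] for t in hp_lo)
    return fixed_point(ts[i][3], lambda r: lo + sum(ceil(r / t[0]) * t[3] for t in hp_hi), ts[i][1])

def m_rel(t, y, r):
    """M(j, y, r); the clamp at 0 is a guard added in this example."""
    return max(0, min(ceil((r - y + t[1]) / t[0]), ceil(r / t[0])))

def r_max(i, ts=TASKS):
    """AMC-max R_i^* of a HI task: max of R_i^y over mode-change times y."""
    hp_lo, hp_hi = split_hp(i, ts)
    rlo = r_lo(i, ts)
    if rlo is None:
        return None
    worst = 0
    for y in {0} | {k * t[0] for t in hp_lo for k in range(rlo // t[0] + 1)}:
        lo = sum((floor(y / t[0]) + 1) * t[2] for t in hp_lo)
        hi = lambda r: sum(m_rel(t, y, r) * t[3] + (ceil(r / t[0]) - m_rel(t, y, r)) * t[2] for t in hp_hi)
        ry = fixed_point(ts[i][3], lambda r: lo + hi(r), ts[i][1])
        if ry is None:
            return None
        worst = max(worst, ry)
    return worst
```

For the lowest-priority HI task in this set, AMC-rtb bounds the mode-change response time at 28 and AMC-max at 24, so with a deadline of 25 only AMC-max deems the task schedulable.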
