Towards A More Practical Model for Mixed Criticality Systemsrobdavis/wmc2013/presentation3.… ·...
26
Towards A More Practical Model for Mixed Criticality Systems Alan Burns and Sanjoy Baruah University of York, UK University of North Carolina, USA WMC 2013 – p. 1/26
Transcript of Towards A More Practical Model for Mixed Criticality Systemsrobdavis/wmc2013/presentation3.… ·...
Towards A More PracticalModel for Mixed Criticality
SystemsAlan Burns and Sanjoy Baruah
University of York, UK
University of North Carolina, USA
WMC 2013 – p. 1/26
Standard Model - 1A mixed criticality system is defined toexecute in either of two modes: a HI-critmode or a LO-crit mode
Each task is characterised by:
L (equal to either LO or HI)T and D, period and deadlineC(HI) and C(LO), execution times, withC(HI) ≥ C(LO)
WMC 2013 – p. 2/26
Standard Model - 2The system starts in the LO-crit mode, andremains in that mode as long as all jobsexecute within their low criticality computationtimes (C(LO))
If any job executes for its C(LO) executiontime without completing then the systemimmediately moves to the HI-crit mode
As the system moves to the HI-crit mode allLO-crit tasks are abandoned. No furtherLO-crit jobs are executed
WMC 2013 – p. 3/26
Standard Model - 3The system remains in the HI-crit mode
Tasks are assumed to be independent ofeach other (they do not share any resourceother than the processor)
WMC 2013 – p. 4/26
Important Note
LO-crit is still critical
If all C(LO) values are safe, then the systemnever leaves LO-crit mode
However, some C(LO) values may not besafe, and
We need to address the harshness of‘abandon all LO-crit tasks’
WMC 2013 – p. 5/26
More RealisticAssumptions
LO-crit jobs should not be aborted
LO-crit tasks should survive in some sense
The LO-crit mode is eventually returned to
Tasks are not independent of each other –see paper at ReTiMiCS
More than two criticality levels – see nextpaper here
LO-crit tasks are constrained to execution forat most C(LO)
i.e. mode change is only triggered byHI-crit jobs WMC 2013 – p. 6/26
AMC-rtb Test (LO)
Ri(LO) = Ci(LO) +∑
j∈hp(i)
⌈
Ri(LO)
Tj
⌉
Cj(LO)
WMC 2013 – p. 7/26
AMC-rtb Test (HI)
Ri(HI) = Ci(HI) +∑
τj∈hpH(i)
⌈
Ri(HI)
Tj
⌉
Cj(HI)
+∑
τk∈hpL(i)
⌈
Ri(LO)
Tk
⌉
Ck(LO)
WMC 2013 – p. 8/26
Limitation/Benefits ofAnalysis
All released LO-crit jobs are assumed tocomplete
So no need to abort jobs during theirexecution
though these jobs may not meet theirdeadlines
WMC 2013 – p. 9/26
Alternative Models –on mode change:
Reduce priority of LO-crit tasks
Reduce execution-time of LO-crit tasks
Increase period/deadline of LO-crit tasks
Allow LO-crit tasks to inherent slack fromunder-utilising HI-crit tasks
Then return to LO-crit mode on idle tick
WMC 2013 – p. 10/26
Reduced executiontime
For HI-crit tasks: C(HI) ≥ C(LO)
WMC 2013 – p. 11/26
Reduced executiontime
For HI-crit tasks: C(HI) ≥ C(LO)
For LO-crit tasks: C(HI) ≤ C(LO)
WMC 2013 – p. 12/26
Reduced executiontime
For HI-crit tasks: C(HI) ≥ C(LO)
For LO-crit tasks: C(HI) ≤ C(LO)
For some tasks C(HI) = 0
WMC 2013 – p. 13/26
Analysis for HI-crit
Ri(HI) = Ci(HI) +∑
τj∈hpH(i)
⌈
Ri(HI)
Tj
⌉
Cj(HI) +
∑
τk∈hpL(i)
⌈
Ri(LO)
Tk
⌉
Ck(LO) +
∑
τk∈hpL(i)
(⌈
Ri(HI)
Tk
⌉
−
⌈
Ri(LO)
Tk
⌉)
Ck(HI)
WMC 2013 – p. 14/26
Analysis for HI-crit
Ri(HI) = Ci(HI) +∑
τj∈hpH(i)
⌈
Ri(HI)
Tj
⌉
Cj(HI) +
∑
τk∈hpL(i)
⌈
Ri(LO)
Tk
⌉
(Ck(LO)− Ck(HI)) +
∑
τk∈hpL(i)
⌈
Ri(HI)
Tk
⌉
Ck(HI)
WMC 2013 – p. 15/26
Analysis for HI-crit
Ri(HI) = Ci(HI) +∑
τj∈hp(i)
⌈
Ri(HI)
Tj
⌉
Cj(HI) +
∑
τk∈hpL(i)
⌈
Ri(LO)
Tk
⌉
(Ck(LO)− Ck(HI))
WMC 2013 – p. 16/26
Analysis for LO-crittask in LO-crit mode
R∗i (LO) = Ci(HI) +
∑
j∈hp(i)
⌈
Ri(LO)
Tj
⌉
Cj(LO)
WMC 2013 – p. 17/26
Analysis for LO-crittask in HI-crit mode
Ri(HI) = Ci(HI) +∑
τj∈hpH(i)
⌈
Ri(HI)
Tj
⌉
Cj(HI) +
∑
τk∈hpL(i)
⌈
R∗i (LO)
Tk
⌉
Ck(LO) +
∑
τk∈hpL(i)
(⌈
Ri(HI)
Tk
⌉
−
⌈
R∗i (LO)
Tk
⌉)
Ck(HI)
WMC 2013 – p. 18/26
Analysis for LO-crittask in HI-crit mode
Ri(HI) = Ci(HI) +∑
τj∈hp(i)
⌈
Ri(HI)
Tj
⌉
Cj(HI) +
∑
τk∈hpL(i)
⌈
R∗i (LO)
Tk
⌉
(Ck(LO)− Ck(HI))
WMC 2013 – p. 19/26
Alternative Models –use together:
Reduce execution-time of LO-crit tasks, and
Increase period/deadline of LO-crit tasks
WMC 2013 – p. 20/26
Alternative Models –use together:
Reduce execution-time of LO-crit tasks
Increase period/deadline of LO-crit tasks
Allow LO-crit tasks to inherent slack fromunder-utilising HI-crit tasks
WMC 2013 – p. 21/26
Alternative Models –use together:
Reduce execution-time of LO-crit tasks
Increase period/deadline of LO-crit tasks
Allow LO-crit tasks to inherent slack fromunder-utilising HI-crit tasks
Reduce priority of LO-crit tasks
WMC 2013 – p. 22/26
Capacity Inheritance
Capacity Sharing
Extended Priority Exchange
History Rewriting
WMC 2013 – p. 23/26
RobustnessAnother practical issue is increasing systemrobustness
For example, use sensitivity analysis with theschedulability tests to increase C(LO)s andC(HI)s
And allow priorities to change as part of thisprocess
WMC 2013 – p. 24/26
ConclusionOur models must be realistic
MCS theory must deal with the survival ofLO-crit tasks following a mode change
A number of schemes are possible
This paper has concentrated on reducingexecution time
Paper has also addressed robust priorityassignment, and capacity inheritance
WMC 2013 – p. 25/26
Future WorkLooking at more aggressive methods ofreturning system back to LO-crit mode
Note review on mixed criticality research onmy home page, and on the home page of ourMCC project
WMC 2013 – p. 26/26
