A Survey of Research into Mixed Criticality Systems

Alan Burns, Robert I. Davis
2017 ACM Computing Surveys  
This survey covers research into mixed criticality systems that has been published since Vestal's seminal paper in 2007, up until the end of 2016. The survey is organised along the lines of the major research areas within this topic. These include single processor analysis (including fixed priority and EDF scheduling, shared resources and static and synchronous scheduling), multiprocessor analysis, realistic models, and systems issues. The survey also explores the relationship between research
into mixed criticality systems and other topics such as hard and soft time constraints, fault tolerant scheduling, hierarchical scheduling, cyber-physical systems, probabilistic real-time systems, and industrial safety standards.

route planner, is desirable and improves the Quality of Service (QoS) of the system, but is less critical. The criticality of a component determines the level of rigour applied in the design and analysis used to determine its correct functionality and resource usage (e.g. processor execution time, communication bandwidth, etc.). As a result, the same component can have more than one resource-usage profile. If it is used as part of the flight control subsystem then more conservative assumptions as to its potential resource usage need to be made; if it is part of a mission-critical activity then lower, though still realistic, resource requirements can be assumed. Put simply, all safety-critical software must meet its timing requirements when conservative assumptions are made, and all mission-critical components must meet their requirements when more realistic assumptions are made for all of the software. This crucial property, of being able to take a criticality-specific view of resource usage, makes the verification task more complex, but opens up the possibility of much more efficient resource usage.

A simplistic contrived example illustrates this tradeoff. Consider a system with just two components, A and B. Component A is safety critical and needs a 2-core platform to guarantee its temporal behaviour when analysed using the conservative techniques prescribed for this level of criticality. Component B is mission critical and needs a 1-core platform. It would therefore seem that a 3-core platform is required. However, if A is also analysed as if it were mission critical, i.e. using the same techniques applied to B, then it may only require a single core. Hence a 2-core system is sufficient for the mission: a saving of one whole core and its associated cost, heat, and power consumption. In the unlikely event that A needs more than one core, B will be abandoned and A will have both cores, thus satisfying the safety case for A. By contrast, in normal operation both A and B will run adequately on the 2-core platform.

This very simple example hides most of the important details of the resource usage model and the necessary verification. Nevertheless, it highlights the advantages that can accrue from the verification techniques currently being developed for MCSs. It also points to the need for run-time monitoring and protection mechanisms that will protect A from B and that can abandon B if either A or B operates outside the assumptions encapsulated in their mission-critical profiles.
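To make the arithmetic behind this trade-off explicit, the short sketch below restates the A/B example in code. The component records, helper function, and core counts are illustrative assumptions made for this example; they are not taken from the survey.

```python
# A sketch of the A/B provisioning trade-off described above. The component
# records, helper function and core counts are illustrative assumptions.

def cores_needed(components, level):
    """Cores required when every listed component is analysed at the given level."""
    return sum(c["cores"][level] for c in components)

# Criticality-specific profiles: conservative (safety-critical) and realistic
# (mission-critical) core demands.
A = {"name": "A", "safety_critical": True,  "cores": {"conservative": 2, "realistic": 1}}
B = {"name": "B", "safety_critical": False, "cores": {"realistic": 1}}

# Fully partitioned provisioning: A sized with conservative analysis, B with
# realistic analysis -> 2 + 1 = 3 cores.
partitioned = A["cores"]["conservative"] + B["cores"]["realistic"]

# Mixed-criticality provisioning: the platform must be large enough for
# (i)  all components under realistic assumptions (normal operation), and
# (ii) the safety-critical components alone under conservative assumptions
#      (B is abandoned if A exceeds its realistic profile).
mixed = max(cores_needed([A, B], "realistic"),
            cores_needed([A], "conservative"))   # max(1 + 1, 2) = 2

print(f"partitioned: {partitioned} cores, mixed-criticality: {mixed} cores")
```

Under these assumptions the mixed-criticality design needs only 2 cores rather than 3, which is exactly the one-core saving described in the example.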
The first paper on the verification of MCS was published by Vestal [2007]¹. It employed a somewhat restrictive workload model, focused on a single processor, and made use of Response Time Analysis [Joseph and Pandya 1986; Audsley et al. 1993] for fixed priority (FP) scheduling. Vestal [2007] showed that neither rate monotonic [Liu and Layland 1973] nor deadline monotonic [Leung and Whitehead 1982] priority assignment was optimal for MCS; however, the optimal priority assignment algorithm of Audsley [2001] was found to be applicable.

This paper was followed by publications by Baruah and Vestal [2008] and Huber et al. [2008]. The first of these papers generalises Vestal's model. It contains the important result that Earliest Deadline First (EDF) scheduling does not dominate fixed priority scheduling when there is more than one criticality level, and that there are feasible systems that cannot be scheduled by EDF. This is in direct contrast to the case with just one criticality level [Dertouzos 1974]. The second paper addresses multiprocessor issues and virtualisation. It focuses on resource management via encapsulation and monitoring, and assumes time-triggered applications and a trusted network layer.
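To give a flavour of the analysis these early papers build on, the following is a minimal sketch of a Vestal-style criticality-aware response-time test for fixed priority scheduling, combined with Audsley's priority-assignment algorithm. The task set, the two-level (LO/HI) model, and the capping of interference WCETs at a task's own criticality level are illustrative simplifications rather than the survey's exact formulation.

```python
# Sketch (not the survey's or Vestal's own code) of a criticality-aware
# response-time test for fixed priority scheduling plus Audsley's algorithm.
from math import ceil

LEVELS = ["LO", "HI"]

# Each task: period T, deadline D, criticality level L, WCET estimate per level.
tasks = [
    {"name": "t1", "T": 100, "D": 100, "L": "HI", "C": {"LO": 20, "HI": 40}},
    {"name": "t2", "T": 150, "D": 150, "L": "LO", "C": {"LO": 30}},
    {"name": "t3", "T": 300, "D": 300, "L": "HI", "C": {"LO": 40, "HI": 80}},
]

def wcet(task, level):
    # Interference is taken at the level being verified, capped at the task's
    # own criticality level (a simplification of Vestal's per-level estimates).
    idx = min(LEVELS.index(level), LEVELS.index(task["L"]))
    return task["C"][LEVELS[idx]]

def response_time(task, higher_priority):
    """Fixed-point iteration R = C_i(L_i) + sum_j ceil(R / T_j) * C_j(L_i)."""
    level = task["L"]
    R = wcet(task, level)
    while True:
        R_next = wcet(task, level) + sum(ceil(R / hp["T"]) * wcet(hp, level)
                                         for hp in higher_priority)
        if R_next > task["D"]:
            return None          # deadline would be missed at this priority
        if R_next == R:
            return R             # converged: worst-case response time
        R = R_next

def audsley(task_set):
    """Assign priorities lowest-first; any schedulable task may take each slot."""
    unassigned, lowest_first = list(task_set), []
    while unassigned:
        candidate = next((t for t in unassigned
                          if response_time(t, [u for u in unassigned if u is not t])
                          is not None), None)
        if candidate is None:
            return None          # no feasible priority ordering exists
        lowest_first.append(candidate)
        unassigned.remove(candidate)
    return list(reversed(lowest_first))   # highest priority first

order = audsley(tasks)
print([t["name"] for t in order] if order else "unschedulable")
```

Audsley's optimal priority assignment is applicable here because, under this form of analysis, a task's schedulability at a given priority depends only on the set of higher-priority tasks and not on their relative order, which is the usual condition for the algorithm to apply.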
Further impetus to defining MCS as a distinct research topic came from the white paper produced by Barhorst et al. [2009], the keynote talk that Baruah gave at the 2010 ECRTS conference², and a workshop report from the European Commission [Thompson 2012]. Since then, the research topic has led to a wealth of publications (reviewed in this survey), as well as the establishment of a peer-

¹ The term Mixed Criticality had been used before 2007 to address issues of non-interference in non-federated architectures such as IMA [Hill and Lake 2000]; Vestal changed the focus of research by concentrating on real-time performance. Systems with more than one criticality level that only aim to give complete isolation are called multiple-criticality systems; the use of mixed-criticality implies some tradeoff between isolation and integration that involves resource sharing.
² Available from the conference web site: http://ecrts.eit.uni-kl.de/index.php?id=53.

doi:10.1145/3131347