Certification-Cognizant Time-Triggered Scheduling of Mixed-Criticality Systems

In many modern embedded platforms, safety-critical functionalities that must be certified correct to very high levels of assurance co-exist with less critical software that are not subject to certification requirements. Recent research in real-time scheduling theory has yielded some promising techniques for meeting the dual goals of (i) being able to certify the safety-critical functionalities under very conservative assumptions, and (ii) ensuring high utilization of platform resources under less pessimistic assumptions. This research has centered on an event-triggered/ priority-driven approach to scheduling. However current practice in many safety-critical domains, including (the safety-critical components of) automotive and avionics systems and factory automation, favors a time-triggered approach. In such time-triggered systems, non-interference of safety-critical components by non-critical ones is ensured by strict isolation between components of different criticalities, although such isolation facilitates the certification of the safety-critical functionalities, it can cause very low resource utilization. The research reported in this document is, to our knowledge, the first to study time-triggered scheduling from the perspective of both ensuring certifiability of high-criticality functionalities, and obtaining high resource utilization as in (i) and (ii) above. We present algorithms for time-triggered scheduling of mixed-criticality systems that offers resource utilization guarantees similar to those of event-triggered scheduling. Since the time-triggered approach currently seems to find greater acceptability with certification authorities, it is hoped that this research will hasten the adoption of these results in building embedded systems that are subject to mandatory certification.