Mixed Criticality Embedded Systems on Many-Core Platforms

Lead Research Organisation: University of York
Department Name: Computer Science

Abstract

An increasingly important trend in the design of real-time and embedded systems is the integration of applications with different levels of criticality onto a common hardware platform. At the same time, these platforms are migrating from single cores to multi-cores and, in the future, many-core architectures. Criticality is a designation of the level of assurance against failure needed for a system component. A mixed criticality system (MCS) is one that has two or more distinct levels. A number of application domains, such as automotive and avionics, and EU initiatives (for example Horizon2020) have identified Mixed Criticality as a key issue in future systems.

The fundamental research question underlying these initiatives is: how, in a disciplined way, to reconcile the conflicting requirements of 'partitioning' for (safety) assurance and 'sharing' for efficient resource usage. This question gives rise to theoretical problems in modelling and verification, and systems problems relating to the design and implementation of the necessary hardware and software run-time controls. This project addresses both the theoretical and related systems questions.

A many-core platform with a scheduled communications medium is the designated platform on which multiple applications (perhaps composed of what are often called 'system of systems') are to be hosted. The isolation of components with different criticality levels is crucial, but the processor interconnects must be shared and be able to transmit messages with different criticality levels. Moreover, applications with different criticality levels must be able to exchange data in a demonstrably safe way.

A defining property of MCS is that the different means of assurance (for each criticality level) give rise to different values for the component's key parameters such as worst-case execution times and worst-case transmission times. In general, the higher the criticality level, the more conservative are the assumptions made about these values. Hence the context (system criticality level) will determine the parameters that must be used to verify (via scheduling analysis) that each core and each inter-connect will perform as required by the temporal constraints of each application. The development of criticality-aware analysis is needed for these systems.

Although total isolation with rigid time-triggered global scheduling is a possible architectural structure, significantly greater resource utilisation, and hence reduced power consumption, is possible if trade-offs are made between the overall system criticality level and the assumptions made about each component's run-time behaviour. For example, we require that in a dual-criticality system all applications will meet their timing constraints if all components are constrained by (rely on) their low-criticality assumptions, but all high-criticality applications must also meet their deadlines if any component exhibits high-criticality behaviour (i.e. the low-criticality assumptions can no longer be relied upon).
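The dual-criticality requirement just stated can be checked with a criticality-aware response-time analysis. The following is an added example, not code from this project: it implements the published AMC-rtb test for fixed-priority preemptive scheduling on a single core (Baruah, Burns and Davis, RTSS 2011) and compares it with a fully conservative analysis that verifies every task against its high-criticality execution-time value. It assumes implicit deadlines, that low-criticality tasks are abandoned at the mode change, and a constructed three-task set.

```python
from dataclasses import dataclass
from math import ceil

@dataclass
class Task:
    name: str
    period: int   # implicit deadline: D = T
    c_lo: int     # WCET from the low-criticality assurance process
    c_hi: int     # WCET from the (more conservative) high-criticality process
    crit: str     # "LO" or "HI"

def response_time(own, interferers, cost_of, deadline):
    """Fixed-point iteration R = own + sum_j ceil(R/T_j)*C_j; None once R would miss the deadline."""
    r = own
    while True:
        nxt = own + sum(ceil(r / j.period) * cost_of(j) for j in interferers)
        if nxt > deadline:
            return None
        if nxt == r:
            return r
        r = nxt

def amc_rtb(tasks):
    """AMC-rtb: {name: (R_LO, R_HI)}; R_HI is None for LO tasks, which are dropped on a mode change."""
    out = {}
    for i, t in enumerate(tasks):
        hp = tasks[:i]  # tasks listed earlier have higher priority
        r_lo = response_time(t.c_lo, hp, lambda j: j.c_lo, t.period)
        r_hi = None
        if t.crit == "HI" and r_lo is not None:
            # LO tasks are abandoned at the mode change, so they interfere only
            # during the LO-mode response time; HI tasks then run to their HI budgets.
            lo_interf = sum(ceil(r_lo / j.period) * j.c_lo for j in hp if j.crit == "LO")
            hi_hp = [j for j in hp if j.crit == "HI"]
            r_hi = response_time(t.c_hi + lo_interf, hi_hp, lambda j: j.c_hi, t.period)
        out[t.name] = (r_lo, r_hi)
    return out

def mcs_schedulable(tasks):
    """Both requirements: every task meets its deadline in LO mode, every HI task also in HI mode."""
    return all(r_lo is not None and (t.crit == "LO" or r_hi is not None)
               for t, (r_lo, r_hi) in zip(tasks, amc_rtb(tasks).values()))

def fully_conservative_schedulable(tasks):
    """No criticality awareness: every task is verified against the HI-level WCET values."""
    return all(response_time(t.c_hi, tasks[:i], lambda j: j.c_hi, t.period) is not None
               for i, t in enumerate(tasks))

# Constructed task set in priority order (rate monotonic); not from the project.
TASKS = [Task("A", 10, 2, 4, "HI"), Task("B", 15, 4, 4, "LO"), Task("C", 30, 5, 12, "HI")]
```

On this task set the criticality-aware test passes (task C's HI-mode response time is 28 against a deadline of 30) while the conservative analysis fails, which is the resource saving the trade-off buys.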

Previous work (in York and in a number of other international research centres) has explored this trade-off for single-processor systems. This project will focus on many-core platforms to: (i) develop the appropriate scheduling schemes (on the cores and interconnects), (ii) derive verification procedures for MCSs, (iii) explore the theoretical bounds of the developed schemes (to show to what extent resource usage and power consumption are improved over a fully partitioned system), (iv) develop the necessary run-time controls (to manage the sharing of communication media between the criticality levels), and (v) demonstrate the developed theory via simulations, an FPGA test-bed and an industrially relevant case study.

Planned Impact

The ultimate goal of this project is to allow multiple applications with different levels of criticality to co-exist on the same many-core platform, and to do so in a way that is safe, uses the minimum of resources (fabric and energy), and facilitates the development and deployment of complete systems that can benefit from a disciplined approach to data sharing between criticality levels.

The proposed research has the potential to benefit the following individuals and organisations:
- Original Equipment Manufacturers and their suppliers in the automotive electronics and avionics industries.
- Middleware vendors providing software tools and services for real-time systems development.
- Silicon vendors, designing the next generation of embedded many-core processors and platforms.
- The general public as purchasers and/or users of advanced real-time embedded systems technology as found in cars, aircraft and similar products.

By exploiting the results of the project, companies building complex real-time embedded systems comprising multiple applications with mixed criticality levels will be able to obtain the maximum performance from hardware platforms without compromising either the processing resources and bandwidth needed by low-criticality applications to deliver a high quality of service, or the assurance needed that high-criticality applications will always meet their timing constraints. This will enable them to include more functionality on the same hardware platform, enhancing competitiveness, or to use lower-cost hardware, reducing unit costs in production. The increased efficiency can also be used to reduce the size, weight and power consumption of the hardware required, leading to reductions in lifetime costs and CO2 emissions. Exploiting the results of the project to place the design of complex mixed-criticality real-time systems on a sound theoretical basis will reduce the amount of engineering time spent trying to find and remove sources of intermittent timing failures. This will reduce both time-to-market and development costs, while also enhancing end-product reliability.

These factors will have economic benefits for the companies adopting the technology, contribute to economic prosperity, and ultimately have a societal benefit in terms of more reliable, more efficient and more cost effective products which will be brought to market earlier.

We intend our research to have a clear impact on a number of sectors where UK enterprises can exploit the knowledge we will accumulate. In more specialist domains, especially in the safety-critical industries, our work will contribute to the trend of certifying more integrated systems of systems.

One of the pathways to impact will be via the three companies directly supporting this project: BAE SYSTEMS, ETAS(UK) and Rapita. As well as providing technical input and participating in six-monthly review meetings, these companies will advise on all aspects of dissemination. Note that BAE SYSTEMS have estimated the value of their input to the project at £30K.
 
Description: Mixed criticality is a real issue for industrial cyber-physical systems. Multi-core platforms are also proving to be a serious problem in terms of verifying the real-time properties of hosted software. Research on this project has provided means of addressing these issues.
Exploitation Route: Our industrial partners have already reviewed the outputs of the project, and this has influenced internal developments.
Sectors: Aerospace, Defence and Marine; Transport

URL: https://www.cs.york.ac.uk/research/research-groups/rts/mcc/
 
Description: Industry has evaluated the results of the research undertaken on this project. We have produced advice for a number of UK companies. For example, work within Rolls-Royce is currently being based on the robust scheduling model and is making use of the simulation validation techniques developed within the MCC and the follow-on project, MCCps. Rolls-Royce have a strong interest in mixed-criticality scheduling and have led two significant Innovate UK funded projects (worth more than £50 million) that aim to embed the techniques within the company. These projects have involved most of the UK civil avionics companies, with a number of UK defence companies as unfunded partners. The work on mixed-criticality scheduling in Rolls-Royce has focussed on: the architecture needed to ensure compliance with certification expectations; how to implement the scheduling policy with manageable overheads; and how to guarantee the quality of service for lower-criticality software.
First Year Of Impact: 2018
Sector: Aerospace, Defence and Marine; Transport
Impact Types: Economic

 
Description: Dagstuhl Seminar "Mixed Criticality on Multicore/Manycore Platforms"
Form Of Engagement Activity: Participation in an activity, workshop or similar
Part Of Official Scheme?: No
Geographic Reach: International
Primary Audience: Professional Practitioners
Results and Impact: Dagstuhl seminar. Approximately 45 participants from academia and industry met for a week at Schloss Dagstuhl to discuss important open questions in the research area of mixed criticality systems.

The outcomes were a proceedings volume and a number of collaborations on further research.
Year(s) Of Engagement Activity: 2015
URL: http://www.dagstuhl.de/en/program/calendar/semhp/?semnr=15121
 
Description: Keynote talk "Network-on-Chip Platforms for Real-Time Mixed-Criticality Application" at RTNS 2015 conference
Form Of Engagement Activity: A talk or presentation
Part Of Official Scheme?: No
Geographic Reach: International
Primary Audience: Professional Practitioners
Results and Impact: Keynote talk at the International Conference on Real-Time Networks and Systems (RTNS) 2015
Year(s) Of Engagement Activity: 2015
URL: http://rtns2015.lifl.fr/#page=Invitedtalk