quantitative schedulability analysis of continuous...
TRANSCRIPT
Quantitative Schedulability Analysis of ContinuousProbability Tasks in a Hierarchical Context∗
Jin Hyun KimINRIA/IRISA, Rennes
Abdeldjalil BoudjadarQueen’s University
Ulrik NymanAalborg [email protected]
Marius MikucionisAalborg University
Kim G. Larsen,Arne Skou
Aalborg University{kgl,ask}@cs.aau.dk
Insup Lee,Linh Thi Xuan Phan
University of Pennsylvania{lee,linhphan}@cis.upenn.edu
ABSTRACTWe define the concept of degree of schedulability to charac-terize the schedulability and performance of soft real-timesystems. The degree of schedulability of a system is givenin terms of the two factors 1) Percentage of Missed Dead-lines (PoMD); and 2) Degradation of the Quality of Service(DoQoS). Our work is set as a model-based framework forhierarchical scheduling systems where we introduce proba-bility based sporadic tasks. The novel aspect is that weconsider task arrival patterns that follow user-defined con-tinuous probability distributions. The separately modeledtask triggering events represent the system environment. Wedetermine the degree of schedulability of a single schedulingcomponent which can contain both periodic and sporadictasks using statistical model checking in the form of UppaalSMC. Finally, we show the applicability of our frameworkby analyzing an avionics case study.
1. INTRODUCTIONIn the areas of avionics and automotive, embedded sys-
tems are increasingly constructed as hierarchical schedulingsystems, where a set of components share different resources.Some of these components are hard real-time (critical) whileothers may be soft real-time components, such that the hi-erarchical scheduling system itself is a mixed-criticality sys-tem. Due to the complexity and size of the systems, it isnot feasible to analyze the complete system in one model.
We present a model-based analysis method that fits in acompositional approach [4, 26] for modeling and analyzingsingle-core hierarchical scheduling systems. In this paper we
∗The research presented in this paper has been partiallysupported by EU Artemis Projects CRAFTERS and MBAT.
Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full cita-tion on the first page. Copyrights for components of this work owned by others thanACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re-publish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from [email protected]’15, May 4–8, 2015, Montréal, QC, Canada.Copyright is held by the owner/author(s). Publication rights licensed to ACM.ACM 978-1-4503-3471-6/15/05 ...$15.00.http://dx.doi.org/10.1145/2737166.2737170 .
Figure 1: Overview of framework setup.
focus on the quantitative analysis of soft real-time compo-nents. We propose metrics for analyzing the quality of ser-vice of scheduling systems where some deadline misses canbe tolerated. One novel aspect is that we handle sporadictasks with arrival patterns modeled as continuous proba-bilistic functions.
Supplying a system with less resources than it requiresmay lead to a degradation of the quality of service. Theo-retical interest as well as practical considerations have moti-vated additional metrics, such as deadline miss ratio [20] anddeadline miss probability [12], to quantify the degradationof the quality of service. For the estimation of the quality ofservice, in the case of hierarchical systems, we introduce thedegree of schedulability (Sched◦) in terms of the Percentageof Missed Deadlines (PoMD); and average delay per misseddeadline, called Degradation of Quality of Service (DoQoS).The PoMD and DoQoS can be computed compositionallyfor any level of the system using only the interfaces of theimmediately lower level components or tasks.
Our analysis technique relies on a model based settingthat uses statistical and symbolic model checking. Symbolicmodel checking is used to ensure that the hard real-timetasks contained in a component never miss a deadline. Thesame models can be analyzed using statistical methods in or-der to obtain quality of service measures. Methods based onstatistical model checking scale logarithmically in the size ofthe analyzed models, moreover they are trivially paralleliz-able and still scale sub-linearly [16], thus easily scaling toindustrial size systems. Our framework gives a great degree
91
of flexibility where all models are parameterized and can beinstantiated for any kind of scheduling system.
Our method is intended to be used by system engineersduring the design space exploration of an embedded system.The engineers can estimate the performance of the systemunder different environment assumptions and system config-urations.
As illustrated in Fig. 1, we make the unusual choice ofmodeling the triggering events for the sporadic tasks sepa-rately from the system itself, leading to a clearer separationof concerns. A major motivation for this separation is thatit more easily allows changing the environment model of thesystem without changing the system implementation. If oneuses a static minimum inter-arrival time for sporadic tasks,the analysis can potentially be very pessimistic. The sep-aration of concerns also allows for modeling different en-vironments that represent different operating contexts ormodes of the system. Our model fits well with sporadictasks that are triggered by hardware interrupts, based onsensors and other embedded systems. An application fieldof this framework is automotive and avionics systems. Thesystem consists of a set of hierarchical components. For eachcomponent, the timing requirements are represented by theinterface consisting of period and budget. A component con-sists in a set of tasks sharing a single CPU according to ascheduling policy. We consider static (Fixed Priority) anddynamic priority (Earliest Deadline First) scheduling poli-cies, together with preemptive execution of tasks. So thatour system model can be analyzed under any kind of schedul-ing policy in the same way. When a soft real-time taskmisses its deadline, it continues to execute. Soft real-timetasks are triggered by external events that have continuousprobabilistic arrival patterns such as Gaussian, uniform, ex-ponential, and user-defined. We only consider cases wherehard real-time tasks never miss a deadline.
Our main contributions are:
• We study the degree of schedulability (Sched◦) of hier-archical scheduling systems where sporadic tasks havecontinuous probability arrival patterns.
• We show how to compute and estimate the two metricsPercentage of Missed Deadlines (PoMD); and averagedelay per missed deadline, called Degradation of Qual-ity of Service (DoQoS).
• We provide detailed implementation models of the frame-work including explicit environment models as well asan avionics case-study.
The rest of the paper is structured as follows: Section 2 ex-amines relevant related work, Section 3 introduces the com-positional analysis framework. In Sections 4, 5 and 6 weintroduce respectively continuous sporadic tasks, the mod-els used to analyze them and the actual analysis. Finally, wedemonstrate the applicability of our method on an avionicscase study in Section 7, and conclude in Section 8.
2. RELATED WORKIn this section we present related work with a specific focus
on sporadic tasks. The sporadic task model [3, 22], which isan extension of an earlier task model known as the Liu andLayland (LL) [17] task model has received immense research
attention over the years. In [3], the authors propose an ex-act schedulability analysis by providing some necessary andsufficient conditions for a sporadic task system to be schedu-lable. In fact, the authors consider sporadic tasks with min-imum inter-arrival time as periodic tasks, then define the setof legal requests that a task may perform. Based on such afunction, they analyze the system schedulability regardlessof the schedulability policy. However, considering sporadictasks with known minimum inter-arrival times as periodictasks may lead the schedulability analysis to be pessimisticand seriously overestimates the number of task arrivals. Ourwork differs by modeling probabilistic inter-arrival times andquantifying the system schedulability according to hard andsoft real-time requirements.
In [29], the authors propose a framework for the schedu-lability analysis of real-time systems, where they define ageneralized model for sporadic tasks to characterize moreprecisely the task arrival times. Each task is characterizedby two constraints: higher instantaneous arrival rate whichbounds the maximum number of task arrivals during somesmall time interval; lower average arrival rate which is usedto specify the maximum number of arrivals over some longertime interval. In [9] the authors present a symmetric multi-core framework where a flat scheduling system can be de-scribed in the Prelude language. The schedulability can bechecked using generated Uppaal models.
The work of [21] extends the work in [12] by making allthe task attributes of a flat scheduling system probabilis-tic. However the methodology in [21] does not handle dy-namic scheduling policies. In [28], the authors propose amethod to control the preemptive behavior of real-time spo-radic task systems by the use of CPU frequency scaling.They introduced a new sporadic task model in which thetask arrival may deviate, according to a discrete time prob-ability distribution, from the minimum inter-arrival time.Based on the probability of arrivals, the authors proposean on-line algorithm computing CPU frequencies that guar-antee non-preemptiveness of task behavior while preservingsystem schedulability.
The work in [5] is an introduction to the concept of ”degreeof schedulability”, without theory nor implementation. Thecurrent work is built on [5] by formally defining how to com-pute the two metrics: DoQoS and PoMD. Moreover, it alsopresents the Uppaal models used for the implementation ofthe concepts as well as an avionics case-study.
To the best of our knowledge, there is no previous re-lated work which uses continuous probabilities to character-ize the arrival patterns of sporadic tasks. A concept similarto PoMD is given in the work by [20] which handles only flatsoft real-time systems, whereas our framework can modeland analyze hierarchical mixed criticality systems. Anotherdifference is that [20] has a stochastically distributed execu-tion time but with fixed periods. Our arrival patterns followa probability distribution, whereas our tasks execution timesare static.
The term “degree of schedulability” was first introducedin [23] to characterize the sum of response time delays fromthe individual task deadlines for static priority schedulingsystems. The work in [23] is presented in the context of adistributed, but flat, real-time system with a common com-munication bus and only considers hard real-time systems.
We define the concept of DoQoS in a similar way, but focuson the total amount of time by which deadlines are missed.
92
Avionics
Hard-Subsystem ( 25, insuf )
Controls and Display (20, 15)
Targeting (40, 23)
Navigation (30, 11)
Weapon Ctrl. (10, 8)
HUD Display T9(50,6,50)
MPD Display T10(50,8,50)
MPD Button Resp. T11(Exp.,200,1,200)
Change Display T12 (Gauss.,200,1,200)
Flight Data T1(50,8,50)
Steering T2(80,6,80)
Target Tracking T3(40,4,40)
Target Sweetening T4(Unif.,40,2,40)
AUTO/CCIP Toggle T5(Gauss.,200,1,200)
Weapon Release T8(10,1,5)
Weapon Trajectory T6 (100,7,100)
Reinitiate Trajectory T7(Unif.,400,6,400) Hard
Soft
Periodic Task
Sporadic Task
insuf : insufficient budget
EDF
EDF FP FP
FP
Figure 2: Mixed crit. hierarchical scheduling system
We define our notion of degree of schedulability (Sched◦) bycombining PoMD and DoQoS into one measure.
3. COMPOSITIONAL FRAMEWORKA hierarchical scheduling system [1] consists of a set of
concurrent real-time components sharing a set of resourcesaccording to a scheduling policy. Each component can be in-ternally organized as a set of components, giving the systema tree-like structure. The use of temporal partitioning [25]of components is motivated by the fact that it provides re-duction of complexity, separation of concerns, confinementof failure modes, and temporal isolation among system ap-plications. One obvious partitioning of the components in amixed-criticality system is to group them according to theircriticality [14]. Such a grouping enables easier certificationof the safety-critical components when they have minimalcommunication with the non safety-critical parts [24].
In this paper we focus on the schedulability analysis of onecomponent inside a hierarchical scheduling system. The hi-erarchical scheduling system can be as deeply nested as it isnecessary for the given application, and is thus not restrictedto two levels as shown in the avionics system of Fig. 2. Eachsquare box represents a component in the system, exceptfor the top box which represents the complete system. Theavionics system is based on a previously published case study[18, 13, 4]. Throughout this paper we use the Targetingcomponent as a running example to illustrate our analysismethod. The whole system will be analyzed in Section 7.
Formally, a hierarchical scheduling system S = (C,R,A)is given by a set of hierarchical components C, a set of re-sources R and a scheduling algorithm A. A component,in turn, can be either a hierarchical unit ({C1, .., Cn}, A)of other components Ci, or a basic composition (W,A) of aworkloadW , together with a scheduling policy A. The work-load W is a set of real-time tasks having time constraintslike deadline, execution time, and next arrival. The inter-face I [27] of a component is given in terms of a period anda budget, i.e. I = (p, b). The budget b specifies the resourceamount that should be provided to the component workloadin order for it to be schedulable. The interface I of a compo-nent C(W,A) specifies the collective resource requirementsthat the workloads W performs under the scheduling policyA. In a compositional schedulability analysis framework [7,4], a hierarchical system is said to be schedulable if eachcomponent is schedulable.
In Fig. 2, we specify for each task (in parenthesis) theperiod or arrival pattern (probability distribution togetherwith the minimum inter-arrival time), followed by executiontime and deadline. For each component we specify the pe-riod, minimum supply and the scheduling policy. One com-ponent has “insuf” as minimal supply because its resourcerequirement exceeds 100% of the system resource for oneCPU. This is dealt with in Section 7 by distributing thecomponents to different CPUs.
The analytical analysis approaches [15, 3, 19] computewhether or not a system is schedulable, according to EDF(Earliest Deadline First) scheduling policy, by giving a firmresponse to the following question: is the demand boundfunction dbf of each component workload W , over a timeinterval t, lower or equal to the supply bound function sbf
of a resource according to interface I, over the same time in-terval, i.e. ∀t > 0 dbfA(W, t) ≤ sbfI(t). If such an equationis satisfied, the component is said to be schedulable. In thesame way, in a model-based setting [28, 2, 10, 4] a system issaid to be schedulable if the error locations, stating the dead-line violation, are unreachable. We use location to denote thestates of Timed Automata. Moreover, in our model-basedframework, the condition dbfA(W, t) ≤ sbfI(t) is appliednot only to EDF but also for other scheduling policies, suchas FP (Fixed Priority) scheduling, so that the same taskmodels can be used for different scheduling policies.
In contrast to the mentioned techniques, we do not onlyconsider if a system is schedulable or not, but we providethe degree of schedulability (Sched◦) as a way to measurehow schedulable a system is. We define the Sched◦ of anentity (system, component or task) by the two concepts:Percentage of Missed Deadlines (PoMD) and Degradationof Quality of Service (DoQoS). Each of these concepts canbe computed for either a task, a component or a completeembedded system. They should be measured or simulatedover a sufficiently large time bounded run and a sufficientlylarge number of runs in order to obtain usable values.
By S we designate the system comprising the probabilisticmodels of the event-triggering as well as the hierarchicalscheduling of tasks as depicted in Fig. 1. A run π of asystem S is an infinite sequence:
π = s0(t0, e0)s1(t1, e1) . . . sn(tn, en) . . .
where si is a global state giving information about the stateof each task (e.g. idle, ready, running, blocked) and resource(e.g. idle, occupied) at stage i; s0 is the initial state. Eachei indicates an event (triggering, completing or preemption)signifying a transition from state si to si+1. Timestampt0 indicates the time from system initiation until event e0.Every subsequent timestamp ti (with i ≥ 1) indicates theseparation between events ei−1 and ei.
We denote by Runs the set of runs of S. For a run π and atime-interval t ∈ R≥0, we may define (in an obvious manner)the functions:
• Missti(π) ∈ N is the total number of missed deadlinesfor task i up to time t;
• Trigti(π) ∈ N is the total number of triggerings of taski up to time t.
Definition 3.1. The Percentage of Missed Deadlines(PoMD) of an entity X for a run π is given by:
PoMDX(π) = (lim supt→∞
Misst(X,π)
Trigt(X,π))× 100
93
where Misst(X,π) is the total number of deadlines missed byX on run π up to time bound t, and Trigt(X,π) is the to-tal number of X executions triggered within the run π untiltime bound t. The entity X could be a task, a componentor a system. In the case where X is a system, Misst andTrigt are computed with the system components consideredas tasks. Even if no top-level component misses a deadline, atask inside one of the components could still miss its dead-line. A healthy system engineering approach might be toensure that all levels except the lowest levels have a PoMDof 0. Now, the probabilistic arrival patterns of tasks of Sgive rise to a unique probability measure PS over (Runs, B)1
as such PoMDT and PoMD are random variables. In orderto estimate the expected values of PoMDX and ePoMDX ,we generate a set Π of random (according to the stochas-tic semantics of S) and independent runs and calculate themean using the following formula:
ePoMDX(Π) =
∑π∈Π PoMDX(π)
|Π|In fact, we estimate the ePoMD at the system level by sim-ulating the complete system and summing up all triggeringevents and deadline misses. Our concept of PoMD is similarto the concept Deadline Miss Ratio (DMR) from [20].
Definition 3.2. We define the Degradation of Quality ofService (DoQoS) of a task Ti over a single run π by:
DoQoSTi(π) =
0 if lim sup
t→∞Misst(Ti, π) = 0
lim supt→∞
Overrunt(Ti,π)Misst(Ti,π)
Otherwise
where Overrunt(Ti, π) is the sum of the time amounts bywhich task Ti misses its deadline over run π.
An example of an overrun for a specific triggering, overrunj ,is given in Fig. 3. Similarly as done for PoMD, we estimatethe expected value of DoQoS, called eDoQoS, using a set ofrandom and independent runs.
eDoQoSTi(Π) =
∑π∈Π DoQoSTi(π)
|Π|The eDoQoS of a component C over a set of time boundedruns Π is defined by the eDoQoS of its workload W as:
eDoQoSC(Π) =
∑Ti∈W eDoQoSTi(Π)
|W |Each item i in the workload W can either be a task or a
component. The eDoQoS can be recursively calculated upto the system level. The eDoQoS of a task could be used tocompare the same task embedded in different componentswith different configurations. For the eDoQoS of a compo-nent we chose to use a simple weighted average.
Definition 3.3. We define the degree of schedulability(Sched◦) of an entity in terms of two factors Sched◦P andSched◦D to be given by:
Sched◦P =
{∞ if ePoMD = 0
1ePoMD
Otherwise
}Sched◦D =
{∞ if eDoQoS = 0
1eDoQoS
Otherwise
}1Here B is the standard Σ-algebra over Runs generated froma standard cylinder construction. For more see e.g. [11].
Figure 3: Execution of a sporadic task, TS(P, 4, 2, 3)
According to such a definition, an entity is absolutely schedu-lable if either Sched◦P or Sched◦D is equal to ∞. This cor-responds to the classical notion of schedulability where nodeadline is missed.
To compare different system configurations in terms ofthe Sched◦, we use the multi-objective Pareto frontier ofSched◦P and Sched◦D. In this way, engineers could keep up-dating resources and requirements and compare the systemSched◦ from one configuration to another. Thus, this facthelps to define the best system configuration in terms of anequation including the amount of provided resources, theexpected schedulability degree and the task requirements.But, Sched◦ is not intended as a measure to compare com-pletely unrelated systems.
We reuse and adapt our previous work [4], for the schedu-lability analysis of hierarchical systems, now extended withprobabilistic sporadic tasks. As mentioned earlier, a work-load W = {T1, ..., Tm} is a set of periodic and sporadic tasks.Periodic tasks [17] T p(p, e, d) are commonly given at leastby a period p, an execution time e and a deadline d. Simi-larly, sporadic tasks [3] T s(I, e, d) are usually specified witha minimum inter-arrival time I, an execution time e and arelative deadline d. In order to characterize more preciselythe arrival time of sporadic tasks and capture efficiently thedeviation of their arrivals from the minimum inter-arrivaltime, we associate to each sporadic task a continuous prob-ability distribution stating the probability of each possibledelay dlyprob. Thus, our sporadic task model is given byT s(P, I, e, d) where P is a probability distribution given bya density function F . Depending on the density function F ,the probability distribution P could be uniform, exponentialor Gaussian.
Fig. 3 depicts an example of the execution of our prob-ability based sporadic task model where we show how theprobability distribution influences the task behavior, andthus affects the task schedulability. We use ai,j as the jth
arrival of the task with index i. The task arrival aj de-lays for dlyprob = 1 time unit, according to the probabilitydistribution, from the previous minimum inter-arrival time(expected at the starting point of the time axis). The taskarrives at time aj and becomes immediately ready to startits execution. Unfortunately, due to the resource availabil-ity the task waits dlyres = 1 time unit before acquiring re-sources and starting its execution. After being provided withresources, the task starts its execution e which achieves per-fectly with the deadline d. After one minimum inter-arrivaltime I = 4 since the last task arrival aj , the task may start anew execution. Always depending on the probability distri-bution, the new arrival aj+1 of the task delays for dlyprob = 2time units from the last minimum inter-arrival time point.After being ready, the task delays again dlyres = 1.5 be-cause of the resource availability. After acquiring resources,the task starts its execution e = 2 which leads task to missits deadline d with an amount of time dlymiss = 0.5. Onecan remark that such an excess could be not critical and can
94
be measured as Quality of Service (QoS) of the schedulabil-ity. Our probability-based sporadic task model is strictlymore expressive than traditional real-time task models butcould retain efficient demand computation for the analysis.
4. CONTINUOUS PROBABILITY TASKSIn this section, we introduce the characteristics of the
probability-based sporadic tasks. Our framework modelsboth a fixed inter-arrival time and a probability distribu-tion. Obviously, a task cannot arrive before the inter-arrivaltime, and the inter-arrival time can potentially be set tozero. After the expiration of the inter-arrival time, the ar-rival of a given task delays with δ according to a continuousprobability distribution, such as Gaussian N = (µ, σ2) witha mean value µ and a variance σ2 (Fig. 4(a)). Fig. 4 showsthe three specific probability distributions we consider in oursetting: Gaussian, exponential and uniform. As the proba-bility distribution is a parameter of the sporadic tasks in ourframework, any user-defined probability distribution can beused.
4.1 Probability Distributions
(a) Gaussian (100,100)
(b) Exponential (1/800)
(c) Uniform (1,100)
Figure 4: Probabilistic ar-rival patterns.
We have implementedthe continuous prob-ability distributionswe consider via a setof Uppaal embed-ded functions overthe time domain. Anexample of a Gaus-sian normalized curve,generated by UppaalSMC, is depicted inFig. 4(a) where thex axis represents con-tinuous time from 0to 240, µ=100 , andσ =100. Fig. 4(b)shows an exponentialprobability distribu-tion, with the rate ofexponential λ being
1800
. The smaller λ is,the more spread outthe distribution is. In contrast to the two previous proba-bility distributions, the uniform distribution (Fig. 4(c)) hasa equal probability for all time instances up to a maximumtime where the probability drops to zero.
4.2 Conceptual Model of Sporadic TasksOur conceptual event model is shown in Fig. 5(a). When a
delay has elapsed, the event triggers the corresponding taskand moves to the location InterArrivalWait waiting for oneinter-arrival time I before starting a new round. The con-ceptual task model (Fig. 5(b)) starts at location Wait waitingfor the triggering event (trigger?) by which it moves to thecomposite state Execution. Depending on the scheduling, thetask can alternate between the locations Running and Pre-
empted, while the deadline is not missed. The task can leavethis composite state when completing the execution. If thetask ends up in location MissedDeadline, the overrun will bemeasured (used for estimating the DoQoS) before movingto the location Wait. The Uppaal implementations of our
InterArrivalWaitRandomWait
trigger!
x==1!
(a) Event model
MissedDeadline
finished and not deadline_missed
Running Preempted
Execution
Wait
DoQoS
trigger?
finished and deadline_missed
(b) Task model
Figure 5: Conceptual model of a sporadic task andits triggering event.
probability based sporadic task model, omitted because ofthe space limitation, are very close to the conceptual eventtriggering model given in Fig. 5(a) and can be found in thelinked zip-file. In the Uppaal task model (Fig. 11), thecomposite state is modeled by a single location in which thepreemption is captured by a stopwatch; which is active whenthe task is running and stopped when the task is preempted.Thus, the stopwatch will always contain the accumulated ex-ecution time of the task.
5. ANALYSIS MODELS FOR THE DEGREEOF SCHEDULABILITY
For our compositional analysis framework, the hierarchi-cal scheduling systems and their analysis elements consistof environment models, scheduling models, resource model,and task models.
We are using Uppaal SMC to perform a formalized sta-tistical simulation of our models, known as Statistical ModelChecking (SMC). SMC enables quantitative performancemeasurements instead of the Boolean (true, false) evalua-tion that symbolic model checking techniques provide. Wecan summarize the main features of Uppaal SMC in thefollowing:
• Stopwatches [8] are clocks that can be stopped andresumed without a reset. They are very practical tomeasure the execution time of preemptive tasks.
• Simulation and estimation of the expected minimumor maximum value of expressions over a set of runs,E[bound](min:expr) and E[bound](max:expr), for agiven simulation time and/or number of runs specifiedby bound.
• Probability evaluation Pr[bound] (P) for a propertyP to be satisfied within a given simulation time and/ornumber of runs specified by bound. P is specified usingeither LTL or tMITL logic.
The disadvantage of using statistical model checking isthat it will not provide complete certainty that a propertyis satisfied, but only verify it up to a specific confidence level[6], given as an analysis parameter.
95
Ready DoneSupplyingx <= p‐b y=0
supply=1y <= b
y >= bsupply=0 x <= p
x >= px=0
Figure 6: Conceptual model of PRM
5.1 Periodic Resource ModelThe resource model that this paper considers is the Pe-
riodic Resource Model (PRM), which provides a specificamount of resources to a set of tasks or components everyperiod [26]. The PRM represents the interface requirementbetween a set of tasks and their (higher level) scheduler. Thehigh level scheduler is referred to by Supplier, which satis-fies the interface requirement given by the periodic resourcemodel. To represent the behavior of the resource supply,based on the interface requirement, we use the PRM in theform of a PSA model.
In order to model the PRM for any type of schedulingpolicy, we provide a stochastic resource model as shown inFig. 6. This resource model guarantees the specific amountof resource allocation for a specific period, but the beginningof the supply is non-deterministic such that it implements anasynchronous supply of resources of the PRM [26]. In thismodel, the variable supply represents the resource allocation,which is a variable shared with the task model. Thus, thesupply is only enabled for b time units (budget) within theperiod p. At location Ready, the supply of resource can bedelayed for at most p − b. The contracted amount of re-source in the interface of a component is fully fed to a set oftasks in that component at location Supplying, and then theremaining time of a period is spent at location Done.
One can remark that our resource model supplies thewhole budget non-preemptively in one chunk, but accord-ing to [26] if one considers only worst cases, both preemptiveand non-preemptive resource models provide the same worstcase analysis results. This is also true for our framework be-cause we search for the traces with the highest PoMD orDoQoS. What we are analyzing is the DoQoS and PoMD ofa component in any potential setting where this componentcould be used given that it is still supplied with its budget.We achieve this by analyzing all extreme cases of the supplyof the budget.
Figure 7: PSA template of Periodic Resource Model
Figure 8: Supplier and Task Execution.
Fig. 7 shows the supplier template. The initial locationis committed in order to enforce the supplier to move in-stantaneously to the next location NotSupplying. Slack time(sup[supid].prd-sup[supid].budget) is the maximum amount oftime that can elapse before the supplier starts supplying.Non-deterministically at some point between time zero andthe slack time, the supplier moves to the location Supplying.Entering this location the stopwatch supplying time[supid] isreset to 0 and the rate is indirectly set to 1 through thevariable supplying[supid]. Once the budget is fully provided,the Supplier moves to the location Done.
Fig. 8 shows the supplier supply, and runs of tasks T p3and T s4 (of Fig. 2). In this setting, T s4 has priority over T p3 ,and executes sporadically over a uniform distribution. Thus,the execution period of T s4 is irregular. The supplier at thebottom is supplying non-deterministically so the supply isalso irregular within the period. Further explanation can befound in our previous paper [4].
(a) Budget estimation model
(b) Budgets causing deadline miss
Figure 9: Budget estimation.
96
Figure 10: PSA template of EDF Scheduler
In order to estimate the sufficient budget of a supplier(component) that makes the workload of a component schedu-lable, we present another stochastic supplier as shown inFig. 9.(a). It starts supplying by selecting a random amountof budget using gbudget[supid] and cbudget[supid]. UppaalSMC checks whether any task misses deadline and generatesa probability distribution of budgets leading to a deadlinemiss of a component. Fig. 9.(b) shows the estimated bud-get numbers that make the component of T p3 and T s4 non-schedulable, and it can be concluded that 23 is the minimumbudget.
5.2 SchedulerWe have implemented different scheduling policies in our
framework, but we only show the EDF scheduler here asan example. Fig. 10 shows the implementation of the EDFscheduler. At the initial location WaitSchedReq, it waits fora scheduling request. In the location SearchQPosition, thescheduler searches through the queue until it has found theright position. On the transition to location AckSchedReq, itinserts the task at the correct place in the queue. Finally,on returning to location WaitSchedReq it communicates tothe rest of the system the task id of the currently scheduledtask.
5.3 Task ModelsIn the rest of this paper, we use PoMD instead of ePoMD,
and similarly DoQoS for eDoQoS. This is for consistencywith the models where we have used PoMD and DoQoS eventhough we are estimating the values.
Figure 12: PoMD calculator
In our framework,we provide 4 differ-ent task templates:hard real-time andsoft real-time tem-plates for periodicand sporadic tasks.The hard real-timetask stops runningimmediately when itmisses a deadline.Meanwhile, the softreal-time task con-tinues running untilthe end of simula-tion time while mea-suring PoMD andDoQoS. Fig. 11shows the soft real-time sporadic task template. It is trig-gered by the event startTask[tid]? from the environment
Figure 11: Soft real-time sporadic task
model following a probability distribution. The clocks cur-
Time[tid] and exeTime[tid] are used to measure the currenttime and the execution time respectively. The clock twcrt[tid]
measures the worst-case response time. Similarly to the con-ceptual model, location Execution models both the runningand preempted states of the task. The stopwatch exeTime[tid]
measuring the execution time keeps increasing while the taskis scheduled (exeTime[tid]’ == isTaskSched()). The function is-
TaskSched() returns zero when the task is preempted and onewhen the task is scheduled. When the task is preempted itstays at location Execution, but the stopwatch exeTime[tid] isstopped by setting the rate of progression for it (exeTime[tid]’)to zero. The task cannot stay active in the location Exe-
cution longer that the WCET (exeTime[tid] ≤ taskTid[wcet]).Once the task has actually been scheduled for more than theBCET, it can non-deterministically choose to go to the loca-tion ClosingExec, issuing a taskCompl[tid]! event stating thatthe task execution is done. When the deadline is missed,the task will be forced to change location to MISSDL. In thatlocation, even though the deadline is missed the task keepsrunning, whereas the stopwatch exeTime[tid] keeps measuringthe accumulated execution time.
The variables cntExecution[tid], cntMissDline[tid], and DoQoS[tid]
are used to calculate PoMD and DoQoS by the PoMD cal-culator of Fig. 12 and the following queries:
E[gClock<=simTime;simNum] (max: PoMD[1])
E[gClock<=simTime;simNum] (max: DoQos[1])
For every simulation (simNum) of which time is up to sim-
Time, one PoMD[1] is obtained by calculating the percentageof the accumulated number of missed deadlines of cntMissD-
line[tid], and the count of task executions of cntExecution[tid].Finally, PoMD is calculated from the average of PoMD[1]s ofall traces. DoQoS[tid] measures the delay after a task missesa deadline, and the maximum DoQoS[tid] is selected fromone trace. Finally, DoQoS is determined by calculating theaverage of the maximum DoQoS[tid]s of each individual trace.
97
6. ANALYSIS OF THE DEGREE OF SCHEDU-LABILITY
We use as a running example in this section the Tar-
get component from Fig. 2. The workload is character-ized by a periodic task T p3 (40, 4, 40) and a sporadic taskT s4 (Unif ., 40, 2, 40). In our setting, T s4 has priority overT p3 . Both tasks are scheduled according to the fixed pri-ority scheduling (FP) policy. The sporadic task T s4 followsthe uniform probability distribution between 0 and 20 timeunits. The analysis is performed in the following steps:
1. Estimate a component budget as described in Sec-tion 5.
2. Analyze the Sched◦ for the estimated and lower bud-gets.
To estimate the budget of a component, we use the budgetestimator shown in Fig. 9(a) and the following query:
Pr[cbudget[rid] <= randomBudget]
( <> gClock >= simTimeanderror)
As a result, we found that 23 time units every 40 timeunits is a good candidate as a sufficient budget for bothtasks. In order to have valid results, in the next analysissection we perform experiments where we analyze the samesystem with a varying amount of traces and simulation time.When reaching more than 1000 traces and a simulation timeof more than 100,000 time units, we see that the resultsstabilize.
6.1 Analysis of Mixed-Criticality ComponentsBecause our analysis framework is compositional, we can
analyze different components with different methods basedon the criticality of each component. If a component con-tains hard real-time tasks, it should be analyzed using rigor-ous methods [4, 27]. Components containing both soft andhard real-time tasks should be analyzed both for the de-gree of schedulability and with rigorous methods to ensurethat no hard task ever misses a deadline. So that, statisticalmodel checking is used to analyze that the DoQoS and PoMDof the hard real-time tasks are 0. Secondly, in order to ob-tain 100% confidence, we use the firm schedulability analysistechnique presented in [4]. In this way two different analysistechniques are combined to analyze a mixed-criticality hier-archical scheduling system in an efficient way, while ensuringconfidence in the critical parts of the system.
6.2 Analysis ResultsIn Table 1, we show that T3 and T4 are schedulable under
the interface (40, 23) even if T4 is treated as a periodic taskwith a period equal to the minimal inter-arrival time. This isthe classical worst-case budget estimation, and our analysisalso confirms that tasks miss exactly 0 deadlines and havea DoQoS of 0. Throughout the running example, we useFP scheduling but our framework supports other schedulingpolicies.
Suppose that the resource amount provided to the compo-nent is reduced to 18. In order to have a baseline to comparewith, in the next analysis steps, we perform an artificial ex-periment presented in Table 2. We analyze task T4 using thesporadic template, but with a completely fixed periodic ar-rival pattern. Note that the sporadic task T s4 never misses its
Table 1: The degree of schedulability of tasks underperiodic events
Component ((40, 23), FP) PoMD DoQoS
T p3 (40, 4), 0 0T s4 (40, 2), 0 0
Table 2: The degree of schedulability of tasks underlack of budgetComponent ((40, 18), FP) PoMD DoQoS
TP3 (40, 4), 0.032 ± 0.033 1.610 ± 0.616T s4 (Periodic, 40, 2, 40) 0 0
deadline, because it has the highest priority. Table 2 showsthe average value of the PoMD and DoQoS for 1000 tracesas well as the variance of each one. In the following, we fixthe set of tasks and vary the arrival pattern of the sporadictask. This is done in order to show the versatility of ourmethod. In an engineering setting, the arrival patterns willusually be fixed while the workload and budgets vary. Forthe same deficit budget (40, 18), Table. 3 shows the degreeof schedulability when the sporadic task T s4 is assumed tofollow an exponential probability distribution with differentrates of exponential.
Table 4 shows the Sched◦ for the two tasks given a uniformprobability distribution for triggering the sporadic task T s4 .Table 5 shows the results of our analysis when using differentGaussian distributions, all with a mean value µ of 10 anddifferent deviations σ.
To sum up, we have provided a highly configurable analy-sis framework where the workload, task types, arrival-patterns,priorities and scheduling mechanisms can be varied and agiven system configuration can be easily analyzed. All Up-paal models used in this paper are available at: http://
people.cs.aau.dk/~ulrik/submissions/872346/CBSE.zip
7. CASE STUDYAs a case study to show the applicability of our analysis
framework, we analyze the schedulability of an avionics sys-tem [18, 13, 4]. We use the same timing specification as [13],whereas the system structure depicted in Fig. 2 follows thedescription given in [18]. In our analysis we include infor-mation about the criticality of the individual tasks, some-thing which has not been included in any of the previoustreatments of that case study. Table 6 summarizes botharchitecture and timing attributes of the avionics system.
Table 3: Degree of schedulability of tasks under Ex-ponential distribution.
Component Rate of Exp.PoMD DoQoS
((40, 18), FP) of T s4
Tp3 (40, 4)
1/100,000 0.040 ± 0.040 0.489 ± 0.5181/1000 0.043 ± 0.041 0.581 ± 0.6301/10 0.035 ± 0.032 0.705 ± 0.634
T s4 (Exp.,40,2,40)
1/100,000 0.0± 0.0 0.003 ± 0.0081/1000 0.182 ± 0.168 0.259 ± 0.3531/10 0.223 ± 0.039 1.792 ± 0.319
98
Table 6: Generic Avionics Components and TasksComponent Criticality Ti ei pi di Importance
Navigation HardAircraft flight data(T p1 ) 8 50(55) critical
Steering(T p2 ) 6 80 critical
Targeting HardTarget tracking(T p3 ) 4 40 critical
Target sweetening(T s4 ) 2 40 criticalAUTO/CCIP toggle(T s5 ) 1 200 critical
WeaponHard
Weapon trajectory(T p6 ) 7 100 criticalControl Reinitiate trajectory(T s7 ) 6 400 essential
Weapon release(T p8 ) 1 10 5 critical
Soft
HUD display(T p9 ) 6 55(52) essentialControls & MPD tactical display(T p10) 8 50(52) essential
Displays MPD button response (T s11) 1 200 backgroundChange display mode (T s12) 1 200 background
Table 4: Degree of schedulability of tasks under Uni-form distribution.
Component ((40, 18), FP) PoMD DoQoS
T p3 (40, 4), 0.057 ± 0.040 0.008 ± 0.008T s4 (Unif., 40, 2, 40) 0.188 ± 0.037 1.941 ± 0.274
Table 5: Degree of schedulability under Gaussiandistribution
Component (µ, σ)PoMD DoQoS
((40, 18), FP) of T s4
Tp3 (40, 4)
(10,10) 0.068 ± 0.047 0.903 ± 0.648(10, 8) 0.046 ± 0.045 0.903 ± 0.777(10, 5) 0.033 ± 0.036 0.810 ± 0.686(10, 1) 0.057 ± 0.471 0.875 ± 0.759
T s4 (Gauss., 40, 2, 40)
(10,10) 0.184 ± 0.038 1.844 ± 0.287(10, 8) 0.173 ± 0.040 1.908 ± 0.239(10, 5) 0.175 ± 0.038 1.801 ± 0.277(10, 1) 0.185 ± 0.340 1.823 ± 0.308
The avionics system is a mixed-criticality application, wherewe mainly considered 7 periodic tasks and 5 sporadic tasksall grouped in 4 components. In the case of critical sporadictasks, we have introduced a periodic event to trigger eachtask where the event period is equal to the minimum inter-arrival time of those tasks. We characterize the arrival timesof non-critical sporadic tasks by different probability distri-butions where the delays generated by such distributions arerelatively proportional to the minimum inter-arrival timesof the corresponding tasks. This was chosen as the originalcase-study did not contain any information on the proba-bility distributions. Because of space limitations, we onlyprovide the analysis results of one component (Controls &Displays). Table 7 states the degree of schedulability ofthe tasks in the component Control & Displays. One canremark that component Control & Displays cannot bescheduled with a budget less than 20 for a period equal to 30because, at least, one of the tasks misses its deadline. In par-ticular, tasks HUD Display and MPD Display miss theirdeadlines because they are ”background tasks”, i.e. havinglower priorities. While keeping budget increasing, DoQoSand PoMD are decreasing until reaching 0, meaning that thecorresponding budget (20) is the minimal sufficient budgetmaking the component workload schedulable. Other budgetvalues (14, 17, 19) can be acceptable as sufficient, dependingon the quality of service required by the system. We have
quantified the components schedulability according to thebudgets, hard and soft real-time requirements.
8. CONCLUSIONSWe have presented a compositional method for analyzing
the degree of schedulability of hierarchical real-time systems.The system is modeled in terms of components containingperiodic and sporadic tasks. In order to characterize moreaccurately the arrival time of sporadic tasks, we introducedcontinuous probability distributions. Given hard and softreal-time requirements, our approach provides probabilis-tic guarantees on the system schedulability. The Degree ofSchedulability (Sched◦) is defined by the two factors: 1) Per-centage of Missed Deadlines (PoMD) and 2) Degradationof Quality of Service (DoQoS). These concepts are help-ful when analyzing systems or components with insufficientbudgets to meet all deadlines. Uppaal SMC is used toperform statistical model checking, in order to compute theDoQoS and PoMD. Finally, we have demonstrated the appli-cability of our approach by analyzing the degree of schedula-bility of an avionics case study which was previously shownto be non-schedulable [18, 13, 4].
9. REFERENCES[1] M. Anand, S. Fischmeister, and I. Lee. A comparison
of compositional schedulability analysis techniques forhierarchical real-time systems. ACM Trans. Embed.Comput. Syst., 13(1):2:1–2:37, Sept. 2013.
[2] M. Asberg, T. Nolte, and P. Pettersson. Prototypingand code synthesis of hierarchically scheduled systemsusing times. Journal of Convergence (ConsumerElectronics), 1(1):77–86, December 2010.
[3] S. K. Baruah, A. K. Mok, and L. E. Rosier.Preemptively scheduling hard-real-time sporadic taskson one processor. In RTSS, pages 182–190. IEEEComputer Society Press, 1990.
[4] A. Boudjadar, A. David, J. H. Kim, K. G. Larsen,M. Mikucionis, U. Nyman, and A. Skou. Hierarchicalscheduling framework based on compositional analysisusing uppaal. In Proceedings of FACS 2013, lncs.Springer, 2013. To appear.
[5] A. Boudjadar, A. David, J. H. Kim, K. G. Larsen,M. Mikucionis, U. Nyman, and A. Skou. Degree ofschedulability of mixed-criticality real-time systemswith probabilistic sporadic tasks. In TheoreticalAspects of Software Engineering Conference (TASE),2014, pages 126–130, Sept 2014.
99
Table 7: Schedulability degree of component Controls & DisplaysTask Sched◦ Budget=14 Budget=17 Budget=19 Budget=20
HUD Display(T9)DoQoS 0.004±0.003 0 0 0PoMD 0.004±0.004 0 0 0
MPD Display(T10)DoQoS 3.068±0.151 0.343±0.052 0.003±0.003 0PoMD 0.231±0.018 0.002±0.002 0.0005±0 0
MPD Button(T11)DoQoS 0 0 0 0PoMD 0 0 0 0
Change Mode(T12)DoQoS 0 0 0 0PoMD 0 0 0 0
[6] P. E. Bulychev, A. David, K. G. Larsen,M. Mikucionis, D. B. Poulsen, A. Legay, and Z. Wang.Uppaal-smc: Statistical model checking for pricedtimed automata. In H. Wiklicky and M. Massink,editors, QAPL, volume 85 of EPTCS, pages 1–16,2012.
[7] L. Carnevali, A. Pinzuti, and E. Vicario.Compositional verification for hierarchical schedulingof real-time systems. IEEE Transactions on SoftwareEngineering, 39(5):638–657, 2013.
[8] F. Cassez and K. G. Larsen. The impressive power ofstopwatches. In C. Palamidessi, editor, CONCUR,volume 1877 of Lecture Notes in Computer Science,pages 138–152. Springer, 2000.
[9] M. Cordovilla, F. Boniol, J. Forget, E. Noulard, andC. Pagetti. Developing critical embedded systems onmulticore architectures: thePRELUDE-SCHEDMCORE toolset. In S. Faucou,A. Burns, and L. George, editors, RTNS 2011, pages107–116, 2011.
[10] A. David, K. G. Larsen, A. Legay, and M. Mikucionis.Schedulability of herschel-planck revisited usingstatistical model checking. In ISoLA (2), volume 7610of LNCS, pages 293–307. Springer, 2012.
[11] A. David, K. G. Larsen, A. Legay, M. Mikucionis,D. B. Poulsen, J. van Vliet, and Z. Wang. Statisticalmodel checking for networks of priced timed automata.In U. Fahrenberg and S. Tripakis, editors, FORMATS,volume 6919 of LNCS, pages 80–96. Springer, 2011.
[12] J. Diaz, D. Garcia, K. Kim, C.-G. Lee, L. Lo Bello,J. Lopez, S.-L. Min, and O. Mirabella. Stochasticanalysis of periodic real-time systems. In RTSS 2002,pages 289–300, 2002.
[13] R. Dodd. Coloured petri net modelling of a genericavionics missions computer. Technical report,Department of Defence, Australia, Air OperationsDivision, 2006.
[14] G. Horvath, S. Chung, D. Dvorak, and D. Hecox.Safety-critical partitioned software architecture: Apartitioned software architecture for roboticspacecraft. In Infotech@Aerospace Conference 2011.American Institute of Aeronautics and Astronautics,2011.
[15] J. Lee, L. T. X. Phan, S. Chen, O. Sokolsky, andI. Lee. Improving resource utilization forcompositional scheduling using dprm interfaces.SIGBED Rev., 8(1):38–45, Mar. 2011.
[16] A. Legay and B. Delahaye. Statistical model checking: An overview. CoRR, abs/1005.1327, 2010.
[17] C. L. Liu and J. W. Layland. Scheduling algorithmsfor multiprogramming in a hard-real-timeenvironment. J. ACM, 20(1):46–61, Jan. 1973.
[18] C. D. Locke, D. R. Vogel, L. Lucas, and J. B.Goodenough. Generic avionics software specification.Technical report, DTIC Document, 1990.
[19] J. Lorente, G. Lipari, and E. Bini. A hierarchicalscheduling model for component-based real-timesystems. In IPDPS 2006, pages 8 pp.–, 2006.
[20] S. Manolache, P. Eles, and Z. Peng. Optimization ofsoft real-time systems with deadline miss ratioconstraints. In Proceedings of RTAS 2004, pages562–570, 2004.
[21] D. Maxim and L. Cucu-Grosjean. Response TimeAnalysis for Fixed-Priority Tasks with MultipleProbabilistic Parameters. In RTSS 2013, Vancouver,Canada, 2013.
[22] A. K. Mok. Fundamental design problems ofdistributed systems for the hard-real-timeenvironment. Technical report, Cambridge, USA, 1983.
[23] P. Pop, P. Eles, and Z. Peng. Schedulability-drivencommunication synthesis for time triggered embeddedsystems. Real-Time Systems, 26(3):297–325, 2004.
[24] P. Pop, L. Tsiopoulos, S. Voss, O. Slotosch, C. Ficek,U. Nyman, and A. Lopez. Methods and tools forreducing certification costs of mixed-criticalityapplications on multi-core platforms: the recompapproach. In WICERT 2013 proceedings, 2013.
[25] K. Purna and D. Bhatia. Temporal partitioning andscheduling data flow graphs for reconfigurablecomputers. Computers, IEEE Transactions on,48(6):579–590, Jun 1999.
[26] I. Shin, A. Easwaran, and I. Lee. Hierarchicalscheduling framework for virtual clustering ofmultiprocessors. In ECRTS, pages 181–190. IEEEComputer Society, 2008.
[27] I. Shin and I. Lee. Compositional real-time schedulingframework with periodic model. ACM Trans.Embedded Comput. Syst., 7(3), 2008.
[28] A. Thekkilakattil, R. Dobrin, and S. Punnekkat.Probabilistic preemption control using frequencyscaling for sporadic real-time tasks. In The 7th IEEEInternational Symposium on Industrial EmbeddedSystems, 2012.
[29] Y. Zhang, D. K. Krecker, C. Gill, C. Lu, and G. H.Thaker. Practical schedulability analysis forgeneralized sporadic tasks in distributed real-timesystems. In Proceedings of ECRTS ’08, pages 223–232,Washington, DC, USA, 2008. IEEE Computer Society.
100