Mixed-criticality scheduling

Modern engineered systems, from aircraft and cars to medical devices, face a fundamental design dilemma: they must be both demonstrably safe under the absolute worst-case scenarios and economically efficient in everyday operation. Designing for a one-in-a-million-year catastrophe can lead to prohibitively expensive and over-engineered systems, yet ignoring that possibility is not an option when lives are at stake. This creates a significant knowledge gap in system design, where the demands of safety certification and practical efficiency seem to be in direct conflict.

Mixed-criticality scheduling emerges as an elegant and formal answer to this very problem. It provides a theoretical framework for building systems that can dynamically adapt their behavior, delivering full functionality under normal conditions while guaranteeing the survival of critical functions when faced with unexpected events. This article demystifies this powerful concept. The first chapter, "Principles and Mechanisms," will dissect the core theory, explaining the dual views of time, the operational modes, and the mathematical proofs that provide confidence. Following this, "Applications and Interdisciplinary Connections" will illustrate how these abstract principles are applied in the real world, from drone controllers and automotive networks to the complex challenge of designing autonomous vehicles.

Imagine you are an engineer tasked with building a bridge. Your seismologists give you two reports. The first, based on extensive historical data and geological surveys, says the strongest earthquake you can realistically expect in the bridge's lifetime is a magnitude 7.0. The second report, from a team tasked with "absolute worst-case" thinking for a nearby critical facility, says that if a specific, uncharted fault line ruptures in a one-in-a-million-year configuration, it could theoretically produce a 9.0 quake.

What do you do? Building for the 7.0 quake is economical and safe for all foreseeable events. Building for the 9.0 quake would require so much steel and concrete that the bridge would be astronomically expensive, perhaps prohibitively so. But if you only build for the 7.0, what happens on that one-in-a-million chance? This is the essential dilemma faced by designers of cyber-physical systems, from aircraft and cars to medical devices and power grids. They must be both demonstrably safe and economically efficient. Mixed-criticality scheduling is a beautiful and ingenious answer to this very problem.

The core insight of mixed-criticality theory is to formally acknowledge that we live in a world of varying confidence. Instead of assigning a single, monolithic "worst-case" execution time (WCET) to a software task, we assign it multiple WCETs, each corresponding to a different level of assurance or criticality.

For a simple dual-criticality system, we have two levels: LO (low) and HI (high).

• ​​The LO View ($C^{\text{LO}}$)​​: This is the optimist's worst-case. It's a timing budget derived from extensive testing, profiling, and less conservative analysis. We have a high degree of confidence—say, $99.999\%$—that a task will finish within its $C^{\text{LO}}$ time. In our bridge analogy, this is the magnitude 7.0 earthquake. We expect it to be the limit of what we'll ever see.

• ​​The HI View ($C^{\text{HI}}$)​​: This is the pessimist's worst-case, or perhaps, the safety certifier's. To get the stamp of approval from an authority like the Federal Aviation Administration (for DO-178C) or an automotive standards body (for ISO 26262), you must prove safety with an extremely high level of confidence. This requires using highly conservative static analysis tools that account for all manner of rare, worst-of-the-worst scenarios: unforeseen processor pipeline states, cache misses happening in a perfect storm, cosmic rays flipping bits, and other gremlins in the machine. Consequently, this certified WCET, the $C^{\text{HI}}$, will almost always be larger than the practical $C^{\text{LO}}$.

This gives us the foundational principle of mixed-criticality WCETs: for any given high-criticality task, its execution time budgets are monotonic.

$C^{\text{HI}} \ge C^{\text{LO}}$

This isn't an arbitrary rule; it's a logical necessity. As elegantly framed in the formal model, the set of possible system circumstances considered for HI-level analysis is a superset of the circumstances considered for LO-level analysis. To be more certain, you must imagine more things going wrong. The worst case over a larger set of possibilities can never be smaller than the worst case over a subset.

Now, what does a scheduler do with these two different views of time? It creates a "social contract" with the tasks, one that has two distinct clauses corresponding to two operational modes.

LO-Mode: The Sunny Day Scenario

The system starts in ​​LO-mode​​. The contract here is based on efficiency and optimism. The scheduler promises to run all tasks—both the HI-criticality flight controls and the LO-criticality cabin entertainment system—and ensure they all meet their deadlines. This promise, however, comes with a crucial condition: it is only valid as long as every task behaves as expected and finishes its work within its optimistic, $C^{\text{LO}}$ time budget. This allows the system to be highly utilized and efficient, running many functions simultaneously, because we are banking on the high probability that the one-in-a-million-year earthquake won't happen today.

The Trigger: The Alarm Bell Rings

The system doesn't just hope for the best; it plans for the worst. It constantly monitors its own behavior. Specifically, the scheduler tracks the execution time of every running HI-criticality task. The moment one of these critical tasks executes for longer than its $C^{\text{LO}}$ budget but has not yet finished its job, an alarm bell rings. This is the ​​overrun event​​.

This is not a system fault. It is a pre-planned contingency. The system has detected that the world is not behaving as optimistically as it had hoped. The magnitude 7.0 earthquake has been surpassed, and we must now prepare for the magnitude 9.0. The scheduler's contract must change, and it must do so immediately, before any deadlines are missed.

HI-Mode: The Emergency Protocol

The system transitions to ​​HI-mode​​. The social contract is now radically different. The scheduler's one and only priority is the survival of the HI-criticality tasks. The promise to the LO-criticality tasks is revoked. They are unceremoniously dropped, suspended, or degraded. The cabin entertainment system might freeze, but the flight controls must continue to function.

In this mode, the scheduler makes a new promise to the HI-criticality tasks: "You can now use your full, pessimistic $C^{\text{HI}}$ budget, and I will still guarantee you meet your deadlines." By shedding the LO-criticality workload, the scheduler frees up the processor time needed to accommodate the increased demands of the critical tasks, thus ensuring the safety of the overall system.

Dropping the LO-criticality tasks might seem harsh, but it is often a matter of simple, unavoidable arithmetic. Let's look at a concrete example to see why this sacrifice is not a choice, but a mathematical necessity.

Imagine a single processor running four tasks for a robotic assembly line. We measure a processor's "busyness" using ​​utilization​​, which is the fraction of time a task needs the processor (its execution time divided by its period). A single processor's total utilization cannot exceed $1$, or 100%.

Let's say our tasks are:

• HI Task $\tau_1$: LO-utilization $u_1^{\text{LO}} = 0.25$, HI-utilization $u_1^{\text{HI}} = 0.45$.
• HI Task $\tau_2$: LO-utilization $u_2^{\text{LO}} = 0.24$, HI-utilization $u_2^{\text{HI}} = 0.40$.
• LO Task $\tau_3$: LO-utilization $u_3^{\text{LO}} = 0.20$.
• LO Task $\tau_4$: LO-utilization $u_4^{\text{LO}} = 0.15$.

In ​​LO-mode​​, the total utilization is the sum of all the LO-utilizations: $U_{\text{total}}^{\text{LO}} = 0.25 + 0.24 + 0.20 + 0.15 = 0.84$ Since $0.84 \le 1$, everything fits. The processor is 84% busy, and all four tasks can meet their deadlines.

Now, suppose $\tau_1$ overruns its LO budget, triggering a switch to ​​HI-mode​​. The HI tasks now need their HI budgets. What happens if we try to keep the LO tasks running? The new total utilization would be: $U_{\text{what-if}}^{\text{HI}} = (\text{HI tasks at } u^{\text{HI}}) + (\text{LO tasks at } u^{\text{LO}}) = (0.45 + 0.40) + (0.20 + 0.15) = 0.85 + 0.35 = 1.20$

A utilization of $1.20$ means the tasks require 120% of the processor's time. This is physically impossible. It's like trying to pour 1.2 liters of water into a 1-liter bottle—it will inevitably spill. The "spill" in our case is missed deadlines. To prevent this, the scheduler must discard the LO tasks. The utilization then becomes: $U_{\text{actual}}^{\text{HI}} = u_1^{\text{HI}} + u_2^{\text{HI}} = 0.45 + 0.40 = 0.85$ Since $0.85 \le 1$, the critical tasks are now safe. The sacrifice was mathematically necessary to preserve schedulability.

Modern systems rarely have just one processor; they have multiple cores. This adds another layer of complexity and beauty to the problem. How do we schedule our tasks across, say, two cores? There are two main philosophies.

• ​​Partitioned Scheduling​​: This is the simple approach. Before the system even starts, we assign each task to a specific processor, and it stays there forever. Task $\tau_1$ goes to Core 1, $\tau_2$ to Core 2, and so on. It's like assigning workers to fixed stations on an assembly line.

• ​​Global Scheduling​​: This is the flexible approach. Any task can run on any available core. There's a single queue of ready tasks, and the scheduler picks the most urgent ones to run on the available cores. It's like having a pool of workers who can move to whichever station needs help.

Partitioning seems simpler and avoids the overhead of moving tasks between cores. But a mode switch can reveal its hidden brittleness. Consider a two-processor system ($m=2$) where we've partitioned the HI tasks onto Core 1 and the LO tasks onto Core 2. In LO-mode, both cores might be happily running at 100% utilization. But when a mode switch occurs, a catastrophic imbalance is created. All the LO tasks on Core 2 are dropped, and its utilization plummets to 0%. Meanwhile, on Core 1, the HI tasks demand their $C^{\text{HI}}$ budgets, and their combined utilization might surge to, say, 140%. Core 1 is overloaded and fails, while Core 2 sits completely idle. The system fails despite having enough total computational power across both cores to handle the HI-mode workload.

Global scheduling, by allowing tasks to migrate, could potentially save the day. It could move some of the work from the overloaded Core 1 to the now-idle Core 2, balancing the load and keeping the system alive. This illustrates a profound trade-off in system design: the simplicity of static partitioning versus the robust flexibility of dynamic global scheduling.

These principles and mechanisms are not just clever heuristics; they are backed by rigorous mathematical proofs. An entire field of research is dedicated to developing ​​schedulability analysis​​ techniques for mixed-criticality systems. These are algorithms that take a task set and a scheduling policy as input and produce a definitive "yes" or "no" answer to the question: "Is this system guaranteed to be safe?"

For example, using a technique called ​​Response-Time Analysis (RTA)​​, we can calculate the absolute worst-case time it would take for a task to complete, accounting for its own execution time and all possible interference from higher-priority tasks. The analysis is performed in two phases:

1. ​​LO-Mode Analysis​​: It proves that, assuming $C^{\text{LO}}$ budgets, the worst-case response time of every task is less than its deadline.
2. ​​HI-Mode Analysis​​: It proves that, assuming $C^{\text{HI}}$ budgets for HI tasks, the worst-case response time of every HI-criticality task is still less than its deadline, even when accounting for the chaos of the mode switch itself. The reason this proof can succeed is that the interference from all LO-criticality tasks has been eliminated.

This ability to provide a formal, mathematical proof is the ultimate goal. It transforms our confidence in the system from a feeling based on testing into a certainty based on logic. It's how we build the bridge that is both economical for the everyday and provably strong enough to survive that one-in-a-million-year event.

We have spent some time exploring the clever rules and mechanisms of mixed-criticality scheduling—the elegant dance of priorities and budgets that allows a system to be both efficient and safe. But these are not just abstract games played on a whiteboard. These principles come to life in the most critical and advanced technologies that shape our world. This is where the mathematical beauty of scheduling theory meets the uncompromising demands of physical reality. Let us now take a journey to see where this rubber meets the road.

Imagine you are designing the controller for a high-performance drone. The drone's stability depends on making thousands of tiny adjustments to its propellers every second. Your control algorithms, running on a small processor, calculate these adjustments. Now, control theory—the science of making systems behave as we wish—gives us a crucial number: the maximum admissible delay. If an actuation command arrives later than this deadline, the drone might not just wobble; it could become unstable and fall out of the sky. This deadline is a hard law dictated by physics.

Here is where our scheduling theory enters the conversation. The controller is not the only task on the processor. There might be a low-priority task handling video compression and a high-priority, safety-critical task monitoring battery levels. The controller task can be preempted. Real-time systems theory gives us another crucial number: the worst-case response time ($R$), the longest possible time from when the controller calculates an adjustment to when that command is finally issued. Safety, then, is a simple, beautiful, and strict inequality: the worst-case response time from computer science must be less than the maximum admissible delay from control theory.

Mixed-criticality scheduling provides the tools to enforce this inequality with rigor. We can design the system such that in its normal, "low-criticality" mode, all tasks run happily. But if a critical event occurs—say, the battery monitoring task needs more processing time than expected to handle a sudden voltage drop—the system enters "high-criticality" mode. The video compression task is immediately dropped, guaranteeing that the processor's full attention is available to the critical tasks. We can calculate the response time in this worst-case scenario, $R^{\text{HI}}$, and prove that it still respects the physical laws of stability.

We can even build a "digital twin" of our drone inside a computer to test this before a single propeller is spun. This co-simulation couples a mathematical model of the drone's physics with a model of our scheduler. We can simulate a mode switch and watch how the increased actuation delay affects the drone's flight. Is it stable? Does it oscillate? By how much? This allows us to analyze the intricate dance between software timing and physical stability with incredible fidelity, giving us the confidence to build systems we can trust.

Of course, modern systems are rarely a single chip. Think of a modern car, an airplane, or a factory floor. They are distributed systems—a network of processors talking to each other. A single action, like applying the brakes in a car, might involve a sensor task on one processor, sending a message across a network, to an actuator task on another processor. The end-to-end deadline now spans this entire chain.

It's not enough to guarantee that each part is fast enough; we must guarantee that the sum of all the delays—computation on the first processor, network transmission, and computation on the second processor—is less than the total end-to-end deadline. The logic of mixed-criticality must extend beyond a single CPU.

And it does! The very same principles are now being built into the fabric of computer networks themselves through standards like Time-Sensitive Networking (TSN). Imagine a network switch handling data from our car's systems. Critical data, like a command from the braking controller, cannot be delayed by a large, unimportant data transfer from the infotainment system. Using a TSN mechanism called a Time-Aware Shaper, we can create a schedule on the network switch itself. For a few hundred microseconds, a special "gate" is open only for high-criticality traffic. Then, that gate closes, and another one opens for low-criticality traffic. If a large, low-priority infotainment packet is being sent when its time is up, a mechanism called Frame Preemption allows the switch to suspend it, let the tiny, critical brake packet pass through, and then resume the large packet later. It is a beautiful echo of the preemptive scheduling we saw on a CPU, demonstrating a fundamental unity in the way we manage contention for any shared resource, be it processor cycles or network bandwidth.

As we pack more and more intelligence into our devices, the processors themselves become more complex. We no longer have single-core chips; we have multi-core behemoths. This presents a new puzzle: if we have a dozen tasks and four processor cores, which task should run where? This is the partitioning problem. It's a bit like a game of Tetris or bin-packing. We need clever heuristics to assign tasks to cores such that the load on each core is balanced, and more importantly, each core's collection of tasks is schedulable in both LO- and HI-criticality modes. We might, for example, sort our high-criticality tasks from "heaviest" to "lightest" and place them one by one onto the core that is currently the least loaded, ensuring no single core becomes a bottleneck.

At the same time, we face another relentless constraint: energy. Running a processor faster doesn't just use a little more power; it uses a lot more. For a typical CMOS chip, the power consumed scales with the cube of the frequency ($P \propto f^3$). This means doubling the speed can cost eight times the energy! So, we want to run our processors as slowly as possible to conserve battery life or prevent overheating.

Mixed-criticality adds a fascinating dimension to this energy-saving puzzle. We can design a system that runs at a low, energy-efficient speed in its normal LO-mode. But we must always be prepared for a switch to HI-mode, where critical tasks may need to run faster to meet their deadlines. The challenge becomes an optimization problem: how do we deliver the best possible performance for our non-critical tasks (e.g., keeping the user interface smooth) while staying within a strict energy budget and always guaranteeing that we can handle a worst-case scenario? This leads to the idea of "graceful degradation," where we precisely calculate how much we can trim from non-essential functions to ensure our safety-critical core remains inviolable.

Nowhere do all these threads come together more vividly than in the design of an autonomous vehicle. The "brain" of such a car is a massively complex computing platform, running a symphony of tasks with vastly different levels of importance.

• ​​The Soloist:​​ The emergency braking controller. This is a hard real-time task of the highest criticality. Its deadlines are dictated by physics and are non-negotiable.
• ​​The String Section:​​ The motion planning and perception pipelines. These are soft real-time tasks of medium criticality. They need to be fast and responsive, but missing an occasional deadline might only result in a less smooth ride, not a catastrophe.
• ​​The Background Ambience:​​ The infotainment system and data logging. These are best-effort tasks of the lowest criticality. They are nice to have, but utterly disposable in an emergency.

This system must manage what we can call "external" priorities, defined by safety and the mission, but also "internal" priorities, like thermal limits. What happens when the car is driving on a hot day, and the main processor starts to overheat? An internal constraint—the chip's temperature—is about to be violated. The system must reduce its power consumption.

A naive approach would be disastrous. Simply throttling the task that uses the most power might mean slowing down the perception system or, even worse, the braking controller! This is where the mixed-criticality philosophy provides an elegant and robust solution: a ​​degradation hierarchy​​. The operating system doesn't panic; it follows a pre-defined, ordered plan based on criticality.

1. ​​First, sacrifice the disposable.​​ The infotainment system is disabled.
2. ​​Next, gracefully degrade the important-but-not-vital.​​ The perception system's frame rate is reduced from 60 FPS to 30 FPS.
3. ​​Then, reduce the quality of soft real-time functions.​​ The motion planner might switch to a faster, less optimal algorithm.

Throughout this entire process, the resources for the emergency braking task remain sacrosanct. Its budget, its priority, its ability to meet its hard deadlines are never compromised. This layered, hierarchical approach ensures that the system fails gracefully from the outside in, always protecting its safety-critical core. It is the practical embodiment of the scheduling theory we have discussed, made possible by clever algorithms like EDF with Virtual Deadlines that front-load critical work, and rigorous response-time analysis that provides the mathematical proof of safety.

Mixed-criticality scheduling, then, is far more than an academic curiosity. It is a foundational design philosophy for building the reliable, efficient, and safe technologies of the 21st century—the bridge that allows us to translate the abstract certainty of mathematics into the physical certainty of a car that brakes when it must.