**8.2.4 Experimental results**

22 Will-be-set-by-IN-TECH

• When a task deadline event expires, it is simply removed from the head of the queue an the system is notified that a deadline was missed. Hence, handling it requires *O*(1) time. • When a server replenishment event expires, an event representing the next replenishment is inserted into the system queue4. Since there are at most two events in the system queue per server (replenishment and wakeup event), handling a replenishment event is linear in

• When a server depletion event expires, it is simply removed from the queue. Hence,

Our HSF supports different global and local schedulers. For the sake of a fair comparison with the *μ*C/OS-II which implements a fixed-priority scheduler, we also assume fixed-priority global and local schedulers in this section. For both global and local scheduling we can reuse the bitmap-based approach implemented by *μ*C/OS-II, which has a constant time overhead for selecting the highest priority ready task as well as indicating that a task is ready or not (Labrosse, 2002). Consequently, in our HSF we can select the highest priority server and task

Once a highest priority server *σ<sup>i</sup>* is selected, the overhead of switching in the server depends on the number of events inside the stopwatch queue and *σi*'s server queue (which needs to be synchronized with the stopwatch), and the overhead of selecting the highest priority task. The stopwatch queue contains one stopwatch event for each inactive server. The length of the stopwatch queue is therefore bounded by |Σ| + *ds*, where |Σ| is the number of servers, and

*ts*(*σi*) is the longest time interval that a server can be switched out, and 2*<sup>n</sup>* <sup>−</sup> 1 is the largest

The only local events are a task delay and the arrival of a periodic task. Also, each task can wait for at most one timed event at a time. The number of events inside the server queue is therefore bounded by *m*(*σi*) + *dl*(*σi*), where *m*(*σi*) is the maximum number of tasks assigned

queue *σi*.*sq*. *tl*(*σi*) is the longest time interval between any two events inside of *σi*.*sq* (e.g. the

The complexity of the scheduler is therefore *O*(|Σ| + *ds* + *m*(*σi*) + *dl*(*σi*)). Note that the maximum numbers of dummy events *ds* and *dl*(*σi*)) can be determined at design time.

The tick handler synchronizes all active queues with the current time, and (in case an event was handled) calls the scheduler. The active queues are comprised of the system queue and two queues for the server *σ<sup>i</sup>* which is active at the time the tick handler is invoked (its server

<sup>4</sup> Inserting the next replenishment event could be deferred until the server is depleted, at a similar cost

is the maximum number of dummy events inside the stopwatch queue.

is the maximum number of dummy events local to the server

the number of servers, i.e *O*(|Σ|).

handling it requires *O*(1) time.

within a server in constant time.

 *ts*(*σi*) 2*<sup>n</sup>*−1 

to server *σi*, and *dl*(*σi*) =

**8.2.3 Tick handler**

relative time which can be represented with *n* bits.

longest task period or the longest task delay).

queue *σi*.*sq* and virtual server queue *σi*.*vq*).

and benefit to deferring the insertion of the task period event.

 *tl*(*σi*) 2*<sup>n</sup>*−1 

**8.2.2 Scheduler**

*ds* = max*σi*∈<sup>Σ</sup>

In Section 6.2 we introduced wakeup events in order to limit the interference due to inactive servers. In order to validate this approach we have also implemented a variant of the HSF scheduler which avoids using wakeup events and instead, whenever a deferrable server *σ<sup>i</sup>* is switched out, it keeps the server queue *σi*.*sq* active. Consequently, the scheduler does not need to synchronize the server queue when switching in a server. However, this overhead is shifted to the tick handler, which needs to handle the expired events in all the server queues from inactive deferrable servers. In the following discussion we refer to this approach as *without limited interference*, as opposed to *with limited interference* based on wakeup events.

Figures 12.a to 12.e compare the two variants. We have varied the number of deferrable servers and the number of tasks assigned to each server (all servers had the same number of tasks). The server replenishment periods and the task periods were all set to the same value (100ms), to exhibit the maximum overhead by having all tasks arrive at the same time. Each task had a computation time of 1ms and each server had a capacity of 7ms. We have run the setup within the cycle-accurate hardware simulator for the OpenRISC 1000 architecture OpenCores (2010). We have set the processor clock to 345MHz and the tick to 1KHz, which is inline with the platform used by our industrial partner. Each experiment was run for an integral number of task periods.

Figures 12.a and 12.b show the maximum measured overheads of the scheduler and the tick handler, while Figures 12.c and 12.d show the total overhead of the scheduler and the tick handler in terms of processor utilization. The figures demonstrate that wakeup events reduce the tick overhead, at the cost of increasing the scheduler overhead, by effectively shifting the overhead of handling server's local events from the tick handler to the scheduler. Since the scheduler overhead is accounted to the server which is switched in, as the number of servers and tasks per server increase, so does the advantage of the limited interference approach. Figure 12.e combines Figures 12.c and 12.d and verifies that the additional overhead due to the wakeup events in the limited interference approach is negligible.

Figure 12.f compares the system overheads of our HSF extension to the standard *μ*C/OS-II implementation. As the standard *μ*C/OS-II does not implement hierarchical scheduling, we have implemented a flat system containing the same number of tasks with the same parameters as in Figures 12.a and 12.b. The results demonstrate the temporal isolation and

efficiency of our HSF implementation. While the standard *μ*C/OS-II scans through all tasks on each tick to see if any task delay has expired, in the HSF extension the tick handler needs

An Efficient Hierarchical Scheduling Framework for the Automotive Domain 91

Figure 13 compares the best-case and worst-case measured overheads of the scheduler and tick handler between *μ*C/OS-II with our extensions, compared to the standard *μ*C/OS-II, for which we have implemented a flat system containing the same number of tasks with the same

Number of tasks per server 1 2 3 4 5 6 1

Number of tasks per server 1 2 3 4 5 6 1

 0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08 0.09 Number of servers

Number of servers

 0 0.5 1 1.5 2 2.5 3

Number of instructions (x1000)

(a) (b)

Number of instructions (x1000)

(c) (d) Fig. 13. (a) tick handler overhead in *μ*C/OS-II+HSF, (b) tick handler overhead in *μ*C/OS-II,

The figure shows that both scheduler and tick handler suffer larger execution time jitter under *μ*C/OS-II+HSF, than the standard *μ*C/OS-II. In the best case the *μ*C/OS-II+HSF tick handler needs to decrement only the head of the system queue, while in *μ*C/OS-II the tick hander traverses all the tasks in the system and for each one it checks whether its timer has expired. In a system with small utilization of individual tasks and servers (as was the case in our experiments), most local events will arrive while the server is switched out. Since handling local events is deferred until the server is switched in and its server queue synchronized with the stopwatch queue, it explains why the worst-case tick handler overhead is increasing with the number of servers and the worst-case scheduler overhead is increasing with the number

(c) scheduler overhead in *μ*C/OS-II+HSF, (d) scheduler overhead in *μ*C/OS-II.

 2 3 4 5 6

Max scheduler overhead Min scheduler overhead

> 2 3 4 5 6

Number of tasks per server

Number of tasks per server

Max tick handler overhead Min tick handler overhead

to consider only head event in the server queue of the currently running server.

parameters as for the *μ*C/OS-II+HSF case.

1 2 3 4 5 6 1

1 2 3 4 5 6 1

Number of servers

Number of servers

of tasks per server.

Number of instructions (x1000)

Number of instructions (x1000)

 2 3 4 5 6

Max scheduler overhead Min scheduler overhead

> 2 3 4 5 6

Max tick handler overhead Min tick handler overhead

Fig. 12. (a) maximum overhead of the (local + global) scheduler, (b) maximum overhead of the tick handler, (c) total overhead of the scheduler, (d) total overhead of the tick handler, (e) and (f) total overhead of the tick handler and the scheduler.

24 Will-be-set-by-IN-TECH

Number of tasks per server 1 2 3 4 5 6 1

Number of tasks per server 1 2 3 4 5 6 1

Number of tasks per server 1 2 3 4 5 6 1

 0 0.2 0.4 0.6 0.8 1 1.2 1.4 Number of servers

Number of servers

Number of servers

Number of instructions (x1000)

(a) (b)

Overhead (% processor time)

(c) (d)

Overhead (% processor time)

(e) (f) Fig. 12. (a) maximum overhead of the (local + global) scheduler, (b) maximum overhead of the tick handler, (c) total overhead of the scheduler, (d) total overhead of the tick handler, (e)

 2 3 4 5 6

With limited interference Without limited interference

> 2 3 4 5 6

<sup>P</sup>C/OS-II + HSF <sup>P</sup>C/OS-II

 2 3 4 5 6

Number of tasks per server

Number of tasks per server

Number of tasks per server

With limited interference Without limited interference

1 2 3 4 5 6 1

1 2 3 4 5 6 1

1 2 3 4 5 6 1

Number of servers

Number of servers

Number of servers

 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8

Overhead (% processor time)

Overhead (% processor time)

Number of instructions (x1000)

 2 3 4 5 6

With limited interference Without limited interference

> 2 3 4 5 6

With limited interference Without limited interference

> 2 3 4 5 6

and (f) total overhead of the tick handler and the scheduler.

With limited interference Without limited interference efficiency of our HSF implementation. While the standard *μ*C/OS-II scans through all tasks on each tick to see if any task delay has expired, in the HSF extension the tick handler needs to consider only head event in the server queue of the currently running server.

Figure 13 compares the best-case and worst-case measured overheads of the scheduler and tick handler between *μ*C/OS-II with our extensions, compared to the standard *μ*C/OS-II, for which we have implemented a flat system containing the same number of tasks with the same parameters as for the *μ*C/OS-II+HSF case.

Fig. 13. (a) tick handler overhead in *μ*C/OS-II+HSF, (b) tick handler overhead in *μ*C/OS-II, (c) scheduler overhead in *μ*C/OS-II+HSF, (d) scheduler overhead in *μ*C/OS-II.

The figure shows that both scheduler and tick handler suffer larger execution time jitter under *μ*C/OS-II+HSF, than the standard *μ*C/OS-II. In the best case the *μ*C/OS-II+HSF tick handler needs to decrement only the head of the system queue, while in *μ*C/OS-II the tick hander traverses all the tasks in the system and for each one it checks whether its timer has expired.

In a system with small utilization of individual tasks and servers (as was the case in our experiments), most local events will arrive while the server is switched out. Since handling local events is deferred until the server is switched in and its server queue synchronized with the stopwatch queue, it explains why the worst-case tick handler overhead is increasing with the number of servers and the worst-case scheduler overhead is increasing with the number of tasks per server.

Evidence (n.d.). ERIKA Enterprise: Open Source RTOS for single- and multi-core applications.

An Efficient Hierarchical Scheduling Framework for the Automotive Domain 93

Faggioli, D., Trimarchi, M., Checconi, F. & Scordino, C. (2009). An EDF scheduling class for

Holenderski, M., Cools, W., Bril, R. J. & Lukkien, J. J. (2009). Multiplexing real-time timed events, *Emerging Technologies and Factory Automation (ETFA)*, pp. 1718–1721. Holenderski, M., Cools, W., Bril, R. J. & Lukkien, J. J. (2010). Extending an open-source

Inam, R., Maki-Turja, J., Sjodin, M., Ashjaei, S. & Afshar, S. (2011). Support for hierarchical scheduling in freertos, *Emerging Technologies Factory Automation (ETFA)*, pp. 1 –10. Kim, D., Lee, Y.-H. & Younis, M. (2000). SPIRIT-*μ*Kernel for strongly partitioned real-time

Lehoczky, J. P., Sha, L. & Strosnider, J. K. (1987). Enhanced aperiodic responsiveness in hard real-time environments, *Real-Time Systems Symposium (RTSS)*, pp. 261–270. Mercer, C., Rajkumar, R. & Zelenka, J. (1994). Temporal protection in real-time operating systems, *IEEE Workshop on Real-Time Operating Systems and Software*, pp. 79–83. Nolte, T. (2011). Compositionality and CPS from a platform perspective, *Embedded and Real-Time Computing Systems and Applications (RTCSA)*, Vol. 2, pp. 57 –60. Nolte, T., Shin, I., Behnam, M. & Sjödin, M. (2009). A synchronization protocol for temporal

Oikawa, S. & Rajkumar, R. (1999). Portable RK: a portable resource kernel for guaranteed and

Palopoli, L., Cucinotta, T., Marzario, L. & Lipari, G. (2009). Aquosa—adaptive quality of

Rajkumar, R., Juvva, K., Molano, A. & Oikawa, S. (1998). Resource kernels: A resource-centric

Saewong, S., Rajkumar, R. R., Lehoczky, J. P. & Klein, M. H. (2002). Analysis of hierarchical

Shin, I. & Lee, I. (2003). Periodic resource model for compositional real-time guarantees,

Shin, I. & Lee, I. (2008). Compositional real-time scheduling framework with periodic model,

Strosnider, J. K., Lehoczky, J. P. & Sha, L. (1995). The deferrable server algorithm for enhanced

van den Heuvel, M. M. H. P., Holenderski, M., Bril, R. J. & Lukkien, J. J. (2011).

service architecture, *Software – Practice and Experience* 39(1): 1–31.

*ACM Transactions on Embedded Computing Systems* 7: 30:1–30:39.

systems, *Real-Time Systems and Applications (RTCSA)*, pp. 73–80. Labrosse, J. J. (2002). *MicroC/OS-II: The Real Time Kernel*, 2nd edition edn, CMP Books.

real-time operating system with hierarchical scheduling, *Technical Report CS-report*

isolation of software components in vehicular systems, *IEEE Transactions on Industrial*

enforced timing behavior, *Real-Time Technology and Applications Symposium (RTAS)*,

approach to real-time and multimedia systems, *Conference on Multimedia Computing*

fixed-priority scheduling, *Euromicro Conference on Real-Time Systems (ECRTS)*, p. 173.

aperiodic responsiveness in hard real-time environments, *IEEE Transactions on*

Constant-bandwidth supply for priority processing, *IEEE Transactions on Consumer*

URL: *http://www.evidence.eu.com*

*Informatics* 5(4): 375–387.

*Computers* 44(1): 73–91.

*Electronics* 57(2): 873–881.

OpenCores (2010). Openrisc 1000: Architectural simulator. URL: *http://opencores.org/openrisc,or1ksim*

*and Networking (CMCN)*, pp. 150–164.

*Real-Time Systems Symposium (RTSS)*, pp. 2–13.

pp. 111–120.

the linux kernel, *Real-Time Linux Workshop*.

*10-10*, Eindhoven University of Technology.

#### **9. Conclusions**

We have presented an efficient, modular and extendible design for enhancing a real-time operating system with a two-level HSF. It relies on Relative Timed Event Queues (RELTEQ), a general timer management system targeting embedded systems. Our design supports various server types (including polling, idling periodic, deferrable and constant-bandwidth servers), and global and virtual timers. It supports fixed-priority and EDF schedulers on both local and global level. It provides temporal isolation between components and limits the interference of inactive servers on the active server, by means of wakeup events and a combination of inactive server queues with a stopwatch. We have evaluated a fixed-priority based implementation of our RELTEQ and HSF within the *μ*C/OS-II real-time operating system used in the automotive domain. The results demonstrate that our approach exhibits low performance overhead and limits the necessary modifications of the underlying operating system.

We have assumed a linked-list implementation of our RELTEQ queues, and indicated the challenges of a tree-based implementation due to the relative time representation. In the future we want to investigate in more detail other advanced data structures for implementing RELTEQ queues.

#### **10. References**

	- URL: *http://www.autosar.org*

26 Will-be-set-by-IN-TECH

We have presented an efficient, modular and extendible design for enhancing a real-time operating system with a two-level HSF. It relies on Relative Timed Event Queues (RELTEQ), a general timer management system targeting embedded systems. Our design supports various server types (including polling, idling periodic, deferrable and constant-bandwidth servers), and global and virtual timers. It supports fixed-priority and EDF schedulers on both local and global level. It provides temporal isolation between components and limits the interference of inactive servers on the active server, by means of wakeup events and a combination of inactive server queues with a stopwatch. We have evaluated a fixed-priority based implementation of our RELTEQ and HSF within the *μ*C/OS-II real-time operating system used in the automotive domain. The results demonstrate that our approach exhibits low performance overhead and

We have assumed a linked-list implementation of our RELTEQ queues, and indicated the challenges of a tree-based implementation due to the relative time representation. In the future we want to investigate in more detail other advanced data structures for implementing

Abeni, L. & Buttazzo, G. (1998). Integrating multimedia applications in hard real-time

Asberg, M., Behnam, M., Nemati, F. & Nolte, T. (2009). Towards hierarchical scheduling in AUTOSAR, *Emerging Technologies Factory Automation (ETFA)*, pp. 1 –8.

Behnam, M., Nolte, T., Shin, I., Åsberg, M. & Bril, R. J. (2008). Towards hierarchical scheduling

Behnam, M., Shin, I., Nolte, T. & Nolin, M. (2007). Sirap: a synchronization protocol for

Buttazzo, G. & Gai, P. (2006). Efficient EDF implementation for small embedded

Carlini, A. & Buttazzo, G. C. (2003). An efficient time representation for real-time embedded

Chodrow, S., Jahanian, F. & Donner, M. (1991). Run-time monitoring of real-time systems,

Davis, R. I. & Burns, A. (2005). Hierarchical fixed priority pre-emptive scheduling, *Real-Time*

Engler, D. R., Kaashoek, M. F. & O'Toole, Jr., J. (1995). Exokernel: an operating system

Eswaran, A., Rowe, A. & Rajkumar, R. (2005). Nano-RK: An energy-aware resource-centric RTOS for sensor networks, *Real-Time Systems Symposium (RTSS)*, pp. 256–265.

architecture for application-level resource management, *Symposium on Operating*

systems, *ACM Symposium on Applied Computing*, pp. 705–712.

on top of VxWorks, *International Workshop on Operating Systems Platforms for Embedded*

hierarchical resource sharingin real-time open systems, *International Conference on*

systems, *International Workshop on Operating Systems Platforms for Embedded Real-Time*

limits the necessary modifications of the underlying operating system.

systems, *Real-Time Systems Symposium (RTSS)*, pp. 4–14.

AUTOSAR (2011). Automotive open system architecture (AUTOSAR).

*Real-Time Applications (OSPERT)*, pp. 63–72.

*Embedded Software (EMSOFT)*, pp. 279–288.

*Real-Time Systems Symposium (RTSS)*, pp. 74–83.

*Systems Symposium (RTSS)*, pp. 389–398.

*Systems Principles (SOSP)*, pp. 251–266.

URL: *http://www.autosar.org*

*Applications (OSPERT)*.

**9. Conclusions**

RELTEQ queues.

**10. References**


**Part 2** 

**Specification and Verification** 

van den Heuvel, M. M. H. P., Holenderski, M., Cools, W., Bril, R. J. & Lukkien, J. J. (2009). Virtual timers in hierarchical real-time systems, *Work in Progress session of the Real-time Systems Symposium (RTSS)*.
