Budgeting Under-Specified Tasks for Weakly-Hard Real-Time Systems

In this paper, we present an extension of slack analysis for budgeting in the design of weakly-hard real-time systems. During design, it often happens that some parts of a task set are fully specified while other parameters, e.g. regarding recovery or monitoring tasks, will be available only much later. In such cases, slack analysis can help anticipate how these missing parameters can influence the behavior of the whole system so that a resource budget can be allocated to them. It is, however, sufficient in many application contexts to budget these tasks in order to preserve weakly-hard rather than hard guarantees. We thus present an extension of slack analysis for deriving task budgets for systems with hard and weakly-hard requirements. This work is motivated by and validated on a realistic case study inspired by industrial practice.


Introduction
In the design of real-time systems, it is not uncommon for some parts of a task set to be fully specified while other parameters, e.g. regarding recovery or monitoring tasks, will be available only much later. In such cases, slack analysis can help anticipate how these missing parameters can influence the behavior of the whole system so that a resource budget can be allocated to them. It is, however, sufficient in many application contexts to budget these tasks so as to preserve weakly-hard rather than hard guarantees. Such guarantees allow for a bounded number of deadline misses among consecutive activations ("at most $m$ out of $k$ deadlines may be

Motivational Example
In this section we introduce the case study which motivates the work presented in this paper.

State of the practice for the timing analysis of satellite software
A satellite is made of two major parts: the platform and the payload. The payload realizes the main satellite mission and comprises scientific instruments, telescopes or telecommunication antennas, according to the mission of the satellite. The payload is typically characterized by high computation requirements, but in the general case its software is considered at best firm or soft real-time.
The platform is the service module that governs the satellite and ensures the execution of the mission. The platform on-board software (OBSW) implements all major functions of the satellite, e.g. the Attitude and Orbit Control System (AOCS), the Thermal Control System (TCS), mode management and the Data Handling System (DHS).
A subset of those OBSW functions is characterized by hard real-time requirements. For example, sending thruster commands at the wrong moment during an attitude modification or an orbital maneuver (e.g. the main orbit insertion of a deep-space orbiter) may lead to mission failure.
In contrast, some tasks executing less critical functions may occasionally miss deadlines without dreadful consequences for the mission, at most some performance degradation. One example is the AOCS functions themselves, where sensor acquisition and processing are somewhat robust to occasional deadline misses because of the intrinsic robustness of the implemented control laws.
The OBSW is however traditionally designed, analyzed and implemented with techniques typical of safety-critical, hard real-time systems. This implies that all tasks defined for the OBSW are considered as hard real-time and treated as such in the schedulability analysis used to confirm the feasibility of the system. The analysis is performed using representative worst-case operational scenarios. The reason for this choice is twofold:
1. It is much easier to prove to clients that the system is schedulable and fulfills the mission goals by treating all tasks as hard real-time, with a design process and analysis equations consolidated over several years, and without admitting exceptions in the treatment of task deadlines.
2. The OBSW development team does not completely know the possible consequences of deadline misses in terms of performance degradation or function losses, as such knowledge requires a deep analysis at system / avionics level. It is therefore not obvious whether deadline misses are admissible in the overall mission context.

System model and use case
Current satellite OBSW is typically executed on a single-core processor, using a Fixed-Priority Preemptive scheduling policy (FPP).
Table 1 shows a representative task set and the real-time attributes of each task. The attributes are representative of a high-load scenario for the OBSW in a mission operational mode. Each task $\tau_i$ in the system is characterized by:
its priority index $\pi_i$; for simplicity of notation, we assume that tasks are given in order of their static priority, i.e. $\tau_j$ has higher priority than $\tau_i$ for every $j < i$;
its release pattern: periodic (P), possibly with a static offset, software sporadic (S), hardware sporadic (HWS), i.e. triggered by an interrupt, or background task;
its worst-case execution time $C_i$; this value is not based on static analysis but rather on observed execution times;
its period or minimum interarrival time $T_i$;
its offset $\phi_i$, if applicable;
its relative deadline $D_i$; all deadlines are constrained, i.e. $D_i \le T_i$;
its maximum blocking time $b_i$; execution in mutual exclusion is enforced with semaphores or protected objects (monitors) for which the maximum blocking can be bounded.
Note that some tasks specified as sporadic in fact have a pseudo-periodic behavior. Table 1 includes two different kinds of tasks: (i) nominal tasks, which are active and executed in the represented operational scenario; (ii) recovery tasks, which are involved in asynchronous fault handling or recovery activities and are triggered only on given fault / error occurrences. They are marked in gray in the table. Among the nominal tasks, some have real-time constraints that we will consider as hard real-time; others can be considered as weakly-hard real-time, as they can withstand occasional deadline misses without significant system-level consequences.

Problem Statement
The specification of recovery tasks typically occurs in the latest development phases, and therefore their characteristics are not known until late in the development cycle. The execution of such recovery tasks may however perturb the execution of nominal tasks, leading to deadline misses which would potentially induce a degradation of the system performance.
ECRTS 2017

Configuring the timing attributes of the recovery tasks represents a challenging timing issue for the real-time architect. It is important to guarantee that the reconfiguration and recovery tasks can accomplish their functions, which are related to the safety of the spacecraft. At the same time, it is necessary to preserve a sound timing behavior for the nominal tasks.
Moreover, the timing behavior of the recovery tasks must be established and assessed as early as possible in the development, as in later phases the development of the rest of the software system approaches completion, with little freedom for significant modifications.
The reader should note that the problem statement regards finding a convenient method for assigning attributes and guarantees to such tasks, rather than establishing a complete fault tolerance strategy [19] [14] for the on-board software and the satellite. The latter requires a much more global reasoning at system level and is not in the scope of this paper. Those tasks would be just some among several mechanisms (hardware and software) devoted to the implementation of such a global fault tolerance strategy for a given satellite, and the method we seek would simply contribute to their definition in a convenient manner.
To solve this problem, there is a need for a timing verification method fulfilling two conditions: (i) applicability at early design stages; (ii) a guarantee on the provided upper bounds for the tasks' response times. Worst-case response time analysis seems well adapted to the timing challenge mentioned above, since it is applicable from the early conceptual design phases on and provides formal proofs based on a mathematical model of the timing behavior of the system. These proofs allow calculating safe lower and upper bounds on the response times, thus guaranteeing corner-case coverage.
Classic worst-case response-time analysis would however not be able to take into account the weakly-hard nature of some tasks, and would just check that the deadlines of those tasks are met in the worst case. This would lead to an under-estimation of the timing budget available for the recovery tasks (and therefore for the safety functions), which could be delicate, especially in a system with a high CPU load.
A method that takes into account the weakly-hard nature of some tasks and gives the real-time architect the means to perform trade-offs on the budget to be assigned to the recovery tasks would be attractive in this context.
Let us now formulate our problem. We consider a single processing resource which schedules a task set $T = \{\tau_1, \tau_2, \ldots, \tau_n\}$ according to a Fixed Priority Preemptive (FPP) policy. Each task $\tau_i \in T$ is modeled by:
its worst-case execution time $C_i$;
its worst-case activation pattern $\eta^+_i$ (see below);
its priority $\pi_i$;
its constrained deadline $D_i$.
The tasks described in the motivating example of Section 2 are either periodic or sporadic. We will in this paper use the more general model of arrival curves to describe activation patterns, so that we can model sporadic tasks (in particular the recovery tasks that we want to budget) less conservatively than with a model based on the minimum interarrival time only. We do not however handle offsets and conservatively assume that all periodic tasks can be activated at the same time. We leave to future work the formal proof that offset analysis is compatible, as we conjecture, with the analysis presented in this paper. Blocking times are not mentioned in the rest of the paper for readability, but they can easily be included in the analysis (and they are accounted for in the experiments).

Definition 1. The arrival curve $\eta^+_i(\Delta t)$ gives the maximum number of activations of $\tau_i$ that may occur in any time window of length $\Delta t$. Its counterpart $\delta^-_i(k)$ (respectively $\delta^+_i(k)$) defines the minimum (respectively maximum) time that might pass between the first and the last activation in any sequence of $k$ consecutive activations of $\tau_i$.
In this context, the fact that deadlines are constrained translates into $D_i \le \delta^-_i(2)$. Our task set $T$ is partitioned into nominal tasks, which are fully specified, and recovery tasks, for which only priorities and deadlines are known; we therefore call the latter under-specified tasks. We denote by $N$ the set of nominal tasks and by $R$ the set of under-specified tasks. Under-specified tasks are considered to be sporadic. Weakly-hard constraints are assumed to be given for nominal tasks.
Our problem is to provide a set of constraints on the execution times and the activation patterns of the tasks in $R$ that is sufficient (and ideally necessary too) to guarantee $(m,k)$-schedulability of all tasks in $N$, where a task is said to be $(m,k)$-schedulable if it cannot miss more than $m$ deadlines out of any sequence of $k$ consecutive executions.

Preliminaries on Response-Time Analysis
In this section we recall some state-of-the-art definitions and results on response-time analysis which we will use in the rest of the paper, based on the notations introduced at the end of our problem statement.We specifically present results related to worst-case response-time analysis, Typical Worst-Case Analysis (TWCA) and slack analysis.Note that we suppose throughout this paper a representation of time based on natural numbers.This is reasonable since we consider single processor systems, which operate according to a unique, discrete clock.

Worst-case response-time analysis
A standard approach to establish schedulability of a system is to compute the worst-case response time of each task based on the concept of busy window.In this section we present results for the case where deadlines are arbitrary as we will need these later.
Definition 2. A level-$i$ busy window (originally called busy period in [10]) is a maximal time interval during which the resource still has pending activations of tasks of priority equal to or higher than that of $\tau_i$.
The longest such window, called the worst-case level-$i$ busy window and denoted $BW_i$, is built by assuming the occurrence of a so-called critical instant, at which $\tau_i$ and all higher-priority tasks are activated at the same time, inducing maximum interference on $\tau_i$. It is also assumed that all tasks are activated as early as possible after the critical instant, and that they always use their maximum execution time. The worst-case level-$i$ busy window stops at the first instant when no activation of $\tau_i$ or of any higher-priority task remains incomplete. It has been proven that the worst-case response time of task $\tau_i$ is found in the longest level-$i$ busy window.
Definition 3. For a task $\tau_i$ and $q \ge 1$, the multiple event busy time, denoted $B_i(q)$, represents the maximum time it may take to process $q$ activations of $\tau_i$ within a level-$i$ busy window starting with the first of these $q$ activations. It is the least fixed point of
$$B_i(q) = q \cdot C_i + \sum_{\tau_j \in hp(i)} \eta^+_j(B_i(q)) \cdot C_j$$
where $hp(i)$ denotes the set of tasks with higher priority than $\tau_i$ (we assume that all tasks have distinct priorities).
The maximum number $K_i$ of activations of $\tau_i$ in a level-$i$ busy window is the smallest $q$ such that $B_i(q) \le \delta^-_i(q+1)$: the resource would be able to start processing the $(q+1)$-th activation no later than this activation can occur according to $\delta^-_i$, which implies a level-$i$ idle time. The worst-case level-$i$ busy window is then $BW_i = B_i(K_i)$, the response time of the $q$-th activation of $\tau_i$ in that window is bounded by $RT_i(q) = B_i(q) - \delta^-_i(q)$, and the worst-case response time of $\tau_i$ is bounded by Theorem 4: $WCRT_i = \max_{1 \le q \le K_i} RT_i(q)$.
We refer the reader to [21] for detailed explanations about the FPP response-time analysis.

Typical Worst-Case Analysis
Typical Worst-Case Analysis (TWCA) as presented e.g. in [17] [23] aims at providing weakly-hard guarantees for real-time systems, where a weakly-hard guarantee states that a deadline is missed in no more than $m$ out of $k$ consecutive executions of a task. TWCA relies on the assumption that deadline misses in a system are due to transient overload resulting e.g. from sporadic activations.
We present here a specific application scenario of TWCA where activations of some specific tasks are considered as overload while activations of all other tasks are classified as typical.
We say that the system is in the typical case in a time interval in which there are no past or currently pending/executing overload activations which could impact the behavior of the system. We require the system to be schedulable in the typical case. The alternative case is called the worst case, where some overload activations may incur transient overload and therefore deadline misses.
The objective of TWCA is to compute a deadline miss model (DMM) for each task.

Definition 5.
A deadline miss model (DMM) for task τ i is a function dmm i : N → N, with the property that out of any sequence of k consecutive activations (called k-sequence) of τ i , at most dmm i (k) might miss their deadline D i .
In the basic TWCA as introduced in [17], $dmm_i(k)$ is computed in four steps:
1. Computation of $N_i$, the number of deadline misses that occur in the longest level-$i$ busy window $BW_i$. Note that one overload activation of any task cannot result in more than $N_i$ deadline misses of $\tau_i$, as it can only impact activations of $\tau_i$ which are in the same level-$i$ busy window.

Figure 1 Packing overload activations into busy windows of task τ4 (X = deadline miss).

2. Computation of $\Delta T^k_i$, the longest time window during which an overload activation (of any task) can impact the response time of activations in the $k$-sequence. Activations in different busy windows cannot influence each other's response time. As a result, only activations of an overload task occurring at most $BW_i$ before the first activation of $\tau_i$ in the $k$-sequence and before the last activation finishes can have an impact. Since the $k$ activations are spread over at most $\delta^+_i(k)$ and the last one finishes within $WCRT_i$ of its activation, this time interval is thus bounded by:
$$\Delta T^k_i = BW_i + \delta^+_i(k) + WCRT_i$$
3. Computation of $\Omega_i$, the maximum number of higher-priority overload activations that may occur within a window of size $\Delta T^k_i$:
$$\Omega_i = \sum_{\tau_j \in O \cap hp(i)} \eta^+_j(\Delta T^k_i)$$
where $O$ denotes the set of overload tasks.
4. We can then safely define $dmm_i(k)$ from $N_i$ and $\Omega_i$: each of the at most $\Omega_i$ overload activations within $\Delta T^k_i$ causes at most $N_i$ deadline misses of $\tau_i$.
The improved TWCA of [23] uses an additional concept called combinations to improve the accuracy of DMMs.
Definition 6. A combination is a subset of the overload tasks, the idea being that one overload activation alone is usually not sufficient to cause a deadline miss as most tasks have some slack.
Here we distinguish the overload due to the different overload tasks: for each $\tau_j \in O \cap hp(i)$, $\Omega^j_i = \eta^+_j(\Delta T^k_i)$. A bound on the maximum number of deadlines that $\tau_i$ may miss in a $k$-sequence is then obtained by packing overload activations into level-$i$ busy windows.
Example 7. As an example see Figure 1, where we consider a system with 4 tasks: $\tau_1$, $\tau_2$, $\tau_3$ are overload tasks while $\tau_4$ is a typical task. To bound the maximum number of deadlines that $\tau_4$ may miss within a given time interval, we pack respectively $\Omega^1_4$, $\Omega^2_4$ and $\Omega^3_4$ activations into the busy windows of $\tau_4$. Figure 1 shows two possible packings: in case 1 the number of deadline misses is 3, while in case 2 $\tau_4$ may miss only 2 deadlines. Notice that not all combinations lead to deadline misses.
Theorem 8. The following function is a DMM: for each $k$, the maximum, over all packings of the $\Omega^j_i$ overload activations into the level-$i$ busy windows within $\Delta T^k_i$, of $N_i$ times the number of busy windows that receive an unschedulable combination, where $U$ is the set of unschedulable combinations, i.e. combinations $c$ which may lead to a deadline miss if all tasks in $c$ are activated in the same level-$i$ busy window. Note that in this approach it is assumed that every unschedulable combination may result in $N_i$ deadline misses.
[23] additionally provides an efficient criterion to determine whether a combination is schedulable as well as an efficient ILP formulation to compute the above DMM.

Slack analysis
Finally, we now recall some results related to slack analysis [5], [11], [18], [20].
Definition 9. The slack $S^0_i$ of task $\tau_i$ is the maximum amount of processing time which may be stolen from any job of $\tau_i$ without causing its deadline to be missed.
The slack of a task $\tau_i$ can be computed by noticing that any level-$i$ idle time between the completion of a job of $\tau_i$ and its deadline can be used for computation of that job without causing it to miss its deadline.
Definition 10. By level-$i$ idle time we refer to any maximal time interval between two level-$i$ busy windows.
Theorem 11. For FPP scheduling, the slack of $\tau_i$ is equal to the sum of all level-$i$ idle times between the critical instant and $D_i$ in the worst-case busy window. This is illustrated in Figure 2.

Budgeting with Hard Real-Time Constraints
In this section, we first focus on the problem of providing a set of constraints on the load incurred by the tasks in $R$ (i.e. recovery tasks, a.k.a. under-specified tasks) that is sufficient to guarantee schedulability of all tasks in the nominal mode, before we move on to weakly-hard schedulability.
Let us first focus on a task $\tau_i$ in the nominal mode. Denote by $R_i$ the set of under-specified tasks with a priority higher than $\tau_i$. We can directly reuse the concept of slack to budget the under-specified tasks.
Lemma 12. Let $S^0_i$ be the slack of $\tau_i$ in the system made of only nominal tasks (i.e. excluding under-specified tasks). If $\sum_{\tau_r \in R_i} C_r \le S^0_i$, then no job of $\tau_i$ misses its deadline.
Proof. This follows directly from the definition of slack. Note that we need to ensure that at most one activation of any under-specified task will interfere with a given job of $\tau_i$ for the result to hold.
We can generalize the above result by splitting the load allocated to an under-specified task among several of its jobs.
Lemma 13. Let $BW^0_i$ be the longest level-$i$ busy window obtained by analyzing the nominal task set with an additional load of size $S^0_i$. If $\sum_{\tau_r \in R_i} \eta^+_r(BW^0_i) \cdot C_r \le S^0_i$, then no job of $\tau_i$ misses its deadline.
Proof. Again, this follows directly from the definition of slack. In this case the slack used by an under-specified task $\tau_r$ is shared among several of its jobs.
We can now state our general result on how to budget under-specified tasks to guarantee hard real-time schedulability of all nominal tasks.
Theorem 14. If for all $\tau_i \in N$:
$$\sum_{\tau_r \in R_i} \eta^+_r(BW^0_i) \cdot C_r \le S^0_i$$
then the system is schedulable.
Proof. The above equation and Lemma 13 together guarantee that all nominal tasks remain schedulable in presence of under-specified tasks satisfying the given constraints.
If this budget is acceptable then there is no need to consider budgeting for the weakly-hard case.The rest of this paper is dedicated to proposing solutions if a larger budget is needed for execution times of the under-specified tasks.

Budgeting with Weakly-Hard Real-Time Constraints
Our problem is now to provide a set of constraints on the load incurred by the tasks in $R$ that is sufficient to guarantee weakly-hard schedulability of all tasks in the nominal mode, rather than (hard) schedulability. Again, we first focus on a task $\tau_i$ in the nominal mode, this time supposing that it has an $(m,k)$ weakly-hard requirement, i.e. $\tau_i$ may miss no more than $m$ out of $k$ deadlines. Denote by $R_i$ the set of under-specified tasks with a priority higher than $\tau_i$.
As recalled in Section 4.2, the standard way to establish $(m,k)$-schedulability using Typical Worst-Case Analysis [23] is to consider a sequence of $k$ consecutive activations of $\tau_i$ and to prove that no more than $m$ activations in this sequence may miss their deadline. In our case the activations of under-specified tasks can be considered as overload since they are not taken into account by the initial worst-case analysis. We can therefore adapt TWCA to our context. We reuse in particular the following notations:
$N_i$, the number of deadline misses that occur in the longest level-$i$ busy window $BW_i$ of the system with nominal and under-specified tasks;
$\Delta T^k_i$, the longest time window during which an activation of an under-specified task can impact the response time of activations in the $k$-sequence;
$\Omega^r_i = \eta^+_r(\Delta T^k_i)$, the maximum number of activations of the higher-priority under-specified task $\tau_r$ that may occur within a window of size $\Delta T^k_i$, and $\Omega_i = \sum_{\tau_r \in R_i} \Omega^r_i$ the sum over all higher-priority under-specified tasks.
Notice that budgeting according to constraints on $N_i$ and $\Delta T^k_i$ is not easy, as these parameters themselves depend on the parameters of the under-specified tasks. In the next section we first focus on how to relate the load budget of recovery tasks and $N_i$, i.e. the maximum number of deadline misses in a single busy window.

Extending the concept of slack to weakly-hard systems
Let us start with a few lemmas.

Lemma 15. There can be more than one activation of a given task $\tau_i$ in one level-$i$ busy window only if that task misses its deadline in that busy window. Formally: $K_i > 1 \Rightarrow RT_i(1) > D_i$.
Proof. By definition of $K_i$, for any $q < K_i$, $B_i(q) > \delta^-_i(q+1)$. For $q = 1$: $B_i(1) > \delta^-_i(2)$. We work with constrained deadlines, so $D_i \le \delta^-_i(2)$ and therefore $RT_i(1) = B_i(1) > D_i$.
This lemma is easily generalized to consecutive deadline misses: $\forall q < K_i$, $RT_i(q) > D_i$. This result is useful for us as it directly relates the number of deadline misses in a busy window with the length of that busy window. In particular, we obtain that $K_i \le N_i + 1$.
Let us now go one step further and extend the slack analysis of Section 4 to systems in which a bounded number of deadline misses are allowed.
Definition 16. For $\mu \in \mathbb{N}$, the $\mu$-slack of a task $\tau_i$, denoted $S^\mu_i$, is the maximum amount of processing time which may be stolen from $\tau_i$ in a level-$i$ busy window without causing more than $\mu$ deadlines of $\tau_i$ to be missed in a row.
The $\mu$-slack of a task $\tau_i$ can be computed in a way similar to the usual slack, but focusing on the $(\mu+1)$-th deadline instead of the first deadline.
Theorem 17. For FPP scheduling, the $\mu$-slack of $\tau_i$ is equal to the sum of all level-$i$ idle times between the critical instant and $\delta^-_i(\mu+1) + D_i$ in the worst-case busy window.
Proof. The above condition guarantees that the $(\mu+1)$-th deadline is met.
Let us now introduce a definition which will be useful to bound BW i and WCRT i .

Definition 18. Let $BW^\mu_i$ be the longest level-$i$ busy window obtained by analyzing the nominal task set with an additional load of size $S^\mu_i$. We know that such a busy window contains exactly $\mu+1$ activations of $\tau_i$, so it is the busy time of these $\mu+1$ activations together with the additional load $S^\mu_i$.
Since $\tau_i$ may not miss more than $m$ deadlines in a row, we can conclude that $BW_i \le BW^m_i$. Similarly, $WCRT_i$ is bounded by the response times of $\tau_i$ observed in $BW^m_i$. We thus know how to define $\Delta T^k_i$. Let us now state the condition which guarantees that $\tau_i$ may not miss more than $m$ deadlines in a row, and thus that these bounds hold.
Lemma 19. If the load incurred by the under-specified tasks in $R_i$ within one level-$i$ busy window is at most $S^m_i$, then $\tau_i$ misses no more than $m$ deadlines in a row.
Proof. This is a direct consequence of the definition of $m$-slack.
At this point, it may seem that the intuitive, if pessimistic, way to budget the under-specified tasks is to require that $\sum_{\tau_r \in R_i} \eta^+_r(\Delta T^k_i) \times C_r \le S^m_i$. This, however, is not a sufficient condition for $(m,k)$-schedulability. The reason is that the same load incurred by under-specified tasks may result in more deadline misses if it is spread over different busy windows. This is the meaning of the following lemma.

Lemma 20. $\forall \mu \in \mathbb{N}$: $(\mu+1) \times S^0_i \le S^\mu_i$.
Proof. Consider a sequence of $\mu+1$ consecutive activations of $\tau_i$. Remember that $S^0_i$ is the sum of all level-$i$ idle times between the critical instant and $D_i$ in the worst-case busy window. Because deadlines are constrained, this is smaller than or equal to the sum of all level-$i$ idle times between the critical instant and $\delta^-_i(2)$ in the worst-case busy window. Allowing only $S^0_i$ of slack for each activation in the sequence furthermore assumes that the critical instant may repeat for each activation, which is pessimistic compared to the way $S^\mu_i$ is computed. As a result, $S^\mu_i$ provides more slack than $(\mu+1) \times S^0_i$.
The consequence of this is that a safe bound on the budget for the under-specified tasks must for now be based on $S^0_i$.
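The busy-window recurrence of Section 4.1, the slack of Theorem 11, the $\mu$-slack of Theorem 17, the hard budget of Theorem 14 and the inequality of Lemma 20, carried out in Python on a constructed three-task set. This is an added example, not code from the paper or its authors: the task set, the sporadic under-specified task with minimum interarrival 12 and the reading of Theorem 14 as "the load of $R_i$ released within $BW^0_i$ must fit into $S^0_i$" are assumptions of the example, and the largest injectable load is found by a binary search over the standard busy-window recurrence rather than by the authors' tooling.

```python
"""Level-i busy windows, slack, mu-slack and a hard budget under FPP on one core.

Added example, not the paper's code. Tasks are periodic or sporadic with
minimum interarrival T and constrained deadline D <= T, hence
eta+(dt) = ceil(dt / T) and delta-(q) = (q - 1) * T. Time is integer, as in
the paper; blocking is ignored. `hard_budget` encodes the reading of
Theorem 14 assumed here: the load of R_i released within BW^0_i must fit into S^0_i.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    C: int  # worst-case execution time
    T: int  # period / minimum interarrival time
    D: int  # constrained relative deadline, D <= T


def eta_plus(task, dt):
    """Maximum number of activations of `task` in any window of length dt."""
    return -(-dt // task.T) if dt > 0 else 0


def delta_minus(task, q):
    """Minimum distance between the first and the q-th of q consecutive activations."""
    return (q - 1) * task.T


def busy_time(tasks, i, q, extra=0, limit=10**6):
    """B_i(q): least fixed point of t = q*C_i + extra + sum_{j in hp(i)} eta+_j(t)*C_j,
    i.e. the time to process q activations of tasks[i] plus `extra` units of
    injected higher-priority load after the critical instant (tasks are in
    decreasing priority order, so hp(i) = tasks[:i])."""
    t = q * tasks[i].C + extra
    while True:
        nxt = q * tasks[i].C + extra + sum(eta_plus(j, t) * j.C for j in tasks[:i])
        if nxt == t:
            return t
        if nxt > limit:
            raise ValueError("level-%d busy window does not terminate" % i)
        t = nxt


def worst_case_busy_window(tasks, i, extra=0):
    """(K_i, BW_i, [RT_i(1), ..., RT_i(K_i)]). The window ends at the first q
    with B_i(q) <= delta-_i(q+1): the next activation cannot arrive before
    the processor has gone level-i idle."""
    ti, q, rts = tasks[i], 1, []
    while True:
        b = busy_time(tasks, i, q, extra)
        rts.append(b - delta_minus(ti, q))
        if b <= delta_minus(ti, q + 1):
            return q, b, rts
        q += 1


def wcrt(tasks, i, extra=0):
    return max(worst_case_busy_window(tasks, i, extra)[2])


def deadline_misses_in_busy_window(tasks, i, extra=0):
    """N_i; by Lemma 15 every activation in the window but possibly the last misses."""
    return sum(rt > tasks[i].D for rt in worst_case_busy_window(tasks, i, extra)[2])


def mu_slack(tasks, i, mu=0):
    """S^mu_i (Definition 16, Theorem 17): the largest load that can be injected
    into the worst-case level-i busy window while the (mu+1)-th activation of
    tasks[i] still completes by delta-_i(mu+1) + D_i. mu = 0 is the usual slack.
    Completion time is monotone in the injected load, so a binary search works.
    Returns None if that deadline is already missed without injected load."""
    ti = tasks[i]
    dl = delta_minus(ti, mu + 1) + ti.D
    if busy_time(tasks, i, mu + 1) > dl:
        return None
    lo, hi = 0, dl - (mu + 1) * ti.C
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if busy_time(tasks, i, mu + 1, mid) <= dl:
            lo = mid
        else:
            hi = mid - 1
    return lo


def hard_budget(tasks, i, T_r):
    """Largest C_r for one sporadic under-specified task (min. interarrival T_r,
    priority above tasks[i]) under the Theorem 14 reading assumed above:
    eta+_r(BW^0_i) * C_r <= S^0_i, where BW^0_i is the busy window obtained by
    injecting S^0_i into the nominal set (Lemma 13)."""
    s0 = mu_slack(tasks, i, 0)
    if s0 is None:
        return None
    bw0 = worst_case_busy_window(tasks, i, extra=s0)[1]
    return s0 // -(-bw0 // T_r)


# Constructed nominal task set in decreasing priority order (not taken from Table 1).
NOMINAL = [Task("tau1", 2, 10, 10), Task("tau2", 3, 15, 15), Task("tau3", 4, 20, 20)]

if __name__ == "__main__":
    for i, t in enumerate(NOMINAL):
        print(t.name, "WCRT", wcrt(NOMINAL, i), "S^0", mu_slack(NOMINAL, i, 0),
              "S^1", mu_slack(NOMINAL, i, 1))
    print("K_3, BW_3, RT with 10 units injected:", worst_case_busy_window(NOMINAL, 2, 10))
    print("hard budget C_r for T_r = 12 above tau3:", hard_budget(NOMINAL, 2, 12))
```

On this task set $\tau_3$ has $S^0_3 = 6$ and $S^1_3 = 15 \ge 2 \times 6$, as Lemma 20 requires, and the hard budget for a $T_r = 12$ task above $\tau_3$ is $C_r = 3$ because two of its activations fit into $BW^0_3 = 20$. Injecting 10 units instead of the 6 of slack yields $K_3 = 2$ with the first activation missing and the second meeting its deadline, which is the situation Lemma 15 describes.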

Lemma 21. Let $\Lambda_i$ be the load incurred within $\Delta T^k_i$ by the under-specified tasks in $R_i$.
Proof. We have to prove that a load of $\Lambda_i$ within $\Delta T^k_i$ causes no more than $m$ consecutive deadline misses if it occurs in one level-$i$ busy window of $\tau_i$, and no more than $m$ non-consecutive deadline misses if it is distributed over several busy windows.
The first condition is directly satisfied by Lemmas 19 and 20. Suppose now that $\Lambda_i$ is distributed over $n$ level-$i$ busy windows with $l_b$ denoting the load in busy window $b$.
Theorem 22. If the condition of Lemma 21 holds for every task $\tau_i \in N$, then the system satisfies its hard and weakly-hard requirements.
Proof. This result is a direct consequence of Lemma 21.
This result is obviously quite pessimistic. It is clear at this point that obtaining better bounds requires us to use a more fine-grained model of how load distributes over busy windows. We investigate this possibility in the next section.

Budgeting for multiframe tasks
In the following, we focus on a specific application scenario and assume that each under-specified task performs two activities:
a frequent monitoring activity with a relatively short execution time, aiming at analyzing deviations from the safe state of the system and performing some rapid recovery or triggering higher-level recovery, characterized by a short minimum distance between two consecutive occurrences;
a less frequent failure recovery activity (e.g. an avionics reconfiguration procedure), which requires a longer execution time and is characterized by a longer minimum distance between two consecutive executions.
Based on the behavior described above, the execution time model of any under-specified task $\tau_r$ can be characterized by $(C^l_r, C^s_r, x)$ where: $C^s_r$ is the short execution time, corresponding to the monitoring and rapid recovery activity of the task; $C^l_r$ is the long execution time, corresponding to the failure recovery (error handling) activity of the task; $x$ is the number of short execution times between two long execution times.
Based on this new model we again address the problem of providing a set of constraints on the execution times and activation patterns of the tasks in $R$ that is sufficient to guarantee weakly-hard schedulability of all tasks in the nominal mode.
Let us first focus on a task $\tau_i$ in the nominal mode with an $(m,k)$ weakly-hard requirement, i.e. $\tau_i$ may miss no more than $m$ out of $k$ deadlines. Denote by $R_i$ the set of under-specified tasks with a priority higher than $\tau_i$, $\Omega^r_i = \eta^+_r(\Delta T^k_i)$ for all $\tau_r \in R_i$ and $\Omega_i = \sum_{\tau_r \in R_i} \Omega^r_i$. Let us start by formulating a hypothesis which is consistent with the application scenario mentioned at the beginning of this section. We use the notation $c^c_r$ to refer to the execution time of $\tau_r$ in combination $c$.
Hypothesis 1. We exclude the possibility for several activations of the same under-specified task to be in the same level-$i$ busy window. That is, we suppose that for all $\tau_r \in R_i$, two consecutive activations of $\tau_r$ never fall into the same level-$i$ busy window.
Definition 24. Let $\mu(c)$ denote the maximum number of deadline misses which may be caused by a combination $c$.
Of course $\mu(c)$ depends on the values chosen for the various execution times $C^l_r$ and $C^s_r$ for $\tau_r \in R_i$. Our strategy for budgeting the under-specified tasks is to first assign values to $\mu(c)$ for all combinations and then, in a second step, to assign execution time budgets.
Hypothesis 2. We suppose that a combination containing only short execution times of under-specified tasks cannot be unschedulable. That is, $\sum_{\tau_r \in R_i} C^s_r \le S^0_i$.
Again this hypothesis seems realistic given the application context. Based on the notion of combination we can define gangs, which correspond to distributions of the $\Omega_i$ instances within $\Delta T^k_i$. More specifically, a gang is a packing of activations of the under-specified tasks into the level-$i$ busy windows of $\Delta T^k_i$.

Definition 25. A gang $G$ is a set of combinations which each contain at least one long execution time and such that for all $\tau_r \in R_i$, the number of combinations of $G$ in which $\tau_r$ appears is at most $\Omega^r_i$. Notice that we ignore combinations which do not contain any long execution time as they cannot lead to deadline misses. Note also that each combination appears at most once in a gang (since there can be only one long execution time of each task within $\Delta T^k_i$). We use $\mathcal{G}_i$ to denote the set of all possible gangs with respect to $\tau_i$.
Lemma 26. If $\forall G \in \mathcal{G}_i$: $\sum_{c \in G} \mu(c) \le m$, then $\tau_i$ is $(m,k)$-schedulable.
Proof. The above condition guarantees that no matter how activations of under-specified tasks align, they can never result in more than $m$ deadline misses.
This lemma trivially extends to upper bounds on the $\mu(c)$, as we formulate now.
Lemma 27. For all $c$, let $\mu_c$ be an upper bound on $\mu(c)$. If $\forall G \in \mathcal{G}_i$: $\sum_{c \in G} \mu_c \le m$, then $\tau_i$ is $(m,k)$-schedulable.
Now, one thing which does not appear in the above lemma is that the $\mu(c)$ are not independent from each other.
Definition 28. There exists a partial order $\le$ on combinations such that $c_1 \le c_2$ if and only if the execution times in $c_1$ are all smaller than or equal to their counterparts in $c_2$, i.e. $\forall \tau_r \in R_i$: $c^{c_1}_r \le c^{c_2}_r$.
Lemma 29. If $c_1 \le c_2$ then $\mu(c_1) \le \mu(c_2)$.
Proof. This directly follows from the fact that $c_1 \le c_2$ implies that the load incurred within one level-$i$ busy window by the under-specified tasks in $c_1$ is smaller than that in $c_2$.
Theorem 30. Suppose that the $\mu_c$ have been assigned such that $\forall G \in \mathcal{G}_i$: $\sum_{c \in G} \mu_c \le m$. Then any assignment of the $c^c_r$ such that, for all combinations $c$, $\sum_{\tau_r \in R_i} c^c_r \le S^{\mu_c}_i$ guarantees the $(m,k)$-schedulability of $\tau_i$.
Proof. This follows directly from Lemma 27 and the definition of $\mu_c$-slack.
Note that there always exists such an assignment. Now that we have presented our solution for budgeting under-specified tasks based on the multiframe execution time model, let us show how it proceeds on an illustrative example.
Example 31. Consider as an example a system with only one task $\tau_3$ in the nominal mode and two under-specified tasks $\tau_1$ and $\tau_2$, as illustrated in Figure 3. Task $\tau_3$ has a $(2, 10)$ weakly-hard requirement. $\tau_1$ and $\tau_2$ have priorities higher than the priority of $\tau_3$, and no more than 2 instances within $\Delta T^k_3$. Figure 3 illustrates the gangs; to improve readability, 0s are omitted there in the representation of combinations. There are five combinations containing at least one long execution time: $(C^l_1, 0)$, $(0, C^l_2)$, $(C^l_1, C^s_2)$, $(C^s_1, C^l_2)$ and $(C^l_1, C^l_2)$. There are three more combinations containing only short execution times: $(C^s_1, 0)$, $(0, C^s_2)$ and $(C^s_1, C^s_2)$. Let us now focus on gangs. Remember that gangs consist of combinations containing at least one long execution time and that two combinations with the same long execution time cannot be in the same gang. We only list here the maximal gangs:
$\{(C^l_1, C^l_2)\}$, $\{(C^l_1, 0), (0, C^l_2)\}$, $\{(C^l_1, C^s_2), (0, C^l_2)\}$, $\{(C^l_1, 0), (C^s_1, C^l_2)\}$ and $\{(C^l_1, C^s_2), (C^s_1, C^l_2)\}$.
E C R T S 2 0 1 7

17:16
This yields the following constraints, the first five of which are directly derived from the gangs while the remaining four constraints are obtained by comparing combinations.
One solution to this set of constraints is e.g.
Assuming we have chosen the above assignment for the $\mu_c$, we now define the constraints to be satisfied by the execution times of tasks, one per combination and then one for the short execution times.
Any solution to this set of constraints guarantees $(m, k)$-schedulability of $\tau_i$.
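The enumeration behind Example 31, as an added illustration that is not part of the paper: combinations for two under-specified tasks, the maximal gangs (no two members sharing a task's long execution time), the covering pairs of the partial order of Definition 28, and the two checks of Theorem 30. The $\mu$ assignment and the slack values $S_i^0, S_i^1, S_i^2$ are constructed here, and combinations without a long execution time are assumed to get $\mu_c = 0$.

```python
from itertools import product, combinations

# A task tau_r in R_i contributes 0 (no instance), 's' (short bound C^s_r) or
# 'l' (long bound C^l_r) to a combination (Definition 23); ranked 0 < s < l.
RANK = {0: 0, 's': 1, 'l': 2}

def long_combinations(n_tasks):
    """Level-i combinations containing at least one long execution time."""
    return [c for c in product((0, 's', 'l'), repeat=n_tasks) if 'l' in c]

def leq(c1, c2):
    """Partial order of Definition 28: each entry of c1 is at most its counterpart in c2."""
    return all(RANK[a] <= RANK[b] for a, b in zip(c1, c2))

def maximal_gangs(n_tasks):
    """Gangs: sets of long combinations in which no two members use the same
    task's long execution time; only inclusion-maximal gangs are returned."""
    longs = long_combinations(n_tasks)
    def compatible(group):
        return all(not any(a == b == 'l' for a, b in zip(x, y))
                   for x, y in combinations(group, 2))
    gangs = [set(g) for k in range(1, n_tasks + 1)
             for g in combinations(longs, k) if compatible(g)]
    return [g for g in gangs if not any(g < h for h in gangs)]

def order_constraints(n_tasks):
    """Covering pairs c1 < c2 among long combinations: by Definition 28 the
    number of misses assigned to c1 may not exceed the one assigned to c2."""
    longs = long_combinations(n_tasks)
    return [(c1, c2) for c1 in longs for c2 in longs if c1 != c2 and leq(c1, c2)
            and not any(c3 not in (c1, c2) and leq(c1, c3) and leq(c3, c2) for c3 in longs)]

def valid_mu(mu, n_tasks, m):
    """Premise of Theorem 30: every gang sums to at most m, and mu is monotone."""
    return (all(sum(mu[c] for c in g) <= m for g in maximal_gangs(n_tasks))
            and all(mu[a] <= mu[b] for a, b in order_constraints(n_tasks)))

def valid_budget(mu, slack, short, long_):
    """Theorem 30: for every combination c, sum_r c_r <= S_i^{mu_c}. Combinations
    without a long execution time are assumed to have mu_c = 0 (must fit S_i^0)."""
    for c in product((0, 's', 'l'), repeat=len(short)):
        load = sum({0: 0.0, 's': short[r], 'l': long_[r]}[v] for r, v in enumerate(c))
        if any(c) and load > slack[mu.get(c, 0)]:
            return False
    return True

# Constructed instance mirroring Example 31: two under-specified tasks, tau_3 with (2, 10).
MU = {('l', 0): 1, (0, 'l'): 1, ('l', 's'): 1, ('s', 'l'): 1, ('l', 'l'): 2}
SLACK = {0: 48.0, 1: 96.0, 2: 144.0}   # constructed mu-slack values S_i^0, S_i^1, S_i^2 (ms)
```

With two tasks the block reproduces the counts of Example 31: five long combinations, five maximal gangs and four comparison constraints.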

Methodology and Discussion
Let us now summarize the methodology that we propose to provide the architect with simple answers helping him/her dimension the tasks that are still under-specified in the system.

1. We first compute an execution time budget for the under-specified tasks which guarantees hard real-time constraints (zero deadline misses). If this execution time budget is acceptable for the architect then we do not need to go further.

2. If, however, there is a need for larger execution times for the under-specified tasks, we then compute a second execution time budget which guarantees weakly-hard constraints. Taking into account weakly-hard constraints we can allow more load within shorter time windows, but over longer time windows the load available for under-specified tasks is still limited.

3. If the activation patterns of the under-specified tasks are known and a multiframe execution time model is meaningful, we can propose more relaxed bounds on execution time budgets.

Experimental Results
Let us now provide some experimental results we have obtained using the CPLEX constraint solver on budgeting under-specified tasks. We first address the motivational example of Section 2 and then present experiments made on synthetic test cases.

The OBSW case study
The case study presented in Section 2 is a system made of a single resource and a task set shown in Table 1, where 27 tasks are in the nominal mode and there are 3 recovery and reconfiguration tasks $\tau_{10}, \tau_{11}, \tau_{21}$ which are under-specified. As discussed before in Section 2, all on-board software is currently typically analyzed with hard real-time techniques; and yet by experience, the overall system is still quite robust to
For the sake of the case study we propose some weakly-hard constraints for tasks that are purposely quite aggressive: the reader may notice that in some cases a tolerance of 1 deadline every 2 seconds is admitted for some tasks. This makes it possible to ascertain the robustness (at least from the point of view of real-time constraints) of such a representative task set even in case of severe degradation (which would require high sporadic load for the recovery activities).
The worst-case response time analysis of the nominal mode shows that the system is schedulable. Our goal is to synthesize a load budget for the under-specified tasks $\tau_{10}, \tau_{11}, \tau_{21}$ which guarantees that all weakly-hard real-time constraints described in Table 2 are satisfied. We first show the constraints on the execution times and activation models of the tasks in $R$ which guarantee the absence of any deadline miss, before providing the same result when a few deadline misses are tolerated.
Note that tasks $\{\tau_1, \ldots, \tau_9\}$ have higher priority than the recovery and reconfiguration tasks, so their timing properties do not depend on the budget of tasks in $R$. They will therefore be excluded from our study. We denote by $T$ the remaining tasks with lower priority, that is: $T = T \setminus \{\tau_1, \ldots, \tau_9\}$.

Budgeting with hard real-time constraints
If we want to guarantee that the system is schedulable then the budget to be shared between the under-specified tasks is $S_i^0 = 48.01$ ms. If this budget is not sufficient for the architect we can propose a budget with weakly-hard real-time guarantees.

Budgeting with weakly-hard real-time constraints
If the architect can accept to work with weakly-hard rather than hard guarantees then the available budget for the recovery tasks is $(m + 1) \times S_i^0 = 96.02$ ms. This budget is twice as much as the budget for the hard real-time case. We can obtain even better bounds by using a more fine-grained model of how load distributes over busy windows.

Budgeting for multiframe tasks
Let us assume that for all $\tau_i \in N$ there are at most
This means in particular that the budget that is available for the under-specified tasks within $\Delta T_i^k$ is at least 108.015 ms. Note that there are many other possible assignments for the $\mu$ values which lead to different execution times.

Synthetic examples
In this section, we present a set of synthetic test cases to test our approach more extensively on a variety of systems. In this experiment we study the impact of different characteristics such as utilization, $(m, k)$ constraints, system size, etc.
For that purpose we generated 1000 task sets randomly using UUniFast [7]. We define a set of tasks $T$ with a priority, a worst-case execution time, a period, a deadline, and an $(m, k)$ real-time constraint. The standard approach is to first define the system utilization and then assign a share of it to each task [7]. We pick a utilization from $\{0.4, 0.5, 0.6, 0.7, 0.8\}$, then the number of tasks is chosen in $[1, 20]$ and periods are harmonic. The worst-case execution time is then computed as $C_i = U_i \times T_i$. Deadlines are chosen as $\{0.6, 0.8, 1\} \times T_i$, as our approach supports only constrained and implicit deadlines. We generate a random $(m, k)$ for each task in the system such that:
The number of under-specified tasks is limited to $r = 3$ and the maximum number of instances of each under-specified task is generated randomly in $[1, r^2]$.
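The generation recipe above, as an added example that is not the paper's own code: UUniFast for the utilization shares, harmonic periods, $C_i = U_i \times T_i$, deadline factors from $\{0.6, 0.8, 1\}$ and $r = 3$ under-specified tasks. The base period, the rule for drawing $(m, k)$ (here simply $m < k$) and the upper bound on instances (read as $r^2 = 9$) are not fixed by the page and are constructed here.

```python
import random

def uunifast(n, total_util, rng):
    """UUniFast [7]: draw n utilizations that sum to total_util, uniformly over the simplex."""
    utils, remaining = [], total_util
    for i in range(1, n):
        next_remaining = remaining * rng.random() ** (1.0 / (n - i))
        utils.append(remaining - next_remaining)
        remaining = next_remaining
    utils.append(remaining)
    return utils

def generate_task_set(rng, r=3, max_instances=9):
    """One synthetic task set following the recipe of the experiments section.
    Constructed choices: base period 10 ms, (m, k) with m < k, max_instances = r^2."""
    total_util = rng.choice([0.4, 0.5, 0.6, 0.7, 0.8])
    n = rng.randint(1, 20)
    base = 10.0
    tasks = []
    for prio, u in enumerate(uunifast(n, total_util, rng), start=1):
        period = base * 2 ** rng.randint(0, 4)   # powers of two keep the periods harmonic
        k = rng.randint(2, 10)
        m = rng.randint(0, k - 1)                # constructed rule: fewer misses than window size
        tasks.append({"prio": prio, "C": u * period, "T": period,
                      "D": rng.choice([0.6, 0.8, 1.0]) * period, "mk": (m, k)})
    under_specified = [{"max_instances": rng.randint(1, max_instances)} for _ in range(r)]
    return tasks, under_specified

def total_utilization(tasks):
    return sum(t["C"] / t["T"] for t in tasks)

def is_harmonic(tasks):
    """Every period divides the longest one (periods are 10 ms times a power of two)."""
    longest = max(t["T"] for t in tasks)
    return all(longest % t["T"] == 0 for t in tasks)
```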

Results
Figure 4 shows in the form of a histogram how much we gain in terms of load budget for the under-specified tasks by using a multiframe task model with weakly-hard constraints instead of a single worst-case execution time with hard real-time constraints. Note that the results in the former case are obviously at least as good as those for the latter case. Figure 4 shows for example that for 198 task sets the load budget in the multiframe case ($\mathit{load}_{MF}$) is between 5 and 10 times larger than the load budget in the hard case ($\mathit{load}_H$).
The load we gain, however, depends on the number of under-specified tasks. Figure 5 shows that the larger the number of under-specified tasks, the less load we gain; this is because the available slack is shared among more under-specified tasks, which makes the long execution time $C^l$ shorter.
The results show that the utilization has no impact on the load we gain. The number of periodic tasks does not degrade the load we gain by using the multiframe task model either. Note that we have repeated our experiment 10 times and observed similar results.

Related Work
The work presented in this paper most closely relates to sensitivity analysis, slack analysis, multiframe task systems and weakly-hard real-time systems. Note that the determination of bounds on unspecified system parameters is the scope of parametric model checking [6, 9]. Even if such approaches are known to have difficulty scaling up to even simple settings, it would be interesting to see whether they could apply to our problem. This work focuses on budgeting under-specified tasks for weakly-hard real-time systems. Although the under-specified tasks in our case study (OBSW) are recovery tasks, schedulability analysis of fault-tolerant real-time systems [4, 12] is not in the scope of this paper.
Sensitivity analysis is used to provide guarantees on the schedulability of a system in case of uncertainty on the system parameters. In [2] Bini et al. introduced an analytical sensitivity analysis for FPP scheduled periodic task sets with constrained deadlines (i.e. $D \le T$). The works [22] and [16] propose solutions for sensitivity analysis of systems with activation patterns specified with arrival curves.
In contrast to all these papers, our work proposes for the first time a solution for the sensitivity analysis of weakly-hard real-time systems: we constrain the admissible load that under-specified tasks in the system can use without violating weakly-hard real-time constraints in FPP scheduled task sets with arbitrary activation patterns and constrained deadlines.

Slack stealing is a scheduling algorithm proposed by [11] to schedule aperiodic tasks by stealing all the processing time it can from the periodic tasks without causing their deadlines to be missed. Similar algorithms based on slack stealing have been proposed by other authors [5, 18, 20]. These algorithms do not take into account any weakly-hard guarantees and they therefore bound the maximum slack in a window of size $D_i$. In our approach, however, we consider $(m, k)$ weakly-hard requirements and we thus bound the maximum slack in a window of size $\delta_i^-(m + 1) + D_i$.

The multiframe task model was originally introduced in [15] to provide a less pessimistic schedulability test than [13] for hard real-time systems. This model assigns to each periodic task $N$ execution times $(C^0, C^1, \ldots, C^N)$ and the execution time alternates between them: the execution time of the $i$-th instance of the task is $C^{((i-1) \bmod N)}$ where $i \ge 1$. In this paper we use a specific case of the multiframe task model for sporadic tasks which assigns two execution times, long $C^l$ and short $C^s$, where within a time window $\Delta$ one instance of the task uses the long execution time while the rest use the short execution time. We propose our multiframe task model in the context of budgeting under-specified (sporadic) recovery tasks, to provide the recovery tasks with more load in weakly-hard real-time systems.
Weakly-hard systems [1] is a concept which guarantees that out of $k$ consecutive executions of a task, no more than $m$ deadline misses may occur. The approach of [17] and the related articles provide analyses to verify such constraints. In this paper we reuse the concepts developed in these papers to better budget under-specified tasks.

Conclusion
In this paper, we have shown how to budget under-specified tasks in the early design of weakly-hard real-time systems by providing sufficient conditions which guarantee $(m, k)$ schedulability. This is particularly useful in industrial practice because it often happens during design that some parts of a task set are fully specified while other parameters, e.g. regarding recovery or monitoring tasks, do not become available until much later. Existing budgeting techniques, which are restricted to hard real-time constraints, can help anticipate how these missing parameters influence the behavior of the whole system, but they are likely to yield execution time budgets that are too tight to be useful. We have shown that using weakly-hard rather than hard guarantees, whenever possible, results in much more applicable execution time budgets. Our results are thus of real practical value for the design of systems such as the on-board software system discussed in the paper. Note that in this paper we have not at all addressed the complexity of the analysis. The reason is that this does not appear to be a limiting factor for industrial applicability at this point. It would however be interesting to better understand how far the approach presented in this paper can scale and how much we can improve its efficiency.
Finally, we need to acknowledge the need for complementary work related to weakly-hard real-time systems as mentioned in Section 2, in particular in relation with the impact of deadline misses on system functions. Recent work [8, 3] in this direction indicates that this question is indeed considered relevant in the research community as well as in industry.

Figure 2. Worst-case busy window analysis. The slack $S_4^0$ of $\tau_i$ is shown.

Theorem 22.
$\sum_{b=1}^{n} l_b = \Lambda_i$. For each $l_b$ let $\mu_b$ denote the maximum number of (consecutive) deadline misses that may be caused by $l_b$ ($\mu_b \ge 0$). We have to prove that $\sum_{b=1}^{n} \mu_b \le m$. By definition we know that $l_b > S_i^{\mu_b - 1}$ for all $l_b$, so from Lemma 20 we can derive that $l_b > \mu_b \times S_i^0$. If we now sum this over all $l_b$ and use $\sum_{b=1}^{n} l_b = \Lambda_i = (m + 1) \times S_i^0$, we can conclude that $m + 1 > \sum_{b=1}^{n} \mu_b$, which is what we had to prove.
If for all $\tau_i \in N$ with an $(m, k)$ schedulability constraint $\sum_{\tau_r \in R_i}$

Hypothesis 1.
For each task $\tau_r \in R_i$, we allow only one instance out of $\Omega_i^r$ to have a long execution time $C_r^l$. The other $\Omega_i^r - 1$ activations of $\tau_r$ within $\Delta T_i^k$ will be bounded by the short execution time bound $C_r^s$.
In a way that is similar to the state of the art in TWCA as explained in Section 4.2 we now introduce the concept of combinations.
Definition 23. A level-$i$ combination is a tuple $c = (c_1, c_2, \ldots, c_{|R_i|})$ such that each task $\tau_r \in R_i$ corresponds to one $c_r$ in the tuple and $c_r = 0$ or $c_r = C_r^s$ or $c_r = C_r^l$.

Figure 3. A gang of $\tau_1$ and $\tau_2$ within $\Delta T_i^k$ where $\tau_3$ has a real-time constraint $(2, 10)$.

Figure 5. The relation between the gain of load and $r$.

Table 1. A task set representative of on-board software. $\pi$, $C$, $T$, $\phi$, $D$ and $b$ denote respectively: priority, worst-case execution time, period/minimum distance, offset, deadline, blocking time. The time unit is ms.

Definition 1. Arrival curves are functions $\eta_i^+, \eta_i^- : \mathbb{N} \to \mathbb{N}$ that model the possible activations of a task $\tau_i$ such that for any time window $\Delta$, $\eta_i^+(\Delta)$ defines the maximum number of activations of $\tau_i$ that might occur within $\Delta$, and $\eta_i^-$ the minimum (in this paper we only use $\eta_i^+$). The pseudo-inverse of arrival curves, namely $\delta$

Table 2. Real-time constraints of tasks in $T$. $(m, w)$ represents the maximum number of allowed deadline misses $m$ every $w$ seconds; $(m, k)$ means that a task may miss at most $m$ deadlines out of $k$ consecutive activations.