I. INTRODUCTION
Partitioned architectures (PAs) allow the safe integration of applications of different criticality levels on the same platform, reducing the development, verification and integration costs. PAs rely on partitioning mechanisms at the platform level to ensure temporal and spatial separation between applications of different criticality levels. With PAs, each application runs in its own partition. Spatial partitioning protects the private data or devices of an application in a partition from being tampered with by another application. Temporal partitioning ensures that an application's access to shared resources is not affected by applications in other partitions.
PAs have been successfully used in several industries, including automotive and avionics. For example, in the avionics area, platform-level separation mechanisms are described in the ARINC 653 software specification, also called Integrated Modular Avionics [3]. Recently, the European Space Agency (ESA) and the National Aeronautics and Space Administration (NASA) have also shown interest in PAs, as a way to "manage the growth of mission function implemented in the on-board software" [8], and as an intermediate step to introducing multicore processors in spacecraft computers [7].
In [6], we have addressed the optimization of PAs for hard real-time applications, focusing on finding schedulable implementations that minimize the development and certification costs. In this paper we are not interested in the issue of cost minimization, but in supporting soft real-time applications that share the same PA with critical hard real-time applications. The advantage of a PA is that it allows the integration of mixed-criticality applications, including non-critical and soft real-time applications, onto the same platform. Our proposed optimization approach determines an implementation such that all hard real-time applications are schedulable and the quality of service of the soft real-time tasks is maximized.
II. SYSTEM MODEL
On a processing element (PE) $N_i$, a partition $P_j$ is defined as the sequence $P_{ij}$ of partition slices. A partition slice is a predetermined time interval in which the tasks of application $A_j$ mapped to $N_i$ are allowed to use the PE. All the slices on a processor are grouped within a Major Frame (MF) that is repeated periodically. The period $T_{MF}$ of the major frame is not yet known and will be decided by our optimization approach. Several MFs are combined together in a system cycle that is repeated periodically, with a period $T_{cycle}$. Within a $T_{cycle}$, the sequence and length of the partition slices are the same across MFs (on a given PE), but the contents of the slices can differ.
The set of all applications in the system is denoted with $\Gamma = \Gamma_H \cup \Gamma_S$, where $\Gamma_H$ is the subset of hard real-time applications (HRT), and $\Gamma_S$ is the subset of soft real-time applications (SRT). The applications can be of different criticality levels. We model an application as a directed, acyclic graph, where a node represents one task. An edge indicates a communication.
The mapping of tasks to processors is denoted by the function $M : V_i \to N$, where $N$ is the set of PEs in the architecture. We consider this mapping as given by the designer. For each task $\tau_i$ we know the worst-case execution time (WCET) $C_i$ on the PE where it is mapped. Furthermore, we consider the assignment of tasks to partitions as fixed. The applications can be scheduled using either fixed-priority scheduling (FPS) or static cyclic scheduling (SCS). A deadline $D_i \le T_i$ is imposed on each task graph $A_i$ for SCS applications, and on each $\tau_i$ for FPS tasks, where $T_i$ is the period of the application/task.
Unlike for HRT applications, missing a deadline will not lead to system failure for SRT applications: they will continue functioning, but with a degraded service. For each SRT application $A_j$, we use a quality of service (QoS) function $QoS(A_j) \in [0, 1]$. This function is specific for each application and is given by the designer.
III. PROBLEM FORMULATION
The problem can be formulated as follows: given a set $\Gamma$ of applications, an architecture $N$ of PEs, the mapping of tasks to PEs, the assignment of tasks to partitions, and the application cycle $T_{cycle}$, we are interested in finding an implementation $\Psi$ such that the HRT applications meet their deadlines and the QoS is maximized for the SRT applications.
Deriving an implementation $\Psi$ means deciding on the set $P$ of partition slices on each PE, the size of the major frame $T_{MF}$, and the schedule $S$ for all the tasks.
IV. PARTITIONED ARCHITECTURE OPTIMIZATION
Next, we describe the proposed "Partitioned Architecture Optimization" (PAO) strategy. We have modified and extended our Tabu Search (TS) approach from [6] to solve the problem formulated in the previous section. TS [2] is a meta-heuristic optimization that searches for the solution that minimizes the cost function. The exploration of the design space is done by applying design transformations (moves) to the current solution. To escape local minima, and to prevent the search from revisiting solutions, TS uses an adaptive memory (called "tabu list").
PAO uses four types of moves applied to partition slices: resize, swap, join and split. These moves are applied to a randomly selected partition slice on each PE. PAO also uses a resize MF move that increases or decreases $T_{MF}$, proportionally adjusting the partition slice sizes.
We define the cost function as:
If at least one HRT application $A_i$ from the set $\Gamma_H$ is not schedulable, there exists one $R_i$ greater than the deadline $D_i$, and therefore the term $c_1$ will be positive ($c_1$ drives the search towards schedulable solutions). If all the applications in $\Gamma_H$ are schedulable, then each $R_i$ is smaller than $D_i$, and the term $c_1 = 0$. In this case, we use $c_2$ as the cost function: once the HRT applications are schedulable, we are interested in maximizing the QoS for the SRT applications. The alternative solutions provided by PAO are evaluated using a List Scheduling-based heuristic to determine the schedule tables for each SCS application. The worst-case response times for the FPS tasks are determined using a Response Time Analysis that we modified to take into account partitions [4].
V. CASE STUDY
We have evaluated our PAO strategy using an aerospace case study, with two mixed-criticality applications running on a partitioned PE: the mixed-critical Mars Pathfinder Mission [1] (MESUR), and the non-critical controller for the Compositional Infrared Imaging Spectrometer [5] (CIRIS), a Fourier Transform Infrared Spectrometer.
The MESUR tasks are HRT (scheduled with FPS), mixed-critical, with 4 high-criticality (MHC) and 3 low-criticality (MLC) tasks (see Fig. 1a). The CIRIS application is non-critical, SRT scheduled with SCS. The task set is shown in Fig. 1b. CIRIS acquires 160 interferograms, which it processes using Fast Fourier Transform (FFT) tasks ($fft_i$ tasks in Fig. 1b). The $avg_j$, $dc_j$, $cal_j$ and $avg$ tasks in Fig. 1b are post-processing tasks. A detailed description of the task set can be found in [5]. We have shown in [5] how the number of the acquired and processed interferograms affects the signal to noise performance of the instrument, which is a measure of the QoS. We define the QoS function for CIRIS as the:
Thus, a QoS of 1 means that all 160 FFT tasks are executed. A QoS of 0 means that none executed. We have run our proposed PAO strategy on this case study, and we have obtained the solution depicted in Fig. 2d, where all the hard tasks are schedulable and the QoS for the soft tasks is maximized (QoS=1, corresponding to a high quality signal). we are able to increase the QoS to 1 at the expense of 2 MHC tasks missing their deadlines. This case study shows that it is important to carefully optimize PAs to support soft real-time applications and at the same time meet the stringent constraints of the critical hard real-time applications.
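The two-stage cost ($c_1$ while an HRT deadline is missed, $c_2$ afterwards) and the tabu list of Section IV can be seen on a small single-PE instance. This is an added example, not the authors' PAO implementation: the task parameters are constructed, only a ±1 resize move on one HRT slice is used, response times come from simulating one system cycle rather than the analysis of [4], and the forms $c_1 = \sum \max(0, R_i - D_i)$, $c_2 = -QoS$ and QoS = executed FFT jobs / 160 are assumptions.

```python
from collections import deque

# Constructed sample data (not from the paper). HRT tasks in priority order,
# highest first: (WCET C, period T, deadline D), with D <= T.
HRT = [(2, 10, 10), (3, 20, 20)]
T_MF, T_CYCLE = 10, 400          # major frame and system cycle (time units)
FFT_WCET, FFT_JOBS = 2, 160      # SRT application: FFT jobs per cycle
MISS = 2 * T_CYCLE               # response time charged to a job that overruns

def response_times(hrt_slice):
    """Worst response time per HRT task when FPS runs only inside the slice
    [0, hrt_slice) of every major frame; simulated over one system cycle."""
    n = len(HRT)
    left, released, worst = [0] * n, [0] * n, [0] * n
    for t in range(T_CYCLE):
        for i, (c, period, _) in enumerate(HRT):
            if t % period == 0:
                if left[i]:                  # previous job still pending
                    worst[i] = MISS
                left[i], released[i] = c, t
        if t % T_MF < hrt_slice:             # PE belongs to the HRT partition
            for i in range(n):
                if left[i]:
                    left[i] -= 1
                    if left[i] == 0:
                        worst[i] = max(worst[i], t + 1 - released[i])
                    break                    # one time unit, highest priority only
    return [MISS if left[i] else worst[i] for i in range(n)]

def cost(hrt_slice):
    """Assumed form: c1 > 0 while any HRT deadline is missed, else c2 = -QoS."""
    c1 = sum(max(0, r - d) for r, (_, _, d) in zip(response_times(hrt_slice), HRT))
    if c1 > 0:
        return c1
    srt_time = (T_MF - hrt_slice) * (T_CYCLE // T_MF)   # time left for the SRT slice
    return -min(1.0, (srt_time // FFT_WCET) / FFT_JOBS)  # assumed QoS form

def tabu_search(start=1, iterations=20, tenure=3):
    """Resize moves (+/-1) on the HRT slice; recently visited sizes are tabu."""
    current = best = start
    tabu = deque([start], maxlen=tenure)
    for _ in range(iterations):
        moves = [s for s in (current - 1, current + 1)
                 if 0 < s < T_MF and s not in tabu]
        if not moves:
            break
        current = min(moves, key=cost)       # best neighbour, even if worse
        tabu.append(current)
        if cost(current) < cost(best):
            best = current
    return best, cost(best)
```

Slice sizes 2 and 3 have the same cost in this instance, so a plain descent would stall there; the tabu list forces the move on to size 4, the smallest slice that keeps both HRT tasks schedulable.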
VI. CONCLUSION
In this paper we have proposed a new Tabu Search-based design optimization strategy for mixed-criticality systems implementing hard and soft real-time applications on the same platform. Our proposed strategy determines an implementation such that all hard real-time applications are schedulable and the quality of service of the soft real-time tasks is maximized. We have evaluated our strategy using an aerospace case study.
