This position paper follows from a previous proposal to integrate a time-triggered scheduler in a prioritybased, preemptive scheduler such as that supported by Ada's task dispatching policy FIFO Within Priorities . The resulting combined scheduling carries the advantages of both time-triggered and priority-based scheduling, and helps mitigating their drawbacks.
Introduction
In the real-time systems domain, there are two major approaches to scheduling real-time tasks. One is timetriggered scheduling (TTS) whereby each task is executed during the exact time intervals dictated by a fixed plan designed in advance. The other is priority-based scheduling (PBS), in which the time intervals when a task executes are decided at run time, based on the task's priority. The priority attribute of a task can in turn be static or dynamic, leading to several variations of the idea.
There are pros and cons to both approaches. While TTS is superior to PBS in terms of predictability and reduced jitter (i.e., precise and rapid task release), a time-triggered schedule is difficult to design for non-trivial casesactually, it is an NP hard problem. Another interesting property of TTS systems is that access to shared resources is simpler, provided all tasks execute non-preemptively; whereas PBS preemptive systems require mechanisms to enforce mutual exclusion in the access to shared resources. A fundamental advantage of PBS over TTS is that it keeps a convenient separation of concerns between timing and functional requirements, making PBS systems easier to modify and maintain.
In previous papers we have proposed an architecture supporting the execution of applications that include a mix of TTS and PBS workload [7, 6] . The idea was to divide the application into two subsets of tasks, one scheduled according to a time-triggered plan, and the other one scheduled by a priority-based scheduler. The implementation of this architecture reserves the highest priority of a priority-based scheduler to the TTS subset of tasks, and lets the PBS subset execute during the spare time left by the time-triggered workload, using the rest of priority levels. The time-triggered schedule is driven by an Ada timing event handler (like a timer interrupt handler), which allows the system to react promptly to the arrival of time events, hence keeping a reduced release jitter for TTS tasks.
Combining both scheduling approaches helps mitigating their drawbacks and taking advantage of their benefits. For example, the time-triggered load can be reduced to just the set of more jitter-sensitive tasks (such as control or communication tasks) and the rest of tasks (logging, user interface, optimisation tasks,...) can benefit from a priority-based scheduler. This mitigates the difficulty of designing the TT schedule, since there are less tasks to consider. For the rest of application tasks, scheduled by the PBS, the designer is relieved from the burden of building an offline schedule for them. The price to pay with this combined scheduling approach is that, ultimately, the underlying scheduler is a PBS, which cannot be as efficient as a TTS since it has to execute context switches between tasks.
In summary, combined scheduling (TTS-PBS) gives good results for jitter control, slot-based communication and reuse of pre-designed TT schedules. Our aim in this paper is to adapt the technique proposed and implemented in [7, 6] to Ravenscar, towards facilitating the adoption of this approach in High-Integrity, certifiable, real-time and embedded systems, which is the target niche of the Ravenscar profile.
The rest of this paper is organised as follows. Section 2 describes the system model with regard to the timetriggered subset only, given that our model does not modify the fixed-priority, preemptive scheduling model already supported by the Ravenscar profile. Section 3 proposes a variety of behavioural patterns for time-triggered works that must be executed according to the TT plan, and in Section 4 we describe design and Ravenscar implementation aspects of the TT scheduler. We present some experimental results in Section 5, focusing on jitter measurements obtained from running the TT scheduler on an embedded board using ARM's STM32F407VGT6 micro-controller unit. We finally present our conclusions in Section 6.
System Model: the Time-Triggered Plan
Our system model combines two disjoint subsets of tasks: (i ) a subset scheduled according to an offline, static time-triggered plan; and (ii ) another subset of tasks scheduled under a priority-based, preemptive scheduler. The two subsets run on a common priority-based, preemptive scheduler, but the time-triggered workload always takes precedence over the priority-based subset. Due to this reason, the set of priority-scheduled tasks does not interfere the execution of the TT plan.
Since we are aiming at implementing our model with the Ravenscar tasking profile restrictions, the priority-based subset can only be scheduled based on a fixed-priority scheme such as Rate Monotonic or Deadline Monotonic [4, 3] ; but nothing in our model precludes the use of dynamic priority algorithms such as EDF [4] for this second subset, or even a combination of schedulers using different priority bands. For this reason, we will limit ourselves to describe the system model for the time-triggered plan.
A time-triggered plan is a cyclic sequence of actions to be executed at particular points in time. The plan is described by means of an ordered list of time slots, each of its own slot duration. If a slot starts at time t, its lifetime goes from t to t+Slot Duration. There are no gaps between slots: each slot starts just at the end of the previous slot in the plan. In other words, the duration of the plan is the sum of slot durations. Figure 1 shows a 12-slot example plan, with slots numbered from 0 to 11. Apart from its duration, each slot is characterised by the type of actions to take during the slot lifetime. Each slot has a particular mark indicating its type (digits and other symbols whose meaning will be described in a moment). Using the time scale in milliseconds at the bottom of the plan, it can be seen that the plan has a duration of 80 ms, slot 0 has a duration of 5 ms, slot 11 takes 6 ms from time 74 ms to 80 ms, etc.
There are five possible types of slots in a plan:
• A regular slot defines a time interval reserved for the execution of a time-triggered task (a work ). It is Figure 1 . A 12-slot time-triggered plan. Slots marked 2, 4 and 10 are regular slots for works 1 and 2, as indicated; slots 0 and 6 are continuation slots for work 1; slot 8 is an optional slot for work 3; and slot11 is a mode change slot. The rest are empty slots.
denoted by a regular Work Id, a strictly positive integer value that identifies the particular work to execute during the slot. In Figure 1 , slots 2, 4 and 10 are regular slots corresponding to works 1 or 2 as indicated. The underlying TT scheduler will make the work start to execute as soon as feasible after the start time of the slot. The duration of a regular slot must be sufficient, by design, to accommodate the worst-case execution time of the work it serves. If a work overruns its regular slot then the scheduler will resort to raising a Program Error exception, since an overrun violates the schedulability assumptions of TTS. If, on the contrary, a work completes before the end of the slot duration, then the rest of the slot remains available for PB tasks. A TT task must always be ready to use its allocated regular slots in the plan. Failing this, the scheduler will raise Program Error as well. The next type of slot is more permissive in this regard.
• An optional slot is like a regular slot except that it can be omitted. A TT task may decide to use or not to use an assigned slot in the plan. If it does use it (the task is ready to start when the optional slot starts) then it has the same semantics as a regular slot, including overrun control at the end of the slot. But if the task is not ready at the start of the slot, it is not considered an error and the slot duration is made available for PB tasks. In Figure 1 , slot 8 is an optional slot for work 3, indicated with parentheses. Optional slots are useful for tasks that may or may not require to use their allocated slot, such as a communication task when it has nothing to say; or a sporadic task whose activation event has not occurred.
• A continuation slot can be regarded as a special kind of regular slot, in the sense that it is associated to a particular Work Id. In Figure 1 , slots 0 and 6 are continuation slots. They are marked with a regular Work Id plus a letter 'c', indicating continuation.
What is special about these slots is that the work they host does not need to be completed by the end of the slot; it can be continued in future slots. Failing to finish by the end of a continuation slot is not considered an overrun. Instead, the work is held at the end of the slot and resumed at the start of the next slot marked with its Work Id. There may be a number of consecutive continuation slots for a given work. Overrun will only be checked when the plan reaches a regular slot for this work. We will refer to the last, non-continuation slot of a series, as a terminal slot. In Figure 1 , slots 4 and 10 are terminal slots for work 1, given that they are preceded by continuation slots 0 and 6 for work 1, respectively. This type of slots are useful to split a large time-triggered task into smaller pieces in a way that is essentially transparent to the task code. We will visit this pattern in more depth in Section 3. Continuation slots require asynchronously holding and resuming a running task, which in turn requires support from the runtime system. This is the reason why our implementation of the TT scheduler (Section 4) is an extension of the runtime system, in the form of a new package Ada.Dispatching.TTS. The hold/release mechanism is indeed to be taken very carefully, specially with regard to its interaction with protected actions 1 . But it is doable under certain restrictions as we will show later.
The following two types of slots correspond to scheduler actions exclusively and they have no associated timetriggered task to execute.
• An empty slot defines a time interval during which no TT activity is planned. This is useful for inserting gaps in the plan where they are needed, making the CPU available to priority scheduled tasks. Note that, even though there is no application-specific activity to execute during an empty slot, there will be scheduler actions executed at the beginning of the slot, as described in subsection 4. In Figure 1 , slots 1, 3, 5, 7 and 9 are empty slots.
• A mode-change slot is similar to an empty slot in the sense that it has no associated work to execute. But additionally, it defines the times in the plan where it is possible to substitute the current plan with a new one. By placing mode change slots in the plan, the designer determines the points where the system can admit a mode change. At the start of a mode-change slot, the TT scheduler will check whether there is a pending mode-change request to process. If there is one, then the new plan will start executing at the end of the mode-change slot. The change will be immediate if the mode-change slot duration is defined to be zero. The ability to change mode (substitute the current plan with a new one at run time) introduces a degree of flexibility that off-line, static schedules do not possess by nature. In Figure 1 ), slot 11 is a mode change slot, indicated with a curved arrow.
For comparison with the TT plan model we defined in previous papers [7, 6] , the model we have just defined introduces the new types of continuation and optional slots. The former are motivated by feedback received from participants at the 18 th International Real-Time Ada Workshop suggesting that "[...] one should be able to divide a long-running time-triggered task into segments that would be executed across several slots [so that] spreading the TT task execution across several slots [would give] chances for other tasks to execute in between these slots." [5] . With this type of slots we want to give support to this concept, although it has relevant implications that we will present in Section 3, in the context of patterns using this type of slots.
Finally, note that in this model we are assuming that a plan is executed on a single CPU: there are no overlapping slots. This assumption will help us keep the rest of this paper as simple as possible. However, note also that in a multiprocessor system, the model is applicable provided that it is fully partitioned, i.e., there is only one plan per processor and tasks are statically fixed to CPUs. With careful synchronisation of plans, it is also conceivable to allow data sharing between tasks running in different CPUs. Beyond this restrictive setup, we have also suggested to use controlled forms of migration between plans, so that a task can alternate slots in plans on different processors, to balance the overall TT workload [7] . But we will assume a single processor platform for the rest of this paper, except when explicitly mentioned otherwise.
Time-Triggered Task Patterns
The model described in the previous section grants time slots for the execution of TT tasks, leaving time gaps to be used at lower priority levels by PB tasks. The ability to use both regular and continuation slots, opens the possibility to define a number of behavioural patterns for the TT tasks using them. This section proposes a set of such patterns. From some of these patterns we will derive requirements for the design and implementation of the TT scheduler that will be presented in Section 4.
Simple TT Task Pattern
The simplest pattern we can think of is a TT task that accommodates all its execution time within the duration of one slot. The task structure is simply an infinite loop where the task waits for the arrival of its next slot and then executes its sequence of statements, just before suspending itself again until the arrival of its next slot. Figure 2 represents an example of this pattern, showing the execution of three iterations of a simple TT task. The task uses Work Id = 1 (for example) in a call to the scheduler to wait for the arrival of the next slot marked with this Work Id (Wait For Activation (1) in the example). Slots assigned to a simple TT task must be all regular slots. At the beginning of each slot, the scheduler releases the work and lets it run at the highest priority among all application tasks. The priority-based subset is therefore disabled to run, since it must use strictly lower priorities than TT tasks. When the task completes within the slot duration (first and second cases of the example in Figure 2 ), it is suspended by a new call to Wait For Activation . The time not used by the TT task becomes available for the lower-priority PB tasks. If, for whatever reason, the execution time of a simple TT task exceeds the slot duration, this is considered a hard deadline violation and Program Error is raised. The TT scheduler is thus in charge of making this check at the end of regular slots.
A simple TT task may have its own local state, which is kept across successive releases. It can also share data with other simple TT tasks, because this type of task executes in mutual exclusion with other simple TT tasks (there are no overlapping slots). If the task needs to share data with preemptable PB tasks (or sliced TT tasks, as we'll see later), then it needs to do it via protected objects. In such case, the TT task may experience blocking that must be taken into account when deciding the slot duration. 
Initial-Final Pattern (I-F)
The Initial-Final pattern (I-F, for short) is for TT tasks that can be subdivided in two parts, both with strict jitter requirements. This pattern can be easily obtained by sequential composition of two simple TT patterns, as in Figure 3 , which shows the execution of two iterations of an I-F task. The loop is split in two parts, first the initial and then the final, and both use the same Work Id when calling Wait For Activation -not necessarily as a restriction, but just to keep the plan more human-readable. Note that the slots for the initial and final parts need not have the same duration. Overrun must be checked for both parts.
Regarding data sharing, the considerations we made about simple TT tasks apply also to the case of an I-F task. Furthermore, communication between the initial and final part is straightforward, since they are both the same task.
Initial-Mandatory-Final Patterns (I-M-F and I-{M}-F)
This pattern (I-M-F, for short) uses three consecutive regular slots to perform a logically related sequence of TT actions. This scheme is typical in embedded control systems, where the initial part acquires some environment data, the mandatory part does some calculations with the acquired data, and the final part applies the results of the mandatory part to actuators of the controlled system.
The logical structure is defined by three calls to Wait For Activation using the same Work Id, preceding the statements of the initial, mandatory and final parts. The same considerations regarding overrun detection and data sharing we made for simple and I-F tasks, apply to I-M-F tasks: overrun is checked for each and every part of the task.
Actually, this pattern can be generalised to a form I-{M}-F, where there are one or more slots dedicated to execute parts of the mandatory section, each part with overrun control. If we do not want overrun control in all the mandatory slots, then we need to use continuation slots, as the following patterns do.
Sliced TT Task Pattern
This pattern allows one to break a long running TT task into slices in a way that is transparent to the application code, i.e., it does not require the task to make successive explicit calls to Wait For Activation at particular points of its execution. Slicing is dynamic and occurs at run time, rather than statically hardcoded. The TT scheduler will stop and restart the task at points dictated by the plan. A sliced TT task requires the use of one or more continuation slots, ending with a terminal, regular slot. Figure 4 shows two iterations of execution of a sliced TT task. This task can make use of up to three consecutive slots, which is reflected in the plan as two continuation slots (marked '1c') and one terminal, regular slot (marked simply '1'). The task structure does not differ in structure from the simple TT task described in Section 3.1, but the semantics are totally different due to the use of continuation slots. In other words, one needs to look at the plan to distinguish a simple TT task from a sliced TT task.
In the two iterations shown in Figure 4 , the task is held (by the TT scheduler) at the end of exhausted continuation slots, and resumed at the start of its next slot in the plan. Exceeding the lifetime of a continuation slot is not an overrun situation. In the first iteration, the task completes its work within its last slot (a regular slot). In the second, it does not finish by the end of the regular slot, hence the scheduler raises a Program Error exception.
These two cases are relatively simple to consider, but we need to look into more possible situations. Given the pattern structure, the task will call Wait For Activation as soon as it is done with the Do My Work Sliced sequence of statements. This may well happen during a continuation slot, before the terminal slot of the sequence. The task may use up to three slots to complete, but it could take less. If that is the case, then the scheduler needs to ignore the pending call to Wait For Activation until the first slot of the next sliced sequence. An early wait for activation must be therefore be propagated until the next continuation slot after the next terminal slot, i.e., the next start of a sliced sequence. Figure 5 shows the possible cases of early completion of a three-slot sliced task. In the first case, the task completes in the second slot of a three-slot sequence. When the terminal slot of this sequence arrives, the scheduler has to avoid waking up the task at the start of the slot and checking for overrun at the end. The effect of Wait For Activation must be postponed and the task must remain blocked waiting for the start of a new sequence of slots. This is marked as "Propagate" in Figure 5 . In the second case, the task completes even earlier, during the first slot of the sequence. The effects of Wait For Activation must be propagated to the next two slots. A new sequence of the sliced TT task starts after the next regular (terminal) slot. Figure 5 . Two iterations of a three-slot sliced task completing before the terminal slot, requiring propagation of early Wait For Activation calls.
As indicated previously, the need to hold and resume a running task has implications that must be taken into account. The problem is specially relevant if the sliced task shares data with other TT tasks or PB tasks. Since the task can be held asynchronously, this data sharing can only be protected. But holding the task while it is running a protected action is not acceptable, and letting it finish a long protected action could enlarge the release jitter of the next slot. To mitigate the effects of these two issues, at a cost, there are two design aspects to consider: 1. A sliced task can only share data with other TT or PB tasks by means of a protected object. To avoid holding the task while it is running a protected action, the ceiling priority of such protected object must be set at a level that effectively disables interrupts. This is the only way to avoid the execution of the (interrupt-driven) TT scheduler while a sliced task is executing a protected action.
2. As a consequence of the previous point, protected actions involving a sliced TT task must be as short as possible. Typically, they should only involve word-sized data exchanges and perhaps a simple condition evaluation. As few cycles as possible, because we are meanwhile blocking interrupts. If the protected action cannot be so short, then there are still alternatives. One is to design the plan so that all continuation slots are followed by empty slots of sufficient duration to absorb the potential blocking time of the runtime system. If this is not possible, because the data exchange required is large, then it is still possible to make use of multiple buffering techniques in order to reduce the need for mutual exclusion to just the time to swap a pointer.
A final consideration with continuation slots and their use by sliced TT tasks has to do with mode changes: they are not allowed in the middle of sliced sequences, because track of an ongoing sliced sequence may be lost when switching from one plan to another. This is easy to avoid by design, because the plan has to determine the exact points when mode changes may occur, by explicitly including mode change slots.
Initial-Mandatory Sliced-Final Patterns (I-Ms-F and IMs-F)
The I-Ms-F pattern is a variant of the I-M-F pattern (as described in Section 3.3), where the mandatory part is sliced (as in Section 3.4). The IMs-F pattern (note the missing dash between the 'I' and 'M' parts) is a slight modification of the former that allows the mandatory part to start executing immediately after the initial part, without waiting for the next slot in the plan. Both patterns have the same representation in the plan, taking one regular slot for the initial part (so that it is subject to overrun control), then several continuation slots for the mandatory part, and one regular slot for the final part.
Note that the IMs-F pattern requires specific support from the TT scheduler. Since IMs-F allows the mandatory sliced part to start as soon as the initial part is done, during the first regular slot, we are effectively transforming the semantics of this particular regular slot into that of a continuation slot. The scheduler must therefore be informed of the termination of the initial part so that, if the initial part is not done by the end of the slot, then there is an overrun; but if it has completed, then the slicing regime has started and the hold/resume mechanism has to apply to the already started sliced mandatory part. After completing the initial part before the end of the first slot, the task waits for the next activation, hence delaying the start of the mandatory part to the next slot. Since the first slot is regular, the initial part runs under overrun control. The sliced mandatory part takes the next continuation slot and a part of the second continuation slot and then waits for the arrival of the terminal slot, which it uses to execute the final part. In the IMs-F pattern in Figure 6 , use of this scheduler service is represented by the call to Continue Sliced . If the scheduler has not received this call by the end of the first slot, then the initial part has overrun; otherwise, the initial part was completed during the first slot and the running task is held/resumed as an sliced subsequence of this pattern. The final part of the pattern requires a previous call to Wait For Activation , as already described for other patterns with a final part.
TT Patterns with Non-TT Parts
More than just one particular pattern, although we will be using one as an example, this section introduces a scheduler mechanism that makes it possible for a TT task to include parts that are executed in the PB level, in competition with the priority-scheduled tasks subset. The mechanism (Leave TT Level) allows a TT task to abandon the TT level and continue execution under the PBS regime. This is useful to execute parts that are not subject to strict jitter requirements and that may be difficult to integrate in the TT plan.
As an example, consider a control task with jitter-sensitive initial and final parts. These parts are used for reading the plant state and for sending commands to actuators, respectively. After reading sensors, the initial part rapidly calculates a first approximation to the control output, to be later applied during the final part. Until that time arrives, an intermediate part tries to improve this calculation by means of an optimisation algorithm that may take disparate execution times, depending on changing environment conditions (e.g., the number of objects detected by a radar). If this middle part had to be included in the TT plan, then the plan would have to provide sufficient slots for the worst-case execution of the optimisation algorithm. But if we could execute this optimisation part as any other PB task, with a selected priority below the TT level, then it would not require slots in the plan, hence keeping it simpler. At the end of the middle part, the task would go back to the TT level to execute the final part with minimal jitter and using the best output possible in the available time. Figure 7 shows the execution of such Initial-Priority Based-Final pattern, or I-P-F. The pattern requires just two regular slots in the plan for the initial and final parts. In the figure, there is a regular slot for another, unrelated work (Work Id = 2) in between these two slots of the I-P-F task, which uses Work Id= 1. The initial part executes during the first slot and, when completed, issues a call Leave TT Level to inform the scheduler that the task continues with the execution of the non-TT part at a priority in the PB region. From that moment on, the PB part continues in competition with higher-priority PB tasks and other TT tasks, such as that with Work Id = 2. The PB part eventually completes with a call to Wait For Activation , which makes the task return to the TT level and wait for a slot to execute the final part. The implementation of the Leave TT Level mechanism requires changing the priority of the TT task at runtime, which, at first sight, appears to be in contradiction with the Ravenscar model of fixed priorities. However, a Ravenscar runtime has to actually support a limited form of dynamic priorities, because it is needed to implement the Ceiling Locking policy for protected objects. Handling PB parts as required by Leave TT Level can be supported as well in Ravenscar. Without going into the implementation details that we will visit in Section 4, the problem of scheduling a task with TT and PB parts can be seen as if the task had a base priority in the PB level, at which it runs its PB phase, and an active priority at the TT level when it runs in a TT slot. The mechanism does not need to change the priority of a task other than the running task, as for Ceiling Locking case. And the changes between base and active priorities occur only as a result of statements executed by the same task that is affected by the priority changes, as is the case for protected actions..
The Leave TT Level mechanism can also be used to compose other interesting patterns. For example, a periodic PB task with one TT phase, to be executed during a regular slot in the plan. This slot could be used to synchronise the task with the arrival of slots in the plan, for mutually exclusive communication or data exchange with other tasks, or for accessing a shared resource in general, such as in a slot-based communication protocol.
The P-[F] pattern described now, is another pattern using non-TT parts and that also serves to illustrate the use of optional slots. This pattern models a periodic, PB task, that may or may not use a TT regular slot, for example to synchronise or timely communicate with other TT or PB tasks. At the TT level, the task requires just a sequence of optional slots conveniently spread across the plan. At the PB level, the task executes as any other priority scheduled task. Figure 8 shows three full iterations of a P-[F] task with a periodic PB part. In the first iteration, the task completes the priority-based part and ends up calling Wait For Activation , because the boolean Needed happens to be True. As a result, the final part is executed at the TT level at the start of the next (optional) slot for this work. In the second iteration, Needed is False and hence the task skips the call to Wait For Activation and re-enters the loop to execute the delay sentence instead. Consequently, the task skips its next slot in the plan. If the slot was regular, then this no-show situation would end up in Program Error. But because the slot is optional, the scheduler knows that this absence of a task waiting for a just started slot is intended and taken care of by the application. If required by the application, synchronisation between time bases of the PB and TT parts can be provided by a similar pattern that reads the clock during the TT part to obtain a new value for Next. 
Patterns: Looking back
As we mentioned in the introduction, our aim with this work was to revisit our previously proposed model and implementation of combined TT-PB scheduling [7, 6] . The goal was to make our implementation Ravenscarcompatible, and hence making it susceptible for consideration in the High-Integrity domain. Given that Ravenscar is a restrictive subset of the tasking model of Ada, one could think that, a priory, something will need to be sacrificed. We have found that this almost not true.
Looking back at the patterns we proposed in [7, 6] , the only mechanism we have not included is the self cancellation mechanism, which requires the use of Ada's asynchronous transfer of control, a feature that is (wisely) absent in Ravenscar, because it is not an adequate feature in a High-Integrity context, due to the indeterminism it introduces. So this is a sacrifice that stems logically from our new context assumptions.
But it is to be noticed that, despite the Ravenscar restrictions, we have been able to replicate all the functionalities provided by the full-Ada scheduler -the cancellation mechanism mentioned above was implemented by the TT tasks, not the scheduler-. In addition, we have extended the model to include continuation and optional slots, which suggest a number of new patterns.
Design and Implementation Details
The time-triggered plan dictates the actions to be taken by the TT scheduler at the start of each slot. The data structure that represents the plan is an array of slot descriptors, each with one field to indicate the slot duration and another three fields to characterise the slot as follows:
• Work Id -This field contains either a positive value identifying a TT task, or an indication of empty slot or mode change slot, two reserved non-positive values.
• Is Continuation -A boolean that marks the slot as a continuation slot.
• Is Optional -A boolean indicating whether the slot is an optional slot or not.
Another important source of information for the scheduler is the status of all TT tasks. The scheduler uses the work status to determine the actions to be taken during a slot switch. The status of a TT work is determined by the following boolean fields of a Work Control Block record:
• Has Completed -Indicates if a single-slot work or an sliced work does not require more time at TT level.
• Is Waiting -Indicates whether the work task is waiting for a new slot or not. This flag is set to True when the work calls Wait For Activation .
• Is Sliced -When this flag is True, it means that this work is currently running sliced, hence it may need to be held/resumed. This flag is set to False when the work is at the start of a terminal slot.
In our implementation, the TT scheduler is the handler of a timing event that is set to trigger at the start of each slot in the plan. Hence it executes at the highest interrupt priority (ARM D.15 12/2 [2] ). Based on the slot and work descriptors, the scheduler decides the actions to take during a slot switch. Table 1 describes some of these actions, limited to the case of regular slot processing, for short.
The top part of Table 1 lists two cases of actions to take at the end of a slot. These are Hold task, to hold the running TT task when it exhausts a regular slot and must continue sliced in future slots; and raise Program Error when overrun is detected, i.e., the task has not completed and it is not running sliced. To support Hold, our implementation of Ada.Dispatching.TTS uses runtime operations to suspend and extract from the ready queue the low-level thread behind the TT task. This is why a sliced part can only use protected objects with priority ceiling at the highest interrupt priority, as mentioned in Section 3.4.
Work status
Actions at END of slot Table 1 . Some actions to be taken by the scheduler at a slot switch. Actions with regard to the exhausted slot (Actions at END of slot) are shown in the top part, Actions related to the immediately starting slot (Actions at START of slot) take the bottom part. These actions depend on work status and type of slot.
The bottom part of Table 1 lists scheduler actions related to the immediately starting slot. The actions that are common to most cases in this table (denoted CA) are to mark the work as sliced when it enters a continuation slot, and to set the timing event handler to the end of this starting slot. Transferring the Is Continuation property of the slot to the Is Sliced attribute of the work effectively propagates the sliced condition of the TT task until the terminal slot, for which Is Continuation will be False.
The scheduler must also perform some actions upon calls to its public services. These may affect to the work status and to the priority of the underlying threads. It is the task itself who changes its own work status and priority, if needed, while running a scheduler protected operation. Table 2 summarises these update operations. For example, when a TT task invokes Leave TT Level, its work status is marked as completed and its priority demoted to the task's base priority -so the base priority of the task implementing the TT pattern must be determined according to the required priority level when it runs in the PB level. For readers interested in the full code of the TT scheduler, it is available on GitHub [8] .
Invoked procedure
Changes to work status Changes to task prio Table 2 . How and when the work status and TT task priority are modified by the scheduler.
Experimental Results
To evaluate the performance of the scheduler, mainly in terms of jitter, we have used a workload similar to the one we used in [7] . In this case, the hardware platform is a STM32F4 Discovery board at 168 MHz clock frequency, running a modified version of the GNAT ravenscar-full runtime from AdaCore's GNAT GPL 2017.
Apart from adding the Ada.Dispatching.TTS package to the runtime, we have changed the timing event and delay resolution of the GNAT runtime from the original 1 ms to 10 µs. We have measured an additional overhead of 3.5% due to this modification. Release jitter on a STM32F4 Discovery at 168 MHz Figure 9 shows the cumulative frequency histogram of measured release jitters of three TT tasks (W1..W3), one simple and two I-F tasks, and two PB tasks (T4 and T5). The jitter is measured with respect to the theoretical activation time, i.e. the start of the next slot for TT tasks or the time expression used in the delay statements of the periodic PB tasks. As it happened with the previous full-Ada implementation, the PB tasks suffer from quite disperse release jitter, due to interference from TT tasks and higher priority PB tasks. Their minimal jitter is however shorter than that of the TT tasks, due to the TT scheduler overhead. Note that the jitter for TT tasks is not only short but also very predictable, always within the range of 22 to 24 µs.
Taking this high predictability into account, we have tested an optimisation strategy that requires precise characterisation of the TT scheduler overhead. The optimisation consists in reprogramming the TT scheduler for the next slot time minus a fixed offset (20 µs in our case) so that the TT scheduler overhead is not paid at the start, but at the end of the TT slot. This overhead is unavoidable and has to be taken into account when the plan is built, but moving it to the end of the slot drastically improves the release jitter of the TT tasks. Figure 10 shows the release jitters obtained after applying this optimisation, which now range from 3 to 4 µs. These results clearly outperform those previously obtained with a full-Ada implementation using a MarteOS [1] on a Pentium @ 800 MHz, that raged from 30 to 70 µs. 
Conclusions
This paper has presented the results of transforming a full-Ada architecture for combined TT-PB scheduling [7, 6] to make it Ravenscar-compatible. Our aim was to make this scheduling strategy compatible with a more appropriate programming model for High-Integrity systems. Our first efforts focused on a user-level library supporting the scheduler, but we soon moved to a runtime library, so that the scheduler could support continuation slots (via hold/resume) and non-TT slots (via priority demotion), thus improving expressiveness and making room for more possible patterns. We have also introduced the concept of optional slot, and included provision for, now tolerable, no-show situations.
In addition, we have made Ada.Dispatching.TTS a generic package, where the number of regular work identifiers is a generic parameter. This allows us to keep the size of data structures to the minimum necessary for the number of TT tasks to be scheduled. The experimental results are encouraging, even better than those obtained in full-Ada with a much faster processor. No doubt, the simplicity of the Ravenscar runtime has to do with these results.
