A mixed-criticality system is a consolidated computing architecture where functions of differing safety importance—such as a real-time emergency shutdown routine and a non-critical data logging application—execute on a single hardware platform while maintaining strict temporal and spatial isolation guarantees. This approach eliminates the need for separate physical controllers for each function, reducing hardware cost, cabling, and physical footprint in industrial environments.
Glossary
Mixed-Criticality System

What is Mixed-Criticality System?
A computing architecture that consolidates safety-critical and non-critical functions onto a single hardware platform with guaranteed isolation.
The architecture relies on a real-time hypervisor or separation kernel to enforce hard partitioning between safety-critical partitions (often certified to IEC 61508 or DO-178C) and general-purpose partitions. Critical tasks receive guaranteed CPU cycles, memory bandwidth, and I/O access via mechanisms like CPU pinning and SR-IOV, ensuring that a fault or resource overrun in a non-critical Linux application can never corrupt or starve a safety-rated control loop executing on the same silicon.
Key Architectural Features
A mixed-criticality system consolidates safety-critical control functions and non-critical edge applications onto a single hardware platform. The architecture relies on strict temporal and spatial isolation guarantees to prevent interference between workloads of differing criticality levels.
Temporal Isolation via Strict Partitioning
The system enforces a fixed, pre-determined time-division multiplexing schedule where each virtual machine or container is allocated a dedicated time slot on the processor. This prevents a runaway non-critical application from consuming CPU cycles needed by a safety-critical control loop.
- Time-Triggered Scheduling: Tasks execute according to a static timetable, not dynamic events, ensuring deterministic worst-case execution time.
- Zero Interference: A fault in a Linux-hosted analytics container cannot delay a real-time PLC function executing in its designated window.
- Mechanism: Relies on a real-time hypervisor or a PREEMPT_RT kernel with strict CPU pinning to enforce the schedule at the microsecond level.
Spatial Isolation and Memory Protection
Hardware-enforced memory partitioning ensures that each software component operates within its own private address space. A buffer overflow or memory leak in a non-critical edge analytics process cannot corrupt the memory of a safety-rated controller executing on the same silicon.
- IOMMU/SMMU: The system uses an Input-Output Memory Management Unit to map device DMA accesses to specific memory regions, preventing rogue peripherals from overwriting critical data.
- Static Allocation: Memory for critical partitions is allocated at boot time and never dynamically requested, eliminating the risk of out-of-memory errors.
- MPU/MMU Enforcement: Leverages the Memory Protection Unit on ARM cores or the Memory Management Unit on x86 to trap illegal access attempts immediately.
Deterministic Inter-Partition Communication
Data exchange between critical and non-critical partitions does not use shared memory, which would break spatial isolation. Instead, communication occurs via asynchronous message passing over a hypervisor-mediated virtual network or a shared memory ring buffer with strict access control.
- Virtual Ethernet: A point-to-point virtual NIC pair connects a real-time OS partition to a general-purpose OS partition, with traffic policed to prevent bandwidth saturation.
- OPC UA Pub/Sub over TSN: For external communication, the system uses publish-subscribe protocols over Time-Sensitive Networking to guarantee bounded latency even on converged networks.
- Bounded Queues: Message queues have fixed depths; a non-critical subscriber that stops consuming messages will never cause the critical publisher to block.
Safety-Certified Hypervisor Foundation
The entire mixed-criticality stack rests on a Type-1 hypervisor that has been certified to IEC 61508 SIL 3 or ISO 26262 ASIL D. This minimal software layer is formally verified to ensure its own failure rate is negligible.
- Minimal Trusted Computing Base (TCB): The hypervisor consists of only a few thousand lines of code, making exhaustive formal verification feasible.
- Lockstep Execution: For the highest safety levels, the hypervisor can run a redundant VM in lockstep on a separate core, comparing outputs cycle-by-cycle to detect silent data corruption.
- Health Monitoring: A dedicated watchdog partition monitors the liveness of all other partitions and can trigger a safe state transition if a critical function misses its deadline.
Hardware Resource Partitioning with SR-IOV
Single Root I/O Virtualization allows a single physical network interface card to present multiple virtual functions directly to individual virtual machines. This bypasses the hypervisor for data-plane I/O, eliminating virtualization overhead for latency-sensitive control traffic.
- Direct Device Assignment: A real-time VM gets exclusive, direct access to a dedicated virtual function of the NIC, achieving bare-metal I/O latency.
- Bandwidth Reservation: Each virtual function is allocated a guaranteed slice of the physical link bandwidth, preventing a non-critical data logger from starving a motion control stream.
- Interrupt Steering: Hardware interrupts from a specific virtual function are routed directly to the assigned physical CPU core, avoiding cache pollution on cores running other workloads.
Mixed-Criticality Scheduling Algorithms
The system employs scheduling policies that dynamically adapt to the criticality level of the current operational mode. If the system transitions to a high-criticality state, non-critical tasks may be temporarily suspended to guarantee resources for safety functions.
- Vestal Model: The classic mixed-criticality scheduling model where each task has multiple worst-case execution time estimates, one per criticality level. The scheduler uses the more conservative estimate when criticality escalates.
- Criticality Mode Change Protocol: A formal handshake ensures all partitions are aware of the current system-wide criticality level, preventing a non-critical partition from continuing to consume resources during an emergency.
- Graceful Degradation: Non-critical functions like predictive maintenance dashboards are paused or run at reduced fidelity, not crashed, preserving system state for post-incident analysis.
Frequently Asked Questions
Clear answers to the most common questions about consolidating safety-critical and non-critical workloads on shared hardware platforms.
A mixed-criticality system is a consolidated computing architecture where software functions of differing safety assurance levels—such as a SIL 3 emergency shutdown routine and a non-critical edge analytics dashboard—execute concurrently on a single hardware platform. It works by enforcing strict temporal and spatial isolation through a combination of a real-time hypervisor, hardware memory protection units (MPUs), and deterministic scheduling policies. The hypervisor partitions physical resources like CPU cores, cache, and I/O into isolated virtual machines, ensuring that a fault or resource starvation in a low-criticality Linux VM cannot propagate to a high-criticality real-time control VM. This eliminates the traditional requirement of dedicated physical controllers for each safety function, reducing hardware footprint, cabling, and energy consumption while maintaining certifiable safety guarantees as defined by IEC 61508.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Mixed-criticality systems rely on a precise orchestration of hardware isolation, real-time communication, and safety-certified software. The following concepts form the technical foundation for consolidating safety-critical and non-critical workloads onto a single platform.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us