Inferensys

Glossary

Mixed-Criticality System

A consolidated computing architecture where safety-critical control functions and non-critical edge applications execute on a single hardware platform with strict temporal and spatial isolation guarantees.
Engineer deploying small language model to edge device, IoT sensor visible on desk, technical hardware setup in bright workspace.
SAFETY-CRITICAL ARCHITECTURE

What is Mixed-Criticality System?

A computing architecture that consolidates safety-critical and non-critical functions onto a single hardware platform with guaranteed isolation.

A mixed-criticality system is a consolidated computing architecture where functions of differing safety importance—such as a real-time emergency shutdown routine and a non-critical data logging application—execute on a single hardware platform while maintaining strict temporal and spatial isolation guarantees. This approach eliminates the need for separate physical controllers for each function, reducing hardware cost, cabling, and physical footprint in industrial environments.

The architecture relies on a real-time hypervisor or separation kernel to enforce hard partitioning between safety-critical partitions (often certified to IEC 61508 or DO-178C) and general-purpose partitions. Critical tasks receive guaranteed CPU cycles, memory bandwidth, and I/O access via mechanisms like CPU pinning and SR-IOV, ensuring that a fault or resource overrun in a non-critical Linux application can never corrupt or starve a safety-rated control loop executing on the same silicon.

MIXED-CRITICALITY SYSTEM

Key Architectural Features

A mixed-criticality system consolidates safety-critical control functions and non-critical edge applications onto a single hardware platform. The architecture relies on strict temporal and spatial isolation guarantees to prevent interference between workloads of differing criticality levels.

01

Temporal Isolation via Strict Partitioning

The system enforces a fixed, pre-determined time-division multiplexing schedule where each virtual machine or container is allocated a dedicated time slot on the processor. This prevents a runaway non-critical application from consuming CPU cycles needed by a safety-critical control loop.

  • Time-Triggered Scheduling: Tasks execute according to a static timetable, not dynamic events, ensuring deterministic worst-case execution time.
  • Zero Interference: A fault in a Linux-hosted analytics container cannot delay a real-time PLC function executing in its designated window.
  • Mechanism: Relies on a real-time hypervisor or a PREEMPT_RT kernel with strict CPU pinning to enforce the schedule at the microsecond level.
< 10 µs
Maximum Scheduling Jitter
02

Spatial Isolation and Memory Protection

Hardware-enforced memory partitioning ensures that each software component operates within its own private address space. A buffer overflow or memory leak in a non-critical edge analytics process cannot corrupt the memory of a safety-rated controller executing on the same silicon.

  • IOMMU/SMMU: The system uses an Input-Output Memory Management Unit to map device DMA accesses to specific memory regions, preventing rogue peripherals from overwriting critical data.
  • Static Allocation: Memory for critical partitions is allocated at boot time and never dynamically requested, eliminating the risk of out-of-memory errors.
  • MPU/MMU Enforcement: Leverages the Memory Protection Unit on ARM cores or the Memory Management Unit on x86 to trap illegal access attempts immediately.
100%
Fault Containment Guarantee
03

Deterministic Inter-Partition Communication

Data exchange between critical and non-critical partitions does not use shared memory, which would break spatial isolation. Instead, communication occurs via asynchronous message passing over a hypervisor-mediated virtual network or a shared memory ring buffer with strict access control.

  • Virtual Ethernet: A point-to-point virtual NIC pair connects a real-time OS partition to a general-purpose OS partition, with traffic policed to prevent bandwidth saturation.
  • OPC UA Pub/Sub over TSN: For external communication, the system uses publish-subscribe protocols over Time-Sensitive Networking to guarantee bounded latency even on converged networks.
  • Bounded Queues: Message queues have fixed depths; a non-critical subscriber that stops consuming messages will never cause the critical publisher to block.
04

Safety-Certified Hypervisor Foundation

The entire mixed-criticality stack rests on a Type-1 hypervisor that has been certified to IEC 61508 SIL 3 or ISO 26262 ASIL D. This minimal software layer is formally verified to ensure its own failure rate is negligible.

  • Minimal Trusted Computing Base (TCB): The hypervisor consists of only a few thousand lines of code, making exhaustive formal verification feasible.
  • Lockstep Execution: For the highest safety levels, the hypervisor can run a redundant VM in lockstep on a separate core, comparing outputs cycle-by-cycle to detect silent data corruption.
  • Health Monitoring: A dedicated watchdog partition monitors the liveness of all other partitions and can trigger a safe state transition if a critical function misses its deadline.
SIL 3
Achievable Safety Integrity
05

Hardware Resource Partitioning with SR-IOV

Single Root I/O Virtualization allows a single physical network interface card to present multiple virtual functions directly to individual virtual machines. This bypasses the hypervisor for data-plane I/O, eliminating virtualization overhead for latency-sensitive control traffic.

  • Direct Device Assignment: A real-time VM gets exclusive, direct access to a dedicated virtual function of the NIC, achieving bare-metal I/O latency.
  • Bandwidth Reservation: Each virtual function is allocated a guaranteed slice of the physical link bandwidth, preventing a non-critical data logger from starving a motion control stream.
  • Interrupt Steering: Hardware interrupts from a specific virtual function are routed directly to the assigned physical CPU core, avoiding cache pollution on cores running other workloads.
06

Mixed-Criticality Scheduling Algorithms

The system employs scheduling policies that dynamically adapt to the criticality level of the current operational mode. If the system transitions to a high-criticality state, non-critical tasks may be temporarily suspended to guarantee resources for safety functions.

  • Vestal Model: The classic mixed-criticality scheduling model where each task has multiple worst-case execution time estimates, one per criticality level. The scheduler uses the more conservative estimate when criticality escalates.
  • Criticality Mode Change Protocol: A formal handshake ensures all partitions are aware of the current system-wide criticality level, preventing a non-critical partition from continuing to consume resources during an emergency.
  • Graceful Degradation: Non-critical functions like predictive maintenance dashboards are paused or run at reduced fidelity, not crashed, preserving system state for post-incident analysis.
MIXED-CRITICALITY SYSTEMS

Frequently Asked Questions

Clear answers to the most common questions about consolidating safety-critical and non-critical workloads on shared hardware platforms.

A mixed-criticality system is a consolidated computing architecture where software functions of differing safety assurance levels—such as a SIL 3 emergency shutdown routine and a non-critical edge analytics dashboard—execute concurrently on a single hardware platform. It works by enforcing strict temporal and spatial isolation through a combination of a real-time hypervisor, hardware memory protection units (MPUs), and deterministic scheduling policies. The hypervisor partitions physical resources like CPU cores, cache, and I/O into isolated virtual machines, ensuring that a fault or resource starvation in a low-criticality Linux VM cannot propagate to a high-criticality real-time control VM. This eliminates the traditional requirement of dedicated physical controllers for each safety function, reducing hardware footprint, cabling, and energy consumption while maintaining certifiable safety guarantees as defined by IEC 61508.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.