The notion of a single system-level notation addresses the multiple-paradigm, multipleanalyses problem of embedded systems design. The idea is to reduce the semantic gap between system-level specifications and IP-level implementation decisions. There are many specific languages in use today for various aspects of embedded systems synthesis. Efforts are underway to deal with the system-level design problem, these include most notably SpecC, Rosetta, and SDL. Several extensions to UML are being proposed to address some of the realtime issue, including isomorphic mappings to these system-level notations. We survey these system-level languages, their concepts and pragmatics, and include descriptions of the extensions to UML.
Introduction
Plummeting hardware costs are leading to rapid growth in new application areas, and especially in the embedded systems arena. Embedded system applications range from small scale devices such as smart phones, personal digital assistants (PDAs), set-top boxes, to large enterprise servers and network computers, radar systems, automotive, avionics, etc. These systems, and more specifically systems-on-a-chip (SoC), are characterized by some unique factors. They are in close contact with their environment; they must meet stringent requirements of time, power and weight constraints; and they are expected to have higher levels of dependability (this includes attributes such as reliability, robustness, fault-tolerance, availability, etc.).
Designing embedded electronics products involves a diversity of creative professionals including systems, hardware, and software engineers involved in conceptualization, creation, implementation, testing, and manufacturing of the product. This process requires many steps and iterations, each with specialized tools. A simplified view of this integrated process is shown in the flow chart on Figure 1 . In Figure 1 , we highlight the major steps in going from a set of needs to a product/solution that involves both computer hardware and software. The first three steps are part of systems engineering, an area that deals with high-level structures such as the overall system architecture, and the tradeoffs of partitioning functionality into hardware or software. Co-design then follows, where hardware and software engineers are concerned with implementation details and the integration of hardware and software; these steps are usually performed in parallel.
Software development includes application and system software. Hardware development provides the computer system architecture and the physical devices.
Solution V&V V&V V&V V&V V&V V&V

Figure 1: Integrated Embedded Systems Design Process
There is an ever more important need for low cost and efficient implementation in hardware and software. The hardware has responsibilities for providing generalpurpose processing and storage elements, and physical interfacing to the controlled system or "plant"; thus, the "form factor," (area, power, weight, etc.) depends on the hardware. Whereas correct and timely functionality depend mostly on the embedded
3/18
software. Dependability is a function of both hardware and software, and of their interaction.
In today's post-PC era, embedded systems are increasingly more softwaredriven, as more and more of the functionality is placed in software. Ideally, this functionality should be portable over a variety of platforms such as PDA, PCS phone, PCs, telecom switches, automotive devices, home networks, etc. But, since these applications are highly device dependent, they require that routine functionality be custom-written, often repeatedly from scratch, each time a new system is built for the hardware being controlled. Furthermore, current monolithic, platform-dependent implementations are difficult to port, upgrade and customize, and offer limited opportunities for reuse, even within a single product family.
Real-time embedded software design is further constrained, as compared to conventional software, by the domain requirements for interaction with the physical world. Unlike other information processing systems, real-time embedded software, in most instances, must "embody" the laws of physics to control its environment and it is thus hampered by the complexities of the dynamics of the real world.
There has been a proliferation of "specialized" modeling techniques to tackle this complexity of embedded systems. Many different notations with distinct goals are currently in use, ranging from a variety of hardware description languages, continuous modeling languages, protocol specification languages, dynamic synchornization languages, architrecture description languages, programming and module interconnection languages, and a pletora of formal languages and mathematical notations. For a fairly complete list see [1] , and for a good survey see [2] .Current notations and practices by themselves are not entirely satisfactory for all aspects of embedded systems development.
More recently, however, we are witnessing a strong movement to create system-level design notations addressing both structural and bahevioral specification of both hardware and software componets, and their intercommuncation mechanisms [3] . The purpose of this chapter is to present a survey of these system-level design notations. In section 2 we briefly outline motivational and background aspects of the problem. We then, in section 3 provide a summary of each of the main system-level notations being put forward today. We conclude with a comparative summary and a brief discussion on the proposed extensions to UML [4] to cater for embedded systems requirements.
The Embedded Systems Specification and Design Problem
Developing embedded systems can be seen as a continuum of successive elaboration of models, representing different viewpoints at varying degrees of abstraction. A major issue is the selection of the appropriate notation and semantic language for each of these models. Many of these representations are orthogonal to each other, which makes it difficult to perform "integrated" analyses of the various 29b submitted to World Scientific : 01/06/90 : 10:11 PM 4/18 models. Different tools supporting the various notations usually suffer from lack of interoperability among them.
A fundamental problem we are facing is the inability of representing ALL this design information in an appropriate standard modeling notation, one that is suitable for analysis at various levels of abstraction and that can present the design from various view points.
Thus, there are two aspects to this problem as follows:
1. Modeling and design to capture different views and levels of abstractions.
There are several levels of abstraction when specifying requirements for embedded systems; these go from the high-level system concept to the register transfer level. Components for both hardware and software blocks are typically specified using different notations and modeling techniques. A critical aspect is the ability to design "reusable" components from specification to silicon with the understanding of their need for adaptation when reused. For this, we must be able to capture the design information in a consistent and "standard" form, in such a way that engineers other than the original designers can integrate components. Specific modeling and design aspects include the following: architectural design and optimization analysis system test design and analysis object (Hw/Sw) design and analysis component (Hw/Sw) implementation and testing 2. System-Level Validation: to develop an executable specification capable of expressing concurrency and other critical aspects in the system being described. Components must not be designed for a single technology, since they must be "portable" and independent of specific simulators, capable of being independently verified in different environments (or chips). Finally, to aid in the validation and verification processes, specification languages must be either formal or executable (or both). Specific issues that need addressing for systemlevel validation include the following: behavior of mixed signals computations (analog, digital, wireless) real-time related behavior size, weight, area, and power (SWAP) constraints hardware/software interfaces system integration and co-simulation Previous attempts to address these problems have taken two avenues, a cosimulation approach based on a common backplane, and a compositional approach based on a single, "integrated" model. In the former, the various analysis tools corresponding to the different notations are cognizant of the semantics of an underlying common backplane (see Figure 2a) . The basis for the second, compositional, approach is the translation of all different notations to a single "integrated" notation with its own analysis tool (see Figure 2b) . Currently, several main competing efforts are underway to deal with the systemlevel design problem. An important question is whether semantic analyses can be made from the unification or integration of these models. The overall goal is to provide a broad-spectrum integrating notation, addressing the multiple-language, multiple-analyses problem of embedded systems design by combining levels of abstraction (vertical integration), and heterogeneous conceptual models (horizontal integration). These are the groups working on SpecC [5, 6] , SDL [7] , Rosetta [8] , and SystemC [9] . In what follows we present a summary of each of the proposed system-level notations.
SpecC
The SpecC language evolved in 1997 from the integration of system-level concepts form the more graphical notation known as SpecCharts [10] , and the C programming language. Although the notion of "classes" is used in SpecC, it is meant to be more of the concept of abstract data types; SpecC is not an objectoriented language since many of the typical OO features are not present such as inheritance, polymorphism, etc.
SpecC Basic Concepts
Fundamentally, SpecC specifies a system through the concepts of behaviors that interact via channels through ports and interfaces. There is a clear separation between computation and communication where behaviors model computation, and communication is modeled by using shared variables and/or channels. Specifications can be shown both graphically or textually (see Figure 3 The concept of Interfaces is also critical in SpecC. Interfaces are used to connect behaviors with channels in a way that both, behaviors and channels, are easily interchangeable with compatible counterparts ("plug-and-play"). An interface is like a "class" (or more like a type) that consists of a set of method declarations. A behavior with a port of interface type can call the communication methods declared in that interface. Method definitions for these declarations are supplied by the channel (or behavior) that implements the interface. Thus, for each interface, multiple channels can provide an implementation of the declared communication methods. A hierarchical network of interconnected behaviors describes the functionality of a system (See Figure 4) . Designs are specified in a hierarchical manner using top-down decomposition. A behavior is called a composite behavior if it contains instantiations of other behaviors. Otherwise, it is called a leaf behavior; leaf behaviors specify basic algorithms. 
8/18
Pipelined execution, specified by the pipe statement similarly to the par construct, is a special form of concurrent execution. All statements in the compound statement block after the pipe keyword form a new thread of control. They are executed in a pipelined fashion (in parallel but obey the specification order). The pipe statement never finishes through normal execution. In the example above (see Figure 5c ), the behaviors a, b and c form a pipeline of behaviors. In the first iteration, only a is executed. When a finishes the second iteration starts and a and b are executed in parallel. In the third iteration, after a and b have completed, c is executed in parallel with a and b. This last iteration is repeated forever.
In order to support buffered communication in pipelines, the piped storage class can be used for variables connecting pipeline stages. A variable with piped storage can be thought of as a variable with two storage places. Write access always writes to the first storage, read access reads from the second storage. The contents of the first storage are shifted to the second storage whenever a new iteration starts in the pipe statement.
Finite State Machine (FSM) execution is a special form of sequential execution which allows explicit specification of state transitions. The fsm construct species a list of state transitions where the states are actually instantiated behaviors. A state transition is a triple {current_state; condition; next_state}. The current_state and the next_state take the form of labels and denote behavior instances. The condition is an expression that has to be evaluated as true for the transition to become valid.
The execution of a fsm construct starts with the execution of the first behavior that is listed in the transition list. Once the behavior has finished, its state transition determines the next behavior to be executed. The conditions of the transitions are evaluated in the order they are specified and as soon as one condition is true the specified next behavior is started. If none of the conditions is true the next behavior defaults to the next behavior listed (similar to a case statement without break). A break statement terminates the execution of the fsm construct.
Synchronization and exception handling in SpecC
There are three statements in SpecC to support synchronization between concurrent executing behaviors: wait, notify and notifyone. Each of these statements takes a list of events as argument.
The wait statement suspends the current behavior from execution until one of the specified events is notified by another behavior. The execution of the waiting behavior is then resumed.
The notify statement triggers all specified events so that all behaviors waiting on one of those events can continue their execution.
The notifyone statement acts similar as the notify statement but notifies exactly one behavior from all behaviors waiting on the specified events.
29b submitted to World Scientific : 01/06/90 : 10:11 PM
9/18
The try-trap-interrupt construct deals with two types of exception handling: abortion (or trap) and interrupt. With try, a behavior is made sensitive to the events listed with the trap and interrupt declarations. Whenever such an event occurs while executing the try behavior its execution is immediately suspended.
For an interrupt event, the specified interrupt handler is executed and after its completion the execution of the try behavior is resumed. For a trap event, the suspended execution is aborted and the trap handler takes over the execution.
Handling time and timing behavior in SpecC
In SpecC, the time type represents the type of simulation time. This is an implementation dependent integral type used only with the waitfor statement and with the do-timing construct.
The waitfor statement species delay of execution time. Whenever the simulator reaches such statement, the execution of the current behavior is suspended. As soon as the simulation time is increased by the number of time units specified in the argument, the execution of the current behavior resumes. The do-timing construct can be used to specify timing constraints in terms of ranges (minimum and maximum times). In the construct, the do block defines labeled statements which must be executed according to the constraints specified in the timing block.
SpecC future developments
[TBD]
SDL
The Specification and Description Language (SDL), originally devised in 1968 for telecommunications products to handle control switching systems, in conjunction with the accompanying Message Sequence Chart (MSC) [11] , allow the specification to implementation of discrete, reactive real-time systems. The first, small SDL ITU (International Telecommunication Union) standard was produced in 1976, and it has been updated every four years. All ITU standards (called Recommendations -they recommend norms to national bodies) are the result of collaborative work. The current standard, SDL-2000, simply SDL from now on, has support for object modelling and implementation. The main standard for SDL is Z.100, which gives a definition of SDL in a precise and concise way, and therefore is a language reference manual. Z.109 defines SDL as a UML profile, giving the mapping of UML concepts. Z.120 is similar to Z.100, but for MSC. The most fundamental concepts of SDL are those of a system, a block, process, and services. Systems, blocks and processes can be types. A system type definition is a top-level agent type definition. Services have their behavior specified as state machines. A unified agent concept for blocks, processes and services, that allows mixing on one diagram A type defines properties that instances of the type have, and that can be inherited by other types. Types can also be aggregations of other types. The relationship between types can be shown by associations and inheritance symbols. Another important concept is that of a process, which specifies leaf behavior of a block -unless the process itself is decomposed into services.
Other features in SDL-2000 that support specification and integration with other approaches include:
• Interfaces, class symbols as references, and associations 
Specification of functionality in SDL
An SDL specification defines system behaviour in a stimulus/response fashion, assuming that both stimuli and responses are discrete and carry information. In particular a system specification is seen as the sequence of responses to any given sequence of stimuli. The system specification model is based on the concept of communicating extended finite state machines.
Systems specified in SDL behave according to the stimuli exchanged with the external world. This external world is called the environment. There are one or more agent instances in the environment, and therefore stimuli flowing from the environment towards the system have associated identities of these agent instances. SDL also provides structuring concepts that facilitate the specification of large and/or complex systems. These constructs allow the partitioning of the system 29b submitted to World Scientific : 01/06/90 : 10:11 PM
11/18
specification into manageable units that may be handled and understood independently. Partitioning may be performed in a number of steps resulting in a hierarchical structure of units defining the system at different levels.
An SDL-specification has the combined semantics of the system agent (if one is given) with the packages. If no system agent is specified, the specification provides a set of definitions for use in other specifications. In order for a type definition to be used in different systems it has to be defined as part of a package. Definitions as parts of a package define types, signal lists, remote specifications and synonyms. Definitions within a package are made visible to another scope unit by a package use clause.
A system is the outermost block. This means that agents within a system are blocks and processes that are interpreted concurrently with each other and with the possible state machine of the system. A complete system is structured as a tree of referenced diagrams with the system diagram as the root. When the system is 'executed (simulated) there is one instance of the "system agent," and one or more instances of other agents (additional blocks and processes inside the system diagram). This is a dynamic structure since the number of instances can change during the execution of the system, as agents are created, and agents stop themselves. Inter-process communication is based on point-to-point asynchronous message exchanges. SDL describes a system architecture as a set of "autonomous reactive classes" called processes. Process behavior is detailed using a state diagram. See Figure 6 .
Process agents represent all the behaviour in SDL. A complete SDL system is a set of communicating process agents. Several instances of the same agent set may exist at the same time and be interpreted asynchronously and in parallel or alternating with each other and with instances of other agent sets in the system. Block agents provide structure. The processes and communication paths provide interfaces to/from the processes. Each process is a state machine. The simplest processes (with no data variables) are finite state machines. It is the data within process agents and passed by signals which provides the SDL system with its behaviour. Data has no existence in SDL without process agents. Variables defined s ignal s, t ; 
12/18
in a block (or system) are contained within the block's (or system's) process agent, which is implicit if one is not defined explicitly. A data type defines a set of elements and operations. The stimuli handled by an agent determine the interface that it offers. The stimuli generated by an agent determine the interface it requires. Every agent has an implicit interface with the same name as the agent covering each signal, remote procedure, remote variable and exception that it handles. An interface defines a set of stimuli handled by an agent. There can be different interfaces defining different subsets of all the stimuli handled by an agent. An interface can inherit properties from other interfaces. Typically an interface offered by a block will inherit interfaces from agents within the block.
Synchronization and exception handling in SDL
Communication in SDL takes place by channels between agents. However, channels can be given explicitly and are derived implicitly from the stimuli that agents handle and generate. Channels convey the stimuli passed between the agents of the system as signals (for example a remote procedure can be considered as an exchange of signals). A gate is similar to a channel but gives a connection point on an agent or agent type and defines a set of stimuli that are handled, and the stimuli that are generated. Such definitions result in implicit channels. A Channel-definition represents a transportation path for signals (including the implicit signals implied by remote procedures and remote variables). A channel can be considered as one or two independent unidirectional channel paths between two agents or between an agent and its environment. A channel may also connect the state machine (composite state) of an agent with the environment and with contained agents.
An agent instance has a communicating extended finite state machine defined by its explicit or implicit state machine definition. Whenever the state machine is in a state, on input of a given signal it will perform a certain sequence of actions, denoted as a transition. The completion of the transition results in the state machine of the agent instance waiting in another state, which is not necessarily different from the first one. Variable objects in other agents are accessed by an implicit exchange of signals between agents.
A system is separated from its environment by a system boundary and contains a set of agents. Communication between the system and the environment or between agents within the system can take place using signals, remote procedures and remote variables. Within a system, these communication means are conveyed on explicit or implicit channels. The channels connect the contained agents to one another or to the system boundary.
When a signal instance is sent to an instance of the same agent instance set, interpretation of the Output-node either implies that the signal is put directly in the input port of the destination agent, or that the signal is sent via a channel without delay which connects the agent instance set to itself. A remote procedure or remote variable on a channel is mentioned as outgoing from an importer and incoming to an 29b submitted to World Scientific : 01/06/90 : 10:11 PM
13/18
exporter. A signal instance is a flow of information between agents, and is an instantiation of a signal type defined by a signal definition. A signal instance can be sent by either the environment or an agent and is always directed to either an agent or the environment. A signal instance is created when an Output-node is interpreted and ceases to exist when an Input-node is interpreted.
A remote procedure call by a requesting agent causes the requesting agent to wait until the server agent has interpreted the procedure. Signals sent to the requesting agent while it is waiting are saved. The server agent will interpret the requested procedure in the next state where save of the procedure is not specified, subject to the normal ordering of reception of signals.
A state represents a particular condition in which the state machine of an agent may consume a signal instance. If a signal instance is consumed, the associated transition is interpreted. A transition may also be interpreted as the result of a continuous signal or a spontaneous transition.
An exception instance transfers control to an exception handler. An exception instance is created implicitly by the underlying system or explicitly by a Raise-node and the exception instance ceases to exist if it is caught by a Handle-node or Elsehandle-node. Creation of an exception instance breaks the normal flow of control within an agent, operation or procedure. Unhandled exceptions propagate (dynamically) outwards to the caller and is treated as if it were created at the place of the invocation. A number of exception types are predefined within the package Predefined. It is also allowed for the specifier to create instances of these exception types explicitly.
Handling time and timing behavior in SDL
A timer instance is an object, which can be active or inactive. When an inactive timer is set, a Time value is associated with the timer. Provided there is no reset or other setting of this timer before the system time reaches this Time value, a signal with the same name as the timer is put in the input port of the agent. A timer is active from the moment of setting up to the moment of consumption of the timer signal.
There is an ongoing study of time and performance issues that could lead to changes to SDL, or some way of linking requirements such as time deadlines to SDL models. There needs to be a binding of MSC data to SDL, and there is a need to be able to define encoding of SDL data on interfaces. 
SLDL and Rosetta
The VHDL's international's System Level Design Language committee, SLDL for short, is currently examining solutions and problems presented by a heterogeneous modeling language. The Rosetta language under development "(named after the Rosetta stone, which contained text in three different alphabets and thus helped in understanding each one)" [12] proposes to raise the level of abstraction much higher than currently available RTL-based languages. Rosetta provides modeling support for different design domains using multiple-domain semantics and syntax appropriate for each. Each domain theory provides a semantic and representational framework for one or more design domains. Domain theories include data, computation, and communication models for describing systems facets. A facet is a model of a component or system that provides information specific to a domain of interest.
SLDL basic concepts
Specification of functionality in SLDL
[TBD] 
SystemC
"On September 1999, leading EDA, IP, semiconductor, systems and embedded software companies announced the "Open SystemC Initiative" (OSCI) and immediate availability of a C++ modeling platform called SystemC for free web download at the Embedded Systems Conference, San Jose, California." [13] 1 SystemC is not a new notation like SpecC, but a methodology backed by a collection of C++ class library to support embedded system design work. More specifically, to specify, simulate and optimize system designs at higher levels of abstraction (including performance analysis as well as behavior correctness). It is also expected that SystemC will make it easier to create new and reuse old IP. The methodology and supporting environment will try to traverse the path to hardware/ software implementations from high-level specification more efficiently.
SystemC building blocks include multiple concurrent processes, communication mechanisms, and a rich variety of hardware data types. All the building blocks are C++ classes, and SystemC makes full use of the C++ language. SystemC consists of a set of header files describing the classes and a link library that contains the simulation kernel. Thus, any ANSI C++-compliant compiler can compile SystemC, together with the specification being developed. The SystemC library also contains the simulation kernel. The resulting executable specification serves as a simulator for the system described *similar to SpecC).
SystemC basic concepts
The fundamental building construct in SystemC is a process. A process is like a C or C++ function that implements behavior. The following are the most prominent features of SystemC:
Modules: This is a hierarchical, information hiding, container class that is used to define system structure. 
Specification of functionality in SystemC
In SystemC, a complete system description consists of multiple concurrent processes. Using the SystemC library, a system can be specified at various levels of 29b submitted to World Scientific : 01/06/90 : 10:11 PM 16/18 abstraction. At the highest level, only the functionality of the system may be modeled. For hardware implementation, models can be written either in a behavioral style or in a register-transfer level style. The software part of a system can be naturally described as C or C++ algorithms. SystemC supports modeling at different levels of abstraction and top-down specification refinement. Interfaces between software and hardware and between hardware blocks can be easily described either at the transaction-accurate level or at the cycle-accurate level.
Since SystemC specification are actually C++ programs, these models can coexist during system simulation. C/C++ and the SystemC classes can be used not only for the development of the system, but also for the testbench.
Synchronization and exception handling in SystemC
Processes communicate with one another through signals, and explicit clocks can be used to order events and synchronize processes. SystemC has the notion of clocks as special signals.
SystemC also provides mechanisms for modeling reactive behavior, processes can be synchronized by waiting on clock edges, events, and signal transitions. SystemC also supports watching for a certain event, regardless of the execution stage of the process (the most common example is the watching of a reset signal).
The capabilities provided by a SystemC channel are different from those provided by a signal. Channels, and abstract concept, are used in the initial stages of modeling when the primary interest is the system functionality. Channels implicitly provide the necessary handshaking to ensure correct delivery of data from the sender to the receiver, without, at this level, timing considerations.
Handling time and timing behavior in SystemC
Clocks are the timekeepers of the system during simulation. Multiple clocks, with arbitrary phase relationship, are supported. SystemC includes a cycle-based simulation kernel that allows high speed simulation. SystemC also provides mechanisms for simulation control at any point of the input specification.
The SystemC kernel contains basic routines to dump waveforms to a file (VCD, WIF, and ISDB format), which can be viewed by typical waveform viewers. 
Summary and Conclusions
In this chapter we have survey fours major efforts taking place today in order to define a system-level design notation for embedded, real-time, distributed systems development.
SpeC is a new notation based on the C programming language. SpecC is a relatively small language, quite easy to learn. The power of SpecC is on its very high level constructs such as par and pipe, to specify concurrent execution, fsm for specifying finite state machines, and the notion of interchangeable interfaces. The corresponding graphical notation is also very useful.
SDL is also a new language, not based on any particular programming language, but much more complex than SpecC. It also has an accompanying graphical notation. SDL is an international, mature standard in development since the late 1960's. The most recent version, SDL-2000, directly supports objectoriented concepts as defined by UML. SLDL/Rosetta is not a single language, but a variety of multi-faceted languages. It provides modeling support for different design domains using multiple-domain semantics and syntax appropriate for each, describing systems facets. A facet is a model of a component or system that provides information specific to a domain of interest.
It is interesting to note that a number of UML extensions are being proposed to model real-time behavior. In addition, there is a move to create isomorphic (and semantic homomorphisms) mappings between system-level notations and UML.
The idea is to use a general modeling language, such as UML, and define mappings to concepts from existing notations supporting various modeling techniques. This mapping works two ways, namely at the front-end analysts deal directly with UML models, and at the back-end designers are able to use their conventional analyses tools which are "seamlessly" connected via UML implementation technology such as XMI [14] ). This way, the semantic gap between system-level specifications and IP-level implementation decisions is reduced. It is worth mentioning that UML itself is an attempt to unification of several orthogonal elements such as data (classes), behavior (states), and execution flow (actions). Detailed reviews of these efforts are outside the scope of this chapter.
